wolfRand

In configure.ac,
1. Change some whitespace in the FIPS enable section.
2. Reorganize the FIPS section a little bit.
3. When enabling wolfRand, also force cryptonly.
4. Treat wolfRand like FIPSv2 at build time.
In the source include.am,
5. Add checks against BUILD_FIPS_RAND as appropriate.
6. Add the SHA-256 assembly to the wolfRand source list.

configure.ac

@@ -2250,54 +2250,56 @@ AC_ARG_ENABLE([fips],
     [ENABLED_FIPS="no"])
 
 AS_CASE([$ENABLED_FIPS],
-        ["v2"],[FIPS_VERSION="v2"
-            ENABLED_FIPS=yes
-            AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
-            ENABLED_KEYGEN="yes"
-            ENABLED_SHA224="yes"
-            AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
-                  [ENABLED_AESCCM="yes"
-                   AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
-            AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
-                  [ENABLED_RSAPSS="yes"
-                   AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
-            AS_IF([test "x$ENABLED_ECC" != "xyes"],
-                  [ENABLED_ECC="yes"
-                   AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT"
-                   AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
-                         [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
-                  [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"])
-            AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
-                  [ENABLED_AESCTR="yes"
-                   AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
-            AS_IF([test "x$ENABLED_CMAC" != "xyes"],
-                  [ENABLED_CMAC="yes"
-                   AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
-            AS_IF([test "x$ENABLED_HKDF" != "xyes"],
-                  [ENABLED_HKDF="yes"
-                   AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
-            AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
-                  [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
-        ],
-        ["rand"],[
-            ENABLED_FIPS="yes"
-            FIPS_VERSION="rand"
-            AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND"
-        ],
-        ["no"],[FIPS_VERSION="none"],
-        [
-            ENABLED_FIPS="yes"
-            FIPS_VERSION="v1"
-            AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
-        ])
+    ["v2"],[FIPS_VERSION="v2"
+        ENABLED_FIPS=yes
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
+        ENABLED_KEYGEN="yes"
+        ENABLED_SHA224="yes"
+        AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
+              [ENABLED_AESCCM="yes"
+               AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
+        AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
+              [ENABLED_RSAPSS="yes"
+               AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
+        AS_IF([test "x$ENABLED_ECC" != "xyes"],
+              [ENABLED_ECC="yes"
+               AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT"
+               AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
+                     [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
+              [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"])
+        AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
+              [ENABLED_AESCTR="yes"
+               AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
+        AS_IF([test "x$ENABLED_CMAC" != "xyes"],
+              [ENABLED_CMAC="yes"
+               AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
+        AS_IF([test "x$ENABLED_HKDF" != "xyes"],
+              [ENABLED_HKDF="yes"
+               AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
+        AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
+              [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
+    ],
+    ["rand"],[
+        ENABLED_FIPS="yes"
+        FIPS_VERSION="rand"
+        AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2"
+    ],
+    ["no"],[FIPS_VERSION="none"],
+    [
+        ENABLED_FIPS="yes"
+        FIPS_VERSION="v1"
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
+    ])
 
-AS_IF([test "x$ENABLED_FIPS" = "xyes"],
+AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno"],
+    [AC_MSG_ERROR([FIPS requires Thread Local Storage])])
+
+AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" != "xrand"],
 [
-    # Check prerequisites, force them on or error out.
-    AS_IF([test "x$thread_ls_on" = "xno"],[AC_MSG_ERROR([FIPS requires Thread Local Storage])])
+    # Force enable the prerequisites.
     AS_IF([test "x$ENABLED_SHA512" = "xno"],
         [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
-    AS_IF([test "x$ENABLED_AESGCM" != "xyes"],
+    AS_IF([test "x$ENABLED_AESGCM" = "xno"],
         [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
     AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])
 ],
@@ -3485,6 +3487,8 @@ AC_ARG_ENABLE([cryptonly],
     [ENABLED_CRYPTONLY=$enableval],
     [ENABLED_CRYPTONLY=no])
 
+AS_IF([test "x$FIPS_VERSION" = "xrand"],[ENABLED_CRYPTONLY="yes"])
+
 if test "$ENABLED_CRYPTONLY" = "yes"
 then
     AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY"

src/include.am

@@ -124,42 +124,45 @@ src_libwolfssl_la_SOURCES += \
                wolfcrypt/src/hmac.c \
                wolfcrypt/src/random.c \
                wolfcrypt/src/sha256.c \
+               wolfcrypt/src/sha256_asm.S \
                wolfcrypt/src/fips.c \
                wolfcrypt/src/fips_test.c \
                wolfcrypt/src/wolfcrypt_last.c
-endif
+endif BUILD_FIPS_RAND
 
-endif
+endif BUILD_FIPS
+
+# For wolfRand, exclude everything else.
+if !BUILD_FIPS_RAND
 
 # For FIPSV2, exclude the wolfCrypt files included above.
 # For wolfRand, exclude just a couple files.
 # For old FIPS, keep the wolfCrypt versions of the
 # CtaoCrypt files included above.
 if !BUILD_FIPS_V2
-if !BUILD_FIPS_RAND
 src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c
 endif
-endif
 
 # CAVP self test
 if BUILD_SELFTEST
 src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c
 endif
 
+endif !BUILD_FIPS_RAND
+
 src_libwolfssl_la_SOURCES += \
                wolfcrypt/src/hash.c \
                wolfcrypt/src/cpuid.c
 
-if !BUILD_FIPS_V2
 if !BUILD_FIPS_RAND
+
+if !BUILD_FIPS_V2
 if BUILD_RNG
 src_libwolfssl_la_SOURCES += wolfcrypt/src/random.c
 endif
 endif
-endif
 
 if !BUILD_FIPS_V2
-if !BUILD_FIPS_RAND
 if BUILD_ARMASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c
 else
@@ -169,7 +172,6 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S
 endif
 endif
 endif
-endif
 
 if BUILD_AFALG
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/af_alg/afalg_hash.c
@@ -272,18 +274,25 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
 endif
 endif
 
+endif !BUILD_FIPS_RAND
+
 src_libwolfssl_la_SOURCES += \
                wolfcrypt/src/logging.c \
                wolfcrypt/src/wc_encrypt.c \
                wolfcrypt/src/wc_port.c \
-               wolfcrypt/src/error.c \
+               wolfcrypt/src/error.c
+
+if !BUILD_FIPS_RAND
+src_libwolfssl_la_SOURCES += \
                wolfcrypt/src/signature.c \
                wolfcrypt/src/wolfmath.c
+endif !BUILD_FIPS_RAND
 
 if BUILD_MEMORY
 src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c
 endif
 
+if !BUILD_FIPS_RAND
 if !BUILD_FIPS_V2
 if BUILD_DH
 src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
@@ -294,10 +303,14 @@ if BUILD_ASN
 src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c
 endif
 
+endif !BUILD_FIPS_RAND
+
 if BUILD_CODING
 src_libwolfssl_la_SOURCES += wolfcrypt/src/coding.c
 endif
 
+if !BUILD_FIPS_RAND
+
 if BUILD_POLY1305
 src_libwolfssl_la_SOURCES += wolfcrypt/src/poly1305.c
 if BUILD_INTELASM
@@ -481,4 +494,6 @@ if BUILD_SNIFFER
 src_libwolfssl_la_SOURCES += src/sniffer.c
 endif
 
-endif # !BUILD_CRYPTONLY
+endif !BUILD_CRYPTONLY
+
+endif !BUILD_FIPS_RAND