feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

For KCAPI do not force enable ECC curves, set K or seed callback, disable AES GCM tests with non standard IV.

Browse Source
This commit is contained in:
David Garske
2022-03-17 14:41:35 -07:00
parent d864fc9a3f
commit 5fe6f1c875
3 changed files with 33 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
configure.ac
View File

@@ -2075,19 +2075,21 @@ then
AS_IF([test "$enable_kcapi_hash" != "no"], [ENABLED_KCAPI_HASH=yes]) AS_IF([test "$enable_kcapi_hash" != "no"], [ENABLED_KCAPI_HASH=yes])
AS_IF([test "$enable_kcapi_hmac" != "no"], [ENABLED_KCAPI_HMAC=yes]) AS_IF([test "$enable_kcapi_hmac" != "no"], [ENABLED_KCAPI_HMAC=yes])
AS_IF([test "$enable_kcapi_aes" != "no"], [ENABLED_KCAPI_AES=yes]) AS_IF([test "$enable_kcapi_aes" != "no"], [ENABLED_KCAPI_AES=yes])
# currently the PK alg KCAPI options run into build failures, so disabling here for now. AS_IF([test "$enable_kcapi_rsa" != "no"], [ENABLED_KCAPI_RSA=yes])
# AS_IF([test "$enable_kcapi_rsa" != "no"], [ENABLED_KCAPI_RSA=yes]) AS_IF([test "$enable_kcapi_dh" != "no"], [ENABLED_KCAPI_DH=yes])
# AS_IF([test "$enable_kcapi_dh" != "no"], [ENABLED_KCAPI_DH=yes]) AS_IF([test "$enable_kcapi_ecc" != "no"], [ENABLED_KCAPI_ECC=yes])
# AS_IF([test "$enable_kcapi_ecc" != "no"], [ENABLED_KCAPI_ECC=yes])
fi fi
AS_IF([test "$ENABLED_KCAPI_HASH" != "no" || if test "$ENABLED_KCAPI_HASH" != "no" ||
test "$ENABLED_KCAPI_HMAC" != "no" || test "$ENABLED_KCAPI_HMAC" != "no" ||
test "$ENABLED_KCAPI_AES" != "no" || test "$ENABLED_KCAPI_AES" != "no" ||
test "$ENABLED_KCAPI_RSA" != "no" || test "$ENABLED_KCAPI_RSA" != "no" ||
test "$ENABLED_KCAPI_DH" != "no" || test "$ENABLED_KCAPI_DH" != "no" ||
test "$ENABLED_KCAPI_ECC" != "no"], test "$ENABLED_KCAPI_ECC" != "no"
[LIBS="$LIBS -lkcapi"]) then
LIBS="$LIBS -lkcapi"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI"
fi
if test "$ENABLED_KCAPI_HASH" = "yes" if test "$ENABLED_KCAPI_HASH" = "yes"
then then
@@ -3594,16 +3596,10 @@ AS_CASE([$FIPS_VERSION],
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \ -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_ECC_CDH \ -DHAVE_ECC_CDH \
-DWC_RSA_NO_PADDING \ -DWC_RSA_NO_PADDING \
-DWOLFSSL_ECDSA_SET_K \
-DWOLFSSL_VALIDATE_ECC_IMPORT \ -DWOLFSSL_VALIDATE_ECC_IMPORT \
-DECC_USER_CURVES \ -DECC_USER_CURVES \
-DHAVE_ECC192 \
-DHAVE_ECC224 \
-DHAVE_ECC256 \
-DHAVE_ECC384 \ -DHAVE_ECC384 \
-DHAVE_ECC521 \ -DHAVE_ECC521 \
-DWOLFSSL_ECDSA_SET_K \
-DWC_RNG_SEED_CB \
-DWOLFSSL_VALIDATE_FFC_IMPORT \ -DWOLFSSL_VALIDATE_FFC_IMPORT \
-DHAVE_FFDHE_Q \ -DHAVE_FFDHE_Q \
-DHAVE_FFDHE_3072 \ -DHAVE_FFDHE_3072 \
@@ -3611,6 +3607,15 @@ AS_CASE([$FIPS_VERSION],
-DHAVE_FFDHE_6144 \ -DHAVE_FFDHE_6144 \
-DHAVE_FFDHE_8192" -DHAVE_FFDHE_8192"
# KCAPI API does not support custom k for sign, don't force enable ECC key sizes and do not use seed callback
AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
[AM_CFLAGS="$AM_CFLAGS \
-DWC_RNG_SEED_CB \
-DWOLFSSL_ECDSA_SET_K \
-DHAVE_ECC192 \
-DHAVE_ECC224 \
-DHAVE_ECC256"])
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
# force various features to FIPS 140-3 defaults, unless overridden with v5-dev: # force various features to FIPS 140-3 defaults, unless overridden with v5-dev:

10
wolfcrypt/test/test.c
View File

@@ -1120,13 +1120,15 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\
return err_sys("AES-GCM test failed!\n", ret); return err_sys("AES-GCM test failed!\n", ret);
#endif #endif
#if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT) && \ #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT) && \
!(defined(WOLF_CRYPTO_CB) && \ !defined(WOLFSSL_KCAPI_AES) && !(defined(WOLF_CRYPTO_CB) && \
(defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC))) (defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)))
if ((ret = aesgcm_default_test()) != 0) { if ((ret = aesgcm_default_test()) != 0) {
return err_sys("AES-GCM test failed!\n", ret); return err_sys("AES-GCM test failed!\n", ret);
} }
#endif #endif
if (ret == 0) {
TEST_PASS("AES-GCM test passed!\n"); TEST_PASS("AES-GCM test passed!\n");
}
#endif #endif
#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128) #if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
@@ -21039,7 +21041,8 @@ done:
#endif #endif
#if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_SET_K) #if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_SET_K) && \
!defined(WOLFSSL_KCAPI_ECC)
static int ecc_test_sign_vectors(WC_RNG* rng) static int ecc_test_sign_vectors(WC_RNG* rng)
{ {
int ret; int ret;
@@ -24118,7 +24121,8 @@ WOLFSSL_TEST_SUBROUTINE int ecc_test(void)
#endif #endif
#endif #endif
#if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_SET_K) #if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_SET_K) && \
!defined(WOLFSSL_KCAPI_ECC)
ret = ecc_test_sign_vectors(&rng); ret = ecc_test_sign_vectors(&rng);
if (ret != 0) { if (ret != 0) {
printf("ecc_test_sign_vectors failed! %d\n", ret); printf("ecc_test_sign_vectors failed! %d\n", ret);

3
wolfssl/wolfcrypt/settings.h
View File

@@ -1627,9 +1627,12 @@ extern void uITRON4_free(void *p) ;
#define WOLFSSL_AES_GCM_FIXED_IV_AAD #define WOLFSSL_AES_GCM_FIXED_IV_AAD
#endif #endif
#ifdef WOLFSSL_KCAPI_ECC #ifdef WOLFSSL_KCAPI_ECC
#undef ECC_USER_CURVES
#define ECC_USER_CURVES #define ECC_USER_CURVES
#undef NO_ECC256 #undef NO_ECC256
#undef HAVE_ECC384
#define HAVE_ECC384 #define HAVE_ECC384
#undef HAVE_ECC521
#define HAVE_ECC521 #define HAVE_ECC521
#endif #endif