feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

FIPS Revalidation

Browse Source 
1. Added CMAC to the boundary.
2. Added DHE to the boundary.
This commit is contained in:
John Safranek
2018-02-01 11:20:57 -08:00
parent 8576dc4a6c
commit 80e589c7d9
5 changed files with 53 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
configure.ac
View File

@@ -1881,7 +1881,8 @@ fi
AS_IF([test "x$ENABLED_CMAC" = "xyes"], AS_IF([test "x$ENABLED_CMAC" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"]) [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"])
AM_CONDITIONAL([BUILD_CMAC], [test "x$ENABLED_CMAC" = "xyes"]) #AM_CONDITIONAL([BUILD_CMAC], [test "x$ENABLED_CMAC" = "xyes"])
#moved to FIPS section
# AES-XTS # AES-XTS
@@ -1994,6 +1995,9 @@ then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256" AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"], AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])]) [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
AS_IF([test "x$ENABLED_CMAC" != "xyes"],
[ENABLED_CMAC="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"])
]) ])
else else
if test "x$ENABLED_FORTRESS" = "xyes" if test "x$ENABLED_FORTRESS" = "xyes"
@@ -2004,6 +2008,7 @@ fi
AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"]) AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"])
AM_CONDITIONAL([BUILD_FIPS_V2], [test "x$FIPS_VERSION" = "xv2"]) AM_CONDITIONAL([BUILD_FIPS_V2], [test "x$FIPS_VERSION" = "xv2"])
AM_CONDITIONAL([BUILD_CMAC], [test "x$ENABLED_CMAC" = "xyes"])
# SELFTEST # SELFTEST
AC_ARG_ENABLE([selftest], AC_ARG_ENABLE([selftest],

12
wolfcrypt/src/cmac.c
View File

@@ -28,6 +28,18 @@
#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#ifdef NO_INLINE #ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h> #include <wolfssl/wolfcrypt/misc.h>
#else #else

15
wolfcrypt/src/dh.c
View File

@@ -28,6 +28,18 @@
#ifndef NO_DH #ifndef NO_DH
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/dh.h> #include <wolfssl/wolfcrypt/dh.h>
#include <wolfssl/wolfcrypt/error-crypt.h> #include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/logging.h> #include <wolfssl/wolfcrypt/logging.h>
@@ -524,7 +536,7 @@ int wc_InitDhKey(DhKey* key)
} }
void wc_FreeDhKey(DhKey* key) int wc_FreeDhKey(DhKey* key)
{ {
if (key) { if (key) {
mp_clear(&key->p); mp_clear(&key->p);
@@ -535,6 +547,7 @@ void wc_FreeDhKey(DhKey* key)
wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_DH); wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_DH);
#endif #endif
} }
return 0;
} }

10
wolfssl/wolfcrypt/cmac.h
View File

@@ -28,10 +28,19 @@
#if !defined(NO_AES) && defined(WOLFSSL_CMAC) #if !defined(NO_AES) && defined(WOLFSSL_CMAC)
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
#endif #endif
/* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
typedef struct Cmac { typedef struct Cmac {
Aes aes; Aes aes;
byte buffer[AES_BLOCK_SIZE]; /* partially stored block */ byte buffer[AES_BLOCK_SIZE]; /* partially stored block */
@@ -47,6 +56,7 @@ typedef enum CmacType {
WC_CMAC_AES = 1 WC_CMAC_AES = 1
} CmacType; } CmacType;
#endif /* HAVE_FIPS */
WOLFSSL_API WOLFSSL_API
int wc_InitCmac(Cmac* cmac, int wc_InitCmac(Cmac* cmac,

12
wolfssl/wolfcrypt/dh.h
View File

@@ -30,6 +30,11 @@
#ifndef NO_DH #ifndef NO_DH
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
#include <wolfssl/wolfcrypt/integer.h> #include <wolfssl/wolfcrypt/integer.h>
#include <wolfssl/wolfcrypt/random.h> #include <wolfssl/wolfcrypt/random.h>
@@ -37,6 +42,10 @@
extern "C" { extern "C" {
#endif #endif
/* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h> #include <wolfssl/wolfcrypt/async.h>
#endif #endif
@@ -56,6 +65,7 @@ typedef struct DhKey {
#endif #endif
} DhKey; } DhKey;
#endif /* HAVE_FIPS */
#ifdef HAVE_FFDHE_2048 #ifdef HAVE_FFDHE_2048
WOLFSSL_API const DhParams* wc_Dh_ffdhe2048_Get(void); WOLFSSL_API const DhParams* wc_Dh_ffdhe2048_Get(void);
@@ -75,7 +85,7 @@ WOLFSSL_API const DhParams* wc_Dh_ffdhe8192_Get(void);
WOLFSSL_API int wc_InitDhKey(DhKey* key); WOLFSSL_API int wc_InitDhKey(DhKey* key);
WOLFSSL_API int wc_InitDhKey_ex(DhKey* key, void* heap, int devId); WOLFSSL_API int wc_InitDhKey_ex(DhKey* key, void* heap, int devId);
WOLFSSL_API void wc_FreeDhKey(DhKey* key); WOLFSSL_API int wc_FreeDhKey(DhKey* key);
WOLFSSL_API int wc_DhGenerateKeyPair(DhKey* key, WC_RNG* rng, byte* priv, WOLFSSL_API int wc_DhGenerateKeyPair(DhKey* key, WC_RNG* rng, byte* priv,
word32* privSz, byte* pub, word32* pubSz); word32* privSz, byte* pub, word32* pubSz);