From 8972867ada465a6700ff8ea4105f6afe3d4db43e Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 18 Sep 2018 16:08:35 -0700
Subject: [PATCH] FIPSv2: RNG Update

1. Updated the IDE/WIN10 user settings to enable RDSEED by default.
2. Updated the Windows GenerateSeed() function to take into account the RDSEED enabled setting.
3. Exclude the TestSeed() function check for the "selftest" build as well as old FIPS.
---
 IDE/WIN10/user_settings.h | 3 +++
 wolfcrypt/src/random.c | 13 +++++++++++++
 wolfcrypt/test/test.c | 2 +-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/IDE/WIN10/user_settings.h b/IDE/WIN10/user_settings.h
index 15476f9e2..4b106cf1c 100644
--- a/IDE/WIN10/user_settings.h
+++ b/IDE/WIN10/user_settings.h
@@ -42,6 +42,9 @@
     #define WOLFSSL_VALIDATE_ECC_IMPORT
     #define WOLFSSL_VALIDATE_FFC_IMPORT
     #define HAVE_FFDHE_Q
+    #define WOLFSSL_AESNI
+    #define HAVE_INTEL_RDSEED
+    #define FORCE_FAILURE_RDSEED
 #endif /* FIPS v2 */
 #else
     /* Enables blinding mode, to prevent timing attacks */
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index 597fbb24f..12ca83a79 100755
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -1442,6 +1442,19 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 
 int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 {
+    #ifdef HAVE_INTEL_RDSEED
+    if (IS_INTEL_RDSEED(intel_flags)) {
+        if (!wc_GenerateSeed_IntelRD(NULL, output, sz)) {
+            /* success, we're done */
+            return 0;
+        }
+        #ifdef FORCE_FAILURE_RDSEED
+        /* don't fall back to CryptoAPI */
+        return READ_RAN_E;
+        #endif
+    }
+    #endif /* HAVE_INTEL_RDSEED */
+
     if(!CryptAcquireContext(&os->handle, 0, 0, PROV_RSA_FULL,
                             CRYPT_VERIFYCONTEXT))
         return WINCRYPT_E;
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index d9af1b827..0995b7663 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
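Review bot: `FORCE_FAILURE_RDSEED` is switched on by default in the FIPS v2 block with no comment saying why a Windows FIPS build should hard-fail seeding rather than fall back to CryptoAPI when RDSEED is available but fails, which is exactly the kind of define a later maintainer may remove as an "unnecessary failure". A one-line comment above the three new defines would pin the intent, e.g. `/* FIPS v2: seed from RDSEED and fail seeding rather than silently switch to CryptoAPI if RDSEED fails */` — assuming that is the rationale, which the commit message only implies. `WOLFSSL_AESNI` is also added here without a mention in the commit message; if it is intentional it deserves a word in the description, and whether it is safe on CPUs without AES-NI presumably depends on the library's runtime feature detection, which this hunk does not show.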
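Review bot: When `FORCE_FAILURE_RDSEED` is not defined, an RDSEED failure inside the new `if (IS_INTEL_RDSEED(intel_flags))` block falls through to the CryptoAPI path with no comment or other trace, while the only comment documents the opposite case; a reader cannot tell the silent source switch is intentional. I would add, after the inner `if`'s closing brace, `/* RDSEED failed (e.g. transiently exhausted); unless FORCE_FAILURE_RDSEED is set, fall back to CryptoAPI below */`. In the hard-fail path `output` may already hold whatever `wc_GenerateSeed_IntelRD` wrote before it failed; that is harmless only if callers discard the buffer on a non-zero return, so clearing it before `return READ_RAN_E;` would be the defensive choice. The RDSEED branch also depends on `intel_flags` having been populated before `wc_GenerateSeed` runs, which this hunk does not show — presumably the RNG init path does it, but a direct caller would silently get the CryptoAPI path instead. The rest of `wc_GenerateSeed` continues outside the hunk.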
@@ -8277,7 +8277,7 @@ int random_test(void)
         return ret;
 
     /* Test the seed check function. */
-#if !defined(HAVE_FIPS) || \
+#if !(defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) || \
     (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
     {
         word32 i, outputSz;
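Review bot: The new `#if` still compiles the seed-check block for a build that defines `HAVE_SELFTEST` together with `HAVE_FIPS_VERSION >= 2`, because the unchanged second clause of the condition re-enables it; if selftest builds never define `HAVE_FIPS_VERSION` that is fine, but the commit message says the check is excluded for selftest unconditionally, so either the condition or the message should say which is meant. The reason for the exclusion is also not recorded in the file, and the next person to touch this directive will have to dig through history for it; a comment next to it such as `/* Seed check is only available on FIPS v2 builds; skipped for selftest and FIPS v1. */` would help, hedged to whatever the actual constraint is. `random_test` starts and ends outside the hunk.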