forked from wolfSSL/wolfssl
Merge pull request #8751 from douzzer/20250508-linuxkm-lkcapi-ECDH-never-fips_enabled
20250508-linuxkm-lkcapi-ECDH-never-fips_enabled
This commit is contained in:
philljj
GitHub
53
configure.ac
53
configure.ac
@@ -4452,25 +4452,6 @@ then
|
||||
ENABLED_CURVE25519="yes"
|
||||
fi
|
||||
|
||||
if test "$ENABLED_CURVE25519" != "no"
|
||||
then
|
||||
if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
|
||||
ENABLED_CURVE25519_SMALL=yes
|
||||
ENABLED_CURVE25519=yes
|
||||
fi
|
||||
|
||||
if test "$ENABLED_CURVE25519" = "no128bit" || test "$ENABLED_32BIT" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_128BIT"
|
||||
fi
|
||||
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_CURVE25519"
|
||||
AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_CURVE25519"
|
||||
ENABLED_FEMATH=yes
|
||||
fi
|
||||
|
||||
|
||||
# ED25519
|
||||
AC_ARG_ENABLE([ed25519],
|
||||
@@ -9799,12 +9780,12 @@ then
|
||||
ENABLED_OPENSSLEXTRA="yes"
|
||||
fi
|
||||
|
||||
if test "$ENABLED_CURVE25519" != "no" && test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
|
||||
if test "$ENABLED_CURVE25519" != "no" && test "$ENABLED_CURVE25519" != "asm" && test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
|
||||
then
|
||||
ENABLED_CURVE25519=noasm
|
||||
fi
|
||||
|
||||
if test "$ENABLED_ED25519" != "no" && test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
|
||||
if test "$ENABLED_ED25519" != "no" && test "$ENABLED_ED25519" != "asm" && test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
|
||||
then
|
||||
ENABLED_ED25519=noasm
|
||||
fi
|
||||
@@ -9814,18 +9795,37 @@ then
|
||||
AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_X64"
|
||||
fi
|
||||
|
||||
if test "$ENABLED_CURVE25519" != "no"
|
||||
then
|
||||
if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
|
||||
ENABLED_CURVE25519_SMALL=yes
|
||||
fi
|
||||
|
||||
if test "$ENABLED_CURVE25519" = "no128bit" || test "$ENABLED_32BIT" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_128BIT"
|
||||
fi
|
||||
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_CURVE25519"
|
||||
AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_CURVE25519"
|
||||
ENABLED_FEMATH=yes
|
||||
fi
|
||||
|
||||
if test "$ENABLED_ED25519" != "no"
|
||||
then
|
||||
if test "$ENABLED_ED25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DED25519_SMALL"
|
||||
ENABLED_ED25519_SMALL=yes
|
||||
ENABLED_CURVE25519_SMALL=yes
|
||||
ENABLED_ED25519=yes
|
||||
fi
|
||||
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519"
|
||||
AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_ED25519"
|
||||
ENABLED_FEMATH=yes
|
||||
ENABLED_GEMATH=yes
|
||||
ENABLED_CERTS=yes
|
||||
fi
|
||||
|
||||
if test "$ENABLED_ED25519" != "no" || test "$ENABLED_ED448" != "no"
|
||||
@@ -9988,13 +9988,6 @@ AS_IF([test "x$ENABLED_CERTGEN" = "xyes"],
|
||||
AS_IF([test "x$ENABLED_CERTEXT" = "xyes"],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"])
|
||||
|
||||
AS_IF([test "$ENABLED_ED25519" != "no"],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519"
|
||||
AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_ED25519"])
|
||||
|
||||
AS_IF([test "x$ENABLED_ED25519_SMALL" = "xyes"],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DED25519_SMALL"])
|
||||
|
||||
AS_IF([test "x$ENABLED_OCSP" = "xyes"],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP"])
|
||||
|
||||
|
||||
@@ -499,15 +499,24 @@ static int linuxkm_lkcapi_register(void)
|
||||
|
||||
#ifdef LINUXKM_LKCAPI_REGISTER_ECDH
|
||||
|
||||
#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) && \
|
||||
defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \
|
||||
defined(CONFIG_CRYPTO_MANAGER) && \
|
||||
/* In kernels before 5.13.0, ecdh-nist-p256 was not recognized as
|
||||
* fips_allowed, and ecdh-nist-p384 was completely
|
||||
* missing before 5.14 and not fips_allowed before 5.15.
|
||||
*
|
||||
* RedHat also recently patched their crypto manager to mark ECDH
|
||||
* !fips_allowed due the vagaries of their own certificate. (See 5074fb61f6,
|
||||
* 2025-Mar-13.)
|
||||
*
|
||||
* Given the above, and given we're not actually relying on the crypto
|
||||
* manager for FIPS self tests, and given the FIPS ECDH implementation passes
|
||||
* the non-FIPS ECDH crypto manager tests, the pragmatic solution we settle
|
||||
* on here for ECDH is to always clear fips_enabled in target kernels that
|
||||
* have it.
|
||||
*/
|
||||
|
||||
#if defined(CONFIG_CRYPTO_FIPS) && \
|
||||
defined(CONFIG_CRYPTO_MANAGER) && \
|
||||
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
|
||||
/*
|
||||
* In kernel crypto/testmgr.c, ecdh-nist-p256 was not recognized as
|
||||
* fips_allowed before 5.13, and ecdh-nist-p384 was completely
|
||||
* missing before 5.14 and not fips_allowed before 5.15.
|
||||
*/
|
||||
fips_enabled = 0;
|
||||
#endif
|
||||
|
||||
@@ -522,9 +531,8 @@ static int linuxkm_lkcapi_register(void)
|
||||
REGISTER_ALG(ecdh_nist_p384, kpp,
|
||||
linuxkm_test_ecdh_nist_p384);
|
||||
|
||||
#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) && \
|
||||
defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \
|
||||
defined(CONFIG_CRYPTO_MANAGER) && \
|
||||
#if defined(CONFIG_CRYPTO_FIPS) && \
|
||||
defined(CONFIG_CRYPTO_MANAGER) && \
|
||||
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
|
||||
fips_enabled = 1;
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user