From 54c4258c4ba6ee234f7ed0f0dd9c8d14956a219f Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 22 Sep 2020 15:23:36 -0700 Subject: [PATCH 1/2] FIPS Ready Windows Fix 1. Modify the WIN10 FIPS solution user_settings.h to check for a FIPS Ready flag and to override HAVE_FIPS_VERSION to 3 if set. 2. Removed some redundant constants from the EVP file. --- IDE/WIN10/user_settings.h | 8 ++++++++ wolfcrypt/src/evp.c | 10 ---------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/IDE/WIN10/user_settings.h b/IDE/WIN10/user_settings.h index 0ae91aeec..5c03e94fc 100644 --- a/IDE/WIN10/user_settings.h +++ b/IDE/WIN10/user_settings.h @@ -1,6 +1,14 @@ #ifndef _WIN_USER_SETTINGS_H_ #define _WIN_USER_SETTINGS_H_ +/* For FIPS Ready, uncomment the following: */ +/* #define WOLFSSL_FIPS_READY */ +#ifdef WOLFSSL_FIPS_READY + #undef HAVE_FIPS_VERSION + #define HAVE_FIPS_VERSION 3 +#endif + + /* Verify this is Windows */ #ifndef _WIN32 #error This user_settings.h header is only designed for Windows diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index a1c41eb49..a455bedfa 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -36,16 +36,6 @@ #if defined(OPENSSL_EXTRA) #if !defined(HAVE_PKCS7) && \ - ((defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) || defined(HAVE_SELFTEST)) -enum { - /* In the event of fips cert 3389 or CAVP selftest build, these enums are - * not in aes.h for use with evp so enumerate it here outside the fips - * boundary */ - GCM_NONCE_MID_SZ = 12, /* The usual default nonce size for AES-GCM. */ - CCM_NONCE_MIN_SZ = 7, -}; -#elif !defined(HAVE_PKCS7) && \ ((defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \ (HAVE_FIPS_VERSION == 2)) || defined(HAVE_SELFTEST)) #include From f1effea638aea7c529686d423e4d3172daaa9bf1 Mon Sep 17 00:00:00 2001 
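Review bot: The `#ifdef WOLFSSL_FIPS_READY` block added at the top of IDE/WIN10/user_settings.h replaces whatever HAVE_FIPS_VERSION the build already set with 3 and leaves no trace in the build output, so a stray WOLFSSL_FIPS_READY define moves a build intended for the v2 (#3389) configuration to version 3 without any diagnostic. Since this header is Windows-only, a `#pragma message("WOLFSSL_FIPS_READY set: HAVE_FIPS_VERSION overridden to 3")` inside the block would make the switch visible in the build log. The comment above the block could also say why the `#undef` is needed, e.g. `/* Overrides the HAVE_FIPS_VERSION=2 set in the project options. */`, which is what the README's option list suggests but the hunk does not show. The rest of the header lies outside the hunk, so it is worth confirming that nothing further down defines HAVE_FIPS_VERSION again.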
From: David Garske Date: Tue, 22 Sep 2020 15:55:08 -0700 Subject: [PATCH 2/2] Improve the IDE/WIN10 readme to clarify the difference between this and IDE/WIN. --- IDE/WIN/README.txt | 2 ++ IDE/WIN10/README.txt | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/IDE/WIN/README.txt b/IDE/WIN/README.txt index c748bc5ea..7dfadc789 100644 --- a/IDE/WIN/README.txt +++ b/IDE/WIN/README.txt @@ -3,6 +3,8 @@ First, if you did not get the FIPS files with your archive, you must contact wolfSSL to obtain them. +The IDE/WIN/wolfssl-fips.sln solution is for the original FIPS #2425 certificate. +See IDE/WIN10/wolfssl-fips.sln for the FIPS v2 #3389 or later Visual Studio solution. # Building the wolfssl-fips project diff --git a/IDE/WIN10/README.txt b/IDE/WIN10/README.txt index c748bc5ea..bc335c3cc 100644 --- a/IDE/WIN10/README.txt +++ b/IDE/WIN10/README.txt @@ -3,6 +3,7 @@ First, if you did not get the FIPS files with your archive, you must contact wolfSSL to obtain them. +The IDE/WIN10/wolfssl-fips.sln solution is for the FIPS v2 #3389 certificate or later. # Building the wolfssl-fips project @@ -47,6 +48,7 @@ check value when changing your application. The default build options should be the proper default set of options: * HAVE_FIPS + * HAVE_FIPS_VERSION=2 (or 3 with WOLFSSL_FIPS_READY) * HAVE_THREAD_LS * HAVE_AESGCM * HAVE_HASHDRBG @@ -67,4 +69,4 @@ Additionally one may enable: * OPENSSL_EXTRA * WOLFSSL_KEY_GEN -These settings are defined in IDE/WIN/user_settings.h. +These settings are defined in IDE/WIN10/user_settings.h.