forked from wolfSSL/wolfssl
FIPS Update
1. When configuring FIPSv2, force enable RSA-PSS and ECC. 2. Add more checks for FIPSv2 around the code.
This commit is contained in:
John Safranek
11
configure.ac
11
configure.ac
@ -1935,7 +1935,16 @@ then
|
||||
# Add the FIPS flag.
|
||||
AS_IF([test "x$FIPS_VERSION" = "xv2"],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN"
|
||||
ENABLED_KEYGEN="yes"])
|
||||
ENABLED_KEYGEN="yes"
|
||||
AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
|
||||
[ENABLED_RSAPSS="yes"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
|
||||
AS_IF([test "x$ENABLED_ECC" != "xyes"],
|
||||
[ENABLED_ECC="yes"
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
|
||||
AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
|
||||
])
|
||||
else
|
||||
if test "x$ENABLED_FORTRESS" = "xyes"
|
||||
then
|
||||
|
||||
@ -186,7 +186,7 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
|
||||
* wc_RsaPublicKeyDecode
|
||||
*/
|
||||
|
||||
#else /* else build without fips */
|
||||
#else /* else build without fips, or for new fips */
|
||||
|
||||
#include <wolfssl/wolfcrypt/random.h>
|
||||
#include <wolfssl/wolfcrypt/logging.h>
|
||||
|
||||
@ -7248,7 +7248,8 @@ static int rsa_flatten_test(RsaKey* key)
|
||||
* -101 = USER_CRYPTO_ERROR
|
||||
*/
|
||||
if (ret == 0)
|
||||
#elif defined(HAVE_FIPS)
|
||||
#elif defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
if (ret != 0)
|
||||
#else
|
||||
if (ret != RSA_BUFFER_E)
|
||||
@ -8048,7 +8049,8 @@ int rsa_test(void)
|
||||
#ifndef WC_NO_RSA_OAEP
|
||||
/* OAEP padding testing */
|
||||
#if !defined(HAVE_FAST_RSA) && !defined(HAVE_USER_RSA) && \
|
||||
!defined(HAVE_FIPS)
|
||||
(!defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
|
||||
#ifndef NO_SHA
|
||||
XMEMSET(plain, 0, plainSz);
|
||||
|
||||
|
||||
@ -30,7 +30,8 @@
|
||||
#include <wolfssl/wolfcrypt/integer.h>
|
||||
|
||||
/* fips declare of RsaPrivateKeyDecode @wc_fips */
|
||||
#if defined(HAVE_FIPS) && !defined(NO_RSA)
|
||||
#if defined(HAVE_FIPS) && !defined(NO_RSA) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
#include <cyassl/ctaocrypt/rsa.h>
|
||||
#endif
|
||||
|
||||
|
||||
@ -176,8 +176,6 @@ typedef enum ecc_curve_id {
|
||||
#endif
|
||||
} ecc_curve_id;
|
||||
|
||||
#if !defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)
|
||||
|
||||
#ifdef HAVE_OID_ENCODING
|
||||
typedef word16 ecc_oid_t;
|
||||
#else
|
||||
@ -204,7 +202,6 @@ typedef struct ecc_set_type {
|
||||
int cofactor;
|
||||
} ecc_set_type;
|
||||
|
||||
#endif
|
||||
|
||||
#ifdef ALT_ECC_SIZE
|
||||
|
||||
@ -265,7 +262,6 @@ typedef struct alt_fp_int {
|
||||
#endif /* ALT_ECC_SIZE */
|
||||
|
||||
|
||||
#if !defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)
|
||||
/* A point on an ECC curve, stored in Jacbobian format such that (x,y,z) =>
|
||||
(x/z^2, y/z^3, 1) when interpreted as affine */
|
||||
typedef struct {
|
||||
@ -323,7 +319,6 @@ struct ecc_key {
|
||||
typedef struct ecc_key ecc_key;
|
||||
#define WC_ECCKEY_TYPE_DEFINED
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
||||
/* ECC predefined curve sets */
|
||||
|
||||
@ -39,7 +39,8 @@
|
||||
#include "user_rsa.h"
|
||||
#else
|
||||
|
||||
#ifdef HAVE_FIPS
|
||||
#if defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
/* for fips @wc_fips */
|
||||
#include <cyassl/ctaocrypt/rsa.h>
|
||||
#if defined(CYASSL_KEY_GEN) && !defined(WOLFSSL_KEY_GEN)
|
||||
@ -48,7 +49,11 @@
|
||||
#else
|
||||
#include <wolfssl/wolfcrypt/integer.h>
|
||||
#include <wolfssl/wolfcrypt/random.h>
|
||||
#endif /* HAVE_FIPS */
|
||||
#endif /* HAVE_FIPS && HAVE_FIPS_VERION 1 */
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
#include <wolfssl/wolfcrypt/fips.h>
|
||||
#endif
|
||||
|
||||
/* header file needed for OAEP padding */
|
||||
#include <wolfssl/wolfcrypt/hash.h>
|
||||
@ -62,7 +67,8 @@
|
||||
#endif
|
||||
|
||||
/* avoid redefinition of structs */
|
||||
#if !defined(HAVE_FIPS)
|
||||
#if !defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
|
||||
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
#include <wolfssl/wolfcrypt/async.h>
|
||||
@ -180,7 +186,9 @@ WOLFSSL_API int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inLen,
|
||||
|
||||
WOLFSSL_API int wc_RsaEncryptSize(RsaKey* key);
|
||||
|
||||
#ifndef HAVE_FIPS /* to avoid asn duplicate symbols @wc_fips */
|
||||
#if !defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
|
||||
/* to avoid asn duplicate symbols @wc_fips */
|
||||
WOLFSSL_API int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx,
|
||||
RsaKey*, word32);
|
||||
WOLFSSL_API int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx,
|
||||
|
||||
Reference in New Issue
Block a user