From d6fb454063fba8498efc7de09979c851ef0472d4 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 9 Mar 2022 10:35:39 -0800 Subject: [PATCH] Fix wolfRand Build 1. Remove the v3 FIPS build from configure and automake. This was for the old FIPS Ready build, which is now fixed to the certificate 3389 configuration. 2. Remove AES-GCM, PKCS12, and SHA-3 from wolfRand build. They were getting reenabled later in the configure. --- configure.ac | 26 ++++++++++++-------- src/include.am | 66 -------------------------------------------------- 2 files changed, 16 insertions(+), 76 deletions(-) diff --git a/configure.ac b/configure.ac index b930c50ec..f47069b1f 100644 --- a/configure.ac +++ b/configure.ac @@ -266,11 +266,13 @@ AS_CASE([$ENABLED_FIPS], [v2|cert3389],[ FIPS_VERSION="v2" HAVE_FIPS_VERSION=2 + HAVE_FIPS_VERSION_MINOR=0 ENABLED_FIPS="yes" ], [rand],[ FIPS_VERSION="rand" - HAVE_FIPS_VERSION=3 + HAVE_FIPS_VERSION=2 + HAVE_FIPS_VERSION_MINOR=1 ENABLED_FIPS="yes" ], [v5-RC8],[ @@ -857,7 +859,8 @@ AC_ARG_ENABLE([tls13], [ ENABLED_TLS13=$enableval ], [ ENABLED_TLS13=yes ] ) -if test "x$FIPS_VERSION" = "xv1" +if test "x$FIPS_VERSION" = "xv1" || + ( test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" = 1 ) then ENABLED_TLS13="no" fi @@ -1694,8 +1697,8 @@ AC_ARG_ENABLE([aesgcm-stream], ) # leanpsk and leantls don't need gcm -if test "$ENABLED_LEANPSK" = "yes" || ( test "$ENABLED_LEANTLS" = "yes" && - test "$ENABLED_TLS13" = "no") +if test "$FIPS_VERSION" = "rand" || test "$ENABLED_LEANPSK" = "yes" || + (test "$ENABLED_LEANTLS" = "yes" && test "$ENABLED_TLS13" = "no") then ENABLED_AESGCM=no fi @@ -2262,7 +2265,9 @@ fi SHA224_DEFAULT=no if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" then - if test "x$ENABLED_AFALG" = "xno" && test "x$ENABLED_DEVCRYPTO" = "xno" && ( test "x$ENABLED_FIPS" = "xno" || test "$HAVE_FIPS_VERSION" = 2 ) + if test "x$ENABLED_AFALG" = "xno" && test "x$ENABLED_DEVCRYPTO" = "xno" && + ( test "x$ENABLED_FIPS" = "xno" || + ( test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" != 1 ) ) then SHA224_DEFAULT=yes fi @@ -5482,7 +5487,7 @@ fi # PKCS#12 # set PKCS#12 default PKCS12_DEFAULT=yes -if test "$ENABLED_ASN" = "no" +if test "$ENABLED_ASN" = "no" || test "$FIPS_VERSION" = "rand" then PKCS12_DEFAULT=no fi @@ -6883,7 +6888,8 @@ do -DHAVE_FFDHE_2048 | -DTFM_TIMING_RESISTANT | -DECC_TIMING_RESISTANT | \ -DWC_RSA_BLINDING | -DHAVE_AESGCM | -DWOLFSSL_SHA512 | -DWOLFSSL_SHA384 | \ -DHAVE_ECC | -DTFM_ECC256 | -DECC_SHAMIR | -DHAVE_TLS_EXTENSIONS | \ --DHAVE_SUPPORTED_CURVES | -DHAVE_EXTENDED_MASTER | -DUSE_FAST_MATH) +-DHAVE_SUPPORTED_CURVES | -DHAVE_EXTENDED_MASTER | -DUSE_FAST_MATH | \ +-DWOLFSSL_SHA3) AS_ECHO(["ignoring $v"]) ;; *) @@ -7580,11 +7586,11 @@ AM_CONDITIONAL([BUILD_MD5],[test "x$ENABLED_MD5" = "xyes" || test "x$ENABLED_USE AM_CONDITIONAL([BUILD_SHA],[test "x$ENABLED_SHA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_FIPS],[test "x$ENABLED_FIPS" = "xyes"]) AM_CONDITIONAL([BUILD_FIPS_V1],[test "$HAVE_FIPS_VERSION" = 1]) -AM_CONDITIONAL([BUILD_FIPS_V2],[test "$HAVE_FIPS_VERSION" = 2]) -AM_CONDITIONAL([BUILD_FIPS_RAND],[test "x$FIPS_VERSION" = "xrand"]) -AM_CONDITIONAL([BUILD_FIPS_V3],[test "$HAVE_FIPS_VERSION" = 3]) +AM_CONDITIONAL([BUILD_FIPS_V2],[test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" = 0]) +AM_CONDITIONAL([BUILD_FIPS_RAND],[test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" = 1]) AM_CONDITIONAL([BUILD_FIPS_V5],[test "$HAVE_FIPS_VERSION" = 5]) AM_CONDITIONAL([BUILD_FIPS_CURRENT],[test "$HAVE_FIPS_VERSION" -ge 2 ]) + # BUILD_FIPS_CURRENT is for builds after cert 2425. AM_CONDITIONAL([BUILD_SIPHASH],[test "x$ENABLED_SIPHASH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"]) diff --git a/src/include.am b/src/include.am index 8eb8ffc0b..9a29d640a 100644 --- a/src/include.am +++ b/src/include.am @@ -157,70 +157,6 @@ src_libwolfssl_la_SOURCES += \ wolfcrypt/src/wolfcrypt_last.c endif BUILD_FIPS_RAND -if BUILD_FIPS_V3 -# FIPS Ready first file -src_libwolfssl_la_SOURCES += \ - wolfcrypt/src/wolfcrypt_first.c - -src_libwolfssl_la_SOURCES += \ - wolfcrypt/src/hmac.c \ - wolfcrypt/src/random.c \ - wolfcrypt/src/sha256.c - -if BUILD_RSA -src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c -endif - -if BUILD_ECC -src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c -endif - -if BUILD_AES -src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c -endif - -if BUILD_AESNI -src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.S -src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S -endif - -if BUILD_DES3 -src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c -endif - -if BUILD_SHA -src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c -if BUILD_INTELASM -src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S -endif -endif - -if BUILD_SHA512 -src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c -if BUILD_INTELASM -src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S -endif -endif - -if BUILD_SHA3 -src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c -endif - -if BUILD_DH -src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c -endif - -if BUILD_CMAC -src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c -endif - -src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \ - wolfcrypt/src/fips_test.c - -# FIPS Ready last file -src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c -endif BUILD_FIPS_V3 - if BUILD_FIPS_V5 # FIPS 140-3 first file src_libwolfssl_la_SOURCES += \ @@ -449,11 +385,9 @@ endif endif !BUILD_FIPS_CURRENT if !BUILD_FIPS_V2 -if !BUILD_FIPS_V3 if BUILD_DES3 src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c endif BUILD_DES3 -endif !BUILD_FIPS_V3 endif !BUILD_FIPS_V2 if !BUILD_FIPS_CURRENT