FIPS Update

1. Moved the rest of the FIPS algorithms to FIPSv2.
2. Updated the fips-check and autogen scripts.
3. Updated the automake include for the crypto files.
4. Updated the example server to use the wolfSSL API and wolfSSL-based OpenSSL compatibility layer.
5. Added error code for the SHA-3 KAT.
6. Updated a test case in the API test for AES-GCM encrypt that is now considered a success case, but that FIPS mode was still treating as a failure.
John Safranek
2018-02-01 11:02:35 -08:00
parent df4d748f59
commit f6fe3744a7
17 changed files with 390 additions and 183 deletions


@ -18,7 +18,8 @@ if test -e .git; then
# touch fips files for non fips distribution # touch fips files for non fips distribution
touch ./ctaocrypt/src/fips.c touch ./ctaocrypt/src/fips.c
touch ./ctaocrypt/src/fips_test.c touch ./ctaocrypt/src/fips_test.c
touch ./wolfcrypt/src/fipsv2.c touch ./wolfcrypt/src/fips.c
touch ./wolfcrypt/src/fips_test.c
touch ./wolfssl/wolfcrypt/fips.h touch ./wolfssl/wolfcrypt/fips.h
# touch CAVP selftest files for non-selftest distribution # touch CAVP selftest files for non-selftest distribution


@ -23,11 +23,11 @@
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
#include <config.h> #include <config.h>
#endif #endif
#include <cyassl/ssl.h> /* name change portability layer */ #include <wolfssl/ssl.h> /* name change portability layer */
#include <cyassl/ctaocrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#ifdef HAVE_ECC #ifdef HAVE_ECC
#include <cyassl/ctaocrypt/ecc.h> /* ecc_fp_free */ #include <wolfssl/wolfcrypt/ecc.h> /* ecc_fp_free */
#endif #endif
#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) #if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
@ -39,10 +39,10 @@
#include "wolfssl_MDK_ARM.h" #include "wolfssl_MDK_ARM.h"
#endif #endif
#include <cyassl/openssl/ssl.h> #include <wolfssl/openssl/ssl.h>
#include <cyassl/test.h> #include <wolfssl/test.h>
#ifdef CYASSL_DTLS #ifdef WOLFSSL_DTLS
#include <cyassl/error-ssl.h> #include <wolfssl/error-ssl.h>
#endif #endif
#include "examples/server/server.h" #include "examples/server/server.h"
@ -75,7 +75,7 @@ static const char webServerMsg[] =
int runWithErrors = 0; /* Used with -x flag to run err_sys vs. print errors */ int runWithErrors = 0; /* Used with -x flag to run err_sys vs. print errors */
#ifdef CYASSL_CALLBACKS #ifdef WOLFSSL_CALLBACKS
Timeval srvTo; Timeval srvTo;
static int srvHandShakeCB(HandShakeInfo* info) static int srvHandShakeCB(HandShakeInfo* info)
{ {
@ -117,13 +117,13 @@ static void err_sys_ex(int out, const char* msg)
static int NonBlockingSSL_Accept(SSL* ssl) static int NonBlockingSSL_Accept(SSL* ssl)
{ {
#ifndef CYASSL_CALLBACKS #ifndef WOLFSSL_CALLBACKS
int ret = SSL_accept(ssl); int ret = SSL_accept(ssl);
#else #else
int ret = CyaSSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo); int ret = SSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo);
#endif #endif
int error = SSL_get_error(ssl, 0); int error = SSL_get_error(ssl, 0);
SOCKET_T sockfd = (SOCKET_T)CyaSSL_get_fd(ssl); SOCKET_T sockfd = (SOCKET_T)SSL_get_fd(ssl);
int select_ret = 0; int select_ret = 0;
while (ret != WOLFSSL_SUCCESS && while (ret != WOLFSSL_SUCCESS &&
@ -149,8 +149,8 @@ static int NonBlockingSSL_Accept(SSL* ssl)
else else
#endif #endif
{ {
#ifdef CYASSL_DTLS #ifdef WOLFSSL_DTLS
currTimeout = CyaSSL_dtls_get_current_timeout(ssl); currTimeout = wolfSSL_dtls_get_current_timeout(ssl);
#endif #endif
select_ret = tcp_select(sockfd, currTimeout); select_ret = tcp_select(sockfd, currTimeout);
} }
@ -163,17 +163,17 @@ static int NonBlockingSSL_Accept(SSL* ssl)
#ifndef CYASSL_CALLBACKS #ifndef CYASSL_CALLBACKS
ret = SSL_accept(ssl); ret = SSL_accept(ssl);
#else #else
ret = CyaSSL_accept_ex(ssl, ret = SSL_accept_ex(ssl,
srvHandShakeCB, srvTimeoutCB, srvTo); srvHandShakeCB, srvTimeoutCB, srvTo);
#endif #endif
error = SSL_get_error(ssl, 0); error = SSL_get_error(ssl, 0);
} }
else if (select_ret == TEST_TIMEOUT && !CyaSSL_dtls(ssl)) { else if (select_ret == TEST_TIMEOUT && !wolfSSL_dtls(ssl)) {
error = WOLFSSL_ERROR_WANT_READ; error = WOLFSSL_ERROR_WANT_READ;
} }
#ifdef CYASSL_DTLS #ifdef WOLFSSL_DTLS
else if (select_ret == TEST_TIMEOUT && CyaSSL_dtls(ssl) && else if (select_ret == TEST_TIMEOUT && wolfSSL_dtls(ssl) &&
CyaSSL_dtls_got_timeout(ssl) >= 0) { wolfSSL_dtls_got_timeout(ssl) >= 0) {
error = WOLFSSL_ERROR_WANT_READ; error = WOLFSSL_ERROR_WANT_READ;
} }
#endif #endif
@ -284,7 +284,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block,
static void ServerRead(WOLFSSL* ssl, char* input, int inputLen) static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
{ {
int ret, err; int ret, err;
char buffer[CYASSL_MAX_ERROR_SZ]; char buffer[WOLFSSL_MAX_ERROR_SZ];
/* Read data */ /* Read data */
do { do {
@ -300,7 +300,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
} }
else else
#endif #endif
#ifdef CYASSL_DTLS #ifdef WOLFSSL_DTLS
if (wolfSSL_dtls(ssl) && err == DECRYPT_ERROR) { if (wolfSSL_dtls(ssl) && err == DECRYPT_ERROR) {
printf("Dropped client's message due to a bad MAC\n"); printf("Dropped client's message due to a bad MAC\n");
} }
@ -322,7 +322,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen) static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
{ {
int ret, err; int ret, err;
char buffer[CYASSL_MAX_ERROR_SZ]; char buffer[WOLFSSL_MAX_ERROR_SZ];
do { do {
err = 0; /* reset error */ err = 0; /* reset error */
@ -347,10 +347,10 @@ static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
static void Usage(void) static void Usage(void)
{ {
printf("server " LIBCYASSL_VERSION_STRING printf("server " LIBWOLFSSL_VERSION_STRING
" NOTE: All files relative to wolfSSL home dir\n"); " NOTE: All files relative to wolfSSL home dir\n");
printf("-? Help, print this usage\n"); printf("-? Help, print this usage\n");
printf("-p <num> Port to listen on, not 0, default %d\n", yasslPort); printf("-p <num> Port to listen on, not 0, default %d\n", wolfSSLPort);
#ifndef WOLFSSL_TLS13 #ifndef WOLFSSL_TLS13
printf("-v <num> SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n", printf("-v <num> SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n",
SERVER_DEFAULT_VERSION); SERVER_DEFAULT_VERSION);
@ -444,7 +444,7 @@ static void Usage(void)
#endif #endif
} }
THREAD_RETURN CYASSL_THREAD server_test(void* args) THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
{ {
SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID; SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID;
SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID; SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID;
@ -528,7 +528,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_WNR #ifdef HAVE_WNR
const char* wnrConfigFile = wnrConfig; const char* wnrConfigFile = wnrConfig;
#endif #endif
char buffer[CYASSL_MAX_ERROR_SZ]; char buffer[WOLFSSL_MAX_ERROR_SZ];
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
int noPskDheKe = 0; int noPskDheKe = 0;
#endif #endif
@ -591,7 +591,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
(void)mcastID; (void)mcastID;
(void)useX25519; (void)useX25519;
#ifdef CYASSL_TIRTOS #ifdef WOLFSSL_TIRTOS
fdOpenSession(Task_self()); fdOpenSession(Task_self());
#endif #endif
@ -966,7 +966,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
break; break;
#endif /* NO_TLS */ #endif /* NO_TLS */
#ifdef CYASSL_DTLS #ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS #ifndef NO_OLD_TLS
case -1: case -1:
method = wolfDTLSv1_server_method_ex; method = wolfDTLSv1_server_method_ex;
@ -1025,7 +1025,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
err_sys_ex(runWithErrors, "server can't set cipher list 1"); err_sys_ex(runWithErrors, "server can't set cipher list 1");
} }
#ifdef CYASSL_LEANPSK #ifdef WOLFSSL_LEANPSK
if (!usePsk) { if (!usePsk) {
usePsk = 1; usePsk = 1;
} }
@ -1038,7 +1038,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif #endif
if (fewerPackets) if (fewerPackets)
CyaSSL_CTX_set_group_messages(ctx); wolfSSL_CTX_set_group_messages(ctx);
#ifdef WOLFSSL_SCTP #ifdef WOLFSSL_SCTP
if (dtlsSCTP) if (dtlsSCTP)
@ -1081,7 +1081,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_NTRU #ifdef HAVE_NTRU
if (useNtruKey) { if (useNtruKey) {
if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey) if (SSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
!= WOLFSSL_SUCCESS) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "can't load ntru key file, " err_sys_ex(runWithErrors, "can't load ntru key file, "
"Please run from wolfSSL home dir"); "Please run from wolfSSL home dir");
@ -1137,7 +1137,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
if (useAnon) { if (useAnon) {
#ifdef HAVE_ANON #ifdef HAVE_ANON
CyaSSL_CTX_allow_anon_cipher(ctx); SSL_CTX_allow_anon_cipher(ctx);
if (cipherList == NULL || (cipherList && useDefCipherList)) { if (cipherList == NULL || (cipherList && useDefCipherList)) {
const char* defaultCipherList; const char* defaultCipherList;
defaultCipherList = "ADH-AES256-GCM-SHA384:" defaultCipherList = "ADH-AES256-GCM-SHA384:"
@ -1169,7 +1169,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
} }
#endif #endif
#if defined(CYASSL_SNIFFER) #if defined(WOLFSSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */ /* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) { if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS) if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS)
@ -1179,7 +1179,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_SNI #ifdef HAVE_SNI
if (sniHostName) if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName, if (SSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName,
(word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS) (word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "UseSNI failed"); err_sys_ex(runWithErrors, "UseSNI failed");
#endif #endif
@ -1287,25 +1287,25 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif #endif
#ifdef HAVE_CRL #ifdef HAVE_CRL
#ifdef HAVE_CRL_MONITOR #ifdef HAVE_CRL_MONITOR
crlFlags = CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON; crlFlags = WOLFSSL_CRL_MONITOR | WOLFSSL_CRL_START_MON;
#endif #endif
if (CyaSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS) if (wolfSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "unable to enable CRL"); err_sys_ex(runWithErrors, "unable to enable CRL");
if (CyaSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags) if (wolfSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags)
!= WOLFSSL_SUCCESS) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "unable to load CRL"); err_sys_ex(runWithErrors, "unable to load CRL");
if (CyaSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS) if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "unable to set CRL callback url"); err_sys_ex(runWithErrors, "unable to set CRL callback url");
#endif #endif
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
if (useOcsp) { if (useOcsp) {
if (ocspUrl != NULL) { if (ocspUrl != NULL) {
CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl); wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE
| CYASSL_OCSP_URL_OVERRIDE); | WOLFSSL_OCSP_URL_OVERRIDE);
} }
else else
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE); wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE);
} }
#endif #endif
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
@ -1418,20 +1418,20 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL
|| needDH == 1) { || needDH == 1) {
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN) #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
CyaSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM); wolfSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM);
#elif !defined(NO_DH) #elif !defined(NO_DH)
SetDH(ssl); /* repick suites with DHE, higher priority than PSK */ SetDH(ssl); /* repick suites with DHE, higher priority than PSK */
#endif #endif
} }
#ifndef CYASSL_CALLBACKS #ifndef WOLFSSL_CALLBACKS
if (nonBlocking) { if (nonBlocking) {
CyaSSL_set_using_nonblock(ssl, 1); wolfSSL_set_using_nonblock(ssl, 1);
tcp_set_nonblocking(&clientfd); tcp_set_nonblocking(&clientfd);
} }
#endif #endif
#ifndef CYASSL_CALLBACKS #ifndef WOLFSSL_CALLBACKS
if (nonBlocking) { if (nonBlocking) {
ret = NonBlockingSSL_Accept(ssl); ret = NonBlockingSSL_Accept(ssl);
} }
@ -1624,7 +1624,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX) #if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX)
os_dly_wait(500) ; os_dly_wait(500) ;
#elif defined (CYASSL_TIRTOS) #elif defined (WOLFSSL_TIRTOS)
Task_yield(); Task_yield();
#endif #endif
@ -1684,7 +1684,7 @@ exit:
ecc_fp_free(); /* free per thread cache */ ecc_fp_free(); /* free per thread cache */
#endif #endif
#ifdef CYASSL_TIRTOS #ifdef WOLFSSL_TIRTOS
fdCloseSession(Task_self()); fdCloseSession(Task_self());
#endif #endif
@ -1706,7 +1706,7 @@ exit:
(void) useNtruKey; (void) useNtruKey;
(void) ourDhParam; (void) ourDhParam;
(void) ourCert; (void) ourCert;
#ifndef CYASSL_TIRTOS #ifndef WOLFSSL_TIRTOS
return 0; return 0;
#endif #endif
} }
@ -1731,9 +1731,9 @@ exit:
InitTcpReady(&ready); InitTcpReady(&ready);
#if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL) #if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL)
CyaSSL_Debugging_ON(); wolfSSL_Debugging_ON();
#endif #endif
CyaSSL_Init(); wolfSSL_Init();
ChangeToWolfRoot(); ChangeToWolfRoot();
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
@ -1746,7 +1746,7 @@ exit:
printf("Server not compiled in!\n"); printf("Server not compiled in!\n");
#endif #endif
CyaSSL_Cleanup(); wolfSSL_Cleanup();
FreeTcpReady(&ready); FreeTcpReady(&ready);
#ifdef HAVE_WNR #ifdef HAVE_WNR
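Review bot: The retry call inside the `while` loop of `NonBlockingSSL_Accept` is still guarded by `#ifndef CYASSL_CALLBACKS`, while the initial call at the top of the function now tests `WOLFSSL_CALLBACKS`. With the includes switched to the `wolfssl/` headers, a build that defines only `WOLFSSL_CALLBACKS` would start the handshake with `SSL_accept_ex` and retry with plain `SSL_accept`, unless a compatibility header still maps the old macro name (not visible here). The guard should read `#ifndef WOLFSSL_CALLBACKS`. The last hunk of this file has the same leftover in `#if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL)`, which would become `DEBUG_WOLFSSL`. Both functions extend beyond the hunks shown.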


@ -11,7 +11,7 @@
# #
# $ ./fips-check [version] [keep] # $ ./fips-check [version] [keep]
# #
# - version: linux (default), ios, android, windows, freertos, linux-ecc # - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2
# #
# - keep: (default off) XXX-fips-test temp dir around for inspection # - keep: (default off) XXX-fips-test temp dir around for inspection
# #
@ -29,6 +29,7 @@ function Usage() {
printf '\t%s\n' "netbsd-selftest" printf '\t%s\n' "netbsd-selftest"
printf '\t%s\n' "sgx" printf '\t%s\n' "sgx"
printf '\t%s\n' "netos-7.6" printf '\t%s\n' "netos-7.6"
printf '\t%s\n' "linuxv2"
printf '\n%s\n\n' "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection" printf '\n%s\n\n' "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection"
printf '%s\n' "EXAMPLE:" printf '%s\n' "EXAMPLE:"
printf '%s\n' "---------------------------------" printf '%s\n' "---------------------------------"
@ -38,38 +39,42 @@ function Usage() {
LINUX_FIPS_VERSION=v3.2.6 LINUX_FIPS_VERSION=v3.2.6
LINUX_FIPS_REPO=git@github.com:wolfSSL/fips.git LINUX_FIPS_REPO=git@github.com:wolfSSL/fips.git
LINUX_CTAO_VERSION=v3.2.6 LINUX_CRYPT_VERSION=v3.2.6
LINUX_CTAO_REPO=git@github.com:cyassl/cyassl.git LINUX_CRYPT_REPO=git@github.com:cyassl/cyassl.git
LINUX_ECC_FIPS_VERSION=v3.10.3 LINUX_ECC_FIPS_VERSION=v3.10.3
LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git
LINUX_ECC_CTAO_VERSION=v3.2.6 LINUX_ECC_CRYPT_VERSION=v3.2.6
LINUX_ECC_CTAO_REPO=git@github.com:cyassl/cyassl.git LINUX_ECC_CRYPT_REPO=git@github.com:cyassl/cyassl.git
LINUXV2_FIPS_VERSION=fipsv2
LINUXV2_FIPS_REPO=git@github.com:ejohnstown/fips.git
LINUXV2_CRYPT_VERSION=fipsv2
IOS_FIPS_VERSION=v3.4.8a IOS_FIPS_VERSION=v3.4.8a
IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
IOS_CTAO_VERSION=v3.4.8.fips IOS_CRYPT_VERSION=v3.4.8.fips
IOS_CTAO_REPO=git@github.com:cyassl/cyassl.git IOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
ANDROID_FIPS_VERSION=v3.5.0 ANDROID_FIPS_VERSION=v3.5.0
ANDROID_FIPS_REPO=git@github.com:wolfSSL/fips.git ANDROID_FIPS_REPO=git@github.com:wolfSSL/fips.git
ANDROID_CTAO_VERSION=v3.5.0 ANDROID_CRYPT_VERSION=v3.5.0
ANDROID_CTAO_REPO=git@github.com:cyassl/cyassl.git ANDROID_CRYPT_REPO=git@github.com:cyassl/cyassl.git
WINDOWS_FIPS_VERSION=v3.6.6 WINDOWS_FIPS_VERSION=v3.6.6
WINDOWS_FIPS_REPO=git@github.com:wolfSSL/fips.git WINDOWS_FIPS_REPO=git@github.com:wolfSSL/fips.git
WINDOWS_CTAO_VERSION=v3.6.6 WINDOWS_CRYPT_VERSION=v3.6.6
WINDOWS_CTAO_REPO=git@github.com:cyassl/cyassl.git WINDOWS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS
FREERTOS_FIPS_REPO=git@github.com:wolfSSL/fips.git FREERTOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
FREERTOS_CTAO_VERSION=v3.6.1 FREERTOS_CRYPT_VERSION=v3.6.1
FREERTOS_CTAO_REPO=git@github.com:cyassl/cyassl.git FREERTOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS
OPENRTOS_3_9_2_FIPS_REPO=git@github.com:wolfSSL/fips.git OPENRTOS_3_9_2_FIPS_REPO=git@github.com:wolfSSL/fips.git
OPENRTOS_3_9_2_CTAO_VERSION=v3.6.1 OPENRTOS_3_9_2_CRYPT_VERSION=v3.6.1
OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git OPENRTOS_3_9_2_CRYPT_REPO=git@github.com:cyassl/cyassl.git
#NOTE: Does not include the SGX examples yet, update version once fipsv2 is #NOTE: Does not include the SGX examples yet, update version once fipsv2 is
# finished and merge conflicts can be resolved. This will be tagged as # finished and merge conflicts can be resolved. This will be tagged as
@ -77,29 +82,28 @@ OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git
#SGX_FIPS_VERSION=v3.12.4.sgx-examples #SGX_FIPS_VERSION=v3.12.4.sgx-examples
SGX_FIPS_VERSION=v3.6.6 SGX_FIPS_VERSION=v3.6.6
SGX_FIPS_REPO=git@github.com:wolfSSL/fips.git SGX_FIPS_REPO=git@github.com:wolfSSL/fips.git
SGX_CTAO_VERSION=v3.12.4 SGX_CRYPT_VERSION=v3.12.4
SGX_CTAO_REPO=git@github.com:cyassl/cyassl.git SGX_CRYPT_REPO=git@github.com:cyassl/cyassl.git
NETOS_7_6_FIPS_VERSION=v3.12.6 NETOS_7_6_FIPS_VERSION=v3.12.6
NETOS_7_6_FIPS_REPO=git@github.com:wolfSSL/fips.git NETOS_7_6_FIPS_REPO=git@github.com:wolfSSL/fips.git
NETOS_7_6_CTAO_VERSION=v3.12.4 NETOS_7_6_CRYPT_VERSION=v3.12.4
NETOS_7_6_CTAO_REPO=git@github.com:cyassl/cyassl.git NETOS_7_6_CRYPT_REPO=git@github.com:cyassl/cyassl.git
FIPS_SRCS=( fips.c fips_test.c )
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
TEST_DIR=XXX-fips-test
WC_INC_PATH=cyassl/ctaocrypt
WC_SRC_PATH=ctaocrypt/src
CAVP_SELFTEST_ONLY="no"
# non-FIPS, CAVP only but pull in selftest # non-FIPS, CAVP only but pull in selftest
# will reset above variables below in platform switch # will reset above variables below in platform switch
NETBSD_FIPS_VERSION=v3.14.2a NETBSD_FIPS_VERSION=v3.14.2a
NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git
NETBSD_CTAO_VERSION=v3.14.2 NETBSD_CRYPT_VERSION=v3.14.2
NETBSD_CTAO_REPO=git@github.com:wolfssl/wolfssl.git NETBSD_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
FIPS_SRCS=( fips.c fips_test.c )
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
TEST_DIR=XXX-fips-test
CRYPT_INC_PATH=cyassl/ctaocrypt
CRYPT_SRC_PATH=ctaocrypt/src
FIPS_OPTION=v1
CAVP_SELFTEST_ONLY="no"
if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi
@ -109,68 +113,79 @@ case $PLATFORM in
ios) ios)
FIPS_VERSION=$IOS_FIPS_VERSION FIPS_VERSION=$IOS_FIPS_VERSION
FIPS_REPO=$IOS_FIPS_REPO FIPS_REPO=$IOS_FIPS_REPO
CTAO_VERSION=$IOS_CTAO_VERSION CRYPT_VERSION=$IOS_CRYPT_VERSION
CTAO_REPO=$IOS_CTAO_REPO CRYPT_REPO=$IOS_CRYPT_REPO
;; ;;
android) android)
FIPS_VERSION=$ANDROID_FIPS_VERSION FIPS_VERSION=$ANDROID_FIPS_VERSION
FIPS_REPO=$ANDROID_FIPS_REPO FIPS_REPO=$ANDROID_FIPS_REPO
CTAO_VERSION=$ANDROID_CTAO_VERSION CRYPT_VERSION=$ANDROID_CRYPT_VERSION
CTAO_REPO=$ANDROID_CTAO_REPO CRYPT_REPO=$ANDROID_CRYPT_REPO
;; ;;
windows) windows)
FIPS_VERSION=$WINDOWS_FIPS_VERSION FIPS_VERSION=$WINDOWS_FIPS_VERSION
FIPS_REPO=$WINDOWS_FIPS_REPO FIPS_REPO=$WINDOWS_FIPS_REPO
CTAO_VERSION=$WINDOWS_CTAO_VERSION CRYPT_VERSION=$WINDOWS_CRYPT_VERSION
CTAO_REPO=$WINDOWS_CTAO_REPO CRYPT_REPO=$WINDOWS_CRYPT_REPO
;; ;;
freertos) freertos)
FIPS_VERSION=$FREERTOS_FIPS_VERSION FIPS_VERSION=$FREERTOS_FIPS_VERSION
FIPS_REPO=$FREERTOS_FIPS_REPO FIPS_REPO=$FREERTOS_FIPS_REPO
CTAO_VERSION=$FREERTOS_CTAO_VERSION CRYPT_VERSION=$FREERTOS_CRYPT_VERSION
CTAO_REPO=$FREERTOS_CTAO_REPO CRYPT_REPO=$FREERTOS_CRYPT_REPO
;; ;;
openrtos-3.9.2) openrtos-3.9.2)
FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION
FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO
CTAO_VERSION=$OPENRTOS_3_9_2_CTAO_VERSION CRYPT_VERSION=$OPENRTOS_3_9_2_CRYPT_VERSION
CTAO_REPO=$OPENRTOS_3_9_2_CTAO_REPO CRYPT_REPO=$OPENRTOS_3_9_2_CRYPT_REPO
FIPS_CONFLICTS=( aes hmac random sha256 ) FIPS_CONFLICTS=( aes hmac random sha256 )
;; ;;
linux) linux)
FIPS_VERSION=$LINUX_FIPS_VERSION FIPS_VERSION=$LINUX_FIPS_VERSION
FIPS_REPO=$LINUX_FIPS_REPO FIPS_REPO=$LINUX_FIPS_REPO
CTAO_VERSION=$LINUX_CTAO_VERSION CRYPT_VERSION=$LINUX_CRYPT_VERSION
CTAO_REPO=$LINUX_CTAO_REPO CRYPT_REPO=$LINUX_CRYPT_REPO
;; ;;
linux-ecc) linux-ecc)
FIPS_VERSION=$LINUX_ECC_FIPS_VERSION FIPS_VERSION=$LINUX_ECC_FIPS_VERSION
FIPS_REPO=$LINUX_ECC_FIPS_REPO FIPS_REPO=$LINUX_ECC_FIPS_REPO
CTAO_VERSION=$LINUX_ECC_CTAO_VERSION CRYPT_VERSION=$LINUX_ECC_CRYPT_VERSION
CTAO_REPO=$LINUX_ECC_CTAO_REPO CRYPT_REPO=$LINUX_ECC_CRYPT_REPO
;;
linuxv2)
FIPS_VERSION=$LINUXV2_FIPS_VERSION
FIPS_REPO=$LINUXV2_FIPS_REPO
CRYPT_VERSION=$LINUXV2_CRYPT_VERSION
CRYPT_INC_PATH=wolfssl/wolfcrypt
CRYPT_SRC_PATH=wolfcrypt/src
WC_MODS+=( cmac dh )
FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
FIPS_INCS=( fips.h )
FIPS_OPTION=v2
;; ;;
netbsd-selftest) netbsd-selftest)
FIPS_VERSION=$NETBSD_FIPS_VERSION FIPS_VERSION=$NETBSD_FIPS_VERSION
FIPS_REPO=$NETBSD_FIPS_REPO FIPS_REPO=$NETBSD_FIPS_REPO
CTAO_VERSION=$NETBSD_CTAO_VERSION CRYPT_VERSION=$NETBSD_CRYPT_VERSION
CTAO_REPO=$NETBSD_CTAO_REPO CRYPT_REPO=$NETBSD_CRYPT_REPO
FIPS_SRCS=( selftest.c ) FIPS_SRCS=( selftest.c )
WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random ) WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
WC_INC_PATH=wolfssl/wolfcrypt CRYPT_INC_PATH=wolfssl/wolfcrypt
WC_SRC_PATH=wolfcrypt/src CRYPT_SRC_PATH=wolfcrypt/src
CAVP_SELFTEST_ONLY="yes" CAVP_SELFTEST_ONLY="yes"
;; ;;
sgx) sgx)
FIPS_VERSION=$SGX_FIPS_VERSION FIPS_VERSION=$SGX_FIPS_VERSION
FIPS_REPO=$SGX_FIPS_REPO FIPS_REPO=$SGX_FIPS_REPO
CTAO_VERSION=$SGX_CTAO_VERSION CRYPT_VERSION=$SGX_CRYPT_VERSION
CTAO_REPO=$SGX_CTAO_REPO CRYPT_REPO=$SGX_CRYPT_REPO
;; ;;
netos-7.6) netos-7.6)
FIPS_VERSION=$NETOS_7_6_FIPS_VERSION FIPS_VERSION=$NETOS_7_6_FIPS_VERSION
FIPS_REPO=$NETOS_7_6_FIPS_REPO FIPS_REPO=$NETOS_7_6_FIPS_REPO
CTAO_VERSION=$NETOS_7_6_CTAO_VERSION CRYPT_VERSION=$NETOS_7_6_CRYPT_VERSION
CTAO_REPO=$NETOS_7_6_CTAO_REPO CRYPT_REPO=$NETOS_7_6_CRYPT_REPO
;; ;;
*) *)
Usage Usage
@ -182,27 +197,37 @@ git clone . $TEST_DIR
pushd $TEST_DIR pushd $TEST_DIR
# make a clone of the last FIPS release tag if [ "x$FIPS_OPTION" == "xv1" ];
git clone -b $CTAO_VERSION $CTAO_REPO old-tree
[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
for MOD in ${WC_MODS[@]}
do
cp old-tree/$WC_SRC_PATH/${MOD}.c $WC_SRC_PATH
cp old-tree/$WC_INC_PATH/${MOD}.h $WC_INC_PATH
done
# The following is temporary. We are using random.c from a separate release
# This is forcefully overwriting any other checkout of the cyassl sources.
# Removing this as default behavior for SGX and netos projects.
if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \
[ "x$PLATFORM" != "xnetos-7.6" ];
then then
pushd old-tree # make a clone of the last FIPS release tag
git checkout v3.6.0 git clone -b $CRYPT_VERSION $CRYPT_REPO old-tree
popd [ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH
cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH for MOD in ${WC_MODS[@]}
do
cp old-tree/$CRYPT_SRC_PATH/${MOD}.c $CRYPT_SRC_PATH
cp old-tree/$CRYPT_INC_PATH/${MOD}.h $CRYPT_INC_PATH
done
# The following is temporary. We are using random.c from a separate release
# This is forcefully overwriting any other checkout of the cyassl sources.
# Removing this as default behavior for SGX and netos projects.
if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \
[ "x$PLATFORM" != "xnetos-7.6" ];
then
pushd old-tree
git checkout v3.6.0
popd
cp old-tree/$CRYPT_SRC_PATH/random.c $CRYPT_SRC_PATH
cp old-tree/$CRYPT_INC_PATH/random.h $CRYPT_INC_PATH
fi
else
git branch --track $CRYPT_VERSION origin/$CRYPT_VERSION
# Checkout the fips versions of the wolfCrypt files from the repo.
for MOD in ${WC_MODS[@]}
do
git checkout $CRYPT_VERSION -- $CRYPT_SRC_PATH/$MOD.c $CRYPT_INC_PATH/$MOD.h
done
fi fi
# clone the FIPS repository # clone the FIPS repository
@ -211,7 +236,12 @@ git clone -b $FIPS_VERSION $FIPS_REPO fips
for SRC in ${FIPS_SRCS[@]} for SRC in ${FIPS_SRCS[@]}
do do
cp fips/$SRC $WC_SRC_PATH cp fips/$SRC $CRYPT_SRC_PATH
done
for INC in ${FIPS_INCS[@]}
do
cp fips/$INC $CRYPT_INC_PATH
done done
# run the make test # run the make test
@ -220,7 +250,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xyes" ];
then then
./configure --enable-selftest ./configure --enable-selftest
else else
./configure --enable-fips ./configure --enable-fips=$FIPS_OPTION
fi fi
make make
[ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1 [ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1
@ -229,7 +259,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
then then
NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'` NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'`
if [ -n "$NEWHASH" ]; then if [ -n "$NEWHASH" ]; then
sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $CRYPT_SRC_PATH/fips_test.c
make clean make clean
fi fi
fi fi
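Review bot: The new `linuxv2` target takes the FIPS sources from `git@github.com:ejohnstown/fips.git` at `fipsv2`, which reads as a branch on a personal fork, while the other targets use a `v3.x` version tag from `wolfSSL/fips.git`. A build that produces the in-core hash should come from a pinned tag or commit in the project repository, so that the input is reproducible and cannot change underneath the check. In the new `else` branch, `git branch --track $CRYPT_VERSION origin/$CRYPT_VERSION` and the `git checkout $CRYPT_VERSION -- ...` loop are also unchecked, unlike the clone in the v1 path. If `origin/fipsv2` is missing, the working-tree module files apparently stay in place and the script goes on to build and hash them. Appending `|| exit 1` to both commands, or reusing the `[ $? -ne 0 ] && ... && exit 1` pattern from the clone, closes that.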


@ -23,33 +23,19 @@ ipp_DATA = $(IPPLIBS)
include_HEADERS+=$(IPPHEADERS) include_HEADERS+=$(IPPHEADERS)
endif # BUILD_FAST_RSA endif # BUILD_FAST_RSA
# fips first file
if BUILD_FIPS if BUILD_FIPS
if !BUILD_FIPS_V2
# fips first file
src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_first.c src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_first.c
if BUILD_FIPS_V2
src_libwolfssl_la_SOURCES += \ src_libwolfssl_la_SOURCES += \
wolfcrypt/src/hmac.c \ ctaocrypt/src/hmac.c \
wolfcrypt/src/random.c \
wolfcrypt/src/sha256.c
else
src_libwolfssl_la_SOURCES += \
ctaocrypt/src/hmac.c
ctaocrypt/src/random.c \ ctaocrypt/src/random.c \
ctaocrypt/src/sha256.c ctaocrypt/src/sha256.c
endif
if BUILD_RSA if BUILD_RSA
if BUILD_FIPS_V2
src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
else
src_libwolfssl_la_SOURCES += ctaocrypt/src/rsa.c src_libwolfssl_la_SOURCES += ctaocrypt/src/rsa.c
endif endif
endif
if BUILD_ECC
src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
endif
if BUILD_AES if BUILD_AES
src_libwolfssl_la_SOURCES += ctaocrypt/src/aes.c src_libwolfssl_la_SOURCES += ctaocrypt/src/aes.c
@ -67,16 +53,72 @@ if BUILD_SHA512
src_libwolfssl_la_SOURCES += ctaocrypt/src/sha512.c src_libwolfssl_la_SOURCES += ctaocrypt/src/sha512.c
endif endif
if BUILD_FIPS_V2
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
endif
src_libwolfssl_la_SOURCES += ctaocrypt/src/fips.c src_libwolfssl_la_SOURCES += ctaocrypt/src/fips.c
src_libwolfssl_la_SOURCES += wolfcrypt/src/fipsv2.c
src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c
# fips last file # fips last file
src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c
else
# FIPSv2 first file
src_libwolfssl_la_SOURCES += \
wolfcrypt/src/wolfcrypt_first.c
src_libwolfssl_la_SOURCES += \
wolfcrypt/src/hmac.c \
wolfcrypt/src/random.c \
wolfcrypt/src/sha256.c
if BUILD_RSA
src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
endif
if BUILD_ECC
src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
endif
if BUILD_AES
src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
endif
if BUILD_DES3
src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
endif
if BUILD_SHA
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
endif
if BUILD_SHA512
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
endif
if BUILD_SHA3
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
endif
if BUILD_DH
src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
endif
if BUILD_CMAC
src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
endif
src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \
wolfcrypt/src/fips_test.c
# fips last file
src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
endif
endif
# For FIPSV2, exclude the wolfCrypt files included above.
# For old FIPS, keep the wolfCrypt versions of the
# CtaoCrypt files included above.
if !BUILD_FIPS_V2
src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c
endif endif
# CAVP self test # CAVP self test
@ -85,7 +127,6 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c
endif endif
src_libwolfssl_la_SOURCES += \ src_libwolfssl_la_SOURCES += \
wolfcrypt/src/hmac.c \
wolfcrypt/src/hash.c \ wolfcrypt/src/hash.c \
wolfcrypt/src/cpuid.c wolfcrypt/src/cpuid.c
@ -142,28 +183,38 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_int.c
endif endif
endif endif
if !BUILD_FIPS_V2
if BUILD_AES if BUILD_AES
src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
if BUILD_ARMASM if BUILD_ARMASM
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c
endif endif
endif endif
endif
if !BUILD_FIPS_V2
if BUILD_CMAC if BUILD_CMAC
src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
endif endif
endif
if !BUILD_FIPS_V2
if BUILD_DES3 if BUILD_DES3
src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
endif endif
endif
if !BUILD_FIPS_V2
if BUILD_SHA if BUILD_SHA
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
endif endif
endif
if !BUILD_FIPS_V2
if BUILD_SHA512 if BUILD_SHA512
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
endif endif
endif
if !BUILD_FIPS_V2 if !BUILD_FIPS_V2
if BUILD_SHA3 if BUILD_SHA3
@ -183,9 +234,11 @@ if BUILD_MEMORY
src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c
endif endif
if !BUILD_FIPS_V2
if BUILD_DH if BUILD_DH
src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
endif endif
endif
if BUILD_ASN if BUILD_ASN
src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c


@ -8400,19 +8400,21 @@ static int test_wc_AesGcmEncryptDecrypt (void)
sizeof(vector), iv, sizeof(iv)/sizeof(byte), sizeof(vector), iv, sizeof(iv)/sizeof(byte),
resultT, sizeof(resultT) - 5, a, sizeof(a)); resultT, sizeof(resultT) - 5, a, sizeof(a));
} }
if (gcmE == BAD_FUNC_ARG) {
gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV, if (gcmE == BAD_FUNC_ARG) {
sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT), gcmE = 0;
a, sizeof(a)); } else {
} gcmE = WOLFSSL_FATAL_ERROR;
#ifdef HAVE_FIPS }
if (gcmE == BAD_FUNC_ARG) { }
gcmE = 0;
} else { /* This case is now considered good. Long IVs are now allowed. */
gcmE = WOLFSSL_FATAL_ERROR; if (gcmE == 0) {
} gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
#endif sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT),
} /* END wc_AesGcmEncrypt */ a, sizeof(a));
}
/* END wc_AesGcmEncrypt */
printf(resultFmt, gcmE == 0 ? passed : failed); printf(resultFmt, gcmE == 0 ? passed : failed);
if (gcmE != 0) { if (gcmE != 0) {
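Review bot: The long-IV call that this change turns into a success case is checked only through its return value. Nothing in the visible lines compares `enc` or `resultT` with a known answer after `wc_AesGcmEncrypt(..., longIV, ...)`, so a wrong counter-block derivation for IVs that are not 96 bits long would still report `passed`. I would follow the call with a known-answer comparison of the tag, or with a `wc_AesGcmDecrypt` round trip using the same `longIV` and `resultT`, and add the comment `/* long IV: verify tag, not just the return code */`. Dropping the `#ifdef HAVE_FIPS` branch also means a build against an older FIPS module that still rejects long IVs would now fail here, if such builds are still supported. The function continues outside the hunk, where `enc` and `resultT` now hold the long-IV output.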


@ -28,12 +28,27 @@
#include <wolfssl/wolfcrypt/error-crypt.h> #include <wolfssl/wolfcrypt/error-crypt.h>
#if !defined(NO_AES) #if !defined(NO_AES)
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/aes.h> #include <wolfssl/wolfcrypt/aes.h>
#include <wolfssl/wolfcrypt/cpuid.h> #include <wolfssl/wolfcrypt/cpuid.h>
/* fips wrapper calls, user can call direct */ /* fips wrapper calls, user can call direct */
#ifdef HAVE_FIPS #if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv, int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv,
int dir) int dir)
{ {
@ -228,7 +243,7 @@
AesFree(aes); */ AesFree(aes); */
} }
#else /* HAVE_FIPS */ #else /* else build without fips, or for FIPS v2 */
#if defined(WOLFSSL_TI_CRYPT) #if defined(WOLFSSL_TI_CRYPT)
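Review bot: The added `#pragma code_seg(".fipsA$d")` / `#pragma const_seg(".fipsB$d")` pair uses the same `$d` suffix here and in the sections below that include `des3.h`, `random.h`, `sha.h`, `sha3.h` and `sha512.h`. The MSVC linker sorts section contributions by the text after `$`, so identical suffixes leave the relative order of these objects inside `.fipsA` and `.fipsB` to link order. If the module's integrity check presumes a fixed layout (not visible on this page), each source file needs its own suffix plus a comment recording the intended order, for example `/* FIPS v2: $-suffix is unique per file and fixes link order */`. The pragmas are never reset, so they apply to everything that follows in the translation unit, which is worth stating in that comment if it is intended.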


@ -31,10 +31,24 @@
#ifndef NO_DES3 #ifndef NO_DES3
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/des3.h> #include <wolfssl/wolfcrypt/des3.h>
/* fips wrapper calls, user can call direct */ /* fips wrapper calls, user can call direct */
#ifdef HAVE_FIPS #if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir) int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
{ {
return Des_SetKey(des, key, iv, dir); return Des_SetKey(des, key, iv, dir);
@ -107,7 +121,7 @@
Des3Free(des3); */ Des3Free(des3); */
} }
#else /* build without fips */ #else /* else build without fips, or for FIPS v2 */
#if defined(WOLFSSL_TI_CRYPT) #if defined(WOLFSSL_TI_CRYPT)


@ -464,6 +464,9 @@ const char* wc_GetErrorString(int error)
case AESCCM_KAT_FIPS_E: case AESCCM_KAT_FIPS_E:
return "AESCCM Known Answer Test check FIPS error"; return "AESCCM Known Answer Test check FIPS error";
case SHA3_KAT_FIPS_E:
return "SHA-3 Known Answer Test check FIPS error";
default: default:
return "unknown error number"; return "unknown error number";


@ -32,6 +32,19 @@
*/ */
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/random.h> #include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/cpuid.h> #include <wolfssl/wolfcrypt/cpuid.h>


@ -28,11 +28,25 @@
#if !defined(NO_SHA) #if !defined(NO_SHA)
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/sha.h> #include <wolfssl/wolfcrypt/sha.h>
#include <wolfssl/wolfcrypt/error-crypt.h> #include <wolfssl/wolfcrypt/error-crypt.h>
/* fips wrapper calls, user can call direct */ /* fips wrapper calls, user can call direct */
#ifdef HAVE_FIPS #if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
int wc_InitSha(wc_Sha* sha) int wc_InitSha(wc_Sha* sha)
{ {
if (sha == NULL) { if (sha == NULL) {
@ -71,7 +85,7 @@
/* Not supported in FIPS */ /* Not supported in FIPS */
} }
#else /* else build without fips */ #else /* else build without fips, or for FIPS v2 */
#if defined(WOLFSSL_TI_HASH) #if defined(WOLFSSL_TI_HASH)


@ -28,6 +28,18 @@
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT) #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT)
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/sha3.h> #include <wolfssl/wolfcrypt/sha3.h>
#include <wolfssl/wolfcrypt/error-crypt.h> #include <wolfssl/wolfcrypt/error-crypt.h>


@ -27,6 +27,19 @@
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#ifdef WOLFSSL_SHA512 #ifdef WOLFSSL_SHA512
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/sha512.h> #include <wolfssl/wolfcrypt/sha512.h>
#include <wolfssl/wolfcrypt/error-crypt.h> #include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/cpuid.h> #include <wolfssl/wolfcrypt/cpuid.h>
@ -37,7 +50,9 @@
#endif #endif
/* fips wrapper calls, user can call direct */ /* fips wrapper calls, user can call direct */
#ifdef HAVE_FIPS #if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
int wc_InitSha512(wc_Sha512* sha) int wc_InitSha512(wc_Sha512* sha)
{ {
if (sha == NULL) { if (sha == NULL) {
@ -115,7 +130,7 @@
} }
#endif /* WOLFSSL_SHA384 || HAVE_AESGCM */ #endif /* WOLFSSL_SHA384 || HAVE_AESGCM */
#else /* else build without using fips */ #else /* else build without fips, or for FIPS v2 */
#include <wolfssl/wolfcrypt/logging.h> #include <wolfssl/wolfcrypt/logging.h>


@ -31,8 +31,14 @@
#ifndef NO_AES #ifndef NO_AES
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
/* included for fips @wc_fips */ /* included for fips @wc_fips */
#ifdef HAVE_FIPS #if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
#include <cyassl/ctaocrypt/aes.h> #include <cyassl/ctaocrypt/aes.h>
#if defined(CYASSL_AES_COUNTER) && !defined(WOLFSSL_AES_COUNTER) #if defined(CYASSL_AES_COUNTER) && !defined(WOLFSSL_AES_COUNTER)
#define WOLFSSL_AES_COUNTER #define WOLFSSL_AES_COUNTER
@ -63,7 +69,7 @@
#endif #endif
/* these are required for FIPS and non-FIPS */ /* these are required for FIPS and non-FIPS */
enum { enum {
AES_128_KEY_SIZE = 16, /* for 128 bit */ AES_128_KEY_SIZE = 16, /* for 128 bit */
AES_192_KEY_SIZE = 24, /* for 192 bit */ AES_192_KEY_SIZE = 24, /* for 192 bit */
AES_256_KEY_SIZE = 32, /* for 256 bit */ AES_256_KEY_SIZE = 32, /* for 256 bit */
@ -72,7 +78,9 @@ enum {
}; };
#ifndef HAVE_FIPS /* to avoid redefinition of structures */ /* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h> #include <wolfssl/wolfcrypt/async.h>
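Review bot: The FIPS version test is written out three times in this header, as `HAVE_FIPS_VERSION >= 2`, as its negation for the legacy include, and as `!defined(HAVE_FIPS) || ...` for the struct definitions. The same three forms are repeated in the header sections for DES3, SHA and SHA-512. A slip in any one copy would select the wrong struct definition or wrapper set for a validated build, and nothing would flag it at compile time. I would define the predicate once in a shared settings header, under a name of the project's choosing, and test that macro at each site. Each `#if` should also carry a comment such as `/* legacy FIPS v1: types come from the cyassl headers */` so that the three branches can be told apart when reading. The struct definitions guarded by the last `#if` lie outside the hunk.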


@ -30,7 +30,13 @@
#ifndef NO_DES3 #ifndef NO_DES3
#ifdef HAVE_FIPS #if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
/* included for fips @wc_fips */ /* included for fips @wc_fips */
#include <cyassl/ctaocrypt/des3.h> #include <cyassl/ctaocrypt/des3.h>
#endif #endif
@ -47,7 +53,9 @@ enum {
}; };
#ifndef HAVE_FIPS /* to avoid redefinition of macros */ /* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h> #include <wolfssl/wolfcrypt/async.h>


@ -206,8 +206,9 @@ enum {
ECDSA_PAT_FIPS_E = -255, /* ECDSA PAT failure */ ECDSA_PAT_FIPS_E = -255, /* ECDSA PAT failure */
DH_KAT_FIPS_E = -256, /* DH KAT failure */ DH_KAT_FIPS_E = -256, /* DH KAT failure */
AESCCM_KAT_FIPS_E = -257, /* AESCCM KAT failure */ AESCCM_KAT_FIPS_E = -257, /* AESCCM KAT failure */
SHA3_KAT_FIPS_E = -258, /* SHA-3 KAT failure */
WC_LAST_E = -257, /* Update this to indicate last error */ WC_LAST_E = -258, /* Update this to indicate last error */
MIN_CODE_E = -300 /* errors -101 - -299 */ MIN_CODE_E = -300 /* errors -101 - -299 */
/* add new companion error id strings for any new error codes /* add new companion error id strings for any new error codes


@ -31,7 +31,13 @@
#ifndef NO_SHA #ifndef NO_SHA
#ifdef HAVE_FIPS #if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
#define wc_Sha Sha #define wc_Sha Sha
#define WC_SHA SHA #define WC_SHA SHA
#define WC_SHA_BLOCK_SIZE SHA_BLOCK_SIZE #define WC_SHA_BLOCK_SIZE SHA_BLOCK_SIZE
@ -50,7 +56,9 @@
extern "C" { extern "C" {
#endif #endif
#ifndef HAVE_FIPS /* avoid redefining structs */ /* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifdef WOLFSSL_MICROCHIP_PIC32MZ #ifdef WOLFSSL_MICROCHIP_PIC32MZ
#include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h> #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>


@ -1,6 +1,6 @@
/* sha512.h /* sha512.h
* *
* Copyright (C) 2006-2017 wolfSSL Inc. * Copyright (C) 2006-2018 wolfSSL Inc.
* *
* This file is part of wolfSSL. * This file is part of wolfSSL.
* *
@ -31,8 +31,13 @@
#ifdef WOLFSSL_SHA512 #ifdef WOLFSSL_SHA512
/* for fips @wc_fips */ #if defined(HAVE_FIPS) && \
#ifdef HAVE_FIPS defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
#define wc_Sha512 Sha512 #define wc_Sha512 Sha512
#define WC_SHA512 SHA512 #define WC_SHA512 SHA512
#define WC_SHA512_BLOCK_SIZE SHA512_BLOCK_SIZE #define WC_SHA512_BLOCK_SIZE SHA512_BLOCK_SIZE
@ -50,6 +55,7 @@
#if defined(WOLFSSL_SHA384) #if defined(WOLFSSL_SHA384)
#define CYASSL_SHA384 #define CYASSL_SHA384
#endif #endif
/* for fips @wc_fips */
#include <cyassl/ctaocrypt/sha512.h> #include <cyassl/ctaocrypt/sha512.h>
#endif #endif
@ -57,7 +63,9 @@
extern "C" { extern "C" {
#endif #endif
#ifndef HAVE_FIPS /* avoid redefinition of structs */ /* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h> #include <wolfssl/wolfcrypt/async.h>
@ -121,7 +129,9 @@ WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst);
#if defined(WOLFSSL_SHA384) #if defined(WOLFSSL_SHA384)
#ifndef HAVE_FIPS /* avoid redefinition of structs */ /* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifndef NO_OLD_WC_NAMES #ifndef NO_OLD_WC_NAMES
#define Sha384 wc_Sha384 #define Sha384 wc_Sha384