WCv4.0.1-stable changes

CHAR_BIT to 8, simplify logic from peer review

Update build script

fips-check.sh

@@ -11,7 +11,7 @@
 #
 #     $ ./fips-check [version] [keep]
 #
-#     - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2, fips-ready
+#     - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2, fips-ready, stm32l4-v2
 #
 #     - keep: (default off) XXX-fips-test temp dir around for inspection
 #
@@ -32,6 +32,7 @@ Platform is one of:
     netos-7.6
     linuxv2 (FIPSv2, use for Win10)
     fips-ready
+    stm32l4-v2 (FIPSv2, use for STM32L4)
 Keep (default off) retains the XXX-fips-test temp dir for inspection.
 
 Example:
@@ -95,6 +96,10 @@ NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git
 NETBSD_CRYPT_VERSION=v3.14.2
 NETBSD_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
 
+STM32L4_V2_FIPS_VERSION=WCv4.0.1-stable
+STM32L4_V2_FIPS_REPO=git@github.com:wolfSSL/fips.git
+STM32L4_V2_CRYPT_VERSION=WCv4.0.1-stable
+
 FIPS_SRCS=( fips.c fips_test.c )
 WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
 TEST_DIR=XXX-fips-test
@@ -197,6 +202,19 @@ fips-ready)
   FIPS_INCS=( fips.h )
   FIPS_OPTION=ready
   ;;
+stm32l4-v2)
+  FIPS_VERSION=$STM32L4_V2_FIPS_VERSION
+  FIPS_REPO=$STM32L4_V2_FIPS_REPO
+  CRYPT_VERSION=$STM32L4_V2_CRYPT_VERSION
+  CRYPT_INC_PATH=wolfssl/wolfcrypt
+  CRYPT_SRC_PATH=wolfcrypt/src
+# Replace the WC_MODS list for now. Do not want to copy over random.c yet.
+  WC_MODS=( aes des3 sha sha256 sha512 rsa hmac )
+  WC_MODS+=( cmac dh ecc )
+  FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
+  FIPS_INCS=( fips.h )
+  FIPS_OPTION=v2
+  ;;
 *)
   Usage
   exit 1

scripts/include.am

@@ -90,3 +90,6 @@ EXTRA_DIST +=  scripts/testsuite.pcap \
 EXTRA_DIST +=  scripts/openssl.test
 
 EXTRA_DIST +=  scripts/dertoc.pl
+
+# for use with wolfssl-x.x.x-commercial-fips-stm32l4-v2
+EXTRA_DIST += scripts/stm32l4-v4_0_1_build.sh

scripts/stm32l4-v4_0_1_build.sh

@@ -0,0 +1,199 @@
+#!/bin/bash
+WOLF_ROOT=$(eval "pwd")
+echo "WOLF_ROOT set to: \"$WOLF_ROOT\""
+cd ../ || exit 5
+APP_ROOT=$(eval "pwd")
+echo "APP_ROOT set to: \"$APP_ROOT\""
+cd ../../ || exit 5
+FIRMWARE_ROOT=$(eval "pwd")
+echo "FIRMWARE_ROOT set to: \"$FIRMWARE_ROOT\""
+cd "$WOLF_ROOT"  || exit 5
+
+WOLFCRYPT_SRC_LIST=(wolfcrypt_first hmac random sha256 rsa ecc aes des3 sha
+                    sha512 sha3 dh cmac fips fips_test wolfcrypt_last asn coding
+                    dsa error hash logging md5 memory signature tfm wc_encrypt
+                    wc_port wolfmath
+                   )
+
+assumptions(){
+    printf '%s\n' "ASSUMPTIONS:"
+    printf '%s\n' "It is assumed that the firmware directory layout is as follows:"
+    printf '%s\n' "firmware-root/"
+    printf '%s\n' "firmware-root/dir1/"
+    printf '%s\n' "firmware-root/dir1/app-root/"
+    printf '%s\n' "firmware-root/dir1/app-root/wolfssl-x.x.x-commercial-fips-stm32l4-v2/"
+    printf '\n\n%s\n' "It is also assumed this script will be run from the directory:"
+    printf '%s\n' "firmware-root/dir1/app-root/wolfssl-x.x.x-commercial-fips-stm32l4-v2/"
+    printf '%s\n' "with the command:"
+    printf '%s\n' "./scripts/stm32l4-v4_0_2_build.sh"
+}
+
+flatten_wolfcrypt_sources(){
+    if [ -d "$WOLF_ROOT" ]; then
+
+        for TARGET_FILE in "${WOLFCRYPT_SRC_LIST[@]}"
+        do
+            if [ -f "$APP_ROOT/$TARGET_FILE".c ]; then
+                printf '%s\n' "Removing: APP_ROOT/$TARGET_FILE.c"
+                rm "$APP_ROOT/$TARGET_FILE".c
+            fi
+            printf '%s\n' "WOLF_ROOT/wolfcrypt/src/$TARGET_FILE.c --> APP_ROOT/$TARGET_FILE.c"
+            cp "$WOLF_ROOT/wolfcrypt/src/$TARGET_FILE".c "$APP_ROOT/"
+        done
+
+        # uncomment to copy over the test app for testing purposes
+        #cp "$WOLF_ROOT/wolfcrypt/test/test.c" ./
+    else
+        printf '%s\n' "Please update the MY_WOLF_RELEASE_VARIABLE to the name"
+        printf '%s\n' "of the release you received most recently. Currently"
+        printf '%s\n' "it is set to \"$MY_WOLF_RELEASE_NAME\""
+    fi
+}
+
+update_user_settings(){
+    if [ -f user_settings.h ]; then
+        printf '%s\n' "Removing old user_settings.h"
+        rm user_settings.h
+    fi
+
+    printf '%s\n' "Generating new user_settings.h..."
+    touch user_settings.h
+
+    printf '%s\n' "#ifndef STM32L4_V_4_0_1_USER_SETTINGS_H" > user_settings.h
+    {
+        printf '%s\n' "#define STM32L4_V_4_0_1_USER_SETTINGS_H";
+        printf '%s\n' "";
+        printf '%s\n' "/* FIPS SETTINGS - BEGIN */";
+        printf '%s\n' "#define HAVE_FIPS";
+        printf '%s\n' "#define HAVE_FIPS_VERSION 2";
+        printf '%s\n' "#define NO_THREAD_LS";
+        printf '%s\n' "#define NO_STRICT_ECDSA_LEN";
+        printf '%s\n' "#define HAVE_ECC";
+        printf '%s\n' "#define HAVE_HKDF";
+        printf '%s\n' "#define HAVE_AESCCM";
+        printf '%s\n' "#define HAVE_AES_ECB";
+        printf '%s\n' "#define HAVE_ECC_CDH";
+        printf '%s\n' "#define HAVE_FFDHE_Q";
+        printf '%s\n' "#define HAVE_FFDHE_2048"; # NEW
+        printf '%s\n' "#define HAVE_HASHDRBG";
+        printf '%s\n' "#define WOLFSSL_SHA3";
+        printf '%s\n' "#define WOLFSSL_CMAC";
+        printf '%s\n' "#define WOLFSSL_SHA224";
+        printf '%s\n' "#define WOLFSSL_SHA384";
+        printf '%s\n' "#define WOLFSSL_SHA512";
+        printf '%s\n' "#define WOLFSSL_KEY_GEN";
+        printf '%s\n' "#define WOLFSSL_PUBLIC_MP";
+        printf '%s\n' "#define WOLFSSL_AES_DIRECT";
+        printf '%s\n' "#define WOLFSSL_AES_COUNTER";
+        printf '%s\n' "#define WOLFSSL_BASE64_ENCODE";
+        printf '%s\n' "#define WOLFSSL_VALIDATE_FFC_IMPORT";
+        printf '%s\n' "#define WOLFSSL_VALIDATE_ECC_IMPORT";
+        printf '%s\n' "#define WC_RSA_PSS";
+        printf '%s\n' "#define WC_RSA_NO_PADDING";
+# NEW        printf '%s\n' "#define WC_RSA_BLINDING";
+        printf '%s\n' "#define FP_MAX_BITS 8192";
+        printf '%s\n' "";
+        printf '%s\n' "/* For operational testing use only in validation effort */";
+#        printf '%s\n' "/* #define HAVE_FORCE_FIPS_FAILURE */";
+        printf '%s\n' "#define HAVE_FORCE_FIPS_FAILURE";
+        printf '%s\n' "/* FIPS SETTINGS - END */";
+        printf '%s\n' "";
+        printf '%s\n' "/* Debugging */";
+        printf '%s\n' "/* #define WOLFSSL_DEBUG_MEMORY */";
+        printf '%s\n' "/* #define WOLFSSL_TRACK_MEMORY */";
+        printf '%s\n' "/* #define WOLFSSL_DEBUG_MEMORY_PRINT */";
+        printf '%s\n' "/* Debugging */";
+        printf '%s\n' "";
+        printf '%s\n' "/* Environment settings */";
+        printf '%s\n' "#define NO_FILESYSTEM";
+        printf '%s\n' "#define USE_FAST_MATH";
+        printf '%s\n' "#define NO_MAIN_DRIVER";
+        printf '%s\n' "#define WOLFCRYPT_ONLY";
+        printf '%s\n' "#define WC_RSA_BLINDING";
+        printf '%s\n' "#define SINGLE_THREADED";
+        printf '%s\n' "#define TFM_TIMING_RESISTANT";
+        printf '%s\n' "#define ECC_TIMING_RESISTANT";
+        printf '%s\n' "#define USE_CERT_BUFFERS_256";
+        printf '%s\n' "#define USE_CERT_BUFFERS_2048";
+        printf '%s\n' "#define WOLFSSL_STM32L4";
+        printf '%s\n' "#define WOLFSSL_STM32_CUBEMX";
+        printf '%s\n' "#define WOLFSSL_CUBEMX_USE_LL";
+        printf '%s\n' "#define STM32_RNG";
+        printf '%s\n' "#define NO_STM32_CRYPTO";
+        printf '%s\n' "#define NO_STM32_HASH";
+        printf '%s\n' "#define NO_OLD_RNGNAME";
+        printf '%s\n' "/* Environment settings */";
+        printf '%s\n' "";
+        printf '%s\n' "/* Tuning options */";
+        printf '%s\n' "#define ALT_ECC_SIZE";
+        printf '%s\n' "#define NO_RC4";
+        printf '%s\n' "#define NO_MD4";
+        printf '%s\n' "#define NO_PSK";
+        printf '%s\n' "#define NO_HC128";
+        printf '%s\n' "#define NO_RABBIT";
+        printf '%s\n' "#define GCM_SMALL";
+        printf '%s\n' "#define TFM_ECC256";
+        printf '%s\n' "#define ECC_SHAMIR";
+        printf '%s\n' "#define HAVE_AESGCM";
+        printf '%s\n' "#define NO_PWDBASED";
+        printf '%s\n' "/* Tuning options */";
+        printf '%s\n' "";
+        printf '%s\n' "/* Non-FIPS related settings */";
+        printf '%s\n' "#define HAVE_TLS_EXTENSIONS";
+        printf '%s\n' "#define HAVE_EXTENDED_MASTER";
+        printf '%s\n' "#define HAVE_SUPPORTED_CURVES";
+        printf '%s\n' "/* Non-FIPS related settings */";
+        printf '%s\n' "";
+        printf '%s\n' "/* Agent harness settings */";
+        printf '%s\n' "#define USE_NORMAL_PRINTF";
+        printf '%s\n' "#define STM32L4R9I_DISCO";
+        printf '%s\n' "#define USE_NORMAL_SCAN";
+        printf '%s\n' "#define HAVE_FIPS";
+        printf '%s\n' "#define HAVE_FIPS_VERSION 2";
+        printf '%s\n' "#define VERIFY_GENERATED_PSS_SIGS";
+        printf '%s\n' "/* Agent harness settings */";
+        printf '%s\n' "";
+        printf '%s\n' "#endif /* STM32L4_V_4_0_1_USER_SETTINGS_H */";
+        printf '%s\n' "";
+    } >> user_settings.h
+
+    printf '%s\n' "new user_settings.h has been created"
+}
+
+assumptions
+
+if [ -f wolfssl/ssl.h ]; then
+    if [ -f "$FIRMWARE_ROOT"/project.mk ]; then
+        printf '%s\n' "Found ../../../project.mk, wolfSSL properly placed in"
+        printf '%s\n' "application root directory"
+    else
+        printf '%s\n' "Failed to locate ../../../project.mk, wolfSSL in wrong"
+        printf '%s\n' "location or assumptions need updated."
+    fi
+else
+    printf '%s\n' "Run this script from the wolfSSL root directory"
+    exit 1
+fi
+
+flatten_wolfcrypt_sources
+# optional test application, remove if not testing
+if [ -f "$APP_ROOT/test.c" ]; then
+    printf '%s\n' "Removing: $APP_ROOT/test.c"
+    rm "$APP_ROOT/test.c"
+fi
+printf '%s\n' "WOLF_ROOT/wolfcrypt/test/test.c --> APP_ROOT/test.c"
+cp "$WOLF_ROOT/wolfcrypt/test/test.c" "$APP_ROOT/"
+# optional test application section end
+
+# used during fips validation only, these will not be in final distribution
+#./scripts/flatten-agent-sources.sh
+#./scripts/flatten-op-test.sh
+# used during fips validation only, these will not be in final distribution
+
+update_user_settings
+
+cd "$FIRMWARE_ROOT"
+make clean
+make -j 1
+cd "$APP_ROOT"
+make install-target

wolfssl/wolfcrypt/settings.h

@@ -202,7 +202,13 @@
 
 /* make sure old RNG name is used with CTaoCrypt FIPS */
 #ifdef HAVE_FIPS
-    #define WC_RNG RNG
+    #if !defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)
+        #define WC_RNG RNG
+    #else
+        #ifndef WOLFSSL_STM32L4
+            #define RNG WC_RNG
+        #endif
+    #endif
     /* blinding adds API not available yet in FIPS mode */
     #undef WC_RSA_BLINDING
 #endif
@@ -1103,6 +1109,9 @@ extern void uITRON4_free(void *p) ;
     defined(WOLFSSL_STM32L4)
 
     #define SIZEOF_LONG_LONG 8
+    #ifndef CHAR_BIT
+      #define CHAR_BIT 8
+    #endif
     #define NO_DEV_RANDOM
     #define NO_WOLFSSL_DIR
     #undef  NO_RABBIT
@@ -1142,6 +1151,9 @@ extern void uITRON4_free(void *p) ;
         #elif defined(WOLFSSL_STM32F1)
             #include "stm32f1xx_hal.h"
         #endif
+        #if defined(WOLFSSL_CUBEMX_USE_LL) && defined(WOLFSSL_STM32L4)
+            #include "stm32l4xx_ll_rng.h"
+        #endif
 
         #ifndef STM32_HAL_TIMEOUT
             #define STM32_HAL_TIMEOUT   0xFF