FIPS Revalidation

1. Added a new AES-GCM encrypt API for FIPS where the IV is generated internally.
2. Fix the AES-NI guard flags so AES-NI can be used when FIPS is enabled.
John Safranek
2018-02-05 13:50:30 -08:00
parent 80e589c7d9
commit 2683fb29df
3 changed files with 83 additions and 2 deletions


@ -7971,6 +7971,31 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
#endif /* HAVE_AES_DECRYPT || HAVE_AESGCM_DECRYPT */
#endif /* (WOLFSSL_XILINX_CRYPT) */
int wc_AesGcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz,
byte* iv, word32 ivSz, byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz, WC_RNG* rng)
{
int ret = 0;
if (aes == NULL || out == NULL || (in == NULL && sz != 0) ||
iv == NULL || ivSz != NONCE_SZ || (authIn == NULL && authInSz != 0) ||
rng == NULL) {
ret = BAD_FUNC_ARG;
}
if (ret == 0)
ret = wc_RNG_GenerateBlock(rng, iv, ivSz);
if (ret == 0)
ret = wc_AesGcmEncrypt(aes, out, in, sz, iv, ivSz,
authTag, authTagSz, authIn, authInSz);
return ret;
}
WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len)
{
if (gmac == NULL || key == NULL) {
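Review bot: The argument check in wc_AesGcmEncrypt_ex validates every pointer/size pair except authTag/authTagSz, so a NULL tag buffer is not rejected until the inner wc_AesGcmEncrypt call, after wc_RNG_GenerateBlock has already overwritten the caller's iv and drawn RNG output. Presumably wc_AesGcmEncrypt rejects it (not visible here), but validating up front keeps the fail-before-side-effects behaviour the rest of the check already gives: `iv == NULL || ivSz != NONCE_SZ || authTag == NULL ||`. The new public function also has no header comment, and its contract is non-obvious because iv is an output: add `/* Encrypts in with an IV drawn from rng; iv is an output buffer of exactly NONCE_SZ bytes (ivSz must equal NONCE_SZ) and holds the IV the caller must keep for decryption. Returns BAD_FUNC_ARG on bad arguments, otherwise the RNG or wc_AesGcmEncrypt result; on failure the contents of iv, out and authTag are undefined. */` above the definition. wc_GmacSetKey at the end of the hunk continues outside it.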


@ -6482,6 +6482,54 @@ int aesgcm_test(void)
return -4325;
#endif /* HAVE_AES_DECRYPT */
#endif /* WOLFSSL_AES_256 */
/* Test encrypt with internally generated IV */
{
WC_RNG rng;
byte randIV[12];
result = wc_InitRng(&rng);
if (result != 0)
return -8208;
XMEMSET(randIV, 0, sizeof(randIV));
XMEMSET(resultT, 0, sizeof(resultT));
XMEMSET(resultC, 0, sizeof(resultC));
XMEMSET(resultP, 0, sizeof(resultP));
wc_AesGcmSetKey(&enc, k1, sizeof(k1));
result = wc_AesGcmEncrypt_ex(&enc, resultC, p, sizeof(p),
randIV, sizeof(randIV), resultT, sizeof(resultT),
a, sizeof(a), &rng);
#if defined(WOLFSSL_ASYNC_CRYPT)
result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
#endif
if (result != 0)
return -8209;
/* Check the IV has been set. */
{
word32 i, ivSum = 0;
for (i = 0; i < sizeof(randIV); i++)
ivSum += randIV[i];
if (ivSum == 0)
return -8210;
}
result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(resultC),
randIV, sizeof(randIV), resultT, sizeof(resultT),
a, sizeof(a));
#if defined(WOLFSSL_ASYNC_CRYPT)
result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
#endif
if (result != 0)
return -8211;
if (XMEMCMP(p, resultP, sizeof(resultP)))
return -8212;
wc_FreeRng(&rng);
}
wc_AesFree(&enc);
return 0;
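Review bot: The four early returns in the new block (-8209, -8210, -8211, -8212) skip `wc_FreeRng(&rng);`, so on any failure the RNG initialised at the top of the block is leaked; call wc_FreeRng before each of those returns, or store the error code and fall through to the single wc_FreeRng at the end of the block. The `wc_AesGcmSetKey(&enc, k1, sizeof(k1));` result is also discarded, so a key-set failure would surface as a confusing encrypt error instead of its own code; check it and return a distinct error code. The IV check (summing the twelve bytes and rejecting zero) cannot overflow a word32 but would also reject a legitimately all-zero random IV with probability 2^-96, which is acceptable for a test. The enclosing aesgcm_test starts outside the hunk.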


@ -48,7 +48,6 @@
#endif
#endif
#ifndef HAVE_FIPS /* to avoid redefinition of macros */
#ifdef WOLFSSL_AESNI
@ -58,11 +57,11 @@
#endif /* WOLFSSL_AESNI */
#ifdef WOLFSSL_XILINX_CRYPT
#include "xsecure_aes.h"
#endif
#endif /* HAVE_FIPS */
#ifdef __cplusplus
extern "C" {
@ -129,6 +128,8 @@ typedef struct XtsAes {
#endif
#ifdef HAVE_AESGCM
#include <wolfssl/wolfcrypt/random.h>
typedef struct Gmac {
Aes aes;
} Gmac;
@ -202,6 +203,13 @@ WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out,
const byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz);
WOLFSSL_API int wc_AesGcmEncrypt_ex(Aes* aes, byte* out,
const byte* in, word32 sz,
byte* iv, word32 ivSz,
byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz,
WC_RNG* rng);
WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len);
WOLFSSL_API int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
const byte* authIn, word32 authInSz,