mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-01 19:54:40 +02:00
Fixes for building TLSv1.3 with FIPS v1 (no RSA PSS or HKDF).
This commit is contained in:
David Garske
54
configure.ac
54
configure.ac
@@ -96,6 +96,32 @@ AS_IF([test "$ax_enable_debug" = "yes"],
|
|||||||
[AM_CFLAGS="$AM_CFLAGS -DNDEBUG"])
|
[AM_CFLAGS="$AM_CFLAGS -DNDEBUG"])
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# FIPS
|
||||||
|
AC_ARG_ENABLE([fips],
|
||||||
|
[AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])],
|
||||||
|
[ENABLED_FIPS=$enableval],
|
||||||
|
[ENABLED_FIPS="no"])
|
||||||
|
|
||||||
|
AS_CASE([$ENABLED_FIPS],
|
||||||
|
["v2"],[
|
||||||
|
# FIPS v2
|
||||||
|
ENABLED_FIPS="yes"
|
||||||
|
FIPS_VERSION="v2"
|
||||||
|
],
|
||||||
|
["rand"],[
|
||||||
|
# FIPS Rand
|
||||||
|
ENABLED_FIPS="yes"
|
||||||
|
FIPS_VERSION="rand"
|
||||||
|
],
|
||||||
|
["no"],[FIPS_VERSION="none"],
|
||||||
|
[
|
||||||
|
# FIPS v1
|
||||||
|
ENABLED_FIPS="yes"
|
||||||
|
FIPS_VERSION="v1"
|
||||||
|
])
|
||||||
|
|
||||||
|
|
||||||
# Distro build feature subset (Debian, Ubuntu, etc.)
|
# Distro build feature subset (Debian, Ubuntu, etc.)
|
||||||
AC_ARG_ENABLE([distro],
|
AC_ARG_ENABLE([distro],
|
||||||
[AS_HELP_STRING([--enable-distro],[Enable wolfSSL distro build (default: disabled)])],
|
[AS_HELP_STRING([--enable-distro],[Enable wolfSSL distro build (default: disabled)])],
|
||||||
@@ -119,7 +145,11 @@ AC_ARG_ENABLE([all],
|
|||||||
if test "$ENABLED_ALL" = "yes"
|
if test "$ENABLED_ALL" = "yes"
|
||||||
then
|
then
|
||||||
enable_dtls=yes
|
enable_dtls=yes
|
||||||
enable_tls13=yes
|
if test "x$FIPS_VERSION" != "xv1"
|
||||||
|
then
|
||||||
|
enable_tls13=yes
|
||||||
|
enable_rsapss=yes
|
||||||
|
fi
|
||||||
enable_openssh=yes
|
enable_openssh=yes
|
||||||
enable_opensslextra=yes
|
enable_opensslextra=yes
|
||||||
enable_opensslall=yes
|
enable_opensslall=yes
|
||||||
@@ -293,7 +323,10 @@ AC_ARG_ENABLE([tls13],
|
|||||||
[ ENABLED_TLS13=$enableval ],
|
[ ENABLED_TLS13=$enableval ],
|
||||||
[ ENABLED_TLS13=yes ]
|
[ ENABLED_TLS13=yes ]
|
||||||
)
|
)
|
||||||
|
if test "x$FIPS_VERSION" = "xv1"
|
||||||
|
then
|
||||||
|
ENABLED_TLS13="no"
|
||||||
|
fi
|
||||||
if test "$ENABLED_TLS13" = "yes"
|
if test "$ENABLED_TLS13" = "yes"
|
||||||
then
|
then
|
||||||
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
|
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
|
||||||
@@ -2429,14 +2462,8 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
# FIPS
|
# FIPS
|
||||||
AC_ARG_ENABLE([fips],
|
AS_CASE([$FIPS_VERSION],
|
||||||
[AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])],
|
["v2"],[
|
||||||
[ENABLED_FIPS=$enableval],
|
|
||||||
[ENABLED_FIPS="no"])
|
|
||||||
|
|
||||||
AS_CASE([$ENABLED_FIPS],
|
|
||||||
["v2"],[FIPS_VERSION="v2"
|
|
||||||
ENABLED_FIPS=yes
|
|
||||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
|
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
|
||||||
ENABLED_KEYGEN="yes"
|
ENABLED_KEYGEN="yes"
|
||||||
ENABLED_SHA224="yes"
|
ENABLED_SHA224="yes"
|
||||||
@@ -2467,14 +2494,9 @@ AS_CASE([$ENABLED_FIPS],
|
|||||||
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
|
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
|
||||||
],
|
],
|
||||||
["rand"],[
|
["rand"],[
|
||||||
ENABLED_FIPS="yes"
|
|
||||||
FIPS_VERSION="rand"
|
|
||||||
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2"
|
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2"
|
||||||
],
|
],
|
||||||
["no"],[FIPS_VERSION="none"],
|
["v1"],[
|
||||||
[
|
|
||||||
ENABLED_FIPS="yes"
|
|
||||||
FIPS_VERSION="v1"
|
|
||||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
|
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
|
||||||
])
|
])
|
||||||
|
|
||||||
|
|||||||
@@ -4679,7 +4679,7 @@ static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
|
|||||||
}
|
}
|
||||||
#endif /* HAVE_ECC */
|
#endif /* HAVE_ECC */
|
||||||
|
|
||||||
#ifndef NO_RSA
|
#if !defined(NO_RSA) && defined(WC_RSA_PSS)
|
||||||
/* Check that the decrypted signature matches the encoded signature
|
/* Check that the decrypted signature matches the encoded signature
|
||||||
* based on the digest of the signature data.
|
* based on the digest of the signature data.
|
||||||
*
|
*
|
||||||
@@ -4722,7 +4722,7 @@ static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
|
|||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
#endif /* !NO_RSA */
|
#endif /* !NO_RSA && WC_RSA_PSS */
|
||||||
#endif /* !NO_RSA || HAVE_ECC */
|
#endif /* !NO_RSA || HAVE_ECC */
|
||||||
|
|
||||||
/* Get the next certificate from the list for writing into the TLS v1.3
|
/* Get the next certificate from the list for writing into the TLS v1.3
|
||||||
@@ -5759,7 +5759,7 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
|
|||||||
|
|
||||||
case TLS_ASYNC_VERIFY:
|
case TLS_ASYNC_VERIFY:
|
||||||
{
|
{
|
||||||
#ifndef NO_RSA
|
#if !defined(NO_RSA) && defined(WC_RSA_PSS)
|
||||||
if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
|
if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
|
||||||
ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
|
ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
|
||||||
args->output, args->sendSz);
|
args->output, args->sendSz);
|
||||||
@@ -5769,7 +5769,7 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
|
|||||||
FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
|
FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
|
||||||
ssl->peerRsaKeyPresent = 0;
|
ssl->peerRsaKeyPresent = 0;
|
||||||
}
|
}
|
||||||
#endif /* !NO_RSA */
|
#endif /* !NO_RSA && WC_RSA_PSS */
|
||||||
|
|
||||||
/* Advance state and proceed */
|
/* Advance state and proceed */
|
||||||
ssl->options.asyncState = TLS_ASYNC_FINALIZE;
|
ssl->options.asyncState = TLS_ASYNC_FINALIZE;
|
||||||
|
|||||||
@@ -11726,7 +11726,7 @@ done:
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef WC_RSA_PSS
|
#if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
|
||||||
static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
|
static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
|
||||||
{
|
{
|
||||||
byte digest[WC_MAX_DIGEST_SIZE];
|
byte digest[WC_MAX_DIGEST_SIZE];
|
||||||
@@ -13862,7 +13862,7 @@ int rsa_test(void)
|
|||||||
#endif /* WOLFSSL_CERT_REQ */
|
#endif /* WOLFSSL_CERT_REQ */
|
||||||
#endif /* WOLFSSL_CERT_GEN */
|
#endif /* WOLFSSL_CERT_GEN */
|
||||||
|
|
||||||
#ifdef WC_RSA_PSS
|
#if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
|
||||||
ret = rsa_pss_test(&rng, &key);
|
ret = rsa_pss_test(&rng, &key);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|||||||
@@ -2229,6 +2229,12 @@ extern void uITRON4_free(void *p) ;
|
|||||||
#define WOLFSSL_NO_CONSTCHARCONST
|
#define WOLFSSL_NO_CONSTCHARCONST
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* FIPS v1 does not support TLS v1.3 (requires RSA PSS and HKDF) */
|
||||||
|
#if defined(HAVE_FIPS) && !defined(HAVE_FIPS_VERSION)
|
||||||
|
#undef WC_RSA_PSS
|
||||||
|
#undef WOLFSSL_TLS13
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
} /* extern "C" */
|
} /* extern "C" */
|
||||||
|
|||||||
Reference in New Issue
Block a user