FIPS v5 gating fixes:

configure.ac:
* fix logic in "Forcing off" test expressions, first flubbed in 19106a9510;
* fix auto-enable of compkey to exclude v5 even if v5-dev.

src/tls13.c: fix gating for HKDF _ex() variants (>=6.0, not >=5.3).

wolfcrypt/src/error.c: snip out stray spaces at start of several ECC error message strings.

wolfcrypt/test/test.c:
* in render_error_message(), use wolfSSL_ERR_reason_error_string() if available rather than wc_GetErrorString(), to render non-wolfcrypt error strings;
* in ecc_test_deterministic_k(), ecc384_test_deterministic_k(), ecc521_test_deterministic_k(), on FIPS <6.0, gate out SHA384 and SHA512 tests (FIPS v5 only supports SHA256 in wc_ecc_gen_deterministic_k());
* in cmac_test(), gate use of wc_AesCmacGenerate_ex() and wc_AesCmacVerify_ex() on >=6.0, not >=5.3.
Daniel Pouzzner
2024-09-20 13:53:36 -05:00
parent d796d8c107
commit 55cd8a800f
4 changed files with 44 additions and 38 deletions


@@ -221,7 +221,7 @@ static int Tls13HKDFExpandLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,
#endif
(void)ssl;
PRIVATE_KEY_UNLOCK();
#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))
#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen,
protocol, protocolLen,
label, labelLen,
@@ -261,7 +261,7 @@ static int Tls13HKDFExpandKeyLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,
return ret;
#endif
#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))
#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen,
protocol, protocolLen,
label, labelLen,
@@ -1137,7 +1137,7 @@ static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt,
#endif
{
#if !defined(HAVE_FIPS) || \
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
ret = wc_Tls13_HKDF_Extract_ex(prk, salt, (word32)saltLen, ikm, (word32)ikmLen, digest,
ssl->heap, ssl->devId);
#else
@@ -4840,7 +4840,7 @@ static int EchCheckAcceptance(WOLFSSL* ssl, const byte* input,
if (ret == 0) {
PRIVATE_KEY_UNLOCK();
#if !defined(HAVE_FIPS) || \
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
ret = wc_HKDF_Extract_ex(digestType, zeros, (word32)digestSize,
ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk,
ssl->heap, ssl->devId);
@@ -4978,7 +4978,7 @@ static int EchWriteAcceptance(WOLFSSL* ssl, byte* output,
if (ret == 0) {
PRIVATE_KEY_UNLOCK();
#if !defined(HAVE_FIPS) || \
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))
(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
ret = wc_HKDF_Extract_ex(digestType, zeros, (word32)digestSize,
ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk,
ssl->heap, ssl->devId);
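Review bot: The gate `!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))` is now written out at five call sites in this file (Tls13HKDFExpandLabel, Tls13HKDFExpandKeyLabel, Tls13_HKDF_Extract, EchCheckAcceptance, EchWriteAcceptance), which is why the earlier 5,3 boundary needed five identical corrections. Defining one feature macro near the top of the file and testing it at each site would keep the FIPS boundary in a single place; a name such as `WOLFSSL_TLS13_HKDF_EX_AVAILABLE` is only a suggestion, not an existing symbol. A short comment at that definition, for example `/* the _ex() HKDF variants are not available in FIPS modules older than 6.0 */`, would record why the boundary is 6.0. The `#else` branches and the rest of each function lie outside the hunks, so the fallback calls and the re-lock that should follow each `PRIVATE_KEY_UNLOCK()` are not reviewed here.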