wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 02:37:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4669 from douzzer/rehab-configure-fips

Browse Source 
FIPS configure cleanup
This commit is contained in:
John Safranek
2021-12-17 08:58:44 -08:00
committed by GitHub
parent 2f0b451545 5c6bd8c2c9
commit 771647615a
4 changed files with 228 additions and 179 deletions
Download Patch File Download Diff File Expand all files Collapse all files

374
configure.ac
View File

@ -206,18 +206,21 @@ AC_ARG_ENABLE([fips],
[ENABLED_FIPS="no"])
# The FIPS options are:
# v5-RC8 - FIPS 140-3 (wolfCrypt WCv5.0-RC8)
# v5 - alias for v5-RC8 (may change)
# v5-REL - FIPS 140-3, placeholder for upcoming wolfCrypt v5.0.0
# v5-ready - FIPS ready, 140-3 settings
# ready -- same as v5-ready
# v3 - FIPS Ready, 140-2 settings
# v3-ready - same as v3
# rand - wolfRand
# v2 - FIPS 140-2 Cert 3389
# no - FIPS build disabled
# no - FIPS build disabled, FIPS sources forbidden in build tree
# disabled - FIPS build disabled, FIPS sources ignored in build tree
# v1 - FIPS 140-2 Cert 2425
# default - same as v1
# v2 - FIPS 140-2 Cert 3389
# cert3389 - alias for v2
# rand - wolfRand
# v5-RC8 - historical FIPS 140-3 (wolfCrypt WCv5.0-RC8)
# v5-RC9 - historical FIPS 140-3 (wolfCrypt WCv5.0-RC9)
# v5-RC10 - FIPS 140-3, wolfCrypt/fips WCv5.0-RC10
# v5 - currently, alias for v5-RC10
# v5-ready - FIPS 140-3 settings with in-tree wolfcrypt sources, feature locked
# v5-dev - FIPS 140-3 settings with in-tree wolfcrypt sources, features freely adjustable
# ready - currently, same as v5-ready
# dev - currently, same as v5-dev
AS_CASE([$ENABLED_FIPS],
[no],[
FIPS_VERSION="none"
@ -227,17 +230,6 @@ AS_CASE([$ENABLED_FIPS],
FIPS_VERSION="disabled"
ENABLED_FIPS="no"
],
[v3-ready|v3],[
FIPS_VERSION="v3"
HAVE_FIPS_VERSION=3
FIPS_READY="yes"
ENABLED_FIPS="yes"
],
[rand],[
FIPS_VERSION="rand"
HAVE_FIPS_VERSION=3
ENABLED_FIPS="yes"
],
[v1|yes|cert2425],[
FIPS_VERSION="v1"
HAVE_FIPS_VERSION=1
@ -248,16 +240,9 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION=2
ENABLED_FIPS="yes"
],
[v5|v5-RC10],[
FIPS_VERSION="v5-RC10"
HAVE_FIPS_VERSION=5
HAVE_FIPS_VERSION_MINOR=2
ENABLED_FIPS="yes"
],
[v5-RC9|v5-REL],[
FIPS_VERSION="v5-RC9"
HAVE_FIPS_VERSION=5
HAVE_FIPS_VERSION_MINOR=1
[rand],[
FIPS_VERSION="rand"
HAVE_FIPS_VERSION=3
ENABLED_FIPS="yes"
],
[v5-RC8],[
@ -266,14 +251,32 @@ AS_CASE([$ENABLED_FIPS],
HAVE_FIPS_VERSION_MINOR=0
ENABLED_FIPS="yes"
],
[v5-RC9],[
FIPS_VERSION="v5-RC9"
HAVE_FIPS_VERSION=5
HAVE_FIPS_VERSION_MINOR=1
ENABLED_FIPS="yes"
],
[v5|v5-RC10],[
FIPS_VERSION="v5-RC10"
HAVE_FIPS_VERSION=5
HAVE_FIPS_VERSION_MINOR=2
ENABLED_FIPS="yes"
],
[ready|v5-ready],[
FIPS_VERSION="v5-ready"
HAVE_FIPS_VERSION=5
HAVE_FIPS_VERSION_MINOR=2
ENABLED_FIPS="yes"
],
[dev|v5-dev],[
FIPS_VERSION="v5-dev"
HAVE_FIPS_VERSION=5
HAVE_FIPS_VERSION_MINOR=2
ENABLED_FIPS="yes"
],
[
AC_MSG_ERROR([Invalid value for --enable-fips "$ENABLED_FIPS" (allowed: ready, v3-ready, v5-ready, rand, v1, v2, v5, no, disabled)])
AC_MSG_ERROR([Invalid value for --enable-fips "$ENABLED_FIPS" (main options: v1, v2, v5, ready, dev, rand, no, disabled)])
])
if test -z "$HAVE_FIPS_VERSION_MINOR"
@ -1840,6 +1843,43 @@ fi
# libkcapi
AC_ARG_ENABLE([kcapi-hash],
[AS_HELP_STRING([--enable-kcapi-hash],[Enable libkcapi use for hashing (default: disabled)])],
[ ENABLED_KCAPI_HASH=$enableval ],
[ ENABLED_KCAPI_HASH=no ]
)
AC_ARG_ENABLE([kcapi-hmac],
[AS_HELP_STRING([--enable-kcapi-hmac],[Enable libkcapi use for HMAC (default: disabled)])],
[ ENABLED_KCAPI_HMAC=$enableval ],
[ ENABLED_KCAPI_HMAC=no ]
)
AC_ARG_ENABLE([kcapi-aes],
[AS_HELP_STRING([--enable-kcapi-aes],[Enable libkcapi use for AES (default: disabled)])],
[ ENABLED_KCAPI_AES=$enableval ],
[ ENABLED_KCAPI_AES=no ]
)
AC_ARG_ENABLE([kcapi-rsa],
[AS_HELP_STRING([--enable-kcapi-rsa],[Enable libkcapi use for RSA (default: disabled)])],
[ ENABLED_KCAPI_RSA=$enableval ],
[ ENABLED_KCAPI_RSA=no ]
)
AC_ARG_ENABLE([kcapi-dh],
[AS_HELP_STRING([--enable-kcapi-dh],[Enable libkcapi use for DH (default: disabled)])],
[ ENABLED_KCAPI_DH=$enableval ],
[ ENABLED_KCAPI_DH=no ]
)
AC_ARG_ENABLE([kcapi-ecc],
[AS_HELP_STRING([--enable-kcapi-ecc],[Enable libkcapi use for ECC (default: disabled)])],
[ ENABLED_KCAPI_ECC=$enableval ],
[ ENABLED_KCAPI_ECC=no ]
)
AC_ARG_ENABLE([kcapi],
[AS_HELP_STRING([--enable-kcapi],[Enable libkcapi use for crypto (default: disabled)])],
[ ENABLED_KCAPI=$enableval ],
@ -1848,79 +1888,55 @@ AC_ARG_ENABLE([kcapi],
if test "$ENABLED_KCAPI" = "yes"
then
if test "$ENABLED_AESCCM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_AES"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HASH -DWOLFSSL_KCAPI_HASH_KEEP"
# Linux Kernel doesn't support truncated SHA512 algorithms
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HMAC"
LIBS="$LIBS -lkcapi"
AS_IF([test "$enable_kcapi_hash" != "no"], [ENABLED_KCAPI_HASH=yes])
AS_IF([test "$enable_kcapi_hmac" != "no"], [ENABLED_KCAPI_HMAC=yes])
AS_IF([test "$enable_kcapi_aes" != "no"], [ENABLED_KCAPI_AES=yes])
# currently the PK alg KCAPI options run into build failures, so disabling here for now.
# AS_IF([test "$enable_kcapi_rsa" != "no"], [ENABLED_KCAPI_RSA=yes])
# AS_IF([test "$enable_kcapi_dh" != "no"], [ENABLED_KCAPI_DH=yes])
# AS_IF([test "$enable_kcapi_ecc" != "no"], [ENABLED_KCAPI_ECC=yes])
fi
AC_ARG_ENABLE([kcapi-hash],
[AS_HELP_STRING([--enable-kcapi-hash],[Enable libkcapi use for hashing (default: disabled)])],
[ ENABLED_KCAPI_HASH=$enableval ],
[ ENABLED_KCAPI_HASH=no ]
)
if test "$ENABLED_KCAPI_AES" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_AES"
fi
AC_ARG_ENABLE([kcapi-hmac],
[AS_HELP_STRING([--enable-kcapi-hmac],[Enable libkcapi use for HMAC (default: disabled)])],
[ ENABLED_KCAPI_RSA=$enableval ],
[ ENABLED_KCAPI_RSA=no ]
)
AS_IF([test "$ENABLED_KCAPI_HASH" != "no" ||
test "$ENABLED_KCAPI_HMAC" != "no" ||
test "$ENABLED_KCAPI_AES" != "no" ||
test "$ENABLED_KCAPI_RSA" != "no" ||
test "$ENABLED_KCAPI_DH" != "no" ||
test "$ENABLED_KCAPI_ECC" != "no"],
[LIBS="$LIBS -lkcapi"])
if test "$ENABLED_KCAPI_HASH" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HASH"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HASH -DWOLFSSL_KCAPI_HASH_KEEP"
# Linux Kernel doesn't support truncated SHA512 algorithms
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
fi
AC_ARG_ENABLE([kcapi-aes],
[AS_HELP_STRING([--enable-kcapi-aes],[Enable libkcapi use for AES (default: disabled)])],
[ ENABLED_KCAPI_AES=$enableval ],
[ ENABLED_KCAPI_AES=no ]
)
if test "$ENABLED_KCAPI_HMAC" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HMAC"
fi
AC_ARG_ENABLE([kcapi-rsa],
[AS_HELP_STRING([--enable-kcapi-rsa],[Enable libkcapi use for RSA (default: disabled)])],
[ ENABLED_KCAPI_RSA=$enableval ],
[ ENABLED_KCAPI_RSA=no ]
)
if test "$ENABLED_KCAPI_AES" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_AES"
HAVE_AESGCM_PORT=yes
if test "$ENABLED_AESCCM" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
fi
fi
if test "$ENABLED_KCAPI_RSA" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_RSA"
fi
AC_ARG_ENABLE([kcapi-dh],
[AS_HELP_STRING([--enable-kcapi-dh],[Enable libkcapi use for DH (default: disabled)])],
[ ENABLED_KCAPI_DH=$enableval ],
[ ENABLED_KCAPI_DH=no ]
)
if test "$ENABLED_KCAPI_DH" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_DH"
fi
AC_ARG_ENABLE([kcapi-ecc],
[AS_HELP_STRING([--enable-kcapi-ecc],[Enable libkcapi use for ECC (default: disabled)])],
[ ENABLED_KCAPI_ECC=$enableval ],
[ ENABLED_KCAPI_ECC=no ]
)
if test "$ENABLED_KCAPI_ECC" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_ECC"
@ -3426,52 +3442,116 @@ then
fi
# FIPS
# FIPS feature and macro setup
AS_CASE([$FIPS_VERSION],
[v5*], [ # FIPS 140-3, including 140-3 ready
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_ECDSA_SET_K"
ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"
# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
ENABLED_SHAKE256=no
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
[ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
[ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
AS_IF([test "x$ENABLED_ECC" != "xyes"],
[ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DWOLFSSL_VALIDATE_ECC_KEYGEN"])
AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
[ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
AS_IF([test "x$ENABLED_CMAC" != "xyes"],
[ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
AS_IF([test "x$ENABLED_HKDF" != "xyes"],
[ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
AS_IF([test "x$ENABLED_SHA512" = "xno"],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
# AES-GCM optional with fips-ready, required with real fips
AS_IF([test "x$ENABLED_AESGCM" = "xno" && (test "$FIPS_VERSION" != "v5-ready" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
AS_IF([test "x$ENABLED_MD5" = "xyes"],[ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DECC_USER_CURVES -DHAVE_ECC192 -DHAVE_ECC224 -DHAVE_ECC256 -DHAVE_ECC384 -DHAVE_ECC521"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECDSA_SET_K -DWC_RNG_SEED_CB"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_3072 -DHAVE_FFDHE_4096 -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192"
[v5*], [ # FIPS 140-3
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_ECC_CDH \
-DWC_RSA_NO_PADDING \
-DWOLFSSL_ECDSA_SET_K \
-DWOLFSSL_VALIDATE_ECC_IMPORT \
-DECC_USER_CURVES \
-DHAVE_ECC192 \
-DHAVE_ECC224 \
-DHAVE_ECC256 \
-DHAVE_ECC384 \
-DHAVE_ECC521 \
-DWOLFSSL_ECDSA_SET_K \
-DWC_RNG_SEED_CB \
-DWOLFSSL_VALIDATE_FFC_IMPORT \
-DHAVE_FFDHE_Q \
-DHAVE_FFDHE_3072 \
-DHAVE_FFDHE_4096 \
-DHAVE_FFDHE_6144 \
-DHAVE_FFDHE_8192"
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
if test $HAVE_FIPS_VERSION_MINOR -ge 2; then
# AES-OFB optional with fips-ready, required with real fips
AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "v5-ready" || test "$enable_aesofb" != "no")],
[ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])
fi
# DES3 is incompatible with FIPS 140-3
AS_IF([test "$ENABLED_DES3" != "no"],
[ENABLED_DES3="no"])
# force various features to FIPS 140-3 defaults, unless overridden with v5-dev:
AS_IF([test "$ENABLED_KEYGEN" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_keygen" != "no")],
[ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
AS_IF([test "$ENABLED_SHA224" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha224" != "no")],
[ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
AS_IF([test "$ENABLED_WOLFSSH" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_ssh" != "no")],
[enable_ssh="yes"])
# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
AS_IF([test "$ENABLED_SHAKE256" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_shake256" != "yes")],
[ENABLED_SHAKE256=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"])
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AS_IF([test "$ENABLED_AESCCM" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesccm" != "no")],
[ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
AS_IF([test "$ENABLED_RSAPSS" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_rsapss" != "no")],
[ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
AS_IF([test "$ENABLED_ECC" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_ecc" != "no")],
[ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_eccshamir" != "no")],
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DWOLFSSL_VALIDATE_ECC_KEYGEN"])
AS_IF([test "$ENABLED_AESCTR" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesctr" != "no")],
[ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
AS_IF([test "$ENABLED_CMAC" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_cmac" != "no")],
[ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
AS_IF([test "$ENABLED_HKDF" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_hkdf" != "no")],
[ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
AS_IF([test "$ENABLED_INTELASM" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
AS_IF([test "$ENABLED_SHA512" = "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha512" != "no")],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
AS_IF([test "$ENABLED_AESGCM" = "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
AS_IF([test "$ENABLED_MD5" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_md5" != "yes")],
[ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
[AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesofb" != "no")],
[ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])])
AS_IF([(test "$ENABLED_AESCCM" = "yes" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" = "yes" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" = "yes" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" = "yes" && test "$HAVE_AESOFB_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
],
["v3"],[ # FIPS 140-2 Ready
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DWOLFSSL_ECDSA_SET_K"
[v2],[ # FIPS 140-2, Cert 3389
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DWOLFSSL_KEY_GEN \
-DWOLFSSL_SHA224 \
-DWOLFSSL_AES_DIRECT \
-DHAVE_AES_ECB \
-DHAVE_ECC_CDH \
-DWC_RSA_NO_PADDING \
-DWOLFSSL_VALIDATE_FFC_IMPORT \
-DHAVE_FFDHE_Q \
-DHAVE_PUBLIC_FFDHE"
ENABLED_KEYGEN="yes"
ENABLED_SHA224="yes"
ENABLED_DES3="yes"
@ -3508,48 +3588,11 @@ AS_CASE([$FIPS_VERSION],
AS_IF([test "x$ENABLED_AESGCM" = "xno"],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
],
["v2"],[ # FIPS 140-2, Cert 3389
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DHAVE_PUBLIC_FFDHE"
ENABLED_KEYGEN="yes"
ENABLED_SHA224="yes"
ENABLED_DES3="yes"
# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
ENABLED_SHAKE256=no
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
[ENABLED_AESCCM="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
[ENABLED_RSAPSS="yes"
AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
AS_IF([test "x$ENABLED_ECC" != "xyes"],
[ENABLED_ECC="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT"
AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"])
AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
[ENABLED_AESCTR="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
AS_IF([test "x$ENABLED_CMAC" != "xyes"],
[ENABLED_CMAC="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
AS_IF([test "x$ENABLED_HKDF" != "xyes"],
[ENABLED_HKDF="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
AS_IF([test "x$ENABLED_SHA512" = "xno"],
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
AS_IF([test "x$ENABLED_AESGCM" = "xno"],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
echo "$AM_CFLAGS" >/dev/stderr
],
["rand"],[
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR"
],
["v1"],[ # FIPS 140-2, Cert 2425
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
AS_IF([test "x$ENABLED_SHA512" = "xno"],
@ -7001,9 +7044,6 @@ AS_IF([test "x$ENABLED_NULL_CIPHER" = "xno" && \
[AM_CFLAGS="-DHAVE_NULL_CIPHER $AM_CFLAGS"
ENABLED_NULL_CIPHER=yes])
# FIPSv5 requires the wolfSSH option.
AS_IF([test "$HAVE_FIPS_VERSION" -ge 5],[ENABLED_WOLFSSH="yes"])
# wolfSSH and WPA Supplicant both need Public MP, only enable once.
# This will let you know if you enabled wolfSSH but have any of the prereqs
# disabled. Some of these options, disabling them adds things to the FLAGS and

2
src/ssl.c
View File

@ -47866,7 +47866,7 @@ WOLFSSL_X509_INFO* wolfSSL_sk_X509_INFO_value(
{
WOLFSSL_ENTER("wolfSSL_sk_X509_INFO_value");
return wolfSSL_sk_value(sk, i);
return (WOLFSSL_X509_INFO *)wolfSSL_sk_value(sk, i);
}
WOLFSSL_X509_INFO* wolfSSL_sk_X509_INFO_pop(

29
wolfcrypt/src/ecc.c
View File

@ -6100,15 +6100,16 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
byte V[WC_MAX_DIGEST_SIZE];
byte K[WC_MAX_DIGEST_SIZE];
byte x[MAX_ECC_BYTES];
mp_int z1[1];
#else
byte *h1 = NULL;
byte *V = NULL;
byte *K = NULL;
byte *x = NULL;
mp_int *z1 = NULL;
#endif
word32 xSz, VSz, KSz, h1len;
byte intOct;
mp_int z1;
if (hash == NULL || k == NULL || order == NULL) {
return BAD_FUNC_ARG;
@ -6119,7 +6120,7 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
return BAD_FUNC_ARG;
}
if ((xSz = mp_unsigned_bin_size(priv)) > MAX_ECC_BYTES) {
if (mp_unsigned_bin_size(priv) > MAX_ECC_BYTES) {
WOLFSSL_MSG("private key larger than max expected!");
return BAD_FUNC_ARG;
}
@ -6148,6 +6149,12 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
ret = MEMORY_E;
}
if (ret == 0) {
z1 = (mp_int *)XMALLOC(sizeof(z1), heap, DYNAMIC_TYPE_ECC_BUFFER);
if (z1 == NULL)
ret = MEMORY_E;
}
/* bail out if any error has been hit at this point */
if (ret != 0) {
if (x != NULL)
@ -6170,17 +6177,17 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
/* 3.2 c. Set K = 0x00 0x00 ... */
XMEMSET(K, 0x00, KSz);
mp_init(&z1); /* always init z1 and free z1 */
mp_init(z1); /* always init z1 and free z1 */
ret = mp_to_unsigned_bin_len(priv, x, hashSz);
if (ret == 0) {
qbits = mp_count_bits(order);
ret = mp_read_unsigned_bin(&z1, hash, hashSz);
ret = mp_read_unsigned_bin(z1, hash, hashSz);
}
/* bits2octets on h1 */
if (ret == 0) {
/* right shift by bits in hash minus bits in order */
mp_rshb(&z1, (hashSz * WOLFSSL_BIT_SIZE) - qbits);
mp_rshb(z1, (hashSz * WOLFSSL_BIT_SIZE) - qbits);
XMEMSET(h1, 0, WC_MAX_DIGEST_SIZE);
#if !defined(WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT)
@ -6188,14 +6195,14 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
* RFC6979 lists a variant that uses the hash directly instead of
* doing bits2octets(H(m)), when variant macro is used avoid this
* bits2octets operation */
if (mp_cmp(&z1, order) == MP_GT) {
mp_sub(&z1, order, &z1);
h1len = mp_unsigned_bin_size(&z1);
if (mp_cmp(z1, order) == MP_GT) {
mp_sub(z1, order, z1);
h1len = mp_unsigned_bin_size(z1);
if (h1len < 0 || h1len > WC_MAX_DIGEST_SIZE) {
ret = BUFFER_E;
}
else {
ret = mp_to_unsigned_bin(&z1, h1);
ret = mp_to_unsigned_bin(z1, h1);
}
}
else
@ -6206,7 +6213,7 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
XMEMCPY(h1, hash, hashSz);
}
}
mp_free(&z1);
mp_free(z1);
/* 3.2 step d. K = HMAC_K(V || 0x00 || int2octests(x) || bits2octests(h1) */
if (ret == 0) {
@ -6282,6 +6289,8 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
}
#ifdef WOLFSSL_SMALL_STACK
if (z1 != NULL)
XFREE(z1, heap, DYNAMIC_TYPE_ECC_BUFFER);
if (x != NULL)
XFREE(x, heap, DYNAMIC_TYPE_PRIVATE_KEY);
if (K != NULL)

2
wolfcrypt/src/wc_port.c
View File

@ -374,7 +374,7 @@ int wolfCrypt_Cleanup(void)
#ifdef WOLFSSL_SCE
WOLFSSL_SCE_GSCE_HANDLE.p_api->close(WOLFSSL_SCE_GSCE_HANDLE.p_ctrl);
#endif
#if defined(WOLFSSL_IMX6_CAAM) || defined(WOLFSSL_IMX6_CAAM_RNG) || \
defined(WOLFSSL_IMX6_CAAM_BLOB)
wc_caamFree();