From 3cebf35b1b0780fc4a2c8574fc5576b60dfd9a94 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 6 Oct 2023 14:44:29 -0700 Subject: [PATCH 1/2] Cleanups for IDE/WIN10 user_settings.h to allow for FIPS 140-2 3389 cert. Fixed compiler warning with possible use of uninitialized data. --- IDE/WIN10/user_settings.h | 12 ++++++++++++ src/pk.c | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/IDE/WIN10/user_settings.h b/IDE/WIN10/user_settings.h index 32d747e3c..cc1c34ede 100644 --- a/IDE/WIN10/user_settings.h +++ b/IDE/WIN10/user_settings.h @@ -1,6 +1,16 @@ #ifndef _WIN_USER_SETTINGS_H_ #define _WIN_USER_SETTINGS_H_ +/* For FIPS 140-2 3389 build set to "#if 1" */ +#if 0 +#undef HAVE_FIPS +#define HAVE_FIPS +#undef HAVE_FIPS_VERSION +#define HAVE_FIPS_VERSION 2 +#undef HAVE_FIPS_VERSION_MINOR +#define HAVE_FIPS_VERSION_MINOR 0 +#endif + /* Set the following to 1 for WCv5.0-RC12 build. */ #if 0 #undef HAVE_FIPS @@ -67,8 +77,10 @@ #define WOLFSSL_VALIDATE_FFC_IMPORT #define HAVE_FFDHE_Q #define HAVE_PUBLIC_FFDHE + #ifdef _WIN64 #define WOLFSSL_AESNI #define HAVE_INTEL_RDSEED + #endif #define FORCE_FAILURE_RDSEED #endif /* FIPS v2 */ #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5) diff --git a/src/pk.c b/src/pk.c index a09b7f33e..0a595b75e 100644 --- a/src/pk.c +++ b/src/pk.c @@ -2110,7 +2110,7 @@ int wolfSSL_PEM_write_RSAPrivateKey(XFILE fp, WOLFSSL_RSA *rsa, { int ret = 1; byte* pem = NULL; - int pLen; + int pLen = 0; (void)cb; (void)arg; From c05aea7c5a312a64d0c7ec311d30cb36ab654948 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 11 Oct 2023 12:51:32 -0700 Subject: [PATCH 2/2] Improvements to the wolfCrypt FIPS Visual Studio project link settings to resolve ASLR (Randomized Base Address) issue on some platforms. ZD 16615 --- IDE/WIN/README.txt | 18 ++++++++++-------- IDE/WIN/wolfssl-fips.vcxproj | 18 ++++++++++++++++-- IDE/WIN10/README.txt | 10 +++++++--- IDE/WIN10/wolfssl-fips.vcxproj | 14 ++++++++++++++ 4 files changed, 47 insertions(+), 13 deletions(-) diff --git a/IDE/WIN/README.txt b/IDE/WIN/README.txt index 25e4d7e8d..4c86dc195 100644 --- a/IDE/WIN/README.txt +++ b/IDE/WIN/README.txt @@ -3,7 +3,7 @@ First, if you did not get the FIPS files with your archive, you must contact wolfSSL to obtain them. -The IDE/WIN/wolfssl-fips.sln solution is for the original FIPS #2425 certificate. +The IDE/WIN/wolfssl-fips.sln solution is for the original FIPS #2425 certificate. See IDE/WIN10/wolfssl-fips.sln for the FIPS v2 #3389 or later Visual Studio solution. # Building the wolfssl-fips project @@ -30,11 +30,13 @@ The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt FIPS library code and constant data and compares it with a known value in the code. -The Randomized Base Address setting needs to be disabled on the 32-bit builds -but can be enabled on the 64-bit builds. In the 32-bit mode the addresses -being different throws off the in-core memory calculation. It looks like in -64-bit mode the library uses all offsets, so the core hash calculation -is the same every time. +The following wolfCrypt FIPS project linker settings are required for the DLL Win32 configuration: +1) The [Randomized Base Address setting (ASLR)](https://learn.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-170) +needs to be disabled on all builds as the feature throws off the in-core memory calculation causing the test to fail. +2) The [Incremental Link](https://learn.microsoft.com/en-us/cpp/build/reference/incremental-link-incrementally?view=msvc-170) +option need turned off so function pointers go to actual code, not a jump instruction. +3) The [FixedBaseAddress](https://learn.microsoft.com/en-us/cpp/build/reference/fixed-fixed-base-address?view=msvc-170) +option to YES, which disables the support for ASLR. The "verifyCore" check value in the source fips_test.c needs to be updated when building the code. The POS performs this check and the default failure callback @@ -71,13 +73,13 @@ These settings are defined in IDE/WIN/user_settings.h. # Notes on enabling DTLS including DTLS version 1.3 -The file IDE/WIN/user_settings_dtls.h contains the needed build options for +The file IDE/WIN/user_settings_dtls.h contains the needed build options for enabling DTLS and DTLS version 1.3. To incorporate the build options: * Rename IDE/WIN/user_settings.h to IDE/WIN/user_settings.h.bak * Rename IDE/WIN/user_settings_dtls.h to IDE/WIN/user_settings.h - + Alternatively, copy the DTLS labeled section from IDE/WIN/user_settings_dtls.h in to IDE/WIN/user_settings.h. \ No newline at end of file diff --git a/IDE/WIN/wolfssl-fips.vcxproj b/IDE/WIN/wolfssl-fips.vcxproj index a27574f4a..b91c6efef 100644 --- a/IDE/WIN/wolfssl-fips.vcxproj +++ b/IDE/WIN/wolfssl-fips.vcxproj @@ -117,6 +117,18 @@ $(SolutionDir)$(Configuration)\$(Platform)\ $(Configuration)\$(Platform)\obj\ + + false + + + false + + + false + + + false + Disabled @@ -146,6 +158,7 @@ 0x5A000000 false false + true @@ -174,7 +187,7 @@ ws2_32.lib;%(AdditionalDependencies) - true + false false @@ -206,6 +219,7 @@ ws2_32.lib;%(AdditionalDependencies) false 0x5A000000 + true @@ -234,7 +248,7 @@ ws2_32.lib;%(AdditionalDependencies) - true + false diff --git a/IDE/WIN10/README.txt b/IDE/WIN10/README.txt index 80c6ec47f..4ef0a1454 100644 --- a/IDE/WIN10/README.txt +++ b/IDE/WIN10/README.txt @@ -29,8 +29,13 @@ The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt FIPS library code and constant data and compares it with a known value in the code. -The Randomized Base Address setting needs to be disabled on all builds as the -feature throws off the in-core memory calculation causing the test to fail. +The following wolfCrypt FIPS project linker settings are required for the DLL Win32 configuration: +1) The [Randomized Base Address setting (ASLR)](https://learn.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-170) +needs to be disabled on all builds as the feature throws off the in-core memory calculation causing the test to fail. +2) The [Incremental Link](https://learn.microsoft.com/en-us/cpp/build/reference/incremental-link-incrementally?view=msvc-170) +option need turned off so function pointers go to actual code, not a jump instruction. +3) The [FixedBaseAddress](https://learn.microsoft.com/en-us/cpp/build/reference/fixed-fixed-base-address?view=msvc-170) +option to YES, which disables the support for ASLR. The "verifyCore" check value in the source fips_test.c needs to be updated when building the code. The POS performs this check and the default failure callback @@ -39,7 +44,6 @@ value and paste it back into your code in the verifyCore initializer then rebuild the code. When statically linking, you may have to recalculate your check value when changing your application. - # Build Options The default build options should be the proper default set of options: diff --git a/IDE/WIN10/wolfssl-fips.vcxproj b/IDE/WIN10/wolfssl-fips.vcxproj index 92d1dda83..99ffb4352 100644 --- a/IDE/WIN10/wolfssl-fips.vcxproj +++ b/IDE/WIN10/wolfssl-fips.vcxproj @@ -117,6 +117,18 @@ $(SolutionDir)$(Configuration)\$(Platform)\ $(Configuration)\$(Platform)\$(ProjectName)_obj\ + + false + + + false + + + false + + + false + Disabled @@ -146,6 +158,7 @@ 0x5A000000 false false + true @@ -206,6 +219,7 @@ ws2_32.lib;%(AdditionalDependencies) false 0x5A000000 + true