wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

1. Rename and relabel the FIPS 140-3 option as wolfCrypt v5.

Browse Source 
2. Make sure the correct SHA assembly files are copied over for the latest FIPS build.
This commit is contained in:
John Safranek
2021-03-11 08:51:54 -08:00
parent 30d0188fca
commit b87fca669d
4 changed files with 18 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
configure.ac
View File

@ -183,7 +183,7 @@ AC_ARG_ENABLE([fips],
[ENABLED_FIPS="no"])
# The FIPS options are:
# v4 - FIPS 140-3
# v5 - FIPS 140-3 (wolfCrypt v5.0.0)
# v3 - FIPS Ready
# ready - same as v3
# rand - wolfRand
@ -201,7 +201,7 @@ AS_CASE([$ENABLED_FIPS],
FIPS_VERSION="none"
ENABLED_FIPS="no"
],
[rand|v1|v2|v4],[
[rand|v1|v2|v5],[
FIPS_VERSION="$ENABLED_FIPS"
ENABLED_FIPS="yes"
],
@ -212,7 +212,7 @@ AS_CASE([$ENABLED_FIPS],
FIPS_VERSION="v1"
],
[
AC_MSG_ERROR([Invalid value for --enable-fips \"$ENABLED_FIPS\" (allowed: ready, rand, v1, v2)])
AC_MSG_ERROR([Invalid value for --enable-fips \"$ENABLED_FIPS\" (allowed: ready, rand, v1, v2, v5)])
])
AS_CASE([$FIPS_VERSION],
@ -237,7 +237,7 @@ AC_ARG_ENABLE([fips-3],
[AS_HELP_STRING([--enable-fips-3],[Enable FIPS 140-3, Will NOT work w/o FIPS license (default: disabled)])],
[ENABLED_FIPS_140_3=$enableval],
[ENABLED_FIPS_140_3="no"])
AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v4"])
AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v5"])
# Linux Kernel Module
AC_ARG_ENABLE([linuxkm],
@ -1719,7 +1719,7 @@ fi
SHA3_DEFAULT=no
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64"
then
if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv4"
if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv5"
then
SHA3_DEFAULT=yes
fi
@ -2956,9 +2956,9 @@ fi
# FIPS
AS_CASE([$FIPS_VERSION],
["v4"], [ # FIPS 140-3
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=4 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING"
ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"
["v5"], [ # FIPS 140-3
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=5 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING"
ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"; ENABLED=WOLFSSH="yes"
# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
@ -6227,8 +6227,8 @@ AM_CONDITIONAL([BUILD_FIPS_V1],[test "x$FIPS_VERSION" = "xv1"])
AM_CONDITIONAL([BUILD_FIPS_V2],[test "x$FIPS_VERSION" = "xv2"])
AM_CONDITIONAL([BUILD_FIPS_RAND],[test "x$FIPS_VERSION" = "xrand"])
AM_CONDITIONAL([BUILD_FIPS_V3],[test "x$FIPS_VERSION" = "xv3"])
AM_CONDITIONAL([BUILD_FIPS_V4],[test "x$FIPS_VERSION" = "xv4"])
AM_CONDITIONAL([BUILD_FIPS_CURRENT],[test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv4"])
AM_CONDITIONAL([BUILD_FIPS_V4],[test "x$FIPS_VERSION" = "xv5"])
AM_CONDITIONAL([BUILD_FIPS_CURRENT],[test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv5"])
AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"])
AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])

11
fips-check.sh
View File

@ -36,7 +36,7 @@ Platform is one of:
stm32l4-v2 (FIPSv2, use for STM32L4)
wolfrand
solaris
linuxv3 (FIPS 140-3)
linuxv5 (FIPS 140-3)
Keep (default off) retains the XXX-fips-test temp dir for inspection.
Example:
@ -266,7 +266,7 @@ solaris)
FIPS_OPTION=v2
MAKE=gmake
;;
linuxv3)
linuxv5)
FIPS_REPO="git@github.com:ejohnstown/fips.git"
FIPS_VERSION="fipsv3"
CRYPT_REPO="git@github.com:ejohnstown/wolfssl.git"
@ -277,8 +277,9 @@ linuxv3)
RNG_VERSION="fipsv3"
FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c )
FIPS_INCS=( fips.h )
FIPS_OPTION="v4"
COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm )
FIPS_OPTION="v5"
COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm
wolfcrypt/src/sha256_asm.S wolfcrypt/src/sha512_asm.S )
;;
*)
Usage
@ -319,7 +320,7 @@ then
cp "old-tree/$CRYPT_SRC_PATH/random.c" $CRYPT_SRC_PATH
cp "old-tree/$CRYPT_INC_PATH/random.h" $CRYPT_INC_PATH
fi
elif [ "x$FIPS_OPTION" == "xv2" ] || [ "x$FIPS_OPTION" == "xrand" ] || [ "x$FIPS_OPTION" == "xv4" ]
elif [ "x$FIPS_OPTION" == "xv2" ] || [ "x$FIPS_OPTION" == "xrand" ] || [ "x$FIPS_OPTION" == "xv5" ]
then
$GIT branch --no-track "my$CRYPT_VERSION" $CRYPT_VERSION
# Checkout the fips versions of the wolfCrypt files from the repo.

2
wolfcrypt/src/hmac.c
View File

@ -1968,7 +1968,7 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz,
return ret;
}
#endif /* WOLFSSL_SSH */
#endif /* WOLFSSL_WOLFSSH */
#endif /* HAVE_FIPS */
#endif /* NO_HMAC */

2
wolfssl/wolfcrypt/hmac.h
View File

@ -268,7 +268,7 @@ WOLFSSL_API int wc_SSH_KDF(byte hashId, byte keyId,
const byte* h, word32 hSz,
const byte* sessionId, word32 sessionIdSz);
#endif /* WOLFSSL_SSH */
#endif /* WOLFSSL_WOLFSSH */
#ifdef __cplusplus
} /* extern "C" */