Merge pull request #8576 from douzzer/20250319-FIPS-lean-aesgcm

20250319-FIPS-lean-aesgcm
David Garske
2025-03-21 08:55:34 -07:00
committed by GitHub
9 changed files with 303 additions and 45 deletions


@ -255,7 +255,6 @@ INTIMEVER
IOTSAFE_NO_GETDATA IOTSAFE_NO_GETDATA
IOTSAFE_SIG_8BIT_LENGTH IOTSAFE_SIG_8BIT_LENGTH
KCAPI_USE_XMALLOC KCAPI_USE_XMALLOC
MLKEM_NONDETERMINISTIC
K_SERIES K_SERIES
LIBWOLFSSL_VERSION_GIT_BRANCH LIBWOLFSSL_VERSION_GIT_BRANCH
LIBWOLFSSL_VERSION_GIT_HASH LIBWOLFSSL_VERSION_GIT_HASH
@ -284,6 +283,7 @@ MICRIUM_MALLOC
MICROCHIP_MPLAB_HARMONY MICROCHIP_MPLAB_HARMONY
MICROCHIP_MPLAB_HARMONY_3 MICROCHIP_MPLAB_HARMONY_3
MICRO_SESSION_CACHEx MICRO_SESSION_CACHEx
MLKEM_NONDETERMINISTIC
MODULE_SOCK_TCP MODULE_SOCK_TCP
MP_31BIT MP_31BIT
MP_8BIT MP_8BIT


@ -529,9 +529,16 @@ AS_CASE([$ENABLED_FIPS],
ENABLED_FIPS="yes" ENABLED_FIPS="yes"
# for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) # for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
], ],
[lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
FIPS_VERSION="$ENABLED_FIPS"
HAVE_FIPS_VERSION_MAJOR=7
HAVE_FIPS_VERSION_MINOR=0
HAVE_FIPS_VERSION_PATCH=0
ENABLED_FIPS="yes"
],
[ [
AS_IF([test "$ENABLED_FIPS" = "yes"],[ENABLED_FIPS="(unset)"],[ENABLED_FIPS=\"$ENABLED_FIPS\"]) AS_IF([test "$ENABLED_FIPS" = "yes"],[ENABLED_FIPS="(unset)"],[ENABLED_FIPS=\"$ENABLED_FIPS\"])
AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, ready, dev, rand, no, disabled)]) AC_MSG_ERROR([Invalid value for --enable-fips $ENABLED_FIPS (main options: v1, v2, v5, v6, ready, dev, rand, lean-aesgcm, no, disabled)])
]) ])
if test -z "$HAVE_FIPS_VERSION_MAJOR" if test -z "$HAVE_FIPS_VERSION_MAJOR"
@ -3913,6 +3920,19 @@ then
fi fi
# SHA256
AC_ARG_ENABLE([sha256],
[AS_HELP_STRING([--enable-sha256],[Enable wolfSSL SHA256 support (default: enabled)])],
[ ENABLED_SHA256=$enableval ],
[ ENABLED_SHA256=yes ]
)
if test "$ENABLED_SHA256" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SHA256"
fi
# set sha224 default # set sha224 default
SHA224_DEFAULT=no SHA224_DEFAULT=no
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64" if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"
@ -3921,7 +3941,7 @@ then
( test "x$ENABLED_FIPS" = "xno" || ( test "x$ENABLED_FIPS" = "xno" ||
( test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" != 1 ) ) ( test "$HAVE_FIPS_VERSION" = 2 && test "$HAVE_FIPS_VERSION_MINOR" != 1 ) )
then then
SHA224_DEFAULT=yes SHA224_DEFAULT=$ENABLED_SHA256
fi fi
fi fi
@ -3934,6 +3954,10 @@ AC_ARG_ENABLE([sha224],
if test "$ENABLED_SHA224" = "yes" if test "$ENABLED_SHA224" = "yes"
then then
if test "$ENABLED_SHA256" = "no"
then
AC_MSG_ERROR([Enabling SHA224 requires enabling SHA256.])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"
fi fi
@ -5448,13 +5472,14 @@ AC_ARG_ENABLE([aeskeywrap],
# FIPS feature and macro setup # FIPS feature and macro setup
AS_IF([test "$FIPS_VERSION" = "dev"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
AS_IF([test "$FIPS_VERSION" = "ready"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
AS_CASE([$FIPS_VERSION], AS_CASE([$FIPS_VERSION],
[v6|ready|dev],[ # FIPS 140-3 SRTP-KDF [v6|ready|dev],[ # FIPS 140-3 SRTP-KDF
AS_IF([test "$FIPS_VERSION" = "dev"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
AS_IF([test "$FIPS_VERSION" = "ready"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
AM_CFLAGS="$AM_CFLAGS \ AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \ -DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \ -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
@ -5473,7 +5498,7 @@ AS_CASE([$FIPS_VERSION],
-DHAVE_FFDHE_6144 \ -DHAVE_FFDHE_6144 \
-DHAVE_FFDHE_8192" -DHAVE_FFDHE_8192"
# KCAPI API does not support custom k for sign, don't force enable ECC key sizes and do not use seed callback # KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"], AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
[AM_CFLAGS="$AM_CFLAGS \ [AM_CFLAGS="$AM_CFLAGS \
-DWC_RNG_SEED_CB \ -DWC_RNG_SEED_CB \
@ -5617,10 +5642,10 @@ AS_CASE([$FIPS_VERSION],
(test "$FIPS_VERSION" != "dev" || test "$enable_aesxts_stream" != "no")], (test "$FIPS_VERSION" != "dev" || test "$enable_aesxts_stream" != "no")],
[ENABLED_AESXTS_STREAM="yes"]) [ENABLED_AESXTS_STREAM="yes"])
AS_IF([(test "$ENABLED_AESCCM" = "yes" && test "$HAVE_AESCCM_PORT" != "yes") || AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" = "yes" && test "$HAVE_AESCTR_PORT" != "yes") || (test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" = "yes" && test "$HAVE_AESGCM_PORT" != "yes") || (test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" = "yes" && test "$HAVE_AESOFB_PORT" != "yes")], (test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"]) [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
AS_IF([test "x$ENABLED_AESKEYWRAP" != "xyes" && AS_IF([test "x$ENABLED_AESKEYWRAP" != "xyes" &&
@ -5633,6 +5658,218 @@ AS_CASE([$FIPS_VERSION],
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"]) ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
], ],
[lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[
AS_IF([test "$FIPS_VERSION" = "lean-aesgcm-dev"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
AS_IF([test "$FIPS_VERSION" = "lean-aesgcm-ready"],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
AM_CFLAGS="$AM_CFLAGS \
-DHAVE_FIPS \
-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
-DNO_BIG_INT \
-DWC_RNG_SEED_CB"
# optimizations section
# protocol section
AS_IF([test "$ENABLED_CRYPTONLY" != "yes" && test "$enable_cryptonly" != "no"],
[ENABLED_CRYPTONLY="yes"; enable_cryptonly="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY"])
AS_IF([test "$ENABLED_TLS" != "no" && test "$enable_tls" != "yes"],
[ENABLED_TLS="no"; enable_tls="no"; AM_CFLAGS="$AM_CFLAGS -DNO_TLS"])
AS_IF([test "$ENABLED_TLSV12" != "no" && test "$enable_tlsv12" != "yes"],
[ENABLED_TLSV12="no"; enable_tlsv12="no"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_TLS12"])
AS_IF([test "$ENABLED_ASN" != "no" && test "$enable_asn" != "yes"],
[ENABLED_ASN="no"; enable_asn="no"; AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_ASN_CRYPT"])
AS_IF([test "$ENABLED_SEND_HRR_COOKIE" != "no" && test "$enable_hrrcookie" != "yes"],
[ENABLED_SEND_HRR_COOKIE="no"; enable_hrrcookie="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SEND_HRR_COOKIE"])
AS_IF([test "$ENABLED_WOLFSSH" != "no" && test "$enable_ssh" != "yes"],
[ENABLED_WOLFSSH="no"; enable_ssh="no"])
AS_IF([test "$ENABLED_HKDF" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_hkdf" != "yes")],
[enable_hkdf="no"; ENABLED_HKDF="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_HKDF"])
AS_IF([test "$ENABLED_PWDBASED" != "yes" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_pwdbased" != "no")],
[enable_pwdbased="yes"; ENABLED_PWDBASED="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_PBKDF2"])
AS_IF([test "$ENABLED_SRTP" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_srtp" != "yes")],
[enable_srtp="no"; ENABLED_SRTP="no"])
AS_IF([test "$ENABLED_SRTP_KDF" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_srtp_kdf" != "yes")],
[enable_srtp_kdf="no"; ENABLED_SRTP_KDF="no"])
AS_IF([test "$ENABLED_PKCS8" != "no" && test "$enable_pkcs8" != "yes"],
[enable_pkcs8="no"; ENABLED_PKCS8="no"; AM_CFLAGS="$AM_CFLAGS -DNO_PKCS8"])
# public key section
AS_IF([test "$ENABLED_SP_MATH_ALL" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sp_math_all" != "yes")],
[enable_sp_math_all="no"; ENABLED_SP_MATH_ALL="no"])
AS_IF([test "$ENABLED_KEYGEN" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_keygen" != "yes")],
[enable_keygen="no"; ENABLED_KEYGEN="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_KEY_GEN"])
AS_IF([test "$ENABLED_COMPKEY" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_compkey" != "yes")],
[enable_compkey="no"; ENABLED_COMPKEY="no"])
AS_IF([test "$ENABLED_RSA" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_rsa" != "yes")],
[enable_rsa="no"; ENABLED_RSA="no"; AM_CFLAGS="$AM_CFLAGS -DNO_RSA"])
AS_IF([test "$ENABLED_RSAPSS" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_rsapss" != "yes")],
[enable_rsapss="no"; ENABLED_RSAPSS="no"; AM_CFLAGS="$AM_CFLAGS -UWC_RSA_PSS"])
AS_IF([test "$ENABLED_DH" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_dh" != "yes")],
[enable_dh="no"; ENABLED_DH="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DH"])
AS_IF([test "$ENABLED_ECC" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ecc" != "yes")],
[enable_ecc="no"; ENABLED_ECC="no"; ENABLED_ECCMINSZ="n/a"; ENABLED_ECC_SHAMIR="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ECC -UTFM_ECC256 -UECC_MIN_KEY_SZ -UECC_SHAMIR"])
AS_IF([test "$ENABLED_ED25519" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed25519" != "yes")],
[enable_ed25519="no"; ENABLED_ED25519="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ED25519 -UHAVE_ED25519_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE25519" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_curve25519" != "yes")],
[enable_curve25519="no"; ENABLED_CURVE25519="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_CURVE25519"])
AS_IF([test "$ENABLED_ED448" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed448" != "yes")],
[enable_ed448="no"; ENABLED_ED448="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_ED448 -UHAVE_ED448_KEY_IMPORT"])
AS_IF([test "$ENABLED_CURVE448" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_curve448" != "yes")],
[enable_curve448="no"; ENABLED_CURVE448="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_CURVE448"])
AS_IF([test "$ENABLED_ED25519_STREAM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed25519_stream" != "yes")],
[enable_ed25519_stream="no"; ENABLED_ED25519_STREAM="no"])
AS_IF([test "$ENABLED_ED448_STREAM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_ed448_stream" != "yes")],
[enable_ed448_stream="no"; ENABLED_ED448_STREAM="no"])
AS_IF([test "$ENABLED_ECCCUSTCURVES" != "no" &&
test "$FIPS_VERSION" != "lean-aesgcm-dev"],
[ENABLED_ECCCUSTCURVES="no"])
# Hashing section
AS_IF([test "$ENABLED_SHA" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha" != "yes")],
[enable_sha="no"; ENABLED_SHA="no"; AM_CFLAGS="$AM_CFLAGS -DNO_SHA"])
AS_IF([test "$ENABLED_SHA256" = "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha256" != "no")],
[enable_sha256="yes"; ENABLED_SHA256="yes"; AM_CFLAGS="$AM_CFLAGS -UNO_SHA256"])
AS_IF([test "$ENABLED_SHA3" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha3" != "yes")],
[enable_sha3="no"; ENABLED_SHA3="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA3"])
AS_IF([test "$ENABLED_SHA224" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha224" != "yes")],
[enable_sha224="no"; ENABLED_SHA224="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA224"])
AS_IF([test "$ENABLED_SHA384" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha384" != "yes")],
[enable_sha384="no"; ENABLED_SHA384="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA384 -UWOLFSSL_SHA384"])
AS_IF([test "$ENABLED_SHA512" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha512" != "yes")],
[enable_sha512="no"; ENABLED_SHA512="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
AS_IF([test "$ENABLED_SHAKE128" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake128" != "yes")],
[enable_shake128="no"; ENABLED_SHAKE128="no"])
AS_IF([test "$ENABLED_SHAKE256" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_shake256" != "yes")],
[enable_shake256="no"; ENABLED_SHAKE256="no"])
AS_IF([test "$ENABLED_MD5" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_md5" != "yes")],
[enable_md5="no"; ENABLED_MD5="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5"])
# Aes section
AS_IF([test "$ENABLED_AESCBC" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aescbc" != "yes")],
[enable_aescbc="no"; ENABLED_AESCBC="no"; AM_CFLAGS="$AM_CFLAGS -DNO_AES_CBC"])
AS_IF([test "$ENABLED_AESCCM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesccm" != "yes")],
[enable_aesccm="no"; ENABLED_AESCCM="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_AESCCM"])
AS_IF([test "$ENABLED_AESCTR" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesctr" != "yes")],
[enable_aesctr="no"; ENABLED_AESCTR="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_COUNTER"])
AS_IF([test "$ENABLED_CMAC" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_cmac" != "yes")],
[enable_cmac="no"; ENABLED_CMAC="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_CMAC"])
AS_IF([test "$ENABLED_AESGCM" = "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesgcm_stream" != "no")],
[ENABLED_AESGCM_STREAM="yes"])
AS_IF([test "$ENABLED_AESOFB" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesofb" != "yes")],
[enable_aesofb="no"; ENABLED_AESOFB="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_OFB"])
AS_IF([test "$ENABLED_AESCFB" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aescfb" != "yes")],
[enable_aescfb="no"; ENABLED_AESCFB="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_CFB"])
AS_IF([test "$ENABLED_AESXTS" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesxts" != "yes")],
[enable_aesxts="no"; ENABLED_AESXTS="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_AES_XTS"])
AS_IF([test "$ENABLED_AESXTS" = "yes" && test "$ENABLED_AESNI" = "yes"],
[AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_AES_XTS"])
AS_IF([test "$ENABLED_AESXTS_STREAM" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aesxts_stream" != "yes")],
[enable_aesxts_stream="no"; ENABLED_AESXTS_STREAM="no"])
AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
AS_IF([test "$ENABLED_AESKEYWRAP" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_aeskeywrap" != "yes")],
[enable_aeskeywrap="no"; ENABLED_AESKEYWRAP="no"; AM_CFLAGS="$AM_CFLAGS -UHAVE_AES_KEYWRAP"])
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
[AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
],
[v5*], [ # FIPS 140-3 [v5*], [ # FIPS 140-3
AM_CFLAGS="$AM_CFLAGS \ AM_CFLAGS="$AM_CFLAGS \
@ -5773,11 +6010,11 @@ AS_CASE([$FIPS_VERSION],
[AC_MSG_WARN([Forcing off srtp-kdf for FIPS ${FIPS_VERSION}.]) [AC_MSG_WARN([Forcing off srtp-kdf for FIPS ${FIPS_VERSION}.])
ENABLED_SRTP_KDF="no"]) ENABLED_SRTP_KDF="no"])
AS_IF([(test "$ENABLED_AESCCM" = "yes" && test "$HAVE_AESCCM_PORT" != "yes") || AS_IF([(test "$ENABLED_AESCCM" != "no" && test "$HAVE_AESCCM_PORT" != "yes") ||
(test "$ENABLED_AESCTR" = "yes" && test "$HAVE_AESCTR_PORT" != "yes") || (test "$ENABLED_AESCTR" != "no" && test "$HAVE_AESCTR_PORT" != "yes") ||
(test "$ENABLED_AESGCM" = "yes" && test "$HAVE_AESGCM_PORT" != "yes") || (test "$ENABLED_AESGCM" != "no" && test "$HAVE_AESGCM_PORT" != "yes") ||
(test "$ENABLED_AESOFB" = "yes" && test "$HAVE_AESOFB_PORT" != "yes") || (test "$ENABLED_AESOFB" != "no" && test "$HAVE_AESOFB_PORT" != "yes") ||
(test "$ENABLED_AESXTS" = "yes" && test "$HAVE_AESXTS_PORT" != "yes")], (test "$ENABLED_AESXTS" != "no" && test "$HAVE_AESXTS_PORT" != "yes")],
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"]) [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB"])
], ],
@ -6418,6 +6655,12 @@ if test "$host_cpu" = "x86_64" || test "$host_cpu" = "x86" || test "$host_cpu" =
then then
SNI_DEFAULT=yes SNI_DEFAULT=yes
fi fi
if test "$ENABLED_TLS" = "no"
then
SNI_DEFAULT=no
fi
AC_ARG_ENABLE([sni], AC_ARG_ENABLE([sni],
[AS_HELP_STRING([--enable-sni],[Enable SNI (default: enabled on x86_64/x86/aarch64/amd64)])], [AS_HELP_STRING([--enable-sni],[Enable SNI (default: enabled on x86_64/x86/aarch64/amd64)])],
[ ENABLED_SNI=$enableval ], [ ENABLED_SNI=$enableval ],
@ -9013,11 +9256,10 @@ fi
AC_ARG_ENABLE([defaultdhparams], AC_ARG_ENABLE([defaultdhparams],
[AS_HELP_STRING([--enable-defaultdhparams],[Enables option for default dh parameters (default: disabled)])], [AS_HELP_STRING([--enable-defaultdhparams],[Enables option for default dh parameters (default: disabled)])],
[ ENABLED_DHDEFAULTPARAMS=$enableval ], [ ENABLED_DHDEFAULTPARAMS=$enableval ],
[ ENABLED_DHDEFAULTPARAMS=yes ] [ ENABLED_DHDEFAULTPARAMS=$ENABLED_DH ]
) )
if test "x$ENABLED_DH" = "xyes" && test "x$ENABLED_DHDEFAULTPARAMS" = "xyes" && test "x$ENABLED_QT" != "xyes" if test "x$ENABLED_DHDEFAULTPARAMS" = "xyes" && test "x$ENABLED_QT" != "xyes"
then then
ENABLED_DHDEFAULTPARAMS=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_DH_DEFAULT_PARAMS" AM_CFLAGS="$AM_CFLAGS -DHAVE_DH_DEFAULT_PARAMS"
fi fi
@ -9567,8 +9809,8 @@ AS_IF([test "x$ENABLED_16BIT" = "xyes" && \
################################################################################ ################################################################################
# Update CFLAGS based on options # # Update CFLAGS based on options #
################################################################################ ################################################################################
AS_IF([test "x$ENABLED_SP_MATH_ALL" = "xno" && test "x$ENABLED_FASTMATH" = "xno" && AS_IF([test "$ENABLED_SP_MATH" = "no" && test "$ENABLED_SP_MATH_ALL" = "no" &&
test "x$ENABLED_HEAPMATH" = "xno"], test "$ENABLED_FASTMATH" = "no" && test "$ENABLED_HEAPMATH" = "no"],
[AM_CFLAGS="$AM_CFLAGS -DNO_BIG_INT"]) [AM_CFLAGS="$AM_CFLAGS -DNO_BIG_INT"])
AS_IF([test "x$ENABLED_CERTS" = "xno"], AS_IF([test "x$ENABLED_CERTS" = "xno"],
@ -10605,6 +10847,7 @@ echo " * MD5: $ENABLED_MD5"
echo " * RIPEMD: $ENABLED_RIPEMD" echo " * RIPEMD: $ENABLED_RIPEMD"
echo " * SHA: $ENABLED_SHA" echo " * SHA: $ENABLED_SHA"
echo " * SHA-224: $ENABLED_SHA224" echo " * SHA-224: $ENABLED_SHA224"
echo " * SHA-256: $ENABLED_SHA256"
echo " * SHA-384: $ENABLED_SHA384" echo " * SHA-384: $ENABLED_SHA384"
echo " * SHA-512: $ENABLED_SHA512" echo " * SHA-512: $ENABLED_SHA512"
echo " * SHA3: $ENABLED_SHA3" echo " * SHA3: $ENABLED_SHA3"
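Review bot: In the `lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev` branch of the second `AS_CASE`, `-DNO_BIG_INT` is appended to `AM_CFLAGS` unconditionally, yet the `lean-aesgcm-dev` variant further down deliberately leaves `ENABLED_SP_MATH_ALL`, RSA, DH and ECC on when the user enables them explicitly. If those options still emit their usual math-backend defines elsewhere in configure.ac (not visible here), such a dev build would presumably stop at the new `#error Conflicting MPI settings.` added to the big-integer header; consider dropping the flag from that list and relying on the later `AS_IF` that adds `-DNO_BIG_INT` once every math backend is "no". Separately, the non-dev variants override explicit `--enable-*`/`--disable-*` choices (including forcing SHA-256 and AES-GCM back on) without any message, unlike the oldtls case at the end of the same block, so a line such as `AC_MSG_WARN([Forcing off rsa for FIPS ${FIPS_VERSION}.])` per forced option would keep the override visible in build logs. The repeated `-UWOLFSSL_SHA384 -UWOLFSSL_SHA384` in the SHA384 entry looks like a copy-paste leftover.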


@ -125,7 +125,6 @@ extern "C" {
#define NO_SHA #define NO_SHA
#define NO_DSA #define NO_DSA
#define NO_DES3 #define NO_DES3
#define NO_BIG_INT
#define NO_RC4 #define NO_RC4
#define WOLFSSL_NO_SHAKE128 #define WOLFSSL_NO_SHAKE128
#define WOLFSSL_NO_SHAKE256 #define WOLFSSL_NO_SHAKE256


@ -216,7 +216,6 @@ extern "C" {
#define NO_SIG_WRAPPER #define NO_SIG_WRAPPER
#define NO_ASN_TIME #define NO_ASN_TIME
#define NO_CODING #define NO_CODING
#define NO_BIG_INT
#endif #endif
#ifdef __cplusplus #ifdef __cplusplus


@ -3634,9 +3634,9 @@ static void* benchmarks_do(void* args)
bench_scrypt(); bench_scrypt();
#endif #endif
#ifndef NO_RSA #if !defined(NO_RSA) && !defined(WC_NO_RNG)
#ifndef HAVE_RENESAS_SYNC #ifndef HAVE_RENESAS_SYNC
#ifdef WOLFSSL_KEY_GEN #if defined(WOLFSSL_KEY_GEN)
if (bench_all || (bench_asym_algs & BENCH_RSA_KEYGEN)) { if (bench_all || (bench_asym_algs & BENCH_RSA_KEYGEN)) {
#ifndef NO_SW_BENCH #ifndef NO_SW_BENCH
if (((word32)bench_asym_algs == 0xFFFFFFFFU) || if (((word32)bench_asym_algs == 0xFFFFFFFFU) ||
@ -3656,7 +3656,7 @@ static void* benchmarks_do(void* args)
} }
#endif #endif
} }
#endif #endif /* WOLFSSL_KEY_GEN */
if (bench_all || (bench_asym_algs & BENCH_RSA)) { if (bench_all || (bench_asym_algs & BENCH_RSA)) {
#ifndef NO_SW_BENCH #ifndef NO_SW_BENCH
bench_rsa(0); bench_rsa(0);
@ -3677,9 +3677,9 @@ static void* benchmarks_do(void* args)
} }
#endif #endif
#endif #endif
#endif #endif /* !NO_RSA && !WC_NO_RNG */
#ifndef NO_DH #if !defined(NO_DH) && !defined(WC_NO_RNG)
if (bench_all || (bench_asym_algs & BENCH_DH)) { if (bench_all || (bench_asym_algs & BENCH_DH)) {
#ifndef NO_SW_BENCH #ifndef NO_SW_BENCH
bench_dh(0); bench_dh(0);
@ -3761,7 +3761,7 @@ static void* benchmarks_do(void* args)
#endif #endif
#endif /* if defined(WOLFSSL_HAVE_XMSS) && !defined(WOLFSSL_XMSS_VERIFY_ONLY) */ #endif /* if defined(WOLFSSL_HAVE_XMSS) && !defined(WOLFSSL_XMSS_VERIFY_ONLY) */
#ifdef HAVE_ECC #if defined(HAVE_ECC) && !defined(WC_NO_RNG)
if (bench_all || (bench_asym_algs & BENCH_ECC_MAKEKEY) || if (bench_all || (bench_asym_algs & BENCH_ECC_MAKEKEY) ||
(bench_asym_algs & BENCH_ECC) || (bench_asym_algs & BENCH_ECC) ||
(bench_asym_algs & BENCH_ECC_ALL) || (bench_asym_algs & BENCH_ECC_ALL) ||
@ -9370,7 +9370,7 @@ exit:
#endif /* !NO_RSA */ #endif /* !NO_RSA */
#ifndef NO_DH #if !defined(NO_DH) && !defined(WC_NO_RNG)
#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \ #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
!defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096) !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
@ -9650,7 +9650,7 @@ exit:
WC_FREE_VAR(priv2, HEAP_HINT); WC_FREE_VAR(priv2, HEAP_HINT);
WC_FREE_ARRAY(agree, BENCH_MAX_PENDING, HEAP_HINT); WC_FREE_ARRAY(agree, BENCH_MAX_PENDING, HEAP_HINT);
} }
#endif /* !NO_DH */ #endif /* !NO_DH && !WC_NO_RNG */
#ifdef WOLFSSL_HAVE_MLKEM #ifdef WOLFSSL_HAVE_MLKEM
static void bench_mlkem_keygen(int type, const char* name, int keySize, static void bench_mlkem_keygen(int type, const char* name, int keySize,
@ -11047,7 +11047,7 @@ void bench_xmss(int hash)
} }
#endif /* if defined(WOLFSSL_HAVE_XMSS) && !defined(WOLFSSL_XMSS_VERIFY_ONLY) */ #endif /* if defined(WOLFSSL_HAVE_XMSS) && !defined(WOLFSSL_XMSS_VERIFY_ONLY) */
#ifdef HAVE_ECC #if defined(HAVE_ECC) && !defined(WC_NO_RNG)
/* Maximum ECC name plus null terminator: /* Maximum ECC name plus null terminator:
* "ECC [%15s]" and "ECDHE [%15s]" and "ECDSA [%15s]" */ * "ECC [%15s]" and "ECDHE [%15s]" and "ECDSA [%15s]" */
@ -11940,7 +11940,7 @@ exit:
(void)name; (void)name;
} }
#endif /* WOLFSSL_SM2 */ #endif /* WOLFSSL_SM2 */
#endif /* HAVE_ECC */ #endif /* HAVE_ECC && && !defined(WC_NO_RNG) */
#ifdef HAVE_CURVE25519 #ifdef HAVE_CURVE25519
void bench_curve25519KeyGen(int useDeviceID) void bench_curve25519KeyGen(int useDeviceID)
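Review bot: The closing comment on the ECC guard reads `#endif /* HAVE_ECC && && !defined(WC_NO_RNG) */`, with a doubled `&&` and a different form from the other guards touched here; `#endif /* HAVE_ECC && !WC_NO_RNG */` would match `#endif /* !NO_DH && !WC_NO_RNG */`. Also worth checking: the RSA dispatch in benchmarks_do is now skipped under `WC_NO_RNG`, but the definitions further down still end at an unchanged `#endif /* !NO_RSA */`, whereas the DH and ECC definitions were re-guarded. Whether the RSA benchmark bodies compile and link cleanly without an RNG cannot be seen from these hunks, so either guard them the same way or note why they differ.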


@ -455,10 +455,12 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
#if defined(WOLFSSL_AES_256) #if defined(WOLFSSL_AES_256)
case PBE_AES256_CBC: case PBE_AES256_CBC:
switch(shaOid) { switch(shaOid) {
#ifndef NO_SHA256
case HMAC_SHA256_OID: case HMAC_SHA256_OID:
typeH = WC_SHA256; typeH = WC_SHA256;
derivedLen = 32; derivedLen = 32;
break; break;
#endif
#ifndef NO_SHA #ifndef NO_SHA
default: default:
typeH = WC_SHA; typeH = WC_SHA;
@ -471,10 +473,12 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
#if defined(WOLFSSL_AES_128) #if defined(WOLFSSL_AES_128)
case PBE_AES128_CBC: case PBE_AES128_CBC:
switch(shaOid) { switch(shaOid) {
#ifndef NO_SHA256
case HMAC_SHA256_OID: case HMAC_SHA256_OID:
typeH = WC_SHA256; typeH = WC_SHA256;
derivedLen = 16; derivedLen = 16;
break; break;
#endif
#ifndef NO_SHA #ifndef NO_SHA
default: default:
typeH = WC_SHA; typeH = WC_SHA;
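Review bot: With `NO_SHA256` defined and SHA-1 still enabled, a `shaOid` of `HMAC_SHA256_OID` no longer matches any case in the `PBE_AES256_CBC` and `PBE_AES128_CBC` switches and falls into `default:`, so the key is derived with `WC_SHA` even though the caller or the encoded data named HMAC-SHA256. With both `NO_SHA256` and `NO_SHA` defined, the inner switch has no labels at all, and `typeH`/`derivedLen` keep whatever they held before. An explicit rejection would be safer than a silent PRF substitution, for example an `#else` arm with `case HMAC_SHA256_OID: return NOT_COMPILED_IN;`, provided nothing allocated earlier in wc_CryptKey needs freeing at that point. The function starts and ends outside both hunks, so its error path should be confirmed first.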


@ -19565,7 +19565,7 @@ static wc_test_ret_t rsa_export_key_test(RsaKey* key)
} }
#endif /* !HAVE_FIPS && !NO_ASN && !WOLFSSL_RSA_VERIFY_ONLY */ #endif /* !HAVE_FIPS && !NO_ASN && !WOLFSSL_RSA_VERIFY_ONLY */
#ifndef NO_SIG_WRAPPER #if !defined(NO_SIG_WRAPPER) && !defined(NO_SHA256)
static wc_test_ret_t rsa_sig_test(RsaKey* key, word32 keyLen, int modLen, WC_RNG* rng) static wc_test_ret_t rsa_sig_test(RsaKey* key, word32 keyLen, int modLen, WC_RNG* rng)
{ {
wc_test_ret_t ret; wc_test_ret_t ret;
@ -19753,7 +19753,7 @@ static wc_test_ret_t rsa_sig_test(RsaKey* key, word32 keyLen, int modLen, WC_RNG
return 0; return 0;
} }
#endif /* !NO_SIG_WRAPPER */ #endif /* !NO_SIG_WRAPPER && !NO_SHA256 */
#ifdef WC_RSA_NONBLOCK #ifdef WC_RSA_NONBLOCK
static wc_test_ret_t rsa_nb_test(RsaKey* key, const byte* in, word32 inLen, byte* out, static wc_test_ret_t rsa_nb_test(RsaKey* key, const byte* in, word32 inLen, byte* out,
@ -22110,10 +22110,14 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
#endif #endif
#ifndef NO_SIG_WRAPPER #ifndef NO_SIG_WRAPPER
#ifndef NO_SHA256
ret = rsa_sig_test(key, sizeof *key, modLen, &rng); ret = rsa_sig_test(key, sizeof *key, modLen, &rng);
if (ret != 0) if (ret != 0)
goto exit_rsa; goto exit_rsa;
#endif #else /* NO_SHA256 */
(void)modLen;
#endif /* NO_SHA256 */
#endif /* !NO_SIG_WRAPPER */
#ifdef WC_RSA_NONBLOCK #ifdef WC_RSA_NONBLOCK
ret = rsa_nb_test(key, in, inLen, out, outSz, plain, plainSz, &rng); ret = rsa_nb_test(key, in, inLen, out, outSz, plain, plainSz, &rng);
@ -27063,7 +27067,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t scrypt_test(void)
} }
#endif #endif
#ifdef HAVE_PKCS12 #if defined(HAVE_PKCS12) && !defined(NO_SHA256)
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs12_pbkdf_test(void) WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs12_pbkdf_test(void)
{ {
WOLFSSL_SMALL_STACK_STATIC const byte passwd[] = { 0x00, 0x73, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x67, WOLFSSL_SMALL_STACK_STATIC const byte passwd[] = { 0x00, 0x73, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x67,
@ -27117,7 +27121,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs12_pbkdf_test(void)
return 0; return 0;
} }
#endif /* HAVE_PKCS12 */ #endif /* HAVE_PKCS12 && !NO_SHA256 */
#if defined(HAVE_PBKDF2) && !defined(NO_SHA256) && !defined(NO_HMAC) #if defined(HAVE_PBKDF2) && !defined(NO_SHA256) && !defined(NO_HMAC)
WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pbkdf2_test(void) WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pbkdf2_test(void)
@ -27196,7 +27200,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pwdbased_test(void)
if (ret != 0) if (ret != 0)
return ret; return ret;
#endif #endif
#ifdef HAVE_PKCS12 #if defined(HAVE_PKCS12) && !defined(NO_SHA256)
ret = pkcs12_pbkdf_test(); ret = pkcs12_pbkdf_test();
if (ret != 0) if (ret != 0)
return ret; return ret;


@ -40,7 +40,7 @@
typedef struct WOLFSSL_BIGNUM { typedef struct WOLFSSL_BIGNUM {
int neg; /* openssh deference */ int neg; /* openssh deference */
void *internal; /* our big num */ void *internal; /* our big num */
#if !defined(NO_BIG_INT) || defined(WOLFSSL_SP_MATH) #if !defined(NO_BIG_INT)
mp_int mpi; mp_int mpi;
#endif #endif
} WOLFSSL_BIGNUM; } WOLFSSL_BIGNUM;


@ -40,7 +40,16 @@ This library provides big integer math functions.
#endif #endif
#if defined(USE_FAST_MATH) #if defined(NO_BIG_INT)
/* MPI globally disabled -- no PK algorithms supported. */
#if defined(USE_FAST_MATH) || defined(USE_INTEGER_HEAP_MATH) || \
defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH) || \
defined(HAVE_WOLF_BIGINT) || defined(WOLFSSL_EXPORT_INT)
#error Conflicting MPI settings.
#endif
#elif defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)
#include <wolfssl/wolfcrypt/sp_int.h>
#elif defined(USE_FAST_MATH)
#include <wolfssl/wolfcrypt/tfm.h> #include <wolfssl/wolfcrypt/tfm.h>
#elif defined(USE_INTEGER_HEAP_MATH) #elif defined(USE_INTEGER_HEAP_MATH)
#include <wolfssl/wolfcrypt/integer.h> #include <wolfssl/wolfcrypt/integer.h>
@ -48,7 +57,7 @@ This library provides big integer math functions.
#include <wolfssl/wolfcrypt/sp_int.h> #include <wolfssl/wolfcrypt/sp_int.h>
#endif #endif
#if !defined(NO_BIG_INT) || defined(WOLFSSL_SP_MATH) #if !defined(NO_BIG_INT)
#include <wolfssl/wolfcrypt/random.h> #include <wolfssl/wolfcrypt/random.h>
#endif #endif
@ -72,7 +81,7 @@ This library provides big integer math functions.
extern const wc_ptr_t wc_off_on_addr[2]; extern const wc_ptr_t wc_off_on_addr[2];
#endif #endif
#if !defined(NO_BIG_INT) || defined(WOLFSSL_SP_MATH) #if !defined(NO_BIG_INT)
/* common math functions */ /* common math functions */
MP_API int get_digit_count(const mp_int* a); MP_API int get_digit_count(const mp_int* a);
MP_API mp_digit get_digit(const mp_int* a, int n); MP_API mp_digit get_digit(const mp_int* a, int n);
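Review bot: The new `#elif defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)` arm sits ahead of `USE_FAST_MATH`, so a build that defines both now includes sp_int.h where the old chain picked tfm.h, and a `NO_BIG_INT` build no longer reaches the trailing `#else` include of sp_int.h. If mixed backend definitions are meant to be resolved in this order, a short comment above the chain stating the precedence would help; if they are not, they deserve their own `#error`. The message `#error Conflicting MPI settings.` would also be easier to act on if it named the cause, e.g. `#error NO_BIG_INT cannot be combined with a math backend, HAVE_WOLF_BIGINT or WOLFSSL_EXPORT_INT.`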