Merge pull request #2411 from ejohnstown/wolfrand

wolfRand
2025-07-29 18:27:29 +02:00 · 2019-09-30 11:11:18 -06:00
parent 056c374f85 e8986f389f
commit caa5ba7551
4 changed files with 145 additions and 73 deletions
--- a/configure.ac
+++ b/configure.ac
@ -2248,72 +2248,66 @@ fi
 # FIPS
 AC_ARG_ENABLE([fips],
    [AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])],
-    [ ENABLED_FIPS=$enableval ],
-    [ ENABLED_FIPS=no ]
-    )
+    [ENABLED_FIPS=$enableval],
+    [ENABLED_FIPS="no"])

-if test "x$ENABLED_FIPS" != "xno"
-then
-    FIPS_VERSION=$ENABLED_FIPS
-    ENABLED_FIPS=yes
-    # requires thread local storage
-    if test "$thread_ls_on" = "no"
-    then
-        AC_MSG_ERROR([FIPS requires Thread Local Storage])
-    fi
-    # requires SHA512
-    if test "x$ENABLED_SHA512" = "xno"
-    then
-        ENABLED_SHA512="yes"
-        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"
-    fi
-    # requires AESGCM
-    if test "x$ENABLED_AESGCM" != "xyes"
-    then
-        ENABLED_AESGCM="yes"
-        AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"
-    fi
-    # requires DES3
-    if test "x$ENABLED_DES3" = "xno"
-    then
-        ENABLED_DES3="yes"
-    fi
-    AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
-    # Add the FIPS flag.
-    AS_IF([test "x$FIPS_VERSION" = "xv2"],
-          [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
-           ENABLED_KEYGEN="yes"
-           ENABLED_SHA224="yes"
-           AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
-                 [ENABLED_AESCCM="yes"
-                  AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
-           AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
-                 [ENABLED_RSAPSS="yes"
-                  AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
-           AS_IF([test "x$ENABLED_ECC" != "xyes"],
-                 [ENABLED_ECC="yes"
-                  AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT"
-                  AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
-                        [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
-                 [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"])
-           AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
-                 [ENABLED_AESCTR="yes"
-                  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
-           AS_IF([test "x$ENABLED_CMAC" != "xyes"],
-                 [ENABLED_CMAC="yes"
-                  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
-           AS_IF([test "x$ENABLED_HKDF" != "xyes"],
-                 [ENABLED_HKDF="yes"
-                  AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
-           AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
-                 [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
-          ])
-else
-    if test "x$ENABLED_FORTRESS" = "xyes"
-    then
-        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"
-    fi
-fi
+AS_CASE([$ENABLED_FIPS],
+    ["v2"],[FIPS_VERSION="v2"
+        ENABLED_FIPS=yes
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
+        ENABLED_KEYGEN="yes"
+        ENABLED_SHA224="yes"
+        AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
+              [ENABLED_AESCCM="yes"
+               AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
+        AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
+              [ENABLED_RSAPSS="yes"
+               AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
+        AS_IF([test "x$ENABLED_ECC" != "xyes"],
+              [ENABLED_ECC="yes"
+               AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT"
+               AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
+                     [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
+              [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"])
+        AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
+              [ENABLED_AESCTR="yes"
+               AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
+        AS_IF([test "x$ENABLED_CMAC" != "xyes"],
+              [ENABLED_CMAC="yes"
+               AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
+        AS_IF([test "x$ENABLED_HKDF" != "xyes"],
+              [ENABLED_HKDF="yes"
+               AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
+        AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
+              [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
+    ],
+    ["rand"],[
+        ENABLED_FIPS="yes"
+        FIPS_VERSION="rand"
+        AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2"
+    ],
+    ["no"],[FIPS_VERSION="none"],
+    [
+        ENABLED_FIPS="yes"
+        FIPS_VERSION="v1"
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
+    ])
+
+AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno"],
+    [AC_MSG_ERROR([FIPS requires Thread Local Storage])])
+
+AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" != "xrand"],
+[
+    # Force enable the prerequisites.
+    AS_IF([test "x$ENABLED_SHA512" = "xno"],
+        [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
+    AS_IF([test "x$ENABLED_AESGCM" = "xno"],
+        [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
+    AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])
+],
+[
+    AS_IF([test "x$ENABLED_FORTRESS" = "xyes"],[ENABLED_DES3="yes"])
+])


 # SELFTEST
@ -3620,6 +3614,8 @@ AC_ARG_ENABLE([cryptonly],
    [ENABLED_CRYPTONLY=$enableval],
    [ENABLED_CRYPTONLY=no])

+AS_IF([test "x$FIPS_VERSION" = "xrand"],[ENABLED_CRYPTONLY="yes"])
+
 if test "$ENABLED_CRYPTONLY" = "yes"
 then
    AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY"
@ -4534,6 +4530,26 @@ then
 fi


+# When building for wolfRand, strip out all options to disable everything.
+AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" = "xrand"],
+[NEW_AM_CFLAGS="-DNO_AES -DNO_DH -DNO_ASN -DNO_RSA -DNO_SHA -DNO_MD5 -DNO_BIG_INT"
+for v in $AM_CFLAGS
+do
+  case $v in
+-DHAVE_FFDHE_2048 | -DTFM_TIMING_RESISTANT | -DECC_TIMING_RESISTANT | \
+-DWC_RSA_BLINDING | -DHAVE_AESGCM | -DWOLFSSL_SHA512 | -DWOLFSSL_SHA384 | \
+-DHAVE_ECC | -DTFM_ECC256 | -DECC_SHAMIR | -DHAVE_TLS_EXTENSIONS | \
+-DHAVE_SUPPORTED_CURVES | -DHAVE_EXTENDED_MASTER | -DUSE_FAST_MATH)
+    AS_ECHO(["ignoring $v"])
+    ;;
+  *)
+    NEW_AM_CFLAGS="$NEW_AM_CFLAGS $v"
+    ;;
+  esac
+done
+AM_CFLAGS=$NEW_AM_CFLAGS])
+
+
 ################################################################################
 # Check for build-type conflicts                                               #
 ################################################################################
@ -4831,7 +4847,9 @@ AM_CONDITIONAL([BUILD_SHA],[test "x$ENABLED_SHA" = "xyes"])
 AM_CONDITIONAL([BUILD_HC128],[test "x$ENABLED_HC128" = "xyes"])
 AM_CONDITIONAL([BUILD_RABBIT],[test "x$ENABLED_RABBIT" = "xyes"])
 AM_CONDITIONAL([BUILD_FIPS],[test "x$ENABLED_FIPS" = "xyes"])
+AM_CONDITIONAL([BUILD_FIPS_V1],[test "x$FIPS_VERSION" = "xv1"])
 AM_CONDITIONAL([BUILD_FIPS_V2],[test "x$FIPS_VERSION" = "xv2"])
+AM_CONDITIONAL([BUILD_FIPS_RAND],[test "x$FIPS_VERSION" = "xrand"])
 AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes"])
 AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"])
 AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes"])
--- a/fips-check.sh
+++ b/fips-check.sh
@ -33,6 +33,7 @@ Platform is one of:
    linuxv2 (FIPSv2, use for Win10)
    fips-ready
    stm32l4-v2 (FIPSv2, use for STM32L4)
+    wolfrand
 Keep (default off) retains the XXX-fips-test temp dir for inspection.

 Example:
@ -215,6 +216,19 @@ stm32l4-v2)
  FIPS_INCS=( fips.h )
  FIPS_OPTION=v2
  ;;
+wolfrand)
+  FIPS_REPO=git@github.com:wolfssl/fips.git
+  FIPS_VERSION=WRv4-stable
+  CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
+  CRYPT_VERSION=WCv4-stable
+  CRYPT_INC_PATH=wolfssl/wolfcrypt
+  CRYPT_SRC_PATH=wolfcrypt/src
+  RNG_VERSION=WCv4-rng-stable
+  WC_MODS=( hmac sha256 random )
+  FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
+  FIPS_INCS=( fips.h )
+  FIPS_OPTION=rand
+  ;;
 *)
  Usage
  exit 1
@ -254,7 +268,7 @@ then
        cp "old-tree/$CRYPT_SRC_PATH/random.c" $CRYPT_SRC_PATH
        cp "old-tree/$CRYPT_INC_PATH/random.h" $CRYPT_INC_PATH
    fi
-elif [ "x$FIPS_OPTION" == "xv2" ]
+elif [ "x$FIPS_OPTION" == "xv2" ] || [ "x$FIPS_OPTION" == "xrand" ]
 then
    $GIT branch --no-track "my$CRYPT_VERSION" $CRYPT_VERSION
    # Checkout the fips versions of the wolfCrypt files from the repo.
--- a/src/include.am
+++ b/src/include.am
@ -24,7 +24,8 @@ include_HEADERS+=$(IPPHEADERS)
 endif # BUILD_FAST_RSA

 if BUILD_FIPS
-if !BUILD_FIPS_V2
+
+if BUILD_FIPS_V1
 # fips first  file
 src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_first.c

@ -58,9 +59,9 @@ src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c

 # fips last file
 src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c
+endif

-else
-
+if BUILD_FIPS_V2
 # FIPSv2 first file
 src_libwolfssl_la_SOURCES += \
 			   wolfcrypt/src/wolfcrypt_first.c
@ -125,9 +126,26 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \
 # fips last file
 src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
 endif
-endif
+
+if BUILD_FIPS_RAND
+src_libwolfssl_la_SOURCES += \
+               wolfcrypt/src/wolfcrypt_first.c \
+               wolfcrypt/src/hmac.c \
+               wolfcrypt/src/random.c \
+               wolfcrypt/src/sha256.c \
+               wolfcrypt/src/sha256_asm.S \
+               wolfcrypt/src/fips.c \
+               wolfcrypt/src/fips_test.c \
+               wolfcrypt/src/wolfcrypt_last.c
+endif BUILD_FIPS_RAND
+
+endif BUILD_FIPS
+
+# For wolfRand, exclude everything else.
+if !BUILD_FIPS_RAND

 # For FIPSV2, exclude the wolfCrypt files included above.
+# For wolfRand, exclude just a couple files.
 # For old FIPS, keep the wolfCrypt versions of the
 # CtaoCrypt files included above.
 if !BUILD_FIPS_V2
@ -139,10 +157,14 @@ if BUILD_SELFTEST
 src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c
 endif

+endif !BUILD_FIPS_RAND
+
 src_libwolfssl_la_SOURCES += \
               wolfcrypt/src/hash.c \
               wolfcrypt/src/cpuid.c

+if !BUILD_FIPS_RAND
+
 if !BUILD_FIPS_V2
 if BUILD_RNG
 src_libwolfssl_la_SOURCES += wolfcrypt/src/random.c
@ -261,18 +283,26 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
 endif
 endif

+
+endif !BUILD_FIPS_RAND
+
 src_libwolfssl_la_SOURCES += \
               wolfcrypt/src/logging.c \
-               wolfcrypt/src/wc_encrypt.c \
               wolfcrypt/src/wc_port.c \
-               wolfcrypt/src/error.c \
+               wolfcrypt/src/error.c
+
+if !BUILD_FIPS_RAND
+src_libwolfssl_la_SOURCES += \
+               wolfcrypt/src/wc_encrypt.c \
               wolfcrypt/src/signature.c \
               wolfcrypt/src/wolfmath.c
+endif !BUILD_FIPS_RAND

 if BUILD_MEMORY
 src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c
 endif

+if !BUILD_FIPS_RAND
 if !BUILD_FIPS_V2
 if BUILD_DH
 src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
@ -283,10 +313,14 @@ if BUILD_ASN
 src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c
 endif

+endif !BUILD_FIPS_RAND
+
 if BUILD_CODING
 src_libwolfssl_la_SOURCES += wolfcrypt/src/coding.c
 endif

+if !BUILD_FIPS_RAND
+
 if BUILD_POLY1305
 if BUILD_ARMASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-poly1305.c
@ -473,4 +507,6 @@ if BUILD_SNIFFER
 src_libwolfssl_la_SOURCES += src/sniffer.c
 endif

-endif # !BUILD_CRYPTONLY
+endif !BUILD_CRYPTONLY
+
+endif !BUILD_FIPS_RAND
--- a/wolfssl/wolfcrypt/include.am
+++ b/wolfssl/wolfcrypt/include.am
@ -123,3 +123,7 @@ endif
 if BUILD_FIPS_V2
 nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h
 endif
+
+if BUILD_FIPS_RAND
+nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h
+endif