From 14316f8e24e6aa66539572fe45be2c722add4b96 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 19 Jun 2019 16:32:23 -0700 Subject: [PATCH 1/7] wolfRand Refactor the configure.ac script to make adding additional FIPS options easier. --- configure.ac | 63 ++++++++++++++++++++++++++-------------------------- 1 file changed, 32 insertions(+), 31 deletions(-) diff --git a/configure.ac b/configure.ac index cf03e7f52..896932f81 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2249,7 +2249,38 @@ AC_ARG_ENABLE([fips], if test "x$ENABLED_FIPS" != "xno" then - FIPS_VERSION=$ENABLED_FIPS + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS" + AS_CASE([$ENABLED_FIPS], + ["v2"],[FIPS_VERSION="v2" + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" + ENABLED_KEYGEN="yes" + ENABLED_SHA224="yes" + AS_IF([test "x$ENABLED_AESCCM" != "xyes"], + [ENABLED_AESCCM="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"]) + AS_IF([test "x$ENABLED_RSAPSS" != "xyes"], + [ENABLED_RSAPSS="yes" + AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"]) + AS_IF([test "x$ENABLED_ECC" != "xyes"], + [ENABLED_ECC="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT" + AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])], + [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"]) + AS_IF([test "x$ENABLED_AESCTR" != "xyes"], + [ENABLED_AESCTR="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) + AS_IF([test "x$ENABLED_CMAC" != "xyes"], + [ENABLED_CMAC="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) + AS_IF([test "x$ENABLED_HKDF" != "xyes"], + [ENABLED_HKDF="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"]) + AS_IF([test "x$ENABLED_INTELASM" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) + ], + ["rand"],[FIPS_VERSION="rand"], + [FIPS_VERSION="v1"]) ENABLED_FIPS=yes # requires thread local storage if test "$thread_ls_on" = "no" 
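Review bot: The catch-all arm of the new `AS_CASE` maps every value other than `v2` and `rand` to `FIPS_VERSION="v1"`, so a mistyped `--enable-fips=` argument (a different capitalisation of `v2`, say) configures the v1 module without any diagnostic. Since the validation status of the result depends on the exact module flavour, it would be safer to match the accepted spellings explicitly, `[yes|v1],[FIPS_VERSION="v1"]`, and make the default arm `[AC_MSG_ERROR([Invalid value for --enable-fips: $ENABLED_FIPS])]`. The same default arm is carried through the rewrites of this block in patches 3/7 and 4/7. The enclosing `if test "x$ENABLED_FIPS" != "xno"` continues outside the hunk.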
@@ -2273,36 +2304,6 @@ then then ENABLED_DES3="yes" fi - AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS" - # Add the FIPS flag. - AS_IF([test "x$FIPS_VERSION" = "xv2"], - [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" - ENABLED_KEYGEN="yes" - ENABLED_SHA224="yes" - AS_IF([test "x$ENABLED_AESCCM" != "xyes"], - [ENABLED_AESCCM="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"]) - AS_IF([test "x$ENABLED_RSAPSS" != "xyes"], - [ENABLED_RSAPSS="yes" - AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"]) - AS_IF([test "x$ENABLED_ECC" != "xyes"], - [ENABLED_ECC="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT" - AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])], - [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"]) - AS_IF([test "x$ENABLED_AESCTR" != "xyes"], - [ENABLED_AESCTR="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) - AS_IF([test "x$ENABLED_CMAC" != "xyes"], - [ENABLED_CMAC="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) - AS_IF([test "x$ENABLED_HKDF" != "xyes"], - [ENABLED_HKDF="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"]) - AS_IF([test "x$ENABLED_INTELASM" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) - ]) else if test "x$ENABLED_FORTRESS" = "xyes" then From 0931b574a70c03e965dd0973a743c69d5841c39c Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 19 Jun 2019 16:51:51 -0700 Subject: [PATCH 2/7] wolfRand 1. Refactored src/include.am to use the new changes in configure for multiple FIPS versions. 2. Added conditions for wolfRand. --- src/include.am | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/src/include.am b/src/include.am index de5ce74e5..4a25ede47 100644 --- a/src/include.am +++ b/src/include.am 
@@ -24,7 +24,8 @@ include_HEADERS+=$(IPPHEADERS) endif # BUILD_FAST_RSA if BUILD_FIPS -if !BUILD_FIPS_V2 + +if BUILD_FIPS_V1 # fips first file src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_first.c @@ -58,9 +59,9 @@ src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c # fips last file src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c +endif -else - +if BUILD_FIPS_V2 # FIPSv2 first file src_libwolfssl_la_SOURCES += \ wolfcrypt/src/wolfcrypt_first.c @@ -116,14 +117,29 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \ # fips last file src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c endif + +if BUILD_FIPS_RAND +src_libwolfssl_la_SOURCES += \ + wolfcrypt/src/wolfcrypt_first.c \ + wolfcrypt/src/hmac.c \ + wolfcrypt/src/random.c \ + wolfcrypt/src/sha256.c \ + wolfcrypt/src/fips.c \ + wolfcrypt/src/fips_test.c \ + wolfcrypt/src/wolfcrypt_last.c +endif + endif # For FIPSV2, exclude the wolfCrypt files included above. +# For wolfRand, exclude just a couple files. # For old FIPS, keep the wolfCrypt versions of the # CtaoCrypt files included above. if !BUILD_FIPS_V2 +if !BUILD_FIPS_RAND src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c endif +endif # CAVP self test if BUILD_SELFTEST @@ -135,12 +151,15 @@ src_libwolfssl_la_SOURCES += \ wolfcrypt/src/cpuid.c if !BUILD_FIPS_V2 +if !BUILD_FIPS_RAND if BUILD_RNG src_libwolfssl_la_SOURCES += wolfcrypt/src/random.c endif endif +endif if !BUILD_FIPS_V2 +if !BUILD_FIPS_RAND if BUILD_ARMASM src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c else @@ -150,6 +169,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S endif endif endif +endif if BUILD_AFALG src_libwolfssl_la_SOURCES += wolfcrypt/src/port/af_alg/afalg_hash.c From a229e1e8e48dd6158da1d0825252800de8043585 Mon Sep 17 00:00:00 2001 
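Review bot: `if BUILD_FIPS_V1` and `if BUILD_FIPS_RAND` are used in src/include.am before any patch in this series defines them; the matching `AM_CONDITIONAL([BUILD_FIPS_V1],...)` and `AM_CONDITIONAL([BUILD_FIPS_RAND],...)` lines are only added to configure.ac in patch 3/7. Unless they already exist outside the visible hunks, automake will reject the tree at this commit, which breaks bisecting. Moving the two `AM_CONDITIONAL` lines into this patch (or into 1/7) would keep every step of the series buildable. The later hunks of this file section that test `!BUILD_FIPS_RAND` depend on the same definitions.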
From: John Safranek Date: Fri, 21 Jun 2019 15:30:22 -0700 Subject: [PATCH 3/7] wolfRand 1. Rearrange some of the macros in the FIPS section to separate out the different flavors of FIPS with their own flags to set them apart. 2. Add automake flags for FIPSv1 and wolfRand. --- configure.ac | 125 ++++++++++++++++++++++++--------------------------- 1 file changed, 59 insertions(+), 66 deletions(-) diff --git a/configure.ac b/configure.ac index 896932f81..f19331b6b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2243,73 +2243,64 @@ fi # FIPS AC_ARG_ENABLE([fips], [AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])], - [ ENABLED_FIPS=$enableval ], - [ ENABLED_FIPS=no ] - ) + [ENABLED_FIPS=$enableval], + [ENABLED_FIPS="no"]) -if test "x$ENABLED_FIPS" != "xno" -then - AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS" - AS_CASE([$ENABLED_FIPS], - ["v2"],[FIPS_VERSION="v2" - AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" - ENABLED_KEYGEN="yes" - ENABLED_SHA224="yes" - AS_IF([test "x$ENABLED_AESCCM" != "xyes"], - [ENABLED_AESCCM="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"]) - AS_IF([test "x$ENABLED_RSAPSS" != "xyes"], - [ENABLED_RSAPSS="yes" - AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"]) - AS_IF([test "x$ENABLED_ECC" != "xyes"], - [ENABLED_ECC="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT" - AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])], - [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"]) - AS_IF([test "x$ENABLED_AESCTR" != "xyes"], - [ENABLED_AESCTR="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) - AS_IF([test "x$ENABLED_CMAC" != "xyes"], - [ENABLED_CMAC="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) - AS_IF([test "x$ENABLED_HKDF" != "xyes"], - [ENABLED_HKDF="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"]) - AS_IF([test "x$ENABLED_INTELASM" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) - ], - ["rand"],[FIPS_VERSION="rand"], - [FIPS_VERSION="v1"]) - ENABLED_FIPS=yes - # requires thread local storage - if test "$thread_ls_on" = "no" - then - AC_MSG_ERROR([FIPS requires Thread Local Storage]) - fi - # requires SHA512 - if test "x$ENABLED_SHA512" = "xno" - then - ENABLED_SHA512="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384" - fi - # requires AESGCM - if test "x$ENABLED_AESGCM" 
!= "xyes" - then - ENABLED_AESGCM="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM" - fi - # requires DES3 - if test "x$ENABLED_DES3" = "xno" - then - ENABLED_DES3="yes" - fi -else - if test "x$ENABLED_FORTRESS" = "xyes" - then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB" - fi -fi +AS_CASE([$ENABLED_FIPS], + ["v2"],[FIPS_VERSION="v2" + ENABLED_FIPS=yes + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" + ENABLED_KEYGEN="yes" + ENABLED_SHA224="yes" + AS_IF([test "x$ENABLED_AESCCM" != "xyes"], + [ENABLED_AESCCM="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"]) + AS_IF([test "x$ENABLED_RSAPSS" != "xyes"], + [ENABLED_RSAPSS="yes" + AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"]) + AS_IF([test "x$ENABLED_ECC" != "xyes"], + [ENABLED_ECC="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT" + AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])], + [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"]) + AS_IF([test "x$ENABLED_AESCTR" != "xyes"], + [ENABLED_AESCTR="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) + AS_IF([test "x$ENABLED_CMAC" != "xyes"], + [ENABLED_CMAC="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) + AS_IF([test "x$ENABLED_HKDF" != "xyes"], + [ENABLED_HKDF="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"]) + AS_IF([test "x$ENABLED_INTELASM" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) + ], + ["rand"],[ + ENABLED_FIPS="yes" + FIPS_VERSION="rand" + AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND" + ], + ["no"],[FIPS_VERSION="none"], + [ + ENABLED_FIPS="yes" + FIPS_VERSION="v1" + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS" + ]) + +AS_IF([test "x$ENABLED_FIPS" = "xyes"], +[ + # Check prerequisites, force them on or error out. 
+ AS_IF([test "x$thread_ls_on" = "xno"],[AC_MSG_ERROR([FIPS requires Thread Local Storage])]) + AS_IF([test "x$ENABLED_SHA512" = "xno"], + [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"]) + AS_IF([test "x$ENABLED_AESGCM" != "xyes"], + [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) + AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"]) +], +[ + AS_IF([test "x$ENABLED_FORTRESS" = "xyes"],[ENABLED_DES3="yes"]) +]) # SELFTEST @@ -4697,7 +4688,9 @@ AM_CONDITIONAL([BUILD_SHA],[test "x$ENABLED_SHA" = "xyes"]) AM_CONDITIONAL([BUILD_HC128],[test "x$ENABLED_HC128" = "xyes"]) AM_CONDITIONAL([BUILD_RABBIT],[test "x$ENABLED_RABBIT" = "xyes"]) AM_CONDITIONAL([BUILD_FIPS],[test "x$ENABLED_FIPS" = "xyes"]) +AM_CONDITIONAL([BUILD_FIPS_V1],[test "x$FIPS_VERSION" = "xv1"]) AM_CONDITIONAL([BUILD_FIPS_V2],[test "x$FIPS_VERSION" = "xv2"]) +AM_CONDITIONAL([BUILD_FIPS_RAND],[test "x$FIPS_VERSION" = "xrand"]) AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes"]) AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"]) AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes"]) From 63fe2a219ee79baf845732ec95356f5d1dbbea83 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 24 Jun 2019 15:40:05 -0700 Subject: [PATCH 4/7] wolfRand In configure.ac, 1. Change some whitespace in the FIPS enable section. 2. Reorganize the FIPS section a little bit. 3. When enabling wolfRand, also force cryptonly. 4. Treat wolfRand like FIPSv2 at build time. In the source include.am, 5. Add checks against BUILD_FIPS_RAND as appropriate. 6. Add the SHA-256 assembly to the wolfRand source list. --- configure.ac | 92 ++++++++++++++++++++++++++------------------------ src/include.am | 35 +++++++++++++------ 2 files changed, 73 insertions(+), 54 deletions(-) diff --git a/configure.ac b/configure.ac index f19331b6b..977f4527c 100644 --- a/configure.ac +++ b/configure.ac 
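Review bot: The non-FIPS arm of the new `AS_IF` no longer does what the removed `else` branch did: the old code appended `-DWOLFSSL_DES_ECB` to `AM_CFLAGS` when `ENABLED_FORTRESS` was `yes`, whereas the new arm sets `ENABLED_DES3="yes"` and adds no flag. The commit message describes only a rearrangement, so this looks unintended; if so the arm should read `AS_IF([test "x$ENABLED_FORTRESS" = "xyes"],[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"])`. If the change is deliberate, it deserves its own line in the commit message so that fortress builds are not altered silently.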
@@ -2247,54 +2247,56 @@ AC_ARG_ENABLE([fips], [ENABLED_FIPS="no"]) AS_CASE([$ENABLED_FIPS], - ["v2"],[FIPS_VERSION="v2" - ENABLED_FIPS=yes - AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" - ENABLED_KEYGEN="yes" - ENABLED_SHA224="yes" - AS_IF([test "x$ENABLED_AESCCM" != "xyes"], - [ENABLED_AESCCM="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"]) - AS_IF([test "x$ENABLED_RSAPSS" != "xyes"], - [ENABLED_RSAPSS="yes" - AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"]) - AS_IF([test "x$ENABLED_ECC" != "xyes"], - [ENABLED_ECC="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT" - AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])], - [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"]) - AS_IF([test "x$ENABLED_AESCTR" != "xyes"], - [ENABLED_AESCTR="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) - AS_IF([test "x$ENABLED_CMAC" != "xyes"], - [ENABLED_CMAC="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) - AS_IF([test "x$ENABLED_HKDF" != "xyes"], - [ENABLED_HKDF="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"]) - AS_IF([test "x$ENABLED_INTELASM" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) - ], - ["rand"],[ - ENABLED_FIPS="yes" - FIPS_VERSION="rand" - AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND" - ], - ["no"],[FIPS_VERSION="none"], - [ - ENABLED_FIPS="yes" - FIPS_VERSION="v1" - AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS" - ]) + ["v2"],[FIPS_VERSION="v2" + ENABLED_FIPS=yes + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" + ENABLED_KEYGEN="yes" + ENABLED_SHA224="yes" + AS_IF([test "x$ENABLED_AESCCM" != "xyes"], + [ENABLED_AESCCM="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"]) + AS_IF([test 
"x$ENABLED_RSAPSS" != "xyes"], + [ENABLED_RSAPSS="yes" + AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"]) + AS_IF([test "x$ENABLED_ECC" != "xyes"], + [ENABLED_ECC="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT" + AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])], + [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"]) + AS_IF([test "x$ENABLED_AESCTR" != "xyes"], + [ENABLED_AESCTR="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) + AS_IF([test "x$ENABLED_CMAC" != "xyes"], + [ENABLED_CMAC="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) + AS_IF([test "x$ENABLED_HKDF" != "xyes"], + [ENABLED_HKDF="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"]) + AS_IF([test "x$ENABLED_INTELASM" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) + ], + ["rand"],[ + ENABLED_FIPS="yes" + FIPS_VERSION="rand" + AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2" + ], + ["no"],[FIPS_VERSION="none"], + [ + ENABLED_FIPS="yes" + FIPS_VERSION="v1" + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS" + ]) -AS_IF([test "x$ENABLED_FIPS" = "xyes"], +AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno"], + [AC_MSG_ERROR([FIPS requires Thread Local Storage])]) + +AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" != "xrand"], [ - # Check prerequisites, force them on or error out. - AS_IF([test "x$thread_ls_on" = "xno"],[AC_MSG_ERROR([FIPS requires Thread Local Storage])]) + # Force enable the prerequisites. AS_IF([test "x$ENABLED_SHA512" = "xno"], [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"]) - AS_IF([test "x$ENABLED_AESGCM" != "xyes"], + AS_IF([test "x$ENABLED_AESGCM" = "xno"], [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"]) ], 
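Review bot: The `rand` arm now defines `-DHAVE_FIPS -DHAVE_FIPS_VERSION=2` while `FIPS_VERSION` stays `rand`, so the C sources see a v2 module but the `BUILD_FIPS_V2` automake conditional stays false; nothing in the file says this split is intentional. A comment above the arm would help, e.g. `# wolfRand compiles against the FIPSv2 code paths (HAVE_FIPS_VERSION=2) but keeps FIPS_VERSION="rand" so automake selects the reduced source list.` The hunk also changes the AESGCM prerequisite test from `!= "xyes"` to `= "xno"`, which the commit message does not mention.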
@@ -3494,6 +3496,8 @@ AC_ARG_ENABLE([cryptonly], [ENABLED_CRYPTONLY=$enableval], [ENABLED_CRYPTONLY=no]) +AS_IF([test "x$FIPS_VERSION" = "xrand"],[ENABLED_CRYPTONLY="yes"]) + if test "$ENABLED_CRYPTONLY" = "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_ONLY" diff --git a/src/include.am b/src/include.am index 4a25ede47..735495ba0 100644 --- a/src/include.am +++ b/src/include.am @@ -124,42 +124,45 @@ src_libwolfssl_la_SOURCES += \ wolfcrypt/src/hmac.c \ wolfcrypt/src/random.c \ wolfcrypt/src/sha256.c \ + wolfcrypt/src/sha256_asm.S \ wolfcrypt/src/fips.c \ wolfcrypt/src/fips_test.c \ wolfcrypt/src/wolfcrypt_last.c -endif +endif BUILD_FIPS_RAND -endif +endif BUILD_FIPS + +# For wolfRand, exclude everything else. +if !BUILD_FIPS_RAND # For FIPSV2, exclude the wolfCrypt files included above. # For wolfRand, exclude just a couple files. # For old FIPS, keep the wolfCrypt versions of the # CtaoCrypt files included above. if !BUILD_FIPS_V2 -if !BUILD_FIPS_RAND src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c endif -endif # CAVP self test if BUILD_SELFTEST src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c endif +endif !BUILD_FIPS_RAND + src_libwolfssl_la_SOURCES += \ wolfcrypt/src/hash.c \ wolfcrypt/src/cpuid.c -if !BUILD_FIPS_V2 if !BUILD_FIPS_RAND + +if !BUILD_FIPS_V2 if BUILD_RNG src_libwolfssl_la_SOURCES += wolfcrypt/src/random.c endif endif -endif if !BUILD_FIPS_V2 -if !BUILD_FIPS_RAND if BUILD_ARMASM src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c else @@ -169,7 +172,6 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S endif endif endif -endif if BUILD_AFALG src_libwolfssl_la_SOURCES += wolfcrypt/src/port/af_alg/afalg_hash.c 
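Review bot: In the src/include.am hunk at `@@ -124,42 +124,45 @@`, `wolfcrypt/src/sha256_asm.S` is added to the wolfRand source list without any condition, while the general list further down only adds the same file inside the `else` arm of `if BUILD_ARMASM` (any further guard is cut off by the hunk boundary). Unless the file is fully guarded by preprocessor conditions, a wolfRand build for a target without that assembly support would still try to assemble it; wrapping the entry in the same conditional as the general list would avoid that. Separately, the retained comment `# For wolfRand, exclude just a couple files.` now contradicts the added `# For wolfRand, exclude everything else.` directly above it and should be dropped.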
@@ -272,18 +274,25 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c endif endif +endif !BUILD_FIPS_RAND + src_libwolfssl_la_SOURCES += \ wolfcrypt/src/logging.c \ wolfcrypt/src/wc_encrypt.c \ wolfcrypt/src/wc_port.c \ - wolfcrypt/src/error.c \ + wolfcrypt/src/error.c + +if !BUILD_FIPS_RAND +src_libwolfssl_la_SOURCES += \ wolfcrypt/src/signature.c \ wolfcrypt/src/wolfmath.c +endif !BUILD_FIPS_RAND if BUILD_MEMORY src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c endif +if !BUILD_FIPS_RAND if !BUILD_FIPS_V2 if BUILD_DH src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c @@ -294,10 +303,14 @@ if BUILD_ASN src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c endif +endif !BUILD_FIPS_RAND + if BUILD_CODING src_libwolfssl_la_SOURCES += wolfcrypt/src/coding.c endif +if !BUILD_FIPS_RAND + if BUILD_POLY1305 if BUILD_ARMASM src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-poly1305.c @@ -484,4 +497,6 @@ if BUILD_SNIFFER src_libwolfssl_la_SOURCES += src/sniffer.c endif -endif # !BUILD_CRYPTONLY +endif !BUILD_CRYPTONLY + +endif !BUILD_FIPS_RAND From 9d53e9b6d582e3f34aff1310963fc795fa7ab535 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 24 Jun 2019 16:46:22 -0700 Subject: [PATCH 5/7] wolfRand 1. Add fips.h to the install if doing a wolfRand build. --- wolfssl/wolfcrypt/include.am | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index 98a1487d6..60c5a6b48 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -122,3 +122,7 @@ endif if BUILD_FIPS_V2 nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h endif + +if BUILD_FIPS_RAND +nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h +endif From e7f0ed4b98a6424c4fec1ebe19255f192414feb0 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 26 Jun 2019 10:45:12 -0700 Subject: [PATCH 6/7] wolfRand 1. Excluded wc_encrypt.c from the wolfRand build. --- src/include.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/src/include.am b/src/include.am index 735495ba0..19bcb20f8 100644 --- a/src/include.am +++ b/src/include.am @@ -274,16 +274,17 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c endif endif + endif !BUILD_FIPS_RAND src_libwolfssl_la_SOURCES += \ wolfcrypt/src/logging.c \ - wolfcrypt/src/wc_encrypt.c \ wolfcrypt/src/wc_port.c \ wolfcrypt/src/error.c if !BUILD_FIPS_RAND src_libwolfssl_la_SOURCES += \ + wolfcrypt/src/wc_encrypt.c \ wolfcrypt/src/signature.c \ wolfcrypt/src/wolfmath.c endif !BUILD_FIPS_RAND From e8986f389f41445b724e68fddedcced5fb27b3aa Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 16 Aug 2019 09:33:41 -0700 Subject: [PATCH 7/7] wolfRand 1. Updated fips-check.sh to make an archive for wolfRand. 2. Updated configure.ac to provide a wolfRand build. --- configure.ac | 20 ++++++++++++++++++++ fips-check.sh | 16 +++++++++++++++- 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 977f4527c..4ea1bd842 100644 --- a/configure.ac +++ b/configure.ac @@ -4395,6 +4395,26 @@ then fi +# When building for wolfRand, strip out all options to disable everything. +AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" = "xrand"], +[NEW_AM_CFLAGS="-DNO_AES -DNO_DH -DNO_ASN -DNO_RSA -DNO_SHA -DNO_MD5 -DNO_BIG_INT" +for v in $AM_CFLAGS +do + case $v in +-DHAVE_FFDHE_2048 | -DTFM_TIMING_RESISTANT | -DECC_TIMING_RESISTANT | \ +-DWC_RSA_BLINDING | -DHAVE_AESGCM | -DWOLFSSL_SHA512 | -DWOLFSSL_SHA384 | \ +-DHAVE_ECC | -DTFM_ECC256 | -DECC_SHAMIR | -DHAVE_TLS_EXTENSIONS | \ +-DHAVE_SUPPORTED_CURVES | -DHAVE_EXTENDED_MASTER | -DUSE_FAST_MATH) + AS_ECHO(["ignoring $v"]) + ;; + *) + NEW_AM_CFLAGS="$NEW_AM_CFLAGS $v" + ;; + esac +done +AM_CFLAGS=$NEW_AM_CFLAGS]) + + ################################################################################ # Check for build-type conflicts # ################################################################################ 
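Review bot: The wolfRand filter added to configure.ac is a deny-list, so any `-D` option that is not named in the `case` still reaches the wolfRand compile, and a feature that later becomes enabled by default elsewhere in configure.ac would pass through unnoticed. It also removes `-DTFM_TIMING_RESISTANT`, `-DECC_TIMING_RESISTANT` and `-DWC_RSA_BLINDING`; that is presumably harmless because the same block defines `-DNO_RSA` and `-DNO_BIG_INT` and drops `-DHAVE_ECC`, but anyone auditing the build will stop at it. I would add a comment above the loop such as `# The hardening flags dropped here only affect RSA/ECC/bignum code, none of which is compiled into wolfRand; revisit this list when a new default flag is added.` Note too that `for v in $AM_CFLAGS` splits on whitespace, so a flag whose value contains a space would be broken apart here.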
diff --git a/fips-check.sh b/fips-check.sh index e03bda0fc..0046159ff 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -33,6 +33,7 @@ Platform is one of: linuxv2 (FIPSv2, use for Win10) fips-ready stm32l4-v2 (FIPSv2, use for STM32L4) + wolfrand Keep (default off) retains the XXX-fips-test temp dir for inspection. Example: @@ -215,6 +216,19 @@ stm32l4-v2) FIPS_INCS=( fips.h ) FIPS_OPTION=v2 ;; +wolfrand) + FIPS_REPO=git@github.com:wolfssl/fips.git + FIPS_VERSION=WRv4-stable + CRYPT_REPO=git@github.com:wolfssl/wolfssl.git + CRYPT_VERSION=WCv4-stable + CRYPT_INC_PATH=wolfssl/wolfcrypt + CRYPT_SRC_PATH=wolfcrypt/src + RNG_VERSION=WCv4-rng-stable + WC_MODS=( hmac sha256 random ) + FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) + FIPS_INCS=( fips.h ) + FIPS_OPTION=rand + ;; *) Usage exit 1 @@ -254,7 +268,7 @@ then cp "old-tree/$CRYPT_SRC_PATH/random.c" $CRYPT_SRC_PATH cp "old-tree/$CRYPT_INC_PATH/random.h" $CRYPT_INC_PATH fi -elif [ "x$FIPS_OPTION" == "xv2" ] +elif [ "x$FIPS_OPTION" == "xv2" ] || [ "x$FIPS_OPTION" == "xrand" ] then $GIT branch --no-track "my$CRYPT_VERSION" $CRYPT_VERSION # Checkout the fips versions of the wolfCrypt files from the repo.
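Review bot: The new `wolfrand)` entry selects its sources by names that read like moving refs (`WRv4-stable`, `WCv4-stable`, `WCv4-rng-stable`), so if these are branches rather than immutable tags, the archive this script produces is not tied to a fixed set of commits and two runs can package different code. For an archive that is meant to represent a specific module, I would at least record what was resolved, e.g. `$GIT rev-parse "my$CRYPT_VERSION"` right after the `$GIT branch --no-track` call in the last hunk, or pin the entry to tags. The usage text also lists `wolfrand` without the short description the neighbouring platforms have.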