FIPS Revalidation/Test Fixes

1. For FIPSv2 builds, changed the FP_MAX_BITS to 6144. 2. Fixed bug in HMAC-SHA-3 where the digest size was being used instead of the block size for processing the key.
2025-07-29 18:27:29 +02:00 · 2018-03-26 17:30:07 -07:00
parent ab9f1875b8
commit dca2424aae
2 changed files with 9 additions and 9 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1982,7 +1982,7 @@ then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
    # Add the FIPS flag.
    AS_IF([test "x$FIPS_VERSION" = "xv2"],
-          [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING"
+          [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DFP_MAX_BITS=6144"
           ENABLED_KEYGEN="yes"
           ENABLED_SHA224="yes"
           AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@ -479,7 +479,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
    #ifdef WOLFSSL_SHA3
        case WC_SHA3_224:
            hmac_block_size = WC_SHA3_224_BLOCK_SIZE;
-            if (length <= SHA3_224_DIGEST_SIZE) {
+            if (length <= WC_SHA3_224_BLOCK_SIZE) {
                if (key != NULL) {
                    XMEMCPY(ip, key, length);
                }
@ -492,12 +492,12 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
                if (ret != 0)
                    break;

-                length = SHA3_224_DIGEST_SIZE;
+                length = WC_SHA3_224_DIGEST_SIZE;
            }
            break;
        case WC_SHA3_256:
            hmac_block_size = WC_SHA3_256_BLOCK_SIZE;
-            if (length <= SHA3_256_DIGEST_SIZE) {
+            if (length <= WC_SHA3_256_BLOCK_SIZE) {
                if (key != NULL) {
                    XMEMCPY(ip, key, length);
                }
@ -510,12 +510,12 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
                if (ret != 0)
                    break;

-                length = SHA3_256_DIGEST_SIZE;
+                length = WC_SHA3_256_DIGEST_SIZE;
            }
            break;
        case WC_SHA3_384:
            hmac_block_size = WC_SHA3_384_BLOCK_SIZE;
-            if (length <= SHA3_384_DIGEST_SIZE) {
+            if (length <= WC_SHA3_384_BLOCK_SIZE) {
                if (key != NULL) {
                    XMEMCPY(ip, key, length);
                }
@ -528,12 +528,12 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
                if (ret != 0)
                    break;

-                length = SHA3_384_DIGEST_SIZE;
+                length = WC_SHA3_384_DIGEST_SIZE;
            }
            break;
        case WC_SHA3_512:
            hmac_block_size = WC_SHA3_512_BLOCK_SIZE;
-            if (length <= SHA3_512_DIGEST_SIZE) {
+            if (length <= WC_SHA3_512_BLOCK_SIZE) {
                if (key != NULL) {
                    XMEMCPY(ip, key, length);
                }
@ -546,7 +546,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
                if (ret != 0)
                    break;

-                length = SHA3_512_DIGEST_SIZE;
+                length = WC_SHA3_512_DIGEST_SIZE;
            }
            break;
    #endif /* WOLFSSL_SHA3 */