diff --git a/IDE/Android/app/src/main/cpp/CMakeLists.txt b/IDE/Android/app/src/main/cpp/CMakeLists.txt index f43d8c2..cf02793 100644 --- a/IDE/Android/app/src/main/cpp/CMakeLists.txt +++ b/IDE/Android/app/src/main/cpp/CMakeLists.txt @@ -87,14 +87,14 @@ if ("${WOLFSSL_PKG_TYPE}" MATCHES "normal") elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready") # The wolfCrypt FIPS In Core Integrity checksum will vary with compiler # versions, runtime library versions, target hardware, and build type. - # Anytime the module is shifted up or down in memory or loaded from a - # new memory location the hash will change. This is expected during - # normal development cycles but should be stable in a production - # deployment. The verifyCore[] hash can be manually updated in + # Anytime the module is shifted up or down in memory or loaded from a new + # memory location the hash will change. This is expected during normal + # development cycles but should be stable in a production deployment. + # The verifyCore[] hash can be manually updated in # 'wolfcrypt/src/fips_test.c' and the app recompiled. Or, the define # WOLFCRYPT_FIPS_CORE_HASH_VALUE can be set below, which is helpful - # for Android Studio, which builds for all these architectures in the - # same build. + # for Android Studio, which builds for all these architectures in the same + # build. # # The hash values below are only for reference and will need to # be updated to match your build. To update this value: @@ -102,17 +102,17 @@ elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready") # 1. Build and install your app which contains wolfCrypt FIPS # 2. Run your app on each architecture, looking at the logcat output # to see the expected verifyCore[] hash value. - # 3. Copy the expected hash value from logcat to the proper - # architecture section below. + # 3. Copy the expected hash value from logcat to the proper architecture + # section below. # 4. Re-build your application now that the expected hash value has # been set. # 5. Re-install and re-run your application on each architecture to # confirm the hash is stable and application runs as expected. # # NOTE: If using wolfSSL FIPS Ready or FIPS proper with this sample - # application and run into the scenario where the verifyCore[] hash - # output at runtime is empty, consider checking/increasing the size of - # the MAX_FIPS_DATA_SZ define in 'wolfcrypt/src/fips_test.c'. + # application and run into the scenario where the verifyCore[] hash output + # at runtime is empty, consider checking/increasing the size of the + # MAX_FIPS_DATA_SZ define in 'wolfcrypt/src/fips_test.c'. if("${ANDROID_ABI}" MATCHES "arm64-v8a") # https://developer.android.com/ndk/guides/abis#arm64-v8a @@ -129,44 +129,64 @@ elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready") endif() # Add preprocessor defines to CFLAGS, these match those placed into - # wolfssl/options.h by configure if using: "./configure" on a Unix/Linux - # platform. The options below have been chosen to match a FIPS Ready - # build, and are based on the example user_settings.h file located here: - # https://github.com/wolfSSL/wolfssl/blob/master/examples/configs/user_settings_fipsv5.h + # wolfssl/options.h by configure if using the following configure on a Unix/Linux + # platform with a wolfSSL FIPS Ready GPLv3 bundle: + # + # ./configure --enable-fips=ready --enable-jni + # # This list may be configurable depending on use case and desired - # optimizations, being careful not to break FIPS compatibility if - # targeting FIPS proper in the future. - add_definitions(-DHAVE_FIPS -DHAVE_FIPS_VERSION=5 -DHAVE_FIPS_VERSION_MINOR=3 - -DHAVE_HASHDRBG -DHAVE_THREAD_LS -DHAVE_REPRODUCIBLE_BUILD - -DFP_MAX_BITS=16384 -DSP_INT_BITS=8192 -DWOLFSSL_PUBLIC_MP - -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT -DWC_RSA_BLINDING - -DWC_RNG_SEED_CB -DWOLFSSL_VALIDATE_ECC_IMPORT - -DWOLFSSL_VALIDATE_ECC_KEYGEN -DWOLFSSL_VALIDATE_FFC_IMPORT - -DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_ENCRYPT_THEN_MAC - -DHAVE_SUPPORTED_CURVES -DHAVE_EXTENDED_MASTER -DHAVE_ONE_TIME_AUTH - -DHAVE_SECURE_RENEGOTIATION -DHAVE_SERVER_RENEGOTIATION_INFO -DHAVE_SESSION_TICKET - -DWOLFSSL_USE_ALIGN -DWOLFSSL_BASE64_ENCODE -DHAVE_CRL - -DHAVE_EXT_CACHE -DWOLFSSL_VERIFY_CB_ALL_CERTS -DWOLFSSL_ALWAYS_VERIFY_CB - -DWOLFSSL_DH_EXTRA -DWOLFSSL_WOLFSSH -DOPENSSL_EXTRA -DOPENSSL_ALL - -DHAVE_FFDHE_Q -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DHAVE_FFDHE_4096 - -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DHAVE_DH_DEFAULT_PARAMS -DHAVE_PUBLIC_FFDHE - -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR -DHAVE_ECC_CDH -DECC_USER_CURVES - -DHAVE_ECC256 -DHAVE_ECC384 -DHAVE_ECC521 -DWOLFSSL_ECDSA_SET_K - -DWC_RSA_PSS -DWOLFSSL_KEY_GEN -DWC_RSA_NO_PADDING - -DWOLFSSL_AES_COUNTER -DHAVE_AESCCM -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT - -DWOLFSSL_AES_OFB -DHAVE_AESGCM -DGCM_TABLE_4BIT -DWOLFSSL_CMAC - -DWOLFSSL_SHA224 -DWOLFSSL_SHA512 -DWOLFSSL_SHA384 -DWOLFSSL_NO_SHAKE256 - -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256 -DWOLFSSL_SHA3 -DHAVE_HKDF - -DNO_OLD_TLS -DNO_PSK -DNO_DO178 - -DNO_RC4 -DNO_MD4 -DNO_MD5 -DNO_DES3 -DNO_DSA -DNO_RABBIT + # optimizations, being careful not to break FIPS compatibility if targeting + # FIPS proper in the future. Please contact support@wolfssl.com for assistance + # properly compiling for use with wolfCrypt FIPS variants. + add_definitions( + -DWOLFSSL_FIPS_READY -DHAVE_FIPS -DHAVE_FIPS_VERSION=7 + -DHAVE_FIPS_VERSION_MAJOR=7 -DHAVE_FIPS_VERSION_MINOR=0 + -DHAVE_FIPS_VERSION_PATCH=0 -DWC_RNG_SEED_CB -DHAVE_THREAD_LS + + -DWOLFSSL_WOLFSSH -DNO_DO178 -DHAVE_REPRODUCIBLE_BUILD -DWC_NO_ASYNC_THREADING + -DNO_OLD_TLS -DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SNI + -DHAVE_KEYING_MATERIAL -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES + -DHAVE_EXTENDED_MASTER -DHAVE_ENCRYPT_THEN_MAC -DWOLFSSL_JNI -DHAVE_EX_DATA + -DKEEP_PEER_CERT -DWOLFSSL_ALWAYS_VERIFY_CB -DWOLFSSL_DTLS -DOPENSSL_EXTRA + -DOPENSSL_ALL -DWOLFSSL_ERROR_CODE_OPENSSL -DHAVE_CRL -DHAVE_CRL_MONITOR + -DHAVE_OCSP -DPERSIST_SESSION_CACHE -DPERSIST_CERT_CACHE -DATOMIC_USER + -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN -DWOLFSSL_CERT_REQ -DWOLFSSL_KEY_GEN + -DHAVE_ALPN -DWOLFSSL_ALT_CERT_CHAINS -DSESSION_CERTS -DWOLFSSL_ENCRYPTED_KEYS + -DWOLFSSL_SYS_CA_CERTS -DWOLFSSL_ALT_NAMES -DWOLFSSL_EITHER_SIDE + -DWOLFSSL_TICKET_HAVE_ID -DWOLFSSL_CERT_NAME_ALL + -DHAVE_SERVER_RENEGOTIATION_INFO -DWOLFSSL_ASN_TEMPLATE -DWOLFSSL_ASN_PRINT + -DWOLFSSL_BASE64_ENCODE -DERROR_QUEUE_PER_THREAD -DNO_ERROR_QUEUE + -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT -DWOLFSSL_USE_ALIGN + -DWOLFSSL_PUBLIC_MP + + -DWC_RSA_BLINDING -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT -DWC_RSA_NO_PADDING + + -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR -DECC_MIN_KEY_SZ=192 -DHAVE_ECC_CDH + -DECC_USER_CURVES -DHAVE_ECC192 -DHAVE_ECC224 -DHAVE_ECC256 -DHAVE_ECC384 + -DHAVE_ECC521 -DWOLFSSL_ECDSA_SET_K -DWOLFSSL_VALIDATE_ECC_IMPORT + -DWOLFSSL_VALIDATE_ECC_KEYGEN + + -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DHAVE_FFDHE_2048 + -DHAVE_FFDHE_3072 -DHAVE_FFDHE_4096 -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 + -DHAVE_DH_DEFAULT_PARAMS + + -DHAVE_HKDF -DHAVE_PBKDF2 -DHAVE_HASHDRBG -DWC_SRTP_KDF -DWOLFSSL_SRTP + + -DHAVE_AESGCM -DGCM_TABLE_4BIT -DWOLFSSL_AESGCM_STREAM -DHAVE_AESCCM + -DWOLFSSL_AES_COUNTER -DWOLFSSL_CMAC -DWOLFSSL_AES_OFB -DWOLFSSL_AES_CFB + -DWOLFSSL_AES_XTS -DWOLFSSL_AESXTS_STREAM -DWOLFSSL_AES_DIRECT + -DHAVE_AES_ECB -DHAVE_AES_KEYWRAP -DWOLFSSL_AES_XTS -DHAVE_AES_KEYWRAP + + -DHAVE_ED25519 -DHAVE_ED25519_KEY_IMPORT -DHAVE_ED448 -DHAVE_ED448_KEY_IMPORT + -DWOLFSSL_ED448_STREAMING_VERIFY + + -DHAVE_CURVE25519 -DHAVE_CURVE448 + + -DWOLFSSL_SHA224 -DWOLFSSL_SHA384 -DWOLFSSL_SHA512 -DWOLFSSL_NOSHA512_224 + -DWOLFSSL_NOSHA512_256 -DWOLFSSL_SHA3 -DWOLFSSL_SHAKE128 -DWOLFSSL_SHAKE256 + + -DNO_DSA -DNO_RC4 -DNO_MD4 -DNO_DES3 -DNO_DES3_TLS_SUITES - -DWOLFSSL_JNI -DHAVE_EX_DATA -DHAVE_OCSP -DHAVE_CRL_MONITOR - -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN -DHAVE_SNI -DHAVE_ALPN - -DWOLFSSL_ENCRYPTED_KEYS -DNO_ERROR_QUEUE -DWOLFSSL_EITHER_SIDE - -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_TICKET_HAVE_ID - -DWOLFSSL_ERROR_CODE_OPENSSL -DWOLFSSL_EXTRA_ALERTS - -DWOLFSSL_FORCE_CACHE_ON_TICKET -DWOLFSSL_AKID_NAME -DHAVE_CTS - -DKEEP_PEER_CERT -DSESSION_CERTS -DSIZEOF_LONG=4 -DSIZEOF_LONG_LONG=8 -DWOLFSSL_CUSTOM_CONFIG # For gethostbyname() @@ -175,12 +195,11 @@ elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready") # Enable below options for wolfSSL debug logging #-DDEBUG_WOLFSSL -DWOLFSSL_ANDROID_DEBUG - # Below options are added only for wolfCrypt test and benchmark - # applications. These can be left off / removed when integrating - # into a real-world application. Add -DNO_FILESYSTEM to disable - # file system use for wolfCrypt test, but make sure to remove - # this define in production applications as filesystem access - # is required for wolfJCE use. + # Below options are added only for wolfCrypt test and benchmark applications. + # These can be left off / removed when integrating into a real-world application. + # Add -DNO_FILESYSTEM to disable file system use for wolfCrypt test, but make sure + # to remove this define in production applications as filesystem access is required + # for wolfJSSE use. -DUSE_CERT_BUFFERS_2048 -DUSE_CERT_BUFFERS_256 -DNO_WRITE_TEMP_FILES -DNO_MAIN_DRIVER ) @@ -196,7 +215,8 @@ elseif("${WOLFSSL_MATH_LIB}" MATCHES "spmath") -DWOLFSSL_HAVE_SP_RSA -DWOLFSSL_SP_4096 -DWOLFSSL_HAVE_SP_DH -DWOLFSSL_HAVE_SP_ECC -DWOLFSSL_SP_384 -DWOLFSSL_SP_521 - -DWOLFSSL_SP_LARGE_CODE) + -DWOLFSSL_SP_LARGE_CODE + -DFP_MAX_BITS=16384 -DSP_INT_BITS=8192) # SP Math architecture-specific settings (ex: assembly optimizations) if("${ANDROID_ABI}" MATCHES "arm64-v8a") @@ -250,16 +270,21 @@ elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready") list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wolfcrypt_first.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/hmac.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/random.c) - list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sha256.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/kdf.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/rsa.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ecc.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/aes.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sha256.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sha.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sha512.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/sha3.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/dh.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/cmac.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/curve448.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ed448.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/curve25519.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ed25519.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/pwdbased.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/fips.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/fips_test.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wolfcrypt_last.c) @@ -283,9 +308,18 @@ elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready") list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/memory.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/asn.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/coding.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/md5.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/pwdbased.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/pkcs12.c) list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/tfm.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_lms.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_lms_impl.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_xmss.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/wc_xmss_impl.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/fe_operations.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ge_operations.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/fe_448.c) + list(APPEND CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/ge_448.c) endif() # wolfSSL will be compiled as a SHARED library