WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

AES-CCM FIPS 

1. Add new error code for the AES-CCM FIPS KAT failure.
2. When enabling FIPSv2, force enable AES-CCM.
cert-3389
John Safranek 2018-01-10 09:27:15 -08:00
parent 8ff328cb39
commit 0c5d704c7f
4 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
configure.ac
View File

@ -2044,6 +2044,9 @@ then
AS_IF([test "x$FIPS_VERSION" = "xv2"], AS_IF([test "x$FIPS_VERSION" = "xv2"],
[AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN" [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN"
ENABLED_KEYGEN="yes" ENABLED_KEYGEN="yes"
AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
[ENABLED_AESCCM="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
AS_IF([test "x$ENABLED_RSAPSS" != "xyes"], AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
[ENABLED_RSAPSS="yes" [ENABLED_RSAPSS="yes"
AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"]) AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])

9
wolfcrypt/src/aes.c
View File

@ -172,10 +172,11 @@
#endif /* HAVE_AESGCM */ #endif /* HAVE_AESGCM */
/* AES-CCM */ /* AES-CCM */
#ifdef HAVE_AESCCM #if defined(HAVE_AESCCM) && \
void wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz) defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
{ {
AesCcmSetKey(aes, key, keySz); return AesCcmSetKey(aes, key, keySz);
} }
int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz, int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
const byte* nonce, word32 nonceSz, const byte* nonce, word32 nonceSz,
@ -209,7 +210,7 @@
authTag, authTagSz, authIn, authInSz); authTag, authTagSz, authIn, authInSz);
} }
#endif /* HAVE_AES_DECRYPT */ #endif /* HAVE_AES_DECRYPT */
#endif /* HAVE_AESCCM */ #endif /* HAVE_AESCCM && HAVE_FIPS_VERSION 2 */
int wc_AesInit(Aes* aes, void* h, int i) int wc_AesInit(Aes* aes, void* h, int i)
{ {

3
wolfcrypt/src/error.c
View File

@ -461,6 +461,9 @@ const char* wc_GetErrorString(int error)
case DH_KAT_FIPS_E: case DH_KAT_FIPS_E:
return "wolfcrypt FIPS DH Known Answer Test Failure"; return "wolfcrypt FIPS DH Known Answer Test Failure";
case AESCCM_KAT_FIPS_E:
return "AESCCM Known Answer Test check FIPS error";
default: default:
return "unknown error number"; return "unknown error number";

3
wolfssl/wolfcrypt/error-crypt.h
View File

@ -205,8 +205,9 @@ enum {
RSAPSS_PAT_FIPS_E = -254, /* RSA-PSS PAT failure */ RSAPSS_PAT_FIPS_E = -254, /* RSA-PSS PAT failure */
ECDSA_PAT_FIPS_E = -255, /* ECDSA PAT failure */ ECDSA_PAT_FIPS_E = -255, /* ECDSA PAT failure */
DH_KAT_FIPS_E = -256, /* DH KAT failure */ DH_KAT_FIPS_E = -256, /* DH KAT failure */
AESCCM_KAT_FIPS_E = -257, /* AESCCM KAT failure */
WC_LAST_E = -256, /* Update this to indicate last error */ WC_LAST_E = -257, /* Update this to indicate last error */
MIN_CODE_E = -300 /* errors -101 - -299 */ MIN_CODE_E = -300 /* errors -101 - -299 */
/* add new companion error id strings for any new error codes /* add new companion error id strings for any new error codes