From 1c2765430005b302df5bb2c80e548b965dee4b8d Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Mon, 27 Sep 2021 20:33:51 -0500
Subject: [PATCH] configure.ac and wolfssl/wolfcrypt/types.h: don't change wc_HashType for FIPS <= v2 (reverts commit 56843fbefd as it affected that definition); add -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256 to FIPS v2 and v3.
---
 configure.ac | 9 ++++++++-
 wolfssl/wolfcrypt/types.h | 11 +++--------
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/configure.ac b/configure.ac
index 284018259..6e0726aab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3404,7 +3404,7 @@ AS_CASE([$FIPS_VERSION],
 # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
 ENABLED_SHAKE256=no
- # SHA512-224 and SHA512-256 are a SHA-2 algorithms not in our FIPS algorithm list
+ # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
 AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
 [ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
@@ -3441,6 +3441,9 @@ AS_CASE([$FIPS_VERSION],
 ENABLED_DES3="yes"
 # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
+ ENABLED_SHAKE256=no
+ # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
 AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
 [ENABLED_AESCCM="yes"
 AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
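Review bot: The three lines added in the `@@ -3441,6 +3441,9 @@` hunk (`ENABLED_SHAKE256=no`, the SHA512-224/256 comment and the `-DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256` flags) are repeated verbatim in the `@@ -3476,6 +3479,9 @@` hunk and already exist in the case touched at line 3404, so the list of algorithms excluded from FIPS builds now lives in three copies. If one copy drifts, a FIPS build could keep an algorithm that is not in the validated list without anyone noticing. Consider setting the exclusions once (for example a shell variable appended in each case), or at least adding a comment such as `# keep in sync with the other FIPS_VERSION cases` above each copy. The AS_CASE branches these lines belong to start and end outside the hunks.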
@@ -3476,6 +3479,9 @@ AS_CASE([$FIPS_VERSION],
 ENABLED_DES3="yes"
 # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
+ ENABLED_SHAKE256=no
+ # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
 AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
 [ENABLED_AESCCM="yes"
 AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
@@ -3503,6 +3509,7 @@ AS_CASE([$FIPS_VERSION],
 [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
 AS_IF([test "x$ENABLED_AESGCM" = "xno"],
 [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
+echo "$AM_CFLAGS" >/dev/stderr
 ],
 ["rand"],[
 AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR"
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 0e64391de..7bb54e334 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -873,8 +873,9 @@ decouple library dependencies with standard string, memory and so on.
 /* hash types */
 enum wc_HashType {
- #if defined(HAVE_SELFTEST) || defined(HAVE_FIPS) && \
- (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION <= 2))
+ #if defined(HAVE_SELFTEST) || (defined(HAVE_FIPS) && \
+ ((! defined(HAVE_FIPS_VERSION)) || \
+ defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION <= 2)))
 /* In selftest build, WC_* types are not mapped to WC_HASH_TYPE types.
 * Values here are based on old selftest hmac.h enum, with additions.
 * These values are fixed for backwards FIPS compatibility */
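Review bot: The added line `echo "$AM_CFLAGS" >/dev/stderr` in the `@@ -3503,6 +3509,7 @@` hunk looks like a debugging leftover: it is unindented, the commit message does not mention it, and it prints the whole flag set on every configure run that takes this case. `/dev/stderr` is also not present on every platform where configure runs. If the output is wanted, `AC_MSG_NOTICE([AM_CFLAGS: $AM_CFLAGS])` is the autoconf way to emit it; otherwise the line should be dropped. The enclosing AS_CASE branch begins outside the hunk.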
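Review bot: The new `#if` in the `@@ -873,8 +873,9 @@` hunk mixes `||` and `&&` without grouping on its last two lines, and the second `defined(HAVE_FIPS_VERSION)` is redundant once `! defined(HAVE_FIPS_VERSION)` has been tested. This condition selects which fixed enum numbering a build gets, so it should be readable at a glance; the last two lines could be written as `(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION <= 2)))`. The comment below it still says "In selftest build" although the branch now also covers FIPS builds with no version or version <= 2, so it could read `/* In selftest and FIPS <= v2 builds, WC_* types are not mapped ...`. The enum body continues outside the hunk.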
@@ -894,12 +895,6 @@ decouple library dependencies with standard string, memory and so on.
 WC_HASH_TYPE_SHA3_512 = 13,
 WC_HASH_TYPE_BLAKE2B = 14,
 WC_HASH_TYPE_BLAKE2S = 19,
- WC_HASH_TYPE_SHA512_224 = 20,
- WC_HASH_TYPE_SHA512_256 = 21,
- WC_HASH_TYPE_SHAKE128 = 22,
- WC_HASH_TYPE_SHAKE256 = 23,
-
- WC_HASH_TYPE_MAX = WC_HASH_TYPE_SHAKE256
 #else
 WC_HASH_TYPE_NONE = 0,
 WC_HASH_TYPE_MD2 = 1,
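Review bot: After this removal the selftest/FIPS branch, as far as the hunk shows, ends at `WC_HASH_TYPE_BLAKE2S = 19,` followed directly by `#else`, so `WC_HASH_TYPE_MAX` is no longer defined in that branch. Unless a definition follows outside the hunk, code that refers to `WC_HASH_TYPE_MAX` for range checks or table sizing will not compile in selftest and FIPS <= v2 builds. A revert of the earlier commit would be expected to restore `WC_HASH_TYPE_MAX = WC_HASH_TYPE_BLAKE2S` after the BLAKE2S line rather than drop the enumerator. The enum starts and ends outside the hunk.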