From 19106a9510e2bea3f7d02a1ab5059e9b1cccbb4a Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 6 Jul 2022 17:31:56 -0500
Subject: [PATCH 1/5] configure.ac and tests/api.c: lock out compkey on FIPS 140-3 RC12 and ready, and add backward-compat code in test_wc_ecc_export_x963_ex() to allow RC12 compkey builds to pass unit.test.

---
 configure.ac | 14 +++++++++-----
 tests/api.c | 7 ++++++-
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index df97ac75c..769524068 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2879,10 +2879,6 @@ if test "$ENABLED_WPAS" = "yes"
 then
 ENABLED_COMPKEY=yes
 fi
-if test "$ENABLED_COMPKEY" = "yes"
-then
- AM_CFLAGS="$AM_CFLAGS -DHAVE_COMP_KEY"
-fi
 # for using memory optimization setting on both curve25519 and ed25519
@@ -3947,6 +3943,9 @@ AS_CASE([$FIPS_VERSION],
 AS_IF([test "$ENABLED_KEYGEN" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_keygen" != "no")],
 [ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
+ AS_IF([test "$ENABLED_COMPKEY" = "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_compkey" != "yes")],
+ [ENABLED_COMPKEY="no"])
+
 AS_IF([test "$ENABLED_SHA224" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha224" != "no")],
 [ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
@@ -7701,8 +7700,13 @@ if test "x$ENABLED_SECURE_RENEGOTIATION_INFO" = "xyes"; then
 fi
+if test "$ENABLED_COMPKEY" = "yes"
+then
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_COMP_KEY"
+fi
-# Depricated Algorithm Handling
+
+# Deprecated Algorithm Handling
 if test "$ENABLED_ARC4" = "yes"
 then
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_RC4"
diff --git a/tests/api.c b/tests/api.c
index 4fd108285..b31043e61 100644
--- a/tests/api.c
+++ b/tests/api.c
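Review bot: The new `AS_IF` in the second configure.ac hunk turns `ENABLED_COMPKEY` off silently on every FIPS version other than `v5-dev`, even when the user asked for it with `--enable-compkey` or it was forced on by the `ENABLED_WPAS` branch visible in the first hunk, so such builds quietly lose `HAVE_COMP_KEY` with nothing in the configure output to explain it. The neighbouring keygen and sha224 lines only ever force an option on; this is the first one that drops a requested feature, so it deserves a message in the action, e.g. `[ENABLED_COMPKEY="no"; AC_MSG_WARN([compressed ECC keys are not supported in this FIPS build; disabling compkey])]`. Note also that `$enable_compkey` is empty when compkey was enabled only through `ENABLED_WPAS`, so on `v5-dev` the `!= "yes"` test disables it in that case too, which may or may not be intended. The re-added `-DHAVE_COMP_KEY` block in the third hunk would read better with `# Must stay after the FIPS_VERSION handling above, which may reset ENABLED_COMPKEY.` above it, since its position is now what makes the lock-out effective.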
@@ -24715,7 +24715,12 @@ static int test_wc_ecc_export_x963_ex (void)
 if (ret == BAD_FUNC_ARG) {
 ret = wc_ecc_export_x963_ex(&key, out, &badOutLen, COMP);
 }
- if (ret == LENGTH_ONLY_E) {
+#if defined(HAVE_FIPS) && (!defined(FIPS_VERSION_LT) || FIPS_VERSION_LT(5,3))
+ if (ret == BUFFER_E)
+#else
+ if (ret == LENGTH_ONLY_E)
+#endif
+ {
 key.idx = -4;
 ret = wc_ecc_export_x963_ex(&key, out, &outlen, COMP);
 }

From 6b6abfac54b123d405567b7057c9417037a0e438 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 6 Jul 2022 17:32:26 -0500
Subject: [PATCH 2/5] examples/client/client.c: remove break after err_sys() to mollify clang-tidy unreachable-break sensor.

---
 examples/client/client.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/examples/client/client.c b/examples/client/client.c
index c88dde320..6e1660472 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -2952,7 +2952,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 break;
 #else
 err_sys("invalid minimum downgrade version");
- break;
 #endif /* WOLFSSL_DTLS13 */
 case 3:
 minVersion = WOLFSSL_DTLSV1_2;

From 7c49449a79d4b60251e04264c4dc93949580ec01 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 6 Jul 2022 17:35:15 -0500
Subject: [PATCH 3/5] wolfcrypt/src/port/arm/armv8-sha512.c: gate out Sha512_Family_GetHash() in builds that have 224 and 256 bit hashes gated out, to fix unused function warning.

---
 wolfcrypt/src/port/arm/armv8-sha512.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/wolfcrypt/src/port/arm/armv8-sha512.c b/wolfcrypt/src/port/arm/armv8-sha512.c
index 358cf06ab..7584b2498 100644
--- a/wolfcrypt/src/port/arm/armv8-sha512.c
+++ b/wolfcrypt/src/port/arm/armv8-sha512.c
@@ -797,6 +797,8 @@ void wc_Sha384Free(wc_Sha384* sha384)
 #ifdef WOLFSSL_SHA512
+#if !defined(WOLFSSL_NOSHA512_224) || !defined(WOLFSSL_NOSHA512_256)
+
 static int Sha512_Family_GetHash(wc_Sha512* sha512, byte* hash,
 enum wc_HashType type )
 {
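Review bot: The new `#if` in the tests/api.c hunk changes the error code the test expects from the compressed-point export without saying why, so a reader sees `BUFFER_E` accepted on one FIPS line and `LENGTH_ONLY_E` on another and cannot tell whether that is a known behaviour difference or a wrong result being tolerated. A comment above the `#if` would settle it, e.g. `/* FIPS < 5.3 reports a too-small output buffer as BUFFER_E; later code returns LENGTH_ONLY_E */`, and naming the FIPS release that the `5,3` threshold corresponds to would make the version check easier to audit later. Splitting `if (...)` from its `{` across preprocessor branches is legal but fragile under reformatting; an `int` declared at the top of the function and assigned under the same `#if`, followed by a single `if (ret == expected) {`, keeps the control flow in one piece. test_wc_ecc_export_x963_ex() begins and ends outside the hunk.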
@@ -833,6 +835,8 @@ static int Sha512_Family_GetHash(wc_Sha512* sha512, byte* hash,
 return ret;
 }
+#endif /* !WOLFSSL_NOSHA512_224 || !WOLFSSL_NOSHA512_256 */
+
 int wc_Sha512GetHash(wc_Sha512* sha512, byte* hash)
 {
 int ret;

From eff4fe398be381eeab0228c5e20afd3d5125212d Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 6 Jul 2022 17:37:43 -0500
Subject: [PATCH 4/5] src/include.am: fix gating around sha* and BUILD_ARMASM, to avoid empty-translation-unit warnings for sha{256,512}.c on armasm builds.

---
 src/include.am | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/include.am b/src/include.am
index 361bf6a89..7a608f9ac 100644
--- a/src/include.am
+++ b/src/include.am
@@ -170,8 +170,7 @@ src_libwolfssl_la_SOURCES += \
 src_libwolfssl_la_SOURCES += \
 wolfcrypt/src/hmac.c \
- wolfcrypt/src/random.c \
- wolfcrypt/src/sha256.c
+ wolfcrypt/src/random.c
 src_libwolfssl_la_SOURCES += wolfcrypt/src/kdf.c
@@ -201,13 +200,14 @@ endif
 if BUILD_ARMASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c
-endif
+else
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256.c
 if BUILD_INTELASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S
 endif
+endif
 if BUILD_SHA512
-src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
 if BUILD_ARMASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512.c
 if BUILD_ARMASM_INLINE
@@ -217,11 +217,13 @@ else
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512-asm.S
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm.S
 endif
-endif
+else
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
 if BUILD_INTELASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S
 endif
 endif
+endif
 if BUILD_SHA3
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c

From 82b1dc0cd07e5bf466b14bbc94d6e72dd2ef2d36 Mon Sep 17 00:00:00 2001
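Review bot: The rewritten sha256/sha512 blocks in src/include.am now nest automake conditionals three deep (`BUILD_SHA512` > `BUILD_ARMASM`/`else` > `BUILD_INTELASM`) with no indentation, so the run of bare `endif` lines at the end of the third hunk is hard to match to its opener. Automake accepts trailing `#` comments, so annotating them as `endif # BUILD_INTELASM`, `endif # BUILD_ARMASM` and `endif # BUILD_SHA512` (and likewise in the second hunk) makes the structure visible without changing what is built. The change also means plain `wolfcrypt/src/sha256.c` and `sha512.c` are no longer compiled into any `BUILD_ARMASM` library, which is correct only if the armv8 port files provide every symbol those files otherwise would; the commit message says they compile to empty translation units in that configuration, which is consistent, but a comment on each `else` branch stating that assumption would help the next person who changes the gating.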
From: Daniel Pouzzner
Date: Wed, 6 Jul 2022 17:39:59 -0500
Subject: [PATCH 5/5] wolfcrypt/src/asn.c: move final return in DecodeECC_DSA_Sig() outside the NO_STRICT_ECDSA_LEN gate, to avoid no-return-from-non-void.

---
 wolfcrypt/src/asn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index de3249e0e..92c9397aa 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -28276,8 +28276,8 @@ int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s)
 ret = ASN_ECC_KEY_E;
 }
- return ret;
 #endif
+ return ret;
 #endif /* WOLFSSL_ASN_TEMPLATE */
 }
 #endif
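Review bot: Moving `return ret;` after the inner `#endif` makes the `NO_STRICT_ECDSA_LEN` build return normally instead of running off the end of a non-void function, but that bare `#endif` is now the only one in view without a trailing comment while the line after it carries `/* WOLFSSL_ASN_TEMPLATE */`; give it the matching condition, e.g. `#endif /* !NO_STRICT_ECDSA_LEN */` if the opener is `#ifndef NO_STRICT_ECDSA_LEN`. Since both the strict and the non-strict builds now return `ret`, it is worth confirming that `ret` has been assigned on the non-strict path before this point, because a signature parser returning an indeterminate status would be a worse outcome than the warning this fixes. DecodeECC_DSA_Sig() starts outside the hunk, so that cannot be checked from here.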