Merge pull request #6856 from dgarske/fips_win32

Fixes for wolfCrypt FIPS DLL win32
2023-10-13 09:49:26 -06:00 · 2023-10-13 09:49:26 -06:00 · 95137f91fa
parent dd1459ec8e c05aea7c5a
commit 95137f91fa
6 changed files with 60 additions and 14 deletions
--- a/IDE/WIN/README.txt
+++ b/IDE/WIN/README.txt
@ -3,7 +3,7 @@
 First, if you did not get the FIPS files with your archive, you must contact
 wolfSSL to obtain them.

-The IDE/WIN/wolfssl-fips.sln solution is for the original FIPS #2425 certificate. 
+The IDE/WIN/wolfssl-fips.sln solution is for the original FIPS #2425 certificate.
 See IDE/WIN10/wolfssl-fips.sln for the FIPS v2 #3389 or later Visual Studio solution.

 # Building the wolfssl-fips project
@ -30,11 +30,13 @@ The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt
 FIPS library code and constant data and compares it with a known value in
 the code.

-The Randomized Base Address setting needs to be disabled on the 32-bit builds
-but can be enabled on the 64-bit builds. In the 32-bit mode the addresses
-being different throws off the in-core memory calculation. It looks like in
-64-bit mode the library uses all offsets, so the core hash calculation
-is the same every time.
+The following wolfCrypt FIPS project linker settings are required for the DLL Win32 configuration:
+1) The [Randomized Base Address setting (ASLR)](https://learn.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-170)
+needs to be disabled on all builds as the feature throws off the in-core memory calculation causing the test to fail.
+2) The [Incremental Link](https://learn.microsoft.com/en-us/cpp/build/reference/incremental-link-incrementally?view=msvc-170)
+option need turned off so function pointers go to actual code, not a jump instruction.
+3) The [FixedBaseAddress](https://learn.microsoft.com/en-us/cpp/build/reference/fixed-fixed-base-address?view=msvc-170)
+option to YES, which disables the support for ASLR.

 The "verifyCore" check value in the source fips_test.c needs to be updated when
 building the code. The POS performs this check and the default failure callback
@ -71,13 +73,13 @@ These settings are defined in IDE/WIN/user_settings.h.

 # Notes on enabling DTLS including DTLS version 1.3

-The file IDE/WIN/user_settings_dtls.h contains the needed build options for 
+The file IDE/WIN/user_settings_dtls.h contains the needed build options for
 enabling DTLS and DTLS version 1.3.

 To incorporate the build options:

 * Rename IDE/WIN/user_settings.h to IDE/WIN/user_settings.h.bak
 * Rename IDE/WIN/user_settings_dtls.h to IDE/WIN/user_settings.h
- 
+
 Alternatively, copy the DTLS labeled section from IDE/WIN/user_settings_dtls.h
 in to IDE/WIN/user_settings.h.
--- a/IDE/WIN/wolfssl-fips.vcxproj
+++ b/IDE/WIN/wolfssl-fips.vcxproj
@ -117,6 +117,18 @@
    <OutDir>$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
    <IntDir>$(Configuration)\$(Platform)\obj\</IntDir>
  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
      <Optimization>Disabled</Optimization>
@ -146,6 +158,7 @@
      <BaseAddress>0x5A000000</BaseAddress>
      <RandomizedBaseAddress>false</RandomizedBaseAddress>
      <DataExecutionPrevention>false</DataExecutionPrevention>
+      <FixedBaseAddress>true</FixedBaseAddress>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@ -174,7 +187,7 @@
    </ClCompile>
    <Link>
      <AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
-      <RandomizedBaseAddress>true</RandomizedBaseAddress>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
      <DataExecutionPrevention>false</DataExecutionPrevention>
    </Link>
  </ItemDefinitionGroup>
@ -206,6 +219,7 @@
      <AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <RandomizedBaseAddress>false</RandomizedBaseAddress>
      <BaseAddress>0x5A000000</BaseAddress>
+      <FixedBaseAddress>true</FixedBaseAddress>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@ -234,7 +248,7 @@
    </ClCompile>
    <Link>
      <AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
-      <RandomizedBaseAddress>true</RandomizedBaseAddress>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
    </Link>
  </ItemDefinitionGroup>
  <ItemGroup>
--- a/IDE/WIN10/README.txt
+++ b/IDE/WIN10/README.txt
@ -29,8 +29,13 @@ The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt
 FIPS library code and constant data and compares it with a known value in
 the code.

-The Randomized Base Address setting needs to be disabled on all builds as the 
-feature throws off the in-core memory calculation causing the test to fail.
+The following wolfCrypt FIPS project linker settings are required for the DLL Win32 configuration:
+1) The [Randomized Base Address setting (ASLR)](https://learn.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-170)
+needs to be disabled on all builds as the feature throws off the in-core memory calculation causing the test to fail.
+2) The [Incremental Link](https://learn.microsoft.com/en-us/cpp/build/reference/incremental-link-incrementally?view=msvc-170)
+option need turned off so function pointers go to actual code, not a jump instruction.
+3) The [FixedBaseAddress](https://learn.microsoft.com/en-us/cpp/build/reference/fixed-fixed-base-address?view=msvc-170)
+option to YES, which disables the support for ASLR.

 The "verifyCore" check value in the source fips_test.c needs to be updated when
 building the code. The POS performs this check and the default failure callback
@ -39,7 +44,6 @@ value and paste it back into your code in the verifyCore initializer then
 rebuild the code. When statically linking, you may have to recalculate your
 check value when changing your application.

-
 # Build Options

 The default build options should be the proper default set of options:
--- a/IDE/WIN10/user_settings.h
+++ b/IDE/WIN10/user_settings.h
@ -1,6 +1,16 @@
 #ifndef _WIN_USER_SETTINGS_H_
 #define _WIN_USER_SETTINGS_H_

+/* For FIPS 140-2 3389 build set to "#if 1" */
+#if 0
+#undef HAVE_FIPS
+#define HAVE_FIPS
+#undef HAVE_FIPS_VERSION
+#define HAVE_FIPS_VERSION 2
+#undef HAVE_FIPS_VERSION_MINOR
+#define HAVE_FIPS_VERSION_MINOR 0
+#endif
+
 /* Set the following to 1 for WCv5.0-RC12 build. */
 #if 0
 #undef HAVE_FIPS
@ -67,8 +77,10 @@
        #define WOLFSSL_VALIDATE_FFC_IMPORT
        #define HAVE_FFDHE_Q
        #define HAVE_PUBLIC_FFDHE
+    #ifdef _WIN64
        #define WOLFSSL_AESNI
        #define HAVE_INTEL_RDSEED
+    #endif
        #define FORCE_FAILURE_RDSEED
    #endif /* FIPS v2 */
    #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5)
--- a/IDE/WIN10/wolfssl-fips.vcxproj
+++ b/IDE/WIN10/wolfssl-fips.vcxproj
@ -117,6 +117,18 @@
    <OutDir>$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
    <IntDir>$(Configuration)\$(Platform)\$(ProjectName)_obj\</IntDir>
  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
      <Optimization>Disabled</Optimization>
@ -146,6 +158,7 @@
      <BaseAddress>0x5A000000</BaseAddress>
      <RandomizedBaseAddress>false</RandomizedBaseAddress>
      <DataExecutionPrevention>false</DataExecutionPrevention>
+      <FixedBaseAddress>true</FixedBaseAddress>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@ -206,6 +219,7 @@
      <AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <RandomizedBaseAddress>false</RandomizedBaseAddress>
      <BaseAddress>0x5A000000</BaseAddress>
+      <FixedBaseAddress>true</FixedBaseAddress>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
--- a/src/pk.c
+++ b/src/pk.c
@ -2110,7 +2110,7 @@ int wolfSSL_PEM_write_RSAPrivateKey(XFILE fp, WOLFSSL_RSA *rsa,
 {
    int ret = 1;
    byte* pem = NULL;
-    int pLen;
+    int pLen = 0;

    (void)cb;
    (void)arg;