diff --git a/configure.ac b/configure.ac index 109ad83d0..0666f481a 100644 --- a/configure.ac +++ b/configure.ac @@ -224,7 +224,7 @@ AC_ARG_ENABLE([fips], [ENABLED_FIPS="no"]) # The FIPS options are: -# v4 - FIPS 140-3 +# v5 - FIPS 140-3 (wolfCrypt v5.0.0) # v3 - FIPS Ready # ready - same as v3 # rand - wolfRand @@ -242,7 +242,7 @@ AS_CASE([$ENABLED_FIPS], FIPS_VERSION="none" ENABLED_FIPS="no" ], - [rand|v1|v2|v4],[ + [rand|v1|v2|v5],[ FIPS_VERSION="$ENABLED_FIPS" ENABLED_FIPS="yes" ], @@ -253,7 +253,7 @@ AS_CASE([$ENABLED_FIPS], FIPS_VERSION="v1" ], [ - AC_MSG_ERROR([Invalid value for --enable-fips "$ENABLED_FIPS" (allowed: ready, rand, v1, v2)]) + AC_MSG_ERROR([Invalid value for --enable-fips \"$ENABLED_FIPS\" (allowed: ready, rand, v1, v2, v5)]) ]) AS_CASE([$FIPS_VERSION], @@ -278,7 +278,7 @@ AC_ARG_ENABLE([fips-3], [AS_HELP_STRING([--enable-fips-3],[Enable FIPS 140-3, Will NOT work w/o FIPS license (default: disabled)])], [ENABLED_FIPS_140_3=$enableval], [ENABLED_FIPS_140_3="no"]) -AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v4"]) +AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v5"]) # Linux Kernel Module AC_ARG_ENABLE([linuxkm], @@ -2014,7 +2014,7 @@ fi SHA3_DEFAULT=no if (test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64") && test "$ENABLED_32BIT" = "no" then - if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv4" + if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv5" then SHA3_DEFAULT=yes fi @@ -3346,9 +3346,9 @@ fi # FIPS AS_CASE([$FIPS_VERSION], - ["v4"], [ # FIPS 140-3 - AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=4 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING" - ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no" + ["v5"], [ # FIPS 140-3 + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=5 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING" + ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"; ENABLED=WOLFSSH="yes" # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256" AS_IF([test "x$ENABLED_AESCCM" != "xyes"], @@ -7098,8 +7098,8 @@ AM_CONDITIONAL([BUILD_FIPS_V1],[test "x$FIPS_VERSION" = "xv1"]) AM_CONDITIONAL([BUILD_FIPS_V2],[test "x$FIPS_VERSION" = "xv2"]) AM_CONDITIONAL([BUILD_FIPS_RAND],[test "x$FIPS_VERSION" = "xrand"]) AM_CONDITIONAL([BUILD_FIPS_V3],[test "x$FIPS_VERSION" = "xv3"]) -AM_CONDITIONAL([BUILD_FIPS_V4],[test "x$FIPS_VERSION" = "xv4"]) -AM_CONDITIONAL([BUILD_FIPS_CURRENT],[test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv4"]) +AM_CONDITIONAL([BUILD_FIPS_V4],[test "x$FIPS_VERSION" = "xv5"]) +AM_CONDITIONAL([BUILD_FIPS_CURRENT],[test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv5"]) AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"]) AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) diff --git a/fips-check.sh b/fips-check.sh index 104792646..c21610572 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -36,7 +36,7 @@ Platform is one of: stm32l4-v2 (FIPSv2, use for STM32L4) wolfrand solaris - linuxv3 (FIPS 140-3) + linuxv5 (FIPS 140-3) Keep (default off) retains the XXX-fips-test temp dir for inspection. Example: @@ -266,7 +266,7 @@ solaris) FIPS_OPTION=v2 MAKE=gmake ;; -linuxv3) +linuxv5) FIPS_REPO="git@github.com:ejohnstown/fips.git" FIPS_VERSION="fipsv3" CRYPT_REPO="git@github.com:ejohnstown/wolfssl.git" @@ -277,8 +277,9 @@ linuxv3) RNG_VERSION="fipsv3" FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c ) FIPS_INCS=( fips.h ) - FIPS_OPTION="v4" - COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm ) + FIPS_OPTION="v5" + COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm + wolfcrypt/src/sha256_asm.S wolfcrypt/src/sha512_asm.S ) ;; *) Usage @@ -319,7 +320,7 @@ then cp "old-tree/$CRYPT_SRC_PATH/random.c" $CRYPT_SRC_PATH cp "old-tree/$CRYPT_INC_PATH/random.h" $CRYPT_INC_PATH fi -elif [ "x$FIPS_OPTION" == "xv2" ] || [ "x$FIPS_OPTION" == "xrand" ] || [ "x$FIPS_OPTION" == "xv4" ] +elif [ "x$FIPS_OPTION" == "xv2" ] || [ "x$FIPS_OPTION" == "xrand" ] || [ "x$FIPS_OPTION" == "xv5" ] then $GIT branch --no-track "my$CRYPT_VERSION" $CRYPT_VERSION # Checkout the fips versions of the wolfCrypt files from the repo. diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index 60d0cccfa..4e04c2f7b 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -1990,7 +1990,7 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz, return ret; } -#endif /* WOLFSSL_SSH */ +#endif /* WOLFSSL_WOLFSSH */ #endif /* HAVE_FIPS */ #endif /* NO_HMAC */ diff --git a/wolfssl/wolfcrypt/hmac.h b/wolfssl/wolfcrypt/hmac.h index 3df4db6a5..9a9709e7b 100644 --- a/wolfssl/wolfcrypt/hmac.h +++ b/wolfssl/wolfcrypt/hmac.h @@ -279,7 +279,7 @@ WOLFSSL_API int wc_SSH_KDF(byte hashId, byte keyId, const byte* h, word32 hSz, const byte* sessionId, word32 sessionIdSz); -#endif /* WOLFSSL_SSH */ +#endif /* WOLFSSL_WOLFSSH */ #ifdef __cplusplus } /* extern "C" */