WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #5159 from kareem-wolfssl/fipsv3HmacMd5 

Allow using 3DES and MD5 with FIPS 140-3, as they fall outside of the FIPS boundary.
pull/5168/head
David Garske 2022-05-20 18:40:29 -07:00 committed by GitHub
parent 9a74745246 832a7a40a6
commit b5d65b9579
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
configure.ac
View File

@ -3767,11 +3767,9 @@ AS_CASE([$FIPS_VERSION],
AS_IF([test "$ENABLED_AESGCM" = "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesgcm" != "no")],
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
AS_IF([test "$ENABLED_MD5" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_md5" != "yes")],
[ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
AS_IF([test "$ENABLED_DES3" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_des3" != "yes")],
[ENABLED_DES3="no"])
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
[ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
[AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesofb" != "no")],

2
tests/api.c
View File

@ -41263,7 +41263,7 @@ static void test_wolfSSL_HMAC_CTX(void)
digest, digestSz), 0);
#endif /* WOLFSSL_SHA512 */
#ifndef NO_MD5
#if !defined(NO_MD5) && (!defined(HAVE_FIPS_VERSION) || HAVE_FIPS_VERSION <= 2)
AssertIntEQ((digestSz = test_HMAC_CTX_helper(EVP_md5(), digest)), 16);
AssertIntEQ(XMEMCMP("\xB7\x27\xC4\x41\xE5\x2E\x62\xBA\x54\xED\x72\x70\x9F"
"\xE4\x98\xDD", digest, digestSz), 0);

6
wolfcrypt/test/test.c
View File

@ -18404,9 +18404,15 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
c.inLen = XSTRLEN(c.input);
c.outLen = WC_MD5_DIGEST_SIZE;
#if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)
/* Expect failure with MD5 + HMAC when using FIPS 140-3. */
if (HMAC(EVP_md5(), "JefeJefeJefeJefe", 16, (byte*)c.input, (int)c.inLen,
hash, 0) != NULL)
#else
if (HMAC(EVP_md5(), "JefeJefeJefeJefe", 16, (byte*)c.input, (int)c.inLen,
hash, 0) == NULL ||
XMEMCMP(hash, c.output, WC_MD5_DIGEST_SIZE) != 0)
#endif
{
return -8612;
}