mirror of https://github.com/wolfSSL/wolfssl.git
Unwind a few changes adding guards so it'll build with old FIPS.
parent
b54459ace3
commit
f53a4db4e7
|
@ -53,6 +53,7 @@
|
|||
#define WOLFSSL_VALIDATE_ECC_IMPORT
|
||||
#define WOLFSSL_VALIDATE_FFC_IMPORT
|
||||
#define HAVE_FFDHE_Q
|
||||
#define HAVE_PUBLIC_FFDHE
|
||||
#define WOLFSSL_AESNI
|
||||
#define HAVE_INTEL_RDSEED
|
||||
#define FORCE_FAILURE_RDSEED
|
||||
|
@ -61,6 +62,7 @@
|
|||
#undef WOLFSSL_AESNI /* Comment out if using PAA */
|
||||
#undef HAVE_INTEL_RDSEED
|
||||
#undef FORCE_FAILURE_RDSEED
|
||||
#undef HAVE_PUBLIC_FFDHE
|
||||
|
||||
#define NO_DES
|
||||
#define NO_DES3
|
||||
|
|
|
@ -3414,7 +3414,7 @@ AS_CASE([$FIPS_VERSION],
|
|||
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
|
||||
],
|
||||
["v2"],[ # Cert 3389
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DHAVE_PUBLIC_FFDHE"
|
||||
ENABLED_KEYGEN="yes"
|
||||
ENABLED_SHA224="yes"
|
||||
ENABLED_DES3="yes"
|
||||
|
|
|
@ -23401,6 +23401,9 @@ static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
|
|||
int ret = 0;
|
||||
word16 length;
|
||||
#ifdef HAVE_FFDHE
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
const DhParams* params = NULL;
|
||||
#endif
|
||||
word16 group = 0;
|
||||
#endif
|
||||
|
||||
|
@ -23566,26 +23569,41 @@ static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
|
|||
switch (ssl->options.dhKeySz) {
|
||||
#ifdef HAVE_FFDHE_2048
|
||||
case 2048/8:
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
params = wc_Dh_ffdhe2048_Get();
|
||||
#endif
|
||||
group = WOLFSSL_FFDHE_2048;
|
||||
break;
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_3072
|
||||
case 3072/8:
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
params = wc_Dh_ffdhe3072_Get();
|
||||
#endif
|
||||
group = WOLFSSL_FFDHE_3072;
|
||||
break;
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_4096
|
||||
case 4096/8:
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
params = wc_Dh_ffdhe4096_Get();
|
||||
#endif
|
||||
group = WOLFSSL_FFDHE_4096;
|
||||
break;
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_6144
|
||||
case 6144/8:
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
params = wc_Dh_ffdhe6144_Get();
|
||||
#endif
|
||||
group = WOLFSSL_FFDHE_6144;
|
||||
break;
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_8192
|
||||
case 8192/8:
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
params = wc_Dh_ffdhe8192_Get();
|
||||
#endif
|
||||
group = WOLFSSL_FFDHE_8192;
|
||||
break;
|
||||
#endif
|
||||
|
@ -23593,10 +23611,20 @@ static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
|
|||
break;
|
||||
}
|
||||
|
||||
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
if (params == NULL || params->g_len != ssl->buffers.serverDH_G.length ||
|
||||
(XMEMCMP(ssl->buffers.serverDH_G.buffer, params->g,
|
||||
params->g_len) != 0) ||
|
||||
(XMEMCMP(ssl->buffers.serverDH_P.buffer, params->p,
|
||||
params->p_len) != 0))
|
||||
#else
|
||||
if (!wc_DhCmpNamedKey(group, 1,
|
||||
ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length,
|
||||
ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length,
|
||||
NULL, 0)) {
|
||||
NULL, 0))
|
||||
#endif
|
||||
{
|
||||
WOLFSSL_MSG("Server not using FFDHE parameters");
|
||||
#ifdef WOLFSSL_REQUIRE_FFDHE
|
||||
SendAlert(ssl, alert_fatal, handshake_failure);
|
||||
|
@ -24970,7 +24998,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
|
|||
goto exit_scke;
|
||||
}
|
||||
|
||||
#ifdef HAVE_FFDHE
|
||||
#if defined(HAVE_FFDHE) && !defined(HAVE_PUBLIC_FFDHE)
|
||||
if (ssl->namedGroup) {
|
||||
ret = wc_DhSetNamedKey(ssl->buffers.serverDH_Key,
|
||||
ssl->namedGroup);
|
||||
|
@ -26876,7 +26904,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||
!defined(WOLFSSL_NO_TLS12))
|
||||
case diffie_hellman_kea:
|
||||
#endif
|
||||
#if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
|
||||
#if (defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)) && !defined(HAVE_PUBLIC_FFDHE)
|
||||
if (ssl->namedGroup) {
|
||||
word32 pSz = 0;
|
||||
|
||||
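Review bot: In GetDhPublicKey's `HAVE_PUBLIC_FFDHE` check, the generator length is tested against `params->g_len` before its `XMEMCMP`, but the prime is compared over `params->p_len` bytes with no matching test on `ssl->buffers.serverDH_P.length`. The `switch` on `ssl->options.dhKeySz` presumably ties the two lengths together, but that assignment is outside the hunk; if the received P were ever shorter than the table entry, the compare would read past the received buffer. Adding `params->p_len != ssl->buffers.serverDH_P.length ||` ahead of the P compare makes the check self-contained, in the same way the `wc_DhCmpNamedKey` branch passes both lengths explicitly.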
|
|
53
src/tls.c
53
src/tls.c
|
@ -4171,7 +4171,11 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
|
|||
SupportedCurve* serverGroup;
|
||||
SupportedCurve* clientGroup;
|
||||
SupportedCurve* group;
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
const DhParams* params = NULL;
|
||||
#else
|
||||
word32 p_len;
|
||||
#endif
|
||||
int found = 0;
|
||||
|
||||
extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
|
||||
|
@ -4220,6 +4224,43 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
|
|||
if (serverGroup->name != group->name)
|
||||
continue;
|
||||
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
switch (serverGroup->name) {
|
||||
#ifdef HAVE_FFDHE_2048
|
||||
case WOLFSSL_FFDHE_2048:
|
||||
params = wc_Dh_ffdhe2048_Get();
|
||||
break;
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_3072
|
||||
case WOLFSSL_FFDHE_3072:
|
||||
params = wc_Dh_ffdhe3072_Get();
|
||||
break;
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_4096
|
||||
case WOLFSSL_FFDHE_4096:
|
||||
params = wc_Dh_ffdhe4096_Get();
|
||||
break;
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_6144
|
||||
case WOLFSSL_FFDHE_6144:
|
||||
params = wc_Dh_ffdhe6144_Get();
|
||||
break;
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_8192
|
||||
case WOLFSSL_FFDHE_8192:
|
||||
params = wc_Dh_ffdhe8192_Get();
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
break;
|
||||
}
|
||||
if (params == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
if (params->p_len >= ssl->options.minDhKeySz &&
|
||||
params->p_len <= ssl->options.maxDhKeySz) {
|
||||
break;
|
||||
}
|
||||
#else
|
||||
wc_DhGetNamedKeyParamSize(serverGroup->name, &p_len, NULL, NULL);
|
||||
if (p_len == 0)
|
||||
return BAD_FUNC_ARG;
|
||||
|
@ -4227,6 +4268,7 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
|
|||
p_len <= ssl->options.maxDhKeySz) {
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
if (group != NULL && serverGroup->name == group->name)
|
||||
|
@ -4234,6 +4276,12 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
|
|||
}
|
||||
|
||||
if (serverGroup) {
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
ssl->buffers.serverDH_P.buffer = (unsigned char *)params->p;
|
||||
ssl->buffers.serverDH_P.length = params->p_len;
|
||||
ssl->buffers.serverDH_G.buffer = (unsigned char *)params->g;
|
||||
ssl->buffers.serverDH_G.length = params->g_len;
|
||||
#else
|
||||
word32 pSz, gSz;
|
||||
|
||||
ret = wc_DhGetNamedKeyParamSize(serverGroup->name, &pSz, &gSz, NULL);
|
||||
|
@ -4247,13 +4295,14 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
|
|||
ssl->buffers.serverDH_P.buffer, &pSz,
|
||||
ssl->buffers.serverDH_G.buffer, &gSz,
|
||||
NULL, NULL);
|
||||
ssl->namedGroup = serverGroup->name;
|
||||
ssl->buffers.weOwnDH = 1;
|
||||
#endif
|
||||
|
||||
ssl->namedGroup = serverGroup->name;
|
||||
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
|
||||
!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
|
||||
ssl->options.dhDoKeyTest = 0;
|
||||
#endif
|
||||
ssl->buffers.weOwnDH = 1;
|
||||
ssl->options.haveDH = 1;
|
||||
}
|
||||
|
||||
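Review bot: In the `HAVE_PUBLIC_FFDHE` block of TLSX_SupportedFFDHE_Set, `params` is set to NULL only at its declaration and never reset inside the loops, so a group that falls through to `default:` after an earlier match keeps the previous group's pointer and passes the `params == NULL` test. The size check, and later the `serverDH_P`/`serverDH_G` assignment, could then use parameters that do not belong to `serverGroup->name`. Whether such a group can reach the switch depends on filtering outside these hunks; placing `params = NULL;` immediately before `switch (serverGroup->name)` removes that dependency. A short comment at the assignment noting that the buffers alias the library's static tables with `const` cast away would also help whoever maintains the cleanup path.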
|
|
|
@ -5073,7 +5073,11 @@ void bench_dh(int doAsync)
|
|||
word32 privSz2 = BENCH_DH_PRIV_SIZE;
|
||||
word32 agreeSz[BENCH_MAX_PENDING];
|
||||
#if defined(HAVE_FFDHE_2048) || defined(HAVE_FFDHE_3072)
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
const DhParams *params = NULL;
|
||||
#else
|
||||
int paramName = 0;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
DECLARE_ARRAY(pub, byte, BENCH_MAX_PENDING, BENCH_DH_KEY_SIZE, HEAP_HINT);
|
||||
|
@ -5112,13 +5116,21 @@ void bench_dh(int doAsync)
|
|||
}
|
||||
#ifdef HAVE_FFDHE_2048
|
||||
else if (use_ffdhe == 2048) {
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
params = wc_Dh_ffdhe2048_Get();
|
||||
#else
|
||||
paramName = WC_FFDHE_2048;
|
||||
#endif
|
||||
dhKeySz = 2048;
|
||||
}
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_3072
|
||||
else if (use_ffdhe == 3072) {
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
params = wc_Dh_ffdhe2048_Get();
|
||||
#else
|
||||
paramName = WC_FFDHE_3072;
|
||||
#endif
|
||||
dhKeySz = 3072;
|
||||
}
|
||||
#endif
|
||||
|
@ -5151,9 +5163,16 @@ void bench_dh(int doAsync)
|
|||
#endif
|
||||
}
|
||||
#if defined(HAVE_FFDHE_2048) || defined(HAVE_FFDHE_3072)
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
else if (params != NULL) {
|
||||
ret = wc_DhSetKey(&dhKey[i], params->p, params->p_len, params->g,
|
||||
params->g_len);
|
||||
}
|
||||
#else
|
||||
else if (paramName != 0) {
|
||||
ret = wc_DhSetNamedKey(&dhKey[i], paramName);
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
if (ret != 0) {
|
||||
printf("DhKeyDecode failed %d, can't benchmark\n", ret);
|
||||
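Review bot: The `use_ffdhe == 3072` branch under `HAVE_PUBLIC_FFDHE` loads the wrong group: it calls `wc_Dh_ffdhe2048_Get()` while setting `dhKeySz = 3072`, so the FFDHE-3072 benchmark would run against the 2048-bit parameters and report misleading figures. The line should read `params = wc_Dh_ffdhe3072_Get();`, matching the `WC_FFDHE_3072` used in the `#else` branch. bench_dh begins and ends outside these hunks, so any buffer sizing derived from `dhKeySz` cannot be checked here.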
|
|
|
@ -16026,8 +16026,8 @@ static int dh_fips_generate_test(WC_RNG *rng)
|
|||
0xec, 0x24, 0x5d, 0x78, 0x59, 0xe7, 0x8d, 0xb5,
|
||||
0x40, 0x52, 0xed, 0x41
|
||||
};
|
||||
byte priv[sizeof q];
|
||||
byte pub[sizeof p];
|
||||
byte priv[256];
|
||||
byte pub[256];
|
||||
word32 privSz = sizeof(priv);
|
||||
word32 pubSz = sizeof(pub);
|
||||
|
||||
|
@ -16326,7 +16326,11 @@ static int dh_test_check_pubvalue(void)
|
|||
#endif
|
||||
|
||||
#ifndef WC_NO_RNG
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
static int dh_ffdhe_test(WC_RNG *rng, const DhParams* params)
|
||||
#else
|
||||
static int dh_ffdhe_test(WC_RNG *rng, int name)
|
||||
#endif
|
||||
{
|
||||
int ret;
|
||||
word32 privSz, pubSz, privSz2, pubSz2;
|
||||
|
@ -16366,8 +16370,13 @@ static int dh_ffdhe_test(WC_RNG *rng, int name)
|
|||
|
||||
pubSz = FFDHE_KEY_SIZE;
|
||||
pubSz2 = FFDHE_KEY_SIZE;
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
privSz = FFDHE_KEY_SIZE;
|
||||
privSz2 = FFDHE_KEY_SIZE;
|
||||
#else
|
||||
privSz = wc_DhGetNamedKeyMinSize(name);
|
||||
privSz2 = privSz;
|
||||
#endif
|
||||
|
||||
XMEMSET(key, 0, sizeof(*key));
|
||||
XMEMSET(key2, 0, sizeof(*key2));
|
||||
|
@ -16381,12 +16390,21 @@ static int dh_ffdhe_test(WC_RNG *rng, int name)
|
|||
ERROR_OUT(-8052, done);
|
||||
}
|
||||
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
ret = wc_DhSetKey(key, params->p, params->p_len, params->g, params->g_len);
|
||||
#else
|
||||
ret = wc_DhSetNamedKey(key, name);
|
||||
#endif
|
||||
if (ret != 0) {
|
||||
ERROR_OUT(-8053, done);
|
||||
}
|
||||
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
ret = wc_DhSetKey(key2, params->p, params->p_len, params->g,
|
||||
params->g_len);
|
||||
#else
|
||||
ret = wc_DhSetNamedKey(key2, name);
|
||||
#endif
|
||||
if (ret != 0) {
|
||||
ERROR_OUT(-8054, done);
|
||||
}
|
||||
|
@ -16808,12 +16826,20 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void)
|
|||
#ifndef WC_NO_RNG
|
||||
/* Specialized code for key gen when using FFDHE-2048, FFDHE-3072 and FFDHE-4096 */
|
||||
#ifdef HAVE_FFDHE_2048
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
ret = dh_ffdhe_test(&rng, wc_Dh_ffdhe2048_Get());
|
||||
#else
|
||||
ret = dh_ffdhe_test(&rng, WC_FFDHE_2048);
|
||||
#endif
|
||||
if (ret != 0)
|
||||
ERROR_OUT(-8126, done);
|
||||
#endif
|
||||
#ifdef HAVE_FFDHE_3072
|
||||
#ifdef HAVE_PUBLIC_FFDHE
|
||||
ret = dh_ffdhe_test(&rng, wc_Dh_ffdhe3072_Get());
|
||||
#else
|
||||
ret = dh_ffdhe_test(&rng, WC_FFDHE_3072);
|
||||
#endif
|
||||
if (ret != 0)
|
||||
ERROR_OUT(-8127, done);
|
||||
#endif
|
||||
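Review bot: In dh_fips_generate_test, `byte priv[256];` and `byte pub[256];` use a bare literal where the neighbouring pair sizes the buffers from `q` and `p`, so nothing on the page ties the buffers to the test vectors any more. If, as the old/new print order suggests, the literals are the new side, a brief comment such as `/* fixed size for old FIPS builds; must hold the p and q vectors above */` would record the reason and the constraint. The declarations of `p` and `q` start outside the hunk, so the actual bound cannot be confirmed from here.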
|
|