mirror of https://github.com/wolfSSL/wolfssl.git
FIPS Update
1. Moved the rest of the FIPS algorithms to FIPSv2. 2. Updated the fips-check and autogen scripts. 3. Updated the automake include for the crypto files. 4. Updated the example server to use the wolfSSL API and wolfSSL-based OpenSSL compatibility layer. 5. Added error code for the SHA-3 KAT. 6. Updated a test case in the API test for AES-GCM encrypt that is now considered a success case, but that the FIPS mode was still treating as a failure.
cert-3389
parent
df4d748f59
commit
f6fe3744a7
|
@ -18,7 +18,8 @@ if test -e .git; then
|
|||
# touch fips files for non fips distribution
|
||||
touch ./ctaocrypt/src/fips.c
|
||||
touch ./ctaocrypt/src/fips_test.c
|
||||
touch ./wolfcrypt/src/fipsv2.c
|
||||
touch ./wolfcrypt/src/fips.c
|
||||
touch ./wolfcrypt/src/fips_test.c
|
||||
touch ./wolfssl/wolfcrypt/fips.h
|
||||
|
||||
# touch CAVP selftest files for non-selftest distribution
|
||||
|
|
|
@ -23,11 +23,11 @@
|
|||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
#include <cyassl/ssl.h> /* name change portability layer */
|
||||
#include <wolfssl/ssl.h> /* name change portability layer */
|
||||
|
||||
#include <cyassl/ctaocrypt/settings.h>
|
||||
#include <wolfssl/wolfcrypt/settings.h>
|
||||
#ifdef HAVE_ECC
|
||||
#include <cyassl/ctaocrypt/ecc.h> /* ecc_fp_free */
|
||||
#include <wolfssl/wolfcrypt/ecc.h> /* ecc_fp_free */
|
||||
#endif
|
||||
|
||||
#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
|
||||
|
@ -39,10 +39,10 @@
|
|||
#include "wolfssl_MDK_ARM.h"
|
||||
#endif
|
||||
|
||||
#include <cyassl/openssl/ssl.h>
|
||||
#include <cyassl/test.h>
|
||||
#ifdef CYASSL_DTLS
|
||||
#include <cyassl/error-ssl.h>
|
||||
#include <wolfssl/openssl/ssl.h>
|
||||
#include <wolfssl/test.h>
|
||||
#ifdef WOLFSSL_DTLS
|
||||
#include <wolfssl/error-ssl.h>
|
||||
#endif
|
||||
|
||||
#include "examples/server/server.h"
|
||||
|
@ -75,7 +75,7 @@ static const char webServerMsg[] =
|
|||
int runWithErrors = 0; /* Used with -x flag to run err_sys vs. print errors */
|
||||
|
||||
|
||||
#ifdef CYASSL_CALLBACKS
|
||||
#ifdef WOLFSSL_CALLBACKS
|
||||
Timeval srvTo;
|
||||
static int srvHandShakeCB(HandShakeInfo* info)
|
||||
{
|
||||
|
@ -117,13 +117,13 @@ static void err_sys_ex(int out, const char* msg)
|
|||
|
||||
static int NonBlockingSSL_Accept(SSL* ssl)
|
||||
{
|
||||
#ifndef CYASSL_CALLBACKS
|
||||
#ifndef WOLFSSL_CALLBACKS
|
||||
int ret = SSL_accept(ssl);
|
||||
#else
|
||||
int ret = CyaSSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo);
|
||||
int ret = SSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo);
|
||||
#endif
|
||||
int error = SSL_get_error(ssl, 0);
|
||||
SOCKET_T sockfd = (SOCKET_T)CyaSSL_get_fd(ssl);
|
||||
SOCKET_T sockfd = (SOCKET_T)SSL_get_fd(ssl);
|
||||
int select_ret = 0;
|
||||
|
||||
while (ret != WOLFSSL_SUCCESS &&
|
||||
|
@ -149,8 +149,8 @@ static int NonBlockingSSL_Accept(SSL* ssl)
|
|||
else
|
||||
#endif
|
||||
{
|
||||
#ifdef CYASSL_DTLS
|
||||
currTimeout = CyaSSL_dtls_get_current_timeout(ssl);
|
||||
#ifdef WOLFSSL_DTLS
|
||||
currTimeout = wolfSSL_dtls_get_current_timeout(ssl);
|
||||
#endif
|
||||
select_ret = tcp_select(sockfd, currTimeout);
|
||||
}
|
||||
|
@ -163,17 +163,17 @@ static int NonBlockingSSL_Accept(SSL* ssl)
|
|||
#ifndef CYASSL_CALLBACKS
|
||||
ret = SSL_accept(ssl);
|
||||
#else
|
||||
ret = CyaSSL_accept_ex(ssl,
|
||||
ret = SSL_accept_ex(ssl,
|
||||
srvHandShakeCB, srvTimeoutCB, srvTo);
|
||||
#endif
|
||||
error = SSL_get_error(ssl, 0);
|
||||
}
|
||||
else if (select_ret == TEST_TIMEOUT && !CyaSSL_dtls(ssl)) {
|
||||
else if (select_ret == TEST_TIMEOUT && !wolfSSL_dtls(ssl)) {
|
||||
error = WOLFSSL_ERROR_WANT_READ;
|
||||
}
|
||||
#ifdef CYASSL_DTLS
|
||||
else if (select_ret == TEST_TIMEOUT && CyaSSL_dtls(ssl) &&
|
||||
CyaSSL_dtls_got_timeout(ssl) >= 0) {
|
||||
#ifdef WOLFSSL_DTLS
|
||||
else if (select_ret == TEST_TIMEOUT && wolfSSL_dtls(ssl) &&
|
||||
wolfSSL_dtls_got_timeout(ssl) >= 0) {
|
||||
error = WOLFSSL_ERROR_WANT_READ;
|
||||
}
|
||||
#endif
|
||||
|
@ -284,7 +284,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block,
|
|||
static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
|
||||
{
|
||||
int ret, err;
|
||||
char buffer[CYASSL_MAX_ERROR_SZ];
|
||||
char buffer[WOLFSSL_MAX_ERROR_SZ];
|
||||
|
||||
/* Read data */
|
||||
do {
|
||||
|
@ -300,7 +300,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
|
|||
}
|
||||
else
|
||||
#endif
|
||||
#ifdef CYASSL_DTLS
|
||||
#ifdef WOLFSSL_DTLS
|
||||
if (wolfSSL_dtls(ssl) && err == DECRYPT_ERROR) {
|
||||
printf("Dropped client's message due to a bad MAC\n");
|
||||
}
|
||||
|
@ -322,7 +322,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
|
|||
static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
|
||||
{
|
||||
int ret, err;
|
||||
char buffer[CYASSL_MAX_ERROR_SZ];
|
||||
char buffer[WOLFSSL_MAX_ERROR_SZ];
|
||||
|
||||
do {
|
||||
err = 0; /* reset error */
|
||||
|
@ -347,10 +347,10 @@ static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
|
|||
|
||||
static void Usage(void)
|
||||
{
|
||||
printf("server " LIBCYASSL_VERSION_STRING
|
||||
printf("server " LIBWOLFSSL_VERSION_STRING
|
||||
" NOTE: All files relative to wolfSSL home dir\n");
|
||||
printf("-? Help, print this usage\n");
|
||||
printf("-p <num> Port to listen on, not 0, default %d\n", yasslPort);
|
||||
printf("-p <num> Port to listen on, not 0, default %d\n", wolfSSLPort);
|
||||
#ifndef WOLFSSL_TLS13
|
||||
printf("-v <num> SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n",
|
||||
SERVER_DEFAULT_VERSION);
|
||||
|
@ -444,7 +444,7 @@ static void Usage(void)
|
|||
#endif
|
||||
}
|
||||
|
||||
THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
||||
THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
|
||||
{
|
||||
SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID;
|
||||
SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID;
|
||||
|
@ -528,7 +528,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
#ifdef HAVE_WNR
|
||||
const char* wnrConfigFile = wnrConfig;
|
||||
#endif
|
||||
char buffer[CYASSL_MAX_ERROR_SZ];
|
||||
char buffer[WOLFSSL_MAX_ERROR_SZ];
|
||||
#ifdef WOLFSSL_TLS13
|
||||
int noPskDheKe = 0;
|
||||
#endif
|
||||
|
@ -591,7 +591,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
(void)mcastID;
|
||||
(void)useX25519;
|
||||
|
||||
#ifdef CYASSL_TIRTOS
|
||||
#ifdef WOLFSSL_TIRTOS
|
||||
fdOpenSession(Task_self());
|
||||
#endif
|
||||
|
||||
|
@ -966,7 +966,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
break;
|
||||
#endif /* NO_TLS */
|
||||
|
||||
#ifdef CYASSL_DTLS
|
||||
#ifdef WOLFSSL_DTLS
|
||||
#ifndef NO_OLD_TLS
|
||||
case -1:
|
||||
method = wolfDTLSv1_server_method_ex;
|
||||
|
@ -1025,7 +1025,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
err_sys_ex(runWithErrors, "server can't set cipher list 1");
|
||||
}
|
||||
|
||||
#ifdef CYASSL_LEANPSK
|
||||
#ifdef WOLFSSL_LEANPSK
|
||||
if (!usePsk) {
|
||||
usePsk = 1;
|
||||
}
|
||||
|
@ -1038,7 +1038,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
#endif
|
||||
|
||||
if (fewerPackets)
|
||||
CyaSSL_CTX_set_group_messages(ctx);
|
||||
wolfSSL_CTX_set_group_messages(ctx);
|
||||
|
||||
#ifdef WOLFSSL_SCTP
|
||||
if (dtlsSCTP)
|
||||
|
@ -1081,7 +1081,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
|
||||
#ifdef HAVE_NTRU
|
||||
if (useNtruKey) {
|
||||
if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
|
||||
if (SSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
|
||||
!= WOLFSSL_SUCCESS)
|
||||
err_sys_ex(runWithErrors, "can't load ntru key file, "
|
||||
"Please run from wolfSSL home dir");
|
||||
|
@ -1137,7 +1137,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
|
||||
if (useAnon) {
|
||||
#ifdef HAVE_ANON
|
||||
CyaSSL_CTX_allow_anon_cipher(ctx);
|
||||
SSL_CTX_allow_anon_cipher(ctx);
|
||||
if (cipherList == NULL || (cipherList && useDefCipherList)) {
|
||||
const char* defaultCipherList;
|
||||
defaultCipherList = "ADH-AES256-GCM-SHA384:"
|
||||
|
@ -1169,7 +1169,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
}
|
||||
#endif
|
||||
|
||||
#if defined(CYASSL_SNIFFER)
|
||||
#if defined(WOLFSSL_SNIFFER)
|
||||
/* don't use EDH, can't sniff tmp keys */
|
||||
if (cipherList == NULL) {
|
||||
if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS)
|
||||
|
@ -1179,7 +1179,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
|
||||
#ifdef HAVE_SNI
|
||||
if (sniHostName)
|
||||
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
|
||||
if (SSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName,
|
||||
(word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS)
|
||||
err_sys_ex(runWithErrors, "UseSNI failed");
|
||||
#endif
|
||||
|
@ -1287,25 +1287,25 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
#endif
|
||||
#ifdef HAVE_CRL
|
||||
#ifdef HAVE_CRL_MONITOR
|
||||
crlFlags = CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON;
|
||||
crlFlags = WOLFSSL_CRL_MONITOR | WOLFSSL_CRL_START_MON;
|
||||
#endif
|
||||
if (CyaSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS)
|
||||
if (wolfSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS)
|
||||
err_sys_ex(runWithErrors, "unable to enable CRL");
|
||||
if (CyaSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags)
|
||||
if (wolfSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags)
|
||||
!= WOLFSSL_SUCCESS)
|
||||
err_sys_ex(runWithErrors, "unable to load CRL");
|
||||
if (CyaSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS)
|
||||
if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS)
|
||||
err_sys_ex(runWithErrors, "unable to set CRL callback url");
|
||||
#endif
|
||||
#ifdef HAVE_OCSP
|
||||
if (useOcsp) {
|
||||
if (ocspUrl != NULL) {
|
||||
CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
|
||||
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
|
||||
| CYASSL_OCSP_URL_OVERRIDE);
|
||||
wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
|
||||
wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE
|
||||
| WOLFSSL_OCSP_URL_OVERRIDE);
|
||||
}
|
||||
else
|
||||
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
|
||||
wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE);
|
||||
}
|
||||
#endif
|
||||
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|
||||
|
@ -1418,20 +1418,20 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL
|
||||
|| needDH == 1) {
|
||||
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
|
||||
CyaSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM);
|
||||
wolfSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM);
|
||||
#elif !defined(NO_DH)
|
||||
SetDH(ssl); /* repick suites with DHE, higher priority than PSK */
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifndef CYASSL_CALLBACKS
|
||||
#ifndef WOLFSSL_CALLBACKS
|
||||
if (nonBlocking) {
|
||||
CyaSSL_set_using_nonblock(ssl, 1);
|
||||
wolfSSL_set_using_nonblock(ssl, 1);
|
||||
tcp_set_nonblocking(&clientfd);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef CYASSL_CALLBACKS
|
||||
#ifndef WOLFSSL_CALLBACKS
|
||||
if (nonBlocking) {
|
||||
ret = NonBlockingSSL_Accept(ssl);
|
||||
}
|
||||
|
@ -1624,7 +1624,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
|
|||
|
||||
#if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX)
|
||||
os_dly_wait(500) ;
|
||||
#elif defined (CYASSL_TIRTOS)
|
||||
#elif defined (WOLFSSL_TIRTOS)
|
||||
Task_yield();
|
||||
#endif
|
||||
|
||||
|
@ -1684,7 +1684,7 @@ exit:
|
|||
ecc_fp_free(); /* free per thread cache */
|
||||
#endif
|
||||
|
||||
#ifdef CYASSL_TIRTOS
|
||||
#ifdef WOLFSSL_TIRTOS
|
||||
fdCloseSession(Task_self());
|
||||
#endif
|
||||
|
||||
|
@ -1706,7 +1706,7 @@ exit:
|
|||
(void) useNtruKey;
|
||||
(void) ourDhParam;
|
||||
(void) ourCert;
|
||||
#ifndef CYASSL_TIRTOS
|
||||
#ifndef WOLFSSL_TIRTOS
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
@ -1731,9 +1731,9 @@ exit:
|
|||
InitTcpReady(&ready);
|
||||
|
||||
#if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL)
|
||||
CyaSSL_Debugging_ON();
|
||||
wolfSSL_Debugging_ON();
|
||||
#endif
|
||||
CyaSSL_Init();
|
||||
wolfSSL_Init();
|
||||
ChangeToWolfRoot();
|
||||
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
|
@ -1746,7 +1746,7 @@ exit:
|
|||
printf("Server not compiled in!\n");
|
||||
#endif
|
||||
|
||||
CyaSSL_Cleanup();
|
||||
wolfSSL_Cleanup();
|
||||
FreeTcpReady(&ready);
|
||||
|
||||
#ifdef HAVE_WNR
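Review bot: In the retry loop of NonBlockingSSL_Accept the guard is still `#ifndef CYASSL_CALLBACKS`, while the first accept at the top of the same function now tests `#ifndef WOLFSSL_CALLBACKS`. With the include switched from `<cyassl/ssl.h>` to `<wolfssl/ssl.h>`, a build that defines only WOLFSSL_CALLBACKS would presumably take the callback path for the first attempt and plain `SSL_accept(ssl)` for every retry; whether a compatibility header still defines the old macro is not visible on this page. The guard should read `#ifndef WOLFSSL_CALLBACKS` like the others this commit renames. Separately, the renamed `wolfSSL_CTX_SetOCSP_OverrideURL` and `wolfSSL_CTX_EnableOCSP` calls still discard their return values, while the CRL calls just above them are compared with `WOLFSSL_SUCCESS`.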
|
||||
|
|
178
fips-check.sh
178
fips-check.sh
|
@ -11,7 +11,7 @@
|
|||
#
|
||||
# $ ./fips-check [version] [keep]
|
||||
#
|
||||
# - version: linux (default), ios, android, windows, freertos, linux-ecc
|
||||
# - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2
|
||||
#
|
||||
# - keep: (default off) XXX-fips-test temp dir around for inspection
|
||||
#
|
||||
|
@ -29,6 +29,7 @@ function Usage() {
|
|||
printf '\t%s\n' "netbsd-selftest"
|
||||
printf '\t%s\n' "sgx"
|
||||
printf '\t%s\n' "netos-7.6"
|
||||
printf '\t%s\n' "linuxv2"
|
||||
printf '\n%s\n\n' "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection"
|
||||
printf '%s\n' "EXAMPLE:"
|
||||
printf '%s\n' "---------------------------------"
|
||||
|
@ -38,38 +39,42 @@ function Usage() {
|
|||
|
||||
LINUX_FIPS_VERSION=v3.2.6
|
||||
LINUX_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
||||
LINUX_CTAO_VERSION=v3.2.6
|
||||
LINUX_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
||||
LINUX_CRYPT_VERSION=v3.2.6
|
||||
LINUX_CRYPT_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
LINUX_ECC_FIPS_VERSION=v3.10.3
|
||||
LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
||||
LINUX_ECC_CTAO_VERSION=v3.2.6
|
||||
LINUX_ECC_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
||||
LINUX_ECC_CRYPT_VERSION=v3.2.6
|
||||
LINUX_ECC_CRYPT_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
LINUXV2_FIPS_VERSION=fipsv2
|
||||
LINUXV2_FIPS_REPO=git@github.com:ejohnstown/fips.git
|
||||
LINUXV2_CRYPT_VERSION=fipsv2
|
||||
|
||||
IOS_FIPS_VERSION=v3.4.8a
|
||||
IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
||||
IOS_CTAO_VERSION=v3.4.8.fips
|
||||
IOS_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
||||
IOS_CRYPT_VERSION=v3.4.8.fips
|
||||
IOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
ANDROID_FIPS_VERSION=v3.5.0
|
||||
ANDROID_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
||||
ANDROID_CTAO_VERSION=v3.5.0
|
||||
ANDROID_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
||||
ANDROID_CRYPT_VERSION=v3.5.0
|
||||
ANDROID_CRYPT_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
WINDOWS_FIPS_VERSION=v3.6.6
|
||||
WINDOWS_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
||||
WINDOWS_CTAO_VERSION=v3.6.6
|
||||
WINDOWS_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
||||
WINDOWS_CRYPT_VERSION=v3.6.6
|
||||
WINDOWS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS
|
||||
FREERTOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
||||
FREERTOS_CTAO_VERSION=v3.6.1
|
||||
FREERTOS_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
||||
FREERTOS_CRYPT_VERSION=v3.6.1
|
||||
FREERTOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS
|
||||
OPENRTOS_3_9_2_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
||||
OPENRTOS_3_9_2_CTAO_VERSION=v3.6.1
|
||||
OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
||||
OPENRTOS_3_9_2_CRYPT_VERSION=v3.6.1
|
||||
OPENRTOS_3_9_2_CRYPT_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
#NOTE: Does not include the SGX examples yet, update version once fipsv2 is
|
||||
# finished and merge conflicts can be resolved. This will be tagged as
|
||||
|
@ -77,29 +82,28 @@ OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
|||
#SGX_FIPS_VERSION=v3.12.4.sgx-examples
|
||||
SGX_FIPS_VERSION=v3.6.6
|
||||
SGX_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
||||
SGX_CTAO_VERSION=v3.12.4
|
||||
SGX_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
||||
SGX_CRYPT_VERSION=v3.12.4
|
||||
SGX_CRYPT_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
NETOS_7_6_FIPS_VERSION=v3.12.6
|
||||
NETOS_7_6_FIPS_REPO=git@github.com:wolfSSL/fips.git
|
||||
NETOS_7_6_CTAO_VERSION=v3.12.4
|
||||
NETOS_7_6_CTAO_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
|
||||
FIPS_SRCS=( fips.c fips_test.c )
|
||||
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
|
||||
TEST_DIR=XXX-fips-test
|
||||
WC_INC_PATH=cyassl/ctaocrypt
|
||||
WC_SRC_PATH=ctaocrypt/src
|
||||
CAVP_SELFTEST_ONLY="no"
|
||||
NETOS_7_6_CRYPT_VERSION=v3.12.4
|
||||
NETOS_7_6_CRYPT_REPO=git@github.com:cyassl/cyassl.git
|
||||
|
||||
# non-FIPS, CAVP only but pull in selftest
|
||||
# will reset above variables below in platform switch
|
||||
NETBSD_FIPS_VERSION=v3.14.2a
|
||||
NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git
|
||||
NETBSD_CTAO_VERSION=v3.14.2
|
||||
NETBSD_CTAO_REPO=git@github.com:wolfssl/wolfssl.git
|
||||
NETBSD_CRYPT_VERSION=v3.14.2
|
||||
NETBSD_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
|
||||
|
||||
FIPS_SRCS=( fips.c fips_test.c )
|
||||
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
|
||||
TEST_DIR=XXX-fips-test
|
||||
CRYPT_INC_PATH=cyassl/ctaocrypt
|
||||
CRYPT_SRC_PATH=ctaocrypt/src
|
||||
FIPS_OPTION=v1
|
||||
CAVP_SELFTEST_ONLY="no"
|
||||
|
||||
if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi
|
||||
|
||||
|
@ -109,68 +113,79 @@ case $PLATFORM in
|
|||
ios)
|
||||
FIPS_VERSION=$IOS_FIPS_VERSION
|
||||
FIPS_REPO=$IOS_FIPS_REPO
|
||||
CTAO_VERSION=$IOS_CTAO_VERSION
|
||||
CTAO_REPO=$IOS_CTAO_REPO
|
||||
CRYPT_VERSION=$IOS_CRYPT_VERSION
|
||||
CRYPT_REPO=$IOS_CRYPT_REPO
|
||||
;;
|
||||
android)
|
||||
FIPS_VERSION=$ANDROID_FIPS_VERSION
|
||||
FIPS_REPO=$ANDROID_FIPS_REPO
|
||||
CTAO_VERSION=$ANDROID_CTAO_VERSION
|
||||
CTAO_REPO=$ANDROID_CTAO_REPO
|
||||
CRYPT_VERSION=$ANDROID_CRYPT_VERSION
|
||||
CRYPT_REPO=$ANDROID_CRYPT_REPO
|
||||
;;
|
||||
windows)
|
||||
FIPS_VERSION=$WINDOWS_FIPS_VERSION
|
||||
FIPS_REPO=$WINDOWS_FIPS_REPO
|
||||
CTAO_VERSION=$WINDOWS_CTAO_VERSION
|
||||
CTAO_REPO=$WINDOWS_CTAO_REPO
|
||||
CRYPT_VERSION=$WINDOWS_CRYPT_VERSION
|
||||
CRYPT_REPO=$WINDOWS_CRYPT_REPO
|
||||
;;
|
||||
freertos)
|
||||
FIPS_VERSION=$FREERTOS_FIPS_VERSION
|
||||
FIPS_REPO=$FREERTOS_FIPS_REPO
|
||||
CTAO_VERSION=$FREERTOS_CTAO_VERSION
|
||||
CTAO_REPO=$FREERTOS_CTAO_REPO
|
||||
CRYPT_VERSION=$FREERTOS_CRYPT_VERSION
|
||||
CRYPT_REPO=$FREERTOS_CRYPT_REPO
|
||||
;;
|
||||
openrtos-3.9.2)
|
||||
FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION
|
||||
FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO
|
||||
CTAO_VERSION=$OPENRTOS_3_9_2_CTAO_VERSION
|
||||
CTAO_REPO=$OPENRTOS_3_9_2_CTAO_REPO
|
||||
CRYPT_VERSION=$OPENRTOS_3_9_2_CRYPT_VERSION
|
||||
CRYPT_REPO=$OPENRTOS_3_9_2_CRYPT_REPO
|
||||
FIPS_CONFLICTS=( aes hmac random sha256 )
|
||||
;;
|
||||
linux)
|
||||
FIPS_VERSION=$LINUX_FIPS_VERSION
|
||||
FIPS_REPO=$LINUX_FIPS_REPO
|
||||
CTAO_VERSION=$LINUX_CTAO_VERSION
|
||||
CTAO_REPO=$LINUX_CTAO_REPO
|
||||
CRYPT_VERSION=$LINUX_CRYPT_VERSION
|
||||
CRYPT_REPO=$LINUX_CRYPT_REPO
|
||||
;;
|
||||
linux-ecc)
|
||||
FIPS_VERSION=$LINUX_ECC_FIPS_VERSION
|
||||
FIPS_REPO=$LINUX_ECC_FIPS_REPO
|
||||
CTAO_VERSION=$LINUX_ECC_CTAO_VERSION
|
||||
CTAO_REPO=$LINUX_ECC_CTAO_REPO
|
||||
CRYPT_VERSION=$LINUX_ECC_CRYPT_VERSION
|
||||
CRYPT_REPO=$LINUX_ECC_CRYPT_REPO
|
||||
;;
|
||||
linuxv2)
|
||||
FIPS_VERSION=$LINUXV2_FIPS_VERSION
|
||||
FIPS_REPO=$LINUXV2_FIPS_REPO
|
||||
CRYPT_VERSION=$LINUXV2_CRYPT_VERSION
|
||||
CRYPT_INC_PATH=wolfssl/wolfcrypt
|
||||
CRYPT_SRC_PATH=wolfcrypt/src
|
||||
WC_MODS+=( cmac dh )
|
||||
FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
|
||||
FIPS_INCS=( fips.h )
|
||||
FIPS_OPTION=v2
|
||||
;;
|
||||
netbsd-selftest)
|
||||
FIPS_VERSION=$NETBSD_FIPS_VERSION
|
||||
FIPS_REPO=$NETBSD_FIPS_REPO
|
||||
CTAO_VERSION=$NETBSD_CTAO_VERSION
|
||||
CTAO_REPO=$NETBSD_CTAO_REPO
|
||||
CRYPT_VERSION=$NETBSD_CRYPT_VERSION
|
||||
CRYPT_REPO=$NETBSD_CRYPT_REPO
|
||||
FIPS_SRCS=( selftest.c )
|
||||
WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
|
||||
WC_INC_PATH=wolfssl/wolfcrypt
|
||||
WC_SRC_PATH=wolfcrypt/src
|
||||
CRYPT_INC_PATH=wolfssl/wolfcrypt
|
||||
CRYPT_SRC_PATH=wolfcrypt/src
|
||||
CAVP_SELFTEST_ONLY="yes"
|
||||
;;
|
||||
sgx)
|
||||
FIPS_VERSION=$SGX_FIPS_VERSION
|
||||
FIPS_REPO=$SGX_FIPS_REPO
|
||||
CTAO_VERSION=$SGX_CTAO_VERSION
|
||||
CTAO_REPO=$SGX_CTAO_REPO
|
||||
CRYPT_VERSION=$SGX_CRYPT_VERSION
|
||||
CRYPT_REPO=$SGX_CRYPT_REPO
|
||||
;;
|
||||
netos-7.6)
|
||||
FIPS_VERSION=$NETOS_7_6_FIPS_VERSION
|
||||
FIPS_REPO=$NETOS_7_6_FIPS_REPO
|
||||
CTAO_VERSION=$NETOS_7_6_CTAO_VERSION
|
||||
CTAO_REPO=$NETOS_7_6_CTAO_REPO
|
||||
CRYPT_VERSION=$NETOS_7_6_CRYPT_VERSION
|
||||
CRYPT_REPO=$NETOS_7_6_CRYPT_REPO
|
||||
;;
|
||||
*)
|
||||
Usage
|
||||
|
@ -182,27 +197,37 @@ git clone . $TEST_DIR
|
|||
|
||||
pushd $TEST_DIR
|
||||
|
||||
# make a clone of the last FIPS release tag
|
||||
git clone -b $CTAO_VERSION $CTAO_REPO old-tree
|
||||
[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
|
||||
|
||||
for MOD in ${WC_MODS[@]}
|
||||
do
|
||||
cp old-tree/$WC_SRC_PATH/${MOD}.c $WC_SRC_PATH
|
||||
cp old-tree/$WC_INC_PATH/${MOD}.h $WC_INC_PATH
|
||||
done
|
||||
|
||||
# The following is temporary. We are using random.c from a separate release
|
||||
# This is forcefully overwriting any other checkout of the cyassl sources.
|
||||
# Removing this as default behavior for SGX and netos projects.
|
||||
if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \
|
||||
[ "x$PLATFORM" != "xnetos-7.6" ];
|
||||
if [ "x$FIPS_OPTION" == "xv1" ];
|
||||
then
|
||||
pushd old-tree
|
||||
git checkout v3.6.0
|
||||
popd
|
||||
cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH
|
||||
cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH
|
||||
# make a clone of the last FIPS release tag
|
||||
git clone -b $CRYPT_VERSION $CRYPT_REPO old-tree
|
||||
[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
|
||||
|
||||
for MOD in ${WC_MODS[@]}
|
||||
do
|
||||
cp old-tree/$CRYPT_SRC_PATH/${MOD}.c $CRYPT_SRC_PATH
|
||||
cp old-tree/$CRYPT_INC_PATH/${MOD}.h $CRYPT_INC_PATH
|
||||
done
|
||||
|
||||
# The following is temporary. We are using random.c from a separate release
|
||||
# This is forcefully overwriting any other checkout of the cyassl sources.
|
||||
# Removing this as default behavior for SGX and netos projects.
|
||||
if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \
|
||||
[ "x$PLATFORM" != "xnetos-7.6" ];
|
||||
then
|
||||
pushd old-tree
|
||||
git checkout v3.6.0
|
||||
popd
|
||||
cp old-tree/$CRYPT_SRC_PATH/random.c $CRYPT_SRC_PATH
|
||||
cp old-tree/$CRYPT_INC_PATH/random.h $CRYPT_INC_PATH
|
||||
fi
|
||||
else
|
||||
git branch --track $CRYPT_VERSION origin/$CRYPT_VERSION
|
||||
# Checkout the fips versions of the wolfCrypt files from the repo.
|
||||
for MOD in ${WC_MODS[@]}
|
||||
do
|
||||
git checkout $CRYPT_VERSION -- $CRYPT_SRC_PATH/$MOD.c $CRYPT_INC_PATH/$MOD.h
|
||||
done
|
||||
fi
|
||||
|
||||
# clone the FIPS repository
|
||||
|
@ -211,7 +236,12 @@ git clone -b $FIPS_VERSION $FIPS_REPO fips
|
|||
|
||||
for SRC in ${FIPS_SRCS[@]}
|
||||
do
|
||||
cp fips/$SRC $WC_SRC_PATH
|
||||
cp fips/$SRC $CRYPT_SRC_PATH
|
||||
done
|
||||
|
||||
for INC in ${FIPS_INCS[@]}
|
||||
do
|
||||
cp fips/$INC $CRYPT_INC_PATH
|
||||
done
|
||||
|
||||
# run the make test
|
||||
|
@ -220,7 +250,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xyes" ];
|
|||
then
|
||||
./configure --enable-selftest
|
||||
else
|
||||
./configure --enable-fips
|
||||
./configure --enable-fips=$FIPS_OPTION
|
||||
fi
|
||||
make
|
||||
[ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1
|
||||
|
@ -229,7 +259,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
|
|||
then
|
||||
NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'`
|
||||
if [ -n "$NEWHASH" ]; then
|
||||
sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c
|
||||
sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $CRYPT_SRC_PATH/fips_test.c
|
||||
make clean
|
||||
fi
|
||||
fi
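Review bot: The new `linuxv2` target takes the FIPS sources from a personal fork at a branch name (`LINUXV2_FIPS_REPO=git@github.com:ejohnstown/fips.git`, `LINUXV2_FIPS_VERSION=fipsv2`), whereas every other target uses the organisation's fips repository at a `v…` version ref. A branch can move, so two runs of the script can build and hash different module sources. Before this target is relied on it should point at the organisation repository and a fixed tag or commit, for example `LINUXV2_FIPS_REPO=git@github.com:wolfSSL/fips.git` with `LINUXV2_FIPS_VERSION=<release-tag>`. In the `else` branch used by this target, the results of `git branch --track` and `git checkout $CRYPT_VERSION -- …` are not checked, unlike the `[ $? -ne 0 ] && … exit 1` after the clone in the v1 path. A failed checkout would therefore go on to build whatever is in the working tree, so the same check belongs inside that loop.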
|
||||
|
|
|
@ -23,33 +23,19 @@ ipp_DATA = $(IPPLIBS)
|
|||
include_HEADERS+=$(IPPHEADERS)
|
||||
endif # BUILD_FAST_RSA
|
||||
|
||||
# fips first file
|
||||
if BUILD_FIPS
|
||||
if !BUILD_FIPS_V2
|
||||
# fips first file
|
||||
src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_first.c
|
||||
|
||||
if BUILD_FIPS_V2
|
||||
src_libwolfssl_la_SOURCES += \
|
||||
wolfcrypt/src/hmac.c \
|
||||
wolfcrypt/src/random.c \
|
||||
wolfcrypt/src/sha256.c
|
||||
else
|
||||
src_libwolfssl_la_SOURCES += \
|
||||
ctaocrypt/src/hmac.c
|
||||
ctaocrypt/src/hmac.c \
|
||||
ctaocrypt/src/random.c \
|
||||
ctaocrypt/src/sha256.c
|
||||
endif
|
||||
|
||||
if BUILD_RSA
|
||||
if BUILD_FIPS_V2
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
|
||||
else
|
||||
src_libwolfssl_la_SOURCES += ctaocrypt/src/rsa.c
|
||||
endif
|
||||
endif
|
||||
|
||||
if BUILD_ECC
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
|
||||
endif
|
||||
|
||||
if BUILD_AES
|
||||
src_libwolfssl_la_SOURCES += ctaocrypt/src/aes.c
|
||||
|
@ -67,16 +53,72 @@ if BUILD_SHA512
|
|||
src_libwolfssl_la_SOURCES += ctaocrypt/src/sha512.c
|
||||
endif
|
||||
|
||||
if BUILD_FIPS_V2
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
|
||||
endif
|
||||
|
||||
src_libwolfssl_la_SOURCES += ctaocrypt/src/fips.c
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/fipsv2.c
|
||||
src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c
|
||||
|
||||
# fips last file
|
||||
src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c
|
||||
|
||||
else
|
||||
|
||||
# FIPSv2 first file
|
||||
src_libwolfssl_la_SOURCES += \
|
||||
wolfcrypt/src/wolfcrypt_first.c
|
||||
|
||||
src_libwolfssl_la_SOURCES += \
|
||||
wolfcrypt/src/hmac.c \
|
||||
wolfcrypt/src/random.c \
|
||||
wolfcrypt/src/sha256.c
|
||||
|
||||
if BUILD_RSA
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
|
||||
endif
|
||||
|
||||
if BUILD_ECC
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
|
||||
endif
|
||||
|
||||
if BUILD_AES
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
|
||||
endif
|
||||
|
||||
if BUILD_DES3
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
|
||||
endif
|
||||
|
||||
if BUILD_SHA
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
|
||||
endif
|
||||
|
||||
if BUILD_SHA512
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
|
||||
endif
|
||||
|
||||
if BUILD_SHA3
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
|
||||
endif
|
||||
|
||||
if BUILD_DH
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
|
||||
endif
|
||||
|
||||
if BUILD_CMAC
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
|
||||
endif
|
||||
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \
|
||||
wolfcrypt/src/fips_test.c
|
||||
|
||||
# fips last file
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
|
||||
endif
|
||||
endif
|
||||
|
||||
# For FIPSV2, exclude the wolfCrypt files included above.
|
||||
# For old FIPS, keep the wolfCrypt versions of the
|
||||
# CtaoCrypt files included above.
|
||||
if !BUILD_FIPS_V2
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c
|
||||
endif
|
||||
|
||||
# CAVP self test
|
||||
|
@ -85,7 +127,6 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c
|
|||
endif
|
||||
|
||||
src_libwolfssl_la_SOURCES += \
|
||||
wolfcrypt/src/hmac.c \
|
||||
wolfcrypt/src/hash.c \
|
||||
wolfcrypt/src/cpuid.c
|
||||
|
||||
|
@ -142,28 +183,38 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_int.c
|
|||
endif
|
||||
endif
|
||||
|
||||
if !BUILD_FIPS_V2
|
||||
if BUILD_AES
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
|
||||
if BUILD_ARMASM
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c
|
||||
endif
|
||||
endif
|
||||
endif
|
||||
|
||||
if !BUILD_FIPS_V2
|
||||
if BUILD_CMAC
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
|
||||
endif
|
||||
endif
|
||||
|
||||
if !BUILD_FIPS_V2
|
||||
if BUILD_DES3
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
|
||||
endif
|
||||
endif
|
||||
|
||||
if !BUILD_FIPS_V2
|
||||
if BUILD_SHA
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
|
||||
endif
|
||||
endif
|
||||
|
||||
if !BUILD_FIPS_V2
|
||||
if BUILD_SHA512
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
|
||||
endif
|
||||
endif
|
||||
|
||||
if !BUILD_FIPS_V2
|
||||
if BUILD_SHA3
|
||||
|
@ -183,9 +234,11 @@ if BUILD_MEMORY
|
|||
src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c
|
||||
endif
|
||||
|
||||
if !BUILD_FIPS_V2
|
||||
if BUILD_DH
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
|
||||
endif
|
||||
endif
|
||||
|
||||
if BUILD_ASN
|
||||
src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c
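Review bot: The new `if !BUILD_FIPS_V2 … else … endif` block inside `if BUILD_FIPS` closes with two bare `endif` lines dozens of lines after it opens, and the later hunks add more nested `if !BUILD_FIPS_V2` pairs around `BUILD_AES`, `BUILD_CMAC`, `BUILD_DES3`, `BUILD_SHA`, `BUILD_SHA512` and `BUILD_DH` that close the same way. The file already labels `endif # BUILD_FAST_RSA`; doing the same here (`endif # !BUILD_FIPS_V2`, `endif # BUILD_FIPS`) makes it harder to add a source to the wrong branch. A comment above the FIPSv2 list saying that every module source must stay between `wolfcrypt_first.c` and `wolfcrypt_last.c` would also help, since the existing "first file" and "last file" comments suggest the order is significant.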
|
||||
|
|
28
tests/api.c
28
tests/api.c
|
@ -8400,19 +8400,21 @@ static int test_wc_AesGcmEncryptDecrypt (void)
|
|||
sizeof(vector), iv, sizeof(iv)/sizeof(byte),
|
||||
resultT, sizeof(resultT) - 5, a, sizeof(a));
|
||||
}
|
||||
if (gcmE == BAD_FUNC_ARG) {
|
||||
gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
|
||||
sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT),
|
||||
a, sizeof(a));
|
||||
}
|
||||
#ifdef HAVE_FIPS
|
||||
if (gcmE == BAD_FUNC_ARG) {
|
||||
gcmE = 0;
|
||||
} else {
|
||||
gcmE = WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
#endif
|
||||
} /* END wc_AesGcmEncrypt */
|
||||
|
||||
if (gcmE == BAD_FUNC_ARG) {
|
||||
gcmE = 0;
|
||||
} else {
|
||||
gcmE = WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
/* This case is now considered good. Long IVs are now allowed. */
|
||||
if (gcmE == 0) {
|
||||
gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
|
||||
sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT),
|
||||
a, sizeof(a));
|
||||
}
|
||||
/* END wc_AesGcmEncrypt */
|
||||
|
||||
printf(resultFmt, gcmE == 0 ? passed : failed);
|
||||
if (gcmE != 0) {
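Review bot: The long-IV case that is now expected to succeed only checks that `wc_AesGcmEncrypt` returns 0; nothing verifies the ciphertext or tag it produced. As this is the only coverage shown for the newly allowed IV length, I would follow it with a `wc_AesGcmDecrypt` call using `longIV` and the returned tag and compare the output with `vector`, or check against a known-answer vector. The `#ifdef HAVE_FIPS` expectation of `BAD_FUNC_ARG` is removed for every FIPS build; if an older FIPS module still rejects long IVs the test would now fail there and a `HAVE_FIPS_VERSION` condition may be needed, which cannot be confirmed from this hunk. test_wc_AesGcmEncryptDecrypt starts and ends outside the hunk.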
|
||||
|
|
|
@ -28,12 +28,27 @@
|
|||
#include <wolfssl/wolfcrypt/error-crypt.h>
|
||||
|
||||
#if !defined(NO_AES)
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
|
||||
#ifdef USE_WINDOWS_API
|
||||
#pragma code_seg(".fipsA$d")
|
||||
#pragma const_seg(".fipsB$d")
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/aes.h>
|
||||
#include <wolfssl/wolfcrypt/cpuid.h>
|
||||
|
||||
|
||||
/* fips wrapper calls, user can call direct */
|
||||
#ifdef HAVE_FIPS
|
||||
#if defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
|
||||
int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv,
|
||||
int dir)
|
||||
{
|
||||
|
@ -228,7 +243,7 @@
|
|||
AesFree(aes); */
|
||||
}
|
||||
|
||||
#else /* HAVE_FIPS */
|
||||
#else /* else build without fips, or for FIPS v2 */
|
||||
|
||||
|
||||
#if defined(WOLFSSL_TI_CRYPT)
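Review bot: The `#pragma code_seg(".fipsA$d")` / `#pragma const_seg(".fipsB$d")` pair is added without a comment saying what it is for, and the identical `$d` suffix appears in the des3.c, random.c and sha.c hunks below. The MSVC linker orders section contributions by the text after `$`, so if the suffix is meant to place each file at a defined position inside the FIPS sections, identical suffixes leave the relative order of these files to link order. If only membership in the section matters, say so, e.g. `/* Windows: keep this file's code and read-only data inside the .fipsA/.fipsB module sections */`. The pragmas cover code and constant data only, so it is worth confirming that writable statics in these files are meant to stay in the default data section. The `#if !defined(NO_AES)` block continues outside the hunk.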
|
||||
|
|
|
@ -31,10 +31,24 @@
|
|||
|
||||
#ifndef NO_DES3
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
|
||||
#ifdef USE_WINDOWS_API
|
||||
#pragma code_seg(".fipsA$d")
|
||||
#pragma const_seg(".fipsB$d")
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/des3.h>
|
||||
|
||||
/* fips wrapper calls, user can call direct */
|
||||
#ifdef HAVE_FIPS
|
||||
#if defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
|
||||
int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
|
||||
{
|
||||
return Des_SetKey(des, key, iv, dir);
|
||||
|
@ -107,7 +121,7 @@
|
|||
Des3Free(des3); */
|
||||
}
|
||||
|
||||
#else /* build without fips */
|
||||
#else /* else build without fips, or for FIPS v2 */
|
||||
|
||||
|
||||
#if defined(WOLFSSL_TI_CRYPT)
|
||||
|
|
|
@ -464,6 +464,9 @@ const char* wc_GetErrorString(int error)
|
|||
case AESCCM_KAT_FIPS_E:
|
||||
return "AESCCM Known Answer Test check FIPS error";
|
||||
|
||||
case SHA3_KAT_FIPS_E:
|
||||
return "SHA-3 Known Answer Test check FIPS error";
|
||||
|
||||
default:
|
||||
return "unknown error number";
|
||||
|
||||
|
|
|
@ -32,6 +32,19 @@
|
|||
|
||||
*/
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
|
||||
#ifdef USE_WINDOWS_API
|
||||
#pragma code_seg(".fipsA$d")
|
||||
#pragma const_seg(".fipsB$d")
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
||||
#include <wolfssl/wolfcrypt/random.h>
|
||||
#include <wolfssl/wolfcrypt/cpuid.h>
|
||||
|
||||
|
|
|
@ -28,11 +28,25 @@
|
|||
|
||||
#if !defined(NO_SHA)
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
|
||||
#ifdef USE_WINDOWS_API
|
||||
#pragma code_seg(".fipsA$d")
|
||||
#pragma const_seg(".fipsB$d")
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/sha.h>
|
||||
#include <wolfssl/wolfcrypt/error-crypt.h>
|
||||
|
||||
/* fips wrapper calls, user can call direct */
|
||||
#ifdef HAVE_FIPS
|
||||
#if defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
|
||||
int wc_InitSha(wc_Sha* sha)
|
||||
{
|
||||
if (sha == NULL) {
|
||||
|
@ -71,7 +85,7 @@
|
|||
/* Not supported in FIPS */
|
||||
}
|
||||
|
||||
#else /* else build without fips */
|
||||
#else /* else build without fips, or for FIPS v2 */
|
||||
|
||||
|
||||
#if defined(WOLFSSL_TI_HASH)
|
||||
|
|
|
@ -28,6 +28,18 @@
|
|||
|
||||
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT)
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
|
||||
#ifdef USE_WINDOWS_API
|
||||
#pragma code_seg(".fipsA$d")
|
||||
#pragma const_seg(".fipsB$d")
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/sha3.h>
|
||||
#include <wolfssl/wolfcrypt/error-crypt.h>
|
||||
|
||||
|
|
|
@ -27,6 +27,19 @@
|
|||
#include <wolfssl/wolfcrypt/settings.h>
|
||||
|
||||
#ifdef WOLFSSL_SHA512
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
|
||||
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
|
||||
#define FIPS_NO_WRAPPERS
|
||||
|
||||
#ifdef USE_WINDOWS_API
|
||||
#pragma code_seg(".fipsA$d")
|
||||
#pragma const_seg(".fipsB$d")
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include <wolfssl/wolfcrypt/sha512.h>
|
||||
#include <wolfssl/wolfcrypt/error-crypt.h>
|
||||
#include <wolfssl/wolfcrypt/cpuid.h>
|
||||
|
@ -37,7 +50,9 @@
|
|||
#endif
|
||||
|
||||
/* fips wrapper calls, user can call direct */
|
||||
#ifdef HAVE_FIPS
|
||||
#if defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
|
||||
int wc_InitSha512(wc_Sha512* sha)
|
||||
{
|
||||
if (sha == NULL) {
|
||||
|
@ -115,7 +130,7 @@
|
|||
}
|
||||
#endif /* WOLFSSL_SHA384 || HAVE_AESGCM */
|
||||
|
||||
#else /* else build without using fips */
|
||||
#else /* else build without fips, or for FIPS v2 */
|
||||
|
||||
#include <wolfssl/wolfcrypt/logging.h>
|
||||
|
||||
|
|
|
@ -31,8 +31,14 @@
|
|||
|
||||
#ifndef NO_AES
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
#include <wolfssl/wolfcrypt/fips.h>
|
||||
#endif /* HAVE_FIPS_VERSION >= 2 */
|
||||
|
||||
/* included for fips @wc_fips */
|
||||
#ifdef HAVE_FIPS
|
||||
#if defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
#include <cyassl/ctaocrypt/aes.h>
|
||||
#if defined(CYASSL_AES_COUNTER) && !defined(WOLFSSL_AES_COUNTER)
|
||||
#define WOLFSSL_AES_COUNTER
|
||||
|
@ -63,7 +69,7 @@
|
|||
#endif
|
||||
|
||||
/* these are required for FIPS and non-FIPS */
|
||||
enum {
|
||||
enum {
|
||||
AES_128_KEY_SIZE = 16, /* for 128 bit */
|
||||
AES_192_KEY_SIZE = 24, /* for 192 bit */
|
||||
AES_256_KEY_SIZE = 32, /* for 256 bit */
|
||||
|
@ -72,7 +78,9 @@ enum {
|
|||
};
|
||||
|
||||
|
||||
#ifndef HAVE_FIPS /* to avoid redefinition of structures */
|
||||
/* avoid redefinition of structs */
|
||||
#if !defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
|
||||
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
#include <wolfssl/wolfcrypt/async.h>
|
||||
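Review bot: The version guards `defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)` and `defined(HAVE_FIPS) && (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))` are spelled out by hand in this header, and again in the des3, sha and sha512 header sections and in every source-file section above. One mistyped copy would silently select the wrong struct definitions or wrapper set in a FIPS build, which is hard to spot in review. Deriving a single flag once after the settings header is read (for example `#define WOLFSSL_FIPS_V2_OR_LATER`, name illustrative) and testing it everywhere would keep the copies from drifting. The third form in front of the struct definitions, `!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))`, is the exact negation of the legacy test and could then be written as such. The header continues outside these hunks, so the matching `#endif` lines are not visible here.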
|
|
|
@ -30,7 +30,13 @@
|
|||
|
||||
#ifndef NO_DES3
|
||||
|
||||
#ifdef HAVE_FIPS
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
#include <wolfssl/wolfcrypt/fips.h>
|
||||
#endif /* HAVE_FIPS_VERSION >= 2 */
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
/* included for fips @wc_fips */
|
||||
#include <cyassl/ctaocrypt/des3.h>
|
||||
#endif
|
||||
|
@ -47,7 +53,9 @@ enum {
|
|||
};
|
||||
|
||||
|
||||
#ifndef HAVE_FIPS /* to avoid redefinition of macros */
|
||||
/* avoid redefinition of structs */
|
||||
#if !defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
|
||||
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
#include <wolfssl/wolfcrypt/async.h>
|
||||
|
|
|
@ -206,8 +206,9 @@ enum {
|
|||
ECDSA_PAT_FIPS_E = -255, /* ECDSA PAT failure */
|
||||
DH_KAT_FIPS_E = -256, /* DH KAT failure */
|
||||
AESCCM_KAT_FIPS_E = -257, /* AESCCM KAT failure */
|
||||
SHA3_KAT_FIPS_E = -258, /* SHA-3 KAT failure */
|
||||
|
||||
WC_LAST_E = -257, /* Update this to indicate last error */
|
||||
WC_LAST_E = -258, /* Update this to indicate last error */
|
||||
MIN_CODE_E = -300 /* errors -101 - -299 */
|
||||
|
||||
/* add new companion error id strings for any new error codes
|
||||
|
|
|
@ -31,7 +31,13 @@
|
|||
|
||||
#ifndef NO_SHA
|
||||
|
||||
#ifdef HAVE_FIPS
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
#include <wolfssl/wolfcrypt/fips.h>
|
||||
#endif /* HAVE_FIPS_VERSION >= 2 */
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
#define wc_Sha Sha
|
||||
#define WC_SHA SHA
|
||||
#define WC_SHA_BLOCK_SIZE SHA_BLOCK_SIZE
|
||||
|
@ -50,7 +56,9 @@
|
|||
extern "C" {
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_FIPS /* avoid redefining structs */
|
||||
/* avoid redefinition of structs */
|
||||
#if !defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
|
||||
|
||||
#ifdef WOLFSSL_MICROCHIP_PIC32MZ
|
||||
#include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* sha512.h
|
||||
*
|
||||
* Copyright (C) 2006-2017 wolfSSL Inc.
|
||||
* Copyright (C) 2006-2018 wolfSSL Inc.
|
||||
*
|
||||
* This file is part of wolfSSL.
|
||||
*
|
||||
|
@ -31,8 +31,13 @@
|
|||
|
||||
#ifdef WOLFSSL_SHA512
|
||||
|
||||
/* for fips @wc_fips */
|
||||
#ifdef HAVE_FIPS
|
||||
#if defined(HAVE_FIPS) && \
|
||||
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
|
||||
#include <wolfssl/wolfcrypt/fips.h>
|
||||
#endif /* HAVE_FIPS_VERSION >= 2 */
|
||||
|
||||
#if defined(HAVE_FIPS) && \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
|
||||
#define wc_Sha512 Sha512
|
||||
#define WC_SHA512 SHA512
|
||||
#define WC_SHA512_BLOCK_SIZE SHA512_BLOCK_SIZE
|
||||
|
@ -50,6 +55,7 @@
|
|||
#if defined(WOLFSSL_SHA384)
|
||||
#define CYASSL_SHA384
|
||||
#endif
|
||||
/* for fips @wc_fips */
|
||||
#include <cyassl/ctaocrypt/sha512.h>
|
||||
#endif
|
||||
|
||||
|
@ -57,7 +63,9 @@
|
|||
extern "C" {
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_FIPS /* avoid redefinition of structs */
|
||||
/* avoid redefinition of structs */
|
||||
#if !defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
|
||||
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
#include <wolfssl/wolfcrypt/async.h>
|
||||
|
@ -121,7 +129,9 @@ WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst);
|
|||
|
||||
#if defined(WOLFSSL_SHA384)
|
||||
|
||||
#ifndef HAVE_FIPS /* avoid redefinition of structs */
|
||||
/* avoid redefinition of structs */
|
||||
#if !defined(HAVE_FIPS) || \
|
||||
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
|
||||
|
||||
#ifndef NO_OLD_WC_NAMES
|
||||
#define Sha384 wc_Sha384
|
||||
|
|