WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

FIPS Update 

1. Moved the rest of the FIPS algorithms to FIPSv2.
2. Updated the fips-check and autogen scripts.
3. Updated the automake include for the crypto files.
4. Updated the example server to use the wolfSSL API and wolfSSL-based OpenSSL compatibility layer.
5. Added error code for the SHA-3 KAT.
6. Updated an test case in the API test for AES-GCM encrypt that is now considered a success case, but the FIPS mode was still treating as a failure.
cert-3389
John Safranek 2018-02-01 11:02:35 -08:00
parent df4d748f59
commit f6fe3744a7
17 changed files with 390 additions and 183 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
autogen.sh
View File

@ -18,7 +18,8 @@ if test -e .git; then
# touch fips files for non fips distribution
touch ./ctaocrypt/src/fips.c
touch ./ctaocrypt/src/fips_test.c
touch ./wolfcrypt/src/fipsv2.c
touch ./wolfcrypt/src/fips.c
touch ./wolfcrypt/src/fips_test.c
touch ./wolfssl/wolfcrypt/fips.h
# touch CAVP selftest files for non-selftest distribution

102
examples/server/server.c
View File

@ -23,11 +23,11 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <cyassl/ssl.h> /* name change portability layer */
#include <wolfssl/ssl.h> /* name change portability layer */
#include <cyassl/ctaocrypt/settings.h>
#include <wolfssl/wolfcrypt/settings.h>
#ifdef HAVE_ECC
#include <cyassl/ctaocrypt/ecc.h> /* ecc_fp_free */
#include <wolfssl/wolfcrypt/ecc.h> /* ecc_fp_free */
#endif
#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
@ -39,10 +39,10 @@
#include "wolfssl_MDK_ARM.h"
#endif
#include <cyassl/openssl/ssl.h>
#include <cyassl/test.h>
#ifdef CYASSL_DTLS
#include <cyassl/error-ssl.h>
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/test.h>
#ifdef WOLFSSL_DTLS
#include <wolfssl/error-ssl.h>
#endif
#include "examples/server/server.h"
@ -75,7 +75,7 @@ static const char webServerMsg[] =
int runWithErrors = 0; /* Used with -x flag to run err_sys vs. print errors */
#ifdef CYASSL_CALLBACKS
#ifdef WOLFSSL_CALLBACKS
Timeval srvTo;
static int srvHandShakeCB(HandShakeInfo* info)
{
@ -117,13 +117,13 @@ static void err_sys_ex(int out, const char* msg)
static int NonBlockingSSL_Accept(SSL* ssl)
{
#ifndef CYASSL_CALLBACKS
#ifndef WOLFSSL_CALLBACKS
int ret = SSL_accept(ssl);
#else
int ret = CyaSSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo);
int ret = SSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo);
#endif
int error = SSL_get_error(ssl, 0);
SOCKET_T sockfd = (SOCKET_T)CyaSSL_get_fd(ssl);
SOCKET_T sockfd = (SOCKET_T)SSL_get_fd(ssl);
int select_ret = 0;
while (ret != WOLFSSL_SUCCESS &&
@ -149,8 +149,8 @@ static int NonBlockingSSL_Accept(SSL* ssl)
else
#endif
{
#ifdef CYASSL_DTLS
currTimeout = CyaSSL_dtls_get_current_timeout(ssl);
#ifdef WOLFSSL_DTLS
currTimeout = wolfSSL_dtls_get_current_timeout(ssl);
#endif
select_ret = tcp_select(sockfd, currTimeout);
}
@ -163,17 +163,17 @@ static int NonBlockingSSL_Accept(SSL* ssl)
#ifndef CYASSL_CALLBACKS
ret = SSL_accept(ssl);
#else
ret = CyaSSL_accept_ex(ssl,
ret = SSL_accept_ex(ssl,
srvHandShakeCB, srvTimeoutCB, srvTo);
#endif
error = SSL_get_error(ssl, 0);
}
else if (select_ret == TEST_TIMEOUT && !CyaSSL_dtls(ssl)) {
else if (select_ret == TEST_TIMEOUT && !wolfSSL_dtls(ssl)) {
error = WOLFSSL_ERROR_WANT_READ;
}
#ifdef CYASSL_DTLS
else if (select_ret == TEST_TIMEOUT && CyaSSL_dtls(ssl) &&
CyaSSL_dtls_got_timeout(ssl) >= 0) {
#ifdef WOLFSSL_DTLS
else if (select_ret == TEST_TIMEOUT && wolfSSL_dtls(ssl) &&
wolfSSL_dtls_got_timeout(ssl) >= 0) {
error = WOLFSSL_ERROR_WANT_READ;
}
#endif
@ -284,7 +284,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block,
static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
{
int ret, err;
char buffer[CYASSL_MAX_ERROR_SZ];
char buffer[WOLFSSL_MAX_ERROR_SZ];
/* Read data */
do {
@ -300,7 +300,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
}
else
#endif
#ifdef CYASSL_DTLS
#ifdef WOLFSSL_DTLS
if (wolfSSL_dtls(ssl) && err == DECRYPT_ERROR) {
printf("Dropped client's message due to a bad MAC\n");
}
@ -322,7 +322,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
{
int ret, err;
char buffer[CYASSL_MAX_ERROR_SZ];
char buffer[WOLFSSL_MAX_ERROR_SZ];
do {
err = 0; /* reset error */
@ -347,10 +347,10 @@ static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
static void Usage(void)
{
printf("server " LIBCYASSL_VERSION_STRING
printf("server " LIBWOLFSSL_VERSION_STRING
" NOTE: All files relative to wolfSSL home dir\n");
printf("-? Help, print this usage\n");
printf("-p <num> Port to listen on, not 0, default %d\n", yasslPort);
printf("-p <num> Port to listen on, not 0, default %d\n", wolfSSLPort);
#ifndef WOLFSSL_TLS13
printf("-v <num> SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n",
SERVER_DEFAULT_VERSION);
@ -444,7 +444,7 @@ static void Usage(void)
#endif
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
{
SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID;
SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID;
@ -528,7 +528,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_WNR
const char* wnrConfigFile = wnrConfig;
#endif
char buffer[CYASSL_MAX_ERROR_SZ];
char buffer[WOLFSSL_MAX_ERROR_SZ];
#ifdef WOLFSSL_TLS13
int noPskDheKe = 0;
#endif
@ -591,7 +591,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
(void)mcastID;
(void)useX25519;
#ifdef CYASSL_TIRTOS
#ifdef WOLFSSL_TIRTOS
fdOpenSession(Task_self());
#endif
@ -966,7 +966,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
break;
#endif /* NO_TLS */
#ifdef CYASSL_DTLS
#ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case -1:
method = wolfDTLSv1_server_method_ex;
@ -1025,7 +1025,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
err_sys_ex(runWithErrors, "server can't set cipher list 1");
}
#ifdef CYASSL_LEANPSK
#ifdef WOLFSSL_LEANPSK
if (!usePsk) {
usePsk = 1;
}
@ -1038,7 +1038,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif
if (fewerPackets)
CyaSSL_CTX_set_group_messages(ctx);
wolfSSL_CTX_set_group_messages(ctx);
#ifdef WOLFSSL_SCTP
if (dtlsSCTP)
@ -1081,7 +1081,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_NTRU
if (useNtruKey) {
if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
if (SSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
!= WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "can't load ntru key file, "
"Please run from wolfSSL home dir");
@ -1137,7 +1137,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
if (useAnon) {
#ifdef HAVE_ANON
CyaSSL_CTX_allow_anon_cipher(ctx);
SSL_CTX_allow_anon_cipher(ctx);
if (cipherList == NULL || (cipherList && useDefCipherList)) {
const char* defaultCipherList;
defaultCipherList = "ADH-AES256-GCM-SHA384:"
@ -1169,7 +1169,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
}
#endif
#if defined(CYASSL_SNIFFER)
#if defined(WOLFSSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS)
@ -1179,7 +1179,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
if (SSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName,
(word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "UseSNI failed");
#endif
@ -1287,25 +1287,25 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif
#ifdef HAVE_CRL
#ifdef HAVE_CRL_MONITOR
crlFlags = CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON;
crlFlags = WOLFSSL_CRL_MONITOR | WOLFSSL_CRL_START_MON;
#endif
if (CyaSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS)
if (wolfSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "unable to enable CRL");
if (CyaSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags)
if (wolfSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags)
!= WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "unable to load CRL");
if (CyaSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS)
if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "unable to set CRL callback url");
#endif
#ifdef HAVE_OCSP
if (useOcsp) {
if (ocspUrl != NULL) {
CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
| CYASSL_OCSP_URL_OVERRIDE);
wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE
| WOLFSSL_OCSP_URL_OVERRIDE);
}
else
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE);
}
#endif
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
@ -1418,20 +1418,20 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL
|| needDH == 1) {
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
CyaSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM);
wolfSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM);
#elif !defined(NO_DH)
SetDH(ssl); /* repick suites with DHE, higher priority than PSK */
#endif
}
#ifndef CYASSL_CALLBACKS
#ifndef WOLFSSL_CALLBACKS
if (nonBlocking) {
CyaSSL_set_using_nonblock(ssl, 1);
wolfSSL_set_using_nonblock(ssl, 1);
tcp_set_nonblocking(&clientfd);
}
#endif
#ifndef CYASSL_CALLBACKS
#ifndef WOLFSSL_CALLBACKS
if (nonBlocking) {
ret = NonBlockingSSL_Accept(ssl);
}
@ -1624,7 +1624,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX)
os_dly_wait(500) ;
#elif defined (CYASSL_TIRTOS)
#elif defined (WOLFSSL_TIRTOS)
Task_yield();
#endif
@ -1684,7 +1684,7 @@ exit:
ecc_fp_free(); /* free per thread cache */
#endif
#ifdef CYASSL_TIRTOS
#ifdef WOLFSSL_TIRTOS
fdCloseSession(Task_self());
#endif
@ -1706,7 +1706,7 @@ exit:
(void) useNtruKey;
(void) ourDhParam;
(void) ourCert;
#ifndef CYASSL_TIRTOS
#ifndef WOLFSSL_TIRTOS
return 0;
#endif
}
@ -1731,9 +1731,9 @@ exit:
InitTcpReady(&ready);
#if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL)
CyaSSL_Debugging_ON();
wolfSSL_Debugging_ON();
#endif
CyaSSL_Init();
wolfSSL_Init();
ChangeToWolfRoot();
#ifndef NO_WOLFSSL_SERVER
@ -1746,7 +1746,7 @@ exit:
printf("Server not compiled in!\n");
#endif
CyaSSL_Cleanup();
wolfSSL_Cleanup();
FreeTcpReady(&ready);
#ifdef HAVE_WNR

178
fips-check.sh
View File

@ -11,7 +11,7 @@
#
# $ ./fips-check [version] [keep]
#
# - version: linux (default), ios, android, windows, freertos, linux-ecc
# - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2
#
# - keep: (default off) XXX-fips-test temp dir around for inspection
#
@ -29,6 +29,7 @@ function Usage() {
printf '\t%s\n' "netbsd-selftest"
printf '\t%s\n' "sgx"
printf '\t%s\n' "netos-7.6"
printf '\t%s\n' "linuxv2"
printf '\n%s\n\n' "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection"
printf '%s\n' "EXAMPLE:"
printf '%s\n' "---------------------------------"
@ -38,38 +39,42 @@ function Usage() {
LINUX_FIPS_VERSION=v3.2.6
LINUX_FIPS_REPO=git@github.com:wolfSSL/fips.git
LINUX_CTAO_VERSION=v3.2.6
LINUX_CTAO_REPO=git@github.com:cyassl/cyassl.git
LINUX_CRYPT_VERSION=v3.2.6
LINUX_CRYPT_REPO=git@github.com:cyassl/cyassl.git
LINUX_ECC_FIPS_VERSION=v3.10.3
LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git
LINUX_ECC_CTAO_VERSION=v3.2.6
LINUX_ECC_CTAO_REPO=git@github.com:cyassl/cyassl.git
LINUX_ECC_CRYPT_VERSION=v3.2.6
LINUX_ECC_CRYPT_REPO=git@github.com:cyassl/cyassl.git
LINUXV2_FIPS_VERSION=fipsv2
LINUXV2_FIPS_REPO=git@github.com:ejohnstown/fips.git
LINUXV2_CRYPT_VERSION=fipsv2
IOS_FIPS_VERSION=v3.4.8a
IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
IOS_CTAO_VERSION=v3.4.8.fips
IOS_CTAO_REPO=git@github.com:cyassl/cyassl.git
IOS_CRYPT_VERSION=v3.4.8.fips
IOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
ANDROID_FIPS_VERSION=v3.5.0
ANDROID_FIPS_REPO=git@github.com:wolfSSL/fips.git
ANDROID_CTAO_VERSION=v3.5.0
ANDROID_CTAO_REPO=git@github.com:cyassl/cyassl.git
ANDROID_CRYPT_VERSION=v3.5.0
ANDROID_CRYPT_REPO=git@github.com:cyassl/cyassl.git
WINDOWS_FIPS_VERSION=v3.6.6
WINDOWS_FIPS_REPO=git@github.com:wolfSSL/fips.git
WINDOWS_CTAO_VERSION=v3.6.6
WINDOWS_CTAO_REPO=git@github.com:cyassl/cyassl.git
WINDOWS_CRYPT_VERSION=v3.6.6
WINDOWS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS
FREERTOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
FREERTOS_CTAO_VERSION=v3.6.1
FREERTOS_CTAO_REPO=git@github.com:cyassl/cyassl.git
FREERTOS_CRYPT_VERSION=v3.6.1
FREERTOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git
OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS
OPENRTOS_3_9_2_FIPS_REPO=git@github.com:wolfSSL/fips.git
OPENRTOS_3_9_2_CTAO_VERSION=v3.6.1
OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git
OPENRTOS_3_9_2_CRYPT_VERSION=v3.6.1
OPENRTOS_3_9_2_CRYPT_REPO=git@github.com:cyassl/cyassl.git
#NOTE: Does not include the SGX examples yet, update version once fipsv2 is
# finished and merge conflicts can be resolved. This will be tagged as
@ -77,29 +82,28 @@ OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git
#SGX_FIPS_VERSION=v3.12.4.sgx-examples
SGX_FIPS_VERSION=v3.6.6
SGX_FIPS_REPO=git@github.com:wolfSSL/fips.git
SGX_CTAO_VERSION=v3.12.4
SGX_CTAO_REPO=git@github.com:cyassl/cyassl.git
SGX_CRYPT_VERSION=v3.12.4
SGX_CRYPT_REPO=git@github.com:cyassl/cyassl.git
NETOS_7_6_FIPS_VERSION=v3.12.6
NETOS_7_6_FIPS_REPO=git@github.com:wolfSSL/fips.git
NETOS_7_6_CTAO_VERSION=v3.12.4
NETOS_7_6_CTAO_REPO=git@github.com:cyassl/cyassl.git
FIPS_SRCS=( fips.c fips_test.c )
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
TEST_DIR=XXX-fips-test
WC_INC_PATH=cyassl/ctaocrypt
WC_SRC_PATH=ctaocrypt/src
CAVP_SELFTEST_ONLY="no"
NETOS_7_6_CRYPT_VERSION=v3.12.4
NETOS_7_6_CRYPT_REPO=git@github.com:cyassl/cyassl.git
# non-FIPS, CAVP only but pull in selftest
# will reset above variables below in platform switch
NETBSD_FIPS_VERSION=v3.14.2a
NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git
NETBSD_CTAO_VERSION=v3.14.2
NETBSD_CTAO_REPO=git@github.com:wolfssl/wolfssl.git
NETBSD_CRYPT_VERSION=v3.14.2
NETBSD_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git
FIPS_SRCS=( fips.c fips_test.c )
WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
TEST_DIR=XXX-fips-test
CRYPT_INC_PATH=cyassl/ctaocrypt
CRYPT_SRC_PATH=ctaocrypt/src
FIPS_OPTION=v1
CAVP_SELFTEST_ONLY="no"
if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi
@ -109,68 +113,79 @@ case $PLATFORM in
ios)
FIPS_VERSION=$IOS_FIPS_VERSION
FIPS_REPO=$IOS_FIPS_REPO
CTAO_VERSION=$IOS_CTAO_VERSION
CTAO_REPO=$IOS_CTAO_REPO
CRYPT_VERSION=$IOS_CRYPT_VERSION
CRYPT_REPO=$IOS_CRYPT_REPO
;;
android)
FIPS_VERSION=$ANDROID_FIPS_VERSION
FIPS_REPO=$ANDROID_FIPS_REPO
CTAO_VERSION=$ANDROID_CTAO_VERSION
CTAO_REPO=$ANDROID_CTAO_REPO
CRYPT_VERSION=$ANDROID_CRYPT_VERSION
CRYPT_REPO=$ANDROID_CRYPT_REPO
;;
windows)
FIPS_VERSION=$WINDOWS_FIPS_VERSION
FIPS_REPO=$WINDOWS_FIPS_REPO
CTAO_VERSION=$WINDOWS_CTAO_VERSION
CTAO_REPO=$WINDOWS_CTAO_REPO
CRYPT_VERSION=$WINDOWS_CRYPT_VERSION
CRYPT_REPO=$WINDOWS_CRYPT_REPO
;;
freertos)
FIPS_VERSION=$FREERTOS_FIPS_VERSION
FIPS_REPO=$FREERTOS_FIPS_REPO
CTAO_VERSION=$FREERTOS_CTAO_VERSION
CTAO_REPO=$FREERTOS_CTAO_REPO
CRYPT_VERSION=$FREERTOS_CRYPT_VERSION
CRYPT_REPO=$FREERTOS_CRYPT_REPO
;;
openrtos-3.9.2)
FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION
FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO
CTAO_VERSION=$OPENRTOS_3_9_2_CTAO_VERSION
CTAO_REPO=$OPENRTOS_3_9_2_CTAO_REPO
CRYPT_VERSION=$OPENRTOS_3_9_2_CRYPT_VERSION
CRYPT_REPO=$OPENRTOS_3_9_2_CRYPT_REPO
FIPS_CONFLICTS=( aes hmac random sha256 )
;;
linux)
FIPS_VERSION=$LINUX_FIPS_VERSION
FIPS_REPO=$LINUX_FIPS_REPO
CTAO_VERSION=$LINUX_CTAO_VERSION
CTAO_REPO=$LINUX_CTAO_REPO
CRYPT_VERSION=$LINUX_CRYPT_VERSION
CRYPT_REPO=$LINUX_CRYPT_REPO
;;
linux-ecc)
FIPS_VERSION=$LINUX_ECC_FIPS_VERSION
FIPS_REPO=$LINUX_ECC_FIPS_REPO
CTAO_VERSION=$LINUX_ECC_CTAO_VERSION
CTAO_REPO=$LINUX_ECC_CTAO_REPO
CRYPT_VERSION=$LINUX_ECC_CRYPT_VERSION
CRYPT_REPO=$LINUX_ECC_CRYPT_REPO
;;
linuxv2)
FIPS_VERSION=$LINUXV2_FIPS_VERSION
FIPS_REPO=$LINUXV2_FIPS_REPO
CRYPT_VERSION=$LINUXV2_CRYPT_VERSION
CRYPT_INC_PATH=wolfssl/wolfcrypt
CRYPT_SRC_PATH=wolfcrypt/src
WC_MODS+=( cmac dh )
FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
FIPS_INCS=( fips.h )
FIPS_OPTION=v2
;;
netbsd-selftest)
FIPS_VERSION=$NETBSD_FIPS_VERSION
FIPS_REPO=$NETBSD_FIPS_REPO
CTAO_VERSION=$NETBSD_CTAO_VERSION
CTAO_REPO=$NETBSD_CTAO_REPO
CRYPT_VERSION=$NETBSD_CRYPT_VERSION
CRYPT_REPO=$NETBSD_CRYPT_REPO
FIPS_SRCS=( selftest.c )
WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
WC_INC_PATH=wolfssl/wolfcrypt
WC_SRC_PATH=wolfcrypt/src
CRYPT_INC_PATH=wolfssl/wolfcrypt
CRYPT_SRC_PATH=wolfcrypt/src
CAVP_SELFTEST_ONLY="yes"
;;
sgx)
FIPS_VERSION=$SGX_FIPS_VERSION
FIPS_REPO=$SGX_FIPS_REPO
CTAO_VERSION=$SGX_CTAO_VERSION
CTAO_REPO=$SGX_CTAO_REPO
CRYPT_VERSION=$SGX_CRYPT_VERSION
CRYPT_REPO=$SGX_CRYPT_REPO
;;
netos-7.6)
FIPS_VERSION=$NETOS_7_6_FIPS_VERSION
FIPS_REPO=$NETOS_7_6_FIPS_REPO
CTAO_VERSION=$NETOS_7_6_CTAO_VERSION
CTAO_REPO=$NETOS_7_6_CTAO_REPO
CRYPT_VERSION=$NETOS_7_6_CRYPT_VERSION
CRYPT_REPO=$NETOS_7_6_CRYPT_REPO
;;
*)
Usage
@ -182,27 +197,37 @@ git clone . $TEST_DIR
pushd $TEST_DIR
# make a clone of the last FIPS release tag
git clone -b $CTAO_VERSION $CTAO_REPO old-tree
[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
for MOD in ${WC_MODS[@]}
do
cp old-tree/$WC_SRC_PATH/${MOD}.c $WC_SRC_PATH
cp old-tree/$WC_INC_PATH/${MOD}.h $WC_INC_PATH
done
# The following is temporary. We are using random.c from a separate release
# This is forcefully overwriting any other checkout of the cyassl sources.
# Removing this as default behavior for SGX and netos projects.
if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \
[ "x$PLATFORM" != "xnetos-7.6" ];
if [ "x$FIPS_OPTION" == "xv1" ];
then
pushd old-tree
git checkout v3.6.0
popd
cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH
cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH
# make a clone of the last FIPS release tag
git clone -b $CRYPT_VERSION $CRYPT_REPO old-tree
[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
for MOD in ${WC_MODS[@]}
do
cp old-tree/$CRYPT_SRC_PATH/${MOD}.c $CRYPT_SRC_PATH
cp old-tree/$CRYPT_INC_PATH/${MOD}.h $CRYPT_INC_PATH
done
# The following is temporary. We are using random.c from a separate release
# This is forcefully overwriting any other checkout of the cyassl sources.
# Removing this as default behavior for SGX and netos projects.
if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \
[ "x$PLATFORM" != "xnetos-7.6" ];
then
pushd old-tree
git checkout v3.6.0
popd
cp old-tree/$CRYPT_SRC_PATH/random.c $CRYPT_SRC_PATH
cp old-tree/$CRYPT_INC_PATH/random.h $CRYPT_INC_PATH
fi
else
git branch --track $CRYPT_VERSION origin/$CRYPT_VERSION
# Checkout the fips versions of the wolfCrypt files from the repo.
for MOD in ${WC_MODS[@]}
do
git checkout $CRYPT_VERSION -- $CRYPT_SRC_PATH/$MOD.c $CRYPT_INC_PATH/$MOD.h
done
fi
# clone the FIPS repository
@ -211,7 +236,12 @@ git clone -b $FIPS_VERSION $FIPS_REPO fips
for SRC in ${FIPS_SRCS[@]}
do
cp fips/$SRC $WC_SRC_PATH
cp fips/$SRC $CRYPT_SRC_PATH
done
for INC in ${FIPS_INCS[@]}
do
cp fips/$INC $CRYPT_INC_PATH
done
# run the make test
@ -220,7 +250,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xyes" ];
then
./configure --enable-selftest
else
./configure --enable-fips
./configure --enable-fips=$FIPS_OPTION
fi
make
[ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1
@ -229,7 +259,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
then
NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'`
if [ -n "$NEWHASH" ]; then
sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c
sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $CRYPT_SRC_PATH/fips_test.c
make clean
fi
fi

99
src/include.am
View File

@ -23,33 +23,19 @@ ipp_DATA = $(IPPLIBS)
include_HEADERS+=$(IPPHEADERS)
endif # BUILD_FAST_RSA
# fips first file
if BUILD_FIPS
if !BUILD_FIPS_V2
# fips first file
src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_first.c
if BUILD_FIPS_V2
src_libwolfssl_la_SOURCES += \
wolfcrypt/src/hmac.c \
wolfcrypt/src/random.c \
wolfcrypt/src/sha256.c
else
src_libwolfssl_la_SOURCES += \
ctaocrypt/src/hmac.c
ctaocrypt/src/hmac.c \
ctaocrypt/src/random.c \
ctaocrypt/src/sha256.c
endif
if BUILD_RSA
if BUILD_FIPS_V2
src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
else
src_libwolfssl_la_SOURCES += ctaocrypt/src/rsa.c
endif
endif
if BUILD_ECC
src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
endif
if BUILD_AES
src_libwolfssl_la_SOURCES += ctaocrypt/src/aes.c
@ -67,16 +53,72 @@ if BUILD_SHA512
src_libwolfssl_la_SOURCES += ctaocrypt/src/sha512.c
endif
if BUILD_FIPS_V2
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
endif
src_libwolfssl_la_SOURCES += ctaocrypt/src/fips.c
src_libwolfssl_la_SOURCES += wolfcrypt/src/fipsv2.c
src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c
# fips last file
src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c
else
# FIPSv2 first file
src_libwolfssl_la_SOURCES += \
wolfcrypt/src/wolfcrypt_first.c
src_libwolfssl_la_SOURCES += \
wolfcrypt/src/hmac.c \
wolfcrypt/src/random.c \
wolfcrypt/src/sha256.c
if BUILD_RSA
src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
endif
if BUILD_ECC
src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
endif
if BUILD_AES
src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
endif
if BUILD_DES3
src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
endif
if BUILD_SHA
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
endif
if BUILD_SHA512
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
endif
if BUILD_SHA3
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
endif
if BUILD_DH
src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
endif
if BUILD_CMAC
src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
endif
src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \
wolfcrypt/src/fips_test.c
# fips last file
src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
endif
endif
# For FIPSV2, exclude the wolfCrypt files included above.
# For old FIPS, keep the wolfCrypt versions of the
# CtaoCrypt files included above.
if !BUILD_FIPS_V2
src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c
endif
# CAVP self test
@ -85,7 +127,6 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c
endif
src_libwolfssl_la_SOURCES += \
wolfcrypt/src/hmac.c \
wolfcrypt/src/hash.c \
wolfcrypt/src/cpuid.c
@ -142,28 +183,38 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_int.c
endif
endif
if !BUILD_FIPS_V2
if BUILD_AES
src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
if BUILD_ARMASM
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c
endif
endif
endif
if !BUILD_FIPS_V2
if BUILD_CMAC
src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
endif
endif
if !BUILD_FIPS_V2
if BUILD_DES3
src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
endif
endif
if !BUILD_FIPS_V2
if BUILD_SHA
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
endif
endif
if !BUILD_FIPS_V2
if BUILD_SHA512
src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
endif
endif
if !BUILD_FIPS_V2
if BUILD_SHA3
@ -183,9 +234,11 @@ if BUILD_MEMORY
src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c
endif
if !BUILD_FIPS_V2
if BUILD_DH
src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
endif
endif
if BUILD_ASN
src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c

28
tests/api.c
View File

@ -8400,19 +8400,21 @@ static int test_wc_AesGcmEncryptDecrypt (void)
sizeof(vector), iv, sizeof(iv)/sizeof(byte),
resultT, sizeof(resultT) - 5, a, sizeof(a));
}
if (gcmE == BAD_FUNC_ARG) {
gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT),
a, sizeof(a));
}
#ifdef HAVE_FIPS
if (gcmE == BAD_FUNC_ARG) {
gcmE = 0;
} else {
gcmE = WOLFSSL_FATAL_ERROR;
}
#endif
} /* END wc_AesGcmEncrypt */
if (gcmE == BAD_FUNC_ARG) {
gcmE = 0;
} else {
gcmE = WOLFSSL_FATAL_ERROR;
}
}
/* This case is now considered good. Long IVs are now allowed. */
if (gcmE == 0) {
gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT),
a, sizeof(a));
}
/* END wc_AesGcmEncrypt */
printf(resultFmt, gcmE == 0 ? passed : failed);
if (gcmE != 0) {

19
wolfcrypt/src/aes.c
View File

@ -28,12 +28,27 @@
#include <wolfssl/wolfcrypt/error-crypt.h>
#if !defined(NO_AES)
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/aes.h>
#include <wolfssl/wolfcrypt/cpuid.h>
/* fips wrapper calls, user can call direct */
#ifdef HAVE_FIPS
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv,
int dir)
{
@ -228,7 +243,7 @@
AesFree(aes); */
}
#else /* HAVE_FIPS */
#else /* else build without fips, or for FIPS v2 */
#if defined(WOLFSSL_TI_CRYPT)

18
wolfcrypt/src/des3.c
View File

@ -31,10 +31,24 @@
#ifndef NO_DES3
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/des3.h>
/* fips wrapper calls, user can call direct */
#ifdef HAVE_FIPS
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
{
return Des_SetKey(des, key, iv, dir);
@ -107,7 +121,7 @@
Des3Free(des3); */
}
#else /* build without fips */
#else /* else build without fips, or for FIPS v2 */
#if defined(WOLFSSL_TI_CRYPT)

3
wolfcrypt/src/error.c
View File

@ -464,6 +464,9 @@ const char* wc_GetErrorString(int error)
case AESCCM_KAT_FIPS_E:
return "AESCCM Known Answer Test check FIPS error";
case SHA3_KAT_FIPS_E:
return "SHA-3 Known Answer Test check FIPS error";
default:
return "unknown error number";

13
wolfcrypt/src/random.c
View File

@ -32,6 +32,19 @@
*/
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/cpuid.h>

18
wolfcrypt/src/sha.c
View File

@ -28,11 +28,25 @@
#if !defined(NO_SHA)
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/sha.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
/* fips wrapper calls, user can call direct */
#ifdef HAVE_FIPS
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
int wc_InitSha(wc_Sha* sha)
{
if (sha == NULL) {
@ -71,7 +85,7 @@
/* Not supported in FIPS */
}
#else /* else build without fips */
#else /* else build without fips, or for FIPS v2 */
#if defined(WOLFSSL_TI_HASH)

12
wolfcrypt/src/sha3.c
View File

@ -28,6 +28,18 @@
#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT)
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/sha3.h>
#include <wolfssl/wolfcrypt/error-crypt.h>

19
wolfcrypt/src/sha512.c
View File

@ -27,6 +27,19 @@
#include <wolfssl/wolfcrypt/settings.h>
#ifdef WOLFSSL_SHA512
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#ifdef USE_WINDOWS_API
#pragma code_seg(".fipsA$d")
#pragma const_seg(".fipsB$d")
#endif
#endif
#include <wolfssl/wolfcrypt/sha512.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/cpuid.h>
@ -37,7 +50,9 @@
#endif
/* fips wrapper calls, user can call direct */
#ifdef HAVE_FIPS
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
int wc_InitSha512(wc_Sha512* sha)
{
if (sha == NULL) {
@ -115,7 +130,7 @@
}
#endif /* WOLFSSL_SHA384 || HAVE_AESGCM */
#else /* else build without using fips */
#else /* else build without fips, or for FIPS v2 */
#include <wolfssl/wolfcrypt/logging.h>

14
wolfssl/wolfcrypt/aes.h
View File

@ -31,8 +31,14 @@
#ifndef NO_AES
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
/* included for fips @wc_fips */
#ifdef HAVE_FIPS
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
#include <cyassl/ctaocrypt/aes.h>
#if defined(CYASSL_AES_COUNTER) && !defined(WOLFSSL_AES_COUNTER)
#define WOLFSSL_AES_COUNTER
@ -63,7 +69,7 @@
#endif
/* these are required for FIPS and non-FIPS */
enum {
enum {
AES_128_KEY_SIZE = 16, /* for 128 bit */
AES_192_KEY_SIZE = 24, /* for 192 bit */
AES_256_KEY_SIZE = 32, /* for 256 bit */
@ -72,7 +78,9 @@ enum {
};
#ifndef HAVE_FIPS /* to avoid redefinition of structures */
/* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h>

12
wolfssl/wolfcrypt/des3.h
View File

@ -30,7 +30,13 @@
#ifndef NO_DES3
#ifdef HAVE_FIPS
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
/* included for fips @wc_fips */
#include <cyassl/ctaocrypt/des3.h>
#endif
@ -47,7 +53,9 @@ enum {
};
#ifndef HAVE_FIPS /* to avoid redefinition of macros */
/* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h>

3
wolfssl/wolfcrypt/error-crypt.h
View File

@ -206,8 +206,9 @@ enum {
ECDSA_PAT_FIPS_E = -255, /* ECDSA PAT failure */
DH_KAT_FIPS_E = -256, /* DH KAT failure */
AESCCM_KAT_FIPS_E = -257, /* AESCCM KAT failure */
SHA3_KAT_FIPS_E = -258, /* SHA-3 KAT failure */
WC_LAST_E = -257, /* Update this to indicate last error */
WC_LAST_E = -258, /* Update this to indicate last error */
MIN_CODE_E = -300 /* errors -101 - -299 */
/* add new companion error id strings for any new error codes

12
wolfssl/wolfcrypt/sha.h
View File

@ -31,7 +31,13 @@
#ifndef NO_SHA
#ifdef HAVE_FIPS
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
#define wc_Sha Sha
#define WC_SHA SHA
#define WC_SHA_BLOCK_SIZE SHA_BLOCK_SIZE
@ -50,7 +56,9 @@
extern "C" {
#endif
#ifndef HAVE_FIPS /* avoid redefining structs */
/* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifdef WOLFSSL_MICROCHIP_PIC32MZ
#include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>

20
wolfssl/wolfcrypt/sha512.h
View File

@ -1,6 +1,6 @@
/* sha512.h
*
* Copyright (C) 2006-2017 wolfSSL Inc.
* Copyright (C) 2006-2018 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
@ -31,8 +31,13 @@
#ifdef WOLFSSL_SHA512
/* for fips @wc_fips */
#ifdef HAVE_FIPS
#if defined(HAVE_FIPS) && \
defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
#include <wolfssl/wolfcrypt/fips.h>
#endif /* HAVE_FIPS_VERSION >= 2 */
#if defined(HAVE_FIPS) && \
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
#define wc_Sha512 Sha512
#define WC_SHA512 SHA512
#define WC_SHA512_BLOCK_SIZE SHA512_BLOCK_SIZE
@ -50,6 +55,7 @@
#if defined(WOLFSSL_SHA384)
#define CYASSL_SHA384
#endif
/* for fips @wc_fips */
#include <cyassl/ctaocrypt/sha512.h>
#endif
@ -57,7 +63,9 @@
extern "C" {
#endif
#ifndef HAVE_FIPS /* avoid redefinition of structs */
/* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h>
@ -121,7 +129,9 @@ WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst);
#if defined(WOLFSSL_SHA384)
#ifndef HAVE_FIPS /* avoid redefinition of structs */
/* avoid redefinition of structs */
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
#ifndef NO_OLD_WC_NAMES
#define Sha384 wc_Sha384