From f6fe3744a77c9e90e4711bf33d76b105976dbe71 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 1 Feb 2018 11:02:35 -0800 Subject: [PATCH] FIPS Update 1. Moved the rest of the FIPS algorithms to FIPSv2. 2. Updated the fips-check and autogen scripts. 3. Updated the automake include for the crypto files. 4. Updated the example server to use the wolfSSL API and wolfSSL-based OpenSSL compatibility layer. 5. Added error code for the SHA-3 KAT. 6. Updated an test case in the API test for AES-GCM encrypt that is now considered a success case, but the FIPS mode was still treating as a failure. --- autogen.sh | 3 +- examples/server/server.c | 102 +++++++++--------- fips-check.sh | 178 +++++++++++++++++++------------- src/include.am | 99 +++++++++++++----- tests/api.c | 28 ++--- wolfcrypt/src/aes.c | 19 +++- wolfcrypt/src/des3.c | 18 +++- wolfcrypt/src/error.c | 3 + wolfcrypt/src/random.c | 13 +++ wolfcrypt/src/sha.c | 18 +++- wolfcrypt/src/sha3.c | 12 +++ wolfcrypt/src/sha512.c | 19 +++- wolfssl/wolfcrypt/aes.h | 14 ++- wolfssl/wolfcrypt/des3.h | 12 ++- wolfssl/wolfcrypt/error-crypt.h | 3 +- wolfssl/wolfcrypt/sha.h | 12 ++- wolfssl/wolfcrypt/sha512.h | 20 +++- 17 files changed, 390 insertions(+), 183 deletions(-) diff --git a/autogen.sh b/autogen.sh index d9a234a88..60452d180 100755 --- a/autogen.sh +++ b/autogen.sh @@ -18,7 +18,8 @@ if test -e .git; then # touch fips files for non fips distribution touch ./ctaocrypt/src/fips.c touch ./ctaocrypt/src/fips_test.c - touch ./wolfcrypt/src/fipsv2.c + touch ./wolfcrypt/src/fips.c + touch ./wolfcrypt/src/fips_test.c touch ./wolfssl/wolfcrypt/fips.h # touch CAVP selftest files for non-selftest distribution diff --git a/examples/server/server.c b/examples/server/server.c index 0a44095ed..544ff46cf 100644 --- a/examples/server/server.c +++ b/examples/server/server.c 
@@ -23,11 +23,11 @@ #ifdef HAVE_CONFIG_H #include #endif -#include /* name change portability layer */ +#include /* name change portability layer */ -#include +#include #ifdef HAVE_ECC - #include /* ecc_fp_free */ + #include /* ecc_fp_free */ #endif #if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) @@ -39,10 +39,10 @@ #include "wolfssl_MDK_ARM.h" #endif -#include -#include -#ifdef CYASSL_DTLS - #include +#include +#include +#ifdef WOLFSSL_DTLS + #include #endif #include "examples/server/server.h" @@ -75,7 +75,7 @@ static const char webServerMsg[] = int runWithErrors = 0; /* Used with -x flag to run err_sys vs. print errors */ -#ifdef CYASSL_CALLBACKS +#ifdef WOLFSSL_CALLBACKS Timeval srvTo; static int srvHandShakeCB(HandShakeInfo* info) { @@ -117,13 +117,13 @@ static void err_sys_ex(int out, const char* msg) static int NonBlockingSSL_Accept(SSL* ssl) { -#ifndef CYASSL_CALLBACKS +#ifndef WOLFSSL_CALLBACKS int ret = SSL_accept(ssl); #else - int ret = CyaSSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo); + int ret = SSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo); #endif int error = SSL_get_error(ssl, 0); - SOCKET_T sockfd = (SOCKET_T)CyaSSL_get_fd(ssl); + SOCKET_T sockfd = (SOCKET_T)SSL_get_fd(ssl); int select_ret = 0; while (ret != WOLFSSL_SUCCESS && @@ -149,8 +149,8 @@ static int NonBlockingSSL_Accept(SSL* ssl) else #endif { - #ifdef CYASSL_DTLS - currTimeout = CyaSSL_dtls_get_current_timeout(ssl); + #ifdef WOLFSSL_DTLS + currTimeout = wolfSSL_dtls_get_current_timeout(ssl); #endif select_ret = tcp_select(sockfd, currTimeout); } 
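Review bot: `SSL_accept_ex` in the `@@ -117,13` hunk is not an OpenSSL API name, so it only builds if the compatibility header happens to define it; the same holds for `SSL_CTX_use_NTRUPrivateKey_file`, `SSL_CTX_allow_anon_cipher` and `SSL_CTX_UseSNI` in the later `@@ -1081`, `@@ -1137` and `@@ -1179` hunks. All four sit behind `WOLFSSL_CALLBACKS`, `HAVE_NTRU`, `HAVE_ANON` or `HAVE_SNI`, so a default build would not catch a missing mapping. Unless those macros are confirmed to exist, use the native spellings, e.g. `int ret = wolfSSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo);` and `wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, ...)`. NonBlockingSSL_Accept continues past this hunk.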
@@ -163,17 +163,17 @@ static int NonBlockingSSL_Accept(SSL* ssl) #ifndef CYASSL_CALLBACKS ret = SSL_accept(ssl); #else - ret = CyaSSL_accept_ex(ssl, + ret = SSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo); #endif error = SSL_get_error(ssl, 0); } - else if (select_ret == TEST_TIMEOUT && !CyaSSL_dtls(ssl)) { + else if (select_ret == TEST_TIMEOUT && !wolfSSL_dtls(ssl)) { error = WOLFSSL_ERROR_WANT_READ; } - #ifdef CYASSL_DTLS - else if (select_ret == TEST_TIMEOUT && CyaSSL_dtls(ssl) && - CyaSSL_dtls_got_timeout(ssl) >= 0) { + #ifdef WOLFSSL_DTLS + else if (select_ret == TEST_TIMEOUT && wolfSSL_dtls(ssl) && + wolfSSL_dtls_got_timeout(ssl) >= 0) { error = WOLFSSL_ERROR_WANT_READ; } #endif @@ -284,7 +284,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block, static void ServerRead(WOLFSSL* ssl, char* input, int inputLen) { int ret, err; - char buffer[CYASSL_MAX_ERROR_SZ]; + char buffer[WOLFSSL_MAX_ERROR_SZ]; /* Read data */ do { @@ -300,7 +300,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen) } else #endif - #ifdef CYASSL_DTLS + #ifdef WOLFSSL_DTLS if (wolfSSL_dtls(ssl) && err == DECRYPT_ERROR) { printf("Dropped client's message due to a bad MAC\n"); } @@ -322,7 +322,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen) static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen) { int ret, err; - char buffer[CYASSL_MAX_ERROR_SZ]; + char buffer[WOLFSSL_MAX_ERROR_SZ]; do { err = 0; /* reset error */ 
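Review bot: The retry call inside the loop in the `@@ -163,17` hunk is still guarded by the context line `#ifndef CYASSL_CALLBACKS`, while the first accept in the same function was switched to `#ifndef WOLFSSL_CALLBACKS`. If the old macro is no longer defined now that the cyassl headers are dropped (not visible here), a callbacks build would start the handshake with the `_ex` variant and retry it with plain `SSL_accept`, skipping the handshake and timeout callbacks. Change the guard to `#ifndef WOLFSSL_CALLBACKS`. The same applies to `#if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL)` in the `@@ -1731,9` hunk, which now wraps `wolfSSL_Debugging_ON()`. The function body starts outside this hunk.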
@@ -347,10 +347,10 @@ static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen) static void Usage(void) { - printf("server " LIBCYASSL_VERSION_STRING + printf("server " LIBWOLFSSL_VERSION_STRING " NOTE: All files relative to wolfSSL home dir\n"); printf("-? Help, print this usage\n"); - printf("-p Port to listen on, not 0, default %d\n", yasslPort); + printf("-p Port to listen on, not 0, default %d\n", wolfSSLPort); #ifndef WOLFSSL_TLS13 printf("-v SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n", SERVER_DEFAULT_VERSION); @@ -444,7 +444,7 @@ static void Usage(void) #endif } -THREAD_RETURN CYASSL_THREAD server_test(void* args) +THREAD_RETURN WOLFSSL_THREAD server_test(void* args) { SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID; SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID; @@ -528,7 +528,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef HAVE_WNR const char* wnrConfigFile = wnrConfig; #endif - char buffer[CYASSL_MAX_ERROR_SZ]; + char buffer[WOLFSSL_MAX_ERROR_SZ]; #ifdef WOLFSSL_TLS13 int noPskDheKe = 0; #endif @@ -591,7 +591,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) (void)mcastID; (void)useX25519; -#ifdef CYASSL_TIRTOS +#ifdef WOLFSSL_TIRTOS fdOpenSession(Task_self()); #endif @@ -966,7 +966,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) break; #endif /* NO_TLS */ -#ifdef CYASSL_DTLS +#ifdef WOLFSSL_DTLS #ifndef NO_OLD_TLS case -1: method = wolfDTLSv1_server_method_ex; @@ -1025,7 +1025,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) err_sys_ex(runWithErrors, "server can't set cipher list 1"); } -#ifdef CYASSL_LEANPSK +#ifdef WOLFSSL_LEANPSK if (!usePsk) { usePsk = 1; } @@ -1038,7 +1038,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif if (fewerPackets) - CyaSSL_CTX_set_group_messages(ctx); + wolfSSL_CTX_set_group_messages(ctx); #ifdef WOLFSSL_SCTP if (dtlsSCTP) 
@@ -1081,7 +1081,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef HAVE_NTRU if (useNtruKey) { - if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey) + if (SSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "can't load ntru key file, " "Please run from wolfSSL home dir"); @@ -1137,7 +1137,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) if (useAnon) { #ifdef HAVE_ANON - CyaSSL_CTX_allow_anon_cipher(ctx); + SSL_CTX_allow_anon_cipher(ctx); if (cipherList == NULL || (cipherList && useDefCipherList)) { const char* defaultCipherList; defaultCipherList = "ADH-AES256-GCM-SHA384:" @@ -1169,7 +1169,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } #endif -#if defined(CYASSL_SNIFFER) +#if defined(WOLFSSL_SNIFFER) /* don't use EDH, can't sniff tmp keys */ if (cipherList == NULL) { if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS) @@ -1179,7 +1179,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef HAVE_SNI if (sniHostName) - if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName, + if (SSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName, (word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "UseSNI failed"); #endif 
@@ -1287,25 +1287,25 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif #ifdef HAVE_CRL #ifdef HAVE_CRL_MONITOR - crlFlags = CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON; + crlFlags = WOLFSSL_CRL_MONITOR | WOLFSSL_CRL_START_MON; #endif - if (CyaSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS) + if (wolfSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "unable to enable CRL"); - if (CyaSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags) + if (wolfSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "unable to load CRL"); - if (CyaSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS) + if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "unable to set CRL callback url"); #endif #ifdef HAVE_OCSP if (useOcsp) { if (ocspUrl != NULL) { - CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl); - CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE - | CYASSL_OCSP_URL_OVERRIDE); + wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl); + wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE + | WOLFSSL_OCSP_URL_OVERRIDE); } else - CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE); + wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE); } #endif #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ 
@@ -1418,20 +1418,20 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL || needDH == 1) { #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN) - CyaSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM); + wolfSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM); #elif !defined(NO_DH) SetDH(ssl); /* repick suites with DHE, higher priority than PSK */ #endif } -#ifndef CYASSL_CALLBACKS +#ifndef WOLFSSL_CALLBACKS if (nonBlocking) { - CyaSSL_set_using_nonblock(ssl, 1); + wolfSSL_set_using_nonblock(ssl, 1); tcp_set_nonblocking(&clientfd); } #endif -#ifndef CYASSL_CALLBACKS +#ifndef WOLFSSL_CALLBACKS if (nonBlocking) { ret = NonBlockingSSL_Accept(ssl); } @@ -1624,7 +1624,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX) os_dly_wait(500) ; -#elif defined (CYASSL_TIRTOS) +#elif defined (WOLFSSL_TIRTOS) Task_yield(); #endif @@ -1684,7 +1684,7 @@ exit: ecc_fp_free(); /* free per thread cache */ #endif -#ifdef CYASSL_TIRTOS +#ifdef WOLFSSL_TIRTOS fdCloseSession(Task_self()); #endif @@ -1706,7 +1706,7 @@ exit: (void) useNtruKey; (void) ourDhParam; (void) ourCert; -#ifndef CYASSL_TIRTOS +#ifndef WOLFSSL_TIRTOS return 0; #endif } @@ -1731,9 +1731,9 @@ exit: InitTcpReady(&ready); #if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL) - CyaSSL_Debugging_ON(); + wolfSSL_Debugging_ON(); #endif - CyaSSL_Init(); + wolfSSL_Init(); ChangeToWolfRoot(); #ifndef NO_WOLFSSL_SERVER @@ -1746,7 +1746,7 @@ exit: printf("Server not compiled in!\n"); #endif - CyaSSL_Cleanup(); + wolfSSL_Cleanup(); FreeTcpReady(&ready); #ifdef HAVE_WNR diff --git a/fips-check.sh b/fips-check.sh index 4d228e218..e016b09f9 100755 --- a/fips-check.sh +++ b/fips-check.sh 
@@ -11,7 +11,7 @@ # # $ ./fips-check [version] [keep] # -# - version: linux (default), ios, android, windows, freertos, linux-ecc +# - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2 # # - keep: (default off) XXX-fips-test temp dir around for inspection # @@ -29,6 +29,7 @@ function Usage() { printf '\t%s\n' "netbsd-selftest" printf '\t%s\n' "sgx" printf '\t%s\n' "netos-7.6" + printf '\t%s\n' "linuxv2" printf '\n%s\n\n' "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection" printf '%s\n' "EXAMPLE:" printf '%s\n' "---------------------------------" 
@@ -38,38 +39,42 @@ function Usage() { LINUX_FIPS_VERSION=v3.2.6 LINUX_FIPS_REPO=git@github.com:wolfSSL/fips.git -LINUX_CTAO_VERSION=v3.2.6 -LINUX_CTAO_REPO=git@github.com:cyassl/cyassl.git +LINUX_CRYPT_VERSION=v3.2.6 +LINUX_CRYPT_REPO=git@github.com:cyassl/cyassl.git LINUX_ECC_FIPS_VERSION=v3.10.3 LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git -LINUX_ECC_CTAO_VERSION=v3.2.6 -LINUX_ECC_CTAO_REPO=git@github.com:cyassl/cyassl.git +LINUX_ECC_CRYPT_VERSION=v3.2.6 +LINUX_ECC_CRYPT_REPO=git@github.com:cyassl/cyassl.git + +LINUXV2_FIPS_VERSION=fipsv2 +LINUXV2_FIPS_REPO=git@github.com:ejohnstown/fips.git +LINUXV2_CRYPT_VERSION=fipsv2 IOS_FIPS_VERSION=v3.4.8a IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git -IOS_CTAO_VERSION=v3.4.8.fips -IOS_CTAO_REPO=git@github.com:cyassl/cyassl.git +IOS_CRYPT_VERSION=v3.4.8.fips +IOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git ANDROID_FIPS_VERSION=v3.5.0 ANDROID_FIPS_REPO=git@github.com:wolfSSL/fips.git -ANDROID_CTAO_VERSION=v3.5.0 -ANDROID_CTAO_REPO=git@github.com:cyassl/cyassl.git +ANDROID_CRYPT_VERSION=v3.5.0 +ANDROID_CRYPT_REPO=git@github.com:cyassl/cyassl.git WINDOWS_FIPS_VERSION=v3.6.6 WINDOWS_FIPS_REPO=git@github.com:wolfSSL/fips.git -WINDOWS_CTAO_VERSION=v3.6.6 -WINDOWS_CTAO_REPO=git@github.com:cyassl/cyassl.git +WINDOWS_CRYPT_VERSION=v3.6.6 +WINDOWS_CRYPT_REPO=git@github.com:cyassl/cyassl.git FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS FREERTOS_FIPS_REPO=git@github.com:wolfSSL/fips.git -FREERTOS_CTAO_VERSION=v3.6.1 -FREERTOS_CTAO_REPO=git@github.com:cyassl/cyassl.git +FREERTOS_CRYPT_VERSION=v3.6.1 +FREERTOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS OPENRTOS_3_9_2_FIPS_REPO=git@github.com:wolfSSL/fips.git -OPENRTOS_3_9_2_CTAO_VERSION=v3.6.1 -OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git +OPENRTOS_3_9_2_CRYPT_VERSION=v3.6.1 +OPENRTOS_3_9_2_CRYPT_REPO=git@github.com:cyassl/cyassl.git #NOTE: Does not include the SGX examples yet, update version once fipsv2 is # finished and merge 
conflicts can be resolved. This will be tagged as @@ -77,29 +82,28 @@ OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git #SGX_FIPS_VERSION=v3.12.4.sgx-examples SGX_FIPS_VERSION=v3.6.6 SGX_FIPS_REPO=git@github.com:wolfSSL/fips.git -SGX_CTAO_VERSION=v3.12.4 -SGX_CTAO_REPO=git@github.com:cyassl/cyassl.git +SGX_CRYPT_VERSION=v3.12.4 +SGX_CRYPT_REPO=git@github.com:cyassl/cyassl.git NETOS_7_6_FIPS_VERSION=v3.12.6 NETOS_7_6_FIPS_REPO=git@github.com:wolfSSL/fips.git -NETOS_7_6_CTAO_VERSION=v3.12.4 -NETOS_7_6_CTAO_REPO=git@github.com:cyassl/cyassl.git - - -FIPS_SRCS=( fips.c fips_test.c ) -WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random ) -TEST_DIR=XXX-fips-test -WC_INC_PATH=cyassl/ctaocrypt -WC_SRC_PATH=ctaocrypt/src -CAVP_SELFTEST_ONLY="no" +NETOS_7_6_CRYPT_VERSION=v3.12.4 +NETOS_7_6_CRYPT_REPO=git@github.com:cyassl/cyassl.git # non-FIPS, CAVP only but pull in selftest # will reset above variables below in platform switch NETBSD_FIPS_VERSION=v3.14.2a NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git -NETBSD_CTAO_VERSION=v3.14.2 -NETBSD_CTAO_REPO=git@github.com:wolfssl/wolfssl.git +NETBSD_CRYPT_VERSION=v3.14.2 +NETBSD_CRYPT_REPO=git@github.com:wolfssl/wolfssl.git +FIPS_SRCS=( fips.c fips_test.c ) +WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random ) +TEST_DIR=XXX-fips-test +CRYPT_INC_PATH=cyassl/ctaocrypt +CRYPT_SRC_PATH=ctaocrypt/src +FIPS_OPTION=v1 +CAVP_SELFTEST_ONLY="no" if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi 
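Review bot: `LINUXV2_FIPS_REPO` points at a personal fork (`git@github.com:ejohnstown/fips.git`), and both `LINUXV2_FIPS_VERSION` and `LINUXV2_CRYPT_VERSION` are `fipsv2`, whereas every other platform pulls a version-style tag such as `v3.2.6` from `wolfSSL/fips.git`. If `fipsv2` is a branch, as the name suggests, the sources this script builds and hashes can change without the script changing, so the resulting in-core hash is neither reproducible nor tied to a reviewed revision. Before this is used for a release, point it at the organisation repository and a fixed tag or commit. Until then, mark it in the script, e.g. `# TODO: temporary fork/branch, replace with tagged release in wolfSSL/fips.git`.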
@@ -109,68 +113,79 @@ case $PLATFORM in ios) FIPS_VERSION=$IOS_FIPS_VERSION FIPS_REPO=$IOS_FIPS_REPO - CTAO_VERSION=$IOS_CTAO_VERSION - CTAO_REPO=$IOS_CTAO_REPO + CRYPT_VERSION=$IOS_CRYPT_VERSION + CRYPT_REPO=$IOS_CRYPT_REPO ;; android) FIPS_VERSION=$ANDROID_FIPS_VERSION FIPS_REPO=$ANDROID_FIPS_REPO - CTAO_VERSION=$ANDROID_CTAO_VERSION - CTAO_REPO=$ANDROID_CTAO_REPO + CRYPT_VERSION=$ANDROID_CRYPT_VERSION + CRYPT_REPO=$ANDROID_CRYPT_REPO ;; windows) FIPS_VERSION=$WINDOWS_FIPS_VERSION FIPS_REPO=$WINDOWS_FIPS_REPO - CTAO_VERSION=$WINDOWS_CTAO_VERSION - CTAO_REPO=$WINDOWS_CTAO_REPO + CRYPT_VERSION=$WINDOWS_CRYPT_VERSION + CRYPT_REPO=$WINDOWS_CRYPT_REPO ;; freertos) FIPS_VERSION=$FREERTOS_FIPS_VERSION FIPS_REPO=$FREERTOS_FIPS_REPO - CTAO_VERSION=$FREERTOS_CTAO_VERSION - CTAO_REPO=$FREERTOS_CTAO_REPO + CRYPT_VERSION=$FREERTOS_CRYPT_VERSION + CRYPT_REPO=$FREERTOS_CRYPT_REPO ;; openrtos-3.9.2) FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO - CTAO_VERSION=$OPENRTOS_3_9_2_CTAO_VERSION - CTAO_REPO=$OPENRTOS_3_9_2_CTAO_REPO + CRYPT_VERSION=$OPENRTOS_3_9_2_CRYPT_VERSION + CRYPT_REPO=$OPENRTOS_3_9_2_CRYPT_REPO FIPS_CONFLICTS=( aes hmac random sha256 ) ;; linux) FIPS_VERSION=$LINUX_FIPS_VERSION FIPS_REPO=$LINUX_FIPS_REPO - CTAO_VERSION=$LINUX_CTAO_VERSION - CTAO_REPO=$LINUX_CTAO_REPO + CRYPT_VERSION=$LINUX_CRYPT_VERSION + CRYPT_REPO=$LINUX_CRYPT_REPO ;; linux-ecc) FIPS_VERSION=$LINUX_ECC_FIPS_VERSION FIPS_REPO=$LINUX_ECC_FIPS_REPO - CTAO_VERSION=$LINUX_ECC_CTAO_VERSION - CTAO_REPO=$LINUX_ECC_CTAO_REPO + CRYPT_VERSION=$LINUX_ECC_CRYPT_VERSION + CRYPT_REPO=$LINUX_ECC_CRYPT_REPO + ;; +linuxv2) + FIPS_VERSION=$LINUXV2_FIPS_VERSION + FIPS_REPO=$LINUXV2_FIPS_REPO + CRYPT_VERSION=$LINUXV2_CRYPT_VERSION + CRYPT_INC_PATH=wolfssl/wolfcrypt + CRYPT_SRC_PATH=wolfcrypt/src + WC_MODS+=( cmac dh ) + FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) + FIPS_INCS=( fips.h ) + FIPS_OPTION=v2 ;; netbsd-selftest) FIPS_VERSION=$NETBSD_FIPS_VERSION 
FIPS_REPO=$NETBSD_FIPS_REPO - CTAO_VERSION=$NETBSD_CTAO_VERSION - CTAO_REPO=$NETBSD_CTAO_REPO + CRYPT_VERSION=$NETBSD_CRYPT_VERSION + CRYPT_REPO=$NETBSD_CRYPT_REPO FIPS_SRCS=( selftest.c ) WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random ) - WC_INC_PATH=wolfssl/wolfcrypt - WC_SRC_PATH=wolfcrypt/src + CRYPT_INC_PATH=wolfssl/wolfcrypt + CRYPT_SRC_PATH=wolfcrypt/src CAVP_SELFTEST_ONLY="yes" ;; sgx) FIPS_VERSION=$SGX_FIPS_VERSION FIPS_REPO=$SGX_FIPS_REPO - CTAO_VERSION=$SGX_CTAO_VERSION - CTAO_REPO=$SGX_CTAO_REPO + CRYPT_VERSION=$SGX_CRYPT_VERSION + CRYPT_REPO=$SGX_CRYPT_REPO ;; netos-7.6) FIPS_VERSION=$NETOS_7_6_FIPS_VERSION FIPS_REPO=$NETOS_7_6_FIPS_REPO - CTAO_VERSION=$NETOS_7_6_CTAO_VERSION - CTAO_REPO=$NETOS_7_6_CTAO_REPO + CRYPT_VERSION=$NETOS_7_6_CRYPT_VERSION + CRYPT_REPO=$NETOS_7_6_CRYPT_REPO ;; *) Usage 
@@ -182,27 +197,37 @@ git clone . $TEST_DIR pushd $TEST_DIR -# make a clone of the last FIPS release tag -git clone -b $CTAO_VERSION $CTAO_REPO old-tree -[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1 - -for MOD in ${WC_MODS[@]} -do - cp old-tree/$WC_SRC_PATH/${MOD}.c $WC_SRC_PATH - cp old-tree/$WC_INC_PATH/${MOD}.h $WC_INC_PATH -done - -# The following is temporary. We are using random.c from a separate release -# This is forcefully overwriting any other checkout of the cyassl sources. -# Removing this as default behavior for SGX and netos projects. -if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \ - [ "x$PLATFORM" != "xnetos-7.6" ]; +if [ "x$FIPS_OPTION" == "xv1" ]; then - pushd old-tree - git checkout v3.6.0 - popd - cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH - cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH + # make a clone of the last FIPS release tag + git clone -b $CRYPT_VERSION $CRYPT_REPO old-tree + [ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1 + + for MOD in ${WC_MODS[@]} + do + cp old-tree/$CRYPT_SRC_PATH/${MOD}.c $CRYPT_SRC_PATH + cp old-tree/$CRYPT_INC_PATH/${MOD}.h $CRYPT_INC_PATH + done + + # The following is temporary. We are using random.c from a separate release + # This is forcefully overwriting any other checkout of the cyassl sources. + # Removing this as default behavior for SGX and netos projects. + if [ "x$CAVP_SELFTEST_ONLY" == "xno" ] && [ "x$PLATFORM" != "xsgx" ] && \ + [ "x$PLATFORM" != "xnetos-7.6" ]; + then + pushd old-tree + git checkout v3.6.0 + popd + cp old-tree/$CRYPT_SRC_PATH/random.c $CRYPT_SRC_PATH + cp old-tree/$CRYPT_INC_PATH/random.h $CRYPT_INC_PATH + fi +else + git branch --track $CRYPT_VERSION origin/$CRYPT_VERSION + # Checkout the fips versions of the wolfCrypt files from the repo. + for MOD in ${WC_MODS[@]} + do + git checkout $CRYPT_VERSION -- $CRYPT_SRC_PATH/$MOD.c $CRYPT_INC_PATH/$MOD.h + done fi # clone the FIPS repository 
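Review bot: The new `else` (v2) branch runs `git branch --track $CRYPT_VERSION origin/$CRYPT_VERSION` and the per-module `git checkout $CRYPT_VERSION -- ...` without testing the exit status, while the v1 branch checks `$?` right after its clone. Because `$TEST_DIR` is a clone of the local tree (`git clone . $TEST_DIR`), a missing `fipsv2` ref makes both commands fail, and the script then builds and hashes whatever non-FIPS sources were already checked out. Fail fast instead, e.g. `git branch --track "$CRYPT_VERSION" "origin/$CRYPT_VERSION" || exit 1` and `|| exit 1` on the checkout inside the loop. Quoting the expansions (`"$CRYPT_SRC_PATH/$MOD.c"`) would also keep odd paths from word-splitting.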
@@ -211,7 +236,12 @@ git clone -b $FIPS_VERSION $FIPS_REPO fips for SRC in ${FIPS_SRCS[@]} do - cp fips/$SRC $WC_SRC_PATH + cp fips/$SRC $CRYPT_SRC_PATH +done + +for INC in ${FIPS_INCS[@]} +do + cp fips/$INC $CRYPT_INC_PATH done # run the make test @@ -220,7 +250,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xyes" ]; then ./configure --enable-selftest else - ./configure --enable-fips + ./configure --enable-fips=$FIPS_OPTION fi make [ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1 @@ -229,7 +259,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xno" ]; then NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'` if [ -n "$NEWHASH" ]; then - sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c + sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $CRYPT_SRC_PATH/fips_test.c make clean fi fi diff --git a/src/include.am b/src/include.am index bdf4217f6..dac9adaf1 100644 --- a/src/include.am +++ b/src/include.am @@ -23,33 +23,19 @@ ipp_DATA = $(IPPLIBS) include_HEADERS+=$(IPPHEADERS) endif # BUILD_FAST_RSA -# fips first file if BUILD_FIPS +if !BUILD_FIPS_V2 +# fips first file src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_first.c -if BUILD_FIPS_V2 src_libwolfssl_la_SOURCES += \ - wolfcrypt/src/hmac.c \ - wolfcrypt/src/random.c \ - wolfcrypt/src/sha256.c -else -src_libwolfssl_la_SOURCES += \ - ctaocrypt/src/hmac.c + ctaocrypt/src/hmac.c \ ctaocrypt/src/random.c \ ctaocrypt/src/sha256.c -endif if BUILD_RSA -if BUILD_FIPS_V2 -src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c -else src_libwolfssl_la_SOURCES += ctaocrypt/src/rsa.c endif -endif - -if BUILD_ECC -src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c -endif if BUILD_AES src_libwolfssl_la_SOURCES += ctaocrypt/src/aes.c 
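Review bot: `FIPS_INCS` is assigned only in the `linuxv2` case, so on every other platform the new `for INC in ${FIPS_INCS[@]}` loop depends on an unset array expanding to nothing. Give it a default next to `FIPS_SRCS`, e.g. `FIPS_INCS=()`, so the intent is explicit and the script survives `set -u`. The result of `cp fips/$INC $CRYPT_INC_PATH` is not checked either, so a missing `fips.h` would only show up later as a compile failure.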
@@ -67,16 +53,72 @@ if BUILD_SHA512 src_libwolfssl_la_SOURCES += ctaocrypt/src/sha512.c endif -if BUILD_FIPS_V2 -src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c -endif - src_libwolfssl_la_SOURCES += ctaocrypt/src/fips.c -src_libwolfssl_la_SOURCES += wolfcrypt/src/fipsv2.c src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c # fips last file src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c + +else + +# FIPSv2 first file +src_libwolfssl_la_SOURCES += \ + wolfcrypt/src/wolfcrypt_first.c + +src_libwolfssl_la_SOURCES += \ + wolfcrypt/src/hmac.c \ + wolfcrypt/src/random.c \ + wolfcrypt/src/sha256.c + +if BUILD_RSA +src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c +endif + +if BUILD_ECC +src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c +endif + +if BUILD_AES +src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c +endif + +if BUILD_DES3 +src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c +endif + +if BUILD_SHA +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c +endif + +if BUILD_SHA512 +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c +endif + +if BUILD_SHA3 +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c +endif + +if BUILD_DH +src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c +endif + +if BUILD_CMAC +src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c +endif + +src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \ + wolfcrypt/src/fips_test.c + +# fips last file +src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c +endif +endif + +# For FIPSV2, exclude the wolfCrypt files included above. +# For old FIPS, keep the wolfCrypt versions of the +# CtaoCrypt files included above. +if !BUILD_FIPS_V2 +src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c endif # CAVP self test @@ -85,7 +127,6 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c endif src_libwolfssl_la_SOURCES += \ - wolfcrypt/src/hmac.c \ wolfcrypt/src/hash.c \ wolfcrypt/src/cpuid.c 
@@ -142,28 +183,38 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_int.c endif endif +if !BUILD_FIPS_V2 if BUILD_AES src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c if BUILD_ARMASM src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c endif endif +endif +if !BUILD_FIPS_V2 if BUILD_CMAC src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c endif +endif +if !BUILD_FIPS_V2 if BUILD_DES3 src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c endif +endif +if !BUILD_FIPS_V2 if BUILD_SHA src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c endif +endif +if !BUILD_FIPS_V2 if BUILD_SHA512 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c endif +endif if !BUILD_FIPS_V2 if BUILD_SHA3 @@ -183,9 +234,11 @@ if BUILD_MEMORY src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c endif +if !BUILD_FIPS_V2 if BUILD_DH src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c endif +endif if BUILD_ASN src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c diff --git a/tests/api.c b/tests/api.c index 11bcbded3..33f8836e1 100644 --- a/tests/api.c +++ b/tests/api.c @@ -8400,19 +8400,21 @@ static int test_wc_AesGcmEncryptDecrypt (void) sizeof(vector), iv, sizeof(iv)/sizeof(byte), resultT, sizeof(resultT) - 5, a, sizeof(a)); } - if (gcmE == BAD_FUNC_ARG) { - gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV, - sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT), - a, sizeof(a)); - } - #ifdef HAVE_FIPS - if (gcmE == BAD_FUNC_ARG) { - gcmE = 0; - } else { - gcmE = WOLFSSL_FATAL_ERROR; - } - #endif - } /* END wc_AesGcmEncrypt */ + + if (gcmE == BAD_FUNC_ARG) { + gcmE = 0; + } else { + gcmE = WOLFSSL_FATAL_ERROR; + } + } + + /* This case is now considered good. Long IVs are now allowed. */ + if (gcmE == 0) { + gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV, + sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT), + a, sizeof(a)); + } + /* END wc_AesGcmEncrypt */ printf(resultFmt, gcmE == 0 ? passed : failed); if (gcmE != 0) { 
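Review bot: In the tests/api.c hunk the long-IV case now asserts only that `wc_AesGcmEncrypt` returns 0 with `longIV`; nothing checks the ciphertext or tag it produced. Since this input moves from rejected to accepted, follow it with a `wc_AesGcmDecrypt` using the same `longIV` and compare the result with `vector`, or compare against a known-answer vector for a long IV. The call also overwrites `enc` and `resultT`; if code after the hunk decrypts those buffers with the short `iv`, authentication would fail. The rest of test_wc_AesGcmEncryptDecrypt is outside the hunk, so that needs confirming. A short comment such as `/* long IV: expect success, output verified by round-trip below */` would record the intent.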
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 906f360f5..fba9e87bb 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -28,12 +28,27 @@ #include #if !defined(NO_AES) + +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + + /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ + #define FIPS_NO_WRAPPERS + + #ifdef USE_WINDOWS_API + #pragma code_seg(".fipsA$d") + #pragma const_seg(".fipsB$d") + #endif +#endif + #include #include /* fips wrapper calls, user can call direct */ -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) + int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv, int dir) { @@ -228,7 +243,7 @@ AesFree(aes); */ } -#else /* HAVE_FIPS */ +#else /* else build without fips, or for FIPS v2 */ #if defined(WOLFSSL_TI_CRYPT) diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c index ab07fde65..33576e0ff 100644 --- a/wolfcrypt/src/des3.c +++ b/wolfcrypt/src/des3.c @@ -31,10 +31,24 @@ #ifndef NO_DES3 +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + + /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ + #define FIPS_NO_WRAPPERS + + #ifdef USE_WINDOWS_API + #pragma code_seg(".fipsA$d") + #pragma const_seg(".fipsB$d") + #endif +#endif + #include /* fips wrapper calls, user can call direct */ -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) + int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir) { return Des_SetKey(des, key, iv, dir); @@ -107,7 +121,7 @@ Des3Free(des3); */ } -#else /* build without fips */ +#else /* else build without fips, or for FIPS v2 */ #if defined(WOLFSSL_TI_CRYPT) diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index cd9991152..c7a304408 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c 
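Review bot: The identical pair `#pragma code_seg(".fipsA$d")` / `#pragma const_seg(".fipsB$d")` is added to aes.c and des3.c here, and to random.c, sha.c, sha3.c and sha512.c in the following hunks. If the `$` suffix is meant to fix where each object lands between wolfcrypt_first.c and wolfcrypt_last.c for the integrity check, sharing `$d` leaves the relative order of these six files to linker input order. Either give each file its own suffix or state in a comment that order within `$d` does not matter. The existing comment explains only `FIPS_NO_WRAPPERS`; add one for the pragmas, e.g. `/* place code and constants in the FIPS module boundary sections */`. Since the guard is pasted six times, consider moving it to one shared header so the copies cannot drift.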
@@ -464,6 +464,9 @@ const char* wc_GetErrorString(int error) case AESCCM_KAT_FIPS_E: return "AESCCM Known Answer Test check FIPS error"; + case SHA3_KAT_FIPS_E: + return "SHA-3 Known Answer Test check FIPS error"; + default: return "unknown error number"; diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 3755a30cb..b98fa6516 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -32,6 +32,19 @@ */ +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + + /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ + #define FIPS_NO_WRAPPERS + + #ifdef USE_WINDOWS_API + #pragma code_seg(".fipsA$d") + #pragma const_seg(".fipsB$d") + #endif +#endif + + #include #include diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 3a4a97376..548fd0f20 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -28,11 +28,25 @@ #if !defined(NO_SHA) +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + + /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ + #define FIPS_NO_WRAPPERS + + #ifdef USE_WINDOWS_API + #pragma code_seg(".fipsA$d") + #pragma const_seg(".fipsB$d") + #endif +#endif + #include #include /* fips wrapper calls, user can call direct */ -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) + int wc_InitSha(wc_Sha* sha) { if (sha == NULL) { @@ -71,7 +85,7 @@ /* Not supported in FIPS */ } -#else /* else build without fips */ +#else /* else build without fips, or for FIPS v2 */ #if defined(WOLFSSL_TI_HASH) diff --git a/wolfcrypt/src/sha3.c b/wolfcrypt/src/sha3.c index 82305c903..721bb45a1 100644 --- a/wolfcrypt/src/sha3.c +++ b/wolfcrypt/src/sha3.c 
@@ -28,6 +28,18 @@ #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT) +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + + /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ + #define FIPS_NO_WRAPPERS + + #ifdef USE_WINDOWS_API + #pragma code_seg(".fipsA$d") + #pragma const_seg(".fipsB$d") + #endif +#endif + #include #include diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index b96b29ad6..b50d8528d 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -27,6 +27,19 @@ #include #ifdef WOLFSSL_SHA512 + +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + + /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ + #define FIPS_NO_WRAPPERS + + #ifdef USE_WINDOWS_API + #pragma code_seg(".fipsA$d") + #pragma const_seg(".fipsB$d") + #endif +#endif + #include #include #include @@ -37,7 +50,9 @@ #endif /* fips wrapper calls, user can call direct */ -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) + int wc_InitSha512(wc_Sha512* sha) { if (sha == NULL) { @@ -115,7 +130,7 @@ } #endif /* WOLFSSL_SHA384 || HAVE_AESGCM */ -#else /* else build without using fips */ +#else /* else build without fips, or for FIPS v2 */ #include diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index d85635294..212ded476 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -31,8 +31,14 @@ #ifndef NO_AES +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + #include +#endif /* HAVE_FIPS_VERSION >= 2 */ + /* included for fips @wc_fips */ -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) #include #if defined(CYASSL_AES_COUNTER) && !defined(WOLFSSL_AES_COUNTER) #define WOLFSSL_AES_COUNTER 
@@ -63,7 +69,7 @@ #endif /* these are required for FIPS and non-FIPS */ -enum { +enum { AES_128_KEY_SIZE = 16, /* for 128 bit */ AES_192_KEY_SIZE = 24, /* for 192 bit */ AES_256_KEY_SIZE = 32, /* for 256 bit */ @@ -72,7 +78,9 @@ enum { }; -#ifndef HAVE_FIPS /* to avoid redefinition of structures */ +/* avoid redefinition of structs */ +#if !defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) #ifdef WOLFSSL_ASYNC_CRYPT #include diff --git a/wolfssl/wolfcrypt/des3.h b/wolfssl/wolfcrypt/des3.h index 7d6297356..c4312ab69 100644 --- a/wolfssl/wolfcrypt/des3.h +++ b/wolfssl/wolfcrypt/des3.h @@ -30,7 +30,13 @@ #ifndef NO_DES3 -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + #include +#endif /* HAVE_FIPS_VERSION >= 2 */ + +#if defined(HAVE_FIPS) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) /* included for fips @wc_fips */ #include #endif @@ -47,7 +53,9 @@ enum { }; -#ifndef HAVE_FIPS /* to avoid redefinition of macros */ +/* avoid redefinition of structs */ +#if !defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) #ifdef WOLFSSL_ASYNC_CRYPT #include diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 7c903e1d2..0ff9d6907 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -206,8 +206,9 @@ enum { ECDSA_PAT_FIPS_E = -255, /* ECDSA PAT failure */ DH_KAT_FIPS_E = -256, /* DH KAT failure */ AESCCM_KAT_FIPS_E = -257, /* AESCCM KAT failure */ + SHA3_KAT_FIPS_E = -258, /* SHA-3 KAT failure */ - WC_LAST_E = -257, /* Update this to indicate last error */ + WC_LAST_E = -258, /* Update this to indicate last error */ MIN_CODE_E = -300 /* errors -101 - -299 */ /* add new companion error id strings for any new error codes diff --git a/wolfssl/wolfcrypt/sha.h b/wolfssl/wolfcrypt/sha.h index 8e3519f50..8fc1d4f5d 100644 --- a/wolfssl/wolfcrypt/sha.h +++ b/wolfssl/wolfcrypt/sha.h 
@@ -31,7 +31,13 @@ #ifndef NO_SHA -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + #include +#endif /* HAVE_FIPS_VERSION >= 2 */ + +#if defined(HAVE_FIPS) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) #define wc_Sha Sha #define WC_SHA SHA #define WC_SHA_BLOCK_SIZE SHA_BLOCK_SIZE @@ -50,7 +56,9 @@ extern "C" { #endif -#ifndef HAVE_FIPS /* avoid redefining structs */ +/* avoid redefinition of structs */ +#if !defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) #ifdef WOLFSSL_MICROCHIP_PIC32MZ #include diff --git a/wolfssl/wolfcrypt/sha512.h b/wolfssl/wolfcrypt/sha512.h index ec93e80ef..279b43383 100644 --- a/wolfssl/wolfcrypt/sha512.h +++ b/wolfssl/wolfcrypt/sha512.h @@ -1,6 +1,6 @@ /* sha512.h * - * Copyright (C) 2006-2017 wolfSSL Inc. + * Copyright (C) 2006-2018 wolfSSL Inc. * * This file is part of wolfSSL. * @@ -31,8 +31,13 @@ #ifdef WOLFSSL_SHA512 -/* for fips @wc_fips */ -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) && \ + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + #include +#endif /* HAVE_FIPS_VERSION >= 2 */ + +#if defined(HAVE_FIPS) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) #define wc_Sha512 Sha512 #define WC_SHA512 SHA512 #define WC_SHA512_BLOCK_SIZE SHA512_BLOCK_SIZE @@ -50,6 +55,7 @@ #if defined(WOLFSSL_SHA384) #define CYASSL_SHA384 #endif + /* for fips @wc_fips */ #include #endif @@ -57,7 +63,9 @@ extern "C" { #endif -#ifndef HAVE_FIPS /* avoid redefinition of structs */ +/* avoid redefinition of structs */ +#if !defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) #ifdef WOLFSSL_ASYNC_CRYPT #include 
@@ -121,7 +129,9 @@ WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst); #if defined(WOLFSSL_SHA384) -#ifndef HAVE_FIPS /* avoid redefinition of structs */ +/* avoid redefinition of structs */ +#if !defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) #ifndef NO_OLD_WC_NAMES #define Sha384 wc_Sha384