FIPS Revalidation/Test Fixes

1. For FIPSv2 builds, changed the FP_MAX_BITS to 6144. 2. Fixed bug in HMAC-SHA-3 where the digest size was being used instead of the block size for processing the key.
2018-03-26 17:30:07 -07:00 · 2018-03-26 17:30:07 -07:00 · 27470aa704
commit 27470aa704
parent 8fb3a0c078
2 changed files with 5 additions and 5 deletions
--- a/configure.ac
+++ b/configure.ac
@ -2043,7 +2043,7 @@ then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
    # Add the FIPS flag.
    AS_IF([test "x$FIPS_VERSION" = "xv2"],
-          [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING"
+          [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DFP_MAX_BITS=6144"
           ENABLED_KEYGEN="yes"
           ENABLED_SHA224="yes"
           AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@ -462,7 +462,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
    #ifdef WOLFSSL_SHA3
        case WC_SHA3_224:
            hmac_block_size = WC_SHA3_224_BLOCK_SIZE;
-            if (length <= WC_SHA3_224_DIGEST_SIZE) {
+            if (length <= WC_SHA3_224_BLOCK_SIZE) {
                if (key != NULL) {
                    XMEMCPY(ip, key, length);
                }
@ -480,7 +480,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
            break;
        case WC_SHA3_256:
            hmac_block_size = WC_SHA3_256_BLOCK_SIZE;
-            if (length <= WC_SHA3_256_DIGEST_SIZE) {
+            if (length <= WC_SHA3_256_BLOCK_SIZE) {
                if (key != NULL) {
                    XMEMCPY(ip, key, length);
                }
@ -498,7 +498,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
            break;
        case WC_SHA3_384:
            hmac_block_size = WC_SHA3_384_BLOCK_SIZE;
-            if (length <= WC_SHA3_384_DIGEST_SIZE) {
+            if (length <= WC_SHA3_384_BLOCK_SIZE) {
                if (key != NULL) {
                    XMEMCPY(ip, key, length);
                }
@ -516,7 +516,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
            break;
        case WC_SHA3_512:
            hmac_block_size = WC_SHA3_512_BLOCK_SIZE;
-            if (length <= WC_SHA3_512_DIGEST_SIZE) {
+            if (length <= WC_SHA3_512_BLOCK_SIZE) {
                if (key != NULL) {
                    XMEMCPY(ip, key, length);
                }