From d9073f39e1d92cf0b54bb30d8227a9c9831f0ab8 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 27 Jan 2022 17:04:43 -0600 Subject: [PATCH 1/3] fips_test.h: add arg names to prototypes, and delete obsolete+unused DoIntegrityTest() prototype. --- wolfssl/wolfcrypt/fips_test.h | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/wolfssl/wolfcrypt/fips_test.h b/wolfssl/wolfcrypt/fips_test.h index d2e986714..7c25f10c9 100644 --- a/wolfssl/wolfcrypt/fips_test.h +++ b/wolfssl/wolfcrypt/fips_test.h @@ -77,16 +77,15 @@ WOLFSSL_API const char* wolfCrypt_GetCoreHash_fips(void); #ifdef HAVE_FORCE_FIPS_FAILURE /* Public function to force failure mode for operational testing */ - WOLFSSL_API int wolfCrypt_SetStatus_fips(int); + WOLFSSL_API int wolfCrypt_SetStatus_fips(int status); #endif -WOLFSSL_LOCAL int DoIntegrityTest(char*, int); -WOLFSSL_LOCAL int DoPOST(char*, int); -WOLFSSL_LOCAL int DoCAST(int); -WOLFSSL_LOCAL int DoKnownAnswerTests(char*, int); /* FIPSv1 and FIPSv2 */ +WOLFSSL_LOCAL int DoPOST(char* base16_hash, int base16_hashSz); +WOLFSSL_LOCAL int DoCAST(int type); +WOLFSSL_LOCAL int DoKnownAnswerTests(char* base16_hash, int base16_hashSz); /* FIPSv1 and FIPSv2 */ -WOLFSSL_API int wc_RunCast_fips(int); -WOLFSSL_API int wc_GetCastStatus_fips(int); +WOLFSSL_API int wc_RunCast_fips(int type); +WOLFSSL_API int wc_GetCastStatus_fips(int type); #ifdef __cplusplus } /* extern "C" */ From 19042023f4f253a9d6a9a6f97169ba129fddd8fc Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 27 Jan 2022 18:14:14 -0600 Subject: [PATCH 2/3] MD5 vs. FIPS 140-3: fix gating so that unit.test succeeds when --enable-fips=v5 --enable-md5 (HMAC-MD5 is non-FIPS in 140-3, but even in a FIPS 140-3 build, the non-FIPS API can be accessed directly by #undef'ing wc_Hmac*()). --- tests/api.c | 13 +++++++++++-- tests/hash.c | 3 ++- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/api.c b/tests/api.c index faff69bca..98b37748f 100644 --- a/tests/api.c +++ b/tests/api.c @@ -13772,9 +13772,18 @@ static int test_wc_Md5HmacSetKey (void) for (itr = 0; itr < times; itr++) { ret = wc_HmacSetKey(&hmac, WC_MD5, (byte*)keys[itr], (word32)XSTRLEN(keys[itr])); +#if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5) + wc_HmacFree(&hmac); + if (ret == BAD_FUNC_ARG) + return 0; + else { + return WOLFSSL_FATAL_ERROR; + } +#else if (ret != 0) { flag = ret; } +#endif } /* Bad args. */ @@ -14166,7 +14175,7 @@ static int test_wc_Sha384HmacSetKey (void) static int test_wc_Md5HmacUpdate (void) { int flag = 0; -#if !defined(NO_HMAC) && !defined(NO_MD5) +#if !defined(NO_HMAC) && !defined(NO_MD5) && !(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5)) Hmac hmac; testVector a, b; int ret; @@ -14567,7 +14576,7 @@ static int test_wc_Sha384HmacUpdate (void) static int test_wc_Md5HmacFinal (void) { int flag = 0; -#if !defined(NO_HMAC) && !defined(NO_MD5) +#if !defined(NO_HMAC) && !defined(NO_MD5) && !(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5)) Hmac hmac; byte hash[WC_MD5_DIGEST_SIZE]; testVector a; diff --git a/tests/hash.c b/tests/hash.c index fd5e79c64..de62bd1bf 100644 --- a/tests/hash.c +++ b/tests/hash.c @@ -130,7 +130,8 @@ int HashTest(void) #endif #ifndef NO_HMAC - #ifndef NO_MD5 + #if !defined(NO_MD5) && !(defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) \ + && (HAVE_FIPS_VERSION >= 5)) if ( (ret = hmac_md5_test()) ) { printf( " HMAC-MD5 test failed!\n"); return ret; From 30b20732288857cf9e3e3efa6de3db76b097fdcc Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 27 Jan 2022 19:54:07 -0600 Subject: [PATCH 3/3] test.c: fix gating on wc_ecc_encrypt_ex() for FIPS <5.3 --enable-all. --- wolfcrypt/test/test.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 160fb26be..463aecf6b 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -24642,7 +24642,8 @@ WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void) ret = -10412; goto done; } -#ifdef HAVE_COMP_KEY +#if defined(HAVE_COMP_KEY) && \ + (! defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) /* Create new client and server contexts. */ wc_ecc_ctx_free(srvCtx); wc_ecc_ctx_free(cliCtx); @@ -24700,7 +24701,7 @@ WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void) if (XMEMCMP(plain, msg, sizeof(msg)) != 0) { ret = -10419; goto done; } -#endif /* HAVE_COMP_KEY */ +#endif /* HAVE_COMP_KEY && (!FIPS || FIPS>=5.3) */ #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 ret = ecc_encrypt_kat(&rng);