The minimal changes needed to add KCAPI support with fips-ready
This commit is contained in:
kaleb-himes
parent
8609d98122
commit
7cccaa98b7
45
configure.ac
45
configure.ac
@ -1850,7 +1850,7 @@ then
|
|||||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
|
||||||
fi
|
fi
|
||||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_AES"
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_AES"
|
||||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HASH"
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HASH -DWOLFSSL_KCAPI_HASH_KEEP"
|
||||||
# Linux Kernel doesn't support truncated SHA512 algorithms
|
# Linux Kernel doesn't support truncated SHA512 algorithms
|
||||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
|
||||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HMAC"
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KCAPI_HMAC"
|
||||||
@ -3425,7 +3425,7 @@ fi
|
|||||||
|
|
||||||
# FIPS
|
# FIPS
|
||||||
AS_CASE([$FIPS_VERSION],
|
AS_CASE([$FIPS_VERSION],
|
||||||
[v5*], [ # FIPS 140-3, including 140-3 ready
|
[v5], [ # FIPS 140-3
|
||||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_ECDSA_SET_K"
|
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_ECDSA_SET_K"
|
||||||
ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"
|
ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"
|
||||||
# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
|
# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
|
||||||
@ -3466,6 +3466,47 @@ AS_CASE([$FIPS_VERSION],
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
],
|
],
|
||||||
|
[v5-ready], [ # FIPS 140-3 ready
|
||||||
|
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_ECDSA_SET_K"
|
||||||
|
ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"
|
||||||
|
# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
|
||||||
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
|
||||||
|
ENABLED_SHAKE256=no
|
||||||
|
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
|
||||||
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
|
||||||
|
AS_IF([test "x$ENABLED_AESCCM" = "xyes"], # AESCCM optional with fips-ready
|
||||||
|
[AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
|
||||||
|
AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
|
||||||
|
[ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
|
||||||
|
AS_IF([test "x$ENABLED_ECC" != "xyes"],
|
||||||
|
[ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
|
||||||
|
AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
|
||||||
|
[AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
|
||||||
|
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DWOLFSSL_VALIDATE_ECC_KEYGEN"])
|
||||||
|
AS_IF([test "x$ENABLED_AESCTR" = "xyes"],
|
||||||
|
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) # AESCTR optional with fips-ready
|
||||||
|
AS_IF([test "x$ENABLED_CMAC" = "xyes"],
|
||||||
|
[AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) # CMAC optional with fips-ready
|
||||||
|
AS_IF([test "x$ENABLED_HKDF" != "xyes"],
|
||||||
|
[ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
|
||||||
|
AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
|
||||||
|
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
|
||||||
|
AS_IF([test "x$ENABLED_SHA512" = "xno"],
|
||||||
|
[ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
|
||||||
|
AS_IF([test "x$ENABLED_AESGCM" = "xyes"],
|
||||||
|
[AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) # GCM optional with fips-ready
|
||||||
|
AS_IF([test "x$ENABLED_MD5" = "xyes"],[ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
|
||||||
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DECC_USER_CURVES -DHAVE_ECC192 -DHAVE_ECC224 -DHAVE_ECC256 -DHAVE_ECC384 -DHAVE_ECC521"
|
||||||
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECDSA_SET_K -DWC_RNG_SEED_CB"
|
||||||
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
|
||||||
|
AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_3072 -DHAVE_FFDHE_4096 -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192"
|
||||||
|
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
|
||||||
|
if test $HAVE_FIPS_VERSION_MINOR -ge 2; then
|
||||||
|
if test "x$ENABLED_AESOFB" = "xyes"; then # AESOFB optional with fips-ready
|
||||||
|
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
],
|
||||||
["v3"],[ # FIPS 140-2 Ready
|
["v3"],[ # FIPS 140-2 Ready
|
||||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DWOLFSSL_ECDSA_SET_K"
|
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DWOLFSSL_ECDSA_SET_K"
|
||||||
ENABLED_KEYGEN="yes"
|
ENABLED_KEYGEN="yes"
|
||||||
|
|||||||
39
tests/unit.c
39
tests/unit.c
@ -78,50 +78,81 @@ int unit_test(int argc, char** argv)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 5)
|
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 5)
|
||||||
|
#if !defined(NO_AES) && !defined(NO_AES_CBC)
|
||||||
if (wc_RunCast_fips(FIPS_CAST_AES_CBC) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_AES_CBC) != 0) {
|
||||||
err_sys("AES-CBC CAST failed");
|
err_sys("AES-CBC CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_AESGCM
|
||||||
if (wc_RunCast_fips(FIPS_CAST_AES_GCM) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_AES_GCM) != 0) {
|
||||||
err_sys("AES-GCM CAST failed");
|
err_sys("AES-GCM CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
#ifndef NO_SHA
|
||||||
if (wc_RunCast_fips(FIPS_CAST_HMAC_SHA1) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_HMAC_SHA1) != 0) {
|
||||||
err_sys("HMAC-SHA1 CAST failed");
|
err_sys("HMAC-SHA1 CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
/* the only non-optional CAST */
|
||||||
if (wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_256) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_256) != 0) {
|
||||||
err_sys("HMAC-SHA2-256 CAST failed");
|
err_sys("HMAC-SHA2-256 CAST failed");
|
||||||
}
|
}
|
||||||
|
#ifdef WOLFSSL_SHA512
|
||||||
if (wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_512) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_512) != 0) {
|
||||||
err_sys("HMAC-SHA2-512 CAST failed");
|
err_sys("HMAC-SHA2-512 CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
#ifdef WOLFSSL_SHA3
|
||||||
if (wc_RunCast_fips(FIPS_CAST_HMAC_SHA3_256) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_HMAC_SHA3_256) != 0) {
|
||||||
err_sys("HMAC-SHA3-256 CAST failed");
|
err_sys("HMAC-SHA3-256 CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_HASHDRBG
|
||||||
if (wc_RunCast_fips(FIPS_CAST_DRBG) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_DRBG) != 0) {
|
||||||
err_sys("Hash_DRBG CAST failed");
|
err_sys("Hash_DRBG CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
#ifndef NO_RSA
|
||||||
if (wc_RunCast_fips(FIPS_CAST_RSA_SIGN_PKCS1v15) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_RSA_SIGN_PKCS1v15) != 0) {
|
||||||
err_sys("RSA sign CAST failed");
|
err_sys("RSA sign CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
#if defined(HAVE_ECC_CDH) && defined(HAVE_ECC_CDH_CAST)
|
||||||
|
if (wc_RunCast_fips(FIPS_CAST_ECC_CDH) != 0) {
|
||||||
|
err_sys("RSA sign CAST failed");
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_ECC_DHE
|
||||||
if (wc_RunCast_fips(FIPS_CAST_ECC_PRIMITIVE_Z) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_ECC_PRIMITIVE_Z) != 0) {
|
||||||
err_sys("ECC Primitive Z CAST failed");
|
err_sys("ECC Primitive Z CAST failed");
|
||||||
}
|
}
|
||||||
if (wc_RunCast_fips(FIPS_CAST_DH_PRIMITIVE_Z) != 0) {
|
#endif
|
||||||
err_sys("DH Primitive Z CAST failed");
|
#ifdef HAVE_ECC
|
||||||
}
|
|
||||||
if (wc_RunCast_fips(FIPS_CAST_ECDSA) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_ECDSA) != 0) {
|
||||||
err_sys("ECDSA CAST failed");
|
err_sys("ECDSA CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
#ifndef NO_DH
|
||||||
|
if (wc_RunCast_fips(FIPS_CAST_DH_PRIMITIVE_Z) != 0) {
|
||||||
|
err_sys("DH Primitive Z CAST failed");
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
#ifdef WOLFSSL_HAVE_PRF
|
||||||
if (wc_RunCast_fips(FIPS_CAST_KDF_TLS12) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_KDF_TLS12) != 0) {
|
||||||
err_sys("KDF TLSv1.2 CAST failed");
|
err_sys("KDF TLSv1.2 CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
#if defined(WOLFSSL_HAVE_PRF) && defined(WOLFSSL_TLS13)
|
||||||
if (wc_RunCast_fips(FIPS_CAST_KDF_TLS13) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_KDF_TLS13) != 0) {
|
||||||
err_sys("KDF TLSv1.3 CAST failed");
|
err_sys("KDF TLSv1.3 CAST failed");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
#ifdef WOLFSSL_WOLFSSH
|
||||||
if (wc_RunCast_fips(FIPS_CAST_KDF_SSH) != 0) {
|
if (wc_RunCast_fips(FIPS_CAST_KDF_SSH) != 0) {
|
||||||
err_sys("KDF SSHv2.0 CAST failed");
|
err_sys("KDF SSHv2.0 CAST failed");
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#endif /* HAVE_FIPS && HAVE_FIPS_VERSION == 5 */
|
||||||
#ifdef WOLFSSL_ALLOW_SKIP_UNIT_TESTS
|
#ifdef WOLFSSL_ALLOW_SKIP_UNIT_TESTS
|
||||||
if (argc == 1)
|
if (argc == 1)
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@ -603,6 +603,10 @@ int main(int argc, char** argv)
|
|||||||
wolfcrypt_test_args.argc = argc;
|
wolfcrypt_test_args.argc = argc;
|
||||||
wolfcrypt_test_args.argv = argv;
|
wolfcrypt_test_args.argv = argv;
|
||||||
|
|
||||||
|
#ifdef WC_RNG_SEED_CB
|
||||||
|
wc_SetSeed_Cb(wc_GenerateSeed);
|
||||||
|
#endif
|
||||||
|
|
||||||
wolfSSL_Init();
|
wolfSSL_Init();
|
||||||
ChangeToWolfRoot();
|
ChangeToWolfRoot();
|
||||||
|
|
||||||
|
|||||||
@ -1034,7 +1034,11 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
|
|||||||
|
|
||||||
#elif defined(WOLFSSL_KCAPI_AES)
|
#elif defined(WOLFSSL_KCAPI_AES)
|
||||||
/* Only CBC and GCM that are in wolfcrypt/src/port/kcapi/kcapi_aes.c */
|
/* Only CBC and GCM that are in wolfcrypt/src/port/kcapi/kcapi_aes.c */
|
||||||
|
#if defined(WOLFSSL_AES_COUNTER) || defined(HAVE_AESCCM) || \
|
||||||
|
defined(WOLFSSL_CMAC) || defined(WOLFSSL_AES_OFB) || \
|
||||||
|
defined(WOLFSSL_AES_CFB) || defined(HAVE_AES_ECB)
|
||||||
|
#define NEED_AES_TABLES
|
||||||
|
#endif
|
||||||
#else
|
#else
|
||||||
|
|
||||||
/* using wolfCrypt software implementation */
|
/* using wolfCrypt software implementation */
|
||||||
|
|||||||
@ -105,6 +105,11 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
|
|||||||
ret = BAD_FUNC_ARG;
|
ret = BAD_FUNC_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_FIPS
|
||||||
|
if (length < HMAC_FIPS_MIN_KEY)
|
||||||
|
return HMAC_MIN_KEYLEN_E;
|
||||||
|
#endif
|
||||||
|
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
switch (type) {
|
switch (type) {
|
||||||
#ifndef NO_MD5
|
#ifndef NO_MD5
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user