
Commit 9b92aea

Merge pull request #7422 from douzzer/20240412-fips-v5-v6-linuxkm-fixes
20240412-fips-v5-v6-linuxkm-fixes
2 parents be74cb7 + 281c2a4 commit 9b92aea

5 files changed

Lines changed: 169 additions & 57 deletions


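--- a/configure.ac
+++ b/configure.ac
@@ -370,46 +370,46 @@ AS_CASE([$ENABLED_FIPS],
 ],
 [v1|yes|cert2425],[
 FIPS_VERSION="v1"
-HAVE_FIPS_VERSION=1
+HAVE_FIPS_VERSION_MAJOR=1
 ENABLED_FIPS="yes"
 DEF_SP_MATH="no"
 DEF_FAST_MATH="yes"
 ],
 [v2|cert3389],[
 FIPS_VERSION="v2"
-HAVE_FIPS_VERSION=2
+HAVE_FIPS_VERSION_MAJOR=2
 HAVE_FIPS_VERSION_MINOR=0
 ENABLED_FIPS="yes"
 DEF_SP_MATH="no"
 DEF_FAST_MATH="yes"
 ],
 [rand],[
 FIPS_VERSION="rand"
-HAVE_FIPS_VERSION=2
+HAVE_FIPS_VERSION_MAJOR=2
 HAVE_FIPS_VERSION_MINOR=1
 ENABLED_FIPS="yes"
 DEF_SP_MATH="no"
 DEF_FAST_MATH="no"
 ],
 [v5|v5-RC12],[
 FIPS_VERSION="v5-RC12"
-HAVE_FIPS_VERSION=5
+HAVE_FIPS_VERSION_MAJOR=5
 HAVE_FIPS_VERSION_MINOR=2
 ENABLED_FIPS="yes"
 DEF_SP_MATH="no"
 DEF_FAST_MATH="yes"
 ],
 [v5-ready],[
 FIPS_VERSION="v5-ready"
-HAVE_FIPS_VERSION=5
+HAVE_FIPS_VERSION_MAJOR=5
 HAVE_FIPS_VERSION_MINOR=3
 ENABLED_FIPS="yes"
 DEF_SP_MATH="no"
 DEF_FAST_MATH="yes"
 ],
 [v5-dev],[
-FIPS_VERSION="dev"
-HAVE_FIPS_VERSION=5
+FIPS_VERSION="v5-dev"
+HAVE_FIPS_VERSION_MAJOR=5
 HAVE_FIPS_VERSION_MINOR=3
 ENABLED_FIPS="yes"
 # for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
@@ -436,24 +436,33 @@ AS_CASE([$ENABLED_FIPS],
 DEF_SP_MATH="yes"
 DEF_FAST_MATH="no"
 ],
-[dev],[
+[dev|v6-dev],[
 FIPS_VERSION="dev"
-HAVE_FIPS_VERSION=7
+HAVE_FIPS_VERSION_MAJOR=7
 HAVE_FIPS_VERSION_MINOR=0
+HAVE_FIPS_VERSION_PATCH=0
 ENABLED_FIPS="yes"
 # for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all)
 ],
 [
 AC_MSG_ERROR([Invalid value for --enable-fips "$ENABLED_FIPS" (main options: v1, v2, v5, v6, ready, dev, rand, no, disabled)])
 ])
 
+if test -z "$HAVE_FIPS_VERSION_MAJOR"
+then
+HAVE_FIPS_VERSION_MAJOR=0
+fi
 if test -z "$HAVE_FIPS_VERSION_MINOR"
 then
 HAVE_FIPS_VERSION_MINOR=0
 fi
+if test -z "$HAVE_FIPS_VERSION_PATCH"
+then
+HAVE_FIPS_VERSION_PATCH=0
+fi
 if test -z "$HAVE_FIPS_VERSION"
 then
-HAVE_FIPS_VERSION=0
+HAVE_FIPS_VERSION="$HAVE_FIPS_VERSION_MAJOR"
 fi
 
 if test "$ENABLED_FIPS" != "no"
@@ -833,7 +842,6 @@ then
 test "$enable_base64encode" = "" && enable_base64encode=yes
 test "$enable_base16" = "" && enable_base16=yes
 test "$enable_arc4" = "" && enable_arc4=yes
-test "$enable_des3" = "" && enable_des3=yes
 test "$enable_blake2" = "" && enable_blake2=yes
 test "$enable_blake2s" = "" && enable_blake2s=yes
 test "$enable_md2" = "" && enable_md2=yes
@@ -876,8 +884,10 @@ then
 if test "$ENABLED_SP_MATH" = "no"
 then
 test "$enable_dsa" = "" && test "$enable_sha" != "no" && enable_dsa=yes
-test "$enable_ecccustcurves" = "" && enable_ecccustcurves=yes
-test "$enable_brainpool" = "" && enable_brainpool=yes
+if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then
+test "$enable_ecccustcurves" = "" && enable_ecccustcurves=yes
+test "$enable_brainpool" = "" && enable_brainpool=yes
+fi
 test "$enable_srp" = "" && enable_srp=yes
 # linuxkm is incompatible with opensslextra and its dependents.
 if test "$ENABLED_LINUXKM_DEFAULTS" != "yes"
@@ -899,7 +909,9 @@ then
 test "$enable_openvpn" = "" && enable_openvpn=yes
 test "$enable_asio" = "" && enable_asio=yes
 test "$enable_libwebsockets" = "" && enable_libwebsockets=yes
-test "$enable_qt" = "" && enable_qt=yes
+if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then
+test "$enable_qt" = "" && enable_qt=yes
+fi
 fi
 fi
 
@@ -931,11 +943,15 @@ then
 fi
 fi
 
-if test "$ENABLED_FIPS" = "no" || test "$FIPS_VERSION" = "dev"; then
+if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6 || test "$FIPS_VERSION" = "v5-dev"; then
 test "$enable_aesxts" = "" && enable_aesxts=yes
 test "$enable_aessiv" = "" && enable_aessiv=yes
 fi
 
+if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then
+test "$enable_des3" = "" && enable_des3=yes
+fi
+
 # Enable DH const table speedups (eliminates `-lm` math lib dependency)
 AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072"
 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=4096
@@ -1022,7 +1038,6 @@ then
 test "$enable_base64encode" = "" && enable_base64encode=yes
 test "$enable_base16" = "" && enable_base16=yes
 test "$enable_arc4" = "" && enable_arc4=yes
-test "$enable_des3" = "" && enable_des3=yes
 test "$enable_blake2" = "" && enable_blake2=yes
 test "$enable_blake2s" = "" && enable_blake2s=yes
 test "$enable_md2" = "" && enable_md2=yes
@@ -1046,8 +1061,10 @@ then
 if test "$ENABLED_SP_MATH" = "no"
 then
 test "$enable_dsa" = "" && test "$enable_sha" != "no" && enable_dsa=yes
-test "$enable_ecccustcurves" = "" && enable_ecccustcurves=yes
-test "$enable_brainpool" = "" && enable_brainpool=yes
+if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then
+test "$enable_ecccustcurves" = "" && enable_ecccustcurves=yes
+test "$enable_brainpool" = "" && enable_brainpool=yes
+fi
 test "$enable_srp" = "" && enable_srp=yes
 fi
 
@@ -1072,11 +1089,15 @@ then
 fi
 fi
 
-if test "$ENABLED_FIPS" = "no" || test "$FIPS_VERSION" = "dev"; then
+if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6 || test "$FIPS_VERSION" = "v5-dev"; then
 test "$enable_aesxts" = "" && enable_aesxts=yes
 test "$enable_aessiv" = "" && enable_aessiv=yes
 fi
 
+if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then
+test "$enable_des3" = "" && enable_des3=yes
+fi
+
 # Enable AES Decrypt, AES ECB, Alt Names, DER Load
 AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD"
 
@@ -5001,7 +5022,7 @@ AS_CASE([$FIPS_VERSION],
 AS_IF([test "x$ENABLED_ED448_STREAM" != "xyes"],
 [ENABLED_ED448_STREAM="yes"])
 
-AS_IF([test "x$ENABLED_ECCCUSTCURVES" != "xno"],
+AS_IF([test "x$ENABLED_ECCCUSTCURVES" != "xno" && test "$FIPS_VERSION" != "dev"],
 [ENABLED_ECCCUSTCURVES="no"])
 
 # Hashing section
@@ -5038,8 +5059,9 @@ AS_CASE([$FIPS_VERSION],
 AS_IF([test "$ENABLED_AESGCM" = "no"],
 [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
 
-# AES-GCM streaming is part of SRTP-KDF FS
-AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes"],
+# AES-GCM streaming is part of the v6 FIPS suite, but isn't implemented
+# for armasm on arm-v7 or earlier (see armasm setup above).
+AS_IF([test "$ENABLED_AESGCM_STREAM" != "yes" && ! (test "$ENABLED_ARMASM" = "yes" && test "$ENABLED_ARMASM_CRYPTO" = "no")],
 [ENABLED_AESGCM_STREAM="yes"])
 
 AS_IF([test "x$ENABLED_AESOFB" = "xno"],
@@ -5072,7 +5094,9 @@ AS_CASE([$FIPS_VERSION],
 AM_CFLAGS="$AM_CFLAGS \
 -DHAVE_FIPS \
 -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
+-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
 -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
+-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
 -DHAVE_ECC_CDH \
 -DWC_RSA_NO_PADDING \
 -DECC_USER_CURVES \
@@ -5100,71 +5124,71 @@ AS_CASE([$FIPS_VERSION],
 
 # force various features to FIPS 140-3 defaults, unless overridden with dev:
 
-AS_IF([test "$ENABLED_KEYGEN" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_keygen" != "no")],
+AS_IF([test "$ENABLED_KEYGEN" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_keygen" != "no")],
 [ENABLED_KEYGEN="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"])
 
-AS_IF([test "$ENABLED_COMPKEY" = "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_compkey" != "yes")],
+AS_IF([test "$ENABLED_COMPKEY" = "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_compkey" != "yes")],
 [ENABLED_COMPKEY="no"])
 
-AS_IF([test "$ENABLED_SHA224" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_sha224" != "no")],
+AS_IF([test "$ENABLED_SHA224" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha224" != "no")],
 [ENABLED_SHA224="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA224"])
 
-AS_IF([test "$ENABLED_WOLFSSH" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_ssh" != "no")],
+AS_IF([test "$ENABLED_WOLFSSH" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_ssh" != "no")],
 [enable_ssh="yes"])
 
-# Shake128 is a SHA-3 algorithm not in our FIPS algorithm list
-AS_IF([test "$ENABLED_SHAKE128" != "no" && (test "$FIPS_VERSION" != "dev" || test "$enable_shake128" != "yes")],
+# Shake128 is a SHA-3 algorithm outside the v5 FIPS algorithm list
+AS_IF([test "$ENABLED_SHAKE128" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_shake128" != "yes")],
 [ENABLED_SHAKE128=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE128"])
 
-# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
-AS_IF([test "$ENABLED_SHAKE256" != "no" && (test "$FIPS_VERSION" != "dev" || test "$enable_shake256" != "yes")],
+# Shake256 is a SHA-3 algorithm outside the v5 FIPS algorithm list
+AS_IF([test "$ENABLED_SHAKE256" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_shake256" != "yes")],
 [ENABLED_SHAKE256=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"])
 
-# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
+# SHA512-224 and SHA512-256 are SHA-2 algorithms outside the v5 FIPS algorithm list
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
 
-AS_IF([test "$ENABLED_AESCCM" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_aesccm" != "no")],
+AS_IF([test "$ENABLED_AESCCM" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesccm" != "no")],
 [ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
 
-AS_IF([test "$ENABLED_AESXTS" = "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_aesxts" != "yes")],
+AS_IF([test "$ENABLED_AESXTS" = "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesxts" != "yes")],
 [ENABLED_AESXTS="no"])
 
-AS_IF([test "$ENABLED_RSAPSS" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_rsapss" != "no")],
+AS_IF([test "$ENABLED_RSAPSS" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_rsapss" != "no")],
 [ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
 
-AS_IF([test "$ENABLED_ECC" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_ecc" != "no")],
+AS_IF([test "$ENABLED_ECC" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_ecc" != "no")],
 [ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
-AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_eccshamir" != "no")],
+AS_IF([test "$ENABLED_ECC_SHAMIR" = "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_eccshamir" != "no")],
 [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
 
-AS_IF([test "$ENABLED_AESCTR" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_aesctr" != "no")],
+AS_IF([test "$ENABLED_AESCTR" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesctr" != "no")],
 [ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
 
-AS_IF([test "$ENABLED_CMAC" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_cmac" != "no")],
+AS_IF([test "$ENABLED_CMAC" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_cmac" != "no")],
 [ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
 
-AS_IF([test "$ENABLED_HKDF" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_hkdf" != "no")],
+AS_IF([test "$ENABLED_HKDF" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_hkdf" != "no")],
 [ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
 
 AS_IF([test "$ENABLED_INTELASM" = "yes"],
 [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
 
-AS_IF([test "$ENABLED_SHA512" = "no" && (test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
+AS_IF([test "$ENABLED_SHA512" = "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha512" != "no")],
 [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
 
-AS_IF([test "$ENABLED_AESGCM" = "no" && (test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm" != "no")],
+AS_IF([test "$ENABLED_AESGCM" = "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesgcm" != "no")],
 [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"; AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
 
-# AES-GCM streaming isn't part of the current FIPS suite.
-AS_IF([test "$ENABLED_AESGCM_STREAM" = "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_aesgcm_stream" != "yes")],
+# AES-GCM streaming isn't part of the v5 FIPS suite.
+AS_IF([test "$ENABLED_AESGCM_STREAM" = "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesgcm_stream" != "yes")],
 [ENABLED_AESGCM_STREAM="no"])
 
 # Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
 AS_IF([test "$ENABLED_OLD_TLS" != "no"],
 [ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
 
 AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
-[AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "dev" || test "$enable_aesofb" != "no")],
+[AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesofb" != "no")],
 [ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])])
 
 AS_IF([(test "$ENABLED_AESCCM" = "yes" && test "$HAVE_AESCCM_PORT" != "yes") ||
@@ -5179,7 +5203,9 @@ AS_CASE([$FIPS_VERSION],
 AM_CFLAGS="$AM_CFLAGS \
 -DHAVE_FIPS \
 -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
+-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
 -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
+-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH \
 -DWOLFSSL_KEY_GEN \
 -DWOLFSSL_SHA224 \
 -DWOLFSSL_AES_DIRECT \
@@ -5230,11 +5256,22 @@ AS_CASE([$FIPS_VERSION],
 ],
 
 ["rand"],[
-AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR"
+AM_CFLAGS="$AM_CFLAGS \
+-DWOLFCRYPT_FIPS_RAND \
+-DHAVE_FIPS \
+-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
+-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
+-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
+-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH"
 ],
 
 ["v1"],[ # FIPS 140-2, Cert 2425
-AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
+AM_CFLAGS="$AM_CFLAGS \
+-DHAVE_FIPS \
+-DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION \
+-DHAVE_FIPS_VERSION_MAJOR=$HAVE_FIPS_VERSION_MAJOR \
+-DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR \
+-DHAVE_FIPS_VERSION_PATCH=$HAVE_FIPS_VERSION_PATCH"
 AS_IF([test "x$ENABLED_SHA512" = "xno"],
 [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
 AS_IF([test "x$ENABLED_AESGCM" = "xno"],
@@ -5245,7 +5282,7 @@ AS_CASE([$FIPS_VERSION],
 AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno" && test "$ENABLE_LINUXKM" = "no"],
 [AC_MSG_ERROR([FIPS requires Thread Local Storage])])
 
-AS_IF([(test "$ENABLED_NULL_CIPHER" = "yes" || test "$ENABLED_LEANPSK" = "yes") && test "$ENABLED_FIPS" != "no" && test "$FIPS_VERSION" != "dev"],
+AS_IF([(test "$ENABLED_NULL_CIPHER" = "yes" || test "$ENABLED_LEANPSK" = "yes") && test "$ENABLED_FIPS" != "no" && test "$FIPS_VERSION" != "dev" && test "$FIPS_VERSION" != "v5-dev"],
 [AC_MSG_ERROR([FIPS is incompatible with nullcipher])])
 
 # SELFTEST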
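Review bot: `HAVE_FIPS_VERSION` is now assigned only by the `test -z "$HAVE_FIPS_VERSION"` fallback after the first `AS_CASE` (new lines 463–466), because every case arm visible here sets `HAVE_FIPS_VERSION_MAJOR` instead. If the variable is already non-empty when that block runs, for example inherited from the environment or passed as `HAVE_FIPS_VERSION=…` on the configure command line, it is kept and can disagree with the major version selected by `--enable-fips`; whether it is cleared earlier in the file is not visible on this page. The same value feeds `-DHAVE_FIPS_VERSION=` and the new `-le 5` / `-ge 6` gates that decide whether DES3, Brainpool and custom curves, Qt, and AES-XTS/AES-SIV are enabled by default. Unless an override is intended, I would assign it unconditionally, `HAVE_FIPS_VERSION="$HAVE_FIPS_VERSION_MAJOR"`, and add a one-line comment stating that it mirrors the major number.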

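--- a/linuxkm/linuxkm_wc_port.h
+++ b/linuxkm/linuxkm_wc_port.h
@@ -393,6 +393,25 @@
 #ifdef HAVE_FIPS
 extern int wolfCrypt_FIPS_first(void);
 extern int wolfCrypt_FIPS_last(void);
+#if FIPS_VERSION3_GE(6,0,0)
+extern int wolfCrypt_FIPS_AES_sanity(void);
+extern int wolfCrypt_FIPS_CMAC_sanity(void);
+extern int wolfCrypt_FIPS_DH_sanity(void);
+extern int wolfCrypt_FIPS_ECC_sanity(void);
+extern int wolfCrypt_FIPS_ED25519_sanity(void);
+extern int wolfCrypt_FIPS_ED448_sanity(void);
+extern int wolfCrypt_FIPS_HMAC_sanity(void);
+extern int wolfCrypt_FIPS_KDF_sanity(void);
+extern int wolfCrypt_FIPS_PBKDF_sanity(void);
+extern int wolfCrypt_FIPS_DRBG_sanity(void);
+extern int wolfCrypt_FIPS_RSA_sanity(void);
+extern int wolfCrypt_FIPS_SHA_sanity(void);
+extern int wolfCrypt_FIPS_SHA256_sanity(void);
+extern int wolfCrypt_FIPS_SHA512_sanity(void);
+extern int wolfCrypt_FIPS_SHA3_sanity(void);
+extern int wolfCrypt_FIPS_FT_sanity(void);
+extern int wc_RunAllCast_fips(void);
+#endif
 #endif
 
 #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)
@@ -553,6 +572,25 @@
 #ifdef HAVE_FIPS
 typeof(wolfCrypt_FIPS_first) *wolfCrypt_FIPS_first;
 typeof(wolfCrypt_FIPS_last) *wolfCrypt_FIPS_last;
+#if FIPS_VERSION3_GE(6,0,0)
+typeof(wolfCrypt_FIPS_AES_sanity) *wolfCrypt_FIPS_AES_sanity;
+typeof(wolfCrypt_FIPS_CMAC_sanity) *wolfCrypt_FIPS_CMAC_sanity;
+typeof(wolfCrypt_FIPS_DH_sanity) *wolfCrypt_FIPS_DH_sanity;
+typeof(wolfCrypt_FIPS_ECC_sanity) *wolfCrypt_FIPS_ECC_sanity;
+typeof(wolfCrypt_FIPS_ED25519_sanity) *wolfCrypt_FIPS_ED25519_sanity;
+typeof(wolfCrypt_FIPS_ED448_sanity) *wolfCrypt_FIPS_ED448_sanity;
+typeof(wolfCrypt_FIPS_HMAC_sanity) *wolfCrypt_FIPS_HMAC_sanity;
+typeof(wolfCrypt_FIPS_KDF_sanity) *wolfCrypt_FIPS_KDF_sanity;
+typeof(wolfCrypt_FIPS_PBKDF_sanity) *wolfCrypt_FIPS_PBKDF_sanity;
+typeof(wolfCrypt_FIPS_DRBG_sanity) *wolfCrypt_FIPS_DRBG_sanity;
+typeof(wolfCrypt_FIPS_RSA_sanity) *wolfCrypt_FIPS_RSA_sanity;
+typeof(wolfCrypt_FIPS_SHA_sanity) *wolfCrypt_FIPS_SHA_sanity;
+typeof(wolfCrypt_FIPS_SHA256_sanity) *wolfCrypt_FIPS_SHA256_sanity;
+typeof(wolfCrypt_FIPS_SHA512_sanity) *wolfCrypt_FIPS_SHA512_sanity;
+typeof(wolfCrypt_FIPS_SHA3_sanity) *wolfCrypt_FIPS_SHA3_sanity;
+typeof(wolfCrypt_FIPS_FT_sanity) *wolfCrypt_FIPS_FT_sanity;
+typeof(wc_RunAllCast_fips) *wc_RunAllCast_fips;
+#endif
 #endif
 
 #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)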
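Review bot: The seventeen function-pointer members added under `#if FIPS_VERSION3_GE(6,0,0)` in the second hunk (new lines 575–593) repeat by hand the extern list added at new lines 396–414, and nothing visible here ties the two lists, or the code that fills the pointers, together. If that code, which is outside this section, misses one entry, a call through the member in kernel context would go through a null pointer, presumably on the FIPS self-test path. I would add a comment above both blocks such as `/* FIPS v6 sanity/CAST entry points: keep this list in sync with the pointer members and their initializer; every pointer must be assigned before first use */`. The enclosing declaration of the second hunk begins and ends outside the hunk.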
