Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions fips-check.sh
Original file line number Diff line number Diff line change
Expand Up @@ -672,8 +672,10 @@ if [ "$DOCONFIGURE" = "yes" ]; then
fi

if [ -s wolfcrypt/src/fips_test.c ]; then
OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
NEWHASH=$(echo "$OUT" | cut -c1-64)
# Take the hash exactly as long as reported: the in core digest is
# SHA-256 (64 hex) up to FIPS v6.0.0 and SHA-512 (128 hex) from v7.0.0.
NEWHASH=$(./wolfcrypt/test/testwolfcrypt | \
sed -n 's/^hash = \([0-9A-Fa-f][0-9A-Fa-f]*\).*$/\1/p' | head -1)
if [ -n "$NEWHASH" ]; then
cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak > \
Expand Down
6 changes: 4 additions & 2 deletions fips-hash.sh
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,10 @@ then
exit 1
fi

OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
NEWHASH=$(echo "$OUT" | cut -c1-64)
# Take the hash exactly as long as reported: the in core digest is SHA-256 (64
# hex) up to FIPS v6.0.0 and SHA-512 (128 hex) from v7.0.0 on.
NEWHASH=$(./wolfcrypt/test/testwolfcrypt | \
sed -n 's/^hash = \([0-9A-Fa-f][0-9A-Fa-f]*\).*$/\1/p' | head -1)
if test -n "$NEWHASH"
then
cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
Expand Down
15 changes: 15 additions & 0 deletions wolfcrypt/src/error.c
Original file line number Diff line number Diff line change
Expand Up @@ -695,6 +695,21 @@ const char* wc_GetErrorString(int error)
case TSP_VERIFY_E:
return "TSP token invalid or response doesn't match request error";

case SLH_DSA_PCT_E:
return "wolfcrypt SLH-DSA Pairwise Consistency Test Failure";

case CMAC_KAT_FIPS_E:
return "wolfCrypt FIPS AES-CMAC Known Answer Test Failure";

case SHAKE_KAT_FIPS_E:
return "wolfCrypt FIPS SHAKE Known Answer Test Failure";

case DH_PCT_E:
return "wolfcrypt DH Pairwise Consistency Test Failure";

case AES_KW_KAT_FIPS_E:
return "wolfCrypt FIPS AES Key Wrap Known Answer Test Failure";

case SEQ_OVERFLOW_E:
return "Sequence counter would overflow";

Expand Down
14 changes: 12 additions & 2 deletions wolfssl/wolfcrypt/error-crypt.h
Original file line number Diff line number Diff line change
Expand Up @@ -331,8 +331,18 @@ enum wolfCrypt_ErrorCodes {
TSP_VERIFY_E = -1019, /* TSP token invalid or response doesn't
* match request */

WC_SPAN2_LAST_E = -1019, /* Update to indicate last used error code */
WC_LAST_E = -1019, /* the last code used either here or in
SLH_DSA_PCT_E = -1020, /* SLH-DSA Pairwise Consistency Test failure */
CMAC_KAT_FIPS_E = -1021, /* AES-CMAC KAT failure */
SHAKE_KAT_FIPS_E = -1022, /* SHAKE KAT failure */
DH_PCT_E = -1023, /* DH Pairwise Consistency Test failure.
* Retired in FIPS v7+ (classic DH left the
* module boundary); the code stays allocated
* so fips.c can report it as retired rather
* than unknown. */
AES_KW_KAT_FIPS_E = -1024, /* AES Key Wrap KAT failure */

WC_SPAN2_LAST_E = -1024, /* Update to indicate last used error code */
WC_LAST_E = -1024, /* the last code used either here or in
* error-ssl.h */

WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */
Expand Down
22 changes: 20 additions & 2 deletions wolfssl/wolfcrypt/fips_test.h
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,21 @@
extern "C" {
#endif

/* Added for FIPS v7.0.0 or later */
#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(7,0)
/* The v7 integrity test is HMAC-SHA-512 keyed with a full SHA-512
* block-size (128-byte) key, so the key is used as-is rather than being
* hashed down by HMAC. This makes FIPS_CAST_HMAC_SHA2_512 boot-critical;
* it was FIPS_CAST_HMAC_SHA2_256 through v6.0.0. */
#ifndef WOLFSSL_SHA512
#error FIPS v7 in core integrity check requires SHA2-512
#endif
#define FIPS_IN_CORE_DIGEST_SIZE 64
#define FIPS_IN_CORE_HASH_TYPE WC_SHA512
#define FIPS_IN_CORE_KEY_SZ 128
#define FIPS_IN_CORE_VERIFY_SZ FIPS_IN_CORE_KEY_SZ
/* Added for FIPS v5.3 or later */
#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
#elif defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
/* Determine FIPS in core hash type and size */
#ifndef NO_SHA256
#define FIPS_IN_CORE_DIGEST_SIZE 32
Expand Down Expand Up @@ -80,7 +93,12 @@ enum FipsCastId {
FIPS_CAST_XMSS = 23,
FIPS_CAST_DRBG_SHA512 = 24,
FIPS_CAST_SLH_DSA = 25,
FIPS_CAST_COUNT = 26
/* Vendor-elected enhanced self-tests, appended so the ids above keep
* their v7.0.0 values. */
FIPS_CAST_AES_CMAC = 26,
FIPS_CAST_SHAKE = 27,
FIPS_CAST_AES_KW = 28,
FIPS_CAST_COUNT = 29
};

enum FipsCastStateId {
Expand Down
Loading