diff --git a/include/wolfprovider/internal.h b/include/wolfprovider/internal.h index 7559832..120d16a 100644 --- a/include/wolfprovider/internal.h +++ b/include/wolfprovider/internal.h @@ -38,6 +38,17 @@ #include "wp_params.h" +#ifndef AES_BLOCK_SIZE + #include + #ifndef AES_BLOCK_SIZE + #ifdef WC_NO_COMPAT_AES_BLOCK_SIZE + #define AES_BLOCK_SIZE WC_AES_BLOCK_SIZE + #else + #error AES_BLOCK_SIZE not defined when it should be + #endif + #endif +#endif + #ifndef WP_INTERNAL_H #define WP_INTERNAL_H diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh index b0c8a09..cb4a378 100755 --- a/scripts/utils-wolfssl.sh +++ b/scripts/utils-wolfssl.sh @@ -22,7 +22,7 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" source ${SCRIPT_DIR}/utils-general.sh WOLFSSL_GIT=${WOLFSSL_GIT:-"https://github.com/wolfSSL/wolfssl.git"} -WOLFSSL_TAG=${WOLFSSL_TAG:-"v5.7.2-stable"} +WOLFSSL_TAG=${WOLFSSL_TAG:-"v5.7.4-stable"} WOLFSSL_SOURCE_DIR=${SCRIPT_DIR}/../wolfssl-source WOLFSSL_INSTALL_DIR=${SCRIPT_DIR}/../wolfssl-install WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS:-0} @@ -78,10 +78,10 @@ install_wolfssl() { fi if [ "$WOLFSSL_ISFIPS" = "1" ]; then printf "with FIPS ... " - CONF_ARGS+=" --enable-fips=ready" + CONF_ARGS+=" --enable-fips=v5" if [ ! -e "XXX-fips-test" ]; then # Sometimes the system OpenSSL is different than the one we're using. So for the 'git' commands, we'll just use whatever the system comes with - LD_LIBRARY_PATH="" ./fips-check.sh keep nomakecheck fips-ready >>$LOG_FILE 2>&1 + LD_LIBRARY_PATH="" ./fips-check.sh keep nomakecheck linuxv5 >>$LOG_FILE 2>&1 if [ $? != 0 ]; then printf "ERROR checking out FIPS\n" rm -rf ${WOLFSSL_INSTALL_DIR} diff --git a/src/wp_digests.c b/src/wp_digests.c index 541e9b5..0980c29 100644 --- a/src/wp_digests.c +++ b/src/wp_digests.c @@ -583,7 +583,7 @@ static int name##_final(CTX* ctx, unsigned char* out, size_t* outLen, \ ok = 0; \ } \ if (ok) { \ - int rc = fin(&ctx->obj, out, ctx->outLen); \ + int rc = fin(&ctx->obj, out, (word32)ctx->outLen); \ if (rc != 0) { \ ok = 0; \ } \ diff --git a/src/wp_ecx_exch.c b/src/wp_ecx_exch.c index 077dff7..1d50682 100644 --- a/src/wp_ecx_exch.c +++ b/src/wp_ecx_exch.c @@ -230,7 +230,7 @@ static int wp_x25519_derive(wp_EcxCtx* ctx, unsigned char* secret, } else if (ok) { int rc; - word32 len = secSize; + word32 len = (word32)secSize; int i; rc = wc_curve25519_shared_secret(wp_ecx_get_key(ctx->key), @@ -316,7 +316,7 @@ static int wp_x448_derive(wp_EcxCtx* ctx, unsigned char* secret, } else if (ok) { int rc; - word32 len = secSize; + word32 len = (word32)secSize; rc = wc_curve448_shared_secret(wp_ecx_get_key(ctx->key), wp_ecx_get_key(ctx->peer), secret, &len); diff --git a/src/wp_ecx_kmgmt.c b/src/wp_ecx_kmgmt.c index 3d26baa..e0c86c3 100644 --- a/src/wp_ecx_kmgmt.c +++ b/src/wp_ecx_kmgmt.c @@ -404,7 +404,7 @@ static int wp_ecx_set_params(wp_Ecx* ecx, const OSSL_PARAM params[]) ok = 0; } if (ok && (data != NULL)) { - int rc = (*ecx->data->importPub)(data, len, (void*)&ecx->key, + int rc = (*ecx->data->importPub)(data, (word32)len, (void*)&ecx->key, ECX_LITTLE_ENDIAN); if (rc != 0) { ok = 0; @@ -479,7 +479,7 @@ static int wp_ecx_get_params_enc_pub_key(wp_Ecx* ecx, OSSL_PARAM params[], p = OSSL_PARAM_locate(params, key); if (p != NULL) { - word32 outLen = p->return_size; + word32 outLen = (word32)p->return_size; if (p->data == NULL) { outLen = ecx->data->len; @@ -513,7 +513,7 @@ static int wp_ecx_get_params_priv_key(wp_Ecx* ecx, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PRIV_KEY); if (p != NULL) { - word32 outLen = p->return_size; + word32 outLen = (word32)p->return_size; if (p->data == NULL) { outLen = ecx->data->len; @@ -869,7 +869,7 @@ static int wp_ecx_import(wp_Ecx* ecx, int selection, const OSSL_PARAM params[]) if (ok && (privData != NULL)) { ecx->unclamped[0] = privData[0]; ecx->unclamped[1] = privData[len - 1]; - rc = (*ecx->data->importPriv)(privData, len, (void*)&ecx->key, + rc = (*ecx->data->importPriv)(privData, (word32)len, (void*)&ecx->key, ECX_LITTLE_ENDIAN); if (rc != 0) { ok = 0; @@ -886,7 +886,7 @@ static int wp_ecx_import(wp_Ecx* ecx, int selection, const OSSL_PARAM params[]) ok = 0; } if (ok && (pubData != NULL)) { - rc = (*ecx->data->importPub)(pubData, len, (void*)&ecx->key, + rc = (*ecx->data->importPub)(pubData, (word32)len, (void*)&ecx->key, ECX_LITTLE_ENDIAN); if (rc != 0) { ok = 0; @@ -2034,7 +2034,7 @@ static int wp_ecx_encode(wp_EcxEncDecCtx* ctx, OSSL_CORE_BIO *cBio, keyLen = derLen; } else if (ok && (ctx->encoding == WP_FORMAT_PEM)) { - rc = wc_DerToPemEx(derData, derLen, NULL, 0, cipherInfo, pemType); + rc = wc_DerToPemEx(derData, (word32)derLen, NULL, 0, cipherInfo, pemType); if (rc <= 0) { ok = 0; } @@ -2046,7 +2046,7 @@ static int wp_ecx_encode(wp_EcxEncDecCtx* ctx, OSSL_CORE_BIO *cBio, } } if (ok) { - rc = wc_DerToPemEx(derData, derLen, pemData, pemLen, cipherInfo, + rc = wc_DerToPemEx(derData, (word32)derLen, pemData, (word32)pemLen, cipherInfo, pemType); if (rc <= 0) { ok = 0; @@ -2058,7 +2058,7 @@ static int wp_ecx_encode(wp_EcxEncDecCtx* ctx, OSSL_CORE_BIO *cBio, } } if (ok) { - rc = BIO_write(out, keyData, keyLen); + rc = BIO_write(out, keyData, (int)keyLen); if (rc <= 0) { ok = 0; } diff --git a/src/wp_ecx_sig.c b/src/wp_ecx_sig.c index 9ffc77c..afcf98b 100644 --- a/src/wp_ecx_sig.c +++ b/src/wp_ecx_sig.c @@ -362,7 +362,7 @@ static int wp_ed25519_digest_sign(wp_EcxSigCtx *ctx, unsigned char *sig, if (sigSize == (size_t)-1) { sigSize = *sigLen; } - len = sigSize; + len = (word32)sigSize; if (!ed25519->pubKeySet) { unsigned char pubKey[ED25519_PUB_KEY_SIZE]; @@ -379,7 +379,7 @@ static int wp_ed25519_digest_sign(wp_EcxSigCtx *ctx, unsigned char *sig, } } if (ok) { - rc = wc_ed25519_sign_msg(tbs, tbsLen, sig, &len, ed25519); + rc = wc_ed25519_sign_msg(tbs, (word32)tbsLen, sig, &len, ed25519); if (rc != 0) { ok = 0; } @@ -434,8 +434,8 @@ static int wp_ed25519_digest_verify(wp_EcxSigCtx *ctx, unsigned char *sig, } if (ok) { int res; - int rc = wc_ed25519_verify_msg(sig, sigLen, tbs, tbsLen, &res, - wp_ecx_get_key(ctx->ecx)); + int rc = wc_ed25519_verify_msg(sig, (word32)sigLen, tbs, (word32)tbsLen, + &res, wp_ecx_get_key(ctx->ecx)); if (rc != 0) { ok = 0; } @@ -504,7 +504,7 @@ static int wp_ed448_digest_sign(wp_EcxSigCtx *ctx, unsigned char *sig, if (sigSize == (size_t)-1) { sigSize = *sigLen; } - len = sigSize; + len = (word32)sigSize; if (!ed448->pubKeySet) { unsigned char pubKey[ED448_PUB_KEY_SIZE]; @@ -521,7 +521,7 @@ static int wp_ed448_digest_sign(wp_EcxSigCtx *ctx, unsigned char *sig, } } if (ok) { - rc = wc_ed448_sign_msg(tbs, tbsLen, sig, &len, + rc = wc_ed448_sign_msg(tbs, (word32)tbsLen, sig, &len, (ed448_key*)wp_ecx_get_key(ctx->ecx), NULL, 0); if (rc != 0) { ok = 0; @@ -582,8 +582,8 @@ static int wp_ed448_digest_verify(wp_EcxSigCtx *ctx, unsigned char *sig, } if (ok) { int res; - int rc = wc_ed448_verify_msg(sig, sigLen, tbs, tbsLen, &res, - wp_ecx_get_key(ctx->ecx), NULL, 0); + int rc = wc_ed448_verify_msg(sig, (word32)sigLen, tbs, (word32)tbsLen, + &res, wp_ecx_get_key(ctx->ecx), NULL, 0); if (rc != 0) { ok = 0; } diff --git a/src/wp_rsa_sig.c b/src/wp_rsa_sig.c index e6b2386..ec4e761 100644 --- a/src/wp_rsa_sig.c +++ b/src/wp_rsa_sig.c @@ -1247,7 +1247,13 @@ static int wp_rsa_get_alg_id(wp_RsaSigCtx* ctx, OSSL_PARAM* p) /* TODO: implement */ (void)ctx; (void)p; - return 0; + const byte sha256WithRSAEncryptionOid[] = {0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x04, 0x10}; + int ok = 1; + + if (ok && (!OSSL_PARAM_set_octet_string(p, sha256WithRSAEncryptionOid, sizeof(sha256WithRSAEncryptionOid)))) { + ok = 0; + } + return ok; } /** diff --git a/src/wp_wolfprov.c b/src/wp_wolfprov.c index 90bf175..4d5abfb 100644 --- a/src/wp_wolfprov.c +++ b/src/wp_wolfprov.c @@ -1123,6 +1123,34 @@ static const OSSL_DISPATCH wolfprov_dispatch_table[] = { { 0, NULL } }; +#ifdef HAVE_FIPS + #include + + static void wp_fipsCb(int ok, int err, const char* hash) + { + (void)ok; + (void)err; + (void)hash; + WOLFPROVIDER_MSG(WE_LOG_PROVIDER, + "in my Fips callback, ok = %d, err = %d\n", ok, err); + WOLFPROVIDER_MSG(WE_LOG_PROVIDER, + "message = %s\n", wc_GetErrorString(err)); + WOLFPROVIDER_MSG(WE_LOG_PROVIDER, + "hash = %s\n", hash); + +#ifdef WC_NO_ERR_TRACE + if (err == WC_NO_ERR_TRACE(IN_CORE_FIPS_E)) { +#else + if (err == IN_CORE_FIPS_E) { +#endif + WOLFPROVIDER_MSG(WE_LOG_PROVIDER, + "In core integrity hash check failure, copy above hash\n"); + WOLFPROVIDER_MSG(WE_LOG_PROVIDER, + "into verifyCore[] in fips_test.c and rebuild\n"); + } + } +#endif + /* * Initializes the wolfSSL provider. * @@ -1144,6 +1172,10 @@ int wolfssl_provider_init(const OSSL_CORE_HANDLE* handle, wolfSSL_SetLoggingPrefix("wolfSSL"); #endif +#ifdef HAVE_FIPS + wolfCrypt_SetCb_fips(wp_fipsCb); +#endif + for (; in->function_id != 0; in++) { switch (in->function_id) { case OSSL_FUNC_CORE_GETTABLE_PARAMS: