-
Notifications
You must be signed in to change notification settings - Fork 832
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Srtp kdf optest #7470
Srtp kdf optest #7470
Conversation
NOTE: Do not merge this PR before merging #7462 (not sure what is taking so long on the other one?) This PR contains some of the same commits as work is progressing faster than merges are happening. |
526adee
to
39d3144
Compare
rebased on master. |
ac462a2
to
1ea3a9b
Compare
retest this please |
28d8cf6
to
76527c3
Compare
* non-testable requirement. wolfCrypt will log it when appropriate but | ||
* take no action */ | ||
if (iterations < 1000) { | ||
WOLFSSL_MSG("WARNING: Iteration < 1,000, see SP800-132 section 5.2"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this "warning" sufficient? Won't be noticed unless DEBUG_WOLFSSL is set. Should it return a new error code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes this is sufficient per the comment this is not enforceable.
@@ -43,6 +43,10 @@ | |||
WOLFSSL_LOCAL int wolfCrypt_FIPS_HMAC_sanity(void); | |||
#endif | |||
|
|||
#if FIPS_VERSION3_GE(6,0,0) | |||
#define FIPS_ALLOW_SHORT 1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this new FIPS macro include HMAC in the name? Would be nice if wc_HmacSetKey_ex
was unsigned and actually a flag / bit mask. Currently its 0 or non-zero only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By design.
Srtp kdf optest
Description
Exposing a service API for the new submission effort (module v6.0.0) makes these checks now being exposed passable while running in FIPS mode.
Testing
Using the operational test app
Checklist