Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

20240920-fixes #7999

Merged
merged 1 commit into from
Sep 20, 2024
Merged

20240920-fixes #7999

merged 1 commit into from
Sep 20, 2024

Conversation

douzzer
Copy link
Contributor

@douzzer douzzer commented Sep 20, 2024
edited
Loading

FIPS v5 gating fixes:
configure.ac:

  • fix logic in "Forcing off" test expressions, first flubbed in 19106a9;
  • fix auto-enable of compkey to exclude v5 even if v5-dev.

src/tls13.c: fix gating for HKDF _ex() variants (>=6.0, not >=5.3);

wolfcrypt/src/error.c: snip out stray spaces at start of several ECC error message strings;

wolfcrypt/test/test.c:

  • in render_error_message(), use wolfSSL_ERR_reason_error_string() if available rather than wc_GetErrorString(), to render non-wolfcrypt error strings;
  • in ecc_test_deterministic_k(), ecc384_test_deterministic_k(), ecc521_test_deterministic_k(), on FIPS <6.0, gate out SHA384 and SHA512 tests (FIPS v5 only supports SHA256 in wc_ecc_gen_deterministic_k());
  • in cmac_test(), gate use of wc_AesCmacGenerate_ex() and wc_AesCmacVerify_ex() on >=6.0, not >=5.3.

tested with wolfssl-multi-test.sh ... fips-140-3-v5-ready-optest-acvp-sp-asm fips-140-3-v5-dev-all fips-140-3-dev-kcapi super-quick-check

@douzzer
FIPS v5 gating fixes:
55cd8a8 
configure.ac:
* fix logic in "Forcing off" test expressions, first flubbed in 19106a9;
* fix auto-enable of compkey to exclude v5 even if v5-dev.

src/tls13.c: fix gating for HKDF _ex() variants (>=6.0, not >=5.3).

wolfcrypt/src/error.c: snip out stray spaces at start of several ECC error message strings.

wolfcrypt/test/test.c:
* in render_error_message(), use wolfSSL_ERR_reason_error_string() if available rather than wc_GetErrorString(), to render non-wolfcrypt error strings;
* in ecc_test_deterministic_k(), ecc384_test_deterministic_k(), ecc521_test_deterministic_k(), on FIPS <6.0, gate out SHA384 and SHA512 tests (FIPS v5 only supports SHA256 in wc_ecc_gen_deterministic_k());
* in cmac_test(), gate use of wc_AesCmacGenerate_ex() and wc_AesCmacVerify_ex() on >=6.0, not >=5.3.
@douzzer
Copy link
Contributor Author

douzzer commented Sep 20, 2024

retest this please (PRB-FIPS-windows-test-ACVP 140-3-testing-dir/wolfACVP/140-3-known-tests\RSA_decryptionPrimitive_474674.json "Didn't fail the expected number of times, try again")

kaleb-himes
kaleb-himes approved these changes Sep 20, 2024
View reviewed changes
Copy link
Contributor

@kaleb-himes kaleb-himes left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @douzzer, to PR cap for merge.

@JacobBarthelmeh JacobBarthelmeh merged commit 9781c1f into wolfSSL:master Sep 20, 2024
135 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JacobBarthelmeh JacobBarthelmeh JacobBarthelmeh approved these changes

@kaleb-himes kaleb-himes kaleb-himes approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@douzzer @kaleb-himes @JacobBarthelmeh @wolfSSL-Bot