Home Explore Help
Sign In
OWEALs
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
2
0
Fork 0
Files Issues 8 Wiki
Browse Source

Allow using 3DES and MD5 with FIPS 140-3, as they fall outside of the FIPS boundary.

Kareem 2 years ago
parent
4a3ff40eb3
commit
832a7a40a6
3 changed files with 10 additions and 6 deletions
Split View Show Diff Stats
  1. 3 5
      configure.ac
  2. 1 1
      tests/api.c
  3. 6 0
      wolfcrypt/test/test.c

+ 3 - 5
configure.ac
View File 

@@ -3767,11 +3767,9 @@ AS_CASE([$FIPS_VERSION],
 
         AS_IF([test "$ENABLED_AESGCM" = "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesgcm" != "no")],
 
             [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
 
 
-        AS_IF([test "$ENABLED_MD5" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_md5" != "yes")],
 
-            [ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
 
-
 
-        AS_IF([test "$ENABLED_DES3" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_des3" != "yes")],
 
-            [ENABLED_DES3="no"])
 
+        # Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
 
+        AS_IF([test "$ENABLED_OLD_TLS" != "no"],
 
+            [ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
 
 
         AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
 
             [AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesofb" != "no")],

+ 1 - 1
tests/api.c
View File 

@@ -41263,7 +41263,7 @@ static void test_wolfSSL_HMAC_CTX(void)
 
                           digest, digestSz), 0);
 
     #endif /* WOLFSSL_SHA512 */
 
 
-    #ifndef NO_MD5
 
+    #if !defined(NO_MD5) && (!defined(HAVE_FIPS_VERSION) || HAVE_FIPS_VERSION <= 2)
 
     AssertIntEQ((digestSz = test_HMAC_CTX_helper(EVP_md5(), digest)), 16);
 
     AssertIntEQ(XMEMCMP("\xB7\x27\xC4\x41\xE5\x2E\x62\xBA\x54\xED\x72\x70\x9F"
 
                           "\xE4\x98\xDD", digest, digestSz), 0);

+ 6 - 0
wolfcrypt/test/test.c
View File 

@@ -18403,9 +18403,15 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
 
     c.inLen  = XSTRLEN(c.input);
 
     c.outLen = WC_MD5_DIGEST_SIZE;
 
 
+#if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)
 
+    /* Expect failure with MD5 + HMAC when using FIPS 140-3. */
 
+    if (HMAC(EVP_md5(), "JefeJefeJefeJefe", 16, (byte*)c.input, (int)c.inLen,
 
+            hash, 0) != NULL)
 
+#else
 
     if (HMAC(EVP_md5(), "JefeJefeJefeJefe", 16, (byte*)c.input, (int)c.inLen,
 
             hash, 0) == NULL ||
 
         XMEMCMP(hash, c.output, WC_MD5_DIGEST_SIZE) != 0)
 
+#endif
 
     {
 
         return -8612;
 
     }