From patchwork Wed Mar 8 17:18:50 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juliusz Sosinowicz X-Patchwork-Id: 1754270 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=HxcrnAlD; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:3::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4PWzgV6W2fz1yWs for ; Thu, 9 Mar 2023 04:23:50 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=TlWL772YydO4moVuZ2xKjmrvP3QQQPN4WW8xa3Kl5ms=; b=HxcrnAlDv/50fl nfCvaOq2KeOcL4MuXJOier6YtMSU48g/LOyFMe2LInwxxWuz1awurSImalo1JJafrPA/7PoWq7S9e hydHzXoji0fgWyMTOy1OMns2g7RVUUHzExrPXOexIFafugEM5QayRmqIl9+37Tat6qSnasXcviLFY lp2b6hst/itJ/4j7CKg8Eom/eGCoPWlyKONGjMfLBC8Abh12c7I5TD+H54EdXYtYcAhOBr7h+2egD IK5IyWMKyG33GSjXToZWqs1ygQ+quzlHUNo80e7dVnw4wCscXGfCJfyDO+dY7SAWCm9f7oAxDk5rk nwiTiIaBZgrQtPvlctgw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1pZxV8-0068n9-5p; Wed, 08 Mar 2023 17:22:54 +0000 Received: from p3plsmtpa07-08.prod.phx3.secureserver.net ([173.201.192.237]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1pZxSZ-0067gj-74 for hostap@lists.infradead.org; Wed, 08 Mar 2023 17:20:17 +0000 Received: from localhost.localdomain ([188.212.135.159]) by :SMTPAUTH: with ESMTPSA id ZxRlp2I9XoJ9VZxSYpM661; Wed, 08 Mar 2023 10:20:14 -0700 X-CMAE-Analysis: v=2.4 cv=fvwaJn0f c=1 sm=1 tr=0 ts=6408c3ce a=3NKXlI4tpxak3Hs97VqeiA==:117 a=3NKXlI4tpxak3Hs97VqeiA==:17 a=VTTltBjBAAAA:8 a=jWVZV7RqfMLTUg2Zzi4A:9 a=on_vo79ac8RWgsiwd8Ea:22 X-SECURESERVER-ACCT: juliusz@wolfssl.com From: Juliusz Sosinowicz To: hostap@lists.infradead.org Cc: Juliusz Sosinowicz Subject: [PATCH 12/12] wolfssl: implement FIPS compatible code when CONFIG_FIPS Date: Wed, 8 Mar 2023 18:18:50 +0100 Message-Id: <20230308171850.267577-12-juliusz@wolfssl.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230308171850.267577-1-juliusz@wolfssl.com> References: <20230308171850.267577-1-juliusz@wolfssl.com> MIME-Version: 1.0 X-CMAE-Envelope: MS4xfCTaQ6PVRQpchTOF25Zm/25W/jX+pd7zl8076UBPsBDIoH5DWeaeU+YfUAx/lbW3QPG8IIUSQR/YZSZfCPRvkowoAbPXCzh0qIpXvxzP6BBcZkqmX8xM BHSP4YNYdbBWSQ+yU1v4dZqljoAVrCDc012f0nOU5Qb8nfPgZ8MSIr1gL48+DM2+uRNtMzD3ljLsnr4JNVCqEa/ARsvLC+tpkCIht8OMtMmmmSXNS80w4FX3 CmhFRkjTFc2Uc+uh1scIfA== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230308_092015_302820_08910293 X-CRM114-Status: GOOD ( 13.35 ) X-Spam-Score: 0.0 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Signed-off-by: Juliusz Sosinowicz --- src/crypto/crypto_wolfssl.c | 77 +++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c index 7d3672f01..52f4c70c6 100644 --- a/src/crypto/crypto_wolfssl.c +++ b/src/crypto/crypto_wolfssl.c @@ -64,31 +64,79 @@ static [...] Content analysis details: (0.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [173.201.192.237 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [173.201.192.237 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Signed-off-by: Juliusz Sosinowicz --- src/crypto/crypto_wolfssl.c | 77 +++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c index 7d3672f01..52f4c70c6 100644 --- a/src/crypto/crypto_wolfssl.c +++ b/src/crypto/crypto_wolfssl.c @@ -64,31 +64,79 @@ static WC_RNG * wc_rng_init(void) { WC_RNG * ret; +#ifdef CONFIG_FIPS + ret = os_zalloc(sizeof(WC_RNG)); +#else ret = wc_rng_new(NULL, 0, NULL); +#endif if (!ret) { +#ifdef CONFIG_FIPS + LOG_WOLF_ERROR_FUNC_NULL(os_zalloc); +#else LOG_WOLF_ERROR_FUNC_NULL(wc_rng_new); +#endif + } +#ifdef CONFIG_FIPS + else { + int err; + err = wc_InitRng(ret); + if (err != 0) { + LOG_WOLF_ERROR_FUNC(wc_InitRng, err); + os_free(ret); + ret = NULL; + } } +#endif /* CONFIG_FIPS */ return ret; } static void wc_rng_deinit(WC_RNG * rng) { +#ifdef CONFIG_FIPS + wc_FreeRng(rng); + os_free(rng); +#else /* CONFIG_FIPS */ wc_rng_free(rng); +#endif /* CONFIG_FIPS */ } static ecc_key * ecc_key_init(void) { ecc_key * ret; +#ifdef CONFIG_FIPS + int err; + ret = os_zalloc(sizeof(ecc_key)); +#else /* CONFIG_FIPS */ ret = wc_ecc_key_new(NULL); +#endif /* CONFIG_FIPS */ if (!ret) { +#ifdef CONFIG_FIPS + LOG_WOLF_ERROR_FUNC_NULL(os_zalloc); +#else /* CONFIG_FIPS */ LOG_WOLF_ERROR_FUNC_NULL(wc_ecc_key_new); +#endif /* CONFIG_FIPS */ + } +#ifdef CONFIG_FIPS + else { + err = wc_ecc_init_ex(ret, NULL, INVALID_DEVID); + if (err != 0) { + LOG_WOLF_ERROR("wc_ecc_init_ex failed"); + os_free(ret); + ret = NULL; + } } +#endif /* CONFIG_FIPS */ return ret; } static void ecc_key_deinit(ecc_key * key) { +#ifdef CONFIG_FIPS + wc_ecc_free(key); + os_free(key); +#else /* CONFIG_FIPS */ wc_ecc_key_free(key); +#endif /* CONFIG_FIPS */ } /* end of helper functions */ @@ -1606,11 +1654,34 @@ struct crypto_ec * crypto_ec_init(int group) LOG_WOLF_ERROR_FUNC_NULL(wc_ecc_new_point); goto done; } +#ifdef CONFIG_FIPS + /* Setup generator manually in FIPS mode */ + if (!e->key->dp) { + LOG_WOLF_ERROR_FUNC_NULL(e->key->dp); + goto done; + } + err = mp_read_radix(e->g->x, e->key->dp->Gx, MP_RADIX_HEX); + if (err != MP_OKAY) { + LOG_WOLF_ERROR_FUNC(mp_read_radix, err); + goto done; + } + err = mp_read_radix(e->g->y, e->key->dp->Gy, MP_RADIX_HEX); + if (err != MP_OKAY) { + LOG_WOLF_ERROR_FUNC(mp_read_radix, err); + goto done; + } + err = mp_set(e->g->z, 1); + if (err != MP_OKAY) { + LOG_WOLF_ERROR_FUNC(mp_set, err); + goto done; + } +#else err = wc_ecc_get_generator(e->g, wc_ecc_get_curve_idx(curve_id)); if (err != MP_OKAY) { LOG_WOLF_ERROR_FUNC(wc_ecc_get_generator, err); goto done; } +#endif #endif err = mp_init_multi(&e->a, &e->prime, &e->order, &e->b, NULL, NULL); if (err != MP_OKAY) { @@ -1689,7 +1760,13 @@ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) return; if (clear) { +#ifndef CONFIG_FIPS wc_ecc_forcezero_point(point); +#else + mp_forcezero(point->x); + mp_forcezero(point->y); + mp_forcezero(point->z); +#endif } wc_ecc_del_point(point); }