Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion scripts/utils-wolfssl.sh
Original file line number Diff line number Diff line change
Expand Up @@ -259,7 +259,9 @@ install_wolfssl() {
# So for the 'git' commands, we'll just use whatever the system comes with.
if [ "$fips_check_script" = "fips-check-PILOT.sh" ]; then
# PILOT script has different usage: [flavor] [keep]
LD_LIBRARY_PATH="" ./$fips_check_script "$fips_tag" keep >$LOG_FILE 2>&1
# v5.2.1 FIPS base predates DH_MIN_SIZE; add it to the FIPS wolfSSL build only - WOLFSSL_CONFIG_CFLAGS feeds the XXX-fips-test rebuilds, CPPFLAGS the PILOT's own configure.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: this comment is quite long

WOLFSSL_CONFIG_CFLAGS="${WOLFSSL_CONFIG_CFLAGS} -DDH_MIN_SIZE=2048"
CPPFLAGS="${CPPFLAGS:-} -DDH_MIN_SIZE=2048" LD_LIBRARY_PATH="" ./$fips_check_script "$fips_tag" keep >$LOG_FILE 2>&1
RET_CODE=$?
else
# Regular fips-check.sh usage: [flavor] [keep] [nomakecheck]
Expand Down
16 changes: 13 additions & 3 deletions test/test_rsa.c
Original file line number Diff line number Diff line change
Expand Up @@ -1192,9 +1192,12 @@ int test_rsa_pkey_keygen(void *data)
* we're using wolfCrypt FIPS. Can't do 2048 because that's the default. */
const int newKeySize = 3072;
const int badKeyGenSizes[] = {512, 1024};
/* FIPS 186 requires the RSA public exponent >= 65537; e=3 is rejected. */
const long newKeyExp = 65537;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could be useful to check other values here to confirm the fix. Eg:

const int badKeyGenExps[] =  {3, 65535};

And maybe check another good value too, eg 65539.

Edit: maybe this belongs in wolfcrypt (as well?). AI tells me that there is no "too small" test there either.

#else
const int newKeySize = 1024;
const int badKeyGenSizes[] = {256};
const long newKeyExp = 3;
#endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
const int numBad = sizeof(badKeyGenSizes) / sizeof(*badKeyGenSizes);
int i = 0;
Expand All @@ -1217,7 +1220,7 @@ int test_rsa_pkey_keygen(void *data)
err = (eCmd = BN_new()) == NULL;
}
if (err == 0) {
err = BN_set_word(eCmd, 3) != 1;
err = BN_set_word(eCmd, newKeyExp) != 1;
}
if (err == 0) {
PRINT_MSG("Change the public exponent w/ ctrl command");
Expand Down Expand Up @@ -1268,6 +1271,13 @@ int test_rsa_get_params(void *data)
BIGNUM *eCmd = NULL;
BIGNUM *eRet = NULL;
const int newKeySize = 2048;
#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION) || \
(defined(RSA_MIN_SIZE) && RSA_MIN_SIZE >= 2048)
/* FIPS 186 requires the RSA public exponent >= 65537; e=3 is rejected. */
const long newKeyExp = 65537;
#else
const long newKeyExp = 3;
#endif
(void)data;

err = (ctx = EVP_PKEY_CTX_new_from_name(wpLibCtx, "RSA", NULL)) == NULL;
Expand All @@ -1284,7 +1294,7 @@ int test_rsa_get_params(void *data)
err = (eCmd = BN_new()) == NULL;
}
if (err == 0) {
err = BN_set_word(eCmd, 3) != 1;
err = BN_set_word(eCmd, newKeyExp) != 1;
}
if (err == 0) {
PRINT_MSG("Change the public exponent w/ ctrl command");
Expand Down Expand Up @@ -1314,7 +1324,7 @@ int test_rsa_get_params(void *data)
/* Check return sizes, then verify e matches the one we set */
if (err == 0) {
if ((params[0].return_size != (size_t)(newKeySize / 8)) ||
(params[1].return_size != 1)) {
(params[1].return_size != (size_t)BN_num_bytes(eCmd))) {
err = 1;
}
}
Expand Down
Loading