Merge pull request #247 from cconlon/fipsRunAllCasts

JacobBarthelmeh · web-flow · commit 925bf80281e7 · 2025-01-06T15:34:46.000-07:00
JNI/JSSE: call wc_RunAllCast_fips() for FIPS builds when available
diff --git a/native/com_wolfssl_WolfSSL.c b/native/com_wolfssl_WolfSSL.c
@@ -86,95 +86,139 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_init
     }
 #endif
 
-#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 5)
+#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
+    (HAVE_FIPS_VERSION >= 6)
+
+    ret = wc_RunAllCast_fips();
+    if (ret != 0) {
+        printf("FIPS CASTs failed to run");
+    }
+
+#elif defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
+    (HAVE_FIPS_VERSION == 5)
+
     /* run FIPS 140-3 conditional algorithm self tests early to prevent
      * multi threaded issues later on */
+#if !defined(NO_AES) && !defined(NO_AES_CBC)
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_AES_CBC);
         if (ret != 0) {
             printf("AES-CBC CAST failed");
         }
     }
+#endif
+#ifdef HAVE_AESGCM
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_AES_GCM);
         if (ret != 0) {
             printf("AES-GCM CAST failed");
         }
     }
+#endif
+#ifndef NO_SHA
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA1);
         if (ret != 0) {
             printf("HMAC-SHA1 CAST failed");
         }
     }
+#endif
+    /* the only non-optional CAST */
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_256);
         if (ret != 0) {
             printf("HMAC-SHA2-256 CAST failed");
         }
     }
+#ifdef WOLFSSL_SHA512
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_512);
         if (ret != 0) {
             printf("HMAC-SHA2-512 CAST failed");
         }
     }
-
+#endif
+#ifdef WOLFSSL_SHA3
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA3_256);
         if (ret != 0) {
             printf("HMAC-SHA3-256 CAST failed");
         }
     }
+#endif
+#ifdef HAVE_HASHDRBG
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_DRBG);
         if (ret != 0) {
             printf("Hash_DRBG CAST failed");
         }
     }
+#endif
+#ifndef NO_RSA
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_RSA_SIGN_PKCS1v15);
         if (ret != 0) {
             printf("RSA sign CAST failed");
         }
     }
+#endif
+#if defined(HAVE_ECC_CDH) && defined(HAVE_ECC_CDH_CAST)
     if (ret == 0) {
-        ret = wc_RunCast_fips(FIPS_CAST_ECC_PRIMITIVE_Z);
+        ret = wc_RunCast_fips(FIPS_CAST_ECC_CDH);
         if (ret != 0) {
-            printf("ECC Primitive Z CAST failed");
+            printf("ECC CDH CAST failed");
         }
     }
+#endif
+#ifdef HAVE_ECC_DHE
     if (ret == 0) {
-        ret = wc_RunCast_fips(FIPS_CAST_DH_PRIMITIVE_Z);
+        ret = wc_RunCast_fips(FIPS_CAST_ECC_PRIMITIVE_Z);
         if (ret != 0) {
-            printf("DH Primitive Z CAST failed");
+            printf("ECC Primitive Z CAST failed");
         }
     }
+#endif
+#ifdef HAVE_ECC
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_ECDSA);
         if (ret != 0) {
             printf("ECDSA CAST failed");
         }
     }
+#endif
+#ifndef NO_DH
+    if (ret == 0) {
+        ret = wc_RunCast_fips(FIPS_CAST_DH_PRIMITIVE_Z);
+        if (ret != 0) {
+            printf("DH Primitive Z CAST failed");
+        }
+    }
+#endif
+#ifdef WOLFSSL_HAVE_PRF
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_KDF_TLS12);
         if (ret != 0) {
             printf("KDF TLSv1.2 CAST failed");
         }
     }
+#endif
+#if defined(WOLFSSL_HAVE_PRF) && defined(WOLFSSL_TLS13)
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_KDF_TLS13);
         if (ret != 0) {
             printf("KDF TLSv1.3 CAST failed");
         }
     }
+#endif
+#ifdef WOLFSSL_WOLFSSH
     if (ret == 0) {
         ret = wc_RunCast_fips(FIPS_CAST_KDF_SSH);
         if (ret != 0) {
             printf("KDF SSHv2.0 CAST failed");
         }
     }
 #endif
+#endif /* HAVE_FIPS && HAVE_FIPS_VERSION == 5 */
 
     if (ret == 0) {
         return (jint)wolfSSL_Init();

Original file line number	Diff line number	Diff line change
`@@ -86,95 +86,139 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_init`
`86`	`86`	`}`
`87`	`87`	`#endif`
`88`	`88`
`89`		`-#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 5)`
	`89`	`+#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \`
	`90`	`+ (HAVE_FIPS_VERSION >= 6)`
	`91`	`+`
	`92`	`+ ret = wc_RunAllCast_fips();`
	`93`	`+ if (ret != 0) {`
	`94`	`+ printf("FIPS CASTs failed to run");`
	`95`	`+ }`
	`96`	`+`
	`97`	`+#elif defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \`
	`98`	`+ (HAVE_FIPS_VERSION == 5)`
	`99`	`+`
`90`	`100`	`/* run FIPS 140-3 conditional algorithm self tests early to prevent`
`91`	`101`	`* multi threaded issues later on */`
	`102`	`+#if !defined(NO_AES) && !defined(NO_AES_CBC)`
`92`	`103`	`if (ret == 0) {`
`93`	`104`	`ret = wc_RunCast_fips(FIPS_CAST_AES_CBC);`
`94`	`105`	`if (ret != 0) {`
`95`	`106`	`printf("AES-CBC CAST failed");`
`96`	`107`	`}`
`97`	`108`	`}`
	`109`	`+#endif`
	`110`	`+#ifdef HAVE_AESGCM`
`98`	`111`	`if (ret == 0) {`
`99`	`112`	`ret = wc_RunCast_fips(FIPS_CAST_AES_GCM);`
`100`	`113`	`if (ret != 0) {`
`101`	`114`	`printf("AES-GCM CAST failed");`
`102`	`115`	`}`
`103`	`116`	`}`
	`117`	`+#endif`
	`118`	`+#ifndef NO_SHA`
`104`	`119`	`if (ret == 0) {`
`105`	`120`	`ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA1);`
`106`	`121`	`if (ret != 0) {`
`107`	`122`	`printf("HMAC-SHA1 CAST failed");`
`108`	`123`	`}`
`109`	`124`	`}`
	`125`	`+#endif`
	`126`	`+ /* the only non-optional CAST */`
`110`	`127`	`if (ret == 0) {`
`111`	`128`	`ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_256);`
`112`	`129`	`if (ret != 0) {`
`113`	`130`	`printf("HMAC-SHA2-256 CAST failed");`
`114`	`131`	`}`
`115`	`132`	`}`
	`133`	`+#ifdef WOLFSSL_SHA512`
`116`	`134`	`if (ret == 0) {`
`117`	`135`	`ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA2_512);`
`118`	`136`	`if (ret != 0) {`
`119`	`137`	`printf("HMAC-SHA2-512 CAST failed");`
`120`	`138`	`}`
`121`	`139`	`}`
`122`		`-`
	`140`	`+#endif`
	`141`	`+#ifdef WOLFSSL_SHA3`
`123`	`142`	`if (ret == 0) {`
`124`	`143`	`ret = wc_RunCast_fips(FIPS_CAST_HMAC_SHA3_256);`
`125`	`144`	`if (ret != 0) {`
`126`	`145`	`printf("HMAC-SHA3-256 CAST failed");`
`127`	`146`	`}`
`128`	`147`	`}`
	`148`	`+#endif`
	`149`	`+#ifdef HAVE_HASHDRBG`
`129`	`150`	`if (ret == 0) {`
`130`	`151`	`ret = wc_RunCast_fips(FIPS_CAST_DRBG);`
`131`	`152`	`if (ret != 0) {`
`132`	`153`	`printf("Hash_DRBG CAST failed");`
`133`	`154`	`}`
`134`	`155`	`}`
	`156`	`+#endif`
	`157`	`+#ifndef NO_RSA`
`135`	`158`	`if (ret == 0) {`
`136`	`159`	`ret = wc_RunCast_fips(FIPS_CAST_RSA_SIGN_PKCS1v15);`
`137`	`160`	`if (ret != 0) {`
`138`	`161`	`printf("RSA sign CAST failed");`
`139`	`162`	`}`
`140`	`163`	`}`
	`164`	`+#endif`
	`165`	`+#if defined(HAVE_ECC_CDH) && defined(HAVE_ECC_CDH_CAST)`
`141`	`166`	`if (ret == 0) {`
`142`		`- ret = wc_RunCast_fips(FIPS_CAST_ECC_PRIMITIVE_Z);`
	`167`	`+ ret = wc_RunCast_fips(FIPS_CAST_ECC_CDH);`
`143`	`168`	`if (ret != 0) {`
`144`		`- printf("ECC Primitive Z CAST failed");`
	`169`	`+ printf("ECC CDH CAST failed");`
`145`	`170`	`}`
`146`	`171`	`}`
	`172`	`+#endif`
	`173`	`+#ifdef HAVE_ECC_DHE`
`147`	`174`	`if (ret == 0) {`
`148`		`- ret = wc_RunCast_fips(FIPS_CAST_DH_PRIMITIVE_Z);`
	`175`	`+ ret = wc_RunCast_fips(FIPS_CAST_ECC_PRIMITIVE_Z);`
`149`	`176`	`if (ret != 0) {`
`150`		`- printf("DH Primitive Z CAST failed");`
	`177`	`+ printf("ECC Primitive Z CAST failed");`
`151`	`178`	`}`
`152`	`179`	`}`
	`180`	`+#endif`
	`181`	`+#ifdef HAVE_ECC`
`153`	`182`	`if (ret == 0) {`
`154`	`183`	`ret = wc_RunCast_fips(FIPS_CAST_ECDSA);`
`155`	`184`	`if (ret != 0) {`
`156`	`185`	`printf("ECDSA CAST failed");`
`157`	`186`	`}`
`158`	`187`	`}`
	`188`	`+#endif`
	`189`	`+#ifndef NO_DH`
	`190`	`+ if (ret == 0) {`
	`191`	`+ ret = wc_RunCast_fips(FIPS_CAST_DH_PRIMITIVE_Z);`
	`192`	`+ if (ret != 0) {`
	`193`	`+ printf("DH Primitive Z CAST failed");`
	`194`	`+ }`
	`195`	`+ }`
	`196`	`+#endif`
	`197`	`+#ifdef WOLFSSL_HAVE_PRF`
`159`	`198`	`if (ret == 0) {`
`160`	`199`	`ret = wc_RunCast_fips(FIPS_CAST_KDF_TLS12);`
`161`	`200`	`if (ret != 0) {`
`162`	`201`	`printf("KDF TLSv1.2 CAST failed");`
`163`	`202`	`}`
`164`	`203`	`}`
	`204`	`+#endif`
	`205`	`+#if defined(WOLFSSL_HAVE_PRF) && defined(WOLFSSL_TLS13)`
`165`	`206`	`if (ret == 0) {`
`166`	`207`	`ret = wc_RunCast_fips(FIPS_CAST_KDF_TLS13);`
`167`	`208`	`if (ret != 0) {`
`168`	`209`	`printf("KDF TLSv1.3 CAST failed");`
`169`	`210`	`}`
`170`	`211`	`}`
	`212`	`+#endif`
	`213`	`+#ifdef WOLFSSL_WOLFSSH`
`171`	`214`	`if (ret == 0) {`
`172`	`215`	`ret = wc_RunCast_fips(FIPS_CAST_KDF_SSH);`
`173`	`216`	`if (ret != 0) {`
`174`	`217`	`printf("KDF SSHv2.0 CAST failed");`
`175`	`218`	`}`
`176`	`219`	`}`
`177`	`220`	`#endif`
	`221`	`+#endif /* HAVE_FIPS && HAVE_FIPS_VERSION == 5 */`
`178`	`222`
`179`	`223`	`if (ret == 0) {`
`180`	`224`	`return (jint)wolfSSL_Init();`