From 92569c25bd72e2db6771762fe9606d46fbd8d8ed Mon Sep 17 00:00:00 2001 
From: Shizuka Ishikiriyama
Date: Tue, 27 May 2025 14:02:34 -0700
Subject: [PATCH] Created FIPS FAQ

---
 .DS_Store | Bin 0 -> 14340 bytes
 wolfBoot/.DS_Store | Bin 0 -> 6148 bytes
 wolfCLU/.DS_Store | Bin 0 -> 6148 bytes
 wolfCrypt-JNI/.DS_Store | Bin 0 -> 6148 bytes
 wolfEngine/.DS_Store | Bin 0 -> 6148 bytes
 wolfHSM/.DS_Store | Bin 0 -> 6148 bytes
 wolfMQTT/.DS_Store | Bin 0 -> 6148 bytes
 wolfProvider/.DS_Store | Bin 0 -> 6148 bytes
 wolfSSH/.DS_Store | Bin 0 -> 6148 bytes
 wolfSSL-FAQ/.DS_Store | Bin 0 -> 6148 bytes
 wolfSSL-FIPS-FAQ/Makefile | 22 ++
 wolfSSL-FIPS-FAQ/header.txt | 21 ++
 wolfSSL-FIPS-FAQ/mkdocs.yml | 25 +++
 wolfSSL-FIPS-FAQ/src/section01.md | 14 ++
 wolfSSL-FIPS-FAQ/src/section02.md | 323 ++++++++++++++++++++++++++++++
 wolfSSL-FIPS-Ready/.DS_Store | Bin 0 -> 6148 bytes
 wolfSSL-JNI/.DS_Store | Bin 0 -> 6148 bytes
 wolfSSL-Porting/.DS_Store | Bin 0 -> 6148 bytes
 wolfSSL-Tuning/.DS_Store | Bin 0 -> 6148 bytes
 wolfSSL/.DS_Store | Bin 0 -> 6148 bytes
 wolfSentry/.DS_Store | Bin 0 -> 6148 bytes
 wolfTPM/.DS_Store | Bin 0 -> 6148 bytes
 22 files changed, 405 insertions(+)
 create mode 100644 .DS_Store
 create mode 100644 wolfBoot/.DS_Store
 create mode 100644 wolfCLU/.DS_Store
 create mode 100644 wolfCrypt-JNI/.DS_Store
 create mode 100644 wolfEngine/.DS_Store
 create mode 100644 wolfHSM/.DS_Store
 create mode 100644 wolfMQTT/.DS_Store
 create mode 100644 wolfProvider/.DS_Store
 create mode 100644 wolfSSH/.DS_Store
 create mode 100644 wolfSSL-FAQ/.DS_Store
 create mode 100644 wolfSSL-FIPS-FAQ/Makefile
 create mode 100644 wolfSSL-FIPS-FAQ/header.txt
 create mode 100644 wolfSSL-FIPS-FAQ/mkdocs.yml
 create mode 100644 wolfSSL-FIPS-FAQ/src/section01.md
 create mode 100644 wolfSSL-FIPS-FAQ/src/section02.md
 create mode 100644 wolfSSL-FIPS-Ready/.DS_Store
 create mode 100644 wolfSSL-JNI/.DS_Store
 create mode 100644 wolfSSL-Porting/.DS_Store
 create mode 100644 wolfSSL-Tuning/.DS_Store
 create mode 100644 wolfSSL/.DS_Store
 create mode 100644 wolfSentry/.DS_Store
 create mode 100644 wolfTPM/.DS_Store
diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..4ae1fac011a5406686adc82b9e17e65bb9e8f194 GIT binary patch literal 14340 zcmeHNO>7%g5T147#A)+m5Pym&GUCFaNn@&36-da<57bo(X`RvoMQt3L#?3YSmK=%T>qo6pN$G)XR0Zbk)gn)yb;2Y}GRq%V`~YDMy^F zj9Z$kVZbmDW?%x3n&#e%3+ddvU0HNg;y1bI^>XwBl%qr0vOQnV&N1j>ryz0Zo^!Bp zP`Z3d)Yl)s6qcyilU}xeZOqH|1Fgz6foLgZ{eWXn!n6Jm9i~~D4cPw^q@?{Jd4(YU z>q*FmWF&^+^pLk=5o}wcXeFm`^ju&d{a#%&w1hR2GgxaWP?452o-XcLi6>G|;j(UU zKSs(*d>=gO^-&9Xe+8!#d4)H2o$>nKnFGoy)qwh}#!CA!;SUPmYpSDg#=ch*)R9#X#b(NfC#$8WLq+r4qb+)vX8y#PNt z96<4I07ZmWesy`VJ{NwIUo4lFYhz=ZR;;T#-qV}tO>9rRmRqn_bG5nJ%JTT!(yRR6 ztZkR`jr+O$E2ZMkfo)q=e`Zm(1e%Z_f&eUa!(^qoi! zudSu`K9k;=8rd^;Zf9yOy?fv8ovD3$cb_}gmw5Q8UC$jkak^Zo+UFTI@YF*na_2?& zAz$Ca8G%pr7JYsrT2l7f=ta-xBI=dB*Irunq8sT&)O#kkR4v<8p34|*vPoZOX$JjX z?{$su=-p0qB+`wGPv<_p<*ZJ(ZA)U_ik?DG7hobi*aFuP%$9TbG6d#I>vq7SJE}wR zV?8n2Y1@*cnV9Dd9knTW+N!SN%DT*4g+1jUy+m0(-Z_d+LAnsta))$%QmDhbgH8`aA!#WdpV04 zFA%jmk<*(ZatcT*oc+H~0cSu$B76V#KqFcTN%=h*Ev2j<_=zu3 zqs}k(H96X?ZBO2l@8me=-{0%ej;AYUt7h-z*tQ->F{0i^yR?8=IWJpBX!B24LfY`# z@kjR7_X7m#k(NYDNqgM=4-}_7>?mOuLP6SMrT6>-Tf|#w$JoYZ`ZG83Qxg7s*IYuj zZ#{bx4Nwow<6B+9pG{T$rRI5>M#Vg>WTmxOs^z#|y_fd>_>RY0K*qN?N=DjD&(nggnX^q*^Ki#CN7sqmPu01NCSm71orXP2*y+NaQViIE=vwLYBD2iGmML(O zqbV)zteMGPP0%6WS+7}(``rw08@RCWeIMvkucofMsF@ODT930wI(~J@OYfE{> z(ctDC$cO5btbCaDV!tMGJ`b(r6!PRrG$~@T3HaMljlvll5``a|InoM4S1uo}Pa-(> zb(0v+sYlMc(NfC#o(x+*;EnqUUfaVMuQ}sAl$}{TA|;X*nhF(t_g3q6B*HhYcxz29 z>X&Fc(@@B*3yj=fQ*7*-!>+eL@9~TxF*nswXuCHai>h1V^mf!WcHa5xV2!mAZw*1! 
zZ}R`F;=|XHOfw)V< z81MhX%3jp|e^<&}4FiUO|0M%f_hfEz9MBp+3!CDo#Fd@2KFyBK(iD z9S{HTcD#N3ta0F7hVN0XyCv>$-1m)uGM5VF;5zp*`9D^!u$~~J_~^`DM(xp3DoQu` LeGAGCdAc+)&VmSiQyX6v`gqniOP|@?|6Jmp* zLI}i+wEH&m*ORjAAtD~%&PPN;BFeA?Sq>c{>Q2*^JByJe$7nLE%9Uz61Kj^Nf%Ms< z8@i_1a?$Mn@ML2ttD=}Lt0^?u{bK+4;ra2jX`O#zU0pV^?jVY2VD;#TuIQpwb#T{v zZ*SIqdD>goZsjPeO$VR(wEEcAK4J?7f`MQl82FzI;LR4vb`4_>27-ZL;Ee&f9}<>e z?pPb@)qzb%0AL?#6`W<3keK9{JJyDm4K1A5hY$A3>*0m9 zI`SuVC(aFH4+esPHUlziLWc7GpW!d_S7vtYI<{aS82AC6%#FN{_h-g4W1%@EYqC-U8Y1%PoF|yPYc>RkHUU z-O!rm%ggru$46UB-Bi_V+039RUW(!I!}H^5+q(F|y1Hs*<$HwDuGXUix~7Y~>dE1I zd%O1C)BdJ*mZNUAJNV2e-^btjk%TlCXTTY72AqL!V*q!yNU^8rvoqifI0J7C$oUX3 z1WUuHn2ruisRaP`p-zIe^b!&i3`@hP2n&QY6sVzWEe2~i^uhc}!>Fj?#MXSURo*l& zoT?*#Nbba?qR-BNGmtaT)5n3_|7ZBibT;{Uh(9?4&cHuofcw?7n&74EZvF6ja@Pio ta|{vji?V=VoqYu0LC%q3GO9hu8h)i=RFo{DPvJoS5J-gh>ViHg!!vw{BAISr_7H{JfeAQJZ(>l5o zF;&q0dg|NrV7jM>h^LS13DJm%DhxrEMURNO*K}mgVr0oNnXlSr+mqt&s$}m2dZ2q+ zZEm{zU%c)uObwH}?)9bK1IFRnh@yR~O$ zyV^yLrrq!0JD+kNN%rC53^)VMfHQEI4B*ZdsZJDqb_SdQXJE&GoDTs*Fd8Psd~{&S zEdX!`br!6pmynoX7!8vmED+XEpoX%w7_8yY2lI=DNm0Xzt@&W9{L#E{u8#a6yAwx6 zpPd0`pk!d6k0ZJNXZU1#oBT4wpPT__;GZ$T!+Ks%@ltlTetA8)YXimtLqz_k+{tx0g}dyZFYtzHZO@h%`FXdUQ-nnx<7R z9zOcpwV!TwwUarjdcT6NV$yZI$~s(}0cXG&a0dP-130rqvLi+BodIXS8Q3u(`$Iqz zEDRgPxOJe5*L+|f<|xo}QGmg)Fl-dzfv~0mHI?m&!I}%Ayh7%Wx-a7-%K*~T*hq;{p=lEqhANgsDkDLK#;EyrD{c=){@lkfRe)>E)YXjOP snux?TqClW0mjDc89~nfa`h)0*D-0V&nMLd|9q1QJ5FL{&T8SoQ=-g2uktVf?mJ{RxkVFDSS#3l_?^AFLPC%VoP*ZXR-gqX- z8Wu`~U`Dc^?fH41w6=$c+~i>~A{r1;iN@%7&>_6ssX9_)RyvL`n$DYgomTs*`|ZGc z@6m?tX}-E`@Bg(pXzHe_W~*j~m2!J_I(~lJUbeN1Z?x;XR@5TEjgBQBozs$TvaH3$ z(?@+f_v6cOmphA5H-{a3Ws~nC@;*$A0b{@zFb4i71GuwU$`e8BjR9l87}ztw=YvOM z42n@O9UbUW2>{$b_c7*Lf_=PVP>h1mK%BS&#nowv;lv&5UhRTn6cl%IT6{RoyenQ@ z%8vLxnUf2G)*A!HK+Zr3VePx zX+j#Q3kV@wdj1msJUd^iyqbvI_$e6?4T-3a#n>4@9T4{OYDh;dXF%uoSkePs(T3*f zsu695zsLZ;y8*3fNpnh|%l9{$F7j;aTXvI|!%$N22mtKC z>;>06OK?u07%CQm@IaiT0wvYyh~Xq1_CVu8#X?Zh$?5Rnw6fC)#rf*kKk(t?LP68U 
zfH6>KpewgSKL2mq=l^<=-5CSMz`tU^^`dDs#v|$3+IToVYXhtq77ND}f@KOW{85Zp eK8i1}yucpt1u#@B1Yv>L9|2E;DP!PQ8TbSg9cZBd literal 0 HcmV?d00001 diff --git a/wolfProvider/.DS_Store b/wolfProvider/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..c740f7827b12859732aeccda445ff1c90bb4d405 GIT binary patch literal 6148 zcmeHKJ5Iwu5S>jTnp$&I02#siHe#da09Nu zo1K-tiwPx)(2TVE*7MnCKS!P{5t-~}IVGA9QG&rZ7-RauIL@PI1Mk@b8s1|%TU2G; z%TvepD!}huL^9lHDF0J%7F(htcIP(fT6X^%Z5{yQV8z z#C*j|7YX@J9|AsCS5_TgKN|DBGvAKz(IKtqJZ8P;-*6NUxyN@c_qUwx4mRb)_wm8^ zp{5F`0;<5aD1e^Lmh1}ZtO}?Csz9p%e;+IcW9qRHbe|4P?g#)J!R-udK1*J5S>XPv=U89pz;MM(oiqaa)MkSB#}TUtBv^dJ{AQvmq45$qM_!EXQHfO zNr^-z}+B-zVY1|`S=Ja$=1sjyTFn22$lm+( zK=(9X-n94sx!zjprmAMkW(H01$Y&QX>(|S+b+N;`x^1o6iwL75%}3{SN7s4Q_mA)P zcJAl5(@pMdjk?+H;5VOqA5+2IPJSXo96- zR7_U~x>N!H2T&)$SZWE035KO%RD=b>8Vb}rD0UmaAGSy*fMX57f#u+ zen{@brK0!FfHROY(AViu-v29nGMz literal 0 HcmV?d00001 
diff --git a/wolfSSL-FAQ/.DS_Store b/wolfSSL-FAQ/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..d104a8c4ca6d8ce3ec81c5ff1a9cd56f9ce7a695 GIT binary patch literal 6148 zcmeHK&u`N(6n<{YmUbHIVMx;?P$aHhX{lCCaLGzJaNvgsf&-wgX~G(o##NG1P*o{+ z;BVoMxFNxRz`wzn6TD}8qsdy12r)nD`E%^|IeuRfI|cyOnYc}WDgYShgry1=ON{!- z&sagV5SfWFJcytU3A{$vrWMc%{ObzPw_AZBc+dwI%hT`oPQV9Fz#Z(Tm;?0sPhnW2 z1>r6-j*;;KdEqw$Ruilqx{>&CjVVLZ2od}=5CWDa9U?7H#!ch87- yDC%T{?<hl`^=purXIl^ulv509{gX16A_m(Mu+1PT>q#{ZxQ%4LY>DX?nI7?wFQPP2_!v|A$X6l5( #NBaxQ-lMvB:
+PRIVATE_KEY_UNLOCK() ;
+PRIVATE_KEY_LOCK() ;
+```
+
+the key access can optionally be unlocked* only once on startup and locked again prior to shutdown** or... If the application wishes to be very strict, these can be called immediately before and after each call that involves a private key load or use.
+*Be aware that LOCK and UNLOCK are thread-local. Aas this is a semaphore, each UNLOCK must be paired with a corresponding LOCK at the same scope to properly decrement the lock count. Alternatively doing a "true lock" (example provided below) may be the best approach for proper lock management.
+** "application shall lock again before terminating" - This is a documentation requirement, this is not enforced at run-time by any error or prevention from exiting. Failing to re-lock key access before exiting makes the application "not FIPS compliant" however.
+
+```
+/* true_lock will always decrement the lock counter to 0 regardless of scope */
+static inline int true_lock(void)
+{
+int i;
+int lockStatus = wolfCrypt_GetPrivateKeyReadEnable_fips(WC_KEYTYPE_ALL);
+#ifdef VERBOSE_LOGGING
+printf("lockStatus (pre-loop) is %d\n", lockStatus);
+#endif
+for (i = lockStatus; i > 0; i--) {
+wolfCrypt_SetPrivateKeyReadEnable_fips(0, WC_KEYTYPE_ALL);
+lockStatus = wolfCrypt_GetPrivateKeyReadEnable_fips(WC_KEYTYPE_ALL);
+#ifdef VERBOSE_LOGGING
+printf("lockStatus (loop %d) is %d\n", i, lockStatus);
+#endif
+}
+return lockStatus;
+}
+...
+if (true_lock() != 0) {
+printf("true_lock failed to lock\n”);
+return error_code;
+}
+```
+
+g. To support an application that can link to both a wolfSSL FIPS library version and a wolfSSL non-FIPS library version users can implement NO-OP versions of the macros at the application level for the non-FIPS cases like so:
+
+...
+#if !defined(PRIVATE_KEY_LOCK) && !defined(PRIVATE_KEY_UNLOCK)
+#define PRIVATE_KEY_LOCK() do {} while (0)
+#define PRIVATE_KEY_UNLOCK() do {} while (0)
+#endif
+```
+
+API's that require UNLOCK before first use (should also be re-LOCKED after use):
+
+...
+● wc_PRF
+● wc_PRF_TLSv12
+● wc_HKDF_Extract
+● wc_HKDF_Extract_ex
+● wc_HKDF_Expand
+● wc_HKDF_Expand_ex
+● wc_HKDF
+● wc_Tls13_HKDF_Extract
+● wc_Tls13_HKDF_Extract_ex
+● wc_Tls13_HKDF_Expand_Label
+● wc_Tls13_HKDF_Expand_Label_ex
+● wc_SSH_KDF
+● wc_RsaExportKey
+● wc_ecc_export_x963
+● wc_ecc_export_ex
+● wc_ecc_export_private_only
+● wc_ecc_export_private_raw
+● wc_ecc_export_x963_ex
+● wc_ecc_shared_secret
+● wc_ecc_shared_secret_ex
+● wc_DhGenerateKeyPair
+● wc_DhAgree
+● wc_SRTP_KDF
+● wc_SRTCP_KDF
+● wc_SRTCP_KDF_ex
+● wc_SRTP_KDF_label
+● wc_SRTCP_KDF_label
+● wc_ed25519_export_private_only
+● wc_ed25519_export_private
+● wc_ed25519_export_key
+● wc_ed448_export_private_only
+● wc_ed448_export_private
+● wc_ed448_export_key
+● wc_PBKDF2_ex
+● wc_PBKDF2
+...
+
diff --git a/wolfSSL-FIPS-Ready/.DS_Store b/wolfSSL-FIPS-Ready/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..1a03011dc63342f64eaac324329d7782609dc152 GIT binary patch literal 6148 zcmeHKyGjE=6uo1DETl;(R)dv|MH;)n7}m}%KcGp#AXzpj_WJ{Z|6wE8TKhZxg6GT~ zlO0_xMf6^nIWzY;dtm1wB5rcK7>Nu;q(CD&4myPDPSZ|urqMCSXgaT}bw`TdtK!;w zawFF=UtPA>U!QF)Rb7^|RXu~IcpC2?Kfk`5w5^M8tm|bv>pj9`SL?}x}_pz!=yt!2Q9a5kta8 zF>W2`;u8SahdK(zd`mFKCkzQ2MOYwCLxCFV(i6jJIP^aGg@lcwhKq}pktbDtf4sO@ z9eN+##RWy{jR9jIXP~FkAqVUa literal 0 HcmV?d00001
diff --git a/wolfSSL-JNI/.DS_Store b/wolfSSL-JNI/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..9882128fe419571bc2e506f845341d847acf7aff GIT binary patch literal 6148 zcmeHKJ5Iwu5S<|rvP6>-QSAjN(omboT!0ja4w6Wq$d)4z66GF%jtkIp1!`(;!WDS4 zGbCOxlnB9$wENccT|ddY9wOq&&0}GvH7;S4k+NUL*=T&cy zKia#s?@rdWvm8yk*}+#n`95A`A1=;-GvEw31OJl&+}R?tQnB=Az%oW zhEXvc9hg!J031S{1Z(LfBqkV^hEWj~2x}-%L)lsk)^O;9`IUxIQNxL?`CzO3-n?+C zj{G6H6PJoUI|I%@&cHw)M{@rk;gjiY^79aXat54%KgIwLt7$dCOWED}>GkBU4H#z_ sBH|Zi0l_-^3BZG#BfH6{_8@Ecm4;DKvWPx~1N}!J5#p0G@B<9I0sC-9hX4Qo literal 0 HcmV?d00001 diff --git a/wolfSSL-Porting/.DS_Store b/wolfSSL-Porting/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..d9586356a700d8d7bd36949b1017302c53f0ceac GIT binary patch literal 6148 zcmeHKy-EW?5S}qX4s0S=h}9Oh7HO>4aF$ki0ZoDtNw}a`3i}fFc@S$~$5-&1oiVx9 z(^5odVE5ab-@OlR_lAgg^e`I|4Tz}15M)_&h^RYFJLW7#mK?+Jv{|k?Qv6<(?7c_# zbVt+0yuJU6{jFu$)b(W1OrWW**GH$%uP+Bor>ZYAFle4S!=!9pm|rwZiW*LA%?DfM_vVFjb>t7( zoj5A`>;M1& literal 0 HcmV?d00001 diff --git a/wolfSSL-Tuning/.DS_Store b/wolfSSL-Tuning/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..812a7748652ea35a32f59aa0d9ef15871ebbd679 GIT binary patch literal 6148 zcmeHKy-EW?5T5aZ9N453t1WC5(pazI?1j8QOae;CaY3=ar?RpWdc$A5Xj1#W&XVRX6K7!f03P(Ge}_BCmS<`qAF4 z{c^Xdo#m*T?GC>3$@ejpeYiLS&VV!E4E#?9aA%8@dx}0g1I~amuwg*Xhkzj%4O_)@ zbYMy?0B`_x60D_{keFZ?4O>N6AgrN44P|RFSi_+Y<`)fHMGYsm=7X*Bd-KAnI`W6) zP8=0|b_Se*oPk0ghjRa);gjiY^79aXat54%KgIwLs!27*OWED}>GkBU4H#1l5%Ftf o0l_-^3BZG#Bm2py_8@EcMZ;E6vWPx~1N}!J5#p0G@B<9I0WV8O761SM literal 0 HcmV?d00001 
diff --git a/wolfSSL/.DS_Store b/wolfSSL/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..6d6c4075d119835130d8036403dcfd962c2f99b3 GIT binary patch literal 6148 zcmeHKy-ve05I(mN3baEX zK9ky{Wdwxor1R(8kI()hiR}(I1Y>V(zS4 zjc7IeMF#lYwdsP+X*@d(-{14=(o>XqKAM#ySkkNao&DRl$Ai#2`Nlh+2CH_SkVYF) zkM`({j-#rbhwHEYu=dTgt{tsWl*=8gi;4Epec^p1w4f90WfARx%w6aU>)*F`KhIw0 zhP7Auqq=0du8K0C3@8J?%>a5fOWG0CQ5jGMl!2N7{ytbJW9G3Ebe|3k?g{`*V0MBz z-z7N5ddxglg783$qyiR8{pa59;oj>>>C z5Hrx0#~%0p!}a(7I7y$B0cGG{F<_E>m=ACy-&-4p<6di_M^F}ys|4#5Ok68QEVtrq as1w*NPk@=nN)Q%^{s=f4bWjF4Q=8QZJ55UaGtMCeZ=exEs z1V)75PO?Ayetga+#r6>qPw$r%QAtDvnjp(yKtw%g8kw^gS=Oj#i?&%O?Z##CrZ}$-PoCdiPW#s7H`euaf7OUE+S7b=OgD6yWu?cX zkM@4<*K(UXTcc@rJNU{c+Xp?#K3tpuXTTY72L2}lxU)ryeMRq`0cXG&*fJpJLqHRZ zhMi(MI?$zOK5znc5{#vmkeFZ?4Le0xAgrN44P`4aSi_+Y<`)e+MGYsm0)s8{rg-6$ z9qWhWP8=1zcLtn+oPn`UOS%8g@XHJq`FV)XoB?Oxk1@cLdR9;IQFga}`aHR71KI_e ri1>9ffMA?G0x*$t~@tB^!E literal 0 HcmV?d00001 diff --git a/wolfTPM/.DS_Store b/wolfTPM/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..727ad45fb47623593f1ebeae08161d760fda75b7 GIT binary patch literal 6148 zcmeHLJ5Iwu5S>jdN(pRv|3;H}o~_-;ySES9v$8ynXK6k|G`v4QJbrn9J?+X& zzL~jR)jL1)0DZc~T=R5Ui}^-i+6K zKi-wS8`r2$(3R7iLx|^LRFnZ_KpFS}2C!$dgnNQ&l>ucy87LXx_k)EpMji`6_v(Og zM*v^|w-c=SEWtI_W8|?AL?JN(wA zlYG(1TCFmm3{(vCWjW;i|E&A`Ulr&|8BhlP9RntaCo%uA;rG_o59GbpLNA~!oL2~z kC0Mwv7`eO^A3&YJZ+QWXJQjlRK=ebv(V#{d_*Diz0fBL9X8-^I literal 0 HcmV?d00001