Adding FIPS 140-3 Windows build support

Author: tim-weller-wolfssl

windows/README.md

@@ -41,6 +41,12 @@ First, replace the contents of `IDE\WIN10\user_settings.h` in wolfSSL with the
 contents of `windows\fips_140_2\user_settings.h` from wolfEngine. Then, compile
 wolfSSL using `IDE\WIN10\wolfssl-fips.sln`.
 
+### FIPS 140-3
+
+First, replace the contents of `IDE\WIN10\user_settings.h` in wolfSSL with the
+contents of `windows\fips_140_3\user_settings.h` from wolfEngine. Then, compile
+wolfSSL using `IDE\WIN10\wolfssl-fips.sln`.
+
 ### FIPS Ready
 
 First, replace the contents of `IDE\WIN10\user_settings.h` in wolfSSL with the
@@ -94,6 +100,37 @@ out and replace the `verifyCore` value in wolfSSL's `wolfcrypt\src\fips_test.c`
 with it. Rebuild wolfSSL, rebuild wolfEngine, and run the wolfEngine tests
 again. The integrity check should pass this time.
 
+### FIPS 140-3
+
+Build wolfEngine using `windows\wolfEngine.sln`. Select one of the 2 FIPS 140-3
+configurations (e.g. DLL Debug FIPS 140-3 or DLL Release FIPS 140-3). 
+
+NOTE: wolfEngine does NOT support building as a static library for FIP 140-3
+      configurations due to per-thread private key read access support.
+
+Run the test suite by right-clicking on the "test" project in the
+Solution Explorer > Debug > Start New Instance. You are likely to encounter 
+this error message:
+
+```
+in FIPS callback, ok = 0, err = -203
+message = In Core Integrity check FIPS error
+hash = 550122FD59F12AFA94F1B0D95AB361FF03E3EB8708C68974C36D6571524B675C
+In core integrity hash check failure, copy above hash
+into verifyCore[] in wolfSSL's (NOT wolfEngine) fips_test.c and rebuild
+ERR: Failed to find engine!
+```
+
+As mentioned earlier, part of wolfSSL's FIPS self-test is an integrity check
+of the FIPS module. At startup, the self-test computes an HMAC of the code and
+read-only data of the FIPS module and compares the result to an expected value
+compiled into the library. If these don't match, the FIPS module enters an error
+state and cannot be used. The wolfEngine test program will print the above error
+message in this case. If this happens, you should take the hash value printed
+out and replace the `verifyCore` value in wolfSSL's `wolfcrypt\src\fips_test.c`
+with it. Rebuild wolfSSL, rebuild wolfEngine, and run the wolfEngine tests
+again. The integrity check should pass this time.
+
 ### FIPS Ready
 
 Build wolfEngine using `windows\wolfEngine.sln`. Select one of the 4 FIPS Ready

windows/fips_140_3/user_settings.h

@@ -0,0 +1,122 @@
+#ifndef USER_SETTINGS_H
+#define USER_SETTINGS_H
+
+/* Uncomment WOLFENGINE_DEBUG to enable wolfEngine debug messages
+#define WOLFENGINE_DEBUG */
+
+#define WE_USE_HASH
+#define WE_HAVE_SHA384
+#define WE_HAVE_SHA512
+#define WE_HAVE_SHA1
+#define WE_HAVE_SHA224
+#define WE_HAVE_SHA256
+#define WE_HAVE_CMAC
+#define WE_HAVE_MAC
+#define WE_HAVE_HMAC
+#define WE_HAVE_MAC
+
+/* The DES3CBC cipher is no longer supported with our 140-3 certificate 
+#define WE_HAVE_DES3CBC */
+
+#define WE_HAVE_AESECB
+#define WE_HAVE_AESCBC
+#define WE_HAVE_AESCTR
+#define WE_HAVE_RANDOM
+#define WE_HAVE_RSA
+#define WE_HAVE_DH
+#define WE_HAVE_ECC
+#define WE_HAVE_EVP_PKEY
+#define WE_HAVE_ECDSA
+#define WE_HAVE_ECDH
+#define WE_HAVE_ECKEYGEN
+#define WE_HAVE_EC_P192
+#define WE_HAVE_EC_P224
+#define WE_HAVE_EC_P256
+#define WE_HAVE_EC_P384
+#define WE_HAVE_EC_P521
+#define WE_HAVE_DIGEST
+
+#ifdef _WIN32
+
+/* The wolfSSL Visual Studio project may define these FIPS macros. We want to
+ * override them if that's the case. */
+#undef  HAVE_FIPS
+#define HAVE_FIPS
+#undef  HAVE_FIPS_VERSION
+#define HAVE_FIPS_VERSION 5
+#undef  HAVE_FIPS_VERSION_MINOR
+#define HAVE_FIPS_VERSION_MINOR 2
+
+#define WOLFSSL_ECDSA_SET_K
+#define HAVE_AES_ECB
+#define WC_RSA_NO_PADDING
+#define WOLFSSL_PUBLIC_MP
+#define ECC_MIN_KEY_SZ 192
+#define WOLFSSL_TLS13
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_THREAD_LS
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+#define HAVE_AESCCM
+#define WOLFSSL_AES_COUNTER
+#define WOLFSSL_AES_DIRECT
+#define WOLFSSL_SHA224
+#define WOLFSSL_SHA512
+#define WOLFSSL_SHA384
+#define WOLFSSL_KEY_GEN
+#define HAVE_HKDF
+#define HAVE_X963_KDF
+#define NO_DSA
+#define HAVE_ECC
+#define ECC_SHAMIR
+#define HAVE_ECC_CDH
+#define WC_RSA_PSS
+#define WOLFSSL_BASE64_ENCODE
+#define NO_RC4
+#define WOLFSSL_CMAC
+#define NO_HC128
+#define NO_RABBIT
+#define WOLFSSL_SHA3
+#define HAVE_ONE_TIME_AUTH
+#define HAVE_HASHDRBG
+#define HAVE_EXTENDED_MASTER
+#define HAVE_ENCRYPT_THEN_MAC
+#define NO_PSK
+#define NO_MD4
+#define NO_PWDBASED
+#define WC_NO_ASYNC_THREADING
+#define HAVE_DH_DEFAULT_PARAMS
+#define GCM_TABLE_4BIT
+#define HAVE_AESGCM
+#define HAVE_WC_INTROSPECTION
+#define OPENSSL_COEXIST
+#define NO_OLD_RNGNAME
+#define NO_OLD_WC_NAMES
+#define NO_OLD_SSL_NAMES
+#define NO_OLD_SHA_NAMES
+#define NO_OLD_MD5_NAME
+#define NO_OLD_SHA256_NAMES
+#define HAVE_PUBLIC_FFDHE
+#define HAVE_FFDHE_2048
+#define HAVE_FFDHE_3072
+#define HAVE_FFDHE_4096
+#define Sha3 wc_Sha3
+#define WOLFSSL_VALIDATE_ECC_IMPORT
+#define WOLFSSL_VALIDATE_FFC_IMPORT
+#define HAVE_FFDHE_Q
+#define WOLFSSL_NO_SHAKE256
+#define WOLFSSL_NOSHA512_224
+#define WOLFSSL_NOSHA512_256
+
+#ifdef _WIN64
+#define WOLFSSL_AESNI
+#endif
+
+/* Needed to export symbols in the final DLL */
+#define OPENSSL_SYS_WINDOWS
+#define OPENSSL_OPT_WINDLL
+
+#endif /* _WIN32 */
+
+#endif

windows/props/fips_140_3.props

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ImportGroup Label="PropertySheets" />
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_PropertySheetDisplayName>FIPS 140-3</_PropertySheetDisplayName>
+  </PropertyGroup>
+  <ItemDefinitionGroup>
+    <ClCompile>
+      <AdditionalIncludeDirectories>.\fips_140_3;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemGroup />
+</Project>

windows/test.vcxproj

@@ -33,6 +33,14 @@
       <Configuration>DLL Debug FIPS 140-2</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
+    <ProjectConfiguration Include="DLL Debug FIPS 140-3|Win32">
+      <Configuration>DLL Debug FIPS 140-3</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="DLL Debug FIPS 140-3|x64">
+      <Configuration>DLL Debug FIPS 140-3</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
     <ProjectConfiguration Include="DLL Debug FIPS Ready|Win32">
       <Configuration>DLL Debug FIPS Ready</Configuration>
       <Platform>Win32</Platform>
@@ -57,6 +65,14 @@
       <Configuration>DLL Release FIPS 140-2</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
+    <ProjectConfiguration Include="DLL Release FIPS 140-3|Win32">
+      <Configuration>DLL Release FIPS 140-3</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="DLL Release FIPS 140-3|x64">
+      <Configuration>DLL Release FIPS 140-3</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
     <ProjectConfiguration Include="DLL Release FIPS Ready|Win32">
       <Configuration>DLL Release FIPS Ready</Configuration>
       <Platform>Win32</Platform>
@@ -115,9 +131,15 @@
   <PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='DLL Debug FIPS 140-2|Win32'">
     <PlatformToolset>v143</PlatformToolset>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug FIPS 140-3|Win32'" Label="Configuration">
+    <PlatformToolset>v143</PlatformToolset>
+  </PropertyGroup>
   <PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='DLL Debug FIPS 140-2|x64'">
     <PlatformToolset>v143</PlatformToolset>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug FIPS 140-3|x64'" Label="Configuration">
+    <PlatformToolset>v143</PlatformToolset>
+  </PropertyGroup>
   <PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Debug FIPS Ready|x64'">
     <PlatformToolset>v143</PlatformToolset>
   </PropertyGroup>
@@ -172,12 +194,18 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release FIPS 140-2|Win32'" Label="Configuration">
     <PlatformToolset>v143</PlatformToolset>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release FIPS 140-3|Win32'" Label="Configuration">
+    <PlatformToolset>v143</PlatformToolset>
+  </PropertyGroup>
   <PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='DLL Release FIPS Ready|x64'">
     <PlatformToolset>v143</PlatformToolset>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release FIPS 140-2|x64'" Label="Configuration">
     <PlatformToolset>v143</PlatformToolset>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release FIPS 140-3|x64'" Label="Configuration">
+    <PlatformToolset>v143</PlatformToolset>
+  </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
   </ImportGroup>
@@ -191,6 +219,10 @@
     <Import Project="props\dll_debug_fips_test.props" />
     <Import Project="props\fips_140_2.props" />
   </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug FIPS 140-3|x64'" Label="PropertySheets">
+    <Import Project="props\dll_debug_fips_test.props" />
+    <Import Project="props\fips_140_3.props" />
+  </ImportGroup>
   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug FIPS Ready|x64'">
     <Import Project="props\static_debug_fips_test.props" />
     <Import Project="props\fips_ready.props" />
@@ -239,6 +271,10 @@
     <Import Project="props\dll_release_fips_test.props" />
     <Import Project="props\fips_140_2.props" />
   </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release FIPS 140-3|Win32'" Label="PropertySheets">
+    <Import Project="props\dll_release_fips_test.props" />
+    <Import Project="props\fips_140_3.props" />
+  </ImportGroup>
   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release FIPS 140-2|x64'">
     <Import Project="props\static_release_fips_test.props" />
     <Import Project="props\fips_140_2.props" />
@@ -247,6 +283,10 @@
     <Import Project="props\dll_release_fips_test.props" />
     <Import Project="props\fips_140_2.props" />
   </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release FIPS 140-3|x64'" Label="PropertySheets">
+    <Import Project="props\dll_release_fips_test.props" />
+    <Import Project="props\fips_140_3.props" />
+  </ImportGroup>
   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release Non-FIPS|Win32'">
     <Import Project="props\static_release_non_fips_test.props" />
   </ImportGroup>
@@ -257,6 +297,10 @@
     <Import Project="props\dll_debug_fips_test.props" />
     <Import Project="props\fips_140_2.props" />
   </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug FIPS 140-3|Win32'" Label="PropertySheets">
+    <Import Project="props\dll_debug_fips_test.props" />
+    <Import Project="props\fips_140_3.props" />
+  </ImportGroup>
   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='DLL Debug Non-FIPS|Win32'">
     <Import Project="props\dll_debug_non_fips_test.props" />
   </ImportGroup>
@@ -295,4 +339,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

windows/test.vcxproj.user

@@ -36,4 +36,22 @@ $(LocalDebuggerEnvironment)</LocalDebuggerEnvironment>
     <LocalDebuggerEnvironment>OPENSSL_ENGINES=$(OutDir)</LocalDebuggerEnvironment>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
-</Project>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release FIPS 140-3|Win32'">
+    <LocalDebuggerEnvironment>OPENSSL_ENGINES=$(OutDir)
+$(LocalDebuggerEnvironment)</LocalDebuggerEnvironment>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release FIPS 140-3|x64'">
+    <LocalDebuggerEnvironment>OPENSSL_ENGINES=$(OutDir)</LocalDebuggerEnvironment>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug FIPS 140-3|Win32'">
+    <LocalDebuggerEnvironment>OPENSSL_ENGINES=$(OutDir)
+$(LocalDebuggerEnvironment)</LocalDebuggerEnvironment>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug FIPS 140-3|x64'">
+    <LocalDebuggerEnvironment>OPENSSL_ENGINES=$(OutDir)</LocalDebuggerEnvironment>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+  </PropertyGroup>
+</Project>