diff --git a/src/tools/clu_funcs.c b/src/tools/clu_funcs.c
index 7597995..b8df782 100644
--- a/src/tools/clu_funcs.c
+++ b/src/tools/clu_funcs.c
@@ -1123,9 +1123,20 @@ void wolfCLU_stats(double start, int blockSize, int64_t blocks)
 /* returns WOLFCLU_SUCCESS on success */
 int wolfCLU_version(void)
 {
+#ifdef HAVE_FIPS
+ const char *isFIPS = " FIPS";
+#else
+ const char *isFIPS = "";
+#endif
+
 WOLFCLU_LOG(WOLFCLU_L0, "You are using version %s of the wolfssl Command Line Utility." , CLUWOLFSSL_VERSION_STRING);
- WOLFCLU_LOG(WOLFCLU_L0, "Linked to wolfSSL version %s", LIBWOLFSSL_VERSION_STRING);
+ WOLFCLU_LOG(WOLFCLU_L0, "Linked to wolfSSL version %s%s",
+ LIBWOLFSSL_VERSION_STRING, isFIPS);
+#ifdef HAVE_FIPS
+ WOLFCLU_LOG(WOLFCLU_L0, "In FIPS builds there are algorithm restrictions "
+ "such as use of DES");
+#endif
 return WOLFCLU_SUCCESS;
 }
diff --git a/tests/pkcs/pkcs12-test.sh b/tests/pkcs/pkcs12-test.sh
index e2abec6..9736eac 100755
--- a/tests/pkcs/pkcs12-test.sh
+++ b/tests/pkcs/pkcs12-test.sh
@@ -12,6 +12,12 @@ then
 exit 77
 fi
+# Is this a FIPS build?
+if ./wolfssl -v 2>&1 | grep -q FIPS; then
+ #return 77 to indicate to automake that the test was skipped
+ exit 77
+fi
+
 RESULT=`./wolfssl pkcs12 -nodes -passin pass:"wolfSSL test" -passout pass: -in ./certs/test-servercert.p12 2>&1`
 echo "$RESULT" | grep "Recompile wolfSSL with PKCS12 support"
 if [ $? == 0 ]; then
diff --git a/tests/pkcs/pkcs8-test.sh b/tests/pkcs/pkcs8-test.sh
index fdebc54..89e3212 100755
--- a/tests/pkcs/pkcs8-test.sh
+++ b/tests/pkcs/pkcs8-test.sh
@@ -12,6 +12,12 @@ then
 exit 77
 fi
+# Is this a FIPS build?
+IS_FIPS=0
+if ./wolfssl -v 2>&1 | grep -q FIPS; then
+ IS_FIPS=1
+fi
+
 RESULT=`./wolfssl pkcs8 -in certs/server-keyEnc.pem -passin pass:yassl123 2>&1`
 echo "$RESULT" | grep "Recompile wolfSSL with PKCS8 support"
 if [ $? == 0 ]; then
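Review bot: The `isFIPS` suffix added to the "Linked to wolfSSL version" line is now a contract with the test scripts, since pkcs12-test.sh, pkcs8-test.sh, rsa-test.sh and x509-req-test.sh all detect a FIPS build with `./wolfssl -v 2>&1 | grep -q FIPS`, and nothing in wolfCLU_version records that; a comment next to the `#ifdef HAVE_FIPS` block such as `/* the " FIPS" token is matched by grep in tests/*.sh; keep it if the wording changes */` would stop a later rewording from silently turning the FIPS skips off. The advisory text reads as if using DES were itself a restriction; `"In FIPS builds some algorithms are unavailable (e.g. DES)"` says what the operator needs to know. The two `#ifdef HAVE_FIPS` blocks could also be folded into one that selects both the suffix and the advisory line. wolfCLU_version is complete within the hunk.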
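Review bot: The new guard in pkcs12-test.sh skips the whole test on FIPS builds, so the `pkcs12` command gets no coverage there at all, and the comment copied from the preceding skip does not say why; if the reason is that test-servercert.p12 is protected with an algorithm FIPS builds do not provide (the hunk does not show this), the comment should name it rather than repeating `#return 77 to indicate to automake that the test was skipped`. An `echo "skipping pkcs12 test: FIPS build"` before the added `exit 77` would also distinguish this skip in the log from the PKCS12-not-compiled skip just above it. The same `./wolfssl -v 2>&1 | grep -q FIPS` probe is repeated verbatim in pkcs8-test.sh, rsa-test.sh and x509-req-test.sh; it matches the word anywhere in the version output, which is only safe as long as the non-FIPS banner never mentions FIPS.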
@@ -37,9 +43,13 @@ run_fail() {
 fi
 }
-run "pkcs8 -in certs/server-keyEnc.pem -passin pass:yassl123 -outform DER -out keyEnc.der"
-
-run "pkcs8 -in keyEnc.der -inform DER -outform PEM -out key.pem"
+if [ ${IS_FIPS} != "1" ]; then
+ # Can only decrypt server-keyEnc.pem using DES if not a FIPS build
+ run "pkcs8 -in certs/server-keyEnc.pem -passin pass:yassl123 -outform DER -out keyEnc.der"
+ run "pkcs8 -in keyEnc.der -inform DER -outform PEM -out key.pem"
+else
+ run "pkcs8 -in certs/server-key.pem -outform PEM -out key.pem"
+fi
 run "pkcs8 -in key.pem -topk8 -nocrypt"
@@ -55,19 +65,21 @@ rm -rf pkcs1.pem
 rm -rf key.pem
 rm -rf keyEnc.der
-#check stdin input
-RESULT=`cat certs/server-keyEnc.pem | ./wolfssl pkcs8 -passin pass:yassl123`
-echo $RESULT | grep "BEGIN PRIVATE"
-if [ $? != 0 ]; then
- echo "Couldn't parse PKCS8 from stdin"
- exit 99
-fi
+if [ ${IS_FIPS} != "1" ]; then
+ #check stdin input
+ RESULT=`cat certs/server-keyEnc.pem | ./wolfssl pkcs8 -passin pass:yassl123`
+ echo $RESULT | grep "BEGIN PRIVATE"
+ if [ $? != 0 ]; then
+ echo "Couldn't parse PKCS8 from stdin"
+ exit 99
+ fi
-run_fail "pkcs8 -in certs/server-cert.pem -passin pass:yassl123"
+ run_fail "pkcs8 -in certs/server-cert.pem -passin pass:yassl123"
-run_fail "pkcs8 -in certs/server-keyEnc.pem -passin pass:wrongPass"
+ run_fail "pkcs8 -in certs/server-keyEnc.pem -passin pass:wrongPass"
-run_fail "pkcs8 -in certs/server-keyEnc.pem -inform DER -passin pass:yassl123"
+ run_fail "pkcs8 -in certs/server-keyEnc.pem -inform DER -passin pass:yassl123"
+fi
 echo "Done"
 exit 0
diff --git a/tests/pkey/rsa-test.sh b/tests/pkey/rsa-test.sh
index a583fd4..2bb0e6c 100755
--- a/tests/pkey/rsa-test.sh
+++ b/tests/pkey/rsa-test.sh
@@ -12,6 +12,12 @@ then
 exit 77
 fi
+# Is this a FIPS build?
+IS_FIPS=0
+if ./wolfssl -v 2>&1 | grep -q FIPS; then
+ IS_FIPS=1
+fi
+
 run() {
 if [ -z "$2" ]; then
 RESULT=`./wolfssl $1`
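Review bot: The `else` branch replaces the PEM→DER→PEM round trip with a PEM→PEM copy of an already-unencrypted key, so `-outform DER` and `-inform DER` lose their coverage on FIPS builds even though nothing on that path needs DES. Keeping the DER step with the unencrypted key preserves it: `run "pkcs8 -in certs/server-key.pem -outform DER -out key.der"` followed by `run "pkcs8 -in key.der -inform DER -outform PEM -out key.pem"`, plus a matching `rm -rf key.der` in the cleanup block that sits outside this hunk. The rest of the script continues past the `run "pkcs8 -in key.pem -topk8 -nocrypt"` context line.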
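Review bot: In the second pkcs8-test.sh hunk, `run_fail "pkcs8 -in certs/server-cert.pem -passin pass:yassl123"` is now skipped on FIPS builds, but that case feeds a certificate where a key is expected and does not depend on DES decryption, so it should stay outside the `if`. The stdin check and the two `run_fail` lines on server-keyEnc.pem do need the DES-encrypted key, so guarding them is defensible, although a negative test that failed only because the cipher is unavailable would presumably still have satisfied `run_fail`. The `if` opened in this hunk is closed by the added `fi` just before `echo "Done"`.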
@@ -67,30 +73,35 @@ run_fail "rsa -in ./certs/server-key.pem -pubin"
 # Test success cases for -RSAPublicKey_in
 run "rsa -in ./certs/server-keyPub.pem -RSAPublicKey_in"
-run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123"
-run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12"
-run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus"
+if [ ${IS_FIPS} != "1" ]; then
+ run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123"
+ run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12"
+
+ run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus"
+fi
 # Test success cases for -pubin
 run "rsa -in ./certs/server-keyPub.pem -pubin"
-run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123"
-run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12"
+if [ ${IS_FIPS} != "1" ]; then
+ run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123"
+ run_fail "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl12"
-run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus"
+ run "rsa -in ./certs/server-keyEnc.pem -passin pass:yassl123 -noout -modulus"
-# Check that modulus was printed
-echo $RESULT | grep "Modulus"
-if [ $? != 0 ]; then
- echo "ERROR with -modulus option"
- exit 99
-fi
+ # Check that modulus was printed
+ echo $RESULT | grep "Modulus"
+ if [ $? != 0 ]; then
+ echo "ERROR with -modulus option"
+ exit 99
+ fi
-# Check that key was not printed
-echo $RESULT | grep "BEGIN"
-if [ $? == 0 ]; then
- echo "ERROR found a key with -modulus option"
- exit 99
+ # Check that key was not printed
+ echo $RESULT | grep "BEGIN"
+ if [ $? == 0 ]; then
+ echo "ERROR found a key with -modulus option"
+ exit 99
+ fi
 fi
 # Expexted result -RSAPublicKey_in
diff --git a/tests/x509/expect-purpose.txt b/tests/x509/expect-purpose.txt
index 9029b04..6d9f0f6 100644
--- a/tests/x509/expect-purpose.txt
+++ b/tests/x509/expect-purpose.txt
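Review bot: On FIPS builds the `-modulus` checks (the "Modulus" grep and the no-"BEGIN" grep) never run, yet `-noout -modulus` does not need the encrypted key; running `run "rsa -in ./certs/server-key.pem -noout -modulus"` and the two greps outside the second `if`, with only the `server-keyEnc.pem` / `yassl12` cases left inside, keeps that output check on every build. The first guarded block repeats the same three commands as the second without inspecting `$RESULT`; the duplication predates this change, but wrapping both blocks in identical guards is the moment to drop one. Both `if` blocks are complete within the hunk; the script continues after the `# Expexted result -RSAPublicKey_in` context line.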
@@ -1,7 +1,7 @@
 Certificate Purpose:
 Any Extended Key Usage : YES
 TLS Web Server Authentication : YES
-TLS Web Client Authentication : NO
+TLS Web Client Authentication : YES
 OCSP Signing : YES
 Email Protect : YES
 Time Stamp Signing : YES
diff --git a/tests/x509/x509-req-test.sh b/tests/x509/x509-req-test.sh
index 03c2f19..b86945f 100755
--- a/tests/x509/x509-req-test.sh
+++ b/tests/x509/x509-req-test.sh
@@ -12,6 +12,12 @@ then
 exit 77
 fi
+# Is this a FIPS build?
+IS_FIPS=0
+if ./wolfssl -v 2>&1 | grep -q FIPS; then
+ IS_FIPS=1
+fi
+
 run_success() {
 if [ -z "$2" ]; then
 RESULT=`./wolfssl $1`
@@ -218,13 +224,16 @@ if [ $? != 0 ]; then
 fi
 rm -f tmp.cert
-run_success "req -new -newkey rsa:2048 -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password"
-echo $RESULT | grep "ENCRYPTED"
-if [ $? -ne 0 ]; then
- echo "no encrypted key found in result"
- exit 99
+
+if [ ${IS_FIPS} != "1" ]; then
+ run_success "req -new -newkey rsa:2048 -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password"
+ echo $RESULT | grep "ENCRYPTED"
+ if [ $? -ne 0 ]; then
+ echo "no encrypted key found in result"
+ exit 99
+ fi
+ rm -f tmp.cert
 fi
-rm -f tmp.cert
 #testing hash and key algos
 run_success "req -new -days 3650 -rsa -key ./certs/server-key.pem -config ./test.conf -out tmp.cert -x509"
@@ -242,7 +251,9 @@ rm -f tmp.cert
 run_success "req -new -days 3650 -sha512 -key ./certs/server-key.pem -config ./test.conf -out tmp.cert -x509"
 rm -f tmp.cert
-run_success "req -new -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password"
+if [ ${IS_FIPS} != "1" ]; then
+ run_success "req -new -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -x509 -out tmp.cert -passout stdin" "long test password"
+fi
 run_success "req -new -key ./certs/ca-key.pem -config ./test.conf -extensions v3_alt_req_full -out tmp.cert"
 run_success "req -in ./tmp.cert -noout -text"
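Review bot: Flipping the expected `TLS Web Client Authentication` verdict from NO to YES is unrelated to the FIPS gating in the rest of this commit, and nothing in the hunk says what changed in the purpose evaluation or in the certificate being checked. Relaxing an expected purpose result can mask a regression in `-purpose` checking (a certificate now reported usable for client authentication that previously was not), so the cause — a regenerated certificate with a new extended key usage, or a fix in the purpose logic — should be named in the commit message or in a comment in the test script that consumes this file before the new expectation is accepted.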
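Review bot: Guarding the `-passout stdin` case here, and the `-keyout`/`-passout` cases in the @@ -242 hunk and the @@ -252 hunk of x509-req-test.sh, with `IS_FIPS` removes every check of what a FIPS build does when asked to encrypt a generated key, so a build that silently wrote the key unencrypted would now go unnoticed. An `else` branch that runs the same `req` command through the existing helper and asserts that `$RESULT` either reports an error or contains `ENCRYPTED`, never a bare `BEGIN PRIVATE KEY`, would pin the FIPS behaviour; whether `run_success` or `run_fail` is the right helper depends on whether FIPS builds offer a PEM encryption cipher, which the hunk does not show. The new outer `if` in this hunk is closed by the pre-existing `fi` after the added `rm -f tmp.cert`.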
@@ -252,9 +263,11 @@ if [ $? -ne 0 ]; then
 exit 99
 fi
+if [ ${IS_FIPS} != "1" ]; then
 #test passout
-run_success "req -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -out tmp.cert -passout pass:123456789wolfssl -outform pem -sha256"
-run_success "rsa -in new-key.pem -passin pass:123456789wolfssl"
+ run_success "req -newkey rsa:2048 -keyout new-key.pem -config ./test.conf -out tmp.cert -passout pass:123456789wolfssl -outform pem -sha256"
+ run_success "rsa -in new-key.pem -passin pass:123456789wolfssl"
+fi
 run_success "req -new -x509 -key ./certs/ca-key.pem -config ./test-prompt.conf -out tmp.cert" "AA"
 run_fail "req -new -x509 -key ./certs/ca-key.pem -config ./test-prompt.conf -out tmp.cert" "LONG"
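Review bot: The added `if [ ${IS_FIPS} != "1" ]; then` is placed above the `#test passout` comment, which stays at column 0 while the two `run_success` lines it describes are indented inside the block; either indent the comment with them or open the `if` after it, so the comment is not read as a heading for the surrounding code. The unquoted `${IS_FIPS}` is safe only because the variable is initialised to 0 earlier in the script; `if [ "${IS_FIPS}" != "1" ]; then` removes that dependency and applies equally to the other guards in this commit. The script continues past the `run_fail ... "LONG"` context line.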