wolfSSL Inc. Positioning on OE tested configuration listings

Doing FIPS responsibly since 2014!

wolfSSL Inc. Stance:

OE (operational environment) descriptions for software module “tested configurations” should include the toolchain used to compile the code and the OS the toolchain was run on, to allow for cross-compilation scenarios.

  1. OLD: <OS> running on <platform> with <processor>
  2. NEW: Compiled with <toolchain> on <OS> running on <OS> running on <platform> with <processor>
  3. OLD: <Guest OS> on <hypervisor> running on <platform> with <processor>
  4. NEW: Compiled with <toolchain> on <OS> running on <Guest OS> on <hypervisor> running on <platform> with <processor>
  5. OLD: <Guest OS> on <hypervisor> on <Host OS> running on <platform> with <processor>
  6. NEW: Compiled with <toolchain> on <OS> running on <Guest OS> on <hypervisor> on <Host OS> running on <platform> with <processor>

wolfSSL Inc. Reasoning and Justification:

wolfSSL Inc. recently experienced a toolchain change that caused issues with the software crypto module even though there were no changes to the OS, processor, or module code.

  • Scenario 1: Unmodified code, compiled for Intel silicon on Linux OS using gcc or an older clang version
    • All CAVP vectors passing
  • Scenario 2: Same exact code, same exact Intel silicon, same exact Linux OS. Compiler updated to clang 15.0.1.
    • CAVP vectors for a single public key algorithm failing (all other algorithms passing)
      • Problem: The n-th bit of a signature blob was being set or cleared non-deterministically. The failure was highly repeatable in testing.
      • Fix: Use an alternate version of clang and submit a bug report to the toolchain dev team (still waiting on a fix).

If you have any other questions please contact either fips@wolfssl.com or facts@wolfssl.com anytime. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!