Doing FIPS responsibly since 2014!
wolfSSL Inc. Stance:
OE Descriptions for software module “tested configurations” should include the toolchain used to compile the code and the OS the toolchain was employed on to allow for cross-compilation scenarios.
- OLD: <OS> running on <platform> with <processor>
- NEW: Compiled with <toolchain> on <OS> running on <OS> running on <platform> with <processor>
- OLD: <Guest OS> on <hypervisor> running on <platform> with <processor>
- NEW: Compiled with <toolchain> on <OS> running on <Guest OS> on <hypervisor> running on <platform> with <processor>
- OLD: <Guest OS> on <hypervisor> on <Host OS> running on <platform> with <processor>
- NEW: Compiled with <toolchain> on <OS> running on <Guest OS> on <hypervisor> on <Host OS> running on <platform> with <processor>
wolfSSL Inc. Reasoning and Justification:
wolfSSL Inc recently experienced how a toolchain change caused issues with the software crypto module where there were no change(s) to the OS, processor or module code.
- Scenario 1: Unmodified code, compiled for Intel silicon on Linux OS using gcc or older clang version
- All CAVP vectors passing
- Scenario 2: Same exact code, same exact intel silicon, same exact Linux OS. Compiler updated to clang 15.0.1.
- CAVP vectors for a single public key algorithm failing (all other algorithms passing)
- Problem: The n-th bit of a signature blob was being set or cleared non-deterministically. The failure was highly repeatable in testing.
- Fix: Use an alternate version of clang and submit a bug report to the toolchain dev team (still waiting on a fix).
- CAVP vectors for a single public key algorithm failing (all other algorithms passing)
If you have any other questions please contact either fips@wolfssl.com or facts@wolfssl.com anytime. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!