From 31f1692cbf91448be1a0e0276e1a6e048ed098bd Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 26 Jul 2018 16:01:08 -0700 Subject: [PATCH] Prime Number Testing 1. Disable the new prime test from TLS while using FIPS or setting the flag WOLFSSL_OLD_PRIME_CHECK. --- src/internal.c | 46 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 43 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index 787d10b7f..c42f00f0b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -19108,12 +19108,20 @@ int SendClientKeyExchange(WOLFSSL* ssl) goto exit_scke; } +#if !defined(HAVE_FIPS) && !defined(WOLFSSL_OLD_PRIME_CHECK) ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length, ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length, NULL, 0, 0, ssl->rng); +#else + ret = wc_DhSetKey(ssl->buffers.serverDH_Key, + ssl->buffers.serverDH_P.buffer, + ssl->buffers.serverDH_P.length, + ssl->buffers.serverDH_G.buffer, + ssl->buffers.serverDH_G.length); +#endif if (ret != 0) { goto exit_scke; } @@ -19204,12 +19212,20 @@ int SendClientKeyExchange(WOLFSSL* ssl) goto exit_scke; } +#if !defined(HAVE_FIPS) && !defined(WOLFSSL_OLD_PRIME_CHECK) ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length, ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length, NULL, 0, 0, ssl->rng); +#else + ret = wc_DhSetKey(ssl->buffers.serverDH_Key, + ssl->buffers.serverDH_P.buffer, + ssl->buffers.serverDH_P.length, + ssl->buffers.serverDH_G.buffer, + ssl->buffers.serverDH_G.length); +#endif if (ret != 0) { goto exit_scke; } @@ -20919,12 +20935,20 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, goto exit_sske; } +#if !defined(HAVE_FIPS) && !defined(WOLFSSL_OLD_PRIME_CHECK) ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length, ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length, - NULL, 0, 1, ssl->rng); + NULL, 0, 0, ssl->rng); +#else + ret = wc_DhSetKey(ssl->buffers.serverDH_Key, + ssl->buffers.serverDH_P.buffer, + ssl->buffers.serverDH_P.length, + ssl->buffers.serverDH_G.buffer, + ssl->buffers.serverDH_G.length); +#endif if (ret != 0) { goto exit_sske; } @@ -24450,12 +24474,20 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, goto exit_dcke; } +#if !defined(HAVE_FIPS) && !defined(WOLFSSL_OLD_PRIME_CHECK) ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length, ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length, - NULL, 0, 1, ssl->rng); + NULL, 0, 0, ssl->rng); +#else + ret = wc_DhSetKey(ssl->buffers.serverDH_Key, + ssl->buffers.serverDH_P.buffer, + ssl->buffers.serverDH_P.length, + ssl->buffers.serverDH_G.buffer, + ssl->buffers.serverDH_G.length); +#endif /* set the max agree result size */ ssl->arrays->preMasterSz = ENCRYPT_LEN; @@ -24507,12 +24539,20 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, goto exit_dcke; } +#if !defined(HAVE_FIPS) && !defined(WOLFSSL_OLD_PRIME_CHECK) ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length, ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length, - NULL, 0, 1, ssl->rng); + NULL, 0, 0, ssl->rng); +#else + ret = wc_DhSetKey(ssl->buffers.serverDH_Key, + ssl->buffers.serverDH_P.buffer, + ssl->buffers.serverDH_P.length, + ssl->buffers.serverDH_G.buffer, + ssl->buffers.serverDH_G.length); +#endif break; }