src/ssl.c: refine integration of wolfCrypt_SetPrivateKeyReadEnable_fips(), started by 52754123d9: depend on fips 5.1+, and call as matched pair in wolfSSL_Init() and wolfSSL_Cleanup().

2021-12-23 16:04:27 -06:00
parent f950f24b1a
commit 7b5b1f5a4d
1 changed files with 15 additions and 4 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@ -5177,6 +5177,14 @@ int wolfSSL_Init(void)

    WOLFSSL_ENTER("wolfSSL_Init");

+    #if defined(HAVE_FIPS_VERSION) && ((HAVE_FIPS_VERSION > 5) || ((HAVE_FIPS_VERSION == 5) && (HAVE_FIPS_VERSION_MINOR >= 1)))
+        ret = wolfCrypt_SetPrivateKeyReadEnable_fips(1, WC_KEYTYPE_ALL);
+        if (ret != 0)
+            return ret;
+        else
+            ret = WOLFSSL_SUCCESS;
+    #endif
+
    if (initRefCount == 0) {
        /* Initialize crypto for use with TLS connection */
        if (wolfCrypt_Init() != 0) {
@ -5198,10 +5206,6 @@ int wolfSSL_Init(void)
        wc_SetSeed_Cb(wc_GenerateSeed);
    #endif

-    #if defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION == 5
-        wolfCrypt_SetPrivateKeyReadEnable_fips(1, WC_KEYTYPE_ALL);
-    #endif
-
 #ifdef OPENSSL_EXTRA
    #ifndef WOLFSSL_NO_OPENSSL_RAND_CB
        if ((ret == WOLFSSL_SUCCESS) && (wolfSSL_RAND_InitMutex() != 0)) {
@ -14887,6 +14891,13 @@ int wolfSSL_Cleanup(void)
            ret = WC_CLEANUP_E;
    }

+#if defined(HAVE_FIPS_VERSION) && ((HAVE_FIPS_VERSION > 5) || ((HAVE_FIPS_VERSION == 5) && (HAVE_FIPS_VERSION_MINOR >= 1)))
+    if (wolfCrypt_SetPrivateKeyReadEnable_fips(0, WC_KEYTYPE_ALL) < 0) {
+        if (ret == WOLFSSL_SUCCESS)
+            ret = WC_CLEANUP_E;
+    }
+#endif
+
 #ifdef HAVE_GLOBAL_RNG
    if ((globalRNGMutex_valid == 1) && (wc_FreeMutex(&globalRNGMutex) != 0)) {
        if (ret == WOLFSSL_SUCCESS)