From 7b5b1f5a4d184a9620ee8edafeaa906ffd89f631 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Thu, 23 Dec 2021 16:04:27 -0600
Subject: [PATCH] src/ssl.c: refine integration of wolfCrypt_SetPrivateKeyReadEnable_fips(), started by 52754123d9: depend on fips 5.1+, and call as matched pair in wolfSSL_Init() and wolfSSL_Cleanup().

---
 src/ssl.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 077ac200f..f815f4dbb 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -5177,6 +5177,14 @@ int wolfSSL_Init(void)
 
     WOLFSSL_ENTER("wolfSSL_Init");
 
+    #if defined(HAVE_FIPS_VERSION) && ((HAVE_FIPS_VERSION > 5) || ((HAVE_FIPS_VERSION == 5) && (HAVE_FIPS_VERSION_MINOR >= 1)))
+    ret = wolfCrypt_SetPrivateKeyReadEnable_fips(1, WC_KEYTYPE_ALL);
+    if (ret != 0)
+        return ret;
+    else
+        ret = WOLFSSL_SUCCESS;
+    #endif
+
     if (initRefCount == 0) {
         /* Initialize crypto for use with TLS connection */
         if (wolfCrypt_Init() != 0) {
@@ -5198,10 +5206,6 @@ int wolfSSL_Init(void)
         wc_SetSeed_Cb(wc_GenerateSeed);
     #endif
 
-    #if defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION == 5
-        wolfCrypt_SetPrivateKeyReadEnable_fips(1, WC_KEYTYPE_ALL);
-    #endif
-
     #ifdef OPENSSL_EXTRA
         #ifndef WOLFSSL_NO_OPENSSL_RAND_CB
         if ((ret == WOLFSSL_SUCCESS) && (wolfSSL_RAND_InitMutex() != 0)) {
@@ -14887,6 +14891,13 @@ int wolfSSL_Cleanup(void)
             ret = WC_CLEANUP_E;
     }
 
+#if defined(HAVE_FIPS_VERSION) && ((HAVE_FIPS_VERSION > 5) || ((HAVE_FIPS_VERSION == 5) && (HAVE_FIPS_VERSION_MINOR >= 1)))
+    if (wolfCrypt_SetPrivateKeyReadEnable_fips(0, WC_KEYTYPE_ALL) < 0) {
+        if (ret == WOLFSSL_SUCCESS)
+            ret = WC_CLEANUP_E;
+    }
+#endif
+
 #ifdef HAVE_GLOBAL_RNG
     if ((globalRNGMutex_valid == 1) && (wc_FreeMutex(&globalRNGMutex) != 0)) {
         if (ret == WOLFSSL_SUCCESS)
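Review bot: The enable call added to wolfSSL_Init() sits before the `if (initRefCount == 0)` gate, so it runs on every Init call including nested ones, while the disable added to wolfSSL_Cleanup() (third hunk) is in a part of that function whose relation to the reference-count release is not visible here; the commit message describes the two as a matched pair, but nothing ties them to the same refcount transition. If the Cleanup-side disable runs regardless of remaining references, one component's Init/Cleanup would appear to leave the FIPS private-key read gate disabled for every other user of the library still holding a reference; if it only runs on final release, the per-call enable is merely redundant. Consider moving the enable inside the `if (initRefCount == 0) {` block, after `wolfCrypt_Init()` has succeeded, so the gate is taken on first Init and released on last Cleanup, and state that intent in a comment such as `/* FIPS 5.1+: enabled on first Init, disabled on final Cleanup (see wolfSSL_Cleanup) */`. The body of wolfSSL_Init() begins and ends outside the hunk.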
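Review bot: The failure test on the disable call in wolfSSL_Cleanup() uses `< 0`, whereas the enable call in wolfSSL_Init() (first hunk) treats any non-zero return as failure; if the FIPS setter follows the same non-zero-is-error convention as `wolfCrypt_Init()` in the first hunk, a positive status would be silently ignored on the cleanup side. Suggest `if (wolfCrypt_SetPrivateKeyReadEnable_fips(0, WC_KEYTYPE_ALL) != 0) {` so both ends of the pair apply the same check, plus a one-line comment on the guarded assignment, `/* keep the first error; do not overwrite an earlier failure */`, since the `if (ret == WOLFSSL_SUCCESS)` guard is the only thing preventing an earlier error from being masked. The body of wolfSSL_Cleanup() begins and ends outside the hunk.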