Expose additional features of opensslall in a compliant way

2024-04-04 10:35:16 -04:00
parent afeb3f5358
commit ef2a636610
4 changed files with 38 additions and 4 deletions
--- a/src/pk.c
+++ b/src/pk.c
@@ -13106,7 +13106,11 @@ int wolfSSL_EC_KEY_generate_key(WOLFSSL_EC_KEY *key)
        /* Check if we know which internal curve index to use. */
        if (key->group->curve_idx < 0) {
            /* Generate key using the default curve. */
+#if FIPS_VERSION3_GE(6,0,0)
+            key->group->curve_idx = ECC_SECP256R1; /* FIPS default to 256 */
+#else
            key->group->curve_idx = ECC_CURVE_DEF;
+#endif
        }

        /* Create a random number generator. */
@@ -13120,11 +13124,30 @@ int wolfSSL_EC_KEY_generate_key(WOLFSSL_EC_KEY *key)
        /* NIDToEccEnum returns -1 for invalid NID so if key->group->curve_nid
         * is 0 then pass ECC_CURVE_DEF as arg */
        int eccEnum = key->group->curve_nid ?
+#if FIPS_VERSION3_GE(6,0,0)
+            NIDToEccEnum(key->group->curve_nid) : ECC_SECP256R1;
+#else
            NIDToEccEnum(key->group->curve_nid) : ECC_CURVE_DEF;
+#endif
        /* Get the internal EC key. */
        ecc_key* ecKey = (ecc_key*)key->internal;
        /* Make the key using internal API. */
-        int ret = wc_ecc_make_key_ex(rng, 0, ecKey, eccEnum);
+        int ret = 0;
+
+#if FIPS_VERSION3_GE(6,0,0)
+        /* In the case of FIPS only allow key generation with approved curves */
+        if (eccEnum != ECC_SECP256R1 && eccEnum != ECC_SECP224R1 &&
+            eccEnum != ECC_SECP384R1 && eccEnum != ECC_SECP521R1) {
+            WOLFSSL_MSG("Unsupported curve selected in FIPS mode");
+            res = 0;
+        }
+        if (res == 1) {
+#endif
+        ret  = wc_ecc_make_key_ex(rng, 0, ecKey, eccEnum);
+#if FIPS_VERSION3_GE(6,0,0)
+        }
+#endif
+
    #if defined(WOLFSSL_ASYNC_CRYPT)
        /* Wait on asynchronouse operation. */
        ret = wc_AsyncWait(ret, &ecKey->asyncDev, WC_ASYNC_FLAG_NONE);
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -1836,6 +1836,15 @@ int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id)
                break;
            }
        }
+        /* Since we are allowing a pass-through of ecc_make_key_ex_fips when
+         * both keysize == 0 and curve_id == 0 ensure we select an appropriate
+         * keysize here when relying on default selection */
+        #if FIPS_VERSION3_GE(6,0,0)
+        if (ecc_sets[x].size < WC_ECC_FIPS_GEN_MIN) {
+            WOLFSSL_MSG("ECC curve too small for FIPS mode");
+            return ECC_CURVE_OID_E;
+        }
+        #endif
        if (ecc_sets[x].size == 0) {
            WOLFSSL_MSG("ECC Curve not found");
            return ECC_CURVE_OID_E;
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -5468,7 +5468,7 @@ void wolfSSL_EVP_init(void)
    #endif /* HAVE_AES_CBC */

    #ifdef WOLFSSL_AES_CFB
-#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(6,0,0))
    #ifdef WOLFSSL_AES_128
    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cfb1(void)
    {
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -8354,7 +8354,8 @@ static const int fiducial1 = WC_TEST_RET_LN; /* source code reference point --
 #if defined(WOLFSSL_AES_OFB) || defined(WOLFSSL_AES_CFB) || \
    defined(WOLFSSL_AES_XTS)
 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
-    && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+    && !defined(HAVE_SELFTEST)
+#if !defined(HAVE_FIPS) || FIPS_VERSION3_GE(6,0,0)
 /* pass in the function, key, iv, plain text and expected and this function
 * tests that the encryption and decryption is successful */
 static wc_test_ret_t EVP_test(const WOLFSSL_EVP_CIPHER* type, const byte* key,
@@ -8458,7 +8459,8 @@ EVP_TEST_END:

    return ret;
 }
-#endif /* OPENSSL_EXTRA */
+#endif /* !HAVE_FIPS || FIPS_VERSION3_GE(6,0,0) */
+#endif /* OPENSSL_EXTRA && !WOLFCRYPT_ONLY && !HAVE_SELFTEST */
 #endif /* WOLFSSL_AES_OFB || WOLFSSL_AES_CFB */

 #ifdef WOLFSSL_AES_OFB