Also addressing opensslall, pkcs7 and combinations

2025-07-31 11:17:29 +02:00 · 2020-11-05 17:29:30 -07:00
parent d6b219bd38
commit 182a3e6bc2
3 changed files with 16 additions and 11 deletions
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@ -1491,8 +1491,10 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
        }
        if (key) {
            word32 len32 = (word32)len;
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
-                                                         !defined(HAVE_SELFTEST)
+    && (!defined(HAVE_FIPS) || \
         (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
            WC_RNG rng;
            if (wc_InitRng(&rng) != MP_OKAY) {
                WOLFSSL_MSG("Init RNG failed");
@ -1502,8 +1504,9 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
 #endif
            if (*keylen < len32) {
                WOLFSSL_MSG("buffer too short");
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
-                                                         !defined(HAVE_SELFTEST)
+    && (!defined(HAVE_FIPS) || \
         (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
                ((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL;
                wc_FreeRng(&rng);
 #endif
@ -1513,15 +1516,17 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
                                         (ecc_point*)ctx->peerKey->ecc->pub_key->internal,
                                         key, &len32) != MP_OKAY) {
                WOLFSSL_MSG("wc_ecc_shared_secret failed");
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
-                                                         !defined(HAVE_SELFTEST)
+    && (!defined(HAVE_FIPS) || \
         (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
                ((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL;
                wc_FreeRng(&rng);
 #endif
                return WOLFSSL_FAILURE;
            }
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
-                                                         !defined(HAVE_SELFTEST)
+    && (!defined(HAVE_FIPS) || \
         (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
            ((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL;
            wc_FreeRng(&rng);
 #endif
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@ -154,8 +154,7 @@ enum Pkcs7_Misc {
                            MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ +
                            MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ,
 #if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
-     (HAVE_FIPS_VERSION >= 2)) || (defined(HAVE_SELFTEST) && \
+     (HAVE_FIPS_VERSION <= 2)) || (defined(HAVE_SELFTEST))
     (!defined(HAVE_SELFTEST_VERSION) || HAVE_SELFTEST_VERSION < 2))
    /* In the event of fips cert 3389 or CAVP selftest v1 build, these enums are
     * not in aes.h for use with pkcs7 so enumerate it here outside the fips
     * boundary */
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@ -784,7 +784,8 @@ decouple library dependencies with standard string, memory and so on.
    /* hash types */
    enum wc_HashType {
-    #if defined(HAVE_SELFTEST) || defined(HAVE_FIPS)
+    #if defined(HAVE_SELFTEST) || defined(HAVE_FIPS) && \
        (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION <= 2))
        /* In selftest build, WC_* types are not mapped to WC_HASH_TYPE types.
         * Values here are based on old selftest hmac.h enum, with additions.
         * These values are fixed for backwards FIPS compatibility */