From 38214bd0831131deece548965ce5556aca6c9e3c Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Tue, 21 Dec 2021 16:21:52 -0800
Subject: [PATCH] Disable the FIPS consistency checks in ECC and DH for key
 generation by default.

---
 tests/api.c         |  2 +-
 wolfcrypt/src/dh.c  | 10 +++++++---
 wolfcrypt/src/ecc.c | 36 ++++++++++++++++++++----------------
 3 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/tests/api.c b/tests/api.c
index e5a943ef3..a031f34ae 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -30938,7 +30938,7 @@ static void test_wolfSSL_private_keys(void)
                                                          WOLFSSL_FILETYPE_PEM));
     AssertNotNull(ssl = SSL_new(ctx));
 
-    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
+    #ifdef WOLFSSL_VALIDATE_ECC_IMPORT
     AssertIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
     #endif
 
diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c
index 38425aaa8..26c62832f 100644
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@@ -63,7 +63,8 @@ Possible DH enable options:
                         directly effect this file, but it does speed up DH
                         removing the testing. It is not recommended to
                         disable the prime checking.           default: off
-
+ * WOLFSSL_VALIDATE_DH_KEYGEN: Enable DH key gen consistency checking
+ *                             (on for FIPS 140-3 or later)   default: off
 */
 
 
@@ -995,8 +996,10 @@ int wc_FreeDhKey(DhKey* key)
 
 static int _ffc_validate_public_key(DhKey* key, const byte* pub, word32 pubSz,
        const byte* prime, word32 primeSz, int partial);
+#if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_DH_KEYGEN)
 static int _ffc_pairwise_consistency_test(DhKey* key,
         const byte* pub, word32 pubSz, const byte* priv, word32 privSz);
+#endif
 
 #ifndef WOLFSSL_KCAPI_DH
 
@@ -1364,12 +1367,13 @@ static int wc_DhGenerateKeyPair_Sync(DhKey* key, WC_RNG* rng,
 
     if (ret == 0)
         ret = GeneratePublicDh(key, priv, *privSz, pub, pubSz);
-#if defined(WOLFSSL_SP_MATH) || defined(HAVE_FFDHE)
+#if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_DH_KEYGEN)
     if (ret == 0)
         ret = _ffc_validate_public_key(key, pub, *pubSz, NULL, 0, 0);
-#endif
     if (ret == 0)
         ret = _ffc_pairwise_consistency_test(key, pub, *pubSz, priv, *privSz);
+#endif /* FIPS V5 or later || WOLFSSL_VALIDATE_DH_KEYGEN */
+
 
     RESTORE_VECTOR_REGISTERS();
 
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index bbdb2f6e2..938c0652c 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -1242,14 +1242,15 @@ static int wc_ecc_export_x963_compressed(ecc_key*, byte* out, word32* outLen);
 #endif
 
 
-#if (defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || !defined(WOLFSSL_SP_MATH)) && \
+
+#if !defined(WOLFSSL_SP_MATH) && \
     !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SE050)
 static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
-        mp_int* prime, mp_int* order);
+    mp_int* prime, mp_int* order);
 #endif
 static int _ecc_validate_public_key(ecc_key* key, int partial, int priv);
-#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(WOLFSSL_VALIDATE_ECC_IMPORT)
+#if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_ECC_KEYGEN)
 static int _ecc_pairwise_consistency_test(ecc_key* key, WC_RNG* rng);
 #endif
 
@@ -5087,10 +5088,10 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id,
 
     err = _ecc_make_key_ex(rng, keysize, key, curve_id, flags);
 
+#if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_ECC_KEYGEN)
     if (err == MP_OKAY) {
         err = _ecc_validate_public_key(key, 0, 0);
     }
-#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(WOLFSSL_VALIDATE_ECC_IMPORT)
     if (err == MP_OKAY) {
         err = _ecc_pairwise_consistency_test(key, rng);
     }
@@ -8381,7 +8382,8 @@ int wc_ecc_is_point(ecc_point* ecp, mp_int* a, mp_int* b, mp_int* prime)
 #endif
 }
 
-#if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_VALIDATE_ECC_IMPORT)
+#if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || \
+    (defined(WOLFSSL_VALIDATE_ECC_IMPORT) && !defined(WOLFSSL_SP_MATH))
 /* validate privkey * generator == pubkey, 0 on success */
 static int ecc_check_privkey_gen(ecc_key* key, mp_int* a, mp_int* prime)
 {
@@ -8508,9 +8510,10 @@ static int ecc_check_privkey_gen(ecc_key* key, mp_int* a, mp_int* prime)
 
     return err;
 }
-#endif /* !WOLFSSL_SP_MATH || WOLFSSL_VALIDATE_ECC_IMPORT */
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN ||
+        * (!WOLFSSL_SP_MATH && WOLFSSL_VALIDATE_ECC_IMPORT) */
 
-#ifdef WOLFSSL_VALIDATE_ECC_IMPORT
+#if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_ECC_KEYGEN)
 
 /* check privkey generator helper, creates prime needed */
 static int ecc_check_privkey_gen_helper(ecc_key* key)
@@ -8549,18 +8552,16 @@ static int ecc_check_privkey_gen_helper(ecc_key* key)
     return err;
 }
 
-#endif /* WOLFSSL_VALIDATE_ECC_IMPORT */
-
-
-#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(WOLFSSL_VALIDATE_ECC_IMPORT)
 /* Performs a Pairwise Consistency Test on an ECC key pair. */
 static int _ecc_pairwise_consistency_test(ecc_key* key, WC_RNG* rng)
 {
     int err = 0;
     int flags = key->flags;
 
-    if ((flags & (WC_ECC_FLAG_COFACTOR | WC_ECC_FLAG_DEC_SIGN)) == 0)
+    /* If flags not set default to cofactor and dec/sign */
+    if ((flags & (WC_ECC_FLAG_COFACTOR | WC_ECC_FLAG_DEC_SIGN)) == 0) {
         flags = (WC_ECC_FLAG_COFACTOR | WC_ECC_FLAG_DEC_SIGN);
+    }
 
     if (flags & WC_ECC_FLAG_COFACTOR) {
         err = ecc_check_privkey_gen_helper(key);
@@ -8606,16 +8607,16 @@ static int _ecc_pairwise_consistency_test(ecc_key* key, WC_RNG* rng)
         ForceZero(sig, sigLen + digestLen);
         XFREE(sig, NULL, DYNAMIC_TYPE_ECC);
     }
+    (void)rng;
 
     if (err != 0)
         err = ECC_PCT_E;
 
     return err;
 }
-#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || WOLFSSL_VALIDATE_ECC_IMPORT */
+#endif /* FIPS v5 or later || WOLFSSL_VALIDATE_ECC_KEYGEN */
 
-
-#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || !defined(WOLFSSL_SP_MATH)
+#ifndef WOLFSSL_SP_MATH
 /* validate order * pubkey = point at infinity, 0 on success */
 static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
         mp_int* prime, mp_int* order)
@@ -8668,7 +8669,8 @@ static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
 
     return err;
 }
-#endif
+#endif /* !WOLFSSL_SP_MATH */
+
 #endif /* !WOLFSSL_ATECC508A && !WOLFSSL_CRYPTOCELL*/
 
 #ifdef OPENSSL_EXTRA
@@ -8858,10 +8860,12 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
             err = ECC_PRIV_KEY_E;
         }
 
+    #ifdef WOLFSSL_VALIDATE_ECC_IMPORT
         /* SP 800-56Ar3, section 5.6.2.1.4, method (b) for ECC */
         /* private * base generator must equal pubkey */
         if (err == MP_OKAY && key->type == ECC_PRIVATEKEY)
             err = ecc_check_privkey_gen(key, curve->Af, curve->prime);
+    #endif
     }
 
     wc_ecc_curve_free(curve);