Merge pull request #5060 from cconlon/ecFipsReady

ECDH_compute_key: allow setting of globalRNG with FIPS 140-3 / Ready
2025-07-30 18:57:27 +02:00 · 2022-04-18 16:15:14 -07:00
parent 9172abc969 35cb3c8a79
commit 52b176b6a1
1 changed files with 6 additions and 6 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@ -33443,8 +33443,8 @@ int wolfSSL_ECDH_compute_key(void *out, size_t outlen,
    word32 len;
    ecc_key* key;
    int ret;
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
-    && !defined(HAVE_FIPS)
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) && \
+    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,0)))
    int setGlobalRNG = 0;
 #endif
    (void)KDF;
@ -33471,8 +33471,8 @@ int wolfSSL_ECDH_compute_key(void *out, size_t outlen,
    len = (word32)outlen;
    key = (ecc_key*)ecdh->internal;

-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
-    && !defined(HAVE_FIPS)
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) && \
+    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,0)))
    if (key->rng == NULL) {
        if (initGlobalRNG == 0 && wolfSSL_RAND_Init() != WOLFSSL_SUCCESS) {
            WOLFSSL_MSG("No RNG to use");
@ -33486,8 +33486,8 @@ int wolfSSL_ECDH_compute_key(void *out, size_t outlen,
    ret = wc_ecc_shared_secret_ssh(key, (ecc_point*)pub_key->internal,
            (byte *)out, &len);
    PRIVATE_KEY_LOCK();
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
-    && !defined(HAVE_FIPS)
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) && \
+    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,0)))
    if (setGlobalRNG)
        key->rng = NULL;
 #endif