wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3461 from dgarske/fips_ready_wopensslextra

Browse Source 
Fix for FIPS ready with openssl compat
This commit is contained in:
John Safranek
2020-11-06 13:14:06 -08:00
committed by GitHub
parent ac4c8a0112 182a3e6bc2
commit 884a9b59ab
4 changed files with 19 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/ssl.c
View File

@@ -45625,7 +45625,9 @@ int wolfSSL_RSA_private_decrypt(int len, const unsigned char* fr,
return ret; return ret;
} }
#if !defined(_WIN32) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) #if !defined(_WIN32) && !defined(HAVE_SELFTEST) && \
(!defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
int wolfSSL_RSA_public_decrypt(int flen, const unsigned char* from, int wolfSSL_RSA_public_decrypt(int flen, const unsigned char* from,
unsigned char* to, WOLFSSL_RSA* rsa, int padding) unsigned char* to, WOLFSSL_RSA* rsa, int padding)
{ {

21
wolfcrypt/src/evp.c
View File

@@ -1491,8 +1491,10 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
} }
if (key) { if (key) {
word32 len32 = (word32)len; word32 len32 = (word32)len;
#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \ #if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
!defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
WC_RNG rng; WC_RNG rng;
if (wc_InitRng(&rng) != MP_OKAY) { if (wc_InitRng(&rng) != MP_OKAY) {
WOLFSSL_MSG("Init RNG failed"); WOLFSSL_MSG("Init RNG failed");
@@ -1502,8 +1504,9 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
#endif #endif
if (*keylen < len32) { if (*keylen < len32) {
WOLFSSL_MSG("buffer too short"); WOLFSSL_MSG("buffer too short");
#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \ #if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
!defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL; ((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL;
wc_FreeRng(&rng); wc_FreeRng(&rng);
#endif #endif
@@ -1513,15 +1516,17 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
(ecc_point*)ctx->peerKey->ecc->pub_key->internal, (ecc_point*)ctx->peerKey->ecc->pub_key->internal,
key, &len32) != MP_OKAY) { key, &len32) != MP_OKAY) {
WOLFSSL_MSG("wc_ecc_shared_secret failed"); WOLFSSL_MSG("wc_ecc_shared_secret failed");
#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \ #if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
!defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL; ((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL;
wc_FreeRng(&rng); wc_FreeRng(&rng);
#endif #endif
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \ #if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
!defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL; ((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL;
wc_FreeRng(&rng); wc_FreeRng(&rng);
#endif #endif

3
wolfssl/wolfcrypt/pkcs7.h
View File

@@ -154,8 +154,7 @@ enum Pkcs7_Misc {
MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ + MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ +
MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ, MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ,
#if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \ #if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
(HAVE_FIPS_VERSION >= 2)) || (defined(HAVE_SELFTEST) && \ (HAVE_FIPS_VERSION <= 2)) || (defined(HAVE_SELFTEST))
(!defined(HAVE_SELFTEST_VERSION) || HAVE_SELFTEST_VERSION < 2))
/* In the event of fips cert 3389 or CAVP selftest v1 build, these enums are /* In the event of fips cert 3389 or CAVP selftest v1 build, these enums are
* not in aes.h for use with pkcs7 so enumerate it here outside the fips * not in aes.h for use with pkcs7 so enumerate it here outside the fips
* boundary */ * boundary */

3
wolfssl/wolfcrypt/types.h
View File

@@ -784,7 +784,8 @@ decouple library dependencies with standard string, memory and so on.
/* hash types */ /* hash types */
enum wc_HashType { enum wc_HashType {
#if defined(HAVE_SELFTEST) || defined(HAVE_FIPS) #if defined(HAVE_SELFTEST) || defined(HAVE_FIPS) && \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION <= 2))
/* In selftest build, WC_* types are not mapped to WC_HASH_TYPE types. /* In selftest build, WC_* types are not mapped to WC_HASH_TYPE types.
* Values here are based on old selftest hmac.h enum, with additions. * Values here are based on old selftest hmac.h enum, with additions.
* These values are fixed for backwards FIPS compatibility */ * These values are fixed for backwards FIPS compatibility */