Merge pull request #2354 from ejohnstown/fixes

Fixes for FIPS
2025-07-30 02:37:28 +02:00 · 2019-07-19 09:59:21 -07:00
parent 45abd67bd1 3aad9a2673
commit ab01cd9be1
3 changed files with 10 additions and 4 deletions
--- a/tests/api.c
+++ b/tests/api.c
@ -11341,7 +11341,7 @@ static int test_wc_RsaPublicKeyDecodeRaw (void)
    /* In FIPS builds, wc_MakeRsaKey() will return an error if it cannot find
     * a probable prime in 5*(modLen/2) attempts. In non-FIPS builds, it keeps
     * trying until it gets a probable prime. */
-    #ifdef WOLFSSL_FIPS
+    #ifdef HAVE_FIPS
        static int MakeRsaKeyRetry(RsaKey* key, int size, long e, WC_RNG* rng)
        {
            int ret;
@ -20664,6 +20664,10 @@ static void test_wolfSSL_PKCS8_Compat(void)

 static void test_wolfSSL_PKCS8_d2i(void)
 {
+#ifndef HAVE_FIPS
+    /* This test ends up using HMAC as a part of PBKDF2, and HMAC
+     * requires a 12 byte password in FIPS mode. This test ends up
+     * trying to use an 8 byte password. */
 #ifdef OPENSSL_ALL
    WOLFSSL_EVP_PKEY* pkey = NULL;
 #ifndef NO_FILESYSTEM
@ -20817,6 +20821,7 @@ static void test_wolfSSL_PKCS8_d2i(void)

    printf(resultFmt, passed);
 #endif
+#endif /* HAVE_FIPS */
 }

 static void test_wolfSSL_ERR_put_error(void)
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@ -1628,7 +1628,8 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
        #endif

        /* if input and output same will overwrite input iv */
-        XMEMCPY(aes->tmp, inBlock, AES_BLOCK_SIZE);
+        if ((const byte*)aes->tmp != inBlock)
+            XMEMCPY(aes->tmp, inBlock, AES_BLOCK_SIZE);
        AES_ECB_decrypt(inBlock, outBlock, AES_BLOCK_SIZE, (byte*)aes->key,
                        aes->rounds);
        return;
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@ -3654,7 +3654,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
            if (err == MP_OKAY)
                err = _CheckProbablePrime(&p, NULL, &tmp3, size, &isPrime, rng);

-#ifdef WOLFSSL_FIPS
+#ifdef HAVE_FIPS
            i++;
 #else
            /* Keep the old retry behavior in non-FIPS build. */
@ -3689,7 +3689,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
            if (err == MP_OKAY)
                err = _CheckProbablePrime(&p, &q, &tmp3, size, &isPrime, rng);

-#ifdef WOLFSSL_FIPS
+#ifdef HAVE_FIPS
            i++;
 #else
            /* Keep the old retry behavior in non-FIPS build. */