Fix private key lock issues in master

kaleb-himes
2026-05-08 17:08:38 -06:00
parent 867ce26474
commit afb90dd2da
2 changed files with 16 additions and 2 deletions
+8 -1
@@ -31059,11 +31059,18 @@ static int DecodePrivateKey_ex(WOLFSSL *ssl, byte keyType, const DerBuffer* key,
/* Set start of data to beginning of buffer. */
idx = 0;
/* Decode the key assuming it is a Dilithium private key. */
/* Decode the key assuming it is a Dilithium private key. The FIPS
* wrapper for wc_dilithium_import_private gates on the per-thread
* privateKeyReadEnable flag, which is unset by default in any
* thread that hasn't called PRIVATE_KEY_UNLOCK(). Without the
* bracket, decoding a Dilithium/ML-DSA private key from a
* handshake worker thread fails with FIPS_PRIVATE_KEY_LOCKED_E. */
PRIVATE_KEY_UNLOCK();
ret = wc_Dilithium_PrivateKeyDecode(key->buffer,
&idx,
(dilithium_key*)*hsKey,
key->length);
PRIVATE_KEY_LOCK();
if (ret == 0) {
WOLFSSL_MSG("Using Dilithium private key");
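Review bot: The unconditional `PRIVATE_KEY_LOCK();` after `wc_Dilithium_PrivateKeyDecode` assumes the unlock/lock pair nests. The macro definitions are not visible on this page, so if the per-thread flag is a plain on/off value rather than a depth counter, a caller that had already unlocked before entering DecodePrivateKey_ex would return with private-key reads locked again. It is worth confirming this against the FIPS wrapper and recording it in the comment, for example `/* UNLOCK/LOCK nest, so an earlier unlock by the caller is preserved. */`. The same bracket is added in ProcessBufferTryDecodeDilithium in the second file, and the same question applies there. DecodePrivateKey_ex starts and ends outside this hunk.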
+8 -1
@@ -956,10 +956,17 @@ static int ProcessBufferTryDecodeDilithium(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
/* Initialize Dilithium key. */
ret = wc_dilithium_init(key);
if (ret == 0) {
/* Decode as a Dilithium private key. */
/* Decode as a Dilithium private key. The FIPS wrapper for
* wc_dilithium_import_private gates on the per-thread
* privateKeyReadEnable flag, which is unset by default in any
* thread that hasn't called PRIVATE_KEY_UNLOCK(). Without the
* bracket, loading a Dilithium/ML-DSA private key from a
* worker thread fails with FIPS_PRIVATE_KEY_LOCKED_E. */
idx = 0;
PRIVATE_KEY_UNLOCK();
ret = wc_Dilithium_PrivateKeyDecode(der->buffer, &idx, key,
der->length);
PRIVATE_KEY_LOCK();
if (ret == 0) {
ret = dilithium_get_oid_sum(key, &keyFormatTemp);
if (ret == 0) {
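Review bot: The new comment sits above `idx = 0;`, one statement away from the `PRIVATE_KEY_UNLOCK()` bracket it explains, and it names `wc_dilithium_import_private` while the bracketed call is `wc_Dilithium_PrivateKeyDecode`. Placing `idx = 0;` before the comment and adding a clause such as `(presumably reached through wc_Dilithium_PrivateKeyDecode)` would let a reader connect the gated function to the call without opening the wrapper. The unlocked window is kept to the single decode call, which is the right scope, and it should stay that narrow if more statements are added here later. ProcessBufferTryDecodeDilithium continues outside this hunk.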