Fixes for all FIPS 140-3 cases.

Author: dgarske

src/internal.c

@@ -3248,10 +3248,16 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
             ssh->kSz = MAX_KEX_KEY_SZ;
             if (!ssh->handshake->useEcc) {
 #ifndef WOLFSSH_NO_DH
+            #ifdef PRIVATE_KEY_UNLOCK
+                PRIVATE_KEY_UNLOCK();
+            #endif
                 ret = wc_DhAgree(&ssh->handshake->privKey.dh,
                                  ssh->k, &ssh->kSz,
                                  ssh->handshake->x, ssh->handshake->xSz,
                                  f, fSz);
+            #ifdef PRIVATE_KEY_LOCK
+                PRIVATE_KEY_LOCK();
+            #endif
                 ForceZero(ssh->handshake->x, ssh->handshake->xSz);
                 wc_FreeDhKey(&ssh->handshake->privKey.dh);
                 if (ret != 0) {
@@ -7262,9 +7268,16 @@ int SendKexDhReply(WOLFSSH* ssh)
                     if (ret == 0)
                         ret = wc_DhGenerateKeyPair(privKey, ssh->rng,
                                 y_ptr, &ySz, f_ptr, &fSz);
-                    if (ret == 0)
+                    if (ret == 0) {
+                    #ifdef PRIVATE_KEY_UNLOCK
+                        PRIVATE_KEY_UNLOCK();
+                    #endif
                         ret = wc_DhAgree(privKey, ssh->k, &ssh->kSz, y_ptr, ySz,
                                 ssh->handshake->e, ssh->handshake->eSz);
+                    #ifdef PRIVATE_KEY_LOCK
+                        PRIVATE_KEY_LOCK();
+                    #endif
+                    }
                     ForceZero(y_ptr, ySz);
                     wc_FreeDhKey(privKey);
                 }
@@ -7952,8 +7965,15 @@ int SendKexDhInit(WOLFSSH* ssh)
                 ret = wc_ecc_make_key_ex(ssh->rng,
                                      wc_ecc_get_curve_size_from_id(primeId),
                                      privKey, primeId);
-            if (ret == 0)
+            if (ret == 0) {
+            #ifdef PRIVATE_KEY_UNLOCK
+                PRIVATE_KEY_UNLOCK();
+            #endif
                 ret = wc_ecc_export_x963(privKey, e, &eSz);
+            #ifdef PRIVATE_KEY_LOCK
+                PRIVATE_KEY_LOCK();
+            #endif
+            }
 #else
             ret = WS_INVALID_ALGO_ID;
 #endif /* !defined(WOLFSSH_NO_ECDH) */

src/ssh.c

@@ -32,6 +32,8 @@
 #include <wolfssh/internal.h>
 #include <wolfssh/log.h>
 #include <wolfssl/wolfcrypt/wc_port.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/random.h>
 
 #ifdef NO_INLINE
     #include <wolfssh/misc.h>
@@ -40,6 +42,19 @@
     #include "src/misc.c"
 #endif
 
+#ifdef HAVE_FIPS
+static void myFipsCb(int ok, int err, const char* hash)
+{
+    printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
+    printf("message = %s\n", wc_GetErrorString(err));
+    printf("hash = %s\n", hash);
+
+    if (err == IN_CORE_FIPS_E) {
+        printf("In core integrity hash check failure, copy above hash\n");
+        printf("into verifyCore[] in fips_test.c and rebuild\n");
+    }
+}
+#endif /* HAVE_FIPS */
 
 int wolfSSH_Init(void)
 {
@@ -49,6 +64,13 @@ int wolfSSH_Init(void)
     if (wolfCrypt_Init() != 0)
         ret = WS_CRYPTO_FAILED;
 
+#ifdef HAVE_FIPS
+    wolfCrypt_SetCb_fips(myFipsCb);
+#endif
+#ifdef WC_RNG_SEED_CB
+    wc_SetSeed_Cb(wc_GenerateSeed);
+#endif
+
     WLOG(WS_LOG_DEBUG, "Leaving wolfSSH_Init(), returning %d", ret);
     return ret;
 }

tests/testsuite.c

@@ -103,10 +103,11 @@ int TestsuiteTest(int argc, char** argv)
 
     WSTARTTCP();
 
-    wolfSSH_Init();
     #if defined(DEBUG_WOLFSSH)
         wolfSSH_Debugging_ON();
     #endif
+
+    wolfSSH_Init();
     #if !defined(WOLFSSL_TIRTOS)
         ChangeToWolfSshRoot();
     #endif