Skip to content

Commit dadccc8

Browse files
ejohnstownejohnstown
authored
Merge pull request #400 from dgarske/fips
Fixes for building with FIPS
2 parents fd77d6f + 76ba904 commit dadccc8

3 files changed

Lines changed: 62 additions & 3 deletions

File tree

src/internal.c

Lines changed: 38 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3248,10 +3248,16 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
32483248
ssh->kSz = MAX_KEX_KEY_SZ;
32493249
if (!ssh->handshake->useEcc) {
32503250
#ifndef WOLFSSH_NO_DH
3251+
#ifdef PRIVATE_KEY_UNLOCK
3252+
PRIVATE_KEY_UNLOCK();
3253+
#endif
32513254
ret = wc_DhAgree(&ssh->handshake->privKey.dh,
32523255
ssh->k, &ssh->kSz,
32533256
ssh->handshake->x, ssh->handshake->xSz,
32543257
f, fSz);
3258+
#ifdef PRIVATE_KEY_LOCK
3259+
PRIVATE_KEY_LOCK();
3260+
#endif
32553261
ForceZero(ssh->handshake->x, ssh->handshake->xSz);
32563262
wc_FreeDhKey(&ssh->handshake->privKey.dh);
32573263
if (ret != 0) {
@@ -3272,10 +3278,14 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
32723278
if (ret == 0)
32733279
ret = wc_ecc_import_x963(f, fSz, key_ptr);
32743280
if (ret == 0) {
3281+
#ifdef PRIVATE_KEY_UNLOCK
32753282
PRIVATE_KEY_UNLOCK();
3283+
#endif
32763284
ret = wc_ecc_shared_secret(&ssh->handshake->privKey.ecc,
32773285
key_ptr, ssh->k, &ssh->kSz);
3286+
#ifdef PRIVATE_KEY_LOCK
32783287
PRIVATE_KEY_LOCK();
3288+
#endif
32793289
}
32803290
wc_ecc_free(key_ptr);
32813291
wc_ecc_free(&ssh->handshake->privKey.ecc);
@@ -7074,11 +7084,15 @@ int SendKexDhReply(WOLFSSH* ssh)
70747084
ssh->ctx->privateKeySz);
70757085
/* Flatten the public key into x963 value for the exchange hash. */
70767086
if (ret == 0) {
7087+
#ifdef PRIVATE_KEY_UNLOCK
70777088
PRIVATE_KEY_UNLOCK();
7089+
#endif
70787090
ret = wc_ecc_export_x963(&sigKeyBlock_ptr->sk.ecc.key,
70797091
sigKeyBlock_ptr->sk.ecc.q,
70807092
&sigKeyBlock_ptr->sk.ecc.qSz);
7093+
#ifdef PRIVATE_KEY_LOCK
70817094
PRIVATE_KEY_LOCK();
7095+
#endif
70827096
}
70837097
/* Hash in the length of the public key block. */
70847098
if (ret == 0) {
@@ -7254,9 +7268,16 @@ int SendKexDhReply(WOLFSSH* ssh)
72547268
if (ret == 0)
72557269
ret = wc_DhGenerateKeyPair(privKey, ssh->rng,
72567270
y_ptr, &ySz, f_ptr, &fSz);
7257-
if (ret == 0)
7271+
if (ret == 0) {
7272+
#ifdef PRIVATE_KEY_UNLOCK
7273+
PRIVATE_KEY_UNLOCK();
7274+
#endif
72587275
ret = wc_DhAgree(privKey, ssh->k, &ssh->kSz, y_ptr, ySz,
72597276
ssh->handshake->e, ssh->handshake->eSz);
7277+
#ifdef PRIVATE_KEY_LOCK
7278+
PRIVATE_KEY_LOCK();
7279+
#endif
7280+
}
72607281
ForceZero(y_ptr, ySz);
72617282
wc_FreeDhKey(privKey);
72627283
}
@@ -7307,15 +7328,23 @@ int SendKexDhReply(WOLFSSH* ssh)
73077328
wc_ecc_get_curve_size_from_id(primeId),
73087329
privKey, primeId);
73097330
if (ret == 0) {
7331+
#ifdef PRIVATE_KEY_UNLOCK
73107332
PRIVATE_KEY_UNLOCK();
7333+
#endif
73117334
ret = wc_ecc_export_x963(privKey, f_ptr, &fSz);
7335+
#ifdef PRIVATE_KEY_LOCK
73127336
PRIVATE_KEY_LOCK();
7337+
#endif
73137338
}
73147339
if (ret == 0) {
7340+
#ifdef PRIVATE_KEY_UNLOCK
73157341
PRIVATE_KEY_UNLOCK();
7342+
#endif
73167343
ret = wc_ecc_shared_secret(privKey, pubKey,
73177344
ssh->k, &ssh->kSz);
7345+
#ifdef PRIVATE_KEY_LOCK
73187346
PRIVATE_KEY_LOCK();
7347+
#endif
73197348
}
73207349
wc_ecc_free(privKey);
73217350
wc_ecc_free(pubKey);
@@ -7936,8 +7965,15 @@ int SendKexDhInit(WOLFSSH* ssh)
79367965
ret = wc_ecc_make_key_ex(ssh->rng,
79377966
wc_ecc_get_curve_size_from_id(primeId),
79387967
privKey, primeId);
7939-
if (ret == 0)
7968+
if (ret == 0) {
7969+
#ifdef PRIVATE_KEY_UNLOCK
7970+
PRIVATE_KEY_UNLOCK();
7971+
#endif
79407972
ret = wc_ecc_export_x963(privKey, e, &eSz);
7973+
#ifdef PRIVATE_KEY_LOCK
7974+
PRIVATE_KEY_LOCK();
7975+
#endif
7976+
}
79417977
#else
79427978
ret = WS_INVALID_ALGO_ID;
79437979
#endif /* !defined(WOLFSSH_NO_ECDH) */

src/ssh.c

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,8 @@
3232
#include <wolfssh/internal.h>
3333
#include <wolfssh/log.h>
3434
#include <wolfssl/wolfcrypt/wc_port.h>
35+
#include <wolfssl/wolfcrypt/error-crypt.h>
36+
#include <wolfssl/wolfcrypt/random.h>
3537

3638
#ifdef NO_INLINE
3739
#include <wolfssh/misc.h>
@@ -40,6 +42,19 @@
4042
#include "src/misc.c"
4143
#endif
4244

45+
#ifdef HAVE_FIPS
46+
static void myFipsCb(int ok, int err, const char* hash)
47+
{
48+
printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
49+
printf("message = %s\n", wc_GetErrorString(err));
50+
printf("hash = %s\n", hash);
51+
52+
if (err == IN_CORE_FIPS_E) {
53+
printf("In core integrity hash check failure, copy above hash\n");
54+
printf("into verifyCore[] in fips_test.c and rebuild\n");
55+
}
56+
}
57+
#endif /* HAVE_FIPS */
4358

4459
int wolfSSH_Init(void)
4560
{
@@ -49,6 +64,13 @@ int wolfSSH_Init(void)
4964
if (wolfCrypt_Init() != 0)
5065
ret = WS_CRYPTO_FAILED;
5166

67+
#ifdef HAVE_FIPS
68+
wolfCrypt_SetCb_fips(myFipsCb);
69+
#endif
70+
#ifdef WC_RNG_SEED_CB
71+
wc_SetSeed_Cb(wc_GenerateSeed);
72+
#endif
73+
5274
WLOG(WS_LOG_DEBUG, "Leaving wolfSSH_Init(), returning %d", ret);
5375
return ret;
5476
}

tests/testsuite.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -103,10 +103,11 @@ int TestsuiteTest(int argc, char** argv)
103103

104104
WSTARTTCP();
105105

106-
wolfSSH_Init();
107106
#if defined(DEBUG_WOLFSSH)
108107
wolfSSH_Debugging_ON();
109108
#endif
109+
110+
wolfSSH_Init();
110111
#if !defined(WOLFSSL_TIRTOS)
111112
ChangeToWolfSshRoot();
112113
#endif

0 commit comments

Comments
 (0)