wolfSSL: Fixes for FIPS builds

Some API is not available when using FIPS. We need to allocate memory and initialize the structs directly. Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-29 16:18:00 +02:00 · 2022-04-29 16:18:00 +02:00 · 013cd694d9
commit 013cd694d9
parent 9d5f8168fc
2 changed files with 8 additions and 2 deletions
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@ -1727,11 +1727,11 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
 	if (ret < 0)
 		goto fail;

-#ifdef ECC_TIMING_RESISTANT
+#if defined(ECC_TIMING_RESISTANT) && !defined(CONFIG_FIPS)
 	ret = wc_ecc_set_rng(&ecdh->ec->key, &ecdh->rng);
 	if (ret < 0)
 		goto fail;
-#endif /* ECC_TIMING_RESISTANT */
+#endif /* ECC_TIMING_RESISTANT && !CONFIG_FIPS */

 done:
 	return ecdh;
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@ -2082,9 +2082,15 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
 			       _out, skip + out_len);
 		ret = 0;
 	} else {
+#ifdef CONFIG_FIPS
+		wpa_printf(MSG_ERROR,
+			   "wolfSSL: Can't use sha1_md5 in FIPS build");
+		ret = -1;
+#else /* CONFIG_FIPS */
 		ret = tls_prf_sha1_md5(master_key, master_key_len,
 				       "key expansion", seed, sizeof(seed),
 				       _out, skip + out_len);
+#endif /* CONFIG_FIPS */
 	}

 	forced_memzero(master_key, master_key_len);