From 013cd694d9d0ed3e10314b927f1f87a306a084e0 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Fri, 29 Apr 2022 16:18:00 +0200
Subject: [PATCH] wolfSSL: Fixes for FIPS builds

Some API is not available when using FIPS. We need to allocate memory
and initialize the structs directly.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
---
 src/crypto/crypto_wolfssl.c | 4 ++--
 src/crypto/tls_wolfssl.c    | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index 88aad3eb2..15c368e42 100644
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@@ -1727,11 +1727,11 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
 	if (ret < 0)
 		goto fail;
 
-#ifdef ECC_TIMING_RESISTANT
+#if defined(ECC_TIMING_RESISTANT) && !defined(CONFIG_FIPS)
 	ret = wc_ecc_set_rng(&ecdh->ec->key, &ecdh->rng);
 	if (ret < 0)
 		goto fail;
-#endif /* ECC_TIMING_RESISTANT */
+#endif /* ECC_TIMING_RESISTANT && !CONFIG_FIPS */
 
 done:
 	return ecdh;
diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index d84e2a6f3..4a291fce1 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -2082,9 +2082,15 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
 			       _out, skip + out_len);
 		ret = 0;
 	} else {
+#ifdef CONFIG_FIPS
+		wpa_printf(MSG_ERROR,
+			   "wolfSSL: Can't use sha1_md5 in FIPS build");
+		ret = -1;
+#else /* CONFIG_FIPS */
 		ret = tls_prf_sha1_md5(master_key, master_key_len,
 				       "key expansion", seed, sizeof(seed),
 				       _out, skip + out_len);
+#endif /* CONFIG_FIPS */
 	}
 
 	forced_memzero(master_key, master_key_len);