Signed-off-by: Juliusz Sosinowicz <juliusz@xxxxxxxxxxx>
---
 src/crypto/crypto_wolfssl.c | 77 +++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index 7d3672f01..52f4c70c6 100644
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@@ -64,31 +64,79 @@ static WC_RNG * wc_rng_init(void)
 {
 WC_RNG * ret;
+#ifdef CONFIG_FIPS
+ ret = os_zalloc(sizeof(WC_RNG));
+#else
 ret = wc_rng_new(NULL, 0, NULL);
+#endif
 if (!ret) {
+#ifdef CONFIG_FIPS
+ LOG_WOLF_ERROR_FUNC_NULL(os_zalloc);
+#else
 LOG_WOLF_ERROR_FUNC_NULL(wc_rng_new);
+#endif
+ }
+#ifdef CONFIG_FIPS
+ else {
+ int err;
+ err = wc_InitRng(ret);
+ if (err != 0) {
+ LOG_WOLF_ERROR_FUNC(wc_InitRng, err);
+ os_free(ret);
+ ret = NULL;
+ }
 }
+#endif /* CONFIG_FIPS */
 return ret;
 }
 static void wc_rng_deinit(WC_RNG * rng)
 {
+#ifdef CONFIG_FIPS
+ wc_FreeRng(rng);
+ os_free(rng);
+#else /* CONFIG_FIPS */
 wc_rng_free(rng);
+#endif /* CONFIG_FIPS */
 }
 static ecc_key * ecc_key_init(void)
 {
 ecc_key * ret;
+#ifdef CONFIG_FIPS
+ int err;
+ ret = os_zalloc(sizeof(ecc_key));
+#else /* CONFIG_FIPS */
 ret = wc_ecc_key_new(NULL);
+#endif /* CONFIG_FIPS */
 if (!ret) {
+#ifdef CONFIG_FIPS
+ LOG_WOLF_ERROR_FUNC_NULL(os_zalloc);
+#else /* CONFIG_FIPS */
 LOG_WOLF_ERROR_FUNC_NULL(wc_ecc_key_new);
+#endif /* CONFIG_FIPS */
+ }
+#ifdef CONFIG_FIPS
+ else {
+ err = wc_ecc_init_ex(ret, NULL, INVALID_DEVID);
+ if (err != 0) {
+ LOG_WOLF_ERROR("wc_ecc_init_ex failed");
+ os_free(ret);
+ ret = NULL;
+ }
 }
+#endif /* CONFIG_FIPS */
 return ret;
 }
 static void ecc_key_deinit(ecc_key * key)
 {
+#ifdef CONFIG_FIPS
+ wc_ecc_free(key);
+ os_free(key);
+#else /* CONFIG_FIPS */
 wc_ecc_key_free(key);
+#endif /* CONFIG_FIPS */
 }
 /* end of helper functions */
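Review bot: In the CONFIG_FIPS branches of `wc_rng_deinit()` and `ecc_key_deinit()` the structure goes straight to `os_free()` after `wc_FreeRng()` / `wc_ecc_free()`, so any DRBG or key state those calls leave behind stays in freed heap memory. As far as I recall, wolfSSL's `wc_rng_free()` and `wc_ecc_key_free()` wipe the whole structure before releasing it, which would make the FIPS build weaker here than the non-FIPS one; hostap's `bin_clear_free(rng, sizeof(*rng));` and `bin_clear_free(key, sizeof(*key));` would close that gap. Separately, the `wc_ecc_init_ex` failure in `ecc_key_init()` is logged with a fixed string and drops `err`; `LOG_WOLF_ERROR_FUNC(wc_ecc_init_ex, err);` would match how `wc_rng_init()` reports `wc_InitRng`.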
@@ -1606,11 +1654,34 @@ struct crypto_ec * crypto_ec_init(int group)
 LOG_WOLF_ERROR_FUNC_NULL(wc_ecc_new_point);
 goto done;
 }
+#ifdef CONFIG_FIPS
+ /* Setup generator manually in FIPS mode */
+ if (!e->key->dp) {
+ LOG_WOLF_ERROR_FUNC_NULL(e->key->dp);
+ goto done;
+ }
+ err = mp_read_radix(e->g->x, e->key->dp->Gx, MP_RADIX_HEX);
+ if (err != MP_OKAY) {
+ LOG_WOLF_ERROR_FUNC(mp_read_radix, err);
+ goto done;
+ }
+ err = mp_read_radix(e->g->y, e->key->dp->Gy, MP_RADIX_HEX);
+ if (err != MP_OKAY) {
+ LOG_WOLF_ERROR_FUNC(mp_read_radix, err);
+ goto done;
+ }
+ err = mp_set(e->g->z, 1);
+ if (err != MP_OKAY) {
+ LOG_WOLF_ERROR_FUNC(mp_set, err);
+ goto done;
+ }
+#else
 err = wc_ecc_get_generator(e->g, wc_ecc_get_curve_idx(curve_id));
 if (err != MP_OKAY) {
 LOG_WOLF_ERROR_FUNC(wc_ecc_get_generator, err);
 goto done;
 }
+#endif
 #endif
 err = mp_init_multi(&e->a, &e->prime, &e->order, &e->b, NULL, NULL);
 if (err != MP_OKAY) {
@@ -1689,7 +1760,13 @@ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
 return;
 if (clear) {
+#ifndef CONFIG_FIPS
 wc_ecc_forcezero_point(point);
+#else
+ mp_forcezero(point->x);
+ mp_forcezero(point->y);
+ mp_forcezero(point->z);
+#endif
 }
 wc_ecc_del_point(point);
 }
--
2.25.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
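Review bot: The `!e->key->dp` guard in the CONFIG_FIPS branch of `crypto_ec_init()` reports its failure through `LOG_WOLF_ERROR_FUNC_NULL(e->key->dp)`, a macro that every other call site in this patch gives a function name. The message will presumably name a struct field as if it were a failed call. A plain `LOG_WOLF_ERROR("curve parameters (dp) not set");` would say what actually went wrong. The comment above the guard would also help more if it said why the FIPS build cannot call `wc_ecc_get_generator()` and that the generator is stored in affine form, hence `z = 1`. The function starts and ends outside this hunk, so where `e->key->dp` is populated cannot be checked from here.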
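Review bot: The conditional added in `crypto_ec_point_deinit()` is written as `#ifndef CONFIG_FIPS … #else … #endif`, the opposite polarity from every other block in this patch, and its `#else`/`#endif` carry no `/* CONFIG_FIPS */` trailer. Putting the FIPS branch first (`#ifdef CONFIG_FIPS` / `#else /* CONFIG_FIPS */` / `#endif /* CONFIG_FIPS */`) keeps the file consistent and makes it harder to misread which build wipes the point through which call. A one-line comment such as `/* wc_ecc_forcezero_point() is not available in FIPS builds */` would record why the coordinates are cleared one by one, assuming that is the reason. The start of the function is outside the hunk.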