Merge tag 'v5.2.1-stable' into merge-fips-builds

Check-in FIPS 140-3 PILOT
2023-09-05 13:50:29 -07:00 · 2023-09-05 13:50:29 -07:00 · db858fd052
commit db858fd052
parent b13294623b 3a5e171636
6 changed files with 26 additions and 5 deletions
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@ -4570,6 +4570,19 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
            return 0;
        }

+        int wc_AesCtrSetKey(Aes* aes, const byte* key, word32 len,
+                                        const byte* iv, int dir)
+        {
+            if (aes == NULL) {
+                return BAD_FUNC_ARG;
+            }
+            if (len > sizeof(aes->key)) {
+                return BAD_FUNC_ARG;
+            }
+
+            return wc_AesSetKeyLocal(aes, key, len, iv, dir, 0);
+        }
+
    #endif /* NEED_AES_CTR_SOFT */

 #endif /* WOLFSSL_AES_COUNTER */
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@ -1352,7 +1352,7 @@ static int GeneratePublicDh(DhKey* key, byte* priv, word32 privSz,
        *pubSz = (word32)mp_unsigned_bin_size(y);

    mp_clear(y);
-    mp_clear(x);
+    mp_forcezero(x);
 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
    XFREE(y, key->heap, DYNAMIC_TYPE_DH);
    XFREE(x, key->heap, DYNAMIC_TYPE_DH);
--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@ -1233,6 +1233,7 @@ int wolfSSL_GetHmacMaxSize(void)
                ret = wc_HmacUpdate(myHmac, inKey, inKeySz);
            if (ret == 0)
                ret = wc_HmacFinal(myHmac,  out);
+            ForceZero(myHmac, sizeof(Hmac));
            wc_HmacFree(myHmac);
        }
    #ifdef WOLFSSL_SMALL_STACK
@ -1324,6 +1325,7 @@ int wolfSSL_GetHmacMaxSize(void)
            n++;
        }

+        ForceZero(myHmac, sizeof(Hmac));
        wc_HmacFree(myHmac);
    #ifdef WOLFSSL_SMALL_STACK
        XFREE(myHmac, NULL, DYNAMIC_TYPE_HMAC);
--- a/wolfcrypt/src/kdf.c
+++ b/wolfcrypt/src/kdf.c
@ -863,6 +863,7 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz,
        }
    }

+    ForceZero(&hash, sizeof(hash));
    _HashFree(enmhashId, &hash);

    return ret;
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@ -415,6 +415,9 @@ WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out,
 #ifdef WOLFSSL_AES_COUNTER
 WOLFSSL_API int wc_AesCtrEncrypt(Aes* aes, byte* out,
                                   const byte* in, word32 sz);
+ WOLFSSL_API int wc_AesCtrSetKey(Aes* aes, const byte* key, word32 len,
+                                        const byte* iv, int dir);
+
 #endif
 /* AES-DIRECT */
 #if defined(WOLFSSL_AES_DIRECT)
--- a/wolfssl/wolfcrypt/fips_test.h
+++ b/wolfssl/wolfcrypt/fips_test.h
@ -77,10 +77,10 @@ enum FipsCastStateId {
 };

 enum FipsModeId {
-    FIPS_MODE_INIT,
-    FIPS_MODE_NORMAL,
-    FIPS_MODE_DEGRADED,
-    FIPS_MODE_FAILED
+    FIPS_MODE_INIT = 0,
+    FIPS_MODE_NORMAL = 1,
+    FIPS_MODE_DEGRADED = 2,
+    FIPS_MODE_FAILED = 3
 };


@ -92,6 +92,7 @@ WOLFSSL_API int wolfCrypt_SetCb_fips(wolfCrypt_fips_cb cbf);

 /* Public get status functions */
 WOLFSSL_API int wolfCrypt_GetStatus_fips(void);
+WOLFSSL_API int wolfCrypt_GetMode_fips(void);
 WOLFSSL_API const char* wolfCrypt_GetCoreHash_fips(void);

 #ifdef HAVE_FORCE_FIPS_FAILURE
@ -105,6 +106,7 @@ WOLFSSL_LOCAL int DoKnownAnswerTests(char* base16_hash, int base16_hashSz); /* F

 WOLFSSL_API int wc_RunCast_fips(int type);
 WOLFSSL_API int wc_GetCastStatus_fips(int type);
+WOLFSSL_API int wc_RunAllCast_fips(void);

 #ifdef __cplusplus
    } /* extern "C" */