wolfSSL: Fixes for FIPS builds

Some API is not available when using FIPS. We need to allocate memory
and initialize the structs directly.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>

diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index 88aad3eb29edf81d03e2a553444b1864d1868bd4..15c368e42677e1bfeb742ef94d866516887372af 100644 (file)
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@@ -1727,11 +1727,11 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
        if (ret < 0)
                goto fail;
 
-#ifdef ECC_TIMING_RESISTANT
+#if defined(ECC_TIMING_RESISTANT) && !defined(CONFIG_FIPS)
        ret = wc_ecc_set_rng(&ecdh->ec->key, &ecdh->rng);
        if (ret < 0)
                goto fail;
-#endif /* ECC_TIMING_RESISTANT */
+#endif /* ECC_TIMING_RESISTANT && !CONFIG_FIPS */
 
 done:
        return ecdh;

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index d84e2a6f3b60500cc0a65f132fafc15484b19b32..4a291fce106a92d272c4f169864389a0444e02bc 100644 (file)
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -2082,9 +2082,15 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
                               _out, skip + out_len);
                ret = 0;
        } else {
+#ifdef CONFIG_FIPS
+               wpa_printf(MSG_ERROR,
+                          "wolfSSL: Can't use sha1_md5 in FIPS build");
+               ret = -1;
+#else /* CONFIG_FIPS */
                ret = tls_prf_sha1_md5(master_key, master_key_len,
                                       "key expansion", seed, sizeof(seed),
                                       _out, skip + out_len);
+#endif /* CONFIG_FIPS */
        }
 
        forced_memzero(master_key, master_key_len);