
Fix for FIPS ECC integrity check with crypto callback set (#6425)

Skip the ECC private key check when the TPM is used to generate the key, since it doesn't release the private part. This option needs to be used with a FIPS-approved TPM for the end result to be FIPS approved.
John Bland 11 months ago
parent
commit
7e3aafb60c
2 changed files with 6 additions and 2 deletions
  1. 0 1
      configure.ac
  2. 6 1
      wolfcrypt/src/ecc.c

+ 0 - 1
configure.ac

@@ -434,7 +434,6 @@ AS_CASE([$FIPS_VERSION],
     ]
 )
 
-
 # For reproducible build, gate out from the build anything that might
 # introduce semantically frivolous jitter, maximizing chance of
 # identical object files.

+ 6 - 1
wolfcrypt/src/ecc.c

@@ -5676,7 +5676,12 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id,
     if (err == MP_OKAY) {
         err = _ecc_validate_public_key(key, 0, 0);
     }
-    if (err == MP_OKAY) {
+    if (err == MP_OKAY
+#if defined(WOLF_CRYPTO_CB)
+        /* even if WOLF_CRYPTO_CB we generate the key if the devId is invalid */
+        && key->devId == INVALID_DEVID
+#endif
+        ) {
         err = _ecc_pairwise_consistency_test(key, rng);
     }
 #endif
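Review bot: The added `key->devId == INVALID_DEVID` condition skips `_ecc_pairwise_consistency_test` for every key that carries a device id, not only for keys whose private part actually stayed inside the device. If the crypto callback can decline the request and generation then falls back to software (that path is not visible in this hunk, so it should be confirmed), a software-generated key would leave this function without the pairwise check that the FIPS build otherwise enforces. Basing the skip on whether the private part is actually available to wolfCrypt, rather than on devId alone, would close that gap. The comment should also state the reason for the skip, e.g. `/* skip the pairwise test when a crypto callback device made the key: the private part never leaves the device */`. The body of wc_ecc_make_key_ex2 starts and ends outside the hunk.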