JCE: remove HMAC-MD5 from wolfJCE provider if not available in underlying FIPS library

2023-10-27 15:22:36 -06:00 · 2023-10-27 15:22:36 -06:00 · e6f3a9e823
parent e37699d2fa
commit e6f3a9e823
4 changed files with 34 additions and 1 deletions
--- a/jni/include/com_wolfssl_wolfcrypt_FeatureDetect.h
+++ b/jni/include/com_wolfssl_wolfcrypt_FeatureDetect.h
@ -47,6 +47,14 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Sha384Enable
 JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Sha512Enabled
  (JNIEnv *, jclass);

+/*
+ * Class:     com_wolfssl_wolfcrypt_FeatureDetect
+ * Method:    HmacMd5Enabled
+ * Signature: ()Z
+ */
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_HmacMd5Enabled
+  (JNIEnv *, jclass);
+
 #ifdef __cplusplus
 }
 #endif
--- a/jni/jni_feature_detect.c
+++ b/jni/jni_feature_detect.c
@ -25,6 +25,7 @@
    #include <wolfssl/options.h>
 #endif
 #include <jni.h>
+#include <wolfssl/wolfcrypt/types.h>
 #include <wolfcrypt_jni_debug.h>

 JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Md5Enabled
@ -87,3 +88,15 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_Sha512Enable
 #endif
 }

+JNIEXPORT jboolean JNICALL Java_com_wolfssl_wolfcrypt_FeatureDetect_HmacMd5Enabled
+  (JNIEnv* env, jclass jcl)
+{
+    (void)env;
+    (void)jcl;
+#if !defined(NO_HMAC) && !defined(NO_MD5) && FIPS_VERSION_LT(5,2)
+    return JNI_TRUE;
+#else
+    return JNI_FALSE;
+#endif
+}
+
--- a/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java
+++ b/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java
@ -97,7 +97,7 @@ public final class WolfCryptProvider extends Provider {
        }

        /* Mac */
-        if (FeatureDetect.Md5Enabled()) {
+        if (FeatureDetect.HmacMd5Enabled()) {
            put("Mac.HmacMD5",
                    "com.wolfssl.provider.jce.WolfCryptMac$wcHmacMD5");
        }
--- a/src/main/java/com/wolfssl/wolfcrypt/FeatureDetect.java
+++ b/src/main/java/com/wolfssl/wolfcrypt/FeatureDetect.java
@ -62,6 +62,18 @@ public class FeatureDetect {
     */
    public static native boolean Sha512Enabled();

+    /**
+     * Tests if HMAC-MD5 is compiled into the native wolfSSL library and
+     * available for use.
+     *
+     * For FIPS 140-3, even if MD5 is compiled into the
+     * library, HMAC-MD5 is not available and will throw BAD_FUNC_ARG.
+     * Use this helper to prevent people from calling it in the first place.
+     *
+     * @return true if enabled, otherwise false.
+     */
+    public static native boolean HmacMd5Enabled();
+
    /**
     * Loads JNI library.
     *