WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

add mutex locking and compat layer FIPS case

pull/8867/head
JacobBarthelmeh 2025-06-10 14:15:38 -06:00
parent 31490ab813
commit fbbb6b7707
1 changed files with 31 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
src/ssl.c
View File

@ -25500,6 +25500,12 @@ static int wolfSSL_RAND_InitMutex(void)
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
/* In older FIPS bundles add check for reseed here since it does not exist in
* the older random.c certified files. */
static pid_t currentRandPid = 0;
#endif
/* Checks if the global RNG has been created. If not then one is created. /* Checks if the global RNG has been created. If not then one is created.
* *
* Returns WOLFSSL_SUCCESS when no error is encountered. * Returns WOLFSSL_SUCCESS when no error is encountered.
@ -25513,8 +25519,8 @@ int wolfSSL_RAND_Init(void)
ret = wc_InitRng(&globalRNG); ret = wc_InitRng(&globalRNG);
if (ret == 0) { if (ret == 0) {
#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
FIPS_VERSION3_LT(6,0,0))) FIPS_VERSION3_LT(6,0,0)
currentPid = getpid(); currentRandPid = getpid();
#endif #endif
initGlobalRNG = 1; initGlobalRNG = 1;
ret = WOLFSSL_SUCCESS; ret = WOLFSSL_SUCCESS;
@ -25950,28 +25956,6 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num)
return ret; return ret;
} }
#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
/* In older FIPS bundles add check for reseed here since it does not exist in
* the older random.c certified files. */
static pid_t currentPid = 0;
/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */
static int RandCheckReSeed()
{
int ret = WOLFSSL_SUCCESS;
pid_t p;
p = getpid();
if (p != currentPid) {
currentPid = p;
if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
ret = WOLFSSL_FAILURE;
}
}
return ret;
}
#endif
/* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0 /* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0
* on failure */ * on failure */
int wolfSSL_RAND_bytes(unsigned char* buf, int num) int wolfSSL_RAND_bytes(unsigned char* buf, int num)
@ -26015,17 +25999,27 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
* have the lock. * have the lock.
*/ */
if (initGlobalRNG) { if (initGlobalRNG) {
rng = &globalRNG;
#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
FIPS_VERSION3_LT(6,0,0))) FIPS_VERSION3_LT(6,0,0)
if (RandCheckReSeed() != WOLFSSL_SUCCESS) { pid_t p;
p = getpid();
if (p != currentRandPid) {
wc_UnLockMutex(&globalRNGMutex); wc_UnLockMutex(&globalRNGMutex);
WOLFSSL_MSG("Issue with check pid and reseed"); if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
return ret; WOLFSSL_MSG("Issue with check pid and reseed");
ret = WOLFSSL_FAILURE;
}
/* reclaim lock after wolfSSL_RAND_poll */
if (wc_LockMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Lock Mutex rng");
return ret;
}
currentRandPid = p;
} }
#endif #endif
rng = &globalRNG;
used_global = 1; used_global = 1;
} }
else { else {
@ -26101,6 +26095,11 @@ int wolfSSL_RAND_poll(void)
} }
else { else {
#ifdef HAVE_HASHDRBG #ifdef HAVE_HASHDRBG
if (wc_LockMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Lock Mutex rng");
return ret;
}
ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz); ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("Error reseeding DRBG"); WOLFSSL_MSG("Error reseeding DRBG");
@ -26109,6 +26108,7 @@ int wolfSSL_RAND_poll(void)
else { else {
ret = WOLFSSL_SUCCESS; ret = WOLFSSL_SUCCESS;
} }
wc_UnLockMutex(&globalRNGMutex);
#else #else
WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set"); WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
ret = WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;