Fix FIPS v6 or older build with crypto callbacks and SHA512 #10557
Open
dgarske wants to merge 1 commit into
Description
Commit 9cbc3f9 added a size_t digestSz parameter to wc_CryptoCb_Sha512Hash (to dispatch SHA-512/224 and SHA-512/256 to variant-specific provider callbacks). The live sha512.c was updated to the 5-arg call, but in a FIPS build sha512.c is a frozen snapshot pulled from a tag by fips-check.sh, while cryptocb.c/.h live outside the FIPS boundary and ship the latest signature. For FIPS v6 and earlier the snapshot still calls the old 4-arg API, so the build fails with:
(reported on --enable-fips=v5, e.g. wolfTPM builds).
This conditionally drops the digestSz parameter from the declaration and definition under defined(HAVE_FIPS) && FIPS_VERSION_LT(7,0), with a shimmed digestSz = WC_SHA512_DIGEST_SIZE local so the single shared body behaves identically to the pre-9cbc3f97 4-arg function. No sha512.c change; the public wc_CryptoInfo.hash struct is untouched, so callback providers (wolfTPM, HSMs) need no changes.
Fixes ZD21902 and ZD21780
Testing
FIPS_VERSION_LT(7,0) is the boundary, verified against the snapshot tags in fips-check.sh and the version assignments in configure.ac:
- v5.2.1-stable (frozen)
- WCv5.0-RC12 (frozen)
- WCv6.0.0-RC5 (frozen)
The tagged sha512.c for v5.2.1, RC12, and v6.0.0-RC5 were each confirmed to call the 4-arg form; ready/dev leave sha512.c as live master (5-arg) and report version 8, so they fall on the new-API side without special handling.
cryptocb.c compiles clean with WOLF_CRYPTO_CB + WOLFSSL_SHA512.
FIPS v7 / ready / dev -> 5 args.
Checklist
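The compile-time signature selection described in the PR description above, as an added example that is not part of the pull request or of wolfSSL's code. Every demo_/DEMO_ name and the DEMO_FIPS_MAJOR build setting are hypothetical stand-ins, and the provider writes placeholder bytes rather than a real hash.

```c
/* Added illustration: every demo_/DEMO_ name is hypothetical, not wolfSSL code. */
#include <stddef.h>
#include <string.h>
#define DEMO_SHA512_DIGEST_SIZE 64
/* Constructed build setting: 5 models a frozen FIPS v5 snapshot, 0 a non-FIPS build. */
#ifndef DEMO_FIPS_MAJOR
#define DEMO_FIPS_MAJOR 5
#endif
#define DEMO_LEGACY_API (DEMO_FIPS_MAJOR > 0 && DEMO_FIPS_MAJOR < 7)
static size_t demo_seen_digestSz; /* digest size the provider was asked for */

/* Stand-in for a provider callback reached through the dispatch function. */
static int demo_provider(unsigned char* digest, size_t digestSz)
{
    if (digestSz > DEMO_SHA512_DIGEST_SIZE) return -1; /* reject oversized request */
    memset(digest, 0xA5, digestSz); /* placeholder bytes, not a real hash */
    demo_seen_digestSz = digestSz;
    return 0;
}

/* Two signatures selected at compile time, one shared body. */
#if DEMO_LEGACY_API
int demo_Sha512Hash(void* ctx, const unsigned char* in, size_t inSz,
                    unsigned char* digest)
#else
int demo_Sha512Hash(void* ctx, const unsigned char* in, size_t inSz,
                    unsigned char* digest, size_t digestSz)
#endif
{
#if DEMO_LEGACY_API
    /* Shim: a frozen 4-arg caller can only mean full-length SHA-512. */
    size_t digestSz = DEMO_SHA512_DIGEST_SIZE;
#endif
    (void)ctx; (void)in; (void)inSz;
    return demo_provider(digest, digestSz);
}

/* Stand-in caller: returns the digest size the provider saw, 0 on error. */
size_t demo_caller(size_t wanted)
{
    unsigned char out[DEMO_SHA512_DIGEST_SIZE];
    const unsigned char msg[] = "abc";
#if DEMO_LEGACY_API
    (void)wanted; /* the old call cannot request SHA-512/224 or /256 */
    return demo_Sha512Hash(NULL, msg, 3, out) == 0 ? demo_seen_digestSz : 0;
#else
    return demo_Sha512Hash(NULL, msg, 3, out, wanted) == 0 ? demo_seen_digestSz : 0;
#endif
}
```

Compiling with -DDEMO_FIPS_MAJOR=0 selects the 5-arg form, and demo_caller(32) then reports 32 instead of 64.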