Merge pull request #177 from haydenroche5/fips_cb

anhu · web-flow · commit 9b08099d288d · 2022-02-01T20:00:40.000-05:00
diff --git a/include/wolfengine/we_internal.h b/include/wolfengine/we_internal.h
@@ -82,7 +82,10 @@
 #include <wolfssl/wolfcrypt/random.h>
 #include <wolfssl/wolfcrypt/pwdbased.h>
 #ifdef HAVE_WOLFSSL_WOLFCRYPT_KDF_H
-    #include <wolfssl/wolfcrypt/kdf.h>
+#include <wolfssl/wolfcrypt/kdf.h>
+#endif
+#ifdef HAVE_FIPS
+#include <wolfssl/wolfcrypt/fips_test.h>
 #endif
 
 /* The DES3-CBC code won't compile unless wolfCrypt has support for it. */
diff --git a/src/we_internal.c b/src/we_internal.c
@@ -1311,6 +1311,23 @@ static const ECDSA_METHOD *we_ecdsa(void)
 #endif
 #endif /* WE_HAVE_ECDSA */
 
+#ifdef HAVE_FIPS
+static void we_fips_cb(int ok, int err, const char* hash)
+{
+    printf("*******************************************\n");
+    printf("we_fips_cb: ok = %d, err = %d\n", ok, err);
+    printf("error message = %s\n", wc_GetErrorString(err));
+    printf("hash = %s\n", hash);
+
+    if (err == IN_CORE_FIPS_E) {
+        printf("FIPS module integrity check failure. Copy above hash value "
+               "into verifyCore[] in wolfSSL's (NOT wolfEngine) fips_test.c "
+               "and rebuild wolfSSL.\n");
+    }
+    printf("*******************************************\n");
+}
+#endif
+
 /**
  * Bind the wolfengine into an engine object.
  *
@@ -1324,6 +1341,10 @@ int wolfengine_bind(ENGINE *e, const char *id)
 
     WOLFENGINE_ENTER(WE_LOG_ENGINE, "wolfengine_bind");
 
+#ifdef HAVE_FIPS
+    wolfCrypt_SetCb_fips(we_fips_cb);
+#endif
+
     if ((id != NULL) &&
                  (XSTRNCMP(id, wolfengine_id, XSTRLEN(wolfengine_id)) != 0)) {
         ret = 0;
