Run the FIPS CAST tests under lock during wolfprovider init (#319)

ColtonWilley · web-flow · commit 66703cc525d0 · 2025-10-28T14:40:43.000-07:00
* Run the FIPS CAST tests under lock during wolfprovider init

* Add error messages on FIPS CAST errors
diff --git a/include/wolfprovider/internal.h b/include/wolfprovider/internal.h
@@ -160,6 +160,10 @@ WC_RNG* wp_provctx_get_rng(WOLFPROV_CTX* provCtx);
 #ifndef WP_SINGLE_THREADED
 int wp_provctx_lock_rng(WOLFPROV_CTX* provCtx);
 void wp_provctx_unlock_rng(WOLFPROV_CTX* provCtx);
+
+#ifdef HAVE_FIPS
+wolfSSL_Mutex *wp_get_cast_mutex(void);
+#endif
 #endif
 
 int wolfssl_prov_get_capabilities(void *provctx, const char *capability,
diff --git a/src/wp_internal.c b/src/wp_internal.c
@@ -30,6 +30,27 @@
 #include <wolfssl/wolfcrypt/rsa.h>
 #include <wolfssl/wolfcrypt/pwdbased.h>
 
+#if defined(HAVE_FIPS) && (!defined(WP_SINGLE_THREADED))
+static wolfSSL_Mutex castMutex;
+
+/**
+ * Initialize the cast mutex on library load.
+ *
+ * This constructor runs when libwolfprov.so is loaded via dlopen() or at
+ * program startup. It ensures the castMutex is initialized under lock.
+ */
+__attribute__((constructor))
+static void wolfprov_init_cast_mutex(void)
+{
+    wc_InitMutex(&castMutex);
+}
+
+wolfSSL_Mutex *wp_get_cast_mutex()
+{
+    return &castMutex;
+}
+#endif
+
 /**
  * Get the wolfSSL random number generator from the provider context.
  *
diff --git a/src/wp_wolfprov.c b/src/wp_wolfprov.c
@@ -214,10 +214,6 @@ static WOLFPROV_CTX* wolfssl_prov_ctx_new(void)
 {
     WOLFPROV_CTX* ctx;
 
-#ifdef WC_RNG_SEED_CB
-    wc_SetSeed_Cb(wc_GenerateSeed);
-#endif
-
     ctx = (WOLFPROV_CTX*)OPENSSL_zalloc(sizeof(WOLFPROV_CTX));
     if ((ctx != NULL) && (wc_InitRng(&ctx->rng) != 0)) {
         OPENSSL_free(ctx);
@@ -1312,6 +1308,31 @@ int wolfssl_provider_init(const OSSL_CORE_HANDLE* handle,
         }
     }
 
+    if (ok) {
+#ifdef WC_RNG_SEED_CB
+        wc_SetSeed_Cb(wc_GenerateSeed);
+#endif
+#if defined(HAVE_FIPS) && (!defined(WP_SINGLE_THREADED))
+        /* To avoid multi-threading issues in FIPS CAST tests, run all tests
+         * under a lock now */
+        if (wp_lock(wp_get_cast_mutex()) != 1) {
+            WOLFPROV_ERROR_MSG(WP_LOG_COMP_PROVIDER,
+              "Fatal Error: unable to acquire FIPS CAST lock");
+            ok = 0;
+        }
+        if (ok) {
+            if (wc_RunAllCast_fips() != 0) {
+                WOLFPROV_ERROR_MSG(WP_LOG_COMP_PROVIDER,
+                  "Fatal Error: FIPS algo selftest failure");
+                ok = 0;
+            }
+            if (wp_unlock(wp_get_cast_mutex()) != 1) {
+                ok = 0;
+            }
+        }
+#endif
+    }
+
     if (ok) {
         /* Create a new provider context. */
         *provCtx = wolfssl_prov_ctx_new();
