Skip to content

Commit 9f759fa

Browse files
authored
Merge pull request #10446 from kaleb-himes/quickfix
Fix private key lock issues in master
2 parents 867ce26 + afb90dd commit 9f759fa

2 files changed

Lines changed: 16 additions & 2 deletions

File tree

src/internal.c

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31059,11 +31059,18 @@ static int DecodePrivateKey_ex(WOLFSSL *ssl, byte keyType, const DerBuffer* key,
3105931059

3106031060
/* Set start of data to beginning of buffer. */
3106131061
idx = 0;
31062-
/* Decode the key assuming it is a Dilithium private key. */
31062+
/* Decode the key assuming it is a Dilithium private key. The FIPS
31063+
* wrapper for wc_dilithium_import_private gates on the per-thread
31064+
* privateKeyReadEnable flag, which is unset by default in any
31065+
* thread that hasn't called PRIVATE_KEY_UNLOCK(). Without the
31066+
* bracket, decoding a Dilithium/ML-DSA private key from a
31067+
* handshake worker thread fails with FIPS_PRIVATE_KEY_LOCKED_E. */
31068+
PRIVATE_KEY_UNLOCK();
3106331069
ret = wc_Dilithium_PrivateKeyDecode(key->buffer,
3106431070
&idx,
3106531071
(dilithium_key*)*hsKey,
3106631072
key->length);
31073+
PRIVATE_KEY_LOCK();
3106731074
if (ret == 0) {
3106831075
WOLFSSL_MSG("Using Dilithium private key");
3106931076

src/ssl_load.c

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -956,10 +956,17 @@ static int ProcessBufferTryDecodeDilithium(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
956956
/* Initialize Dilithium key. */
957957
ret = wc_dilithium_init(key);
958958
if (ret == 0) {
959-
/* Decode as a Dilithium private key. */
959+
/* Decode as a Dilithium private key. The FIPS wrapper for
960+
* wc_dilithium_import_private gates on the per-thread
961+
* privateKeyReadEnable flag, which is unset by default in any
962+
* thread that hasn't called PRIVATE_KEY_UNLOCK(). Without the
963+
* bracket, loading a Dilithium/ML-DSA private key from a
964+
* worker thread fails with FIPS_PRIVATE_KEY_LOCKED_E. */
960965
idx = 0;
966+
PRIVATE_KEY_UNLOCK();
961967
ret = wc_Dilithium_PrivateKeyDecode(der->buffer, &idx, key,
962968
der->length);
969+
PRIVATE_KEY_LOCK();
963970
if (ret == 0) {
964971
ret = dilithium_get_oid_sum(key, &keyFormatTemp);
965972
if (ret == 0) {

0 commit comments

Comments
 (0)