From b31e485dc9171cb2a052399d6c862a78a291471a Mon Sep 17 00:00:00 2001 From: Andras Fekete Date: Wed, 2 Aug 2023 17:08:03 -0400 Subject: [PATCH] Remove 'HAVE_FIPS_VERSION < 2' blocks --- src/internal.c | 22 --- src/ssl.c | 76 +------- src/tls13.c | 14 -- wolfcrypt/src/aes.c | 210 ---------------------- wolfcrypt/src/des3.c | 80 --------- wolfcrypt/src/hmac.c | 72 -------- wolfcrypt/src/port/kcapi/kcapi_dh.c | 63 ------- wolfcrypt/src/port/kcapi/kcapi_hash.c | 95 ---------- wolfcrypt/src/port/kcapi/kcapi_hmac.c | 25 --- wolfcrypt/src/port/kcapi/kcapi_rsa.c | 158 ---------------- wolfcrypt/src/random.c | 53 ------ wolfcrypt/src/rsa.c | 131 -------------- wolfcrypt/src/sha.c | 46 ----- wolfcrypt/src/sha256.c | 50 ------ wolfcrypt/src/sha512.c | 88 --------- wolfcrypt/test/test.c | 3 - wolfssl/internal.h | 19 +- wolfssl/wolfcrypt/aes.h | 8 +- wolfssl/wolfcrypt/hmac.h | 6 - wolfssl/wolfcrypt/port/kcapi/kcapi_hmac.h | 6 - wolfssl/wolfcrypt/sha.h | 10 -- wolfssl/wolfcrypt/sha256.h | 17 -- wolfssl/wolfcrypt/sha512.h | 21 --- wolfssl/wolfcrypt/visibility.h | 10 -- 24 files changed, 10 insertions(+), 1273 deletions(-) diff --git a/src/internal.c b/src/internal.c index 71f6a1ebc..98e66e394 100644 --- a/src/internal.c +++ b/src/internal.c @@ -17907,14 +17907,6 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input, * IV length minus the authentication tag size. */ c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, ssl->encrypt.additional + AEAD_LEN_OFFSET); -#if !defined(NO_PUBLIC_GCM_SET_IV) && \ - ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))) - XMEMCPY(ssl->encrypt.nonce, - ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ); - XMEMCPY(ssl->encrypt.nonce + AESGCM_IMP_IV_SZ, - ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ); -#endif #ifdef HAVE_PK_CALLBACKS ret = NOT_COMPILED_IN; if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) { @@ -18259,11 +18251,6 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm) { /* finalize authentication cipher */ -#if !defined(NO_PUBLIC_GCM_SET_IV) && \ - ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))) - AeadIncrementExpIV(ssl); -#endif if (ssl->encrypt.nonce) ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ); } @@ -21726,15 +21713,6 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input, if (ret != 0) goto exit_buildmsg; } -#if !defined(NO_PUBLIC_GCM_SET_IV) && \ - ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) && \ - defined(HAVE_AEAD)) - if (ssl->specs.cipher_type == aead) { - if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - XMEMCPY(args->iv, ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ); - } -#endif args->size = (word16)(args->sz - args->headerSz); /* include mac and digest */ AddRecordHeader(output, args->size, (byte)type, ssl, epochOrder); diff --git a/src/ssl.c b/src/ssl.c index e5820b422..acb737458 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -213,6 +213,8 @@ #include "src/ssl_certman.c" #endif +#define _HMAC_Init _InitHmac + #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ !defined(WOLFCRYPT_ONLY) /* Convert shortname to NID. @@ -25461,80 +25463,6 @@ int wolfSSL_HMAC_CTX_copy(WOLFSSL_HMAC_CTX* des, WOLFSSL_HMAC_CTX* src) return wolfSSL_HmacCopy(&des->hmac, &src->hmac); } - -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - -static int _HMAC_Init(Hmac* hmac, int type, void* heap) -{ - int ret = 0; - - switch (type) { - #ifndef NO_MD5 - case WC_MD5: - ret = wc_InitMd5(&hmac->hash.md5); - break; - #endif /* !NO_MD5 */ - - #ifndef NO_SHA - case WC_SHA: - ret = wc_InitSha(&hmac->hash.sha); - break; - #endif /* !NO_SHA */ - - #ifdef WOLFSSL_SHA224 - case WC_SHA224: - ret = wc_InitSha224(&hmac->hash.sha224); - break; - #endif /* WOLFSSL_SHA224 */ - - #ifndef NO_SHA256 - case WC_SHA256: - ret = wc_InitSha256(&hmac->hash.sha256); - break; - #endif /* !NO_SHA256 */ - - #ifdef WOLFSSL_SHA384 - case WC_SHA384: - ret = wc_InitSha384(&hmac->hash.sha384); - break; - #endif /* WOLFSSL_SHA384 */ - #ifdef WOLFSSL_SHA512 - case WC_SHA512: - ret = wc_InitSha512(&hmac->hash.sha512); - break; - #endif /* WOLFSSL_SHA512 */ - - #ifdef WOLFSSL_SHA3 - case WC_SHA3_224: - ret = wc_InitSha3_224(&hmac->hash.sha3, heap, INVALID_DEVID); - break; - case WC_SHA3_256: - ret = wc_InitSha3_256(&hmac->hash.sha3, heap, INVALID_DEVID); - break; - case WC_SHA3_384: - ret = wc_InitSha3_384(&hmac->hash.sha3, heap, INVALID_DEVID); - break; - case WC_SHA3_512: - ret = wc_InitSha3_512(&hmac->hash.sha3, heap, INVALID_DEVID); - break; - #endif - - default: - ret = BAD_FUNC_ARG; - break; - } - - (void)heap; - - return ret; -} - -#else - #define _HMAC_Init _InitHmac -#endif - - int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen, const EVP_MD* type) { diff --git a/src/tls13.c b/src/tls13.c index f393abc06..fbdd30191 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -2572,12 +2572,6 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input, #endif { - #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))) - ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input, - dataSz, ssl->encrypt.nonce, nonceSz, - output + dataSz, macSz, aad, aadSz); - #else ret = wc_AesGcmSetExtIV(ssl->encrypt.aes, ssl->encrypt.nonce, nonceSz); if (ret == 0) { @@ -2585,7 +2579,6 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input, input, dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz, macSz, aad, aadSz); } - #endif } break; #endif @@ -2613,12 +2606,6 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input, if (ret == NOT_COMPILED_IN) #endif { - #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))) - ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input, - dataSz, ssl->encrypt.nonce, nonceSz, - output + dataSz, macSz, aad, aadSz); - #else ret = wc_AesCcmSetNonce(ssl->encrypt.aes, ssl->encrypt.nonce, nonceSz); if (ret == 0) { @@ -2626,7 +2613,6 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input, input, dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz, macSz, aad, aadSz); } - #endif } break; #endif diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 36ace1f08..17da9d652 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -84,215 +84,6 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits #include #endif -/* fips wrapper calls, user can call direct */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - - int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv, - int dir) - { - if (aes == NULL || !( (len == 16) || (len == 24) || (len == 32)) ) { - return BAD_FUNC_ARG; - } - - return AesSetKey_fips(aes, key, len, iv, dir); - } - int wc_AesSetIV(Aes* aes, const byte* iv) - { - if (aes == NULL) { - return BAD_FUNC_ARG; - } - - return AesSetIV_fips(aes, iv); - } - #ifdef HAVE_AES_CBC - int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) - { - if (aes == NULL || out == NULL || in == NULL) { - return BAD_FUNC_ARG; - } - - return AesCbcEncrypt_fips(aes, out, in, sz); - } - #ifdef HAVE_AES_DECRYPT - int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz) - { - if (aes == NULL || out == NULL || in == NULL - || sz % AES_BLOCK_SIZE != 0) { - return BAD_FUNC_ARG; - } - - return AesCbcDecrypt_fips(aes, out, in, sz); - } - #endif /* HAVE_AES_DECRYPT */ - #endif /* HAVE_AES_CBC */ - - /* AES-CTR */ - #ifdef WOLFSSL_AES_COUNTER - int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) - { - if (aes == NULL || out == NULL || in == NULL) { - return BAD_FUNC_ARG; - } - - return AesCtrEncrypt(aes, out, in, sz); - } - #endif - - /* AES-DIRECT */ - #if defined(WOLFSSL_AES_DIRECT) - void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in) - { - AesEncryptDirect(aes, out, in); - } - - #ifdef HAVE_AES_DECRYPT - void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in) - { - AesDecryptDirect(aes, out, in); - } - #endif /* HAVE_AES_DECRYPT */ - - int wc_AesSetKeyDirect(Aes* aes, const byte* key, word32 len, - const byte* iv, int dir) - { - return AesSetKeyDirect(aes, key, len, iv, dir); - } - #endif /* WOLFSSL_AES_DIRECT */ - - /* AES-GCM */ - #ifdef HAVE_AESGCM - int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len) - { - if (aes == NULL || !( (len == 16) || (len == 24) || (len == 32)) ) { - return BAD_FUNC_ARG; - } - - return AesGcmSetKey_fips(aes, key, len); - } - int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, - const byte* iv, word32 ivSz, - byte* authTag, word32 authTagSz, - const byte* authIn, word32 authInSz) - { - if (aes == NULL || authTagSz > AES_BLOCK_SIZE || - authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ || - ivSz == 0 || ivSz > AES_BLOCK_SIZE) { - return BAD_FUNC_ARG; - } - - return AesGcmEncrypt_fips(aes, out, in, sz, iv, ivSz, authTag, - authTagSz, authIn, authInSz); - } - - #ifdef HAVE_AES_DECRYPT - int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, - const byte* iv, word32 ivSz, - const byte* authTag, word32 authTagSz, - const byte* authIn, word32 authInSz) - { - if (aes == NULL || out == NULL || in == NULL || iv == NULL - || authTag == NULL || authTagSz > AES_BLOCK_SIZE || - ivSz == 0 || ivSz > AES_BLOCK_SIZE) { - return BAD_FUNC_ARG; - } - - return AesGcmDecrypt_fips(aes, out, in, sz, iv, ivSz, authTag, - authTagSz, authIn, authInSz); - } - #endif /* HAVE_AES_DECRYPT */ - - int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len) - { - if (gmac == NULL || key == NULL || !((len == 16) || - (len == 24) || (len == 32)) ) { - return BAD_FUNC_ARG; - } - - return GmacSetKey(gmac, key, len); - } - int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz, - const byte* authIn, word32 authInSz, - byte* authTag, word32 authTagSz) - { - if (gmac == NULL || authTagSz > AES_BLOCK_SIZE || - authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { - return BAD_FUNC_ARG; - } - - return GmacUpdate(gmac, iv, ivSz, authIn, authInSz, - authTag, authTagSz); - } - #endif /* HAVE_AESGCM */ - - /* AES-CCM */ - #if defined(HAVE_AESCCM) && \ - defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) - int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz) - { - return AesCcmSetKey(aes, key, keySz); - } - int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz, - const byte* nonce, word32 nonceSz, - byte* authTag, word32 authTagSz, - const byte* authIn, word32 authInSz) - { - /* sanity check on arguments */ - if (aes == NULL || out == NULL || in == NULL || nonce == NULL - || authTag == NULL || nonceSz < 7 || nonceSz > 13) - return BAD_FUNC_ARG; - - AesCcmEncrypt(aes, out, in, inSz, nonce, nonceSz, authTag, - authTagSz, authIn, authInSz); - return 0; - } - - #ifdef HAVE_AES_DECRYPT - int wc_AesCcmDecrypt(Aes* aes, byte* out, - const byte* in, word32 inSz, - const byte* nonce, word32 nonceSz, - const byte* authTag, word32 authTagSz, - const byte* authIn, word32 authInSz) - { - - if (aes == NULL || out == NULL || in == NULL || nonce == NULL - || authTag == NULL || nonceSz < 7 || nonceSz > 13) { - return BAD_FUNC_ARG; - } - - return AesCcmDecrypt(aes, out, in, inSz, nonce, nonceSz, - authTag, authTagSz, authIn, authInSz); - } - #endif /* HAVE_AES_DECRYPT */ - #endif /* HAVE_AESCCM && HAVE_FIPS_VERSION 2 */ - - int wc_AesInit(Aes* aes, void* h, int i) - { - if (aes == NULL) - return BAD_FUNC_ARG; - - (void)h; - (void)i; - - /* FIPS doesn't support */ - #ifdef WOLFSSL_KCAPI_AES - return AesInit(aes, h, i); - #else - return 0; - #endif - } - void wc_AesFree(Aes* aes) - { - (void)aes; - /* FIPS doesn't support */ - #ifdef WOLFSSL_KCAPI_AES - AesFree(aes); - #endif - } - -#else /* else build without fips, or for FIPS v2+ */ - - #if defined(WOLFSSL_TI_CRYPT) #include #else @@ -11590,5 +11381,4 @@ int wc_AesSivDecrypt(const byte* key, word32 keySz, const byte* assoc, #endif /* WOLFSSL_AES_SIV */ -#endif /* HAVE_FIPS */ #endif /* !NO_AES */ diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c index e6c8e2d8f..741cfce65 100644 --- a/wolfcrypt/src/des3.c +++ b/wolfcrypt/src/des3.c @@ -49,85 +49,6 @@ #include #endif -/* fips wrapper calls, user can call direct */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - - int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir) - { - return Des_SetKey(des, key, iv, dir); - } - int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir) - { - if (des == NULL || key == NULL || dir < 0) { - return BAD_FUNC_ARG; - } - - return Des3_SetKey_fips(des, key, iv, dir); - } - int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz) - { - return Des_CbcEncrypt(des, out, in, sz); - } - int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz) - { - return Des_CbcDecrypt(des, out, in, sz); - } - int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz) - { - if (des == NULL || out == NULL || in == NULL) { - return BAD_FUNC_ARG; - } - return Des3_CbcEncrypt_fips(des, out, in, sz); - } - int wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz) - { - if (des == NULL || out == NULL || in == NULL) { - return BAD_FUNC_ARG; - } - return Des3_CbcDecrypt_fips(des, out, in, sz); - } - - #ifdef WOLFSSL_DES_ECB - /* One block, compatibility only */ - int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz) - { - return Des_EcbEncrypt(des, out, in, sz); - } - int wc_Des3_EcbEncrypt(Des3* des, byte* out, const byte* in, word32 sz) - { - return Des3_EcbEncrypt(des, out, in, sz); - } - #endif /* WOLFSSL_DES_ECB */ - - void wc_Des_SetIV(Des* des, const byte* iv) - { - Des_SetIV(des, iv); - } - int wc_Des3_SetIV(Des3* des, const byte* iv) - { - return Des3_SetIV_fips(des, iv); - } - - int wc_Des3Init(Des3* des3, void* heap, int devId) - { - (void)des3; - (void)heap; - (void)devId; - /* FIPS doesn't support: - return Des3Init(des3, heap, devId); */ - return 0; - } - void wc_Des3Free(Des3* des3) - { - (void)des3; - /* FIPS doesn't support: - Des3Free(des3); */ - } - -#else /* else build without fips, or for FIPS v2 */ - - #if defined(WOLFSSL_TI_CRYPT) #include #else @@ -1889,5 +1810,4 @@ void wc_Des3Free(Des3* des3) } #endif /* WOLFSSL_TI_CRYPT */ -#endif /* HAVE_FIPS */ #endif /* NO_DES3 */ diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index 84dae0869..ee9352bc2 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -65,77 +65,6 @@ #endif -/* fips wrapper calls, user can call direct */ -/* If building for old FIPS. */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - - /* does init */ - int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 keySz) - { - if (hmac == NULL || (key == NULL && keySz != 0) || - !(type == WC_MD5 || type == WC_SHA || type == WC_SHA256 || - type == WC_SHA384 || type == WC_SHA512)) { - return BAD_FUNC_ARG; - } - - return HmacSetKey_fips(hmac, type, key, keySz); - } - int wc_HmacUpdate(Hmac* hmac, const byte* in, word32 sz) - { - if (hmac == NULL || (in == NULL && sz > 0)) { - return BAD_FUNC_ARG; - } - - return HmacUpdate_fips(hmac, in, sz); - } - int wc_HmacFinal(Hmac* hmac, byte* out) - { - if (hmac == NULL) { - return BAD_FUNC_ARG; - } - - return HmacFinal_fips(hmac, out); - } - int wolfSSL_GetHmacMaxSize(void) - { - return WC_MAX_DIGEST_SIZE; - } - - int wc_HmacInit(Hmac* hmac, void* heap, int devId) - { - #ifndef WOLFSSL_KCAPI_HMAC - (void)hmac; - (void)heap; - (void)devId; - return 0; - #else - return HmacInit(hmac, heap, devId); - #endif - } - void wc_HmacFree(Hmac* hmac) - { - #ifndef WOLFSSL_KCAPI_HMAC - (void)hmac; - #else - HmacFree(hmac); - #endif - } - - #ifdef HAVE_HKDF - int wc_HKDF(int type, const byte* inKey, word32 inKeySz, - const byte* salt, word32 saltSz, - const byte* info, word32 infoSz, - byte* out, word32 outSz) - { - return HKDF(type, inKey, inKeySz, salt, saltSz, - info, infoSz, out, outSz); - } - #endif /* HAVE_HKDF */ - -#else /* else build without fips, or for new fips */ - - int wc_HmacSizeByType(int type) { int ret; @@ -1440,5 +1369,4 @@ int wolfSSL_GetHmacMaxSize(void) #endif /* HAVE_HKDF */ -#endif /* HAVE_FIPS */ #endif /* NO_HMAC */ diff --git a/wolfcrypt/src/port/kcapi/kcapi_dh.c b/wolfcrypt/src/port/kcapi/kcapi_dh.c index 0b1bf4e12..cceaf2521 100644 --- a/wolfcrypt/src/port/kcapi/kcapi_dh.c +++ b/wolfcrypt/src/port/kcapi/kcapi_dh.c @@ -47,68 +47,6 @@ void KcapiDh_Free(DhKey* key) static int KcapiDh_SetParams(DhKey* key) { -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - int ret = 0; - unsigned char* pkcs3 = NULL; - word32 len = 0, idx = 0, len2; - - len = MAX_SEQ_SZ; /* Sequence */ - len += ASN_TAG_SZ + MAX_LENGTH_SZ; /* Integer */ - len += mp_leading_bit(&key->p) ? 1 : 0; - len += mp_unsigned_bin_size(&key->p); - len += ASN_TAG_SZ + MAX_LENGTH_SZ; /* Integer */ - len += mp_leading_bit(&key->g) ? 1 : 0; - len += mp_unsigned_bin_size(&key->g); - - pkcs3 = (unsigned char*)XMALLOC(len, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (pkcs3 == NULL) { - ret = MEMORY_E; - } - - if (ret == 0) { - idx = len; - len2 = mp_unsigned_bin_size(&key->g); - idx -= len2; - ret = mp_to_unsigned_bin(&key->g, pkcs3 + idx); - } - if (ret >= 0) { - if (mp_leading_bit(&key->g)) { - pkcs3[--idx] = 0x00; - len2++; - } - idx -= SetLength(len2, NULL); - SetLength(len2, pkcs3 + idx); - pkcs3[--idx] = ASN_INTEGER; - - len2 = mp_unsigned_bin_size(&key->p); - idx -= len2; - ret = mp_to_unsigned_bin(&key->p, pkcs3 + idx); - } - if (ret >= 0) { - if (mp_leading_bit(&key->p)) { - pkcs3[--idx] = 0x00; - len2++; - } - idx -= SetLength(len2, NULL); - SetLength(len2, pkcs3 + idx); - pkcs3[--idx] = ASN_INTEGER; - - len2 = len - idx; - idx -= SetSequence(len2, NULL); - SetSequence(len2, pkcs3 + idx); - - ret = kcapi_kpp_dh_setparam_pkcs3(key->handle, pkcs3 + idx, len - idx); - if (ret != 0) { - WOLFSSL_MSG("KcapiDh_SetParams: Failed to set"); - } - } - - if (pkcs3 != NULL) { - XFREE(pkcs3, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - return ret; -#else int ret; unsigned char* pkcs3 = NULL; word32 len; @@ -136,7 +74,6 @@ static int KcapiDh_SetParams(DhKey* key) XFREE(pkcs3, key->heap, DYNAMIC_TYPE_TMP_BUFFER); } return ret; -#endif } int KcapiDh_MakeKey(DhKey* key, byte* pub, word32* pubSz) diff --git a/wolfcrypt/src/port/kcapi/kcapi_hash.c b/wolfcrypt/src/port/kcapi/kcapi_hash.c index 844f1f6f7..f4a3b43c0 100644 --- a/wolfcrypt/src/port/kcapi/kcapi_hash.c +++ b/wolfcrypt/src/port/kcapi/kcapi_hash.c @@ -318,36 +318,6 @@ int wc_Sha224Copy(wc_Sha224* src, wc_Sha224* dst) static const char WC_NAME_SHA256[] = "sha256"; -/* create KCAPI handle for SHA256 operation */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -int InitSha256(wc_Sha256* sha) -{ - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return KcapiHashInit(&sha->kcapi, NULL, INVALID_DEVID, WC_NAME_SHA256); -} - - -int Sha256Update(wc_Sha256* sha, const byte* in, word32 sz) -{ - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return KcapiHashUpdate(&sha->kcapi, in, sz); -} - - -int Sha256Final(wc_Sha256* sha, byte* hash) -{ - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return KcapiHashFinal(&sha->kcapi, hash, WC_SHA256_DIGEST_SIZE, - WC_NAME_SHA256); -} -#else int wc_InitSha256_ex(wc_Sha256* sha, void* heap, int devid) { if (sha == NULL) { @@ -374,8 +344,6 @@ int wc_Sha256Final(wc_Sha256* sha, byte* hash) return KcapiHashFinal(&sha->kcapi, hash, WC_SHA256_DIGEST_SIZE, WC_NAME_SHA256); } -#endif - int wc_Sha256GetHash(wc_Sha256* sha, byte* hash) { @@ -400,37 +368,6 @@ int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst) static const char WC_NAME_SHA384[] = "sha384"; - -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -/* create KCAPI handle for SHA384 operation */ -int InitSha384(wc_Sha384* sha) -{ - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return KcapiHashInit(&sha->kcapi, NULL, INVALID_DEVID, WC_NAME_SHA384); -} - - -int Sha384Update(wc_Sha384* sha, const byte* in, word32 sz) -{ - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return KcapiHashUpdate(&sha->kcapi, in, sz); -} - - -int Sha384Final(wc_Sha384* sha, byte* hash) -{ - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return KcapiHashFinal(&sha->kcapi, hash, WC_SHA384_DIGEST_SIZE, - WC_NAME_SHA384); -} -#else /* create KCAPI handle for SHA384 operation */ int wc_InitSha384_ex(wc_Sha384* sha, void* heap, int devid) { @@ -458,7 +395,6 @@ int wc_Sha384Final(wc_Sha384* sha, byte* hash) return KcapiHashFinal(&sha->kcapi, hash, WC_SHA384_DIGEST_SIZE, WC_NAME_SHA384); } -#endif int wc_Sha384GetHash(wc_Sha384* sha, byte* hash) { @@ -483,36 +419,6 @@ int wc_Sha384Copy(wc_Sha384* src, wc_Sha384* dst) static const char WC_NAME_SHA512[] = "sha512"; -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -/* create KCAPI handle for SHA512 operation */ -int InitSha512(wc_Sha512* sha) -{ - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return KcapiHashInit(&sha->kcapi, NULL, INVALID_DEVID, WC_NAME_SHA512); -} - - -int Sha512Update(wc_Sha512* sha, const byte* in, word32 sz) -{ - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return KcapiHashUpdate(&sha->kcapi, in, sz); -} - - -int Sha512Final(wc_Sha512* sha, byte* hash) -{ - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return KcapiHashFinal(&sha->kcapi, hash, WC_SHA512_DIGEST_SIZE, - WC_NAME_SHA512); -} -#else /* create KCAPI handle for SHA512 operation */ int wc_InitSha512_ex(wc_Sha512* sha, void* heap, int devid) { @@ -540,7 +446,6 @@ int wc_Sha512Final(wc_Sha512* sha, byte* hash) return KcapiHashFinal(&sha->kcapi, hash, WC_SHA512_DIGEST_SIZE, WC_NAME_SHA512); } -#endif int wc_Sha512GetHash(wc_Sha512* sha, byte* hash) { diff --git a/wolfcrypt/src/port/kcapi/kcapi_hmac.c b/wolfcrypt/src/port/kcapi/kcapi_hmac.c index a233d9996..0a5d46751 100644 --- a/wolfcrypt/src/port/kcapi/kcapi_hmac.c +++ b/wolfcrypt/src/port/kcapi/kcapi_hmac.c @@ -52,12 +52,7 @@ static const char WC_NAME_HMAC_SHA384[] = "hmac(sha384)"; static const char WC_NAME_HMAC_SHA512[] = "hmac(sha512)"; #endif -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -int HmacInit(Hmac* hmac, void* heap, int devId) -#else int wc_HmacInit(Hmac* hmac, void* heap, int devId) -#endif { int ret = 0; @@ -76,12 +71,7 @@ int wc_HmacInit(Hmac* hmac, void* heap, int devId) return ret; } -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -void HmacFree(Hmac* hmac) -#else void wc_HmacFree(Hmac* hmac) -#endif { if (hmac != NULL) { if (hmac->handle != NULL) { @@ -91,12 +81,7 @@ void wc_HmacFree(Hmac* hmac) } } -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -int HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) -#else int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) -#endif { int ret = 0; const char* ciphername = NULL; @@ -197,12 +182,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) return ret; } -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -int HmacUpdate(Hmac* hmac, const byte* msg, word32 length) -#else int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length) -#endif { int ret = 0; @@ -244,12 +224,7 @@ int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length) return ret; } -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -int HmacFinal(Hmac* hmac, byte* hash) -#else int wc_HmacFinal(Hmac* hmac, byte* hash) -#endif { int ret = 0; int len = 0; diff --git a/wolfcrypt/src/port/kcapi/kcapi_rsa.c b/wolfcrypt/src/port/kcapi/kcapi_rsa.c index 602c50b80..cafca14e7 100644 --- a/wolfcrypt/src/port/kcapi/kcapi_rsa.c +++ b/wolfcrypt/src/port/kcapi/kcapi_rsa.c @@ -45,164 +45,6 @@ void KcapiRsa_Free(RsaKey* key) } } -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -/* Set the DER/BER encoding of the ASN.1 INTEGER header. - * - * len Length of data to encode. - * firstByte First byte of data, most significant byte of integer, to encode. - * output Buffer to write into. - * returns the number of bytes added to the buffer. - */ -static int SetASNInt(int len, byte firstByte, byte* output) -{ - word32 idx = 0; - - if (output) - output[idx] = ASN_INTEGER; - idx++; - if (firstByte & 0x80) - len++; - idx += SetLength(len, output ? output + idx : NULL); - if (firstByte & 0x80) { - if (output) - output[idx] = 0x00; - idx++; - } - - return idx; -} - -static int SetASNIntMP(mp_int* n, int maxSz, byte* output) -{ - int idx = 0; - int leadingBit; - int length; - int err; - - leadingBit = mp_leading_bit(n); - length = mp_unsigned_bin_size(n); - idx = SetASNInt(length, leadingBit ? 0x80 : 0x00, output); - if (maxSz >= 0 && (idx + length) > maxSz) - return BUFFER_E; - - if (output) { - err = mp_to_unsigned_bin(n, output + idx); - if (err != MP_OKAY) - return MP_TO_E; - } - idx += length; - - return idx; -} - -static mp_int* GetRsaInt(RsaKey* key, int idx) -{ - if (idx == 0) - return &key->n; - if (idx == 1) - return &key->e; - if (idx == 2) - return &key->d; - if (idx == 3) - return &key->p; - if (idx == 4) - return &key->q; - if (idx == 5) - return &key->dP; - if (idx == 6) - return &key->dQ; - if (idx == 7) - return &key->u; - - return NULL; -} - -/* Release Tmp RSA resources */ -static WC_INLINE void FreeTmpRsas(byte** tmps, void* heap) -{ - int i; - - (void)heap; - - for (i = 0; i < RSA_INTS; i++) - XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA); -} - - -/* Convert RsaKey key to DER format, write to output (inLen), return bytes - written */ -static int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) -{ - word32 seqSz, verSz, rawLen, intTotalLen = 0; - word32 sizes[RSA_INTS]; - int i, j, outLen, ret = 0; - - byte seq[MAX_SEQ_SZ]; - byte ver[MAX_VERSION_SZ]; - byte* tmps[RSA_INTS]; - - if (!key || !output) - return BAD_FUNC_ARG; - - if (key->type != RSA_PRIVATE) - return BAD_FUNC_ARG; - - for (i = 0; i < RSA_INTS; i++) - tmps[i] = NULL; - - /* write all big ints from key to DER tmps */ - for (i = 0; i < RSA_INTS; i++) { - int mpSz; - mp_int* keyInt = GetRsaInt(key, i); - - rawLen = mp_unsigned_bin_size(keyInt) + 1; - tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, - DYNAMIC_TYPE_RSA); - if (tmps[i] == NULL) { - ret = MEMORY_E; - break; - } - - mpSz = SetASNIntMP(keyInt, MAX_RSA_INT_SZ, tmps[i]); - if (mpSz < 0) { - ret = mpSz; - break; - } - intTotalLen += (sizes[i] = mpSz); - } - - if (ret != 0) { - FreeTmpRsas(tmps, key->heap); - return ret; - } - - /* make headers */ - verSz = SetMyVersion(0, ver, FALSE); - seqSz = SetSequence(verSz + intTotalLen, seq); - - outLen = seqSz + verSz + intTotalLen; - if (outLen > (int)inLen) { - FreeTmpRsas(tmps, key->heap); - return BAD_FUNC_ARG; - } - - /* write to output */ - XMEMCPY(output, seq, seqSz); - j = seqSz; - XMEMCPY(output + j, ver, verSz); - j += verSz; - - for (i = 0; i < RSA_INTS; i++) { - XMEMCPY(output + j, tmps[i], sizes[i]); - j += sizes[i]; - } - FreeTmpRsas(tmps, key->heap); - - return outLen; -} -#endif - #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY) static int KcapiRsa_SetPrivKey(RsaKey* key) { diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index a8f873f2d..9edc3f07e 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -63,58 +63,6 @@ This library contains implementation for the random number generator. #endif -/* If building for old FIPS. */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - -int wc_GenerateSeed(OS_Seed* os, byte* seed, word32 sz) -{ - return GenerateSeed(os, seed, sz); -} - -int wc_InitRng_ex(WC_RNG* rng, void* heap, int devId) -{ - (void)heap; - (void)devId; - return InitRng_fips(rng); -} - -WOLFSSL_ABI -int wc_InitRng(WC_RNG* rng) -{ - return InitRng_fips(rng); -} - - -int wc_RNG_GenerateBlock(WC_RNG* rng, byte* b, word32 sz) -{ - return RNG_GenerateBlock_fips(rng, b, sz); -} - - -int wc_RNG_GenerateByte(WC_RNG* rng, byte* b) -{ - return RNG_GenerateByte(rng, b); -} - -#ifdef HAVE_HASHDRBG - - int wc_FreeRng(WC_RNG* rng) - { - return FreeRng_fips(rng); - } - - int wc_RNG_HealthTest(int reseed, const byte* seedA, word32 seedASz, - const byte* seedB, word32 seedBSz, - byte* output, word32 outputSz) - { - return RNG_HealthTest_fips(reseed, seedA, seedASz, - seedB, seedBSz, output, outputSz); - } -#endif /* HAVE_HASHDRBG */ - -#else /* else build without fips, or for new fips */ - #ifndef WC_NO_RNG /* if not FIPS and RNG is disabled then do not compile */ #include @@ -3878,4 +3826,3 @@ int wc_hwrng_generate_block(byte *output, word32 sz) #endif #endif /* WC_NO_RNG */ -#endif /* HAVE_FIPS */ diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 4141498cd..3d66a541a 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -88,134 +88,6 @@ RSA Key Size Configuration: */ -/* If building for old FIPS. */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - -int wc_InitRsaKey(RsaKey* key, void* ptr) -{ - if (key == NULL) { - return BAD_FUNC_ARG; - } - - return InitRsaKey_fips(key, ptr); -} - - -int wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId) -{ - (void)devId; - if (key == NULL) { - return BAD_FUNC_ARG; - } - return InitRsaKey_fips(key, ptr); -} - - -int wc_FreeRsaKey(RsaKey* key) -{ - return FreeRsaKey_fips(key); -} - - -#ifndef WOLFSSL_RSA_VERIFY_ONLY -int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, - word32 outLen, RsaKey* key, WC_RNG* rng) -{ - if (in == NULL || out == NULL || key == NULL || rng == NULL) { - return BAD_FUNC_ARG; - } - return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng); -} -#endif - - -#ifndef WOLFSSL_RSA_PUBLIC_ONLY -int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, - RsaKey* key) -{ - if (in == NULL || out == NULL || key == NULL) { - return BAD_FUNC_ARG; - } - return RsaPrivateDecryptInline_fips(in, inLen, out, key); -} - - -int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, - word32 outLen, RsaKey* key) -{ - if (in == NULL || out == NULL || key == NULL) { - return BAD_FUNC_ARG; - } - return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key); -} - - -int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, - word32 outLen, RsaKey* key, WC_RNG* rng) -{ - if (in == NULL || out == NULL || key == NULL || inLen == 0) { - return BAD_FUNC_ARG; - } - return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng); -} -#endif - - -int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) -{ - if (in == NULL || out == NULL || key == NULL) { - return BAD_FUNC_ARG; - } - return RsaSSL_VerifyInline_fips(in, inLen, out, key); -} - - -int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, - word32 outLen, RsaKey* key) -{ - if (in == NULL || out == NULL || key == NULL || inLen == 0) { - return BAD_FUNC_ARG; - } - return RsaSSL_Verify_fips(in, inLen, out, outLen, key); -} - - -int wc_RsaEncryptSize(const RsaKey* key) -{ - if (key == NULL) { - return BAD_FUNC_ARG; - } - return RsaEncryptSize_fips((RsaKey*)key); -} - - -#ifndef WOLFSSL_RSA_VERIFY_ONLY -int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b, - word32* bSz) -{ - - /* not specified as fips so not needing _fips */ - return RsaFlattenPublicKey(key, a, aSz, b, bSz); -} -#endif - - -#ifdef WOLFSSL_KEY_GEN - int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) - { - return MakeRsaKey(key, size, e, rng); - } -#endif - - -/* these are functions in asn and are routed to wolfssl/wolfcrypt/asn.c -* wc_RsaPrivateKeyDecode -* wc_RsaPublicKeyDecode -*/ - -#else /* else build without fips, or for new fips */ - #include #include #ifdef WOLF_CRYPTO_CB @@ -4355,9 +4227,6 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n, } #endif -#endif /* HAVE_FIPS */ - - #ifndef WOLFSSL_RSA_VERIFY_ONLY static int RsaGetValue(mp_int* in, byte* out, word32* outSz) { diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 75c2d2de5..fcd0aef9a 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -81,51 +81,6 @@ #undef WOLFSSL_USE_ESP32_CRYPT_HASH_HW #endif -/* fips wrapper calls, user can call direct */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - - int wc_InitSha(wc_Sha* sha) - { - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return InitSha_fips(sha); - } - int wc_InitSha_ex(wc_Sha* sha, void* heap, int devId) - { - (void)heap; - (void)devId; - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return InitSha_fips(sha); - } - - int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len) - { - if (sha == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG; - } - return ShaUpdate_fips(sha, data, len); - } - - int wc_ShaFinal(wc_Sha* sha, byte* out) - { - if (sha == NULL || out == NULL) { - return BAD_FUNC_ARG; - } - return ShaFinal_fips(sha,out); - } - void wc_ShaFree(wc_Sha* sha) - { - (void)sha; - /* Not supported in FIPS */ - } - -#else /* else build without fips, or for FIPS v2 */ - - #if defined(WOLFSSL_TI_HASH) /* #include included by wc_port.c */ @@ -942,7 +897,6 @@ void wc_ShaFree(wc_Sha* sha) #endif /* !defined(WOLFSSL_HAVE_PSA) || defined(WOLFSSL_PSA_NO_HASH) */ #endif /* !WOLFSSL_TI_HASH */ -#endif /* !HAVE_FIPS ... */ #if !defined(WOLFSSL_TI_HASH) && !defined(WOLFSSL_IMXRT_DCP) diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index b59bb81af..7a75c4bba 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -111,55 +111,6 @@ on the specific device platform. static const char* TAG = "wc_sha256"; #endif -/* fips wrapper calls, user can call direct */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - - int wc_InitSha256(wc_Sha256* sha) - { - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return InitSha256_fips(sha); - } - int wc_InitSha256_ex(wc_Sha256* sha, void* heap, int devId) - { - (void)heap; - (void)devId; - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return InitSha256_fips(sha); - } - int wc_Sha256Update(wc_Sha256* sha, const byte* data, word32 len) - { - if (sha == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG; - } - - if (data == NULL && len == 0) { - /* valid, but do nothing */ - return 0; - } - - return Sha256Update_fips(sha, data, len); - } - int wc_Sha256Final(wc_Sha256* sha, byte* out) - { - if (sha == NULL || out == NULL) { - return BAD_FUNC_ARG; - } - return Sha256Final_fips(sha, out); - } - void wc_Sha256Free(wc_Sha256* sha) - { - (void)sha; - /* Not supported in FIPS */ - } - -#else /* else build without fips, or for FIPS v2 */ - - #if defined(WOLFSSL_TI_HASH) /* #include included by wc_port.c */ #elif defined(WOLFSSL_CRYPTOCELL) @@ -1883,7 +1834,6 @@ int wc_Sha224_Grow(wc_Sha224* sha224, const byte* in, int inSz) #endif /* WOLFSSL_HASH_KEEP */ #endif /* !WOLFSSL_TI_HASH */ -#endif /* HAVE_FIPS */ #ifndef WOLFSSL_TI_HASH diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 0b754768d..ab774f504 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -71,92 +71,6 @@ #define USE_SLOW_SHA512 #endif -/* fips wrapper calls, user can call direct */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - - #ifdef WOLFSSL_SHA512 - - int wc_InitSha512(wc_Sha512* sha) - { - if (sha == NULL) { - return BAD_FUNC_ARG; - } - - return InitSha512_fips(sha); - } - int wc_InitSha512_ex(wc_Sha512* sha, void* heap, int devId) - { - (void)heap; - (void)devId; - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return InitSha512_fips(sha); - } - int wc_Sha512Update(wc_Sha512* sha, const byte* data, word32 len) - { - if (sha == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG; - } - - return Sha512Update_fips(sha, data, len); - } - int wc_Sha512Final(wc_Sha512* sha, byte* out) - { - if (sha == NULL || out == NULL) { - return BAD_FUNC_ARG; - } - - return Sha512Final_fips(sha, out); - } - void wc_Sha512Free(wc_Sha512* sha) - { - (void)sha; - /* Not supported in FIPS */ - } - #endif - - #if defined(WOLFSSL_SHA384) || defined(HAVE_AESGCM) - int wc_InitSha384(wc_Sha384* sha) - { - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return InitSha384_fips(sha); - } - int wc_InitSha384_ex(wc_Sha384* sha, void* heap, int devId) - { - (void)heap; - (void)devId; - if (sha == NULL) { - return BAD_FUNC_ARG; - } - return InitSha384_fips(sha); - } - int wc_Sha384Update(wc_Sha384* sha, const byte* data, word32 len) - { - if (sha == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG; - } - return Sha384Update_fips(sha, data, len); - } - int wc_Sha384Final(wc_Sha384* sha, byte* out) - { - if (sha == NULL || out == NULL) { - return BAD_FUNC_ARG; - } - return Sha384Final_fips(sha, out); - } - void wc_Sha384Free(wc_Sha384* sha) - { - (void)sha; - /* Not supported in FIPS */ - } - #endif /* WOLFSSL_SHA384 || HAVE_AESGCM */ - -#else /* else build without fips, or for FIPS v2 */ - #include #ifdef NO_INLINE @@ -1564,8 +1478,6 @@ void wc_Sha384Free(wc_Sha384* sha384) #endif /* WOLFSSL_SHA384 */ -#endif /* HAVE_FIPS */ - #ifdef WOLFSSL_SHA512 #if defined(WOLFSSL_KCAPI_HASH) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 6e0a4cce3..7735f2a7a 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -15465,9 +15465,6 @@ static wc_test_ret_t rsa_flatten_test(RsaKey* key) * -101 = USER_CRYPTO_ERROR */ if (ret == 0) -#elif defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - if (ret != 0) #else if (ret != RSA_BUFFER_E) #endif diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d8752091a..a2efe7bea 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1687,21 +1687,16 @@ enum Misc { SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ TLS_MAX_PAD_SZ = 255, /* Max padding in TLS */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - MAX_SYM_KEY_SIZE = AES_256_KEY_SIZE, -#else - #if defined(HAVE_NULL_CIPHER) && defined(WOLFSSL_TLS13) - #if defined(WOLFSSL_SHA384) && WC_MAX_SYM_KEY_SIZE < 48 - MAX_SYM_KEY_SIZE = WC_SHA384_DIGEST_SIZE, - #elif !defined(NO_SHA256) && WC_MAX_SYM_KEY_SIZE < 32 - MAX_SYM_KEY_SIZE = WC_SHA256_DIGEST_SIZE, - #else - MAX_SYM_KEY_SIZE = WC_MAX_SYM_KEY_SIZE, - #endif +#if defined(HAVE_NULL_CIPHER) && defined(WOLFSSL_TLS13) + #if defined(WOLFSSL_SHA384) && WC_MAX_SYM_KEY_SIZE < 48 + MAX_SYM_KEY_SIZE = WC_SHA384_DIGEST_SIZE, + #elif !defined(NO_SHA256) && WC_MAX_SYM_KEY_SIZE < 32 + MAX_SYM_KEY_SIZE = WC_SHA256_DIGEST_SIZE, #else MAX_SYM_KEY_SIZE = WC_MAX_SYM_KEY_SIZE, #endif +#else + MAX_SYM_KEY_SIZE = WC_MAX_SYM_KEY_SIZE, #endif #if defined(HAVE_SELFTEST) && \ diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index 7d55c6fad..c28f23cef 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -417,13 +417,7 @@ WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out, #endif /* AES-DIRECT */ #if defined(WOLFSSL_AES_DIRECT) -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - WOLFSSL_API void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in); - WOLFSSL_API void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in); - WOLFSSL_API int wc_AesSetKeyDirect(Aes* aes, const byte* key, word32 len, - const byte* iv, int dir); -#elif defined(BUILDING_WOLFSSL) +#if defined(BUILDING_WOLFSSL) WOLFSSL_API WARN_UNUSED_RESULT int wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in); WOLFSSL_API WARN_UNUSED_RESULT int wc_AesDecryptDirect(Aes* aes, byte* out, diff --git a/wolfssl/wolfcrypt/hmac.h b/wolfssl/wolfcrypt/hmac.h index 09a9f71fc..f325dd35d 100644 --- a/wolfssl/wolfcrypt/hmac.h +++ b/wolfssl/wolfcrypt/hmac.h @@ -30,12 +30,6 @@ #ifndef NO_HMAC -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - #define WC_HMAC_BLOCK_SIZE HMAC_BLOCK_SIZE -#endif - - #if defined(HAVE_FIPS) && \ defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) #include diff --git a/wolfssl/wolfcrypt/port/kcapi/kcapi_hmac.h b/wolfssl/wolfcrypt/port/kcapi/kcapi_hmac.h index a987527e8..cfd841fe2 100644 --- a/wolfssl/wolfcrypt/port/kcapi/kcapi_hmac.h +++ b/wolfssl/wolfcrypt/port/kcapi/kcapi_hmac.h @@ -27,11 +27,5 @@ #include #include -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -int HmacInit(Hmac* hmac, void* heap, int devId); -void HmacFree(Hmac* hmac); -#endif - #endif /* WOLF_CRYPT_KCAPI_HMAC_H */ diff --git a/wolfssl/wolfcrypt/sha.h b/wolfssl/wolfcrypt/sha.h index d168da592..b2ba007df 100644 --- a/wolfssl/wolfcrypt/sha.h +++ b/wolfssl/wolfcrypt/sha.h @@ -36,16 +36,6 @@ #include #endif /* HAVE_FIPS_VERSION >= 2 */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -#define wc_Sha Sha -#define WC_SHA SHA -#define WC_SHA_BLOCK_SIZE SHA_BLOCK_SIZE -#define WC_SHA_DIGEST_SIZE SHA_DIGEST_SIZE -#define WC_SHA_PAD_SIZE SHA_PAD_SIZE - -#endif - #ifdef FREESCALE_LTC_SHA #include "fsl_ltc.h" #endif diff --git a/wolfssl/wolfcrypt/sha256.h b/wolfssl/wolfcrypt/sha256.h index 0bc7bf1a1..525e13602 100644 --- a/wolfssl/wolfcrypt/sha256.h +++ b/wolfssl/wolfcrypt/sha256.h @@ -37,23 +37,6 @@ #include #endif /* HAVE_FIPS_VERSION >= 2 */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - #define wc_Sha256 Sha256 - #define WC_SHA256 SHA256 - #define WC_SHA256_BLOCK_SIZE SHA256_BLOCK_SIZE - #define WC_SHA256_DIGEST_SIZE SHA256_DIGEST_SIZE - #define WC_SHA256_PAD_SIZE SHA256_PAD_SIZE - - #ifdef WOLFSSL_SHA224 - #define wc_Sha224 Sha224 - #define WC_SHA224 SHA224 - #define WC_SHA224_BLOCK_SIZE SHA224_BLOCK_SIZE - #define WC_SHA224_DIGEST_SIZE SHA224_DIGEST_SIZE - #define WC_SHA224_PAD_SIZE SHA224_PAD_SIZE - #endif -#endif - #ifdef FREESCALE_LTC_SHA #include "fsl_ltc.h" #endif diff --git a/wolfssl/wolfcrypt/sha512.h b/wolfssl/wolfcrypt/sha512.h index 4d6c5f43e..0d9c75bbb 100644 --- a/wolfssl/wolfcrypt/sha512.h +++ b/wolfssl/wolfcrypt/sha512.h @@ -37,27 +37,6 @@ #include #endif /* HAVE_FIPS_VERSION >= 2 */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - #ifdef WOLFSSL_SHA512 - #define wc_Sha512 Sha512 - #define WC_SHA512 SHA512 - #define WC_SHA512_BLOCK_SIZE SHA512_BLOCK_SIZE - #define WC_SHA512_DIGEST_SIZE SHA512_DIGEST_SIZE - #define WC_SHA512_PAD_SIZE SHA512_PAD_SIZE - #define wc_Sha512_224 Sha512_224 - #define wc_Sha512_256 Sha512_256 - #endif /* WOLFSSL_SHA512 */ - #ifdef WOLFSSL_SHA384 - #define wc_Sha384 Sha384 - #define WC_SHA384 SHA384 - #define WC_SHA384_BLOCK_SIZE SHA384_BLOCK_SIZE - #define WC_SHA384_DIGEST_SIZE SHA384_DIGEST_SIZE - #define WC_SHA384_PAD_SIZE SHA384_PAD_SIZE - #endif /* WOLFSSL_SHA384 */ - -#endif - #ifdef __cplusplus extern "C" { #endif diff --git a/wolfssl/wolfcrypt/visibility.h b/wolfssl/wolfcrypt/visibility.h index 68a6df275..6ee10dfc7 100644 --- a/wolfssl/wolfcrypt/visibility.h +++ b/wolfssl/wolfcrypt/visibility.h @@ -25,14 +25,6 @@ #ifndef WOLF_CRYPT_VISIBILITY_H #define WOLF_CRYPT_VISIBILITY_H - -/* for compatibility and so that fips is using same name of macro @wc_fips */ -/* The following visibility wrappers are for old FIPS. New FIPS should use - * the same as a non-FIPS build. */ -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -#else - /* WOLFSSL_API is used for the public API symbols. It either imports or exports (or does nothing for static builds) @@ -73,8 +65,6 @@ #endif #endif /* BUILDING_WOLFSSL */ -#endif /* HAVE_FIPS */ - /* WOLFSSL_ABI is used for public API symbols that must not change * their signature. This tag is used for all APIs that are a * part of the fixed ABI.