diff --git a/configure.ac b/configure.ac index b10d555bf..9d94b6188 100644 --- a/configure.ac +++ b/configure.ac @@ -223,8 +223,17 @@ AC_ARG_ENABLE([fips], [ENABLED_FIPS=$enableval], [ENABLED_FIPS="no"]) +# The FIPS options are: +# v4 - FIPS 140-3 +# v3 - FIPS Ready +# ready - same as v3 +# rand - wolfRand +# v2 - FIPS 140-2 Cert 3389 +# no - FIPS build disabled +# v1 - FIPS 140-2 Cert 2425 +# default - same as v1 AS_CASE([$ENABLED_FIPS], - [ready],[ + [ready|v3],[ ENABLED_FIPS="yes" FIPS_VERSION="v2" FIPS_READY="yes" @@ -233,7 +242,7 @@ AS_CASE([$ENABLED_FIPS], FIPS_VERSION="none" ENABLED_FIPS="no" ], - [rand|v1|v2|v3],[ + [rand|v1|v2|v4],[ FIPS_VERSION="$ENABLED_FIPS" ENABLED_FIPS="yes" ], @@ -267,9 +276,9 @@ AS_CASE([$FIPS_VERSION], # FIPS 140-3 AC_ARG_ENABLE([fips-3], [AS_HELP_STRING([--enable-fips-3],[Enable FIPS 140-3, Will NOT work w/o FIPS license (default: disabled)])], - [ENABLED_FIPS_3=$enableval], - [ENABLED_FIPS_3="no"]) -AS_IF([test "x$ENABLED_FIPS_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v3"]) + [ENABLED_FIPS_140_3=$enableval], + [ENABLED_FIPS_140_3="no"]) +AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v4"]) # Linux Kernel Module AC_ARG_ENABLE([linuxkm], @@ -2005,7 +2014,7 @@ fi SHA3_DEFAULT=no if (test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64") && test "$ENABLED_32BIT" = "no" then - if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2" + if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv4" then SHA3_DEFAULT=yes fi @@ -3337,8 +3346,8 @@ fi # FIPS AS_CASE([$FIPS_VERSION], - ["v3"], [ - AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=3 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" + ["v4"], [ # FIPS 140-3 + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=4 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no" # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256" @@ -3364,13 +3373,48 @@ AS_CASE([$FIPS_VERSION], AS_IF([test "x$ENABLED_AESGCM" = "xno"], [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) ], - ["v2"],[ - AS_IF([test "x$FIPS_READY" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=3"; ENABLED_DES3="no"], - [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2"; ENABLED_DES3="yes"]) - AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" + ["v3"],[ # FIPS Ready + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=3 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" ENABLED_KEYGEN="yes" ENABLED_SHA224="yes" + ENABLED_DES3="yes" + # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256" + AS_IF([test "x$ENABLED_AESCCM" != "xyes"], + [ENABLED_AESCCM="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"]) + AS_IF([test "x$ENABLED_RSAPSS" != "xyes"], + [ENABLED_RSAPSS="yes" + AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"]) + AS_IF([test "x$ENABLED_ECC" != "xyes"], + [ENABLED_ECC="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT" + AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])], + [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"]) + AS_IF([test "x$ENABLED_AESCTR" != "xyes"], + [ENABLED_AESCTR="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) + AS_IF([test "x$ENABLED_CMAC" != "xyes"], + [ENABLED_CMAC="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) + AS_IF([test "x$ENABLED_HKDF" != "xyes"], + [ENABLED_HKDF="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"]) + AS_IF([test "x$ENABLED_INTELASM" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) + AS_IF([test "x$ENABLED_SHA512" = "xno"], + [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"]) + AS_IF([test "x$ENABLED_AESGCM" = "xno"], + [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) + ], + ["v2"],[ # Cert 3389 + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" + ENABLED_KEYGEN="yes" + ENABLED_SHA224="yes" + ENABLED_DES3="yes" + # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256" AS_IF([test "x$ENABLED_AESCCM" != "xyes"], [ENABLED_AESCCM="yes" AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"]) @@ -3402,7 +3446,7 @@ AS_CASE([$FIPS_VERSION], ["rand"],[ AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2" ], - ["v1"],[ + ["v1"],[ # Cert 2425 AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS" AS_IF([test "x$ENABLED_SHA512" = "xno"], [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"]) @@ -3444,26 +3488,6 @@ AS_CASE([$SELFTEST_VERSION], AM_CFLAGS="$AM_CFLAGS -DHAVE_SELFTEST" ]) -# Set SHA-3 and SHAKE256 flags - -if test "$ENABLED_SHA3" = "yes" && test "$ENABLED_32BIT" = "no" -then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3" -fi - - -if test "$ENABLED_SHAKE256" = "yes" || test "$ENABLED_SHAKE256" = "small" -then - if test "$ENABLED_32BIT" = "no" - then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE256" - if test "$ENABLED_SHA3" = "no" - then - AC_MSG_ERROR([Must have SHA-3 enabled: --enable-sha3]) - fi - fi -fi - # set POLY1305 default POLY1305_DEFAULT=yes @@ -7049,6 +7073,8 @@ AM_CONDITIONAL([BUILD_FIPS_V1],[test "x$FIPS_VERSION" = "xv1"]) AM_CONDITIONAL([BUILD_FIPS_V2],[test "x$FIPS_VERSION" = "xv2"]) AM_CONDITIONAL([BUILD_FIPS_RAND],[test "x$FIPS_VERSION" = "xrand"]) AM_CONDITIONAL([BUILD_FIPS_V3],[test "x$FIPS_VERSION" = "xv3"]) +AM_CONDITIONAL([BUILD_FIPS_V4],[test "x$FIPS_VERSION" = "xv4"]) +AM_CONDITIONAL([BUILD_FIPS_CURRENT],[test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv4"]) AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"]) AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) diff --git a/fips-check.sh b/fips-check.sh index 1933e473b..26fdb08de 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -268,12 +268,12 @@ solaris) ;; linuxv3) FIPS_REPO='/Users/john/src/fips' - CRYPT_REPO='/Users/john/src/wolfssl' + CRYPT_REPO='/Users/john/src/wolfssl/FIPS-3' CRYPT_INC_PATH='wolfssl/wolfcrypt' CRYPT_SRC_PATH='wolfcrypt/src' FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) FIPS_INCS=( fips.h ) - FIPS_OPTION='v3' + FIPS_OPTION='v4' ;; *) Usage @@ -329,7 +329,7 @@ then elif [ "x$FIPS_OPTION" == "xready" ] then echo "Don't need to copy anything in particular for FIPS Ready." -elif [ "x$FIPS_OPTION" == "xv3" ] +elif [ "x$FIPS_OPTION" == "xv4" ] then echo "Don't need to copy anything in particular for FIPS 140-3, yet." else @@ -344,7 +344,7 @@ then echo "fips-check: Couldn't checkout the FIPS repository for FIPS Ready." exit 1 fi -elif test "x$FIPS_OPTION" = "xv3" +elif test "x$FIPS_OPTION" = "xv4" then if ! $GIT clone $FIPS_REPO fips; then echo "fips-check: Couldn't checkout the FIPS repository FIPS 140-3." diff --git a/src/include.am b/src/include.am index 18e2ce440..611db1af6 100644 --- a/src/include.am +++ b/src/include.am @@ -103,7 +103,7 @@ src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c # fips last file src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c -endif +endif BUILD_FIPS_V1 if BUILD_FIPS_V2 # FIPSv2 first file @@ -170,7 +170,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \ # fips last file src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c -endif +endif BUILD_FIPS_V2 if BUILD_FIPS_RAND src_libwolfssl_la_SOURCES += \ @@ -185,6 +185,72 @@ src_libwolfssl_la_SOURCES += \ endif BUILD_FIPS_RAND if BUILD_FIPS_V3 +# FIPS Ready first file +src_libwolfssl_la_SOURCES += \ + wolfcrypt/src/wolfcrypt_first.c + +src_libwolfssl_la_SOURCES += \ + wolfcrypt/src/hmac.c \ + wolfcrypt/src/random.c \ + wolfcrypt/src/sha256.c + +if BUILD_RSA +src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c +endif + +if BUILD_ECC +src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c +endif + +if BUILD_AES +src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c +endif + +if BUILD_AESNI +src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.S +if BUILD_INTELASM +src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S +endif +endif + +if BUILD_DES3 +src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c +endif + +if BUILD_SHA +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c +if BUILD_INTELASM +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S +endif +endif + +if BUILD_SHA512 +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c +if BUILD_INTELASM +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S +endif +endif + +if BUILD_SHA3 +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c +endif + +if BUILD_DH +src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c +endif + +if BUILD_CMAC +src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c +endif + +src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \ + wolfcrypt/src/fips_test.c + +# FIPS Ready last file +src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c +endif BUILD_FIPS_V3 + +if BUILD_FIPS_V4 # FIPS 140-3 first file src_libwolfssl_la_SOURCES += \ wolfcrypt/src/wolfcrypt_first.c @@ -256,7 +322,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \ # fips last file src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c -endif +endif BUILD_FIPS_V4 endif BUILD_FIPS @@ -267,11 +333,9 @@ if !BUILD_FIPS_RAND # For wolfRand, exclude just a couple files. # For old FIPS, keep the wolfCrypt versions of the # CtaoCrypt files included above. -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c -endif -endif +endif !BUILD_FIPS_CURRENT # CAVP self test if BUILD_SELFTEST @@ -286,16 +350,13 @@ src_libwolfssl_la_SOURCES += \ if !BUILD_FIPS_RAND -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_RNG src_libwolfssl_la_SOURCES += wolfcrypt/src/random.c endif -endif -endif +endif !BUILD_FIPS_CURRENT -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_ARMASM src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c else @@ -304,8 +365,7 @@ if BUILD_INTELASM src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S endif endif -endif -endif +endif !BUILD_FIPS_CURRENT if BUILD_AFALG src_libwolfssl_la_SOURCES += wolfcrypt/src/port/af_alg/afalg_hash.c @@ -333,11 +393,9 @@ if BUILD_RSA if BUILD_FAST_RSA src_libwolfssl_la_SOURCES += wolfcrypt/user-crypto/src/rsa.c else -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c -endif -endif +endif !BUILD_FIPS_CURRENT endif endif endif @@ -350,7 +408,7 @@ if BUILD_SP if BUILD_SP_C src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_c32.c src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_c64.c -endif +endif BUILD_SP_C if BUILD_SP_X86_64 src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_x86_64.c src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_x86_64_asm.S @@ -374,10 +432,9 @@ endif if BUILD_SP_ARM_CORTEX src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_cortexm.c endif -endif +endif BUILD_SP -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_AES src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c if BUILD_ARMASM @@ -387,33 +444,27 @@ if BUILD_AFALG src_libwolfssl_la_SOURCES += wolfcrypt/src/port/af_alg/afalg_aes.c endif endif -endif -endif +endif !BUILD_FIPS_CURRENT -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_CMAC src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c endif -endif -endif +endif !BUILD_FIPS_CURRENT -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_DES3 src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c endif -endif +endif !BUILD_FIPS_CURRENT -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_SHA src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c endif -endif -endif +endif !BUILD_FIPS_CURRENT -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_SHA512 if BUILD_ARMASM src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512.c @@ -426,17 +477,13 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S endif endif endif -endif -endif +endif !BUILD_FIPS_CURRENT -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_SHA3 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c endif -endif -endif - +endif !BUILD_FIPS_CURRENT endif !BUILD_FIPS_RAND @@ -457,13 +504,11 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c endif if !BUILD_FIPS_RAND -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_DH src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c endif endif -endif if BUILD_ASN src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c @@ -508,14 +553,12 @@ if BUILD_DSA src_libwolfssl_la_SOURCES += wolfcrypt/src/dsa.c endif -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_AESNI src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.S src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S endif endif -endif if BUILD_CAMELLIA src_libwolfssl_la_SOURCES += wolfcrypt/src/camellia.c @@ -570,8 +613,7 @@ if BUILD_SLOWMATH src_libwolfssl_la_SOURCES += wolfcrypt/src/integer.c endif -if !BUILD_FIPS_V3 -if !BUILD_FIPS_V2 +if !BUILD_FIPS_CURRENT if BUILD_ECC src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c endif @@ -582,7 +624,6 @@ if BUILD_SAKKE src_libwolfssl_la_SOURCES += wolfcrypt/src/sakke.c endif endif -endif if BUILD_CURVE25519 src_libwolfssl_la_SOURCES += wolfcrypt/src/curve25519.c diff --git a/src/internal.c b/src/internal.c index 0bc9b608e..2daec0f6c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4700,7 +4700,7 @@ int EccSharedSecret(WOLFSSL* ssl, ecc_key* priv_key, ecc_key* pub_key, #endif { #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \ + !defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2)) && \ !defined(HAVE_SELFTEST) ret = wc_ecc_set_rng(priv_key, ssl->rng); if (ret == 0) diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c index eacc62bab..7e9550005 100644 --- a/wolfcrypt/src/des3.c +++ b/wolfcrypt/src/des3.c @@ -31,8 +31,8 @@ #ifndef NO_DES3 -#if defined(HAVE_FIPS) && \ - defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2) +#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION == 2 || HAVE_FIPS_VERSION == 3) /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ #define FIPS_NO_WRAPPERS diff --git a/wolfssl/wolfcrypt/des3.h b/wolfssl/wolfcrypt/des3.h index 8eb2b8c3c..f05b54e49 100644 --- a/wolfssl/wolfcrypt/des3.h +++ b/wolfssl/wolfcrypt/des3.h @@ -30,15 +30,15 @@ #ifndef NO_DES3 -#if defined(HAVE_FIPS) && \ - defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2) +#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION == 2 || HAVE_FIPS_VERSION == 3) #include #endif /* HAVE_FIPS_VERSION >= 2 */ #if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) -/* included for fips @wc_fips */ -#include + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) + /* included for fips @wc_fips */ + #include #endif #ifdef __cplusplus @@ -54,8 +54,8 @@ enum { /* avoid redefinition of structs */ -#if !defined(HAVE_FIPS) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2)) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION == 2 || HAVE_FIPS_VERSION == 3)) #ifdef WOLFSSL_ASYNC_CRYPT #include @@ -117,7 +117,7 @@ struct Des3 { typedef struct Des3 Des3; #define WC_DES3_TYPE_DEFINED #endif -#endif /* HAVE_FIPS */ +#endif /* HAVE_FIPS && HAVE_FIPS_VERSION >= 2 */ WOLFSSL_API int wc_Des_SetKey(Des* des, const byte* key, diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index eb944b4aa..5dae7ca72 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -173,3 +173,7 @@ nobase_include_HEADERS+= wolfssl/wolfcrypt/port/iotsafe/iotsafe.h if BUILD_FIPS_V3 nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h endif + +if BUILD_FIPS_V4 +nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h +endif