From eb032e0266691ea0d1ce96ba946a9e48c3be9234 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Tue, 14 Dec 2021 18:08:12 -0600
Subject: [PATCH 1/3] configure.ac: refactor changes of 7cccaa98b7 around FIPS v5*.

---
 configure.ac | 54 +++++++--------------------------------------------
 1 file changed, 7 insertions(+), 47 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3a00dac8e..fda8c1cb4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3425,7 +3425,7 @@ fi
 
 # FIPS
 AS_CASE([$FIPS_VERSION],
-    [v5], [ # FIPS 140-3
+    [v5*], [ # FIPS 140-3, including 140-3 ready
     AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_ECDSA_SET_K"
     ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"
     # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
@@ -3452,8 +3452,9 @@ AS_CASE([$FIPS_VERSION],
     [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
     AS_IF([test "x$ENABLED_SHA512" = "xno"],
     [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
-    AS_IF([test "x$ENABLED_AESGCM" = "xno"],
-    [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
+    # AES-GCM optional with fips-ready, required with real fips
+    AS_IF([test "x$ENABLED_AESGCM" = "xno" && (test "$FIPS_VERSION" != "v5-ready" || test "$enable_aesgcm" != "no")],
+    [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
     AS_IF([test "x$ENABLED_MD5" = "xyes"],[ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DECC_USER_CURVES -DHAVE_ECC192 -DHAVE_ECC224 -DHAVE_ECC256 -DHAVE_ECC384 -DHAVE_ECC521"
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECDSA_SET_K -DWC_RNG_SEED_CB"
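Review bot: The new pattern `[v5*]` matches every value that merely begins with `v5`, not just the two spellings the branch actually distinguishes (`v5`, and `v5-ready` via the literal `test "$FIPS_VERSION" != "v5-ready"` comparisons added later in this patch), so a mistyped or future `v5`-prefixed FIPS_VERSION silently receives the full real-FIPS configuration instead of failing to match. If only those two values are intended, an explicit alternation `[v5|v5-ready], [ # FIPS 140-3, including 140-3 ready` keeps the case self-documenting and lets anything else fall to the AS_CASE default, whatever that does. The v5 branch body continues past the end of this hunk.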
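Review bot: The comment `# AES-GCM optional with fips-ready, required with real fips` understates what the new condition does: for `v5-ready` it still forces `ENABLED_AESGCM="yes"` unless `--disable-aesgcm` was given explicitly (`test "$enable_aesgcm" != "no"`), so GCM is now on by default and only opt-out, whereas the removed v5-ready branch in the next hunk only added `-DHAVE_AESGCM` when GCM was already enabled. Suggest spelling that out, e.g. `# AES-GCM: forced on for real FIPS; for fips-ready it defaults on but an explicit --disable-aesgcm is honored`. The same applies to the AES-OFB condition and its comment in the following hunk. As a minor style point, the new line mixes the `"x$VAR" = "xno"` idiom with bare `"$FIPS_VERSION" != "v5-ready"` comparisons; one form within the expression reads more consistently.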
@@ -3461,50 +3462,9 @@ AS_CASE([$FIPS_VERSION],
     AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_3072 -DHAVE_FFDHE_4096 -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192"
     DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
     if test $HAVE_FIPS_VERSION_MINOR -ge 2; then
-        if test "x$ENABLED_AESOFB" = "xno"; then
-            ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"
-        fi
-    fi
-    ],
-    [v5-ready], [ # FIPS 140-3 ready
-    AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_ECDSA_SET_K"
-    ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"
-    # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
-    ENABLED_SHAKE256=no
-    # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
-    AS_IF([test "x$ENABLED_AESCCM" = "xyes"], # AESCCM optional with fips-ready
-    [AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
-    AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
-    [ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
-    AS_IF([test "x$ENABLED_ECC" != "xyes"],
-    [ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
-    AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
-    [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
-    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DWOLFSSL_VALIDATE_ECC_KEYGEN"])
-    AS_IF([test "x$ENABLED_AESCTR" = "xyes"],
-    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) # AESCTR optional with fips-ready
-    AS_IF([test "x$ENABLED_CMAC" = "xyes"],
-    [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) # CMAC optional with fips-ready
-    AS_IF([test "x$ENABLED_HKDF" != "xyes"],
-    [ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
-    AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
-    [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
-    AS_IF([test "x$ENABLED_SHA512" = "xno"],
-    [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
-    AS_IF([test "x$ENABLED_AESGCM" = "xyes"],
-    [AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) # GCM optional with fips-ready
-    AS_IF([test "x$ENABLED_MD5" = "xyes"],[ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DECC_USER_CURVES -DHAVE_ECC192 -DHAVE_ECC224 -DHAVE_ECC256 -DHAVE_ECC384 -DHAVE_ECC521"
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECDSA_SET_K -DWC_RNG_SEED_CB"
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
-    AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_3072 -DHAVE_FFDHE_4096 -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192"
-    DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
-    if test $HAVE_FIPS_VERSION_MINOR -ge 2; then
-        if test "x$ENABLED_AESOFB" = "xyes"; then # AESOFB optional with fips-ready
-            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"
-        fi
+        # AES-OFB optional with fips-ready, required with real fips
+        AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "v5-ready" || test "$enable_aesofb" != "no")],
+        [ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])
     fi
     ],
     ["v3"],[ # FIPS 140-2 Ready

From 242eb2dcf130ce158cdcd45c3702029f0ff82dfb Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Tue, 14 Dec 2021 18:08:54 -0600
Subject: [PATCH 2/3] wolfcrypt/src/pkcs12.c: fix scan-build deadcode.DeadStores gripe.

---
 wolfcrypt/src/pkcs12.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c
index 486e51137..6a4eb5619 100644
--- a/wolfcrypt/src/pkcs12.c
+++ b/wolfcrypt/src/pkcs12.c
@@ -730,9 +730,12 @@ int wc_d2i_PKCS12_fp(const char* file, WC_PKCS12** pkcs12)
     if (pkcs12 == NULL) {
         WOLFSSL_MSG("pkcs12 parameter NULL.");
         ret = BAD_FUNC_ARG;
+        buf = NULL;
     }
 
-    ret = wc_FileLoad(file, &buf, &bufSz, NULL);
+    if (ret == 0)
+        ret = wc_FileLoad(file, &buf, &bufSz, NULL);
+
     if (ret == 0) {
         if (*pkcs12 == NULL) {
             tmpPkcs12 = wc_PKCS12_new();
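Review bot: Folding the `[v5-ready]` branch into `[v5*]` changes more for fips-ready builds than the GCM and OFB conditions this patch adds: the removed branch's AM_CFLAGS line lacked `-DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB`, which the surviving v5 line in the first hunk defines, and it treated AESCCM, AESCTR and CMAC as optional (flag added only when already enabled), while the v5 branch's handling of those three sits between the hunks (old lines 3432-3451) and cannot be seen here. If that code forces them on, a fips-ready build now compiles algorithms the user did not enable, and they would need the same `optional with fips-ready, required with real fips` treatment given to GCM and OFB; either way the commit message's "refactor" should list the fips-ready defaults that changed. The enclosing `if test $HAVE_FIPS_VERSION_MINOR -ge 2` and the AS_CASE arm both continue outside this hunk.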
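Review bot: The added guard `if (ret == 0)` in front of the `wc_FileLoad()` call is the only unbraced `if` in the hunk; the adjacent `if (pkcs12 == NULL) {` and `if (ret == 0) {` are braced, so for consistency with the surrounding style (and to avoid a later one-line edit silently falling outside the condition) write `if (ret == 0) { ret = wc_FileLoad(file, &buf, &bufSz, NULL); }`. `file` is still passed to `wc_FileLoad()` unchecked while `pkcs12` gets an explicit NULL check; whether `wc_FileLoad()` validates its path argument itself is not visible here, so a matching `if (file == NULL)` guard may be warranted. wc_d2i_PKCS12_fp() continues past the end of the hunk, so the cleanup that frees `buf` is not in view.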
From a773cdfd5d45eafe7661a7e9ade4f5fcb4563681 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Tue, 14 Dec 2021 18:33:24 -0600
Subject: [PATCH 3/3] pkcs12.c wc_d2i_PKCS12_fp(): mollify Visual Studio (false positives C4701 and C4703).

---
 wolfcrypt/src/pkcs12.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c
index 6a4eb5619..e791508ae 100644
--- a/wolfcrypt/src/pkcs12.c
+++ b/wolfcrypt/src/pkcs12.c
@@ -720,8 +720,8 @@ int wc_d2i_PKCS12(const byte* der, word32 derSz, WC_PKCS12* pkcs12)
 int wc_d2i_PKCS12_fp(const char* file, WC_PKCS12** pkcs12)
 {
     int ret = 0;
-    byte* buf;
-    size_t bufSz;
+    byte* buf = NULL;
+    size_t bufSz = 0;
     WC_PKCS12* tmpPkcs12 = NULL;
     int callerAlloc = 1;
 
@@ -730,7 +730,6 @@ int wc_d2i_PKCS12_fp(const char* file, WC_PKCS12** pkcs12)
     if (pkcs12 == NULL) {
         WOLFSSL_MSG("pkcs12 parameter NULL.");
         ret = BAD_FUNC_ARG;
-        buf = NULL;
     }
 
     if (ret == 0)