Add CASTs for TLSv1.2, TLSv1.3, and SSH KDFs.

1. Remove the CAST IDs for the redundant RSA tests.
2. Remove the flags in configure.ac that enable the keys for the redundant RSA tests.

configure.ac

@@ -174,23 +174,32 @@ ENABLED_CERTS="no"
 
 
 
-# FIPS
+# FIPS 140-2
 AC_ARG_ENABLE([fips],
     [AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])],
     [ENABLED_FIPS=$enableval],
     [ENABLED_FIPS="no"])
 
+# The FIPS options are:
+#   v4 - FIPS 140-3
+#   v3 - FIPS Ready
+#   ready - same as v3
+#   rand - wolfRand
+#   v2 - FIPS 140-2 Cert 3389
+#   no - FIPS build disabled
+#   v1 - FIPS 140-2 Cert 2425
+#   default - same as v1
 AS_CASE([$ENABLED_FIPS],
-    [ready],[
+    [ready|v3],[
         ENABLED_FIPS="yes"
-        FIPS_VERSION="v2"
+        FIPS_VERSION="v3"
         FIPS_READY="yes"
     ],
     [no],[
         FIPS_VERSION="none"
         ENABLED_FIPS="no"
     ],
-    [rand|v1|v2],[
+    [rand|v1|v2|v4],[
         FIPS_VERSION="$ENABLED_FIPS"
         ENABLED_FIPS="yes"
     ],
@@ -221,6 +230,13 @@ AS_CASE([$FIPS_VERSION],
     ]
 )
 
+# FIPS 140-3
+AC_ARG_ENABLE([fips-3],
+    [AS_HELP_STRING([--enable-fips-3],[Enable FIPS 140-3, Will NOT work w/o FIPS license (default: disabled)])],
+    [ENABLED_FIPS_140_3=$enableval],
+    [ENABLED_FIPS_140_3="no"])
+AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v4"])
+
 # Linux Kernel Module
 AC_ARG_ENABLE([linuxkm],
     [AS_HELP_STRING([--enable-linuxkm],[Enable Linux Kernel Module (default: disabled)])],
@@ -1701,7 +1717,7 @@ fi
 SHA3_DEFAULT=no
 if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64"
 then
-    if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2"
+    if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv4"
     then
         SHA3_DEFAULT=yes
     fi
@@ -2938,13 +2954,41 @@ fi
 
 # FIPS
 AS_CASE([$FIPS_VERSION],
-    ["v2"],[
-        AS_IF([test "x$FIPS_READY" = "xyes"],
-            [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=3"],
-            [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2"])
-        AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
+    ["v4"], [ # FIPS 140-3
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=4 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING"
+        ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"
+        # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
+        AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
+              [ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
+        AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
+              [ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
+        AS_IF([test "x$ENABLED_ECC" != "xyes"],
+              [ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT"
+               AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
+                     [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
+              [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"])
+        AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
+              [ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
+        AS_IF([test "x$ENABLED_CMAC" != "xyes"],
+              [ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
+        AS_IF([test "x$ENABLED_HKDF" != "xyes"],
+              [ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
+        AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
+              [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
+        AS_IF([test "x$ENABLED_SHA512" = "xno"],
+            [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
+        AS_IF([test "x$ENABLED_AESGCM" = "xno"],
+            [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ECDSA_SET_K"
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_3072 -DHAVE_FFDHE_4096 -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DFP_MAX_BITS=16384"
+    ],
+    ["v3"],[ # FIPS Ready
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=3 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
         ENABLED_KEYGEN="yes"
         ENABLED_SHA224="yes"
+        ENABLED_DES3="yes"
         # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
         AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
         AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
@@ -2970,29 +3014,61 @@ AS_CASE([$FIPS_VERSION],
                AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
         AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
               [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
+        AS_IF([test "x$ENABLED_SHA512" = "xno"],
+            [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
+        AS_IF([test "x$ENABLED_AESGCM" = "xno"],
+            [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
+    ],
+    ["v2"],[ # Cert 3389
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
+        ENABLED_KEYGEN="yes"
+        ENABLED_SHA224="yes"
+        ENABLED_DES3="yes"
+        # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
+        AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
+              [ENABLED_AESCCM="yes"
+               AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
+        AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
+              [ENABLED_RSAPSS="yes"
+               AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
+        AS_IF([test "x$ENABLED_ECC" != "xyes"],
+              [ENABLED_ECC="yes"
+               AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT"
+               AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
+                     [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])],
+              [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"])
+        AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
+              [ENABLED_AESCTR="yes"
+               AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
+        AS_IF([test "x$ENABLED_CMAC" != "xyes"],
+              [ENABLED_CMAC="yes"
+               AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
+        AS_IF([test "x$ENABLED_HKDF" != "xyes"],
+              [ENABLED_HKDF="yes"
+               AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
+        AS_IF([test "x$ENABLED_INTELASM" = "xyes"],
+              [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
+        AS_IF([test "x$ENABLED_SHA512" = "xno"],
+            [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
+        AS_IF([test "x$ENABLED_AESGCM" = "xno"],
+            [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
     ],
     ["rand"],[
         AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2"
     ],
-    ["v1"],[
+    ["v1"],[ # Cert 2425
         AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
+        AS_IF([test "x$ENABLED_SHA512" = "xno"],
+            [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
+        AS_IF([test "x$ENABLED_AESGCM" = "xno"],
+            [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
+        AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])
     ])
 
 AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno"],
     [AC_MSG_ERROR([FIPS requires Thread Local Storage])])
 
-AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" != "xrand"],
-[
-    # Force enable the prerequisites.
-    AS_IF([test "x$ENABLED_SHA512" = "xno"],
-        [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
-    AS_IF([test "x$ENABLED_AESGCM" = "xno"],
-        [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
-    AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])
-],
-[
-    AS_IF([test "x$ENABLED_FORTRESS" = "xyes"],[ENABLED_DES3="yes"])
-])
 
 
 # SELFTEST
@@ -3024,22 +3100,12 @@ AS_CASE([$SELFTEST_VERSION],
     ])
 
 
-
-# set POLY1305 default
-POLY1305_DEFAULT=yes
-
-if test "x$ENABLED_FIPS" = "xyes"
-then
-POLY1305_DEFAULT=no
-fi
-
 # Set SHA-3 and SHAKE256 flags
-
 if test "$ENABLED_SHA3" = "yes" && test "$ENABLED_32BIT" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"
 fi
-
+AS_IF([test "x$ENABLED_FIPS" = "xyes"],[ENABLED_SHAKE256="no"])
 
 if test "$ENABLED_SHAKE256" = "yes" || test "$ENABLED_SHAKE256" = "small"
 then
@@ -3053,6 +3119,13 @@ then
     fi
 fi
 
+# set POLY1305 default
+POLY1305_DEFAULT=yes
+
+if test "x$ENABLED_FIPS" = "xyes"
+then
+POLY1305_DEFAULT=no
+fi
 
 # POLY1305
 AC_ARG_ENABLE([poly1305],
@@ -5940,6 +6013,8 @@ if test "x$ENABLED_OPENSSLCOEXIST" = "xyes"; then
     fi
 fi
 
+AS_IF([test "x$ENABLED_WOLFSSH" = "xyes"],[AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_WOLFSSH"])
+
 if test "x$ENABLED_CERTS" = "xno" || test "x$ENABLED_LEANPSK" = "xyes" || test "x$ENABLED_ASN" = "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS"
 fi
@@ -6148,7 +6223,9 @@ AM_CONDITIONAL([BUILD_FIPS],[test "x$ENABLED_FIPS" = "xyes"])
 AM_CONDITIONAL([BUILD_FIPS_V1],[test "x$FIPS_VERSION" = "xv1"])
 AM_CONDITIONAL([BUILD_FIPS_V2],[test "x$FIPS_VERSION" = "xv2"])
 AM_CONDITIONAL([BUILD_FIPS_RAND],[test "x$FIPS_VERSION" = "xrand"])
-AM_CONDITIONAL([BUILD_FIPS_READY],[test "x$FIPS_READY" = "xyes"])
+AM_CONDITIONAL([BUILD_FIPS_V3],[test "x$FIPS_VERSION" = "xv3"])
+AM_CONDITIONAL([BUILD_FIPS_V4],[test "x$FIPS_VERSION" = "xv4"])
+AM_CONDITIONAL([BUILD_FIPS_CURRENT],[test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv4"])
 AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"])
 AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])

fips-check.sh

@@ -36,6 +36,7 @@ Platform is one of:
     stm32l4-v2 (FIPSv2, use for STM32L4)
     wolfrand
     solaris
+    linuxv3 (FIPS 140-3)
 Keep (default off) retains the XXX-fips-test temp dir for inspection.
 
 Example:
@@ -265,6 +266,19 @@ solaris)
   FIPS_OPTION=v2
   MAKE=gmake
   ;;
+linuxv3)
+  FIPS_REPO="git@github.com:ejohnstown/fips.git"
+  FIPS_VERSION="fipsv3"
+  CRYPT_REPO="git@github.com:ejohnstown/wolfssl.git"
+  CRYPT_VERSION="fipsv3"
+  CRYPT_INC_PATH="wolfssl/wolfcrypt"
+  CRYPT_SRC_PATH="wolfcrypt/src"
+  WC_MODS=( aes sha sha256 sha512 rsa hmac random cmac dh ecc sha3 )
+  RNG_VERSION="fipsv3"
+  FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c )
+  FIPS_INCS=( fips.h )
+  FIPS_OPTION="v4"
+  ;;
 *)
   Usage
   exit 1
@@ -304,7 +318,7 @@ then
         cp "old-tree/$CRYPT_SRC_PATH/random.c" $CRYPT_SRC_PATH
         cp "old-tree/$CRYPT_INC_PATH/random.h" $CRYPT_INC_PATH
     fi
-elif [ "x$FIPS_OPTION" == "xv2" ] || [ "x$FIPS_OPTION" == "xrand" ]
+elif [ "x$FIPS_OPTION" == "xv2" ] || [ "x$FIPS_OPTION" == "xrand" ] || [ "x$FIPS_OPTION" == "xv4" ]
 then
     $GIT branch --no-track "my$CRYPT_VERSION" $CRYPT_VERSION
     # Checkout the fips versions of the wolfCrypt files from the repo.
@@ -313,9 +327,9 @@ then
         $GIT checkout "my$CRYPT_VERSION" -- "$CRYPT_SRC_PATH/$MOD.c" "$CRYPT_INC_PATH/$MOD.h"
     done
 
-    $GIT branch --no-track "my$RNG_VERSION" $RNG_VERSION
+    $GIT branch --no-track "myrng$RNG_VERSION" $RNG_VERSION
     # Checkout the fips versions of the wolfCrypt files from the repo.
-    $GIT checkout "my$RNG_VERSION" -- "$CRYPT_SRC_PATH/random.c" "$CRYPT_INC_PATH/random.h"
+    $GIT checkout "myrng$RNG_VERSION" -- "$CRYPT_SRC_PATH/random.c" "$CRYPT_INC_PATH/random.h"
 elif [ "x$FIPS_OPTION" == "xready" ]
 then
     echo "Don't need to copy anything in particular for FIPS Ready."
@@ -325,14 +339,14 @@ else
 fi
 
 # clone the FIPS repository
-if [ "x$FIPS_OPTION" != "xready" ]
+if [ "x$FIPS_OPTION" = "xready" ]
 then
-    if ! $GIT clone --depth 1 -b $FIPS_VERSION $FIPS_REPO fips; then
-        echo "fips-check: Couldn't checkout the FIPS repository."
+    if ! $GIT clone --depth 1 $FIPS_REPO fips; then
+        echo "fips-check: Couldn't checkout the FIPS repository for FIPS Ready."
         exit 1
     fi
 else
-    if ! $GIT clone --depth 1 $FIPS_REPO fips; then
+    if ! $GIT clone --depth 1 -b $FIPS_VERSION $FIPS_REPO fips; then
         echo "fips-check: Couldn't checkout the FIPS repository."
         exit 1
     fi

src/include.am

@@ -61,12 +61,12 @@ src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c
 
 # fips last file
 src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c
-endif
+endif BUILD_FIPS_V1
 
 if BUILD_FIPS_V2
 # FIPSv2 first file
 src_libwolfssl_la_SOURCES += \
-			   wolfcrypt/src/wolfcrypt_first.c
+               wolfcrypt/src/wolfcrypt_first.c
 
 src_libwolfssl_la_SOURCES += \
                wolfcrypt/src/hmac.c \
@@ -83,11 +83,6 @@ endif
 
 if BUILD_AES
 src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
-if BUILD_ARMASM
-if BUILD_FIPS_READY
-src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c
-endif
-endif
 endif
 
 if BUILD_AESNI
@@ -105,10 +100,152 @@ if BUILD_SHA
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
 endif
 
-if BUILD_ARMASM
-if BUILD_FIPS_READY
-src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c
+if BUILD_INTELASM
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S
 endif
+
+if BUILD_SHA512
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
+if BUILD_INTELASM
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S
+endif
+endif
+
+if BUILD_SHA3
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
+endif
+
+if BUILD_DH
+src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
+endif
+
+if BUILD_CMAC
+src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
+endif
+
+src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \
+                             wolfcrypt/src/fips_test.c
+
+# fips last file
+src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
+endif BUILD_FIPS_V2
+
+if BUILD_FIPS_RAND
+src_libwolfssl_la_SOURCES += \
+               wolfcrypt/src/wolfcrypt_first.c \
+               wolfcrypt/src/hmac.c \
+               wolfcrypt/src/random.c \
+               wolfcrypt/src/sha256.c \
+               wolfcrypt/src/sha256_asm.S \
+               wolfcrypt/src/fips.c \
+               wolfcrypt/src/fips_test.c \
+               wolfcrypt/src/wolfcrypt_last.c
+endif BUILD_FIPS_RAND
+
+if BUILD_FIPS_V3
+# FIPS Ready first file
+src_libwolfssl_la_SOURCES += \
+               wolfcrypt/src/wolfcrypt_first.c
+
+src_libwolfssl_la_SOURCES += \
+               wolfcrypt/src/hmac.c \
+               wolfcrypt/src/random.c \
+               wolfcrypt/src/sha256.c
+
+if BUILD_RSA
+src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
+endif
+
+if BUILD_ECC
+src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
+endif
+
+if BUILD_AES
+src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
+endif
+
+if BUILD_AESNI
+src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.S
+if BUILD_INTELASM
+src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S
+endif
+endif
+
+if BUILD_DES3
+src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
+endif
+
+if BUILD_SHA
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
+if BUILD_INTELASM
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S
+endif
+endif
+
+if BUILD_SHA512
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
+if BUILD_INTELASM
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S
+endif
+endif
+
+if BUILD_SHA3
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
+endif
+
+if BUILD_DH
+src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
+endif
+
+if BUILD_CMAC
+src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
+endif
+
+src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \
+                             wolfcrypt/src/fips_test.c
+
+# FIPS Ready last file
+src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
+endif BUILD_FIPS_V3
+
+if BUILD_FIPS_V4
+# FIPS 140-3 first file
+src_libwolfssl_la_SOURCES += \
+               wolfcrypt/src/wolfcrypt_first.c
+
+src_libwolfssl_la_SOURCES += \
+               wolfcrypt/src/hmac.c \
+               wolfcrypt/src/random.c \
+               wolfcrypt/src/sha256.c
+
+if BUILD_RSA
+src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
+endif
+
+if BUILD_ECC
+src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
+endif
+
+if BUILD_AES
+src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
+if BUILD_ARMASM
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c
+endif
+endif
+
+if BUILD_AESNI
+src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.S
+if BUILD_INTELASM
+src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S
+endif
+endif
+
+if BUILD_SHA
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
+endif
+
+if BUILD_ARMASM
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c
 endif
 if BUILD_INTELASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S
@@ -117,12 +254,10 @@ endif
 if BUILD_SHA512
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
 if BUILD_ARMASM
-if BUILD_FIPS_READY
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512.c
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512-asm.S
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm.S
 endif
-endif
 if BUILD_INTELASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S
 endif
@@ -145,19 +280,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \
 
 # fips last file
 src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
-endif
-
-if BUILD_FIPS_RAND
-src_libwolfssl_la_SOURCES += \
-               wolfcrypt/src/wolfcrypt_first.c \
-               wolfcrypt/src/hmac.c \
-               wolfcrypt/src/random.c \
-               wolfcrypt/src/sha256.c \
-               wolfcrypt/src/sha256_asm.S \
-               wolfcrypt/src/fips.c \
-               wolfcrypt/src/fips_test.c \
-               wolfcrypt/src/wolfcrypt_last.c
-endif BUILD_FIPS_RAND
+endif BUILD_FIPS_V4
 
 endif BUILD_FIPS
 
@@ -168,9 +291,9 @@ if !BUILD_FIPS_RAND
 # For wolfRand, exclude just a couple files.
 # For old FIPS, keep the wolfCrypt versions of the
 # CtaoCrypt files included above.
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c
-endif
+endif !BUILD_FIPS_CURRENT
 
 # CAVP self test
 if BUILD_SELFTEST
@@ -185,13 +308,13 @@ src_libwolfssl_la_SOURCES += \
 
 if !BUILD_FIPS_RAND
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_RNG
 src_libwolfssl_la_SOURCES += wolfcrypt/src/random.c
 endif
-endif
+endif !BUILD_FIPS_CURRENT
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_ARMASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c
 else
@@ -200,7 +323,7 @@ if BUILD_INTELASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S
 endif
 endif
-endif
+endif !BUILD_FIPS_CURRENT
 
 if BUILD_AFALG
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/af_alg/afalg_hash.c
@@ -219,9 +342,9 @@ if BUILD_RSA
 if BUILD_FAST_RSA
 src_libwolfssl_la_SOURCES += wolfcrypt/user-crypto/src/rsa.c
 else
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
-endif
+endif !BUILD_FIPS_CURRENT
 endif
 endif
 endif
@@ -234,7 +357,7 @@ if BUILD_SP
 if BUILD_SP_C
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_c32.c
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_c64.c
-endif
+endif BUILD_SP_C
 if BUILD_SP_X86_64
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_x86_64.c
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_x86_64_asm.S
@@ -258,9 +381,9 @@ endif
 if BUILD_SP_ARM_CORTEX
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_cortexm.c
 endif
-endif
+endif BUILD_SP
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_AES
 src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
 if BUILD_ARMASM
@@ -270,27 +393,27 @@ if BUILD_AFALG
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/af_alg/afalg_aes.c
 endif
 endif
-endif
+endif !BUILD_FIPS_CURRENT
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_CMAC
 src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
 endif
-endif
+endif !BUILD_FIPS_CURRENT
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_DES3
 src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
 endif
-endif
+endif !BUILD_FIPS_CURRENT
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_SHA
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
 endif
-endif
+endif !BUILD_FIPS_CURRENT
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_SHA512
 if BUILD_ARMASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512.c
@@ -303,14 +426,13 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S
 endif
 endif
 endif
-endif
+endif !BUILD_FIPS_CURRENT
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_SHA3
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
 endif
-endif
-
+endif !BUILD_FIPS_CURRENT
 
 endif !BUILD_FIPS_RAND
 
@@ -331,7 +453,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c
 endif
 
 if !BUILD_FIPS_RAND
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_DH
 src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
 endif
@@ -380,7 +502,7 @@ if BUILD_DSA
 src_libwolfssl_la_SOURCES += wolfcrypt/src/dsa.c
 endif
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_AESNI
 src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.S
 src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S
@@ -440,7 +562,7 @@ if BUILD_SLOWMATH
 src_libwolfssl_la_SOURCES += wolfcrypt/src/integer.c
 endif
 
-if !BUILD_FIPS_V2
+if !BUILD_FIPS_CURRENT
 if BUILD_ECC
 src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
 endif

src/internal.c

@@ -4307,7 +4307,7 @@ int EccSharedSecret(WOLFSSL* ssl, ecc_key* priv_key, ecc_key* pub_key,
 #endif
     {
 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
-    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
+    !defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2)) && \
     !defined(HAVE_SELFTEST)
         ret = wc_ecc_set_rng(priv_key, ssl->rng);
         if (ret == 0)

src/tls.c

@@ -32,6 +32,7 @@
 #include <wolfssl/ssl.h>
 #include <wolfssl/internal.h>
 #include <wolfssl/error-ssl.h>
+#include <wolfssl/wolfcrypt/hash.h>
 #include <wolfssl/wolfcrypt/hmac.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>

src/tls13.c

@@ -134,6 +134,18 @@
  */
 #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
 
+#if (defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))) || \
+    defined(HAVE_SELFTEST)
+
+enum {
+/*
+    MAX_HKDF_LABEL_SZ   = OPAQUE16_LEN +
+                          OPAQUE8_LEN + PROTOCOL_LABEL_SZ + MAX_LABEL_SZ +
+                          OPAQUE8_LEN + WC_MAX_DIGEST_SIZE
+*/
+    MAX_TLS13_HKDF_LABEL_SZ = 47 + WC_MAX_DIGEST_SIZE
+};
 
 /* Extract data using HMAC, salt and input.
  * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
@@ -143,37 +155,35 @@
  * saltLen  The length of the salt.
  * ikm      The input keying material.
  * ikmLen   The length of the input keying material.
- * mac      The type of digest to use.
+ * digest   The type of digest to use.
  * returns 0 on success, otherwise failure.
  */
-static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
-                             byte* ikm, int ikmLen, int mac)
+static int wc_Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
+                             byte* ikm, int ikmLen, int digest)
 {
     int ret;
-    int hash = 0;
     int len = 0;
 
-    switch (mac) {
+    switch (digest) {
         #ifndef NO_SHA256
-        case sha256_mac:
-            hash = WC_SHA256;
+        case WC_SHA256:
             len = WC_SHA256_DIGEST_SIZE;
             break;
         #endif
 
         #ifdef WOLFSSL_SHA384
-        case sha384_mac:
-            hash = WC_SHA384;
+        case WC_SHA384:
             len = WC_SHA384_DIGEST_SIZE;
             break;
         #endif
 
         #ifdef WOLFSSL_TLS13_SHA512
-        case sha512_mac:
-            hash = WC_SHA512;
+        case WC_SHA512:
             len = WC_SHA512_DIGEST_SIZE;
             break;
         #endif
+        default:
+            return BAD_FUNC_ARG;
     }
 
     /* When length is 0 then use zeroed data of digest length. */
@@ -189,7 +199,7 @@ static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
     WOLFSSL_BUFFER(ikm, ikmLen);
 #endif
 
-    ret = wc_HKDF_Extract(hash, salt, saltLen, ikm, ikmLen, prk);
+    ret = wc_HKDF_Extract(digest, salt, saltLen, ikm, ikmLen, prk);
 
 #ifdef WOLFSSL_DEBUG_TLS
     WOLFSSL_MSG("  PRK");
@@ -199,6 +209,7 @@ static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
     return ret;
 }
 
+
 /* Expand data using HMAC, salt and label and info.
  * TLS v1.3 defines this function.
  *
@@ -213,7 +224,7 @@ static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
  * digest       The type of digest to use.
  * returns 0 on success, otherwise failure.
  */
-static int HKDF_Expand_Label(byte* okm, word32 okmLen,
+static int wc_Tls13_HKDF_Expand_Label(byte* okm, word32 okmLen,
                              const byte* prk, word32 prkLen,
                              const byte* protocol, word32 protocolLen,
                              const byte* label, word32 labelLen,
@@ -222,7 +233,7 @@ static int HKDF_Expand_Label(byte* okm, word32 okmLen,
 {
     int    ret = 0;
     int    idx = 0;
-    byte   data[MAX_HKDF_LABEL_SZ];
+    byte   data[MAX_TLS13_HKDF_LABEL_SZ];
 
     /* Output length. */
     data[idx++] = (byte)(okmLen >> 8);
@@ -262,6 +273,8 @@ static int HKDF_Expand_Label(byte* okm, word32 okmLen,
     return ret;
 }
 
+#endif /* HAVE_FIPS */
+
 /* Size of the TLS v1.3 label use when deriving keys. */
 #define TLS13_PROTOCOL_LABEL_SZ    6
 /* The protocol label for TLS v1.3. */
@@ -355,7 +368,7 @@ static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
     if (outputLen == -1)
         outputLen = hashSz;
 
-    return HKDF_Expand_Label(output, outputLen, secret, hashSz,
+    return wc_Tls13_HKDF_Expand_Label(output, outputLen, secret, hashSz,
                              protocol, protocolLen, label, labelLen,
                              hash, hashSz, digestAlg);
 }
@@ -424,11 +437,41 @@ static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
     if (includeMsgs)
         hashOutSz = hashSz;
 
-    return HKDF_Expand_Label(output, outputLen, secret, hashSz,
+    return wc_Tls13_HKDF_Expand_Label(output, outputLen, secret, hashSz,
                              protocol, protocolLen, label, labelLen,
                              hash, hashOutSz, digestAlg);
 }
 
+/* Convert TLS mac ID to a hash algorithm ID
+ *
+ * mac Mac ID to convert
+ * returns hash ID on success, or the NONE type.
+ */
+static WC_INLINE int mac2hash(int mac)
+{
+    int hash = WC_HASH_TYPE_NONE;
+    switch (mac) {
+        #ifndef NO_SHA256
+        case sha256_mac:
+            hash = WC_SHA256;
+            break;
+        #endif
+
+        #ifdef WOLFSSL_SHA384
+        case sha384_mac:
+            hash = WC_SHA384;
+            break;
+        #endif
+
+        #ifdef WOLFSSL_TLS13_SHA512
+        case sha512_mac:
+            hash = WC_SHA512;
+            break;
+        #endif
+    }
+    return hash;
+}
+
 #ifndef NO_PSK
 /* The length of the binder key label. */
 #define BINDER_KEY_LABEL_SZ         10
@@ -803,7 +846,7 @@ int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen,
     }
 
     /* Derive-Secret(Secret, label, "") */
-    ret = HKDF_Expand_Label(firstExpand, hashLen,
+    ret = wc_Tls13_HKDF_Expand_Label(firstExpand, hashLen,
             ssl->arrays->exporterSecret, hashLen,
             protocol, protocolLen, (byte*)label, (word32)labelLen,
             emptyHash, hashLen, hashType);
@@ -815,7 +858,7 @@ int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen,
     if (ret != 0)
         return ret;
 
-    ret = HKDF_Expand_Label(out, (word32)outLen, firstExpand, hashLen,
+    ret = wc_Tls13_HKDF_Expand_Label(out, (word32)outLen, firstExpand, hashLen,
             protocol, protocolLen, exporterLabel, EXPORTER_LABEL_SZ,
             hashOut, hashLen, hashType);
 
@@ -904,12 +947,12 @@ int DeriveEarlySecret(WOLFSSL* ssl)
         return BAD_FUNC_ARG;
     }
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
-    return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
+    return wc_Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
             ssl->arrays->psk_key, ssl->arrays->psk_keySz,
-            ssl->specs.mac_algorithm);
+            mac2hash(ssl->specs.mac_algorithm));
 #else
-    return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
-            ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
+    return wc_Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
+            ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm));
 #endif
 }
 
@@ -937,10 +980,10 @@ int DeriveHandshakeSecret(WOLFSSL* ssl)
     if (ret != 0)
         return ret;
 
-    return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
+    return wc_Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
             key, ssl->specs.hash_size,
             ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
-            ssl->specs.mac_algorithm);
+            mac2hash(ssl->specs.mac_algorithm));
 }
 
 /* Derive the master secret using HKDF Extract.
@@ -961,9 +1004,9 @@ int DeriveMasterSecret(WOLFSSL* ssl)
     if (ret != 0)
         return ret;
 
-    ret = Tls13_HKDF_Extract(ssl->arrays->masterSecret,
+    ret = wc_Tls13_HKDF_Extract(ssl->arrays->masterSecret,
             key, ssl->specs.hash_size,
-            ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
+            ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm));
 
 #ifdef HAVE_KEYING_MATERIAL
     if (ret != 0)
@@ -1021,7 +1064,7 @@ int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret)
             return BAD_FUNC_ARG;
     }
 
-    return HKDF_Expand_Label(secret, ssl->specs.hash_size,
+    return wc_Tls13_HKDF_Expand_Label(secret, ssl->specs.hash_size,
                              ssl->session.masterSecret, ssl->specs.hash_size,
                              protocol, protocolLen, resumptionLabel,
                              RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg);

tests/api.c

@@ -399,7 +399,8 @@ static const char* failed = "failed";
 #define TEST_STRING    "Everyone gets Friday off."
 #define TEST_STRING_SZ 25
 
-#if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
+#if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
 #define TEST_RSA_BITS 1024
 #else
 #define TEST_RSA_BITS 2048
@@ -14467,7 +14468,8 @@ static int test_wc_MakeRsaKey (void)
 
     RsaKey  genKey;
     WC_RNG  rng;
-    #if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
+    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
+        (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
     int     bits = 1024;
     #else
     int     bits = 2048;
@@ -15128,7 +15130,8 @@ static int test_wc_RsaKeyToDer (void)
     RsaKey  genKey;
     WC_RNG  rng;
     byte*   der;
-    #if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
+    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
+        (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
     int     bits = 1024;
     word32  derSz = 611;
     /* (2 x 128) + 2 (possible leading 00) + (5 x 64) + 5 (possible leading 00)
@@ -15238,7 +15241,8 @@ static int test_wc_RsaKeyToPublicDer (void)
     RsaKey      key;
     WC_RNG      rng;
     byte*       der;
-    #if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
+    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
+        (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
     int         bits = 1024;
     word32      derLen = 162;
     #else
@@ -15716,7 +15720,8 @@ static int test_wc_RsaEncryptSize (void)
     }
 
     printf(testingFmt, "wc_RsaEncryptSize()");
-#if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
+#if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
     if (ret == 0) {
         ret = MAKE_RSA_KEY(&key, 1024, WC_RSA_EXPONENT, &rng);
         if (ret == 0) {
@@ -15786,7 +15791,8 @@ static int test_wc_RsaFlattenPublicKey (void)
     byte    n[256];
     word32  eSz = sizeof(e);
     word32  nSz = sizeof(n);
-    #if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
+    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) && \
+        (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
     int         bits = 1024;
     #else
     int         bits = 2048;

wolfcrypt/src/des3.c

@@ -31,8 +31,8 @@
 
 #ifndef NO_DES3
 
-#if defined(HAVE_FIPS) && \
-	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
+    (HAVE_FIPS_VERSION == 2 || HAVE_FIPS_VERSION == 3)
 
     /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
     #define FIPS_NO_WRAPPERS

wolfcrypt/src/dh.c

@@ -944,6 +944,7 @@ int wc_InitDhKey_ex(DhKey* key, void* heap, int devId)
 #else
     (void)devId;
 #endif
+    key->trustedGroup = 0;
 
     return ret;
 }
@@ -1066,7 +1067,9 @@ static int GeneratePrivateDh186(DhKey* key, WC_RNG* rng, byte* priv,
     pSz = mp_unsigned_bin_size(&key->p);
 
     /* verify (L,N) pair bit lengths */
-    if (CheckDhLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0) {
+    /* Trusted primes don't need to be checked. */
+    if (!key->trustedGroup &&
+            CheckDhLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0) {
         WOLFSSL_MSG("DH param sizes do not match SP 800-56A requirements");
         return BAD_FUNC_ARG;
     }
@@ -2293,6 +2296,8 @@ static int _DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g,
     if (ret == 0 && q != NULL) {
         if (mp_read_unsigned_bin(&key->q, q, qSz) != MP_OKAY)
             ret = MP_INIT_E;
+        else
+            key->trustedGroup = trusted;
     }
 
     if (ret != 0 && key != NULL) {
@@ -2328,7 +2333,6 @@ int wc_DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g,
     return _DhSetKey(key, p, pSz, g, gSz, NULL, 0, 1, NULL);
 }
 
-
 #ifdef WOLFSSL_KEY_GEN
 
 /* modulus_size in bits */

wolfcrypt/src/error.c

@@ -518,6 +518,21 @@ const char* wc_GetErrorString(int error)
     case ASN_SELF_SIGNED_E:
         return "ASN self-signed certificate error";
 
+    case ECDSA_KAT_FIPS_E:
+        return "wolfcrypt FIPS ECDSA Known Answer Test Failure";
+
+    case RSA_PAT_FIPS_E:
+        return "wolfcrypt FIPS RSA Pairwise Agreement Test Failure";
+
+    case KDF_TLS12_KAT_FIPS_E:
+        return "wolfcrypt FIPS TLSv1.2 KDF Known Answer Test Failure";
+
+    case KDF_TLS13_KAT_FIPS_E:
+        return "wolfcrypt FIPS TLSv1.3 KDF Known Answer Test Failure";
+
+    case KDF_SSH_KAT_FIPS_E:
+        return "wolfcrypt FIPS SSH KDF Known Answer Test Failure";
+
     default:
         return "unknown error number";
 

wolfcrypt/src/hash.c

@@ -1423,7 +1423,8 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
 
 #endif /* !NO_HASH_WRAPPER */
 
-#ifdef WOLFSSL_HAVE_PRF
+#if defined(WOLFSSL_HAVE_PRF) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))
 
 #ifdef WOLFSSL_SHA384
     #define P_HASH_MAX_SIZE WC_SHA384_DIGEST_SIZE

wolfcrypt/src/hmac.c

@@ -1172,6 +1172,289 @@ int wolfSSL_GetHmacMaxSize(void)
     return WC_MAX_DIGEST_SIZE;
 }
 
+
+#if defined(WOLFSSL_HAVE_PRF) && defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 4)
+
+#ifdef WOLFSSL_SHA512
+    #define P_HASH_MAX_SIZE WC_SHA512_DIGEST_SIZE
+#elif defined(WOLFSSL_SHA384)
+    #define P_HASH_MAX_SIZE WC_SHA384_DIGEST_SIZE
+#else
+    #define P_HASH_MAX_SIZE WC_SHA256_DIGEST_SIZE
+#endif
+
+/* Pseudo Random Function for MD5, SHA-1, SHA-256, SHA-384, or SHA-512 */
+int wc_PRF(byte* result, word32 resLen, const byte* secret,
+                  word32 secLen, const byte* seed, word32 seedLen, int hash,
+                  void* heap, int devId)
+{
+    word32 len = P_HASH_MAX_SIZE;
+    word32 times;
+    word32 lastLen;
+    word32 lastTime;
+    word32 i;
+    word32 idx = 0;
+    int    ret = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    byte*  previous;
+    byte*  current;
+    Hmac*  hmac;
+#else
+    byte   previous[P_HASH_MAX_SIZE];  /* max size */
+    byte   current[P_HASH_MAX_SIZE];   /* max size */
+    Hmac   hmac[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    previous = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
+    current  = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
+    hmac     = (Hmac*)XMALLOC(sizeof(Hmac),    heap, DYNAMIC_TYPE_HMAC);
+
+    if (previous == NULL || current == NULL || hmac == NULL) {
+        if (previous) XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
+        if (current)  XFREE(current,  heap, DYNAMIC_TYPE_DIGEST);
+        if (hmac)     XFREE(hmac,     heap, DYNAMIC_TYPE_HMAC);
+
+        return MEMORY_E;
+    }
+#endif
+
+    switch (hash) {
+    #ifndef NO_MD5
+        case md5_mac:
+            hash = WC_MD5;
+            len  = WC_MD5_DIGEST_SIZE;
+        break;
+    #endif
+
+    #ifndef NO_SHA256
+        case sha256_mac:
+            hash = WC_SHA256;
+            len  = WC_SHA256_DIGEST_SIZE;
+        break;
+    #endif
+
+    #ifdef WOLFSSL_SHA384
+        case sha384_mac:
+            hash = WC_SHA384;
+            len  = WC_SHA384_DIGEST_SIZE;
+        break;
+    #endif
+
+    #ifdef WOLFSSL_SHA512
+        case sha512_mac:
+            hash = WC_SHA512;
+            len  = WC_SHA512_DIGEST_SIZE;
+        break;
+    #endif
+
+    #ifndef NO_SHA
+        case sha_mac:
+        default:
+            hash = WC_SHA;
+            len  = WC_SHA_DIGEST_SIZE;
+        break;
+    #endif
+    }
+
+    times   = resLen / len;
+    lastLen = resLen % len;
+
+    if (lastLen)
+        times += 1;
+
+    lastTime = times - 1;
+
+    ret = wc_HmacInit(hmac, heap, devId);
+    if (ret == 0) {
+        ret = wc_HmacSetKey(hmac, hash, secret, secLen);
+        if (ret == 0)
+            ret = wc_HmacUpdate(hmac, seed, seedLen); /* A0 = seed */
+        if (ret == 0)
+            ret = wc_HmacFinal(hmac, previous);       /* A1 */
+        if (ret == 0) {
+            for (i = 0; i < times; i++) {
+                ret = wc_HmacUpdate(hmac, previous, len);
+                if (ret != 0)
+                    break;
+                ret = wc_HmacUpdate(hmac, seed, seedLen);
+                if (ret != 0)
+                    break;
+                ret = wc_HmacFinal(hmac, current);
+                if (ret != 0)
+                    break;
+
+                if ((i == lastTime) && lastLen)
+                    XMEMCPY(&result[idx], current,
+                                             min(lastLen, P_HASH_MAX_SIZE));
+                else {
+                    XMEMCPY(&result[idx], current, len);
+                    idx += len;
+                    ret = wc_HmacUpdate(hmac, previous, len);
+                    if (ret != 0)
+                        break;
+                    ret = wc_HmacFinal(hmac, previous);
+                    if (ret != 0)
+                        break;
+                }
+            }
+        }
+        wc_HmacFree(hmac);
+    }
+
+    ForceZero(previous,  P_HASH_MAX_SIZE);
+    ForceZero(current,   P_HASH_MAX_SIZE);
+    ForceZero(hmac,      sizeof(Hmac));
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(current,  heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(hmac,     heap, DYNAMIC_TYPE_HMAC);
+#endif
+
+    return ret;
+}
+#undef P_HASH_MAX_SIZE
+
+/* compute PRF (pseudo random function) using SHA1 and MD5 for TLSv1 */
+int wc_PRF_TLSv1(byte* digest, word32 digLen, const byte* secret,
+           word32 secLen, const byte* label, word32 labLen,
+           const byte* seed, word32 seedLen, void* heap, int devId)
+{
+    int    ret  = 0;
+    word32 half = (secLen + 1) / 2;
+
+#ifdef WOLFSSL_SMALL_STACK
+    byte* md5_half;
+    byte* sha_half;
+    byte* md5_result;
+    byte* sha_result;
+#else
+    byte  md5_half[MAX_PRF_HALF];     /* half is real size */
+    byte  sha_half[MAX_PRF_HALF];     /* half is real size */
+    byte  md5_result[MAX_PRF_DIG];    /* digLen is real size */
+    byte  sha_result[MAX_PRF_DIG];    /* digLen is real size */
+#endif
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+    DECLARE_VAR(labelSeed, byte, MAX_PRF_LABSEED, heap);
+    if (labelSeed == NULL)
+        return MEMORY_E;
+#else
+    byte labelSeed[MAX_PRF_LABSEED];
+#endif
+
+    if (half > MAX_PRF_HALF ||
+        labLen + seedLen > MAX_PRF_LABSEED ||
+        digLen > MAX_PRF_DIG)
+    {
+    #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+        FREE_VAR(labelSeed, heap);
+    #endif
+        return BUFFER_E;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    md5_half   = (byte*)XMALLOC(MAX_PRF_HALF,    heap, DYNAMIC_TYPE_DIGEST);
+    sha_half   = (byte*)XMALLOC(MAX_PRF_HALF,    heap, DYNAMIC_TYPE_DIGEST);
+    md5_result = (byte*)XMALLOC(MAX_PRF_DIG,     heap, DYNAMIC_TYPE_DIGEST);
+    sha_result = (byte*)XMALLOC(MAX_PRF_DIG,     heap, DYNAMIC_TYPE_DIGEST);
+
+    if (md5_half == NULL || sha_half == NULL || md5_result == NULL ||
+                                                           sha_result == NULL) {
+        if (md5_half)   XFREE(md5_half,   heap, DYNAMIC_TYPE_DIGEST);
+        if (sha_half)   XFREE(sha_half,   heap, DYNAMIC_TYPE_DIGEST);
+        if (md5_result) XFREE(md5_result, heap, DYNAMIC_TYPE_DIGEST);
+        if (sha_result) XFREE(sha_result, heap, DYNAMIC_TYPE_DIGEST);
+    #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+        FREE_VAR(labelSeed, heap);
+    #endif
+
+        return MEMORY_E;
+    }
+#endif
+
+    XMEMSET(md5_result, 0, digLen);
+    XMEMSET(sha_result, 0, digLen);
+
+    XMEMCPY(md5_half, secret, half);
+    XMEMCPY(sha_half, secret + half - secLen % 2, half);
+
+    XMEMCPY(labelSeed, label, labLen);
+    XMEMCPY(labelSeed + labLen, seed, seedLen);
+
+    if ((ret = wc_PRF(md5_result, digLen, md5_half, half, labelSeed,
+                                labLen + seedLen, md5_mac, heap, devId)) == 0) {
+        if ((ret = wc_PRF(sha_result, digLen, sha_half, half, labelSeed,
+                                labLen + seedLen, sha_mac, heap, devId)) == 0) {
+            /* calculate XOR for TLSv1 PRF */
+            XMEMCPY(digest, md5_result, digLen);
+            xorbuf(digest, sha_result, digLen);
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(md5_half,   heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(sha_half,   heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(md5_result, heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(sha_result, heap, DYNAMIC_TYPE_DIGEST);
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+    FREE_VAR(labelSeed, heap);
+#endif
+
+    return ret;
+}
+
+/* Wrapper for TLS 1.2 and TLSv1 cases to calculate PRF */
+/* In TLS 1.2 case call straight thru to wc_PRF */
+int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
+            const byte* label, word32 labLen, const byte* seed, word32 seedLen,
+            int useAtLeastSha256, int hash_type, void* heap, int devId)
+{
+    int ret = 0;
+
+    if (useAtLeastSha256) {
+    #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+        DECLARE_VAR(labelSeed, byte, MAX_PRF_LABSEED, heap);
+        if (labelSeed == NULL)
+            return MEMORY_E;
+    #else
+        byte labelSeed[MAX_PRF_LABSEED];
+    #endif
+
+        if (labLen + seedLen > MAX_PRF_LABSEED)
+            return BUFFER_E;
+
+        XMEMCPY(labelSeed, label, labLen);
+        XMEMCPY(labelSeed + labLen, seed, seedLen);
+
+        /* If a cipher suite wants an algorithm better than sha256, it
+         * should use better. */
+        if (hash_type < sha256_mac || hash_type == blake2b_mac)
+            hash_type = sha256_mac;
+        /* compute PRF for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1.2 PRF */
+        ret = wc_PRF(digest, digLen, secret, secLen, labelSeed,
+                     labLen + seedLen, hash_type, heap, devId);
+
+    #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+        FREE_VAR(labelSeed, heap);
+    #endif
+    }
+#ifndef NO_OLD_TLS
+    else {
+        /* compute TLSv1 PRF (pseudo random function using HMAC) */
+        ret = wc_PRF_TLSv1(digest, digLen, secret, secLen, label, labLen, seed,
+                          seedLen, heap, devId);
+    }
+#endif
+
+    return ret;
+}
+#endif /* WOLFSSL_HAVE_PRF */
+
+
 #ifdef HAVE_HKDF
     /* HMAC-KDF-Extract.
      * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
@@ -1314,7 +1597,378 @@ int wolfSSL_GetHmacMaxSize(void)
         return wc_HKDF_Expand(type, prk, hashSz, info, infoSz, out, outSz);
     }
 
+#if !defined(HAVE_FIPS) || \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 4)
+    /* Extract data using HMAC, salt and input.
+     * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
+     *
+     * prk      The generated pseudorandom key.
+     * salt     The salt.
+     * saltLen  The length of the salt.
+     * ikm      The input keying material.
+     * ikmLen   The length of the input keying material.
+     * digest   The type of digest to use.
+     * returns 0 on success, otherwise failure.
+     */
+    int wc_Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
+                                 byte* ikm, int ikmLen, int digest)
+    {
+        int ret;
+        int len = 0;
+
+        switch (digest) {
+            #ifndef NO_SHA256
+            case WC_SHA256:
+                len = WC_SHA256_DIGEST_SIZE;
+                break;
+            #endif
+
+            #ifdef WOLFSSL_SHA384
+            case WC_SHA384:
+                len = WC_SHA384_DIGEST_SIZE;
+                break;
+            #endif
+
+            #ifdef WOLFSSL_TLS13_SHA512
+            case WC_SHA512:
+                len = WC_SHA512_DIGEST_SIZE;
+                break;
+            #endif
+            default:
+                return BAD_FUNC_ARG;
+        }
+
+        /* When length is 0 then use zeroed data of digest length. */
+        if (ikmLen == 0) {
+            ikmLen = len;
+            XMEMSET(ikm, 0, len);
+        }
+
+#ifdef WOLFSSL_DEBUG_TLS
+        WOLFSSL_MSG("  Salt");
+        WOLFSSL_BUFFER(salt, saltLen);
+        WOLFSSL_MSG("  IKM");
+        WOLFSSL_BUFFER(ikm, ikmLen);
+#endif
+
+        ret = wc_HKDF_Extract(digest, salt, saltLen, ikm, ikmLen, prk);
+
+#ifdef WOLFSSL_DEBUG_TLS
+        WOLFSSL_MSG("  PRK");
+        WOLFSSL_BUFFER(prk, len);
+#endif
+
+        return ret;
+    }
+
+    /* Expand data using HMAC, salt and label and info.
+     * TLS v1.3 defines this function.
+     *
+     * okm          The generated pseudorandom key - output key material.
+     * okmLen       The length of generated pseudorandom key -
+     *              output key material.
+     * prk          The salt - pseudo-random key.
+     * prkLen       The length of the salt - pseudo-random key.
+     * protocol     The TLS protocol label.
+     * protocolLen  The length of the TLS protocol label.
+     * info         The information to expand.
+     * infoLen      The length of the information.
+     * digest       The type of digest to use.
+     * returns 0 on success, otherwise failure.
+     */
+    int wc_Tls13_HKDF_Expand_Label(byte* okm, word32 okmLen,
+                                 const byte* prk, word32 prkLen,
+                                 const byte* protocol, word32 protocolLen,
+                                 const byte* label, word32 labelLen,
+                                 const byte* info, word32 infoLen,
+                                 int digest)
+    {
+        int    ret = 0;
+        int    idx = 0;
+        byte   data[MAX_TLS13_HKDF_LABEL_SZ];
+
+        /* Output length. */
+        data[idx++] = (byte)(okmLen >> 8);
+        data[idx++] = (byte)okmLen;
+        /* Length of protocol | label. */
+        data[idx++] = (byte)(protocolLen + labelLen);
+        /* Protocol */
+        XMEMCPY(&data[idx], protocol, protocolLen);
+        idx += protocolLen;
+        /* Label */
+        XMEMCPY(&data[idx], label, labelLen);
+        idx += labelLen;
+        /* Length of hash of messages */
+        data[idx++] = (byte)infoLen;
+        /* Hash of messages */
+        XMEMCPY(&data[idx], info, infoLen);
+        idx += infoLen;
+
+#ifdef WOLFSSL_DEBUG_TLS
+        WOLFSSL_MSG("  PRK");
+        WOLFSSL_BUFFER(prk, prkLen);
+        WOLFSSL_MSG("  Info");
+        WOLFSSL_BUFFER(data, idx);
+#endif
+
+        ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);
+
+#ifdef WOLFSSL_DEBUG_TLS
+        WOLFSSL_MSG("  OKM");
+        WOLFSSL_BUFFER(okm, okmLen);
+#endif
+
+        ForceZero(data, idx);
+
+        return ret;
+    }
+#endif /* newer HAVE_FIPS */
+
 #endif /* HAVE_HKDF */
 
+
+#ifdef WOLFSSL_WOLFSSH
+
+static
+int _HashInit(byte hashId, wc_Hmac_Hash* hash)
+{
+    int ret = BAD_FUNC_ARG;
+
+    switch (hashId) {
+    #ifndef NO_SHA
+        case WC_SHA:
+            ret = wc_InitSha(&hash->sha);
+            break;
+    #endif /* !NO_SHA */
+
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            ret = wc_InitSha256(&hash->sha256);
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            ret = wc_InitSha384(&hash->sha384);
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            ret = wc_InitSha512(&hash->sha512);
+            break;
+    #endif /* WOLFSSL_SHA512 */
+    }
+
+    return ret;
+}
+
+static
+int _HashUpdate(byte hashId, wc_Hmac_Hash* hash,
+        const byte* data, word32 dataSz)
+{
+    int ret = BAD_FUNC_ARG;
+
+    switch (hashId) {
+    #ifndef NO_SHA
+        case WC_SHA:
+            ret = wc_ShaUpdate(&hash->sha, data, dataSz);
+            break;
+    #endif /* !NO_SHA */
+
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            ret = wc_Sha256Update(&hash->sha256, data, dataSz);
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            ret = wc_Sha384Update(&hash->sha384, data, dataSz);
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            ret = wc_Sha512Update(&hash->sha512, data, dataSz);
+            break;
+    #endif /* WOLFSSL_SHA512 */
+    }
+
+    return ret;
+}
+
+static
+int _HashFinal(byte hashId, wc_Hmac_Hash* hash, byte* digest)
+{
+    int ret = BAD_FUNC_ARG;
+
+    switch (hashId) {
+    #ifndef NO_SHA
+        case WC_SHA:
+            ret = wc_ShaFinal(&hash->sha, digest);
+            break;
+    #endif /* !NO_SHA */
+
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            ret = wc_Sha256Final(&hash->sha256, digest);
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            ret = wc_Sha384Final(&hash->sha384, digest);
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            ret = wc_Sha512Final(&hash->sha512, digest);
+            break;
+    #endif /* WOLFSSL_SHA512 */
+    }
+
+    return ret;
+}
+
+static
+void _HashFree(byte hashId, wc_Hmac_Hash* hash)
+{
+    switch (hashId) {
+    #ifndef NO_SHA
+        case WC_SHA:
+            wc_ShaFree(&hash->sha);
+            break;
+    #endif /* !NO_SHA */
+
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            wc_Sha256Free(&hash->sha256);
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            wc_Sha384Free(&hash->sha384);
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            wc_Sha512Free(&hash->sha512);
+            break;
+    #endif /* WOLFSSL_SHA512 */
+    }
+}
+
+
+#define LENGTH_SZ 4
+
+int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz,
+        const byte* k, word32 kSz, const byte* h, word32 hSz,
+        const byte* sessionId, word32 sessionIdSz)
+{
+    word32 blocks, remainder;
+    wc_Hmac_Hash hash;
+    enum wc_HashType enmhashId = (enum wc_HashType)hashId;
+    byte kPad = 0;
+    byte pad = 0;
+    byte kSzFlat[LENGTH_SZ];
+    int digestSz;
+    int ret;
+
+    if (key == NULL || keySz == 0 ||
+        k == NULL || kSz == 0 ||
+        h == NULL || hSz == 0 ||
+        sessionId == NULL || sessionIdSz == 0) {
+
+        return BAD_FUNC_ARG;
+    }
+
+    digestSz = wc_HmacSizeByType(enmhashId);
+    if (digestSz < 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (k[0] & 0x80) kPad = 1;
+    c32toa(kSz + kPad, kSzFlat);
+
+    blocks = keySz / digestSz;
+    remainder = keySz % digestSz;
+
+    ret = _HashInit(enmhashId, &hash);
+    if (ret == 0)
+        ret = _HashUpdate(enmhashId, &hash, kSzFlat, LENGTH_SZ);
+    if (ret == 0 && kPad)
+        ret = _HashUpdate(enmhashId, &hash, &pad, 1);
+    if (ret == 0)
+        ret = _HashUpdate(enmhashId, &hash, k, kSz);
+    if (ret == 0)
+        ret = _HashUpdate(enmhashId, &hash, h, hSz);
+    if (ret == 0)
+        ret = _HashUpdate(enmhashId, &hash, &keyId, sizeof(keyId));
+    if (ret == 0)
+        ret = _HashUpdate(enmhashId, &hash, sessionId, sessionIdSz);
+
+    if (ret == 0) {
+        if (blocks == 0) {
+            if (remainder > 0) {
+                byte lastBlock[WC_MAX_DIGEST_SIZE];
+                ret = _HashFinal(enmhashId, &hash, lastBlock);
+                if (ret == 0)
+                    XMEMCPY(key, lastBlock, remainder);
+            }
+        }
+        else {
+            word32 runningKeySz, curBlock;
+
+            runningKeySz = digestSz;
+            ret = _HashFinal(enmhashId, &hash, key);
+
+            for (curBlock = 1; curBlock < blocks; curBlock++) {
+                ret = _HashInit(enmhashId, &hash);
+                if (ret != 0) break;
+                ret = _HashUpdate(enmhashId, &hash, kSzFlat, LENGTH_SZ);
+                if (ret != 0) break;
+                if (kPad)
+                    ret = _HashUpdate(enmhashId, &hash, &pad, 1);
+                if (ret != 0) break;
+                ret = _HashUpdate(enmhashId, &hash, k, kSz);
+                if (ret != 0) break;
+                ret = _HashUpdate(enmhashId, &hash, h, hSz);
+                if (ret != 0) break;
+                ret = _HashUpdate(enmhashId, &hash, key, runningKeySz);
+                if (ret != 0) break;
+                ret = _HashFinal(enmhashId, &hash, key + runningKeySz);
+                if (ret != 0) break;
+                runningKeySz += digestSz;
+            }
+
+            if (remainder > 0) {
+                byte lastBlock[WC_MAX_DIGEST_SIZE];
+                if (ret == 0)
+                    ret = _HashInit(enmhashId, &hash);
+                if (ret == 0)
+                    ret = _HashUpdate(enmhashId, &hash, kSzFlat, LENGTH_SZ);
+                if (ret == 0 && kPad)
+                    ret = _HashUpdate(enmhashId, &hash, &pad, 1);
+                if (ret == 0)
+                    ret = _HashUpdate(enmhashId, &hash, k, kSz);
+                if (ret == 0)
+                    ret = _HashUpdate(enmhashId, &hash, h, hSz);
+                if (ret == 0)
+                    ret = _HashUpdate(enmhashId, &hash, key, runningKeySz);
+                if (ret == 0)
+                    ret = _HashFinal(enmhashId, &hash, lastBlock);
+                if (ret == 0)
+                    XMEMCPY(key + runningKeySz, lastBlock, remainder);
+            }
+        }
+    }
+
+    _HashFree(enmhashId, &hash);
+
+    return ret;
+}
+
+#endif /* WOLFSSL_SSH */
+
 #endif /* HAVE_FIPS */
 #endif /* NO_HMAC */

wolfcrypt/test/test.c

@@ -370,6 +370,7 @@ WOLFSSL_TEST_SUBROUTINE int  hmac_sha384_test(void);
 WOLFSSL_TEST_SUBROUTINE int  hmac_sha512_test(void);
 WOLFSSL_TEST_SUBROUTINE int  hmac_sha3_test(void);
 /* WOLFSSL_TEST_SUBROUTINE */ static int  hkdf_test(void);
+WOLFSSL_TEST_SUBROUTINE int  sshkdf_test(void);
 WOLFSSL_TEST_SUBROUTINE int  x963kdf_test(void);
 WOLFSSL_TEST_SUBROUTINE int  arc4_test(void);
 WOLFSSL_TEST_SUBROUTINE int  rc2_test(void);
@@ -934,6 +935,13 @@ initDefaultName();
     #endif
 #endif /* !NO_HMAC */
 
+#ifdef WOLFSSL_WOLFSSH
+        if ( (ret = sshkdf_test()) != 0)
+            return err_sys("SSH-KDF     test failed!\n", ret);
+        else
+            test_pass("SSH-KDF     test passed!\n");
+#endif /* WOLFSSL_WOLFSSH */
+
 #if defined(HAVE_X963_KDF) && defined(HAVE_ECC)
     if ( (ret = x963kdf_test()) != 0)
         return err_sys("X963-KDF    test failed!\n", ret);
@@ -19905,6 +19913,167 @@ WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void)
 #endif /* HAVE_HKDF */
 
 
+#ifdef WOLFSSL_WOLFSSH
+
+typedef struct {
+    byte hashId;
+    byte keyId;
+    const byte* k;
+    word32 kSz;
+    const byte* h;
+    word32 hSz;
+    const byte* sessionId;
+    word32 sessionIdSz;
+    const byte* expectedKey;
+    word32 expectedKeySz;
+} SshKdfTestVector;
+
+
+/** Test Vector Set #3: SHA-256 **/
+const byte sshKdfTvSet3k[] = {
+    0x6A, 0xC3, 0x82, 0xEA, 0xAC, 0xA0, 0x93, 0xE1,
+    0x25, 0xE2, 0x5C, 0x24, 0xBE, 0xBC, 0x84, 0x64,
+    0x0C, 0x11, 0x98, 0x75, 0x07, 0x34, 0x4B, 0x5C,
+    0x73, 0x9C, 0xEB, 0x84, 0xA9, 0xE0, 0xB2, 0x22,
+    0xB9, 0xA8, 0xB5, 0x1C, 0x83, 0x9E, 0x5E, 0xBE,
+    0x49, 0xCF, 0xAD, 0xBF, 0xB3, 0x95, 0x99, 0x76,
+    0x4E, 0xD5, 0x22, 0x09, 0x9D, 0xC9, 0x12, 0x75,
+    0x19, 0x50, 0xDC, 0x7D, 0xC9, 0x7F, 0xBD, 0xC0,
+    0x63, 0x28, 0xB6, 0x8F, 0x22, 0x78, 0x1F, 0xD3,
+    0x15, 0xAF, 0x56, 0x80, 0x09, 0xA5, 0x50, 0x9E,
+    0x5B, 0x87, 0xA1, 0x1B, 0xF5, 0x27, 0xC0, 0x56,
+    0xDA, 0xFF, 0xD8, 0x2A, 0xB6, 0xCB, 0xC2, 0x5C,
+    0xCA, 0x37, 0x14, 0x34, 0x59, 0xE7, 0xBC, 0x63,
+    0xBC, 0xDE, 0x52, 0x75, 0x7A, 0xDE, 0xB7, 0xDF,
+    0x01, 0xCF, 0x12, 0x17, 0x3F, 0x1F, 0xEF, 0x81,
+    0x02, 0xEC, 0x5A, 0xB1, 0x42, 0xC2, 0x13, 0xDD,
+    0x9D, 0x30, 0x69, 0x62, 0x78, 0xA8, 0xD8, 0xBC,
+    0x32, 0xDD, 0xE9, 0x59, 0x2D, 0x28, 0xC0, 0x78,
+    0xC6, 0xD9, 0x2B, 0x94, 0x7D, 0x82, 0x5A, 0xCA,
+    0xAB, 0x64, 0x94, 0x84, 0x6A, 0x49, 0xDE, 0x24,
+    0xB9, 0x62, 0x3F, 0x48, 0x89, 0xE8, 0xAD, 0xC3,
+    0x8E, 0x8C, 0x66, 0x9E, 0xFF, 0xEF, 0x17, 0x60,
+    0x40, 0xAD, 0x94, 0x5E, 0x90, 0xA7, 0xD3, 0xEE,
+    0xC1, 0x5E, 0xFE, 0xEE, 0x78, 0xAE, 0x71, 0x04,
+    0x3C, 0x96, 0x51, 0x11, 0x03, 0xA1, 0x6B, 0xA7,
+    0xCA, 0xF0, 0xAC, 0xD0, 0x64, 0x2E, 0xFD, 0xBE,
+    0x80, 0x99, 0x34, 0xFA, 0xA1, 0xA5, 0xF1, 0xBD,
+    0x11, 0x04, 0x36, 0x49, 0xB2, 0x5C, 0xCD, 0x1F,
+    0xEE, 0x2E, 0x38, 0x81, 0x5D, 0x4D, 0x5F, 0x5F,
+    0xC6, 0xB4, 0x10, 0x29, 0x69, 0xF2, 0x1C, 0x22,
+    0xAE, 0x1B, 0x0E, 0x7D, 0x36, 0x03, 0xA5, 0x56,
+    0xA1, 0x32, 0x62, 0xFF, 0x62, 0x8D, 0xE2, 0x22
+};
+const byte sshKdfTvSet3h[] = {
+    0x7B, 0x70, 0x01, 0x18, 0x5E, 0x25, 0x6D, 0x44,
+    0x93, 0x44, 0x5F, 0x39, 0xA5, 0x5F, 0xB9, 0x05,
+    0xE6, 0x32, 0x1F, 0x4B, 0x5D, 0xD8, 0xBB, 0xF3,
+    0x10, 0x0D, 0x51, 0xBA, 0x0B, 0xDA, 0x3D, 0x2D
+};
+const byte sshKdfTvSet3sid[] = {
+    0x7B, 0x70, 0x01, 0x18, 0x5E, 0x25, 0x6D, 0x44,
+    0x93, 0x44, 0x5F, 0x39, 0xA5, 0x5F, 0xB9, 0x05,
+    0xE6, 0x32, 0x1F, 0x4B, 0x5D, 0xD8, 0xBB, 0xF3,
+    0x10, 0x0D, 0x51, 0xBA, 0x0B, 0xDA, 0x3D, 0x2D
+};
+const byte sshKdfTvSet3a[] = {
+    0x81, 0xF0, 0x33, 0x0E, 0xF6, 0xF0, 0x53, 0x61,
+    0xB3, 0x82, 0x3B, 0xFD, 0xED, 0x6E, 0x1D, 0xE9
+};
+const byte sshKdfTvSet3b[] = {
+    0x3F, 0x6F, 0xD2, 0x06, 0x5E, 0xEB, 0x2B, 0x0B,
+    0x1D, 0x93, 0x19, 0x5A, 0x1F, 0xED, 0x48, 0xA5
+};
+const byte sshKdfTvSet3c[] = {
+    0xC3, 0x54, 0x71, 0x03, 0x4E, 0x6F, 0xD6, 0x54,
+    0x76, 0x13, 0x17, 0x8E, 0x23, 0x43, 0x5F, 0x21
+};
+const byte sshKdfTvSet3d[] = {
+    0x7E, 0x9D, 0x79, 0x03, 0x20, 0x90, 0xD9, 0x9F,
+    0x98, 0xB0, 0x15, 0x63, 0x4D, 0xD9, 0xF4, 0x62
+};
+const byte sshKdfTvSet3e[] = {
+    0x24, 0xEE, 0x55, 0x9A, 0xD7, 0xCE, 0x71, 0x2B,
+    0x68, 0x5D, 0x0B, 0x22, 0x71, 0xE4, 0x43, 0xC1,
+    0x7A, 0xB1, 0xD1, 0xDC, 0xEB, 0x5A, 0x36, 0x05,
+    0x69, 0xD2, 0x5D, 0x5D, 0xC2, 0x43, 0x00, 0x2F
+};
+const byte sshKdfTvSet3f[] = {
+    0xC3, 0x41, 0x9C, 0x2B, 0x96, 0x62, 0x35, 0x86,
+    0x9D, 0x71, 0x4B, 0xA5, 0xAC, 0x48, 0xDD, 0xB7,
+    0xD9, 0xE3, 0x5C, 0x8C, 0x19, 0xAA, 0xC7, 0x34,
+    0x22, 0x33, 0x7A, 0x37, 0x34, 0x53, 0x60, 0x7E
+};
+
+static const SshKdfTestVector sshKdfTestVectors[] = {
+    {WC_HASH_TYPE_SHA256, 'A',
+        sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
+        sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
+        sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
+        sshKdfTvSet3a, sizeof(sshKdfTvSet3a)},
+    {WC_HASH_TYPE_SHA256, 'B',
+        sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
+        sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
+        sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
+        sshKdfTvSet3b, sizeof(sshKdfTvSet3b)},
+    {WC_HASH_TYPE_SHA256, 'C',
+        sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
+        sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
+        sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
+        sshKdfTvSet3c, sizeof(sshKdfTvSet3c)},
+    {WC_HASH_TYPE_SHA256, 'D',
+        sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
+        sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
+        sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
+        sshKdfTvSet3d, sizeof(sshKdfTvSet3d)},
+    {WC_HASH_TYPE_SHA256, 'E',
+        sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
+        sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
+        sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
+        sshKdfTvSet3e, sizeof(sshKdfTvSet3e)},
+    {WC_HASH_TYPE_SHA256, 'F',
+        sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
+        sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
+        sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
+        sshKdfTvSet3f, sizeof(sshKdfTvSet3f)},
+};
+
+
+int sshkdf_test(void)
+{
+    int result = 0;
+    word32 i;
+    word32 tc = sizeof(sshKdfTestVectors)/sizeof(SshKdfTestVector);
+    const SshKdfTestVector* tv = NULL;
+    byte cKey[32]; /* Greater of SHA256_DIGEST_SIZE and AES_BLOCK_SIZE */
+    /* sId - Session ID, eKey - Expected Key, cKey - Calculated Key */
+
+    for (i = 0, tv = sshKdfTestVectors; i < tc; i++, tv++) {
+        result = wc_SSH_KDF(tv->hashId, tv->keyId,
+                cKey, tv->expectedKeySz,
+                tv->k, tv->kSz, tv->h, tv->hSz,
+                tv->sessionId, tv->sessionIdSz);
+
+        if (result != 0) {
+            printf("KDF: Could not derive key.\n");
+            result = -101;
+        }
+        else {
+            if (memcmp(cKey, tv->expectedKey, tv->expectedKeySz) != 0) {
+                printf("KDF: Calculated Key does not match Expected Key.\n");
+                result = -102;
+            }
+        }
+
+        if (result != 0) break;
+    }
+
+    return result;
+}
+
+#endif /* WOLFSSL_WOLFSSH */
+
+
 #if defined(HAVE_ECC) && defined(HAVE_X963_KDF)
 
 WOLFSSL_TEST_SUBROUTINE int x963kdf_test(void)

wolfssl/internal.h

@@ -1362,9 +1362,6 @@ enum Misc {
     KEY_LABEL_SZ        = 13,  /* TLS key block expansion sz */
     PROTOCOL_LABEL_SZ   = 9,   /* Length of the protocol label */
     MAX_LABEL_SZ        = 34,  /* Maximum length of a label */
-    MAX_HKDF_LABEL_SZ   = OPAQUE16_LEN +
-                          OPAQUE8_LEN + PROTOCOL_LABEL_SZ + MAX_LABEL_SZ +
-                          OPAQUE8_LEN + WC_MAX_DIGEST_SIZE,
     MAX_REQUEST_SZ      = 256, /* Maximum cert req len (no auth yet */
     SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */
     TLS_MAX_PAD_SZ      = 255, /* Max padding in TLS */

wolfssl/wolfcrypt/des3.h

@@ -30,15 +30,15 @@
 
 #ifndef NO_DES3
 
-#if defined(HAVE_FIPS) && \
-    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
+        (HAVE_FIPS_VERSION == 2 || HAVE_FIPS_VERSION == 3)
     #include <wolfssl/wolfcrypt/fips.h>
 #endif /* HAVE_FIPS_VERSION >= 2 */
 
 #if defined(HAVE_FIPS) && \
-	(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
-/* included for fips @wc_fips */
-#include <cyassl/ctaocrypt/des3.h>
+        (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+    /* included for fips @wc_fips */
+    #include <cyassl/ctaocrypt/des3.h>
 #endif
 
 #ifdef __cplusplus
@@ -54,8 +54,8 @@ enum {
 
 
 /* avoid redefinition of structs */
-#if !defined(HAVE_FIPS) || \
-    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
+        (HAVE_FIPS_VERSION == 2 || HAVE_FIPS_VERSION == 3))
 
 #ifdef WOLFSSL_ASYNC_CRYPT
     #include <wolfssl/wolfcrypt/async.h>
@@ -117,7 +117,7 @@ struct Des3 {
     typedef struct Des3 Des3;
     #define WC_DES3_TYPE_DEFINED
 #endif
-#endif /* HAVE_FIPS */
+#endif /* HAVE_FIPS && HAVE_FIPS_VERSION >= 2 */
 
 
 WOLFSSL_API int  wc_Des_SetKey(Des* des, const byte* key,

wolfssl/wolfcrypt/dh.h

@@ -75,6 +75,7 @@ struct DhKey {
 #ifdef WOLFSSL_ASYNC_CRYPT
     WC_ASYNC_DEV asyncDev;
 #endif
+    int trustedGroup;
 };
 
 #ifndef WC_DH_TYPE_DEFINED

wolfssl/wolfcrypt/error-crypt.h

@@ -234,8 +234,13 @@ enum {
     PSS_SALTLEN_RECOVER_E=-273,  /* PSS slat length not recoverable */
     CHACHA_POLY_OVERFLOW =-274,  /* ChaCha20Poly1305 limit overflow */
     ASN_SELF_SIGNED_E   = -275,  /* ASN self-signed certificate error */
+    ECDSA_KAT_FIPS_E    = -276,  /* ECDSA KAT failure */
+    RSA_PAT_FIPS_E      = -277,  /* RSA Pairwise failure */
+    KDF_TLS12_KAT_FIPS_E = -278,  /* TLS12 KDF KAT failure */
+    KDF_TLS13_KAT_FIPS_E = -279,  /* TLS13 KDF KAT failure */
+    KDF_SSH_KAT_FIPS_E  = -280,  /* SSH KDF KAT failure */
 
-    WC_LAST_E           = -275,  /* Update this to indicate last error */
+    WC_LAST_E           = -280,  /* Update this to indicate last error */
     MIN_CODE_E          = -300   /* errors -101 - -299 */
 
     /* add new companion error id strings for any new error codes

wolfssl/wolfcrypt/fips_test.h

@@ -31,8 +31,41 @@
     extern "C" {
 #endif
 
-/* Known Answer Test string inputs are hex, internal */
-WOLFSSL_LOCAL int DoKnownAnswerTests(char*, int);
+enum FipsCastId {
+    FIPS_CAST_AES_CBC,
+    FIPS_CAST_AES_GCM,
+    FIPS_CAST_HMAC_SHA1,
+    FIPS_CAST_HMAC_SHA2_256,
+    FIPS_CAST_HMAC_SHA2_512,
+    FIPS_CAST_HMAC_SHA3_256,
+    FIPS_CAST_DRBG,
+    FIPS_CAST_RSA_SIGN_PKCS1v15,
+    FIPS_CAST_RSA_PAIRWISE,
+    FIPS_CAST_ECC_CDH,
+    FIPS_CAST_ECC_PRIMITIVE_Z,
+    FIPS_CAST_DH_PRIMITIVE_Z,
+    FIPS_CAST_ECDSA,
+    FIPS_CAST_ECDSA_PAIRWISE,
+    FIPS_CAST_ECDSA_SHA3_PAIRWISE,
+    FIPS_CAST_KDF_TLS12,
+    FIPS_CAST_KDF_TLS13,
+    FIPS_CAST_KDF_SSH,
+    FIPS_CAST_COUNT
+};
+
+enum FipsCastStateId {
+    FIPS_CAST_STATE_INIT,
+    FIPS_CAST_STATE_PROCESSING,
+    FIPS_CAST_STATE_SUCCESS,
+    FIPS_CAST_STATE_FAILURE
+};
+
+enum FipsModeId {
+    FIPS_MODE_INIT,
+    FIPS_MODE_NORMAL,
+    FIPS_MODE_DEGRADED,
+    FIPS_MODE_FAILED
+};
 
 
 /* FIPS failure callback */
@@ -50,6 +83,13 @@ WOLFSSL_API const char* wolfCrypt_GetCoreHash_fips(void);
     WOLFSSL_API int wolfCrypt_SetStatus_fips(int);
 #endif
 
+WOLFSSL_LOCAL int DoIntegrityTest(char*, int);
+WOLFSSL_LOCAL int DoPOST(char*, int);
+WOLFSSL_LOCAL int DoCAST(int);
+WOLFSSL_LOCAL int DoKnownAnswerTests(char*, int); /* FIPSv1 and FIPSv2 */
+
+WOLFSSL_API int wc_RunCast_fips(int);
+WOLFSSL_API int wc_GetCastStatus_fips(int);
 
 #ifdef __cplusplus
     } /* extern "C" */

wolfssl/wolfcrypt/hash.h

@@ -215,6 +215,10 @@ WOLFSSL_API int wc_Shake256Hash(const byte*, word32, byte*, word32);
 #endif
 #endif /* WOLFSSL_SHA3 */
 
+
+#if (defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))) || \
+    defined(HAVE_SELFTEST)
 enum max_prf {
 #ifdef HAVE_FFDHE_8192
     MAX_PRF_HALF        = 516, /* Maximum half secret len */
@@ -226,8 +230,11 @@ enum max_prf {
     MAX_PRF_LABSEED     = 128, /* Maximum label + seed len */
     MAX_PRF_DIG         = 224  /* Maximum digest len      */
 };
+#endif
+
+#if defined(WOLFSSL_HAVE_PRF) && ((defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 4))) || defined(HAVE_SELFTEST))
 
-#ifdef WOLFSSL_HAVE_PRF
 WOLFSSL_API int wc_PRF(byte* result, word32 resLen, const byte* secret,
                     word32 secLen, const byte* seed, word32 seedLen, int hash,
                     void* heap, int devId);

wolfssl/wolfcrypt/hmac.h

@@ -189,6 +189,38 @@ WOLFSSL_API int wolfSSL_GetHmacMaxSize(void);
 
 WOLFSSL_LOCAL int _InitHmac(Hmac* hmac, int type, void* heap);
 
+#if (!defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 4))) && \
+    !defined(HAVE_SELFTEST)
+enum max_prf {
+#ifdef HAVE_FFDHE_8192
+    MAX_PRF_HALF        = 516, /* Maximum half secret len */
+#elif defined(HAVE_FFDHE_6144)
+    MAX_PRF_HALF        = 388, /* Maximum half secret len */
+#else
+    MAX_PRF_HALF        = 260, /* Maximum half secret len */
+#endif
+    MAX_PRF_LABSEED     = 128, /* Maximum label + seed len */
+    MAX_PRF_DIG         = 224  /* Maximum digest len      */
+};
+#endif
+
+#if defined(WOLFSSL_HAVE_PRF) && ((!defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 4))) && \
+    !defined(HAVE_SELFTEST))
+
+WOLFSSL_API int wc_PRF(byte* result, word32 resLen, const byte* secret,
+                    word32 secLen, const byte* seed, word32 seedLen, int hash,
+                    void* heap, int devId);
+WOLFSSL_API int wc_PRF_TLSv1(byte* digest, word32 digLen, const byte* secret,
+                    word32 secLen, const byte* label, word32 labLen,
+                    const byte* seed, word32 seedLen, void* heap, int devId);
+WOLFSSL_API int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret,
+                    word32 secLen, const byte* label, word32 labLen,
+                    const byte* seed, word32 seedLen, int useAtLeastSha256,
+                    int hash_type, void* heap, int devId);
+#endif /* WOLFSSL_HAVE_PRF */
+
 #ifdef HAVE_HKDF
 
 WOLFSSL_API int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz,
@@ -202,8 +234,42 @@ WOLFSSL_API int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
                     const byte* info, word32 infoSz,
                     byte* out, word32 outSz);
 
+#if (!defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 4))) && \
+    !defined(HAVE_SELFTEST)
+
+enum {
+/*
+    MAX_HKDF_LABEL_SZ   = OPAQUE16_LEN +
+                          OPAQUE8_LEN + PROTOCOL_LABEL_SZ + MAX_LABEL_SZ +
+                          OPAQUE8_LEN + WC_MAX_DIGEST_SIZE
+*/
+    MAX_TLS13_HKDF_LABEL_SZ = 47 + WC_MAX_DIGEST_SIZE
+};
+
+WOLFSSL_API int wc_Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
+                             byte* ikm, int ikmLen, int digest);
+
+WOLFSSL_API int wc_Tls13_HKDF_Expand_Label(byte* okm, word32 okmLen,
+                             const byte* prk, word32 prkLen,
+                             const byte* protocol, word32 protocolLen,
+                             const byte* label, word32 labelLen,
+                             const byte* info, word32 infoLen,
+                             int digest);
+
+#endif /* HAVE_FIPS */
 #endif /* HAVE_HKDF */
 
+#ifdef WOLFSSL_WOLFSSH
+
+WOLFSSL_API int wc_SSH_KDF(byte hashId, byte keyId,
+        byte* key, word32 keySz,
+        const byte* k, word32 kSz,
+        const byte* h, word32 hSz,
+        const byte* sessionId, word32 sessionIdSz);
+
+#endif /* WOLFSSL_SSH */
+
 #ifdef __cplusplus
     } /* extern "C" */
 #endif

wolfssl/wolfcrypt/include.am

@@ -146,3 +146,11 @@ endif
 if BUILD_FIPS_RAND
 nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h
 endif
+
+if BUILD_FIPS_V3
+nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h
+endif
+
+if BUILD_FIPS_V4
+nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h
+endif