FIPS Revalidation

1. Bug fixes to AES-GCM. Separated out the internal and external IV set functions.
FIPS Revalidation
2018-03-22 15:50:54 -07:00 · 2018-03-22 15:50:54 -07:00 · 2018-03-22 15:50:54 -07:00 · 2018-03-22 15:50:54 -07:00 · 2018-03-22 15:50:54 -07:00 · 2018-03-22 15:50:54 -07:00
31 changed files with 1041 additions and 381 deletions
--- a/.gitignore
+++ b/.gitignore
@ -40,9 +40,10 @@ wolfssl-config
 cyassl.sublime*
 fips.h
 fips.c
-fipsv2.c
 fips_test.c
 fips
+wolfcrypt_first.c
+wolfcrypt_last.c
 selftest.c
 src/async.c
 wolfssl/async.h
--- a/autogen.sh
+++ b/autogen.sh
@ -18,7 +18,10 @@ if test -e .git; then
  # touch fips files for non fips distribution
  touch ./ctaocrypt/src/fips.c
  touch ./ctaocrypt/src/fips_test.c
-  touch ./wolfcrypt/src/fipsv2.c
+  touch ./wolfcrypt/src/fips.c
+  touch ./wolfcrypt/src/fips_test.c
+  touch ./wolfcrypt/src/wolfcrypt_first.c
+  touch ./wolfcrypt/src/wolfcrypt_last.c
  touch ./wolfssl/wolfcrypt/fips.h

  # touch CAVP selftest files for non-selftest distribution
--- a/configure.ac
+++ b/configure.ac
@ -1881,7 +1881,8 @@ fi
 AS_IF([test "x$ENABLED_CMAC" = "xyes"],
      [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"])

-AM_CONDITIONAL([BUILD_CMAC], [test "x$ENABLED_CMAC" = "xyes"])
+#AM_CONDITIONAL([BUILD_CMAC], [test "x$ENABLED_CMAC" = "xyes"])
+#moved to FIPS section


 # AES-XTS
@ -1981,17 +1982,30 @@ then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
    # Add the FIPS flag.
    AS_IF([test "x$FIPS_VERSION" = "xv2"],
-          [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN"
+          [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING"
           ENABLED_KEYGEN="yes"
+           ENABLED_SHA224="yes"
+           AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
+                 [ENABLED_AESCCM="yes"
+                  AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
           AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
-			     [ENABLED_RSAPSS="yes"
-				  AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
+                 [ENABLED_RSAPSS="yes"
+                  AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])
           AS_IF([test "x$ENABLED_ECC" != "xyes"],
-			     [ENABLED_ECC="yes"
-				  AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
+                 [ENABLED_ECC="yes"
+                  AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
                  AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
                        [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
-		  ])
+           AS_IF([test "x$ENABLED_AESCTR" != "xyes"],
+                 [ENABLED_AESCTR="yes"
+                  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"])
+           AS_IF([test "x$ENABLED_CMAC" != "xyes"],
+                 [ENABLED_CMAC="yes"
+                  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"])
+           AS_IF([test "x$ENABLED_HKDF" != "xyes"],
+                 [ENABLED_HKDF="yes"
+                  AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"])
+          ])
 else
    if test "x$ENABLED_FORTRESS" = "xyes"
    then
@ -2001,6 +2015,7 @@ fi

 AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"])
 AM_CONDITIONAL([BUILD_FIPS_V2], [test "x$FIPS_VERSION" = "xv2"])
+AM_CONDITIONAL([BUILD_CMAC], [test "x$ENABLED_CMAC" = "xyes"])

 # SELFTEST
 AC_ARG_ENABLE([selftest],
@ -2021,7 +2036,7 @@ AM_CONDITIONAL([BUILD_SELFTEST], [test "x$ENABLED_SELFTEST" = "xyes"])
 SHA224_DEFAULT=no
 if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64"
 then
-    if test "x$ENABLED_FIPS" = "xno"
+    if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2"
    then
        SHA224_DEFAULT=yes
    fi
@ -2046,7 +2061,7 @@ AM_CONDITIONAL([BUILD_SHA224], [test "x$ENABLED_SHA224" = "xyes"])
 SHA3_DEFAULT=no
 if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64"
 then
-    if test "x$ENABLED_FIPS" = "xno"
+    if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2"
    then
        SHA3_DEFAULT=yes
    fi
--- a/examples/server/server.c
+++ b/examples/server/server.c
@ -23,11 +23,11 @@
 #ifdef HAVE_CONFIG_H
    #include <config.h>
 #endif
-#include <cyassl/ssl.h> /* name change portability layer */
+#include <wolfssl/ssl.h> /* name change portability layer */

-#include <cyassl/ctaocrypt/settings.h>
+#include <wolfssl/wolfcrypt/settings.h>
 #ifdef HAVE_ECC
-    #include <cyassl/ctaocrypt/ecc.h>   /* ecc_fp_free */
+    #include <wolfssl/wolfcrypt/ecc.h>   /* wc_ecc_fp_free */
 #endif

 #if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
@ -39,10 +39,10 @@
        #include "wolfssl_MDK_ARM.h"
 #endif

-#include <cyassl/openssl/ssl.h>
-#include <cyassl/test.h>
-#ifdef CYASSL_DTLS
-    #include <cyassl/error-ssl.h>
+#include <wolfssl/openssl/ssl.h>
+#include <wolfssl/test.h>
+#ifdef WOLFSSL_DTLS
+    #include <wolfssl/error-ssl.h>
 #endif

 #include "examples/server/server.h"
@ -75,7 +75,7 @@ static const char webServerMsg[] =
 int runWithErrors = 0; /* Used with -x flag to run err_sys vs. print errors */


-#ifdef CYASSL_CALLBACKS
+#ifdef WOLFSSL_CALLBACKS
    Timeval srvTo;
    static int srvHandShakeCB(HandShakeInfo* info)
    {
@ -117,13 +117,13 @@ static void err_sys_ex(int out, const char* msg)

 static int NonBlockingSSL_Accept(SSL* ssl)
 {
-#ifndef CYASSL_CALLBACKS
+#ifndef WOLFSSL_CALLBACKS
    int ret = SSL_accept(ssl);
 #else
-    int ret = CyaSSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo);
+    int ret = SSL_accept_ex(ssl, srvHandShakeCB, srvTimeoutCB, srvTo);
 #endif
    int error = SSL_get_error(ssl, 0);
-    SOCKET_T sockfd = (SOCKET_T)CyaSSL_get_fd(ssl);
+    SOCKET_T sockfd = (SOCKET_T)SSL_get_fd(ssl);
    int select_ret = 0;

    while (ret != WOLFSSL_SUCCESS &&
@ -149,8 +149,8 @@ static int NonBlockingSSL_Accept(SSL* ssl)
        else
    #endif
        {
-        #ifdef CYASSL_DTLS
-            currTimeout = CyaSSL_dtls_get_current_timeout(ssl);
+        #ifdef WOLFSSL_DTLS
+            currTimeout = wolfSSL_dtls_get_current_timeout(ssl);
        #endif
            select_ret = tcp_select(sockfd, currTimeout);
        }
@ -163,17 +163,17 @@ static int NonBlockingSSL_Accept(SSL* ssl)
            #ifndef CYASSL_CALLBACKS
                ret = SSL_accept(ssl);
            #else
-                ret = CyaSSL_accept_ex(ssl,
+                ret = SSL_accept_ex(ssl,
                                    srvHandShakeCB, srvTimeoutCB, srvTo);
            #endif
            error = SSL_get_error(ssl, 0);
        }
-        else if (select_ret == TEST_TIMEOUT && !CyaSSL_dtls(ssl)) {
+        else if (select_ret == TEST_TIMEOUT && !wolfSSL_dtls(ssl)) {
            error = WOLFSSL_ERROR_WANT_READ;
        }
-    #ifdef CYASSL_DTLS
-        else if (select_ret == TEST_TIMEOUT && CyaSSL_dtls(ssl) &&
-                                            CyaSSL_dtls_got_timeout(ssl) >= 0) {
+    #ifdef WOLFSSL_DTLS
+        else if (select_ret == TEST_TIMEOUT && wolfSSL_dtls(ssl) &&
+                                        wolfSSL_dtls_got_timeout(ssl) >= 0) {
            error = WOLFSSL_ERROR_WANT_READ;
        }
    #endif
@ -283,7 +283,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int throughput)
 static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
 {
    int ret, err;
-    char buffer[CYASSL_MAX_ERROR_SZ];
+    char buffer[WOLFSSL_MAX_ERROR_SZ];

    /* Read data */
    do {
@ -299,7 +299,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
            }
            else
        #endif
-        #ifdef CYASSL_DTLS
+        #ifdef WOLFSSL_DTLS
            if (wolfSSL_dtls(ssl) && err == DECRYPT_ERROR) {
                printf("Dropped client's message due to a bad MAC\n");
            }
@ -321,7 +321,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
 static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
 {
    int ret, err;
-    char buffer[CYASSL_MAX_ERROR_SZ];
+    char buffer[WOLFSSL_MAX_ERROR_SZ];

    do {
        err = 0; /* reset error */
@ -346,10 +346,10 @@ static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)

 static void Usage(void)
 {
-    printf("server "    LIBCYASSL_VERSION_STRING
+    printf("server "    LIBWOLFSSL_VERSION_STRING
           " NOTE: All files relative to wolfSSL home dir\n");
    printf("-?          Help, print this usage\n");
-    printf("-p <num>    Port to listen on, not 0, default %d\n", yasslPort);
+    printf("-p <num>    Port to listen on, not 0, default %d\n", wolfSSLPort);
 #ifndef WOLFSSL_TLS13
    printf("-v <num>    SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n",
                                 SERVER_DEFAULT_VERSION);
@ -431,7 +431,7 @@ static void Usage(void)
 #endif
 }

-THREAD_RETURN CYASSL_THREAD server_test(void* args)
+THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 {
    SOCKET_T sockfd   = WOLFSSL_SOCKET_INVALID;
    SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID;
@ -514,7 +514,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #ifdef HAVE_WNR
    const char* wnrConfigFile = wnrConfig;
 #endif
-    char buffer[CYASSL_MAX_ERROR_SZ];
+    char buffer[WOLFSSL_MAX_ERROR_SZ];
 #ifdef WOLFSSL_TLS13
    int noPskDheKe = 0;
 #endif
@ -571,7 +571,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
    (void)mcastID;
    (void)useBadCert;

-#ifdef CYASSL_TIRTOS
+#ifdef WOLFSSL_TIRTOS
    fdOpenSession(Task_self());
 #endif

@ -913,7 +913,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
            break;
 #endif /* NO_TLS */

-#ifdef CYASSL_DTLS
+#ifdef WOLFSSL_DTLS
    #ifndef NO_OLD_TLS
        case -1:
            method = wolfDTLSv1_server_method_ex;
@ -972,7 +972,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
            err_sys_ex(runWithErrors, "server can't set cipher list 1");
    }

-#ifdef CYASSL_LEANPSK
+#ifdef WOLFSSL_LEANPSK
    if (!usePsk) {
        usePsk = 1;
    }
@ -985,7 +985,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #endif

    if (fewerPackets)
-        CyaSSL_CTX_set_group_messages(ctx);
+        wolfSSL_CTX_set_group_messages(ctx);

 #ifdef WOLFSSL_SCTP
    if (dtlsSCTP)
@ -1037,7 +1037,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)

 #ifdef HAVE_NTRU
    if (useNtruKey) {
-        if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
+        if (SSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey)
                                != WOLFSSL_SUCCESS)
            err_sys_ex(runWithErrors, "can't load ntru key file, "
                    "Please run from wolfSSL home dir");
@ -1093,7 +1093,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)

    if (useAnon) {
 #ifdef HAVE_ANON
-        CyaSSL_CTX_allow_anon_cipher(ctx);
+        wolfSSL_CTX_allow_anon_cipher(ctx);
        if (cipherList == NULL || (cipherList && useDefCipherList)) {
            if (SSL_CTX_set_cipher_list(ctx, "ADH-AES128-SHA") != WOLFSSL_SUCCESS)
                err_sys_ex(runWithErrors, "server can't set cipher list 4");
@ -1121,7 +1121,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
   }
 #endif

-#if defined(CYASSL_SNIFFER)
+#if defined(WOLFSSL_SNIFFER)
    /* don't use EDH, can't sniff tmp keys */
    if (cipherList == NULL) {
        if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS)
@ -1131,7 +1131,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)

 #ifdef HAVE_SNI
    if (sniHostName)
-        if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
+        if (wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName,
                    (word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS)
            err_sys_ex(runWithErrors, "UseSNI failed");
 #endif
@ -1237,25 +1237,25 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #endif
 #ifdef HAVE_CRL
 #ifdef HAVE_CRL_MONITOR
-        crlFlags = CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON;
+        crlFlags = WOLFSSL_CRL_MONITOR | WOLFSSL_CRL_START_MON;
 #endif
-        if (CyaSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS)
+        if (wolfSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS)
            err_sys_ex(runWithErrors, "unable to enable CRL");
-        if (CyaSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags)
+        if (wolfSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags)
                                                                 != WOLFSSL_SUCCESS)
            err_sys_ex(runWithErrors, "unable to load CRL");
-        if (CyaSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS)
+        if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS)
            err_sys_ex(runWithErrors, "unable to set CRL callback url");
 #endif
 #ifdef HAVE_OCSP
        if (useOcsp) {
            if (ocspUrl != NULL) {
-                CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
-                CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
-                                                        | CYASSL_OCSP_URL_OVERRIDE);
+                wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
+                wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE
+                                                   | WOLFSSL_OCSP_URL_OVERRIDE);
            }
            else
-                CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
+                wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE);
        }
 #endif
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
@ -1316,20 +1316,20 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
        if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL
                                                               || needDH == 1) {
            #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
-                CyaSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM);
+                wolfSSL_SetTmpDH_file(ssl, ourDhParam, WOLFSSL_FILETYPE_PEM);
            #elif !defined(NO_DH)
                SetDH(ssl);  /* repick suites with DHE, higher priority than PSK */
            #endif
        }

-#ifndef CYASSL_CALLBACKS
+#ifndef WOLFSSL_CALLBACKS
        if (nonBlocking) {
-            CyaSSL_set_using_nonblock(ssl, 1);
+            wolfSSL_set_using_nonblock(ssl, 1);
            tcp_set_nonblocking(&clientfd);
        }
 #endif

-#ifndef CYASSL_CALLBACKS
+#ifndef WOLFSSL_CALLBACKS
        if (nonBlocking) {
            ret = NonBlockingSSL_Accept(ssl);
        }
@ -1508,7 +1508,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)

 #if defined(WOLFSSL_MDK_SHELL) && defined(HAVE_MDK_RTX)
        os_dly_wait(500) ;
-#elif defined (CYASSL_TIRTOS)
+#elif defined (WOLFSSL_TIRTOS)
        Task_yield();
 #endif

@ -1560,10 +1560,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)

 #if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \
                            && defined(HAVE_THREAD_LS)
-    ecc_fp_free();  /* free per thread cache */
+    wc_ecc_fp_free();  /* free per thread cache */
 #endif

-#ifdef CYASSL_TIRTOS
+#ifdef WOLFSSL_TIRTOS
    fdCloseSession(Task_self());
 #endif

@ -1585,7 +1585,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
    (void) useNtruKey;
    (void) ourDhParam;
    (void) ourCert;
-#ifndef CYASSL_TIRTOS
+#ifndef WOLFSSL_TIRTOS
    return 0;
 #endif
 }
@ -1610,9 +1610,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
        InitTcpReady(&ready);

 #if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL)
-        CyaSSL_Debugging_ON();
+        wolfSSL_Debugging_ON();
 #endif
-        CyaSSL_Init();
+        wolfSSL_Init();
        ChangeToWolfRoot();

 #ifndef NO_WOLFSSL_SERVER
@ -1625,7 +1625,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
        printf("Server not compiled in!\n");
 #endif

-        CyaSSL_Cleanup();
+        wolfSSL_Cleanup();
        FreeTcpReady(&ready);

 #ifdef HAVE_WNR
--- a/fips-check.sh
+++ b/fips-check.sh
@ -11,58 +11,55 @@
 #
 #     $ ./fips-check [version] [keep]
 #
-#     - version: linux (default), ios, android, windows, freertos, linux-ecc
+#     - version: linux (default), ios, android, windows, freertos, linux-ecc, netbsd-selftest, linuxv2
 #
 #     - keep: (default off) XXX-fips-test temp dir around for inspection
 #

 function Usage() {
    echo "Usage: $0 [platform] [keep]"
-    echo "Where \"platform\" is one of linux (default), ios, android, windows, freertos, openrtos-3.9.2, linux-ecc, netbsd-selftest"
+    echo "Where \"platform\" is one of linux (default), ios, android, windows, freertos, openrtos-3.9.2, linux-ecc, netbsd-selftest, linuxv2"
    echo "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection"
 }

 LINUX_FIPS_VERSION=v3.2.6
 LINUX_FIPS_REPO=git@github.com:wolfSSL/fips.git
-LINUX_CTAO_VERSION=v3.2.6
-LINUX_CTAO_REPO=git@github.com:cyassl/cyassl.git
+LINUX_CRYPT_VERSION=v3.2.6
+LINUX_CRYPT_REPO=git@github.com:cyassl/cyassl.git

 LINUX_ECC_FIPS_VERSION=v3.10.3
 LINUX_ECC_FIPS_REPO=git@github.com:wolfSSL/fips.git
-LINUX_ECC_CTAO_VERSION=v3.2.6
-LINUX_ECC_CTAO_REPO=git@github.com:cyassl/cyassl.git
+LINUX_ECC_CRYPT_VERSION=v3.2.6
+LINUX_ECC_CRYPT_REPO=git@github.com:cyassl/cyassl.git
+
+LINUXV2_FIPS_VERSION=fipsv2
+LINUXV2_FIPS_REPO=git@github.com:ejohnstown/fips.git
+LINUXV2_CRYPT_VERSION=fipsv2

 IOS_FIPS_VERSION=v3.4.8a
 IOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
-IOS_CTAO_VERSION=v3.4.8.fips
-IOS_CTAO_REPO=git@github.com:cyassl/cyassl.git
+IOS_CRYPT_VERSION=v3.4.8.fips
+IOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git

 ANDROID_FIPS_VERSION=v3.5.0
 ANDROID_FIPS_REPO=git@github.com:wolfSSL/fips.git
-ANDROID_CTAO_VERSION=v3.5.0
-ANDROID_CTAO_REPO=git@github.com:cyassl/cyassl.git
+ANDROID_CRYPT_VERSION=v3.5.0
+ANDROID_CRYPT_REPO=git@github.com:cyassl/cyassl.git

 WINDOWS_FIPS_VERSION=v3.6.6
 WINDOWS_FIPS_REPO=git@github.com:wolfSSL/fips.git
-WINDOWS_CTAO_VERSION=v3.6.6
-WINDOWS_CTAO_REPO=git@github.com:cyassl/cyassl.git
+WINDOWS_CRYPT_VERSION=v3.6.6
+WINDOWS_CRYPT_REPO=git@github.com:cyassl/cyassl.git

 FREERTOS_FIPS_VERSION=v3.6.1-FreeRTOS
 FREERTOS_FIPS_REPO=git@github.com:wolfSSL/fips.git
-FREERTOS_CTAO_VERSION=v3.6.1
-FREERTOS_CTAO_REPO=git@github.com:cyassl/cyassl.git
+FREERTOS_CRYPT_VERSION=v3.6.1
+FREERTOS_CRYPT_REPO=git@github.com:cyassl/cyassl.git

 OPENRTOS_3_9_2_FIPS_VERSION=v3.9.2-OpenRTOS
 OPENRTOS_3_9_2_FIPS_REPO=git@github.com:wolfSSL/fips.git
-OPENRTOS_3_9_2_CTAO_VERSION=v3.6.1
-OPENRTOS_3_9_2_CTAO_REPO=git@github.com:cyassl/cyassl.git
-
-FIPS_SRCS=( fips.c fips_test.c )
-WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
-TEST_DIR=XXX-fips-test
-WC_INC_PATH=cyassl/ctaocrypt
-WC_SRC_PATH=ctaocrypt/src
-CAVP_SELFTEST_ONLY="no"
+OPENRTOS_3_9_2_CRYPT_VERSION=v3.6.1
+OPENRTOS_3_9_2_CRYPT_REPO=git@github.com:cyassl/cyassl.git

 # non-FIPS, CAVP only but pull in selftest
 # will reset above variables below in platform switch
@ -71,6 +68,13 @@ NETBSD_FIPS_REPO=git@github.com:wolfssl/fips.git
 NETBSD_CTAO_VERSION=v3.14.2
 NETBSD_CTAO_REPO=git@github.com:wolfssl/wolfssl.git

+FIPS_SRCS=( fips.c fips_test.c )
+WC_MODS=( aes des3 sha sha256 sha512 rsa hmac random )
+TEST_DIR=XXX-fips-test
+CRYPT_INC_PATH=cyassl/ctaocrypt
+CRYPT_SRC_PATH=ctaocrypt/src
+FIPS_OPTION=v1
+CAVP_SELFTEST_ONLY="no"

 if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi

@ -80,45 +84,56 @@ case $PLATFORM in
 ios)
  FIPS_VERSION=$IOS_FIPS_VERSION
  FIPS_REPO=$IOS_FIPS_REPO
-  CTAO_VERSION=$IOS_CTAO_VERSION
-  CTAO_REPO=$IOS_CTAO_REPO
+  CRYPT_VERSION=$IOS_CRYPT_VERSION
+  CRYPT_REPO=$IOS_CRYPT_REPO
  ;;
 android)
  FIPS_VERSION=$ANDROID_FIPS_VERSION
  FIPS_REPO=$ANDROID_FIPS_REPO
-  CTAO_VERSION=$ANDROID_CTAO_VERSION
-  CTAO_REPO=$ANDROID_CTAO_REPO
+  CRYPT_VERSION=$ANDROID_CRYPT_VERSION
+  CRYPT_REPO=$ANDROID_CRYPT_REPO
  ;;
 windows)
  FIPS_VERSION=$WINDOWS_FIPS_VERSION
  FIPS_REPO=$WINDOWS_FIPS_REPO
-  CTAO_VERSION=$WINDOWS_CTAO_VERSION
-  CTAO_REPO=$WINDOWS_CTAO_REPO
+  CRYPT_VERSION=$WINDOWS_CRYPT_VERSION
+  CRYPT_REPO=$WINDOWS_CRYPT_REPO
  ;;
 freertos)
  FIPS_VERSION=$FREERTOS_FIPS_VERSION
  FIPS_REPO=$FREERTOS_FIPS_REPO
-  CTAO_VERSION=$FREERTOS_CTAO_VERSION
-  CTAO_REPO=$FREERTOS_CTAO_REPO
+  CRYPT_VERSION=$FREERTOS_CRYPT_VERSION
+  CRYPT_REPO=$FREERTOS_CRYPT_REPO
  ;;
 openrtos-3.9.2)
  FIPS_VERSION=$OPENRTOS_3_9_2_FIPS_VERSION
  FIPS_REPO=$OPENRTOS_3_9_2_FIPS_REPO
-  CTAO_VERSION=$OPENRTOS_3_9_2_CTAO_VERSION
-  CTAO_REPO=$OPENRTOS_3_9_2_CTAO_REPO
+  CRYPT_VERSION=$OPENRTOS_3_9_2_CRYPT_VERSION
+  CRYPT_REPO=$OPENRTOS_3_9_2_CRYPT_REPO
  FIPS_CONFLICTS=( aes hmac random sha256 )
  ;;
 linux)
  FIPS_VERSION=$LINUX_FIPS_VERSION
  FIPS_REPO=$LINUX_FIPS_REPO
-  CTAO_VERSION=$LINUX_CTAO_VERSION
-  CTAO_REPO=$LINUX_CTAO_REPO
+  CRYPT_VERSION=$LINUX_CRYPT_VERSION
+  CRYPT_REPO=$LINUX_CRYPT_REPO
  ;;
 linux-ecc)
  FIPS_VERSION=$LINUX_ECC_FIPS_VERSION
  FIPS_REPO=$LINUX_ECC_FIPS_REPO
-  CTAO_VERSION=$LINUX_ECC_CTAO_VERSION
-  CTAO_REPO=$LINUX_ECC_CTAO_REPO
+  CRYPT_VERSION=$LINUX_ECC_CRYPT_VERSION
+  CRYPT_REPO=$LINUX_ECC_CRYPT_REPO
+  ;;
+linuxv2)
+  FIPS_VERSION=$LINUXV2_FIPS_VERSION
+  FIPS_REPO=$LINUXV2_FIPS_REPO
+  CRYPT_VERSION=$LINUXV2_CRYPT_VERSION
+  CRYPT_INC_PATH=wolfssl/wolfcrypt
+  CRYPT_SRC_PATH=wolfcrypt/src
+  WC_MODS+=( cmac dh )
+  FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
+  FIPS_INCS=( fips.h )
+  FIPS_OPTION=v2
  ;;
 netbsd-selftest)
  FIPS_VERSION=$NETBSD_FIPS_VERSION
@ -127,8 +142,8 @@ netbsd-selftest)
  CTAO_REPO=$NETBSD_CTAO_REPO
  FIPS_SRCS=( selftest.c )
  WC_MODS=( dh ecc rsa dsa aes sha sha256 sha512 hmac random )
-  WC_INC_PATH=wolfssl/wolfcrypt
-  WC_SRC_PATH=wolfcrypt/src
+  CRYPT_INC_PATH=wolfssl/wolfcrypt
+  CRYPT_SRC_PATH=wolfcrypt/src
  CAVP_SELFTEST_ONLY="yes"
  ;;
 *)
@ -141,24 +156,34 @@ git clone . $TEST_DIR

 pushd $TEST_DIR

-# make a clone of the last FIPS release tag
-git clone -b $CTAO_VERSION $CTAO_REPO old-tree
-[ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
-
-for MOD in ${WC_MODS[@]}
-do
-    cp old-tree/$WC_SRC_PATH/${MOD}.c $WC_SRC_PATH
-    cp old-tree/$WC_INC_PATH/${MOD}.h $WC_INC_PATH
-done
-
-# The following is temporary. We are using random.c from a separate release
-if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
+if [ "x$FIPS_OPTION" == "xv1" ];
 then
-    pushd old-tree
-    git checkout v3.6.0
-    popd
-    cp old-tree/$WC_SRC_PATH/random.c $WC_SRC_PATH
-    cp old-tree/$WC_INC_PATH/random.h $WC_INC_PATH
+    # make a clone of the last FIPS release tag
+    git clone -b $CRYPT_VERSION $CRYPT_REPO old-tree
+    [ $? -ne 0 ] && echo "\n\nCouldn't checkout the FIPS release.\n\n" && exit 1
+
+    for MOD in ${WC_MODS[@]}
+    do
+        cp old-tree/$CRYPT_SRC_PATH/${MOD}.c $CRYPT_SRC_PATH
+        cp old-tree/$CRYPT_INC_PATH/${MOD}.h $CRYPT_INC_PATH
+    done
+
+    if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
+    then
+        # We are using random.c from a separate release
+        pushd old-tree
+        git checkout v3.6.0
+        popd
+        cp old-tree/$CRYPT_SRC_PATH/random.c $CRYPT_SRC_PATH
+        cp old-tree/$CRYPT_INC_PATH/random.h $CRYPT_INC_PATH
+    fi
+else
+    git branch --track $CRYPT_VERSION origin/$CRYPT_VERSION
+    # Checkout the fips versions of the wolfCrypt files from the repo.
+    for MOD in ${WC_MODS[@]}
+    do
+        git checkout $CRYPT_VERSION -- $CRYPT_SRC_PATH/$MOD.c $CRYPT_INC_PATH/$MOD.h
+    done
 fi

 # clone the FIPS repository
@ -167,7 +192,12 @@ git clone -b $FIPS_VERSION $FIPS_REPO fips

 for SRC in ${FIPS_SRCS[@]}
 do
-    cp fips/$SRC $WC_SRC_PATH
+    cp fips/$SRC $CRYPT_SRC_PATH
+done
+
+for INC in ${FIPS_INCS[@]}
+do
+    cp fips/$INC $CRYPT_INC_PATH
 done

 # run the make test
@ -176,7 +206,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xyes" ];
 then
    ./configure --enable-selftest
 else
-    ./configure --enable-fips
+    ./configure --enable-fips=$FIPS_OPTION
 fi
 make
 [ $? -ne 0 ] && echo "\n\nMake failed. Debris left for analysis." && exit 1
@ -185,7 +215,7 @@ if [ "x$CAVP_SELFTEST_ONLY" == "xno" ];
 then
    NEWHASH=`./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p'`
    if [ -n "$NEWHASH" ]; then
-        sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $WC_SRC_PATH/fips_test.c
+        sed -i.bak "s/^\".*\";/\"${NEWHASH}\";/" $CRYPT_SRC_PATH/fips_test.c
        make clean
    fi
 fi
--- a/src/include.am
+++ b/src/include.am
@ -23,8 +23,9 @@ ipp_DATA = $(IPPLIBS)
 include_HEADERS+=$(IPPHEADERS)
 endif # BUILD_FAST_RSA

-# fips first  file
 if BUILD_FIPS
+if !BUILD_FIPS_V2
+# fips first  file
 src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_first.c

 src_libwolfssl_la_SOURCES += \
@ -33,16 +34,8 @@ src_libwolfssl_la_SOURCES += \
               ctaocrypt/src/sha256.c

 if BUILD_RSA
-if BUILD_FIPS_V2
-src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
-else
 src_libwolfssl_la_SOURCES += ctaocrypt/src/rsa.c
 endif
-endif
-
-if BUILD_ECC
-src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
-endif

 if BUILD_AES
 src_libwolfssl_la_SOURCES += ctaocrypt/src/aes.c
@ -61,11 +54,75 @@ src_libwolfssl_la_SOURCES += ctaocrypt/src/sha512.c
 endif

 src_libwolfssl_la_SOURCES += ctaocrypt/src/fips.c
-src_libwolfssl_la_SOURCES += wolfcrypt/src/fipsv2.c
 src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c

 # fips last file
 src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_last.c
+
+else
+
+# FIPSv2 first file
+src_libwolfssl_la_SOURCES += \
+			   wolfcrypt/src/wolfcrypt_first.c
+
+src_libwolfssl_la_SOURCES += \
+               wolfcrypt/src/hmac.c \
+               wolfcrypt/src/random.c \
+               wolfcrypt/src/sha256.c
+
+if BUILD_RSA
+src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
+endif
+
+if BUILD_ECC
+src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
+endif
+
+if BUILD_AES
+src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
+endif
+
+if BUILD_AESNI
+src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.s
+endif
+
+if BUILD_DES3
+src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
+endif
+
+if BUILD_SHA
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
+endif
+
+if BUILD_SHA512
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
+endif
+
+if BUILD_SHA3
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
+endif
+
+if BUILD_DH
+src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
+endif
+
+if BUILD_CMAC
+src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
+endif
+
+src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \
+                             wolfcrypt/src/fips_test.c
+
+# fips last file
+src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c
+endif
+endif
+
+# For FIPSV2, exclude the wolfCrypt files included above.
+# For old FIPS, keep the wolfCrypt versions of the
+# CtaoCrypt files included above.
+if !BUILD_FIPS_V2
+src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c
 endif

 # CAVP self test
@ -74,19 +131,22 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/selftest.c
 endif

 src_libwolfssl_la_SOURCES += \
-               wolfcrypt/src/hmac.c \
               wolfcrypt/src/hash.c \
               wolfcrypt/src/cpuid.c

+if !BUILD_FIPS_V2
 if BUILD_RNG
 src_libwolfssl_la_SOURCES += wolfcrypt/src/random.c
 endif
+endif

+if !BUILD_FIPS_V2
 if BUILD_ARMASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c
 else
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256.c
 endif
+endif

 if BUILD_WOLFEVENT
 src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfevent.c
@ -127,32 +187,44 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_int.c
 endif
 endif

+if !BUILD_FIPS_V2
 if BUILD_AES
 src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c
 if BUILD_ARMASM
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c
 endif
 endif
+endif

+if !BUILD_FIPS_V2
 if BUILD_CMAC
 src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
 endif
+endif

+if !BUILD_FIPS_V2
 if BUILD_DES3
 src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
 endif
+endif

+if !BUILD_FIPS_V2
 if BUILD_SHA
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c
 endif
+endif

+if !BUILD_FIPS_V2
 if BUILD_SHA512
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
 endif
+endif

+if !BUILD_FIPS_V2
 if BUILD_SHA3
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
 endif
+endif

 src_libwolfssl_la_SOURCES += \
               wolfcrypt/src/logging.c \
@ -166,9 +238,11 @@ if BUILD_MEMORY
 src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c
 endif

+if !BUILD_FIPS_V2
 if BUILD_DH
 src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c
 endif
+endif

 if BUILD_ASN
 src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c
@ -203,9 +277,11 @@ if BUILD_DSA
 src_libwolfssl_la_SOURCES += wolfcrypt/src/dsa.c
 endif

+if !BUILD_FIPS_V2
 if BUILD_AESNI
 src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.s
 endif
+endif

 if BUILD_CAMELLIA
 src_libwolfssl_la_SOURCES += wolfcrypt/src/camellia.c
@ -250,7 +326,7 @@ if BUILD_SLOWMATH
 src_libwolfssl_la_SOURCES += wolfcrypt/src/integer.c
 endif

-if !BUILD_FIPS
+if !BUILD_FIPS_V2
 if BUILD_ECC
 src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
 endif
--- a/tests/api.c
+++ b/tests/api.c
@ -8352,19 +8352,28 @@ static int test_wc_AesGcmEncryptDecrypt (void)
                    sizeof(vector), iv, sizeof(iv)/sizeof(byte),
                    resultT, sizeof(resultT) - 5, a, sizeof(a));
        }
-        if (gcmE == BAD_FUNC_ARG) {
-            gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
-                            sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT),
-                            a, sizeof(a));
-        }
-        #ifdef HAVE_FIPS
-            if (gcmE == BAD_FUNC_ARG) {
-                gcmE = 0;
-            } else {
-                gcmE = WOLFSSL_FATAL_ERROR;
-            }
-        #endif
-    } /* END wc_AesGcmEncrypt */
+
+		if (gcmE == BAD_FUNC_ARG) {
+			gcmE = 0;
+		} else {
+			gcmE = WOLFSSL_FATAL_ERROR;
+		}
+	}
+
+    /* This case is now considered good. Long IVs are now allowed.
+     * Except for the original FIPS release, it still has an upper
+     * bound on the IV length. */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+	if (gcmE == 0) {
+		gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
+						sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT),
+						a, sizeof(a));
+	}
+#else
+    (void)longIV;
+#endif /* Old FIPS */
+    /* END wc_AesGcmEncrypt */

    printf(resultFmt, gcmE == 0 ? passed : failed);
    if (gcmE != 0) {
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@ -28,12 +28,27 @@
 #include <wolfssl/wolfcrypt/error-crypt.h>

 #if !defined(NO_AES)
+
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$g")
+        #pragma const_seg(".fipsB$g")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/aes.h>
 #include <wolfssl/wolfcrypt/cpuid.h>


 /* fips wrapper calls, user can call direct */
-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
    int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv,
                              int dir)
    {
@ -172,10 +187,11 @@
    #endif /* HAVE_AESGCM */

    /* AES-CCM */
-    #ifdef HAVE_AESCCM
-        void wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
+    #if defined(HAVE_AESCCM) && \
+        defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+        int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
        {
-            AesCcmSetKey(aes, key, keySz);
+            return AesCcmSetKey(aes, key, keySz);
        }
        int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                                      const byte* nonce, word32 nonceSz,
@ -209,7 +225,7 @@
                    authTag, authTagSz, authIn, authInSz);
            }
        #endif /* HAVE_AES_DECRYPT */
-    #endif /* HAVE_AESCCM */
+    #endif /* HAVE_AESCCM && HAVE_FIPS_VERSION 2 */

    int  wc_AesInit(Aes* aes, void* h, int i)
    {
@ -227,7 +243,7 @@
            AesFree(aes); */
    }

-#else /* HAVE_FIPS */
+#else /* else build without fips, or for FIPS v2 */


 #if defined(WOLFSSL_TI_CRYPT)
@ -3315,20 +3331,42 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
 #endif /* WOLFSSL_AES_COUNTER */


-#ifdef HAVE_AESGCM
-
 /*
- * The IV for AES GCM, stored in struct Aes's member reg, is comprised of
- * three parts in order:
- *   1. The implicit IV. This is generated from the PRF using the shared
- *      secrets between endpoints. It is 4 bytes long.
- *   2. The explicit IV. This is set by the user of the AES. It needs to be
- *      unique for each call to encrypt. The explicit IV is shared with the
- *      other end of the transaction in the clear.
- *   3. The counter. Each block of data is encrypted with its own sequence
- *      number counter.
+ * The IV for AES GCM and CCM, stored in struct Aes's member reg, is comprised
+ * of two parts in order:
+ *   1. The fixed field which may be 0 or 4 bytes long. In TLS, this is set
+ *      to the implicit IV.
+ *   2. The explicit IV is generated by wolfCrypt. It needs to be managed
+ *      by wolfCrypt to ensure the IV is unique for each call to encrypt.
+ * The IV may be a 96-bit random value, or the 32-bit fixed value and a
+ * 64-bit set of 0 or random data. The final 32-bits of reg is used as a
+ * block counter during the encryption.
 */

+enum {
+    GCM_NONCE_MAX_SZ = 16, /* wolfCrypt's maximum nonce size allowed. */
+    GCM_NONCE_MID_SZ = 12, /* The usual default nonce size for AES-GCM. */
+    GCM_NONCE_MIN_SZ = 8,  /* wolfCrypt's minimum nonce size allowed. */
+    CCM_NONCE_MIN_SZ = 7,
+    CCM_NONCE_MAX_SZ = 13,
+    CTR_SZ   = 4,
+    AES_IV_FIXED_SZ = 4
+};
+
+#if (defined(HAVE_AESGCM) && !defined(WC_NO_RNG)) || defined(HAVE_AESCCM)
+static INLINE void IncCtr(byte* ctr, word32 ctrSz)
+{
+    int i;
+    for (i = ctrSz-1; i >= 0; i--) {
+        if (++ctr[i])
+            break;
+    }
+}
+#endif /* HAVE_AESGCM || HAVE_AESCCM */
+
+
+#ifdef HAVE_AESGCM
+
 #if defined(HAVE_COLDFIRE_SEC)
    #error "Coldfire SEC doesn't currently support AES-GCM mode"

@ -3337,11 +3375,6 @@ int wc_AesSetIV(Aes* aes, const byte* iv)

 #endif

-enum {
-    NONCE_SZ = 12,
-    CTR_SZ   = 4
-};
-
 #if !defined(FREESCALE_LTC_AES_GCM)
 static INLINE void IncrementGcmCounter(byte* inOutCtr)
 {
@ -7436,7 +7469,7 @@ int AES_GCM_encrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,

    ctr = counter;
    XMEMSET(initialCounter, 0, AES_BLOCK_SIZE);
-    if (ivSz == NONCE_SZ) {
+    if (ivSz == GCM_NONCE_MID_SZ) {
        XMEMCPY(initialCounter, iv, ivSz);
        initialCounter[AES_BLOCK_SIZE - 1] = 1;
    }
@ -7448,10 +7481,10 @@ int AES_GCM_encrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
 #ifdef WOLFSSL_PIC32MZ_CRYPT
    if (blocks) {
        /* use intitial IV for PIC32 HW, but don't use it below */
-        XMEMCPY(aes->reg, ctr, AES_BLOCK_SIZE);
+        XMEMCPY(aes->tmp, ctr, AES_BLOCK_SIZE);

        ret = wc_Pic32AesCrypt(
-            aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
+            aes->key, aes->keylen, aes->tmp, AES_BLOCK_SIZE,
            out, in, (blocks * AES_BLOCK_SIZE),
            PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM);
        if (ret != 0)
@ -7523,7 +7556,7 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                                                       defined(WOLFSSL_STM32F7))

    /* additional argument checks - STM32 HW only supports 12 byte IV */
-    if (ivSz != NONCE_SZ) {
+    if (ivSz != GCM_NONCE_MID_SZ) {
        return BAD_FUNC_ARG;
    }

@ -7664,7 +7697,7 @@ int  wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
    }

    /* additional argument checks - STM32 HW only supports 12 byte IV */
-    if (ivSz != NONCE_SZ) {
+    if (ivSz != GCM_NONCE_MID_SZ) {
        return BAD_FUNC_ARG;
    }

@ -7798,7 +7831,7 @@ int AES_GCM_decrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
    ctr = counter;

    XMEMSET(initialCounter, 0, AES_BLOCK_SIZE);
-    if (ivSz == NONCE_SZ) {
+    if (ivSz == GCM_NONCE_MID_SZ) {
        XMEMCPY(initialCounter, iv, ivSz);
        initialCounter[AES_BLOCK_SIZE - 1] = 1;
    }
@ -7819,10 +7852,10 @@ int AES_GCM_decrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
 #ifdef WOLFSSL_PIC32MZ_CRYPT
    if (blocks) {
        /* use intitial IV for PIC32 HW, but don't use it below */
-        XMEMCPY(aes->reg, ctr, AES_BLOCK_SIZE);
+        XMEMCPY(aes->tmp, ctr, AES_BLOCK_SIZE);

        ret = wc_Pic32AesCrypt(
-            aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
+            aes->key, aes->keylen, aes->tmp, AES_BLOCK_SIZE,
            out, in, (blocks * AES_BLOCK_SIZE),
            PIC32_DECRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM);
        if (ret != 0)
@ -7880,8 +7913,11 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 #endif

    /* argument checks */
-    if (aes == NULL || out == NULL || in == NULL || iv == NULL ||
-        authTag == NULL || authTagSz > AES_BLOCK_SIZE) {
+    /* If the sz is non-zero, both in and out must be set. If sz is 0,
+     * in and out are don't cares, as this is is the GMAC case. */
+    if (aes == NULL || iv == NULL || (sz != 0 && (in == NULL || out == NULL)) ||
+        authTag == NULL || authTagSz > AES_BLOCK_SIZE || authTagSz == 0) {
+
        return BAD_FUNC_ARG;
    }

@ -7955,6 +7991,159 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 #endif /* HAVE_AES_DECRYPT || HAVE_AESGCM_DECRYPT */
 #endif /* (WOLFSSL_XILINX_CRYPT) */

+
+#ifndef WC_NO_RNG
+
+int wc_AesGcmSetExtIV(Aes* aes, const byte* iv, word32 ivSz)
+{
+    int ret = 0;
+
+    if (aes == NULL || iv == NULL ||
+        (ivSz != GCM_NONCE_MIN_SZ && ivSz != GCM_NONCE_MID_SZ &&
+         ivSz != GCM_NONCE_MAX_SZ)) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        XMEMCPY((byte*)aes->reg, iv, ivSz);
+
+        /* If the IV is 96, allow for a 2^64 invocation counter.
+         * For any other size for the nonce, limit the invocation
+         * counter to 32-bits. (SP 800-38D 8.3) */
+        aes->invokeCtr[0] = 0;
+        aes->invokeCtr[1] = (ivSz == GCM_NONCE_MID_SZ) ? 0 : 0xFFFFFFFF;
+        aes->nonceSz = ivSz;
+    }
+
+    return ret;
+}
+
+
+int wc_AesGcmSetIV(Aes* aes, word32 ivSz,
+                   const byte* ivFixed, word32 ivFixedSz,
+                   WC_RNG* rng)
+{
+    int ret = 0;
+
+    if (aes == NULL || rng == NULL ||
+        (ivSz != GCM_NONCE_MIN_SZ && ivSz != GCM_NONCE_MID_SZ &&
+         ivSz != GCM_NONCE_MAX_SZ) ||
+        (ivFixed == NULL && ivFixedSz != 0) ||
+        (ivFixed != NULL && ivFixedSz != AES_IV_FIXED_SZ)) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        byte* iv = (byte*)aes->reg;
+
+        if (ivFixedSz)
+            XMEMCPY(iv, ivFixed, ivFixedSz);
+
+        ret = wc_RNG_GenerateBlock(rng, iv + ivFixedSz, ivSz - ivFixedSz);
+    }
+
+    if (ret == 0) {
+        /* If the IV is 96, allow for a 2^64 invocation counter.
+         * For any other size for the nonce, limit the invocation
+         * counter to 32-bits. (SP 800-38D 8.3) */
+        aes->invokeCtr[0] = 0;
+        aes->invokeCtr[1] = (ivSz == GCM_NONCE_MID_SZ) ? 0 : 0xFFFFFFFF;
+        aes->nonceSz = ivSz;
+    }
+
+    return ret;
+}
+
+
+int wc_AesGcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz,
+                        byte* ivOut, word32 ivOutSz,
+                        byte* authTag, word32 authTagSz,
+                        const byte* authIn, word32 authInSz)
+{
+    int ret = 0;
+
+    if (aes == NULL || (sz != 0 && (in == NULL || out == NULL)) ||
+        ivOut == NULL || ivOutSz != aes->nonceSz ||
+        (authIn == NULL && authInSz != 0)) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        aes->invokeCtr[0]++;
+        if (aes->invokeCtr[0] == 0) {
+            aes->invokeCtr[1]++;
+            if (aes->invokeCtr[1] == 0)
+                ret = AES_GCM_OVERFLOW_E;
+        }
+    }
+
+    if (ret == 0) {
+        ret = wc_AesGcmEncrypt(aes, out, in, sz,
+                               (byte*)aes->reg, ivOutSz,
+                               authTag, authTagSz,
+                               authIn, authInSz);
+        XMEMCPY(ivOut, aes->reg, ivOutSz);
+        IncCtr((byte*)aes->reg, ivOutSz);
+    }
+
+    return ret;
+}
+
+int wc_Gmac(const byte* key, word32 keySz, byte* iv, word32 ivSz,
+            const byte* authIn, word32 authInSz,
+            byte* authTag, word32 authTagSz, WC_RNG* rng)
+{
+    Aes aes;
+    int ret = 0;
+
+    if (key == NULL || iv == NULL || (authIn == NULL && authInSz != 0) ||
+        authTag == NULL || authTagSz == 0 || rng == NULL) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0)
+        ret = wc_AesGcmSetKey(&aes, key, keySz);
+    if (ret == 0)
+        ret = wc_AesGcmSetIV(&aes, ivSz, NULL, 0, rng);
+    if (ret == 0)
+        ret = wc_AesGcmEncrypt_ex(&aes, NULL, NULL, 0, iv, ivSz,
+                                  authTag, authTagSz, authIn, authInSz);
+    ForceZero(&aes, sizeof(aes));
+
+    return ret;
+}
+
+int wc_GmacVerify(const byte* key, word32 keySz,
+                  const byte* iv, word32 ivSz,
+                  const byte* authIn, word32 authInSz,
+                  const byte* authTag, word32 authTagSz)
+{
+    Aes aes;
+    int ret = 0;
+
+    if (key == NULL || iv == NULL || (authIn == NULL && authInSz != 0) ||
+        authTag == NULL || authTagSz == 0 || authTagSz > AES_BLOCK_SIZE) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0)
+        ret = wc_AesGcmSetKey(&aes, key, keySz);
+    if (ret == 0)
+        ret = wc_AesGcmDecrypt(&aes, NULL, NULL, 0, iv, ivSz,
+                                  authTag, authTagSz, authIn, authInSz);
+    ForceZero(&aes, sizeof(aes));
+
+    return ret;
+}
+
+#endif /* WC_NO_RNG */
+
+
 WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len)
 {
    if (gmac == NULL || key == NULL) {
@ -8286,7 +8475,72 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,

    return result;
 }
+
 #endif /* HAVE_AES_DECRYPT */
+
+#ifndef WC_NO_RNG
+
+int wc_AesCcmSetNonce(Aes* aes, const byte* nonce, word32 nonceSz)
+{
+    int ret = 0;
+
+    if (aes == NULL || nonce == NULL ||
+        nonceSz < CCM_NONCE_MIN_SZ || nonceSz > CCM_NONCE_MAX_SZ) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        XMEMCPY(aes->reg, nonce, nonceSz);
+        aes->nonceSz = nonceSz;
+
+        /* Invocation counter should be 2^61 */
+        aes->invokeCtr[0] = 0;
+        aes->invokeCtr[1] = 0xE0000000;
+    }
+
+    return ret;
+}
+
+
+int wc_AesCcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz,
+                        byte* ivOut, word32 ivOutSz,
+                        byte* authTag, word32 authTagSz,
+                        const byte* authIn, word32 authInSz)
+{
+    int ret = 0;
+
+    if (aes == NULL || out == NULL ||
+        (in == NULL && sz != 0) ||
+        ivOut == NULL ||
+        (authIn == NULL && authInSz != 0) ||
+        (ivOutSz != aes->nonceSz)) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        aes->invokeCtr[0]++;
+        if (aes->invokeCtr[0] == 0) {
+            aes->invokeCtr[1]++;
+            if (aes->invokeCtr[1] == 0)
+                ret = AES_CCM_OVERFLOW_E;
+        }
+    }
+
+    if (ret == 0) {
+        ret = wc_AesCcmEncrypt(aes, out, in, sz,
+                               (byte*)aes->reg, aes->nonceSz,
+                               authTag, authTagSz,
+                               authIn, authInSz);
+        XMEMCPY(ivOut, aes->reg, aes->nonceSz);
+        IncCtr((byte*)aes->reg, aes->nonceSz);
+    }
+
+    return ret;
+}
+
+#endif /* WC_NO_RNG */
 #endif /* software AES CCM */

 #endif /* HAVE_AESCCM */
--- a/wolfcrypt/src/cmac.c
+++ b/wolfcrypt/src/cmac.c
@ -28,6 +28,18 @@

 #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)

+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$n")
+        #pragma const_seg(".fipsB$n")
+    #endif
+#endif
+
 #ifdef NO_INLINE
    #include <wolfssl/wolfcrypt/misc.h>
 #else
@ -117,10 +129,10 @@ int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz)
 {
    const byte* subKey;

-    if (cmac == NULL || out == NULL)
+    if (cmac == NULL || out == NULL || outSz == NULL)
        return BAD_FUNC_ARG;

-    if (outSz != NULL && *outSz < AES_BLOCK_SIZE)
+    if (*outSz < WC_CMAC_TAG_MIN_SZ || *outSz > WC_CMAC_TAG_MAX_SZ)
        return BUFFER_E;

    if (cmac->bufferSz == AES_BLOCK_SIZE) {
@ -139,10 +151,10 @@ int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz)
    }
    xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE);
    xorbuf(cmac->buffer, subKey, AES_BLOCK_SIZE);
-    wc_AesEncryptDirect(&cmac->aes, out, cmac->buffer);
+    wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer);
+
+    XMEMCPY(out, cmac->digest, *outSz);

-    if (outSz != NULL)
-        *outSz = AES_BLOCK_SIZE;
    ForceZero(cmac, sizeof(Cmac));

    return 0;
--- a/wolfcrypt/src/des3.c
+++ b/wolfcrypt/src/des3.c
@ -31,10 +31,24 @@

 #ifndef NO_DES3

+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$i")
+        #pragma const_seg(".fipsB$i")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/des3.h>

 /* fips wrapper calls, user can call direct */
-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
    int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
    {
        return Des_SetKey(des, key, iv, dir);
@ -107,7 +121,7 @@
            Des3Free(des3); */
    }

-#else /* build without fips */
+#else /* else build without fips, or for FIPS v2 */


 #if defined(WOLFSSL_TI_CRYPT)
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@ -28,6 +28,18 @@

 #ifndef NO_DH

+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$m")
+        #pragma const_seg(".fipsB$m")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/dh.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
@ -524,7 +536,7 @@ int wc_InitDhKey(DhKey* key)
 }


-void wc_FreeDhKey(DhKey* key)
+int wc_FreeDhKey(DhKey* key)
 {
    if (key) {
        mp_clear(&key->p);
@ -535,6 +547,7 @@ void wc_FreeDhKey(DhKey* key)
        wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_DH);
    #endif
    }
+    return 0;
 }


--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@ -98,8 +98,8 @@ ECC Curve Sizes:
    #define FIPS_NO_WRAPPERS

 	#ifdef USE_WINDOWS_API
-		#pragma code_seg(".fipsA$e2")
-		#pragma const_seg(".fipsB$e2")
+		#pragma code_seg(".fipsA$f")
+		#pragma const_seg(".fipsB$f")
 	#endif
 #endif

--- a/wolfcrypt/src/error.c
+++ b/wolfcrypt/src/error.c
@ -458,6 +458,21 @@ const char* wc_GetErrorString(int error)
    case DH_KAT_FIPS_E:
        return "wolfcrypt FIPS DH Known Answer Test Failure";

+    case AESCCM_KAT_FIPS_E:
+        return "AESCCM Known Answer Test check FIPS error";
+
+    case SHA3_KAT_FIPS_E:
+        return "SHA-3 Known Answer Test check FIPS error";
+
+    case ECDHE_KAT_FIPS_E:
+        return "wolfcrypt FIPS ECDHE Known Answer Test Failure";
+
+    case AES_GCM_OVERFLOW_E:
+        return "AES-GCM invocation counter overflow";
+
+    case AES_CCM_OVERFLOW_E:
+        return "AES-CCM invocation counter overflow";
+
    default:
        return "unknown error number";

--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@ -29,6 +29,18 @@

 #ifndef NO_HMAC

+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$b")
+        #pragma const_seg(".fipsB$b")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/hmac.h>

 #ifdef NO_INLINE
@ -40,7 +52,10 @@


 /* fips wrapper calls, user can call direct */
-#ifdef HAVE_FIPS
+/* If building for old FIPS. */
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
    /* does init */
    int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 keySz)
    {
@ -101,10 +116,7 @@
        }
    #endif /* HAVE_HKDF */

-#else /* else build without fips */
-
-
-#include <wolfssl/wolfcrypt/error-crypt.h>
+#else /* else build without fips, or for new fips */


 int wc_HmacSizeByType(int type)
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@ -25,17 +25,34 @@
 #endif

 #include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>

 /* on HPUX 11 you may need to install /dev/random see
   http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I

 */

+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$c")
+        #pragma const_seg(".fipsB$c")
+    #endif
+#endif
+
+
 #include <wolfssl/wolfcrypt/random.h>
 #include <wolfssl/wolfcrypt/cpuid.h>


-#ifdef HAVE_FIPS
+/* If building for old FIPS. */
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
 int wc_GenerateSeed(OS_Seed* os, byte* seed, word32 sz)
 {
    return GenerateSeed(os, seed, sz);
@ -79,14 +96,13 @@ int wc_RNG_GenerateByte(WC_RNG* rng, byte* b)
    {
        return RNG_HealthTest_fips(reseed, entropyA, entropyASz,
                              entropyB, entropyBSz, output, outputSz);
-    }
+   }
 #endif /* HAVE_HASHDRBG */

-#else /* else build without fips */
+#else /* else build without fips, or for new fips */

 #ifndef WC_NO_RNG /* if not FIPS and RNG is disabled then do not compile */

-#include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/sha256.h>

 #ifdef NO_INLINE
--- a/wolfcrypt/src/sha.c
+++ b/wolfcrypt/src/sha.c
@ -28,11 +28,25 @@

 #if !defined(NO_SHA)

+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$j")
+        #pragma const_seg(".fipsB$j")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/sha.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>

 /* fips wrapper calls, user can call direct */
-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
    int wc_InitSha(wc_Sha* sha)
    {
        if (sha == NULL) {
@ -71,7 +85,7 @@
        /* Not supported in FIPS */
    }

-#else /* else build without fips */
+#else /* else build without fips, or for FIPS v2 */


 #if defined(WOLFSSL_TI_HASH)
--- a/wolfcrypt/src/sha256.c
+++ b/wolfcrypt/src/sha256.c
@ -30,12 +30,25 @@

 #if !defined(NO_SHA256) && !defined(WOLFSSL_ARMASM)

+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$d")
+        #pragma const_seg(".fipsB$d")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/sha256.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/cpuid.h>

 /* fips wrapper calls, user can call direct */
-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))

    int wc_InitSha256(wc_Sha256* sha)
    {
@ -79,7 +92,7 @@
        /* Not supported in FIPS */
    }

-#else /* else build without fips */
+#else /* else build without fips, or for FIPS v2 */


 #if defined(WOLFSSL_TI_HASH)
--- a/wolfcrypt/src/sha3.c
+++ b/wolfcrypt/src/sha3.c
@ -28,131 +28,21 @@

 #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT)

+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$l")
+        #pragma const_seg(".fipsB$l")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/sha3.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>

-/* fips wrapper calls, user can call direct */
-#ifdef HAVE_FIPS
-
-    int wc_InitSha3_224(Sha3* sha, void* heap, int devId)
-    {
-        (void)heap;
-        (void)devId;
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return InitSha3_224_fips(sha);
-    }
-    int wc_Sha3_224_Update(Sha3* sha, const byte* data, word32 len)
-    {
-        if (sha == NULL ||  (data == NULL && len > 0)) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_224_Update_fips(sha, data, len);
-    }
-    int wc_Sha3_224_Final(Sha3* sha, byte* out)
-    {
-        if (sha == NULL || out == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_224_Final_fips(sha, out);
-    }
-    void wc_Sha3_224_Free(Sha3* sha)
-    {
-        (void)sha;
-        /* Not supported in FIPS */
-    }
-
-    int wc_InitSha3_256(Sha3* sha, void* heap, int devId)
-    {
-        (void)heap;
-        (void)devId;
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return InitSha3_256_fips(sha);
-    }
-    int wc_Sha3_256_Update(Sha3* sha, const byte* data, word32 len)
-    {
-        if (sha == NULL ||  (data == NULL && len > 0)) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_256_Update_fips(sha, data, len);
-    }
-    int wc_Sha3_256_Final(Sha3* sha, byte* out)
-    {
-        if (sha == NULL || out == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_256_Final_fips(sha, out);
-    }
-    void wc_Sha3_256_Free(Sha3* sha)
-    {
-        (void)sha;
-        /* Not supported in FIPS */
-    }
-
-    int wc_InitSha3_384(Sha3* sha, void* heap, int devId)
-    {
-        (void)heap;
-        (void)devId;
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return InitSha3_384_fips(sha);
-    }
-    int wc_Sha3_384_Update(Sha3* sha, const byte* data, word32 len)
-    {
-        if (sha == NULL ||  (data == NULL && len > 0)) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_384_Update_fips(sha, data, len);
-    }
-    int wc_Sha3_384_Final(Sha3* sha, byte* out)
-    {
-        if (sha == NULL || out == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_384_Final_fips(sha, out);
-    }
-    void wc_Sha3_384_Free(Sha3* sha)
-    {
-        (void)sha;
-        /* Not supported in FIPS */
-    }
-
-    int wc_InitSha3_512(Sha3* sha, void* heap, int devId)
-    {
-        (void)heap;
-        (void)devId;
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return InitSha3_512_fips(sha);
-    }
-    int wc_Sha3_512_Update(Sha3* sha, const byte* data, word32 len)
-    {
-        if (sha == NULL ||  (data == NULL && len > 0)) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_512_Update_fips(sha, data, len);
-    }
-    int wc_Sha3_512_Final(Sha3* sha, byte* out)
-    {
-        if (sha == NULL || out == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_512_Final_fips(sha, out);
-    }
-    void wc_Sha3_512_Free(Sha3* sha)
-    {
-        (void)sha;
-        /* Not supported in FIPS */
-    }
-
-#else /* else build without fips */
-
-
 #ifdef NO_INLINE
    #include <wolfssl/wolfcrypt/misc.h>
 #else
@ -870,7 +760,7 @@ static void wc_Sha3Free(Sha3* sha3)
    wolfAsync_DevCtxFree(&sha3->asyncDev, WOLFSSL_ASYNC_MARKER_SHA3);
 #endif /* WOLFSSL_ASYNC_CRYPT */
 }
-#endif /* HAVE_FIPS */
+

 /* Copy the state of the SHA3 operation.
 *
--- a/wolfcrypt/src/sha512.c
+++ b/wolfcrypt/src/sha512.c
@ -27,6 +27,19 @@
 #include <wolfssl/wolfcrypt/settings.h>

 #ifdef WOLFSSL_SHA512
+
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$k")
+        #pragma const_seg(".fipsB$k")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/sha512.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/cpuid.h>
@ -37,7 +50,9 @@
 #endif

 /* fips wrapper calls, user can call direct */
-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
    int wc_InitSha512(wc_Sha512* sha)
    {
        if (sha == NULL) {
@ -115,7 +130,7 @@
        }
    #endif /* WOLFSSL_SHA384 || HAVE_AESGCM */

-#else /* else build without using fips */
+#else /* else build without fips, or for FIPS v2 */

 #include <wolfssl/wolfcrypt/logging.h>

--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -3336,21 +3336,21 @@ int hmac_sha3_test(void)

    const char* key[3] =
    {
+        "Jefe",
+
        "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
        "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",

-        "Jefe",
-
        "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
        "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
    };

    const char* input[3] =
    {
-        "Hi There",
-
        "what do ya want for nothing?",

+        "Hi There",
+
        "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
        "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
        "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
@ -3371,23 +3371,6 @@ int hmac_sha3_test(void)

    const char* output[12] =
    {
-        /* key = 0b..., input = Hi There */
-            /* HMAC-SHA3-224 */
-            "\x3b\x16\x54\x6b\xbc\x7b\xe2\x70\x6a\x03\x1d\xca\xfd\x56\x37\x3d"
-            "\x98\x84\x36\x76\x41\xd8\xc5\x9a\xf3\xc8\x60\xf7",
-            /* HMAC-SHA3-256 */
-            "\xba\x85\x19\x23\x10\xdf\xfa\x96\xe2\xa3\xa4\x0e\x69\x77\x43\x51"
-            "\x14\x0b\xb7\x18\x5e\x12\x02\xcd\xcc\x91\x75\x89\xf9\x5e\x16\xbb",
-            /* HMAC-SHA3-384 */
-            "\x68\xd2\xdc\xf7\xfd\x4d\xdd\x0a\x22\x40\xc8\xa4\x37\x30\x5f\x61"
-            "\xfb\x73\x34\xcf\xb5\xd0\x22\x6e\x1b\xc2\x7d\xc1\x0a\x2e\x72\x3a"
-            "\x20\xd3\x70\xb4\x77\x43\x13\x0e\x26\xac\x7e\x3d\x53\x28\x86\xbd",
-            /* HMAC-SHA3-512 */
-            "\xeb\x3f\xbd\x4b\x2e\xaa\xb8\xf5\xc5\x04\xbd\x3a\x41\x46\x5a\xac"
-            "\xec\x15\x77\x0a\x7c\xab\xac\x53\x1e\x48\x2f\x86\x0b\x5e\xc7\xba"
-            "\x47\xcc\xb2\xc6\xf2\xaf\xce\x8f\x88\xd2\x2b\x6d\xc6\x13\x80\xf2"
-            "\x3a\x66\x8f\xd3\x88\x8b\xb8\x05\x37\xc0\xa0\xb8\x64\x07\x68\x9e",
-
        /* key = jefe, input = what do ya want for nothing? */
            /* HMAC-SHA3-224 */
            "\x7f\xdb\x8d\xd8\x8b\xd2\xf6\x0d\x1b\x79\x86\x34\xad\x38\x68\x11"
@ -3405,6 +3388,23 @@ int hmac_sha3_test(void)
            "\x28\x7b\xae\xc9\x21\xfd\x7c\xa0\xee\x7a\x0c\x31\xd0\x22\xa9\x5e"
            "\x1f\xc9\x2b\xa9\xd7\x7d\xf8\x83\x96\x02\x75\xbe\xb4\xe6\x20\x24",

+        /* key = 0b..., input = Hi There */
+            /* HMAC-SHA3-224 */
+            "\x3b\x16\x54\x6b\xbc\x7b\xe2\x70\x6a\x03\x1d\xca\xfd\x56\x37\x3d"
+            "\x98\x84\x36\x76\x41\xd8\xc5\x9a\xf3\xc8\x60\xf7",
+            /* HMAC-SHA3-256 */
+            "\xba\x85\x19\x23\x10\xdf\xfa\x96\xe2\xa3\xa4\x0e\x69\x77\x43\x51"
+            "\x14\x0b\xb7\x18\x5e\x12\x02\xcd\xcc\x91\x75\x89\xf9\x5e\x16\xbb",
+            /* HMAC-SHA3-384 */
+            "\x68\xd2\xdc\xf7\xfd\x4d\xdd\x0a\x22\x40\xc8\xa4\x37\x30\x5f\x61"
+            "\xfb\x73\x34\xcf\xb5\xd0\x22\x6e\x1b\xc2\x7d\xc1\x0a\x2e\x72\x3a"
+            "\x20\xd3\x70\xb4\x77\x43\x13\x0e\x26\xac\x7e\x3d\x53\x28\x86\xbd",
+            /* HMAC-SHA3-512 */
+            "\xeb\x3f\xbd\x4b\x2e\xaa\xb8\xf5\xc5\x04\xbd\x3a\x41\x46\x5a\xac"
+            "\xec\x15\x77\x0a\x7c\xab\xac\x53\x1e\x48\x2f\x86\x0b\x5e\xc7\xba"
+            "\x47\xcc\xb2\xc6\xf2\xaf\xce\x8f\x88\xd2\x2b\x6d\xc6\x13\x80\xf2"
+            "\x3a\x66\x8f\xd3\x88\x8b\xb8\x05\x37\xc0\xa0\xb8\x64\x07\x68\x9e",
+
        /* key = aa..., output = dd... */
            /* HMAC-SHA3-224 */
            "\x67\x6c\xfc\x7d\x16\x15\x36\x38\x78\x03\x90\x69\x2b\xe1\x42\xd2"
@ -3423,11 +3423,16 @@ int hmac_sha3_test(void)
            "\xcb\x7b\x6e\x5a\xab\x7e\xa4\x2c\x66\x0f\x97\xfd\x85\x84\xbf\x03"
    };

-    int i, iMax = sizeof(input) / sizeof(input[0]),
+    int i = 0, iMax = sizeof(input) / sizeof(input[0]),
        j, jMax = sizeof(hashType) / sizeof(hashType[0]),
        ret;

-    for (i = 0; i < iMax; i++) {
+#ifdef HAVE_FIPS
+    /* FIPS requires a minimum length for HMAC keys, and "Jefe" is too
+     * short. Skip it in FIPS builds. */
+    i = 1;
+#endif
+    for (; i < iMax; i++) {
        for (j = 0; j < jMax; j++) {
            if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
                return -3114;
@ -6482,6 +6487,67 @@ int aesgcm_test(void)
        return -4325;
 #endif /* HAVE_AES_DECRYPT */
 #endif /* WOLFSSL_AES_256 */
+
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+    /* Test encrypt with internally generated IV */
+#ifndef WC_NO_RNG
+    {
+        WC_RNG rng;
+        byte randIV[12];
+
+        result = wc_InitRng(&rng);
+        if (result != 0)
+            return -8208;
+
+        XMEMSET(randIV, 0, sizeof(randIV));
+        XMEMSET(resultT, 0, sizeof(resultT));
+        XMEMSET(resultC, 0, sizeof(resultC));
+        XMEMSET(resultP, 0, sizeof(resultP));
+
+        wc_AesGcmSetKey(&enc, k1, sizeof(k1));
+        result = wc_AesGcmSetIV(&enc, sizeof(randIV), NULL, 0, &rng);
+        if (result != 0)
+            return -8213;
+
+        result = wc_AesGcmEncrypt_ex(&enc,
+                        resultC, p, sizeof(p),
+                        randIV, sizeof(randIV),
+                        resultT, sizeof(resultT),
+                        a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -8209;
+
+        /* Check the IV has been set. */
+        {
+            word32 i, ivSum = 0;
+
+            for (i = 0; i < sizeof(randIV); i++)
+                ivSum += randIV[i];
+            if (ivSum == 0)
+                return -8210;
+        }
+
+        result = wc_AesGcmDecrypt(&enc,
+                          resultP, resultC, sizeof(resultC),
+                          randIV, sizeof(randIV),
+                          resultT, sizeof(resultT),
+                          a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -8211;
+        if (XMEMCMP(p, resultP, sizeof(resultP)))
+            return -8212;
+        wc_FreeRng(&rng);
+    }
+#endif /* WC_NO_RNG */
+#endif
+
    wc_AesFree(&enc);

    return 0;
@ -6513,6 +6579,10 @@ int gmac_test(void)
        0xaa, 0x10, 0xf1, 0x6d, 0x22, 0x7d, 0xc4, 0x1b
    };

+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+	/* FIPS builds only allow 16-byte auth tags. */
+	/* This sample uses a 15-byte auth tag. */
    const byte k2[] =
    {
        0x40, 0xf7, 0xec, 0xb2, 0x52, 0x6d, 0xaa, 0xd4,
@ -6533,6 +6603,7 @@ int gmac_test(void)
        0xc6, 0x81, 0x79, 0x8e, 0x3d, 0xda, 0xb0, 0x9f,
        0x8d, 0x83, 0xb0, 0xbb, 0x14, 0xb6, 0x91
    };
+#endif

    byte tag[16];

@ -6543,12 +6614,56 @@ int gmac_test(void)
    if (XMEMCMP(t1, tag, sizeof(t1)) != 0)
        return -4400;

+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
    XMEMSET(tag, 0, sizeof(tag));
    wc_GmacSetKey(&gmac, k2, sizeof(k2));
    wc_GmacUpdate(&gmac, iv2, sizeof(iv2), a2, sizeof(a2), tag, sizeof(t2));
    if (XMEMCMP(t2, tag, sizeof(t2)) != 0)
        return -4401;

+#ifndef WC_NO_RNG
+    {
+        const byte badT[] =
+        {
+            0xde, 0xad, 0xbe, 0xef, 0x17, 0x2e, 0xd0, 0x43,
+            0xaa, 0x10, 0xf1, 0x6d, 0x22, 0x7d, 0xc4, 0x1b
+        };
+
+        WC_RNG rng;
+        byte iv[12];
+
+        #ifndef HAVE_FIPS
+            if (wc_InitRng_ex(&rng, HEAP_HINT, devId) != 0)
+                return -8214;
+        #else
+            if (wc_InitRng(&rng) != 0)
+                return -8214;
+        #endif
+
+        if (wc_GmacVerify(k1, sizeof(k1), iv1, sizeof(iv1), a1, sizeof(a1),
+                    t1, sizeof(t1)) != 0)
+            return -8215;
+        if (wc_GmacVerify(k1, sizeof(k1), iv1, sizeof(iv1), a1, sizeof(a1),
+                    badT, sizeof(badT)) != AES_GCM_AUTH_E)
+            return -8216;
+        if (wc_GmacVerify(k2, sizeof(k2), iv2, sizeof(iv2), a2, sizeof(a2),
+                    t2, sizeof(t2)) != 0)
+            return -8217;
+
+        XMEMSET(tag, 0, sizeof(tag));
+        XMEMSET(iv, 0, sizeof(iv));
+        if (wc_Gmac(k1, sizeof(k1), iv, sizeof(iv), a1, sizeof(a1),
+                    tag, sizeof(tag), &rng) != 0)
+            return -8218;
+        if (wc_GmacVerify(k1, sizeof(k1), iv, sizeof(iv), a1, sizeof(a1),
+                    tag, sizeof(tag)) != 0)
+            return -8219;
+        wc_FreeRng(&rng);
+    }
+#endif /* WC_NO_RNG */
+#endif /* HAVE_FIPS */
+
    return 0;
 }
 #endif /* WOLFSSL_AES_128 */
@ -6601,6 +6716,7 @@ int aesccm_test(void)
    byte t2[sizeof(t)];
    byte p2[sizeof(p)];
    byte c2[sizeof(c)];
+    byte iv2[sizeof(iv)];

    int result;

@ -6643,6 +6759,26 @@ int aesccm_test(void)
    if (XMEMCMP(p2, c2, sizeof(p2)))
        return -4507;

+    XMEMSET(&enc, 0, sizeof(Aes)); /* clear context */
+    XMEMSET(t2, 0, sizeof(t2));
+    XMEMSET(c2, 0, sizeof(c2));
+    XMEMSET(p2, 0, sizeof(p2));
+    XMEMSET(iv2, 0, sizeof(iv2));
+
+    if (wc_AesCcmSetKey(&enc, k, sizeof(k)) != 0)
+        return -8220;
+    if (wc_AesCcmSetNonce(&enc, iv, sizeof(iv)) != 0)
+        return -8221;
+    if (wc_AesCcmEncrypt_ex(&enc, c2, p, sizeof(c2), iv2, sizeof(iv2),
+                            t2, sizeof(t2), a, sizeof(a)) != 0)
+        return -8222;
+    if (XMEMCMP(iv, iv2, sizeof(iv2)))
+        return -8223;
+    if (XMEMCMP(c, c2, sizeof(c2)))
+        return -8224;
+    if (XMEMCMP(t, t2, sizeof(t2)))
+        return -8225;
+
    return 0;
 }
 #endif /* HAVE_AESCCM WOLFSSL_AES_128 */
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@ -31,8 +31,14 @@

 #ifndef NO_AES

+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
 /* included for fips @wc_fips */
-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 #include <cyassl/ctaocrypt/aes.h>
 #if defined(CYASSL_AES_COUNTER) && !defined(WOLFSSL_AES_COUNTER)
    #define WOLFSSL_AES_COUNTER
@ -42,7 +48,6 @@
 #endif
 #endif

-#ifndef HAVE_FIPS /* to avoid redefinition of macros */

 #ifdef WOLFSSL_AESNI

@ -52,17 +57,23 @@

 #endif /* WOLFSSL_AESNI */

+
 #ifdef WOLFSSL_XILINX_CRYPT
 #include "xsecure_aes.h"
 #endif

-#endif /* HAVE_FIPS */
+#if defined(HAVE_AESGCM) && !defined(WC_NO_RNG)
+    #include <wolfssl/wolfcrypt/random.h>
+#endif
+

 #ifdef __cplusplus
    extern "C" {
 #endif

-#ifndef HAVE_FIPS /* to avoid redefinition of structures */
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))

 #ifdef WOLFSSL_ASYNC_CRYPT
    #include <wolfssl/wolfcrypt/async.h>
@ -86,6 +97,10 @@ typedef struct Aes {
    ALIGN16 word32 reg[AES_BLOCK_SIZE / sizeof(word32)];      /* for CBC mode */
    ALIGN16 word32 tmp[AES_BLOCK_SIZE / sizeof(word32)];      /* same         */

+#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+    word32 invokeCtr[2];
+    word32 nonceSz;
+#endif
 #ifdef HAVE_AESGCM
    ALIGN16 byte H[AES_BLOCK_SIZE];
 #ifdef GCM_TABLE
@ -177,6 +192,7 @@ WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out,
 WOLFSSL_API int  wc_AesSetKeyDirect(Aes* aes, const byte* key, word32 len,
                                const byte* iv, int dir);
 #endif
+
 #ifdef HAVE_AESGCM
 #ifdef WOLFSSL_XILINX_CRYPT
 WOLFSSL_API int  wc_AesGcmSetKey_ex(Aes* aes, const byte* key, word32 len,
@ -194,10 +210,31 @@ WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out,
                                   const byte* authTag, word32 authTagSz,
                                   const byte* authIn, word32 authInSz);

+#ifndef WC_NO_RNG
+ WOLFSSL_API int  wc_AesGcmSetExtIV(Aes* aes, const byte* iv, word32 ivSz);
+ WOLFSSL_API int  wc_AesGcmSetIV(Aes* aes, word32 ivSz,
+                                   const byte* ivFixed, word32 ivFixedSz,
+                                   WC_RNG* rng);
+ WOLFSSL_API int  wc_AesGcmEncrypt_ex(Aes* aes, byte* out,
+                                   const byte* in, word32 sz,
+                                   byte* ivOut, word32 ivOutSz,
+                                   byte* authTag, word32 authTagSz,
+                                   const byte* authIn, word32 authInSz);
+#endif /* WC_NO_RNG */
+
 WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len);
 WOLFSSL_API int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
                               const byte* authIn, word32 authInSz,
                               byte* authTag, word32 authTagSz);
+#ifndef WC_NO_RNG
+ WOLFSSL_API int wc_Gmac(const byte* key, word32 keySz, byte* iv, word32 ivSz,
+                               const byte* authIn, word32 authInSz,
+                               byte* authTag, word32 authTagSz, WC_RNG* rng);
+ WOLFSSL_API int wc_GmacVerify(const byte* key, word32 keySz,
+                               const byte* iv, word32 ivSz,
+                               const byte* authIn, word32 authInSz,
+                               const byte* authTag, word32 authTagSz);
+#endif /* WC_NO_RNG */
 WOLFSSL_LOCAL void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c,
                               word32 cSz, byte* s, word32 sSz);
 #endif /* HAVE_AESGCM */
@ -213,6 +250,13 @@ WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out,
                                   const byte* nonce, word32 nonceSz,
                                   const byte* authTag, word32 authTagSz,
                                   const byte* authIn, word32 authInSz);
+ WOLFSSL_API int  wc_AesCcmSetNonce(Aes* aes,
+                                   const byte* nonce, word32 nonceSz);
+ WOLFSSL_API int  wc_AesCcmEncrypt_ex(Aes* aes, byte* out,
+                                   const byte* in, word32 sz,
+                                   byte* ivOut, word32 ivOutSz,
+                                   byte* authTag, word32 authTagSz,
+                                   const byte* authIn, word32 authInSz);
 #endif /* HAVE_AESCCM */
 #ifdef HAVE_AES_KEYWRAP
 WOLFSSL_API int  wc_AesKeyWrap(const byte* key, word32 keySz,
--- a/wolfssl/wolfcrypt/cmac.h
+++ b/wolfssl/wolfcrypt/cmac.h
@ -28,10 +28,19 @@

 #if !defined(NO_AES) && defined(WOLFSSL_CMAC)

+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
 #ifdef __cplusplus
    extern "C" {
 #endif

+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+
 typedef struct Cmac {
    Aes aes;
    byte buffer[AES_BLOCK_SIZE]; /* partially stored block */
@ -47,6 +56,10 @@ typedef enum CmacType {
    WC_CMAC_AES = 1
 } CmacType;

+#define WC_CMAC_TAG_MAX_SZ AES_BLOCK_SIZE
+#define WC_CMAC_TAG_MIN_SZ (AES_BLOCK_SIZE/4)
+
+#endif /* HAVE_FIPS */

 WOLFSSL_API
 int wc_InitCmac(Cmac* cmac,
--- a/wolfssl/wolfcrypt/des3.h
+++ b/wolfssl/wolfcrypt/des3.h
@ -30,7 +30,13 @@

 #ifndef NO_DES3

-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
+#if defined(HAVE_FIPS) && \
+	(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 /* included for fips @wc_fips */
 #include <cyassl/ctaocrypt/des3.h>
 #endif
@ -39,7 +45,9 @@
    extern "C" {
 #endif

-#ifndef HAVE_FIPS /* to avoid redefinition of macros */
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))

 #ifdef WOLFSSL_ASYNC_CRYPT
    #include <wolfssl/wolfcrypt/async.h>
--- a/wolfssl/wolfcrypt/dh.h
+++ b/wolfssl/wolfcrypt/dh.h
@ -30,6 +30,11 @@

 #ifndef NO_DH

+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
 #include <wolfssl/wolfcrypt/integer.h>
 #include <wolfssl/wolfcrypt/random.h>

@ -75,7 +80,7 @@ WOLFSSL_API const DhParams* wc_Dh_ffdhe8192_Get(void);

 WOLFSSL_API int wc_InitDhKey(DhKey* key);
 WOLFSSL_API int wc_InitDhKey_ex(DhKey* key, void* heap, int devId);
-WOLFSSL_API void wc_FreeDhKey(DhKey* key);
+WOLFSSL_API int wc_FreeDhKey(DhKey* key);

 WOLFSSL_API int wc_DhGenerateKeyPair(DhKey* key, WC_RNG* rng, byte* priv,
                                 word32* privSz, byte* pub, word32* pubSz);
--- a/wolfssl/wolfcrypt/error-crypt.h
+++ b/wolfssl/wolfcrypt/error-crypt.h
@ -204,8 +204,13 @@ enum {
    RSAPSS_PAT_FIPS_E   = -254,  /* RSA-PSS PAT failure */
    ECDSA_PAT_FIPS_E    = -255,  /* ECDSA PAT failure */
    DH_KAT_FIPS_E       = -256,  /* DH KAT failure */
+    AESCCM_KAT_FIPS_E   = -257,  /* AESCCM KAT failure */
+    SHA3_KAT_FIPS_E     = -258,  /* SHA-3 KAT failure */
+    ECDHE_KAT_FIPS_E    = -259,  /* ECDHE KAT failure */
+    AES_GCM_OVERFLOW_E  = -260,  /* AES-GCM invocation counter overflow. */
+    AES_CCM_OVERFLOW_E  = -261,  /* AES-CCM invocation counter overflow. */

-    WC_LAST_E           = -256,  /* Update this to indicate last error */
+    WC_LAST_E           = -261,  /* Update this to indicate last error */
    MIN_CODE_E          = -300   /* errors -101 - -299 */

    /* add new companion error id strings for any new error codes
--- a/wolfssl/wolfcrypt/hmac.h
+++ b/wolfssl/wolfcrypt/hmac.h
@ -30,17 +30,26 @@

 #include <wolfssl/wolfcrypt/hash.h>

-#ifdef HAVE_FIPS
-/* for fips */
+#if defined(HAVE_FIPS) && \
+	(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+/* for fips @wc_fips */
    #include <cyassl/ctaocrypt/hmac.h>
    #define WC_HMAC_BLOCK_SIZE HMAC_BLOCK_SIZE
 #endif


+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+	#include <wolfssl/wolfcrypt/fips.h>
+#endif
+
 #ifdef __cplusplus
    extern "C" {
 #endif
-#ifndef HAVE_FIPS
+
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))

 #ifdef WOLFSSL_ASYNC_CRYPT
    #include <wolfssl/wolfcrypt/async.h>
--- a/wolfssl/wolfcrypt/random.h
+++ b/wolfssl/wolfcrypt/random.h
@ -30,8 +30,14 @@

 #include <wolfssl/wolfcrypt/types.h>

-#ifdef HAVE_FIPS
-/* for fips @wc_fips */
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
+/* included for fips @wc_fips */
+#if defined(HAVE_FIPS) && \
+        (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 #include <cyassl/ctaocrypt/random.h>
 #endif

@ -70,7 +76,9 @@
 #endif


-#ifndef HAVE_FIPS /* avoid redefining structs and macros */
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))

 /* RNG supports the following sources (in order):
 * 1. CUSTOM_RAND_GENERATE_BLOCK: Defines name of function as RNG source and
@ -151,7 +159,7 @@ struct WC_RNG {
 #endif
 };

-#endif /* HAVE_FIPS */
+#endif /* NO FIPS or have FIPS v2*/

 /* NO_OLD_RNGNAME removes RNG struct name to prevent possible type conflicts,
 * can't be used with CTaoCrypt FIPS */
--- a/wolfssl/wolfcrypt/sha.h
+++ b/wolfssl/wolfcrypt/sha.h
@ -31,7 +31,13 @@

 #ifndef NO_SHA

-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
+#if defined(HAVE_FIPS) && \
+	(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 #define wc_Sha             Sha
 #define WC_SHA             SHA
 #define WC_SHA_BLOCK_SIZE  SHA_BLOCK_SIZE
@ -50,7 +56,9 @@
    extern "C" {
 #endif

-#ifndef HAVE_FIPS /* avoid redefining structs */
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))

 #ifdef WOLFSSL_MICROCHIP_PIC32MZ
    #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
--- a/wolfssl/wolfcrypt/sha256.h
+++ b/wolfssl/wolfcrypt/sha256.h
@ -33,7 +33,13 @@

 #ifndef NO_SHA256

-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
+#if defined(HAVE_FIPS) && \
+	(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
    #define wc_Sha256             Sha256
    #define WC_SHA256             SHA256
    #define WC_SHA256_BLOCK_SIZE  SHA256_BLOCK_SIZE
@ -61,7 +67,9 @@
    extern "C" {
 #endif

-#ifndef HAVE_FIPS /* avoid redefinition of structs */
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))

 #ifdef WOLFSSL_MICROCHIP_PIC32MZ
    #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
@ -148,7 +156,9 @@ WOLFSSL_API void wc_Sha256SizeSet(wc_Sha256*, word32);
 #endif

 #ifdef WOLFSSL_SHA224
-#ifndef HAVE_FIPS /* avoid redefinition of structs */
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))

 #ifndef NO_OLD_WC_NAMES
    #define Sha224             wc_Sha224
--- a/wolfssl/wolfcrypt/sha3.h
+++ b/wolfssl/wolfcrypt/sha3.h
@ -29,15 +29,13 @@

 #ifdef HAVE_FIPS
    /* for fips @wc_fips */
-    #include <cyassl/ctaocrypt/sha3.h>
+    #include <wolfssl/wolfcrypt/fips.h>
 #endif

 #ifdef __cplusplus
    extern "C" {
 #endif

-#ifndef HAVE_FIPS /* avoid redefinition of structs */
-
 #ifdef WOLFSSL_ASYNC_CRYPT
    #include <wolfssl/wolfcrypt/async.h>
 #endif
@ -75,7 +73,7 @@ enum {
    #include "wolfssl/wolfcrypt/port/xilinx/xil-sha3.h"
 #else
 /* Sha3 digest */
-typedef struct Sha3 {
+struct Sha3 {
    /* State data that is processed for each block. */
    word64 s[25];
    /* Unprocessed message data. */
@ -88,9 +86,13 @@ typedef struct Sha3 {
 #ifdef WOLFSSL_ASYNC_CRYPT
    WC_ASYNC_DEV asyncDev;
 #endif /* WOLFSSL_ASYNC_CRYPT */
-} Sha3;
+};
 #endif
-#endif /* HAVE_FIPS */
+#ifndef WC_SHA3_TYPE_DEFINED
+    typedef struct Sha3 Sha3;
+    #define WC_SHA3_TYPE_DEFINED
+#endif
+

 WOLFSSL_API int wc_InitSha3_224(Sha3*, void*, int);
 WOLFSSL_API int wc_Sha3_224_Update(Sha3*, const byte*, word32);
--- a/wolfssl/wolfcrypt/sha512.h
+++ b/wolfssl/wolfcrypt/sha512.h
@ -1,6 +1,6 @@
 /* sha512.h
 *
- * Copyright (C) 2006-2017 wolfSSL Inc.
+ * Copyright (C) 2006-2018 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
@ -31,8 +31,13 @@

 #ifdef WOLFSSL_SHA512

-/* for fips @wc_fips */
-#ifdef HAVE_FIPS
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
+#if defined(HAVE_FIPS) && \
+	(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
    #define wc_Sha512             Sha512
    #define WC_SHA512             SHA512
    #define WC_SHA512_BLOCK_SIZE  SHA512_BLOCK_SIZE
@ -50,6 +55,7 @@
    #if defined(WOLFSSL_SHA384)
        #define CYASSL_SHA384
    #endif
+	/* for fips @wc_fips */
    #include <cyassl/ctaocrypt/sha512.h>
 #endif

@ -57,7 +63,9 @@
    extern "C" {
 #endif

-#ifndef HAVE_FIPS /* avoid redefinition of structs */
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))

 #ifdef WOLFSSL_ASYNC_CRYPT
    #include <wolfssl/wolfcrypt/async.h>
@ -121,7 +129,9 @@ WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst);

 #if defined(WOLFSSL_SHA384)

-#ifndef HAVE_FIPS /* avoid redefinition of structs */
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))

 #ifndef NO_OLD_WC_NAMES
    #define Sha384             wc_Sha384
Author	SHA1	Message	Date
John Safranek	ce1e987650	FIPS Revalidation 1. Bug fixes to AES-GCM. Separated out the internal and external IV set functions.	2018-03-22 15:50:54 -07:00
John Safranek	b760430423	FIPS Revalidation 1. Updated the configure.ac to add in the RSA direct function to FIPS builds	2018-03-22 15:50:54 -07:00
John Safranek	6108540c7c	FIPS Revalidation 1. Add new APIs for AES-GCM so it can manage the IV per SP 800-38D. 2. Add new APIs for AES-CCM so it can manage the IV, similar to the behavior in AES-GCM. 3. Add new APIs for GMAC that use the new AES-GCM APIs.	2018-03-22 15:50:54 -07:00
John Safranek	b92b8222ed	Test Fixes 1. Added error code for ECDHE FIPS KAT failure.	2018-03-22 15:50:54 -07:00
John Safranek	369c2debde	Test Fixes 1. Removed redundant forward declaration of RsaKey from hmac.h. 2. Updated gitignore with the first and last files. 3. Updated autogen with touching the first and last files.	2018-03-22 15:50:54 -07:00
John Safranek	9d4de6908c	Test Fixes 1. AesGcmEncrypt_ex requires the RNG, remove function if RNG disabled. 2. Fix a couple function name changes in the example server. 3. Removed the old FIPS wrapping added to dh.h, was redundant. 4. Move include of random.h in the aes.h file. 5. Fix where ecc.c was being left out of old FIPS builds. 6. Exclude the AES-GCM internal IV test case when building without the RNG. 7. Fix api test where AES-GCM Encrypt was called with a too-long IV in old FIPS mode. Non-FIPS and new FIPS are allowed longer IVs.	2018-03-22 15:50:54 -07:00
John Safranek	84e36f012a	FIPS Revalidation 1. AES-GCM encrypt IV length allowed to be 8-bits.	2018-03-22 15:50:54 -07:00
John Safranek	cc02098760	FIPS Revalidation 1. Update the const data and code segment tags for the Windown builds.	2018-03-22 15:50:54 -07:00
John Safranek	e3ea7e1efc	FIPS Revalidation 1. Enabled ECC Cofactor DH for the FIPSv2 build. 2. Updated the wolfCrypt HMAC-SHA-3 test to leave out the set of test cases that use the four-byte key in FIPS mode.	2018-03-22 15:50:54 -07:00
John Safranek	a74e419446	FIPS Revalidation 1. Change to configure.ac to automatically enable HKDF in FIPSv2 builds.	2018-03-22 15:50:54 -07:00
John Safranek	85b3c9652a	FIPS Revalidation 1. Change to configure.ac to automatically enable AES-CTR in FIPSv2 builds. 2. Move the aes-ni asm file into the boundary if enabled. 3. Enable AES-ECB by default.	2018-03-22 15:50:54 -07:00
John Safranek	5c452f26d7	AES-GCM 1. Updated the wolfCrypt GMAC test to leave out the test case with the 15-byte tag when building for FIPS. 2. Replace tabs with spaces.	2018-03-22 15:50:54 -07:00
John Safranek	94835b2c1b	FIPS Revalidation 1. Updated CMAC to allow tag length from 4 to 16 bytes, inclusive.	2018-03-22 15:50:54 -07:00
John Safranek	675480adf9	FIPS Revalidation 1. Enable SHA-224 by default if building for FIPSv2.	2018-03-22 15:50:54 -07:00
John Safranek	2683fb29df	FIPS Revalidation 1. Added new AES-GCM Encrypt API for FIPS where the IV is generated internally. 2. Fix the AES-NI guard flags so it can be used when FIPS enabled.	2018-03-22 15:50:54 -07:00
John Safranek	80e589c7d9	FIPS Revalidation 1. Added CMAC to the boundary. 2. Added DHE to the boundary.	2018-03-22 15:50:54 -07:00
John Safranek	8576dc4a6c	FIPS Update 1. Moved the rest of the FIPS algorithms to FIPSv2. 2. Updated the fips-check and autogen scripts. 3. Updated the automake include for the crypto files. 4. Updated the example server to use the wolfSSL API and wolfSSL-based OpenSSL compatibility layer. 5. Added error code for the SHA-3 KAT. 6. Updated an test case in the API test for AES-GCM encrypt that is now considered a success case, but the FIPS mode was still treating as a failure.	2018-03-22 15:50:54 -07:00
John Safranek	c56c2ea8e4	FIPS Update 1. Move SHA-224 and SHA-256 into FIPSv2. 2. Move HMAC into FIPSv2. 3. Move Hash_DRBG into FIPSv2.	2018-03-22 15:50:54 -07:00
John Safranek	5cc93bdda4	FIPS Update 1. Add SHA-3 to the src/include.am so that it is always included in FIPSv2. 2. Tweak the SHA-3 header to follow the new FIPS pattern.	2018-03-22 15:50:54 -07:00
John Safranek	786c1ef956	AES-CCM FIPS 1. Add new error code for the AES-CCM FIPS KAT failure. 2. When enabling FIPSv2, force enable AES-CCM.	2018-03-22 15:50:53 -07:00