diff --git a/src/ssl.c b/src/ssl.c
index fb467f351..e3552ffcc 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -7562,6 +7562,8 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY(WOLFSSL_EVP_PKEY** out,
 #endif /* NO_DSA */
 #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL))
+ #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
+ (HAVE_FIPS_VERSION > 2))
 {
 DhKey dh;
 word32 keyIdx = 0;
@@ -7605,6 +7607,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY(WOLFSSL_EVP_PKEY** out,
 }
 wc_FreeDhKey(&dh);
 }
+ #endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
 #endif /* !NO_DH && (WOLFSSL_QT || OPENSSL_ALL) */
 return pkey;
@@ -7729,6 +7732,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out,
 break;
 #endif /* NO_DSA */
 #ifndef NO_DH
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 case EVP_PKEY_DH:
 local->ownDh = 1;
 local->dh = wolfSSL_DH_new();
@@ -7743,6 +7747,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out,
 return NULL;
 }
 break;
+#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
 #endif /* HAVE_DH */
 #endif /* WOLFSSL_QT || OPENSSL_ALL */
 default:
diff --git a/tests/api.c b/tests/api.c
index 4b71aaa02..42e740894 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -26640,6 +26640,7 @@ static void test_wolfSSL_PEM_write_DHparams(void)
 {
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
 #if defined(OPENSSL_EXTRA) && !defined(NO_DH) && !defined(NO_FILESYSTEM)
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 DH* dh;
 BIO* bio;
 XFILE fp;
@@ -26679,6 +26680,7 @@ tgZl96bcAGdru8OpQYP7x/rI4h5+rwA/kwIBAg==\n\
 XFCLOSE(fp);
 printf(resultFmt, passed);
+#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
 #endif /* OPENSSL_ALL || OPENSSL_QT */
 #endif
 }
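Review bot: The FIPS-version guard `!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))` is written by hand in the `wolfSSL_d2i_PUBKEY` hunk (indented, with a backslash continuation) and again in single-line form in the two `wolfSSL_d2i_PrivateKey` hunks, and the identical expression recurs through the tests/api.c and wolfcrypt/src/evp.c hunks. Defining it once as a helper macro in a shared header (name is the reviewer's suggestion, e.g. `WOLFSSL_FIPS_DH_AVAILABLE`) would keep the version threshold in one place so a later change to it cannot leave one site at the old value, and would remove the two formatting variants. In the `wolfSSL_d2i_PrivateKey` hunks, compiling out `case EVP_PKEY_DH:` means a caller passing `EVP_PKEY_DH` on a FIPS v2 build now reaches `default:`, whose body is outside the hunk; please confirm it fails closed (returns NULL) rather than treating the buffer as another key type. Both enclosing functions start and end outside the hunks.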
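Review bot: With the added guard, `test_wolfSSL_PEM_write_DHparams` compiles to an empty function on FIPS v2 builds and prints nothing, so a test log cannot distinguish "skipped" from "ran", and the same applies to every api.c test guarded this way in the later hunks (`test_wolfSSL_d2i_DHparams`, `test_wolfSSL_i2d_DHparams`, `test_wolfSSL_EVP_PKEY_set1_get1_DH`, `test_wolfSSL_EVP_PKEY_derive`, `test_wolfSSL_RSA_padding_add_PKCS1_PSS`, `test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS`). If api.c has a skipped-result marker alongside `resultFmt`/`passed`, an `#else` branch printing it would make the FIPS-v2 coverage gap visible in the run output. The new `#endif` comment is placed correctly, but the pre-existing `#endif /* OPENSSL_ALL || OPENSSL_QT */` directly below it closes the `OPENSSL_EXTRA && !NO_DH && !NO_FILESYSTEM` block, which is worth correcting while these comments are being touched. The middle of the function is outside the two hunks.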
@@ -27585,6 +27587,7 @@ static void test_wolfSSL_X509_PUBKEY_get(void)
 static void test_wolfSSL_d2i_DHparams()
 {
 #if !defined(NO_DH)
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 FILE* f = NULL;
 unsigned char buf[4096];
 const unsigned char* pt = buf;
@@ -27639,13 +27642,14 @@ static void test_wolfSSL_d2i_DHparams()
 DH_free(dh);
 printf(resultFmt, passed);
-
-#endif
+#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
+#endif /* !NO_DH */
 }
 static void test_wolfSSL_i2d_DHparams()
 {
 #if !defined(NO_DH)
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 FILE* f;
 unsigned char buf[4096];
 const unsigned char* pt = buf;
@@ -27698,6 +27702,7 @@ static void test_wolfSSL_i2d_DHparams()
 DH_free(dh);
 printf(resultFmt, passed);
+#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
 #endif
 }
@@ -27913,6 +27918,7 @@ static void test_wolfSSL_EVP_PKEY_set1_get1_EC_KEY (void)
 static void test_wolfSSL_EVP_PKEY_set1_get1_DH (void)
 {
 #if !defined(NO_DH)
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 DH *dh = NULL;
 DH *setDh = NULL;
 EVP_PKEY *pkey = NULL;
@@ -27955,6 +27961,7 @@ static void test_wolfSSL_EVP_PKEY_set1_get1_DH (void)
 DH_free(setDh);
 DH_free(dh);
 printf(resultFmt, passed);
+#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
 #endif /* NO_DH */
 } /* END test_EVP_PKEY_set1_get1_DH */
@@ -28858,6 +28865,7 @@ static void test_wolfSSL_OCSP_get0_info()
 static void test_wolfSSL_EVP_PKEY_derive(void)
 {
 #ifdef OPENSSL_ALL
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 EVP_PKEY_CTX *ctx;
 unsigned char *skey;
 size_t skeylen;
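Review bot: The bare `#endif` closing `#if !defined(NO_DH)` at the end of `test_wolfSSL_i2d_DHparams` (hunk `@@ -27698`) is left uncommented, while the sibling `test_wolfSSL_d2i_DHparams` hunk just above corrects its counterpart to `#endif /* !NO_DH */`; for consistency change it to `#endif /* !NO_DH */` too. The pre-existing `#endif /* NO_DH */` in `test_wolfSSL_EVP_PKEY_set1_get1_DH` names the negated condition and could take the same spelling. Comment-only points; nothing here changes behaviour.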
@@ -28904,13 +28912,15 @@ static void test_wolfSSL_EVP_PKEY_derive(void)
 EVP_PKEY_free(peerkey);
 EVP_PKEY_free(pkey);
 XFREE(skey, NULL, DYNAMIC_TYPE_OPENSSL);
-#endif
-#endif
+#endif /* HAVE_ECC */
+#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
+#endif /* OPENSSL_ALL */
 }
 static void test_wolfSSL_RSA_padding_add_PKCS1_PSS(void)
 {
 #if defined(OPENSSL_ALL) && defined(WC_RSA_PSS) && !defined(WC_NO_RNG)
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 RSA *rsa;
 const unsigned char *derBuf = client_key_der_2048;
 unsigned char em[256] = {0}; /* len = 2048/8 */
@@ -28926,7 +28936,8 @@ static void test_wolfSSL_RSA_padding_add_PKCS1_PSS(void)
 AssertIntEQ(RSA_verify_PKCS1_PSS(rsa, mHash, EVP_sha256(), em, -1), 1);
 RSA_free(rsa);
-#endif
+#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
+#endif /* OPENSSL_ALL && WC_RSA_PSS && !WC_NO_RNG*/
 }
 static void test_wolfSSL_EC_get_builtin_curves(void)
@@ -31315,6 +31326,7 @@ static void test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS()
 {
 /* Testing code used in dpp.c in hostap */
 #if defined(OPENSSL_ALL) && defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 EC_KEY *eckey;
 EVP_PKEY *key;
 size_t len;
@@ -31364,6 +31376,7 @@ static void test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS()
 EVP_PKEY_free(key);
 EC_KEY_free(eckey);
 DPP_BOOTSTRAPPING_KEY_free(bootstrap);
+#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
 #endif /* WOLFSSL_WPAS && HAVE_ECC && USE_CERT_BUFFERS_256 */
 }
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 76a29144c..39b6c5fcb 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -11505,7 +11505,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int with_header)
 return MEMORY_E;
 #endif
-#ifdef HAVE_SELFTEST
+#if defined(HAVE_SELFTEST) || defined(HAVE_FIPS)
 /* older version of ecc.c can not handle dp being NULL */
 if (key != NULL && key->dp == NULL) {
 ret = BAD_FUNC_ARG;
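Review bot: The new `#endif /* OPENSSL_ALL && WC_RSA_PSS && !WC_NO_RNG*/` in `test_wolfSSL_RSA_padding_add_PKCS1_PSS` is missing the space before `*/`; write `#endif /* OPENSSL_ALL && WC_RSA_PSS && !WC_NO_RNG */` to match the other comments added in this patch. In `test_wolfSSL_EVP_PKEY_derive` the new `#endif /* HAVE_ECC */` labels a conditional that opens outside the hunk, so the pairing cannot be checked from the diff alone. In `test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS` the pre-existing `#endif /* WOLFSSL_WPAS && HAVE_ECC && USE_CERT_BUFFERS_256 */` names `WOLFSSL_WPAS` although the visible `#if` tests `OPENSSL_ALL`, which is worth fixing while the neighbouring comment is added.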
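Review bot: The widened guard in `SetEccPublicKey` now enables the `key->dp == NULL` rejection for every `HAVE_FIPS` build, but the comment kept beneath it still reads `/* older version of ecc.c can not handle dp being NULL */`, which no longer explains why a FIPS build takes this path; extend it, e.g. `/* selftest and FIPS builds use an ecc.c that cannot handle dp being NULL */`. The same guard/comment pair is changed in `wc_EccPublicKeyToDer` in the next hunk and should get the same wording. Unlike the rest of the patch this guard is not bounded by `HAVE_FIPS_VERSION`; if a newer FIPS module's ecc.c does accept a NULL `dp` this is the place to relax it, but returning `BAD_FUNC_ARG` is the safe default. `SetEccPublicKey` starts and ends outside the hunk.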
@@ -11612,7 +11612,7 @@ int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen,
 infoSz += TRAILING_ZERO;
 }
-#ifdef HAVE_SELFTEST
+#if defined(HAVE_SELFTEST) || defined(HAVE_FIPS)
 /* older version of ecc.c can not handle dp being NULL */
 if (key != NULL && key->dp == NULL) {
 keySz = 1 + 2 * MAX_ECC_BYTES;
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index 6b73d87e1..9682adb4d 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -35,6 +35,19 @@
 #if defined(OPENSSL_EXTRA)
+#if !defined(HAVE_PKCS7) && \
+ ((defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
+ (HAVE_FIPS_VERSION >= 2)) || defined(HAVE_SELFTEST))
+enum {
+ /* In the event of fips cert 3389 or CAVP selftest build, these enums are
+ * not in aes.h for use with evp so enumerate it here outside the fips
+ * boundary */
+ GCM_NONCE_MID_SZ = 12, /* The usual default nonce size for AES-GCM. */
+ CCM_NONCE_MIN_SZ = 7,
+};
+#endif
+
+
 #include
 #include
@@ -5993,6 +6006,7 @@ WOLFSSL_DH* wolfSSL_EVP_PKEY_get0_DH(WOLFSSL_EVP_PKEY* key)
 return key->dh;
 }
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 WOLFSSL_DH* wolfSSL_EVP_PKEY_get1_DH(WOLFSSL_EVP_PKEY* key)
 {
 WOLFSSL_DH* local = NULL;
@@ -6026,6 +6040,7 @@ WOLFSSL_DH* wolfSSL_EVP_PKEY_get1_DH(WOLFSSL_EVP_PKEY* key)
 return local;
 }
+#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
 #endif /* NO_DH && NO_FILESYSTEM */
 int wolfSSL_EVP_PKEY_assign(WOLFSSL_EVP_PKEY *pkey, int type, void *key)
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 12beafc4c..f567f2b8c 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
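Review bot: The local `enum` in the evp.c `@@ -35` hunk defines `GCM_NONCE_MID_SZ` and `CCM_NONCE_MIN_SZ` whenever `HAVE_FIPS_VERSION >= 2` (or `HAVE_SELFTEST`) and `HAVE_PKCS7` is unset, whereas the rest of the patch treats `HAVE_FIPS_VERSION > 2` as a newer module; if the aes.h shipped with such a module already declares these enumerators this definition becomes a duplicate-enumerator compile error, so please confirm the threshold against each FIPS version's aes.h. The comment does not say why `HAVE_PKCS7` excludes the definition; presumably the PKCS7 header supplies the same names, and stating that would save the next reader a search, e.g. `/* pkcs7.h already supplies these names when HAVE_PKCS7 is set */` (verify). Style-wise the explanatory block comment sits inside the braces before the first enumerator; placing it above `enum {` and dropping the two trailing added blank lines would match the file's layout.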
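Review bot: Wrapping `wolfSSL_EVP_PKEY_get1_DH` in the FIPS-version guard (hunks `@@ -5993` and `@@ -6026`) removes a public symbol from FIPS v2 builds, and its prototype lives in a header outside this diff; if that declaration is not given the same guard, external callers still compile and only fail at link time. Please apply the matching `#if` to the declaration, or note in the commit why it is already covered. `test_wolfSSL_EVP_PKEY_set1_get1_DH` is guarded in tests/api.c, but other callers are not visible here. The pre-existing `#endif /* NO_DH && NO_FILESYSTEM */` next to the new `#endif` appears to describe the negated condition; worth checking while the comment beside it is added.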
@@ -24359,7 +24359,11 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
 #if !defined(NO_PWDBASED) && !defined(NO_AES) && \
 !defined(NO_SHA) && defined(WOLFSSL_AES_128)
- char password[] = "password";
+ #ifndef HAVE_FIPS
+ char password[] = "password"; /* NOTE: Password is too short for FIPS */
+ #else
+ char password[] = "passwordFIPS_MODE";
+ #endif
 byte salt[] = {
 0x12, 0x34, 0x56, 0x78, 0x78, 0x56, 0x34, 0x12
@@ -24914,7 +24918,11 @@ static int pkcs7authenveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
 #if !defined(NO_PWDBASED) && !defined(NO_AES) && defined(HAVE_AESGCM) && \
 !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+ #ifndef HAVE_FIPS
 char password[] = "password";
+ #else
+ char password[] = "passwordFIPS_MODE";
+ #endif
 byte salt[] = {
 0x12, 0x34, 0x56, 0x78, 0x78, 0x56, 0x34, 0x12
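Review bot: The FIPS branch `char password[] = "passwordFIPS_MODE";` in `pkcs7enveloped_run_vectors` carries no comment of its own, while `/* NOTE: Password is too short for FIPS */` sits on the non-FIPS line, which reads as if that build were the problem; a comment on the `#ifndef HAVE_FIPS` such as `/* FIPS enforces a minimum PBKDF password length; use a longer one there */` would document the intent for both branches. The same change in `pkcs7authenveloped_run_vectors` in the next hunk has no comment at all and should get the same one. If the minimum length is a named constant in the FIPS headers, citing it in the comment (or sizing the test password from it) would keep the test from silently falling below the threshold again. `pkcs7enveloped_run_vectors` starts and ends outside the hunk.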