From 2b6dc31145d1521eb15cbb00dd2f98334a696ab5 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 12 Oct 2020 16:06:20 -0700 Subject: [PATCH] FIPS 140-3 1. Added enable option for FIPS 140-3 in configure script. 2. Modify DES3 source to disallow DES3 for the new option. 3. Added the new constants to fips_test.h. 4. Added some new test functions. 5. Added API for doing the POST. 6. Added a processing state for the CASTs. 7. Delete some unused prototypes from FIPS test API. --- configure.ac | 80 +++++++++++++++-------- fips-check.sh | 28 ++++++-- src/include.am | 117 ++++++++++++++++++++++++++++------ wolfcrypt/src/des3.c | 2 +- wolfssl/wolfcrypt/des3.h | 6 +- wolfssl/wolfcrypt/fips_test.h | 36 ++++++++++- wolfssl/wolfcrypt/include.am | 4 ++ 7 files changed, 220 insertions(+), 53 deletions(-) diff --git a/configure.ac b/configure.ac index 90229e422..d3b3450e6 100644 --- a/configure.ac +++ b/configure.ac @@ -174,7 +174,7 @@ ENABLED_CERTS="no" -# FIPS +# FIPS 140-2 AC_ARG_ENABLE([fips], [AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])], [ENABLED_FIPS=$enableval], @@ -190,7 +190,7 @@ AS_CASE([$ENABLED_FIPS], FIPS_VERSION="none" ENABLED_FIPS="no" ], - [rand|v1|v2],[ + [rand|v1|v2|v3],[ FIPS_VERSION="$ENABLED_FIPS" ENABLED_FIPS="yes" ], @@ -221,6 +221,13 @@ AS_CASE([$FIPS_VERSION], ] ) +# FIPS 140-3 +AC_ARG_ENABLE([fips-3], + [AS_HELP_STRING([--enable-fips-3],[Enable FIPS 140-3, Will NOT work w/o FIPS license (default: disabled)])], + [ENABLED_FIPS_3=$enableval], + [ENABLED_FIPS_3="no"]) +AS_IF([test "x$ENABLED_FIPS_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v3"]) + # Linux Kernel Module AC_ARG_ENABLE([linuxkm], [AS_HELP_STRING([--enable-linuxkm],[Enable Linux Kernel Module (default: disabled)])], 
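Review bot: The new `--enable-fips-3` block overwrites `FIPS_VERSION` unconditionally, so `--enable-fips=v2 --enable-fips-3` silently builds as v3 instead of being rejected. It also runs after the `AS_CASE([$FIPS_VERSION], ...)` that closes just above it, so whatever that case sets up per version (its body is outside the hunk) is skipped when v3 is selected this way. For a switch that selects a validated module, a conflicting request should stop configure, e.g. `AS_IF([test "x$ENABLED_FIPS_3" = "xyes" && test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" != "xv3"], [AC_MSG_ERROR([--enable-fips-3 conflicts with --enable-fips=$FIPS_VERSION])])` placed before the assignment. The `--enable-fips` help string in the first hunk still mentions only FIPS 140-2 although `v3` is now an accepted value.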
@@ -2938,6 +2945,33 @@ fi # FIPS AS_CASE([$FIPS_VERSION], + ["v3"], [ + AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=3 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" + ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no" + # Shake256 is a SHA-3 algorithm not in our FIPS algorithm list + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256" + AS_IF([test "x$ENABLED_AESCCM" != "xyes"], + [ENABLED_AESCCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"]) + AS_IF([test "x$ENABLED_RSAPSS" != "xyes"], + [ENABLED_RSAPSS="yes"; AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"]) + AS_IF([test "x$ENABLED_ECC" != "xyes"], + [ENABLED_ECC="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DWOLFSSL_VALIDATE_ECC_IMPORT" + AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])], + [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT"]) + AS_IF([test "x$ENABLED_AESCTR" != "xyes"], + [ENABLED_AESCTR="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_COUNTER"]) + AS_IF([test "x$ENABLED_CMAC" != "xyes"], + [ENABLED_CMAC="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC"]) + AS_IF([test "x$ENABLED_HKDF" != "xyes"], + [ENABLED_HKDF="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"]) + AS_IF([test "x$ENABLED_INTELASM" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) + AS_IF([test "x$ENABLED_SHA512" = "xno"], + [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"]) + AS_IF([test "x$ENABLED_AESGCM" = "xno"], + [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) + ], ["v2"],[ AS_IF([test "x$FIPS_READY" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=3"], 
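Review bot: `-DHAVE_FIPS_VERSION=3` in the new `v3` case is the same value the `v2` case already emits when `FIPS_READY` is `yes` (the context lines at the end of this hunk), so C code cannot tell a FIPS Ready build from a 140-3 build. That matters in this commit because the des3.c and des3.h hunks narrow their guards from `>= 2` to `== 2`: a FIPS Ready build now appears to take the version-3 preprocessor path there, while the `v2` case in the next hunk still forces `ENABLED_DES3="yes"`. Either give 140-3 its own discriminator or confirm that FIPS Ready is meant to follow the 140-3 rules, and say which in a comment on the `v3` case. The SHA-512 and AES-GCM prerequisites test `= "xno"` while the other prerequisites in this case test `!= "xyes"`; using `!= "xyes"` throughout means an unset variable is also force-enabled.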
@@ -2970,29 +3004,27 @@ AS_CASE([$FIPS_VERSION], AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"]) AS_IF([test "x$ENABLED_INTELASM" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) + AS_IF([test "x$ENABLED_SHA512" = "xno"], + [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"]) + AS_IF([test "x$ENABLED_AESGCM" = "xno"], + [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) + AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"]) ], ["rand"],[ AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2" ], ["v1"],[ AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS" + AS_IF([test "x$ENABLED_SHA512" = "xno"], + [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"]) + AS_IF([test "x$ENABLED_AESGCM" = "xno"], + [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) + AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"]) ]) AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno"], [AC_MSG_ERROR([FIPS requires Thread Local Storage])]) -AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$FIPS_VERSION" != "xrand"], -[ - # Force enable the prerequisites. - AS_IF([test "x$ENABLED_SHA512" = "xno"], - [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"]) - AS_IF([test "x$ENABLED_AESGCM" = "xno"], - [ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"]) - AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"]) -], -[ - AS_IF([test "x$ENABLED_FORTRESS" = "xyes"],[ENABLED_DES3="yes"]) -]) # SELFTEST @@ -3023,16 +3055,6 @@ AS_CASE([$SELFTEST_VERSION], AM_CFLAGS="$AM_CFLAGS -DHAVE_SELFTEST" ]) - - -# set POLY1305 default -POLY1305_DEFAULT=yes - -if test "x$ENABLED_FIPS" = "xyes" -then -POLY1305_DEFAULT=no -fi - # Set SHA-3 and SHAKE256 flags if test "$ENABLED_SHA3" = "yes" && test "$ENABLED_32BIT" = "no" 
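Review bot: Removing the old `AS_IF([test "x$ENABLED_FIPS" = "xyes" && ...` block also drops its else branch, `AS_IF([test "x$ENABLED_FORTRESS" = "xyes"],[ENABLED_DES3="yes"])`, which applied to non-FIPS and wolfRand builds and is not re-added anywhere in this hunk. If fortress builds still rely on DES3 being switched on here, this is an unrelated behaviour change riding along with the FIPS work; keep that line after the `AS_CASE`, or state in the commit message that the removal is intentional. The prerequisite lines are now pasted into the `v2` and `v1` cases as well, so a comment above their `ENABLED_DES3="yes"` lines such as `# v3 deliberately omits this: DES3 is disallowed for FIPS 140-3` would keep the asymmetry from being "fixed" later.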
@@ -3054,6 +3076,14 @@ then fi +# set POLY1305 default +POLY1305_DEFAULT=yes + +if test "x$ENABLED_FIPS" = "xyes" +then +POLY1305_DEFAULT=no +fi + # POLY1305 AC_ARG_ENABLE([poly1305], [AS_HELP_STRING([--enable-poly1305],[Enable wolfSSL POLY1305 support (default: enabled)])], @@ -6148,7 +6178,7 @@ AM_CONDITIONAL([BUILD_FIPS],[test "x$ENABLED_FIPS" = "xyes"]) AM_CONDITIONAL([BUILD_FIPS_V1],[test "x$FIPS_VERSION" = "xv1"]) AM_CONDITIONAL([BUILD_FIPS_V2],[test "x$FIPS_VERSION" = "xv2"]) AM_CONDITIONAL([BUILD_FIPS_RAND],[test "x$FIPS_VERSION" = "xrand"]) -AM_CONDITIONAL([BUILD_FIPS_READY],[test "x$FIPS_READY" = "xyes"]) +AM_CONDITIONAL([BUILD_FIPS_V3],[test "x$FIPS_VERSION" = "xv3"]) AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"]) AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) diff --git a/fips-check.sh b/fips-check.sh index 9e2aaa723..1b4c999fb 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -36,6 +36,7 @@ Platform is one of: stm32l4-v2 (FIPSv2, use for STM32L4) wolfrand solaris + linuxv3 (FIPS 140-3) Keep (default off) retains the XXX-fips-test temp dir for inspection. Example: @@ -265,6 +266,15 @@ solaris) FIPS_OPTION=v2 MAKE=gmake ;; +linuxv3) + FIPS_REPO='/Users/john/src/fips' + CRYPT_REPO='/Users/john/src/wolfssl' + CRYPT_INC_PATH='wolfssl/wolfcrypt' + CRYPT_SRC_PATH='wolfcrypt/src' + FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) + FIPS_INCS=( fips.h ) + FIPS_OPTION='v3' + ;; *) Usage exit 1 
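Review bot: `BUILD_FIPS_READY` is deleted in the `AM_CONDITIONAL` hunk rather than kept alongside the new `BUILD_FIPS_V3`, and the src/include.am hunks of this commit remove the `if BUILD_ARMASM` / `if BUILD_FIPS_READY` blocks that added the `port/arm/armv8-*` sources to the FIPS Ready list. As far as the visible hunks show, those files are now listed only under `BUILD_FIPS_V3` or under `!BUILD_FIPS_V2`, so a FIPS Ready build with ARM assembly, which configure runs with `FIPS_VERSION=v2`, appears to lose them. Any Makefile fragment outside this patch that still tests `BUILD_FIPS_READY` will also break once the conditional is gone. Consider keeping `AM_CONDITIONAL([BUILD_FIPS_READY],[test "x$FIPS_READY" = "xyes"])` and adding the V3 line next to it.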
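Review bot: The `linuxv3` case hard-codes `FIPS_REPO='/Users/john/src/fips'` and `CRYPT_REPO='/Users/john/src/wolfssl'`, one developer's local checkout paths, so on any other machine the script either fails or builds from whatever happens to sit at those paths. The case also sets no `FIPS_VERSION`, so nothing ties the check to a named revision of the FIPS sources. If a local override is wanted, take it from the environment and fail when it is missing, e.g. `FIPS_REPO="${FIPS_REPO:?set FIPS_REPO to the FIPS source repository}"`, and do the same for `CRYPT_REPO`. `FIPS_SRCS+=( ... )` appends while the neighbouring `FIPS_INCS=( fips.h )` assigns; if that difference is intended it deserves a one-line comment.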
@@ -319,20 +329,30 @@ then elif [ "x$FIPS_OPTION" == "xready" ] then echo "Don't need to copy anything in particular for FIPS Ready." +elif [ "x$FIPS_OPTION" == "xv3" ] +then + echo "Don't need to copy anything in particular for FIPS 140-3, yet." else echo "fips-check: Invalid FIPS option." exit 1 fi # clone the FIPS repository -if [ "x$FIPS_OPTION" != "xready" ] +if [ "x$FIPS_OPTION" = "xready" ] then - if ! $GIT clone --depth 1 -b $FIPS_VERSION $FIPS_REPO fips; then - echo "fips-check: Couldn't checkout the FIPS repository." + if ! $GIT clone --depth 1 $FIPS_REPO fips; then + echo "fips-check: Couldn't checkout the FIPS repository for FIPS Ready." + exit 1 + fi + FIPS_OPTION="v2" +elif test "x$FIPS_OPTION" = "xv3" +then + if ! $GIT clone $FIPS_REPO fips; then + echo "fips-check: Couldn't checkout the FIPS repository FIPS 140-3." exit 1 fi else - if ! $GIT clone --depth 1 $FIPS_REPO fips; then + if ! $GIT clone --depth 1 -b $FIPS_VERSION $FIPS_REPO fips; then echo "fips-check: Couldn't checkout the FIPS repository." exit 1 fi diff --git a/src/include.am b/src/include.am index ee6be660e..c96b59789 100644 --- a/src/include.am +++ b/src/include.am @@ -66,7 +66,7 @@ endif if BUILD_FIPS_V2 # FIPSv2 first file src_libwolfssl_la_SOURCES += \ - wolfcrypt/src/wolfcrypt_first.c + wolfcrypt/src/wolfcrypt_first.c src_libwolfssl_la_SOURCES += \ wolfcrypt/src/hmac.c \ @@ -83,11 +83,6 @@ endif if BUILD_AES src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c -if BUILD_ARMASM -if BUILD_FIPS_READY -src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c -endif -endif endif if BUILD_AESNI 
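Review bot: The new `v3` branch runs `$GIT clone $FIPS_REPO fips` with neither `-b $FIPS_VERSION` nor `--depth 1`, so the check builds whatever the repository's default branch points at on the day it runs. The result is not reproducible and cannot be tied to a reviewed revision, unlike the pinned clone in the final `else` branch of this hunk. Pin it the same way, `$GIT clone --depth 1 -b "$FIPS_VERSION" "$FIPS_REPO" fips`, and set `FIPS_VERSION` in the `linuxv3` case; quoting the expansions also keeps a path containing spaces from being split. The `ready` branch now rewrites `FIPS_OPTION="v2"` after cloning, which needs a comment because the code after this hunk presumably passes that value on to configure.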
@@ -105,24 +100,12 @@ if BUILD_SHA src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c endif -if BUILD_ARMASM -if BUILD_FIPS_READY -src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c -endif -endif if BUILD_INTELASM src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S endif if BUILD_SHA512 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c -if BUILD_ARMASM -if BUILD_FIPS_READY -src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512.c -src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512-asm.S -src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm.S -endif -endif if BUILD_INTELASM src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S endif 
@@ -159,6 +142,80 @@ src_libwolfssl_la_SOURCES += \ wolfcrypt/src/wolfcrypt_last.c endif BUILD_FIPS_RAND +if BUILD_FIPS_V3 +# FIPS 140-3 first file +src_libwolfssl_la_SOURCES += \ + wolfcrypt/src/wolfcrypt_first.c + +src_libwolfssl_la_SOURCES += \ + wolfcrypt/src/hmac.c \ + wolfcrypt/src/random.c \ + wolfcrypt/src/sha256.c + +if BUILD_RSA +src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c +endif + +if BUILD_ECC +src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c +endif + +if BUILD_AES +src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c +if BUILD_ARMASM +src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-aes.c +endif +endif + +if BUILD_AESNI +src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.S +if BUILD_INTELASM +src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S +endif +endif + +if BUILD_SHA +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c +endif + +if BUILD_ARMASM +src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c +endif +if BUILD_INTELASM +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S +endif + +if BUILD_SHA512 +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c +if BUILD_ARMASM +src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512.c +src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha512-asm.S +src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-32-sha512-asm.S +endif +if BUILD_INTELASM +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512_asm.S +endif +endif + +if BUILD_SHA3 +src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c +endif + +if BUILD_DH +src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c +endif + +if BUILD_CMAC +src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c +endif + +src_libwolfssl_la_SOURCES += wolfcrypt/src/fips.c \ + wolfcrypt/src/fips_test.c + +# fips last file +src_libwolfssl_la_SOURCES += wolfcrypt/src/wolfcrypt_last.c +endif + endif BUILD_FIPS # For wolfRand, exclude everything else. 
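Review bot: The `BUILD_FIPS_V3` list between `wolfcrypt_first.c` and `wolfcrypt_last.c` is a hand copy of the FIPSv2 list and has no comment saying what belongs in it or that its position between the first and last files matters. It pulls the `port/arm/armv8-*` files in under `BUILD_ARMASM` alone, where the v2 list gated them on `BUILD_FIPS_READY` until this commit removed those blocks. Every file named here must also be excluded by an `if !BUILD_FIPS_V3` guard in the general source list further down, otherwise it is listed twice or ends up outside the first/last pair. I would add a header comment such as `# FIPS 140-3 module sources: everything from wolfcrypt_first.c to wolfcrypt_last.c; keep in step with the !BUILD_FIPS_V3 guards below` and state whether the ARM assembly files are meant to be part of the module.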
@@ -168,9 +225,11 @@ if !BUILD_FIPS_RAND # For wolfRand, exclude just a couple files. # For old FIPS, keep the wolfCrypt versions of the # CtaoCrypt files included above. +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 src_libwolfssl_la_SOURCES += wolfcrypt/src/hmac.c endif +endif # CAVP self test if BUILD_SELFTEST @@ -185,12 +244,15 @@ src_libwolfssl_la_SOURCES += \ if !BUILD_FIPS_RAND +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_RNG src_libwolfssl_la_SOURCES += wolfcrypt/src/random.c endif endif +endif +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_ARMASM src_libwolfssl_la_SOURCES += wolfcrypt/src/port/arm/armv8-sha256.c @@ -201,6 +263,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sha256_asm.S endif endif endif +endif if BUILD_AFALG src_libwolfssl_la_SOURCES += wolfcrypt/src/port/af_alg/afalg_hash.c @@ -219,12 +282,14 @@ if BUILD_RSA if BUILD_FAST_RSA src_libwolfssl_la_SOURCES += wolfcrypt/user-crypto/src/rsa.c else +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c endif endif endif endif +endif if BUILD_RC2 src_libwolfssl_la_SOURCES += wolfcrypt/src/rc2.c @@ -260,6 +325,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/sp_cortexm.c endif endif +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_AES src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c @@ -271,12 +337,15 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/port/af_alg/afalg_aes.c endif endif endif +endif +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_CMAC src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c endif endif +endif if !BUILD_FIPS_V2 if BUILD_DES3 @@ -284,12 +353,15 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c endif endif +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_SHA src_libwolfssl_la_SOURCES += wolfcrypt/src/sha.c endif endif +endif +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_SHA512 if BUILD_ARMASM 
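Review bot: `wolfcrypt/src/des3.c` is the one block in these hunks left as plain `if !BUILD_FIPS_V2` / `if BUILD_DES3` without the new `if !BUILD_FIPS_V3` wrapper. That is only safe while `ENABLED_DES3` is still `no` when the `BUILD_DES3` conditional is evaluated. configure sets it to `no` in the `v3` case, but anything later in configure.ac that turns DES3 back on (not visible here) would put the ordinary DES3 source into a 140-3 build. Either add a comment on this block, `# not wrapped for V3 on purpose: configure forces ENABLED_DES3=no for FIPS 140-3`, or wrap it like its neighbours so the exclusion does not depend on ordering inside configure.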
@@ -304,12 +376,15 @@ endif endif endif endif +endif +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_SHA3 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c endif endif +endif endif !BUILD_FIPS_RAND @@ -331,11 +406,13 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c endif if !BUILD_FIPS_RAND +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_DH src_libwolfssl_la_SOURCES += wolfcrypt/src/dh.c endif endif +endif if BUILD_ASN src_libwolfssl_la_SOURCES += wolfcrypt/src/asn.c @@ -380,12 +457,14 @@ if BUILD_DSA src_libwolfssl_la_SOURCES += wolfcrypt/src/dsa.c endif +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_AESNI src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_asm.S src_libwolfssl_la_SOURCES += wolfcrypt/src/aes_gcm_asm.S endif endif +endif if BUILD_CAMELLIA src_libwolfssl_la_SOURCES += wolfcrypt/src/camellia.c @@ -440,11 +519,13 @@ if BUILD_SLOWMATH src_libwolfssl_la_SOURCES += wolfcrypt/src/integer.c endif +if !BUILD_FIPS_V3 if !BUILD_FIPS_V2 if BUILD_ECC src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c endif endif +endif if BUILD_CURVE25519 src_libwolfssl_la_SOURCES += wolfcrypt/src/curve25519.c diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c index a6548dc5d..de3d444b6 100644 --- a/wolfcrypt/src/des3.c +++ b/wolfcrypt/src/des3.c @@ -32,7 +32,7 @@ #ifndef NO_DES3 #if defined(HAVE_FIPS) && \ - defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2) /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ #define FIPS_NO_WRAPPERS diff --git a/wolfssl/wolfcrypt/des3.h b/wolfssl/wolfcrypt/des3.h index 705b59e63..b29ed99a0 100644 --- a/wolfssl/wolfcrypt/des3.h +++ b/wolfssl/wolfcrypt/des3.h 
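Review bot: With the des3.c guard narrowed to `HAVE_FIPS_VERSION == 2`, a version-3 build skips the `FIPS_NO_WRAPPERS` path and falls through to whatever follows in the file (outside this hunk), so DES3 stays out of a 140-3 build only if `NO_DES3` is defined. configure presumably arranges that through `ENABLED_DES3="no"`, but a build driven by a hand-written settings header gets no such protection. A compile-time stop directly after `#ifndef NO_DES3` makes the rule explicit: `#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 3)` / `#error "DES3 is not available with FIPS 140-3; define NO_DES3"` / `#endif`. It would also surface the FIPS Ready configuration, which configure builds with the same version value.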
@@ -31,12 +31,12 @@ #ifndef NO_DES3 #if defined(HAVE_FIPS) && \ - defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) + defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2) #include #endif /* HAVE_FIPS_VERSION >= 2 */ #if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) /* included for fips @wc_fips */ #include #endif @@ -55,7 +55,7 @@ enum { /* avoid redefinition of structs */ #if !defined(HAVE_FIPS) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2)) #ifdef WOLFSSL_ASYNC_CRYPT #include diff --git a/wolfssl/wolfcrypt/fips_test.h b/wolfssl/wolfcrypt/fips_test.h index a78b074c4..4ac07563a 100644 --- a/wolfssl/wolfcrypt/fips_test.h +++ b/wolfssl/wolfcrypt/fips_test.h @@ -31,8 +31,35 @@ extern "C" { #endif -/* Known Answer Test string inputs are hex, internal */ -WOLFSSL_LOCAL int DoKnownAnswerTests(char*, int); +enum FipsCastId { + FIPS_CAST_AES_CBC, + FIPS_CAST_AES_GCM, + FIPS_CAST_HMAC_SHA1, + FIPS_CAST_HMAC_SHA2_256, + FIPS_CAST_HMAC_SHA2_512, + FIPS_CAST_HMAC_SHA3_256, + FIPS_CAST_DRBG, + FIPS_CAST_RSA_SIGN_PKCS1v15, + FIPS_CAST_ECC_CDH, + FIPS_CAST_ECC_PRIMITIVE_Z, + FIPS_CAST_DH_PRIMITIVE_Z, + FIPS_CAST_ECDSA_PAIRWISE, + FIPS_CAST_COUNT +}; + +enum FipsCastStateId { + FIPS_CAST_STATE_INIT, + FIPS_CAST_STATE_PROCESSING, + FIPS_CAST_STATE_SUCCESS, + FIPS_CAST_STATE_FAILURE +}; + +enum FipsModeId { + FIPS_MODE_INIT, + FIPS_MODE_NORMAL, + FIPS_MODE_DEGRADED, + FIPS_MODE_FAILED +}; /* FIPS failure callback */ @@ -50,6 +77,11 @@ WOLFSSL_API const char* wolfCrypt_GetCoreHash_fips(void); WOLFSSL_API int wolfCrypt_SetStatus_fips(int); #endif +WOLFSSL_LOCAL int DoIntegrityTest(char*, int); +WOLFSSL_API int wc_GetCastStatus_fips(int); +WOLFSSL_LOCAL int DoPOST(char*, int); +WOLFSSL_LOCAL int DoCAST(int); + #ifdef __cplusplus } /* extern "C" */ 
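Review bot: The context line `#endif /* HAVE_FIPS_VERSION >= 2 */` in the first des3.h hunk still describes the old condition and should read `/* HAVE_FIPS_VERSION == 2 */`. In the second hunk the block under "avoid redefinition of structs" is now compiled only for non-FIPS or version-2 builds, so under version 3 the header declares nothing from that block (its contents lie outside the hunk). A comment there saying that 140-3 builds are expected to define `NO_DES3` would explain why no branch exists for them. The change on the `HAVE_FIPS_VERSION < 2` line is whitespace only.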
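Review bot: `wc_GetCastStatus_fips(int)` in fips_test.h is exported with `WOLFSSL_API` and, like `DoCAST(int)`, takes a bare `int` that presumably selects a test by `enum FipsCastId`, yet the header gives no parameter name, valid range or return convention. Because an application can pass any value, the definitions (not in this patch) need to reject anything outside `0 .. FIPS_CAST_COUNT - 1` before using it as an index. The prototype should carry that contract, e.g. `WOLFSSL_API int wc_GetCastStatus_fips(int type); /* type: enum FipsCastId; out-of-range ids are rejected */`, with the actual return values documented. One comment per enum would help too, noting that `FIPS_CAST_COUNT` is a count and not a test id, and what separates `FIPS_MODE_DEGRADED` from `FIPS_MODE_FAILED`. The new prototypes sit outside any `HAVE_FIPS_VERSION` check while `DoKnownAnswerTests` is removed for every version, so confirm that the older module sources no longer reference it.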
diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index 647714956..9ce0ebe15 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -146,3 +146,7 @@ endif if BUILD_FIPS_RAND nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h endif + +if BUILD_FIPS_V3 +nobase_include_HEADERS+= wolfssl/wolfcrypt/fips.h +endif