FIPS Update

1. Add SHA-3 to the src/include.am so that it is always included in FIPSv2.
2. Tweak the SHA-3 header to follow the new FIPS pattern.

configure.ac

@@ -2049,7 +2049,7 @@ AM_CONDITIONAL([BUILD_SHA224], [test "x$ENABLED_SHA224" = "xyes"])
 SHA3_DEFAULT=no
 if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64"
 then
-    if test "x$ENABLED_FIPS" = "xno"
+    if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2"
     then
         SHA3_DEFAULT=yes
     fi

src/include.am

@@ -60,6 +60,10 @@ if BUILD_SHA512
 src_libwolfssl_la_SOURCES += ctaocrypt/src/sha512.c
 endif
 
+if BUILD_FIPS_V2
+src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
+endif
+
 src_libwolfssl_la_SOURCES += ctaocrypt/src/fips.c
 src_libwolfssl_la_SOURCES += wolfcrypt/src/fipsv2.c
 src_libwolfssl_la_SOURCES += ctaocrypt/src/fips_test.c
@@ -150,9 +154,11 @@ if BUILD_SHA512
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha512.c
 endif
 
+if !BUILD_FIPS_V2
 if BUILD_SHA3
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sha3.c
 endif
+endif
 
 src_libwolfssl_la_SOURCES += \
                wolfcrypt/src/logging.c \

wolfcrypt/src/sha3.c

@@ -31,128 +31,6 @@
 #include <wolfssl/wolfcrypt/sha3.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 
-/* fips wrapper calls, user can call direct */
-#ifdef HAVE_FIPS
-
-    int wc_InitSha3_224(Sha3* sha, void* heap, int devId)
-    {
-        (void)heap;
-        (void)devId;
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return InitSha3_224_fips(sha);
-    }
-    int wc_Sha3_224_Update(Sha3* sha, const byte* data, word32 len)
-    {
-        if (sha == NULL ||  (data == NULL && len > 0)) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_224_Update_fips(sha, data, len);
-    }
-    int wc_Sha3_224_Final(Sha3* sha, byte* out)
-    {
-        if (sha == NULL || out == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_224_Final_fips(sha, out);
-    }
-    void wc_Sha3_224_Free(Sha3* sha)
-    {
-        (void)sha;
-        /* Not supported in FIPS */
-    }
-
-    int wc_InitSha3_256(Sha3* sha, void* heap, int devId)
-    {
-        (void)heap;
-        (void)devId;
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return InitSha3_256_fips(sha);
-    }
-    int wc_Sha3_256_Update(Sha3* sha, const byte* data, word32 len)
-    {
-        if (sha == NULL ||  (data == NULL && len > 0)) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_256_Update_fips(sha, data, len);
-    }
-    int wc_Sha3_256_Final(Sha3* sha, byte* out)
-    {
-        if (sha == NULL || out == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_256_Final_fips(sha, out);
-    }
-    void wc_Sha3_256_Free(Sha3* sha)
-    {
-        (void)sha;
-        /* Not supported in FIPS */
-    }
-
-    int wc_InitSha3_384(Sha3* sha, void* heap, int devId)
-    {
-        (void)heap;
-        (void)devId;
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return InitSha3_384_fips(sha);
-    }
-    int wc_Sha3_384_Update(Sha3* sha, const byte* data, word32 len)
-    {
-        if (sha == NULL ||  (data == NULL && len > 0)) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_384_Update_fips(sha, data, len);
-    }
-    int wc_Sha3_384_Final(Sha3* sha, byte* out)
-    {
-        if (sha == NULL || out == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_384_Final_fips(sha, out);
-    }
-    void wc_Sha3_384_Free(Sha3* sha)
-    {
-        (void)sha;
-        /* Not supported in FIPS */
-    }
-
-    int wc_InitSha3_512(Sha3* sha, void* heap, int devId)
-    {
-        (void)heap;
-        (void)devId;
-        if (sha == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return InitSha3_512_fips(sha);
-    }
-    int wc_Sha3_512_Update(Sha3* sha, const byte* data, word32 len)
-    {
-        if (sha == NULL ||  (data == NULL && len > 0)) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_512_Update_fips(sha, data, len);
-    }
-    int wc_Sha3_512_Final(Sha3* sha, byte* out)
-    {
-        if (sha == NULL || out == NULL) {
-            return BAD_FUNC_ARG;
-        }
-        return Sha3_512_Final_fips(sha, out);
-    }
-    void wc_Sha3_512_Free(Sha3* sha)
-    {
-        (void)sha;
-        /* Not supported in FIPS */
-    }
-
-#else /* else build without fips */
-
-
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
@@ -870,7 +748,7 @@ static void wc_Sha3Free(Sha3* sha3)
     wolfAsync_DevCtxFree(&sha3->asyncDev, WOLFSSL_ASYNC_MARKER_SHA3);
 #endif /* WOLFSSL_ASYNC_CRYPT */
 }
-#endif /* HAVE_FIPS */
+
 
 /* Copy the state of the SHA3 operation.
  *

wolfssl/wolfcrypt/sha3.h

@@ -29,15 +29,13 @@
 
 #ifdef HAVE_FIPS
     /* for fips @wc_fips */
-    #include <cyassl/ctaocrypt/sha3.h>
+    #include <wolfssl/wolfcrypt/fips.h>
 #endif
 
 #ifdef __cplusplus
     extern "C" {
 #endif
 
-#ifndef HAVE_FIPS /* avoid redefinition of structs */
-
 #ifdef WOLFSSL_ASYNC_CRYPT
     #include <wolfssl/wolfcrypt/async.h>
 #endif
@@ -75,7 +73,7 @@ enum {
     #include "wolfssl/wolfcrypt/port/xilinx/xil-sha3.h"
 #else
 /* Sha3 digest */
-typedef struct Sha3 {
+struct Sha3 {
     /* State data that is processed for each block. */
     word64 s[25];
     /* Unprocessed message data. */
@@ -88,9 +86,13 @@ typedef struct Sha3 {
 #ifdef WOLFSSL_ASYNC_CRYPT
     WC_ASYNC_DEV asyncDev;
 #endif /* WOLFSSL_ASYNC_CRYPT */
-} Sha3;
+};
 #endif
-#endif /* HAVE_FIPS */
+#ifndef WC_SHA3_TYPE_DEFINED
+    typedef struct Sha3 Sha3;
+    #define WC_SHA3_TYPE_DEFINED
+#endif
+
 
 WOLFSSL_API int wc_InitSha3_224(Sha3*, void*, int);
 WOLFSSL_API int wc_Sha3_224_Update(Sha3*, const byte*, word32);