From 788cc39498311a37951ecb4abf006317cadbd31f Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Thu, 7 Dec 2017 10:58:55 -0800
Subject: [PATCH] FIPS Update 1. Switch in different versions of rsa.c
 depending on FIPS v1 or v2. 2. Add the Windows pragmas to rsa.c if building
 for FIPS v2. 3. Leave out FIPS wrappers from rsa.c if not building for FIPS
 v1.

---
 configure.ac        |  1 +
 src/include.am      |  6 ++++
 wolfcrypt/src/rsa.c | 79 +++++++++++++++++----------------------------
 3 files changed, 37 insertions(+), 49 deletions(-)

diff --git a/configure.ac b/configure.ac
index d45cc9111..828b52c40 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1944,6 +1944,7 @@ else
 fi
 
 AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"])
+AM_CONDITIONAL([BUILD_FIPS_V2], [test "x$FIPS_VERSION" = "xv2"])
 
 
 # set sha224 default
diff --git a/src/include.am b/src/include.am
index 81f9c9faa..c0f132d43 100644
--- a/src/include.am
+++ b/src/include.am
@@ -33,8 +33,12 @@ src_libwolfssl_la_SOURCES += \
                ctaocrypt/src/sha256.c
 
 if BUILD_RSA
+if BUILD_FIPS_V2
+src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
+else
 src_libwolfssl_la_SOURCES += ctaocrypt/src/rsa.c
 endif
+endif
 
 if BUILD_ECC
 src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c
@@ -92,10 +96,12 @@ if BUILD_RSA
 if BUILD_FAST_RSA
 src_libwolfssl_la_SOURCES += wolfcrypt/user-crypto/src/rsa.c
 else
+if !BUILD_FIPS_V2
 src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c
 endif
 endif
 endif
+endif
 if BUILD_SP
 src_libwolfssl_la_SOURCES += wolfcrypt/src/sp.c
 endif
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index a333f4636..a53a36863 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -29,6 +29,18 @@
 
 #ifndef NO_RSA
 
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+       #ifdef USE_WINDOWS_API
+               #pragma code_seg(".fipsA$e")
+               #pragma const_seg(".fipsB$e")
+       #endif
+#endif
+
 #include <wolfssl/wolfcrypt/rsa.h>
 
 #ifdef WOLFSSL_HAVE_SP_RSA
@@ -54,7 +66,10 @@ RSA Key Size Configuration:
 */
 
 
-#ifdef HAVE_FIPS
+/* If building for old FIPS. */
+#if defined(HAVE_FIPS) && \
+	(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
 int  wc_InitRsaKey(RsaKey* key, void* ptr)
 {
     if (key == NULL) {
@@ -64,6 +79,7 @@ int  wc_InitRsaKey(RsaKey* key, void* ptr)
     return InitRsaKey_fips(key, ptr);
 }
 
+
 int  wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId)
 {
     (void)devId;
@@ -73,6 +89,7 @@ int  wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId)
     return InitRsaKey_fips(key, ptr);
 }
 
+
 int  wc_FreeRsaKey(RsaKey* key)
 {
     return FreeRsaKey_fips(key);
@@ -102,7 +119,7 @@ int  wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
 int  wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
                                   word32 outLen, RsaKey* key)
 {
-    if (in == NULL || out == NULL || key == NULL) {
+	if (in == NULL || out == NULL || key == NULL) {
         return BAD_FUNC_ARG;
     }
     return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key);
@@ -147,56 +164,20 @@ int  wc_RsaEncryptSize(RsaKey* key)
 }
 
 
-/* New FIPS functions. */
-#if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
+						   word32* bSz)
+{
 
-    int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
-                               word32* bSz)
-    {
-        return RsaFlattenPublicKey_fips(key, a, aSz, b, bSz);
-    }
+	/* not specified as fips so not needing _fips */
+	return RsaFlattenPublicKey(key, a, aSz, b, bSz);
+}
 
-    int wc_RsaExportKey(RsaKey* key,
-                        byte* e, word32* eSz, byte* n, word32* nSz,
-                        byte* d, word32* dSz, byte* p, word32* pSz,
-                        byte* q, word32* qSz)
-    {
-        return RsaExportKey_fips(key, e, eSz, n, nSz, d, dSz, p, pSz, q, qSz);
-    }
-
-    int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
-                              const byte* qRaw, word32 qRawSz,
-                              const byte* eRaw, word32 eRawSz,
-                              int nlen, int* isPrime)
-    {
-        return CheckProbablePrime_fips(pRaw, pRawSz,
-                                       qRaw, qRawSz,
-                                       eRaw, eRawSz,
-                                       nlen, isPrime);
-    }
-
-    int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
-    {
-        return MakeRsaKey_fips(key, size, e, rng);
-    }
-
-#else /* Use old version of FIPS functions. */
-
-    int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
-                               word32* bSz)
-    {
-
-        /* not specified as fips so not needing _fips */
-        return RsaFlattenPublicKey(key, a, aSz, b, bSz);
-    }
-
-    #ifdef WOLFSSL_KEY_GEN
-        int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
-        {
-            return MakeRsaKey(key, size, e, rng);
-        }
-    #endif
 
+#ifdef WOLFSSL_KEY_GEN
+	int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
+	{
+		return MakeRsaKey(key, size, e, rng);
+	}
 #endif