FIPS Revalidation

1. Added CMAC to the boundary.
2. Added DHE to the boundary.

configure.ac

@@ -1881,7 +1881,8 @@ fi
 AS_IF([test "x$ENABLED_CMAC" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"])
 
-AM_CONDITIONAL([BUILD_CMAC], [test "x$ENABLED_CMAC" = "xyes"])
+#AM_CONDITIONAL([BUILD_CMAC], [test "x$ENABLED_CMAC" = "xyes"])
+#moved to FIPS section
 
 
 # AES-XTS
@@ -1994,6 +1995,9 @@ then
 				  AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256"
                   AS_IF([test "x$ENABLED_ECC_SHAMIR" = "xyes"],
                         [AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR"])])
+           AS_IF([test "x$ENABLED_CMAC" != "xyes"],
+                 [ENABLED_CMAC="yes"
+                  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"])
 		  ])
 else
     if test "x$ENABLED_FORTRESS" = "xyes"
@@ -2004,6 +2008,7 @@ fi
 
 AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"])
 AM_CONDITIONAL([BUILD_FIPS_V2], [test "x$FIPS_VERSION" = "xv2"])
+AM_CONDITIONAL([BUILD_CMAC], [test "x$ENABLED_CMAC" = "xyes"])
 
 # SELFTEST
 AC_ARG_ENABLE([selftest],

wolfcrypt/src/cmac.c

@@ -28,6 +28,18 @@
 
 #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
 
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$d")
+        #pragma const_seg(".fipsB$d")
+    #endif
+#endif
+
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else

wolfcrypt/src/dh.c

@@ -28,6 +28,18 @@
 
 #ifndef NO_DH
 
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$d")
+        #pragma const_seg(".fipsB$d")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/dh.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
@@ -524,7 +536,7 @@ int wc_InitDhKey(DhKey* key)
 }
 
 
-void wc_FreeDhKey(DhKey* key)
+int wc_FreeDhKey(DhKey* key)
 {
     if (key) {
         mp_clear(&key->p);
@@ -535,6 +547,7 @@ void wc_FreeDhKey(DhKey* key)
         wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_DH);
     #endif
     }
+    return 0;
 }
 
 

wolfssl/wolfcrypt/cmac.h

@@ -28,10 +28,19 @@
 
 #if !defined(NO_AES) && defined(WOLFSSL_CMAC)
 
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
 #ifdef __cplusplus
     extern "C" {
 #endif
 
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+
 typedef struct Cmac {
     Aes aes;
     byte buffer[AES_BLOCK_SIZE]; /* partially stored block */
@@ -47,6 +56,7 @@ typedef enum CmacType {
     WC_CMAC_AES = 1
 } CmacType;
 
+#endif /* HAVE_FIPS */
 
 WOLFSSL_API
 int wc_InitCmac(Cmac* cmac,

wolfssl/wolfcrypt/dh.h

@@ -30,6 +30,11 @@
 
 #ifndef NO_DH
 
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #include <wolfssl/wolfcrypt/fips.h>
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
 #include <wolfssl/wolfcrypt/integer.h>
 #include <wolfssl/wolfcrypt/random.h>
 
@@ -37,6 +42,10 @@
     extern "C" {
 #endif
 
+/* avoid redefinition of structs */
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+
 #ifdef WOLFSSL_ASYNC_CRYPT
     #include <wolfssl/wolfcrypt/async.h>
 #endif
@@ -56,6 +65,7 @@ typedef struct DhKey {
 #endif
 } DhKey;
 
+#endif /* HAVE_FIPS */
 
 #ifdef HAVE_FFDHE_2048
 WOLFSSL_API const DhParams* wc_Dh_ffdhe2048_Get(void);
@@ -75,7 +85,7 @@ WOLFSSL_API const DhParams* wc_Dh_ffdhe8192_Get(void);
 
 WOLFSSL_API int wc_InitDhKey(DhKey* key);
 WOLFSSL_API int wc_InitDhKey_ex(DhKey* key, void* heap, int devId);
-WOLFSSL_API void wc_FreeDhKey(DhKey* key);
+WOLFSSL_API int wc_FreeDhKey(DhKey* key);
 
 WOLFSSL_API int wc_DhGenerateKeyPair(DhKey* key, WC_RNG* rng, byte* priv,
                                  word32* privSz, byte* pub, word32* pubSz);