diff --git a/src/ssl.c b/src/ssl.c
index fdf638152..a17f6a406 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -45625,7 +45625,9 @@ int wolfSSL_RSA_private_decrypt(int len, const unsigned char* fr,
 return ret;
 }
-#if !defined(_WIN32) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
+#if !defined(_WIN32) && !defined(HAVE_SELFTEST) && \
+ (!defined(HAVE_FIPS) || \
+ (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
 int wolfSSL_RSA_public_decrypt(int flen, const unsigned char* from,
 unsigned char* to, WOLFSSL_RSA* rsa, int padding)
 {
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index 899e44ca2..363149e61 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -1491,8 +1491,10 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
 }
 if (key) {
 word32 len32 = (word32)len;
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
+ && (!defined(HAVE_FIPS) || \
+ (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
+
 WC_RNG rng;
 if (wc_InitRng(&rng) != MP_OKAY) {
 WOLFSSL_MSG("Init RNG failed");
@@ -1502,8 +1504,9 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
 #endif
 if (*keylen < len32) {
 WOLFSSL_MSG("buffer too short");
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
+ && (!defined(HAVE_FIPS) || \
+ (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
 ((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL;
 wc_FreeRng(&rng);
 #endif
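Review bot: The guard `defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))` is now written out four times in wolfSSL_EVP_PKEY_derive: at the `WC_RNG rng;` declaration in the -1491 hunk and at the three cleanup sites in the -1502 and -1513 hunks. `rng` is declared and seeded under one copy and released under the others, so an edit that changes only some copies either breaks the build or leaves an exit path that skips `wc_FreeRng(&rng)` and leaves the key's `rng` field (presumably pointed at this stack object between the hunks) uncleared. Evaluate the condition once above the function and define a single local macro from it, for example `#define EVP_DERIVE_NEEDS_RNG` (the name is only a suggestion), then use `#ifdef EVP_DERIVE_NEEDS_RNG` at all four sites. The empty `+` line added before `WC_RNG rng;` inside the guard can be dropped. The function starts and ends outside these hunks, so any other exit paths were not reviewed.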
@@ -1513,15 +1516,17 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
 (ecc_point*)ctx->peerKey->ecc->pub_key->internal,
 key, &len32) != MP_OKAY) {
 WOLFSSL_MSG("wc_ecc_shared_secret failed");
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
+ && (!defined(HAVE_FIPS) || \
+ (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
 ((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL;
 wc_FreeRng(&rng);
 #endif
 return WOLFSSL_FAILURE;
 }
-#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
+#if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) \
+ && (!defined(HAVE_FIPS) || \
+ (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
 ((ecc_key*)ctx->pkey->ecc->internal)->rng = NULL;
 wc_FreeRng(&rng);
 #endif
diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h
index f5ea17764..ea6b40ddb 100644
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@@ -154,8 +154,7 @@ enum Pkcs7_Misc {
 MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ +
 MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ,
 #if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
- (HAVE_FIPS_VERSION >= 2)) || (defined(HAVE_SELFTEST) && \
- (!defined(HAVE_SELFTEST_VERSION) || HAVE_SELFTEST_VERSION < 2))
+ (HAVE_FIPS_VERSION <= 2)) || (defined(HAVE_SELFTEST))
 /* In the event of fips cert 3389 or CAVP selftest v1 build, these enums are
 * not in aes.h for use with pkcs7 so enumerate it here outside the fips
 * boundary */
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 4292df257..5c071ecb3 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
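Review bot: In the pkcs7.h hunk the comment under the rewritten `#if` still describes "fips cert 3389 or CAVP selftest v1 build", but the condition now selects every FIPS build with `HAVE_FIPS_VERSION <= 2` and every `HAVE_SELFTEST` build. The removed lines deliberately excluded selftest builds with `HAVE_SELFTEST_VERSION >= 2`. If those builds already get these enumerators from aes.h (the removed check suggests so, but aes.h is not part of this diff), declaring them again inside `enum Pkcs7_Misc` would fail to compile as a duplicate enumerator. Either keep the `(!defined(HAVE_SELFTEST_VERSION) || HAVE_SELFTEST_VERSION < 2)` test or confirm that no selftest version exports them, and change the comment to match, e.g. `/* FIPS v2 and older, and CAVP selftest builds: these enums are not in aes.h ... */`. The enum continues past the end of the hunk.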
@@ -784,7 +784,8 @@ decouple library dependencies with standard string, memory and so on.
 /* hash types */
 enum wc_HashType {
- #if defined(HAVE_SELFTEST) || defined(HAVE_FIPS)
+ #if defined(HAVE_SELFTEST) || defined(HAVE_FIPS) && \
+ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION <= 2))
 /* In selftest build, WC_* types are not mapped to WC_HASH_TYPE types.
 * Values here are based on old selftest hmac.h enum, with additions.
 * These values are fixed for backwards FIPS compatibility */
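Review bot: The new condition mixes `||` and `&&` without grouping, so `defined(HAVE_SELFTEST) || defined(HAVE_FIPS) && (...)` is evaluated as `SELFTEST || (FIPS && ...)` only because `&&` binds tighter. That looks like the intent, but it should be made explicit: `#if defined(HAVE_SELFTEST) || (defined(HAVE_FIPS) && \` with the matching `)` closing the second line. Separately, a build that defines `HAVE_FIPS` without `HAVE_FIPS_VERSION` used to take this fixed-value branch and now falls through to the other one. The comment says these values are fixed for backwards FIPS compatibility, so either confirm that `HAVE_FIPS_VERSION` is always defined for older FIPS builds (not visible in this diff) or write the test as `(!defined(HAVE_FIPS_VERSION) || HAVE_FIPS_VERSION <= 2)`. The enum body and the matching `#else`/`#endif` lie outside the hunk.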