From 8e75de88e87b3fe9e24569caf6352e1e074ec548 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 6 Mar 2018 16:45:44 -0800
Subject: [PATCH] Test Fixes
1. AesGcmEncrypt_ex requires the RNG, remove function if RNG disabled.
2. Fix a couple function name changes in the example server.
3. Removed the old FIPS wrapping added to dh.h, was redundant.
4. Move include of random.h in the aes.h file.
5. Fix where ecc.c was being left out of old FIPS builds.
6. Exclude the AES-GCM internal IV test case when building without the RNG.
7. Fix api test where AES-GCM Encrypt was called with a too-long IV in old FIPS mode. Non-FIPS and new FIPS are allowed longer IVs.
---
examples/server/server.c | 8 ++++----
src/include.am | 2 +-
tests/api.c | 9 ++++++++-
wolfcrypt/src/aes.c | 4 ++++
wolfcrypt/test/test.c | 3 +++
wolfssl/wolfcrypt/aes.h | 10 +++++++---
wolfssl/wolfcrypt/dh.h | 5 -----
wolfssl/wolfcrypt/random.h | 6 ++++++
8 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/examples/server/server.c b/examples/server/server.c
index 5c5e52894..8ab1e59b9 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -27,7 +27,7 @@ #include #ifdef HAVE_ECC - #include /* ecc_fp_free */ + #include /* wc_ecc_fp_free */ #endif #if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
@@ -1093,7 +1093,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (useAnon) { #ifdef HAVE_ANON - SSL_CTX_allow_anon_cipher(ctx); + wolfSSL_CTX_allow_anon_cipher(ctx); if (cipherList == NULL || (cipherList && useDefCipherList)) { if (SSL_CTX_set_cipher_list(ctx, "ADH-AES128-SHA") != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "server can't set cipher list 4");
@@ -1131,7 +1131,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef HAVE_SNI if (sniHostName) - if (SSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName, + if (wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName, (word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "UseSNI failed"); #endif
@@ -1560,7 +1560,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #if defined(NO_MAIN_DRIVER) && defined(HAVE_ECC) && defined(FP_ECC) \ && defined(HAVE_THREAD_LS) - ecc_fp_free(); /* free per thread cache */ + wc_ecc_fp_free(); /* free per thread cache */ #endif #ifdef WOLFSSL_TIRTOS
diff --git a/src/include.am b/src/include.am
index a292d939a..4b5e8e08f 100644
--- a/src/include.am
+++ b/src/include.am
@@ -326,7 +326,7 @@ if BUILD_SLOWMATH src_libwolfssl_la_SOURCES += wolfcrypt/src/integer.c endif -if !BUILD_FIPS +if !BUILD_FIPS_V2 if BUILD_ECC src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc.c endif
diff --git a/tests/api.c b/tests/api.c
index 93939f04e..16e28a807 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -8408,12 +8408,19 @@ static int test_wc_AesGcmEncryptDecrypt (void) } } - /* This case is now considered good. Long IVs are now allowed. */ + /* This case is now considered good. Long IVs are now allowed. + * Except for the original FIPS release, it still has an upper + * bound on the IV length. */ +#if !defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) if (gcmE == 0) { gcmE = wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV, sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)); } +#else + (void)longIV; +#endif /* Old FIPS */ /* END wc_AesGcmEncrypt */ printf(resultFmt, gcmE == 0 ? passed : failed);
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 099d0ce17..1c8d569ed 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
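Review bot: In the tests/api.c hunk of test_wc_AesGcmEncryptDecrypt, the old-FIPS branch only silences the variable with `(void)longIV;`, so the IV-length upper bound that the new comment describes is never exercised in that build. Consider making the `#else` branch a negative test instead: call `wc_AesGcmEncrypt` with `longIV` and require a non-zero return, so a regression in the old FIPS bound is caught rather than skipped. The exact error code is not visible in this hunk and would have to be taken from the old FIPS module. The function body starts and ends outside the hunk.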
@@ -8016,6 +8016,8 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, #endif /* (WOLFSSL_XILINX_CRYPT) */ +#ifndef WC_NO_RNG + int wc_AesGcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz, byte* iv, word32 ivSz, byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz, WC_RNG* rng)
@@ -8039,6 +8041,8 @@ int wc_AesGcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz, return ret; } +#endif /* WC_NO_RNG */ + WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len) {
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index a918a442f..2d5e926c2 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -6582,6 +6582,8 @@ int aesgcm_test(void) #endif /* WOLFSSL_AES_256 */ /* Test encrypt with internally generated IV */ +#if !defined(WC_NO_RNG) && \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) { WC_RNG rng; byte randIV[12];
@@ -6627,6 +6629,7 @@ int aesgcm_test(void) return -8212; wc_FreeRng(&rng); } +#endif /* WC_NO_RNG && FIPSv2 */ wc_AesFree(&enc);
diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h
index 418b50b10..44b77df11 100644
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@@ -38,7 +38,7 @@ /* included for fips @wc_fips */ #if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) #include #if defined(CYASSL_AES_COUNTER) && !defined(WOLFSSL_AES_COUNTER) #define WOLFSSL_AES_COUNTER
@@ -62,6 +62,10 @@ #include "xsecure_aes.h" #endif +#if defined(HAVE_AESGCM) && !defined(WC_NO_RNG) + #include +#endif + #ifdef __cplusplus extern "C" {
@@ -140,8 +144,6 @@ typedef struct XtsAes { #endif #ifdef HAVE_AESGCM -#include - typedef struct Gmac { Aes aes; } Gmac;
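Review bot: The `#ifndef WC_NO_RNG` added around `wc_AesGcmEncrypt_ex` in wolfcrypt/src/aes.c, and around its prototype in the later wolfssl/wolfcrypt/aes.h hunk, carries no comment telling a WC_NO_RNG user what remains available. The signature (`byte* iv` plus `WC_RNG* rng`) suggests the function fills in the IV from the RNG, so a short comment above the guard would help, for example `/* Needs an RNG for the IV; with WC_NO_RNG use wc_AesGcmEncrypt and supply an IV that is unique per key. */`. GCM loses its guarantees when an IV repeats under one key, which makes that caller responsibility worth stating at the point where the function disappears. The closing comments would also read more accurately as `#endif /* !WC_NO_RNG */`. The function body lies between the two aes.c hunks and is not shown.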
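Review bot: In wolfcrypt/test/test.c the new guard around the internally generated IV case in aesgcm_test, `#if !defined(WC_NO_RNG) && (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))`, also compiles the case out of non-FIPS builds unless HAVE_FIPS_VERSION is defined for them somewhere outside this diff. The commit message only mentions builds without the RNG, and aes.c guards `wc_AesGcmEncrypt_ex` with WC_NO_RNG alone, so ordinary builds would ship the function without this test. If that is unintended, the condition used in tests/api.c in this same commit fits: `#if !defined(WC_NO_RNG) && (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))`. The closing comment in the following hunk, `#endif /* WC_NO_RNG && FIPSv2 */`, should then be updated to match, and it currently omits the negation on WC_NO_RNG.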
@@ -215,12 +217,14 @@ WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out, const byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz); +#ifndef WC_NO_RNG WOLFSSL_API int wc_AesGcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz, byte* iv, word32 ivSz, byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz, WC_RNG* rng); +#endif /* WC_NO_RNG */ WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len); WOLFSSL_API int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
diff --git a/wolfssl/wolfcrypt/dh.h b/wolfssl/wolfcrypt/dh.h
index 4c6c8fd29..f53885393 100644
--- a/wolfssl/wolfcrypt/dh.h
+++ b/wolfssl/wolfcrypt/dh.h
@@ -42,10 +42,6 @@ extern "C" { #endif -/* avoid redefinition of structs */ -#if !defined(HAVE_FIPS) || \ - (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) - #ifdef WOLFSSL_ASYNC_CRYPT #include #endif
@@ -65,7 +61,6 @@ typedef struct DhKey { #endif } DhKey; -#endif /* HAVE_FIPS */ #ifdef HAVE_FFDHE_2048 WOLFSSL_API const DhParams* wc_Dh_ffdhe2048_Get(void);
diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
index 2e0f9f6b8..ead4fe8b3 100644
--- a/wolfssl/wolfcrypt/random.h
+++ b/wolfssl/wolfcrypt/random.h
@@ -35,6 +35,12 @@ #include #endif /* HAVE_FIPS_VERSION >= 2 */ +/* included for fips @wc_fips */ +#if defined(HAVE_FIPS) && \ + (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) +#include +#endif + #ifdef __cplusplus extern "C" { #endif