From dca2424aaef63843279e901b8e40f4eb8c602765 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Mon, 26 Mar 2018 17:30:07 -0700
Subject: [PATCH] FIPS Revalidation/Test Fixes 1. For FIPSv2 builds, changed
 the FP_MAX_BITS to 6144. 2. Fixed bug in HMAC-SHA-3 where the digest size was
 being used instead of the block size for processing the key.

---
 configure.ac         |  2 +-
 wolfcrypt/src/hmac.c | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/configure.ac b/configure.ac
index f8d17d94a..956a451af 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1982,7 +1982,7 @@ then
     AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
     # Add the FIPS flag.
     AS_IF([test "x$FIPS_VERSION" = "xv2"],
-          [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING"
+          [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DFP_MAX_BITS=6144"
            ENABLED_KEYGEN="yes"
            ENABLED_SHA224="yes"
            AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c
index edb678e7f..713034a14 100644
--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@@ -479,7 +479,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
     #ifdef WOLFSSL_SHA3
         case WC_SHA3_224:
             hmac_block_size = WC_SHA3_224_BLOCK_SIZE;
-            if (length <= SHA3_224_DIGEST_SIZE) {
+            if (length <= WC_SHA3_224_BLOCK_SIZE) {
                 if (key != NULL) {
                     XMEMCPY(ip, key, length);
                 }
@@ -492,12 +492,12 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
                 if (ret != 0)
                     break;
 
-                length = SHA3_224_DIGEST_SIZE;
+                length = WC_SHA3_224_DIGEST_SIZE;
             }
             break;
         case WC_SHA3_256:
             hmac_block_size = WC_SHA3_256_BLOCK_SIZE;
-            if (length <= SHA3_256_DIGEST_SIZE) {
+            if (length <= WC_SHA3_256_BLOCK_SIZE) {
                 if (key != NULL) {
                     XMEMCPY(ip, key, length);
                 }
@@ -510,12 +510,12 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
                 if (ret != 0)
                     break;
 
-                length = SHA3_256_DIGEST_SIZE;
+                length = WC_SHA3_256_DIGEST_SIZE;
             }
             break;
         case WC_SHA3_384:
             hmac_block_size = WC_SHA3_384_BLOCK_SIZE;
-            if (length <= SHA3_384_DIGEST_SIZE) {
+            if (length <= WC_SHA3_384_BLOCK_SIZE) {
                 if (key != NULL) {
                     XMEMCPY(ip, key, length);
                 }
@@ -528,12 +528,12 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
                 if (ret != 0)
                     break;
 
-                length = SHA3_384_DIGEST_SIZE;
+                length = WC_SHA3_384_DIGEST_SIZE;
             }
             break;
         case WC_SHA3_512:
             hmac_block_size = WC_SHA3_512_BLOCK_SIZE;
-            if (length <= SHA3_512_DIGEST_SIZE) {
+            if (length <= WC_SHA3_512_BLOCK_SIZE) {
                 if (key != NULL) {
                     XMEMCPY(ip, key, length);
                 }
@@ -546,7 +546,7 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
                 if (ret != 0)
                     break;
 
-                length = SHA3_512_DIGEST_SIZE;
+                length = WC_SHA3_512_DIGEST_SIZE;
             }
             break;
     #endif /* WOLFSSL_SHA3 */