Expose additional features of opensslall in a compliant way

src/pk.c

@@ -13106,7 +13106,11 @@ int wolfSSL_EC_KEY_generate_key(WOLFSSL_EC_KEY *key)
         /* Check if we know which internal curve index to use. */
         if (key->group->curve_idx < 0) {
             /* Generate key using the default curve. */
+#if FIPS_VERSION3_GE(6,0,0)
+            key->group->curve_idx = ECC_SECP256R1; /* FIPS default to 256 */
+#else
             key->group->curve_idx = ECC_CURVE_DEF;
+#endif
         }
 
         /* Create a random number generator. */
@@ -13120,11 +13124,30 @@ int wolfSSL_EC_KEY_generate_key(WOLFSSL_EC_KEY *key)
         /* NIDToEccEnum returns -1 for invalid NID so if key->group->curve_nid
          * is 0 then pass ECC_CURVE_DEF as arg */
         int eccEnum = key->group->curve_nid ?
+#if FIPS_VERSION3_GE(6,0,0)
+            NIDToEccEnum(key->group->curve_nid) : ECC_SECP256R1;
+#else
             NIDToEccEnum(key->group->curve_nid) : ECC_CURVE_DEF;
+#endif
         /* Get the internal EC key. */
         ecc_key* ecKey = (ecc_key*)key->internal;
         /* Make the key using internal API. */
-        int ret = wc_ecc_make_key_ex(rng, 0, ecKey, eccEnum);
+        int ret = 0;
+
+#if FIPS_VERSION3_GE(6,0,0)
+        /* In the case of FIPS only allow key generation with approved curves */
+        if (eccEnum != ECC_SECP256R1 && eccEnum != ECC_SECP224R1 &&
+            eccEnum != ECC_SECP384R1 && eccEnum != ECC_SECP521R1) {
+            WOLFSSL_MSG("Unsupported curve selected in FIPS mode");
+            res = 0;
+        }
+        if (res == 1) {
+#endif
+        ret  = wc_ecc_make_key_ex(rng, 0, ecKey, eccEnum);
+#if FIPS_VERSION3_GE(6,0,0)
+        }
+#endif
+
     #if defined(WOLFSSL_ASYNC_CRYPT)
         /* Wait on asynchronouse operation. */
         ret = wc_AsyncWait(ret, &ecKey->asyncDev, WC_ASYNC_FLAG_NONE);

wolfcrypt/src/ecc.c

@@ -1836,6 +1836,15 @@ int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id)
                 break;
             }
         }
+        /* Since we are allowing a pass-through of ecc_make_key_ex_fips when
+         * both keysize == 0 and curve_id == 0 ensure we select an appropriate
+         * keysize here when relying on default selection */
+        #if FIPS_VERSION3_GE(6,0,0)
+        if (ecc_sets[x].size < WC_ECC_FIPS_GEN_MIN) {
+            WOLFSSL_MSG("ECC curve too small for FIPS mode");
+            return ECC_CURVE_OID_E;
+        }
+        #endif
         if (ecc_sets[x].size == 0) {
             WOLFSSL_MSG("ECC Curve not found");
             return ECC_CURVE_OID_E;

wolfcrypt/src/evp.c

@@ -5468,7 +5468,7 @@ void wolfSSL_EVP_init(void)
     #endif /* HAVE_AES_CBC */
 
     #ifdef WOLFSSL_AES_CFB
-#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(6,0,0))
     #ifdef WOLFSSL_AES_128
     const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cfb1(void)
     {

wolfcrypt/test/test.c

@@ -8354,7 +8354,8 @@ static const int fiducial1 = WC_TEST_RET_LN; /* source code reference point --
 #if defined(WOLFSSL_AES_OFB) || defined(WOLFSSL_AES_CFB) || \
     defined(WOLFSSL_AES_XTS)
 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
-    && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+    && !defined(HAVE_SELFTEST)
+#if !defined(HAVE_FIPS) || FIPS_VERSION3_GE(6,0,0)
 /* pass in the function, key, iv, plain text and expected and this function
  * tests that the encryption and decryption is successful */
 static wc_test_ret_t EVP_test(const WOLFSSL_EVP_CIPHER* type, const byte* key,
@@ -8458,7 +8459,8 @@ EVP_TEST_END:
 
     return ret;
 }
-#endif /* OPENSSL_EXTRA */
+#endif /* !HAVE_FIPS || FIPS_VERSION3_GE(6,0,0) */
+#endif /* OPENSSL_EXTRA && !WOLFCRYPT_ONLY && !HAVE_SELFTEST */
 #endif /* WOLFSSL_AES_OFB || WOLFSSL_AES_CFB */
 
 #ifdef WOLFSSL_AES_OFB