Account for unmodifiable FIPS module files when adding new OpenSSL functionality

kaleb-himes 2020-06-01 15:12:16 -06:00
parent 9c73a4bdbc
commit 6217118ee4
4 changed files with 77 additions and 3 deletions


@ -18553,6 +18553,8 @@ int wolfSSL_DH_check(const WOLFSSL_DH *dh, int *codes)
return WOLFSSL_SUCCESS;
}
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
/* Converts DER encoded DH parameters to a WOLFSSL_DH structure.
*
* dh : structure to copy DH parameters into.
@ -18601,6 +18603,7 @@ WOLFSSL_DH *wolfSSL_d2i_DHparams(WOLFSSL_DH **dh, const unsigned char **pp,
return newDH;
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
/* Converts internal WOLFSSL_DH structure to DER encoded DH.
*
@ -28576,6 +28579,8 @@ void wolfSSL_DH_free(WOLFSSL_DH* dh)
}
}
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
int SetDhInternal(WOLFSSL_DH* dh)
{
int ret = WOLFSSL_FATAL_ERROR;
@ -28715,6 +28720,7 @@ int SetDhExternal(WOLFSSL_DH *dh)
return WOLFSSL_SUCCESS;
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
#endif /* !NO_DH && (WOLFSSL_QT || OPENSSL_ALL) */
/* return code compliant with OpenSSL :
@ -29117,6 +29123,8 @@ WOLFSSL_BIGNUM* wolfSSL_DH_8192_prime(WOLFSSL_BIGNUM* bn)
return bn;
}
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
/* return code compliant with OpenSSL :
* 1 if success, 0 if error
*/
@ -29331,6 +29339,7 @@ int wolfSSL_DH_set0_pqg(WOLFSSL_DH *dh, WOLFSSL_BIGNUM *p,
return WOLFSSL_SUCCESS;
}
#endif /* v1.1.0 or later */
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
#endif /* NO_DH */
@ -32620,6 +32629,8 @@ int wolfSSL_ECPoint_i2d(const WOLFSSL_EC_GROUP *group,
return WOLFSSL_SUCCESS;
}
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
/* return code compliant with OpenSSL :
* 1 if success, 0 if error
*/
@ -32723,6 +32734,7 @@ size_t wolfSSL_EC_POINT_point2oct(const WOLFSSL_EC_GROUP *group,
return (size_t)min_len;
}
int wolfSSL_EC_POINT_oct2point(const WOLFSSL_EC_GROUP *group,
WOLFSSL_EC_POINT *p, const unsigned char *buf,
size_t len, WOLFSSL_BN_CTX *ctx)
@ -32830,6 +32842,7 @@ WOLFSSL_BIGNUM *wolfSSL_EC_POINT_point2bn(const WOLFSSL_EC_GROUP *group,
return ret;
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
WOLFSSL_EC_POINT *wolfSSL_EC_POINT_new(const WOLFSSL_EC_GROUP *group)
{
@ -32963,6 +32976,8 @@ int wolfSSL_EC_POINT_set_affine_coordinates_GFp(const WOLFSSL_EC_GROUP *group,
#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
!defined(HAVE_SELFTEST)
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
/* Calculate the value: generator * n + q * m
* return code compliant with OpenSSL :
* 1 if success, 0 if error
@ -33102,6 +33117,7 @@ cleanup:
wc_ecc_del_point(tmp);
return ret;
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
#endif /* !defined(WOLFSSL_ATECC508A) && defined(ECC_SHAMIR) &&
* !defined(HAVE_SELFTEST) */
@ -33225,6 +33241,8 @@ int wolfSSL_EC_POINT_is_at_infinity(const WOLFSSL_EC_GROUP *group,
/* End EC_POINT */
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
size_t wolfSSL_EC_get_builtin_curves(WOLFSSL_EC_BUILTIN_CURVE *r, size_t nitems)
{
size_t i, min_nitems;
@ -33246,6 +33264,7 @@ size_t wolfSSL_EC_get_builtin_curves(WOLFSSL_EC_BUILTIN_CURVE *r, size_t nitems)
return ecc_sets_count;
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
/* Start ECDSA_SIG */
void wolfSSL_ECDSA_SIG_free(WOLFSSL_ECDSA_SIG *sig)
@ -35002,6 +35021,8 @@ int wolfSSL_RSA_LoadDer_ex(WOLFSSL_RSA* rsa, const unsigned char* derBuf,
#if defined(WC_RSA_PSS) && (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || \
defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX))
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
static int hash2mgf(enum wc_HashType hType)
{
switch (hType) {
@ -35251,7 +35272,10 @@ int wolfSSL_RSA_verify_PKCS1_PSS(WOLFSSL_RSA *rsa, const unsigned char *mHash,
XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return WOLFSSL_SUCCESS;
}
#endif
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
#endif /* WC_RSA_PSS && (OPENSSL_ALL || WOLFSSL_ASIO || WOLFSSL_HAPROXY
* || WOLFSSL_NGINX)
*/
#if defined(OPENSSL_EXTRA)
WOLFSSL_RSA_METHOD *wolfSSL_RSA_meth_new(const char *name, int flags)
@ -35552,6 +35576,8 @@ int wolfSSL_EC_KEY_LoadDer_ex(WOLFSSL_EC_KEY* key, const unsigned char* derBuf,
#if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH))
/* return WOLFSSL_SUCCESS if success, WOLFSSL_FATAL_ERROR if error */
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
int wolfSSL_DH_LoadDer(WOLFSSL_DH* dh, const unsigned char* derBuf, int derSz)
{
word32 idx = 0;
@ -35575,6 +35601,7 @@ int wolfSSL_DH_LoadDer(WOLFSSL_DH* dh, const unsigned char* derBuf, int derSz)
return WOLFSSL_SUCCESS;
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
#endif /* ! NO_DH && WOLFSSL_QT || OPENSSL_ALL */
#endif /* OPENSSL_EXTRA */
@ -39652,6 +39679,8 @@ WOLFSSL_BIO* wolfSSL_BIO_new_fp(XFILE fp, int close_flag)
#ifndef NO_DH
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bio, WOLFSSL_DH **x,
pem_password_cb *cb, void *u)
{
@ -39781,6 +39810,7 @@ end:
return NULL;
#endif
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
#ifndef NO_FILESYSTEM
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH)
@ -39866,6 +39896,8 @@ int wc_DhParamsToDer(DhKey* key, byte* out, word32* outSz)
return idx;
}
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
int wc_DhPubKeyToDer(DhKey* key, byte* out, word32* outSz)
{
word32 sz = 0;
@ -40131,6 +40163,7 @@ int wolfSSL_PEM_write_DHparams(XFILE fp, WOLFSSL_DH* dh)
WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", WOLFSSL_SUCCESS);
return WOLFSSL_SUCCESS;
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
#endif /* WOLFSSL_QT || OPENSSL_ALL */
#endif /* !NO_FILESYSTEM */
#endif /* !NO_DH */
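Review bot: The functions these new guards compile out for FIPS v2 builds (wolfSSL_d2i_DHparams, SetDhInternal/SetDhExternal, wolfSSL_EC_POINT_point2oct and neighbours, wolfSSL_EC_get_builtin_curves, wolfSSL_DH_LoadDer, wolfSSL_PEM_read_bio_DHparams, wc_DhPubKeyToDer) keep their public prototypes, since none of the four changed files appears to be a header; unless the headers are guarded elsewhere, an application built against FIPS v2 presumably still sees the declarations and fails at link time instead of getting a compile-time diagnostic, so the same condition should be applied to the prototypes. The condition itself is repeated verbatim about a dozen times in this file alone; defining it once in a header outside the locked FIPS boundary, as a single macro (a constructed name such as `WOLFSSL_FIPS_NEW_API_OK`), would make it auditable in one place and keep the `> 2` / `>= 2` choice from drifting between files. Each of these hunks cuts through a function body, so the affected definitions begin or end outside the hunks.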


@ -1786,7 +1786,9 @@ static int test_wolfSSL_SetMinVersion(void)
EC_GROUP_new_by_curve_name, EC_GROUP_order_bits
*/
# if defined(OPENSSL_EXTRA)
# if defined(OPENSSL_EXTRA) && ( !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && \
(HAVE_FIPS_VERSION > 2) ) )
static void test_wolfSSL_EC(void)
{
#if defined(HAVE_ECC)
@ -1978,7 +1980,7 @@ static void test_wolfSSL_EC(void)
BN_CTX_free(ctx);
#endif /* HAVE_ECC */
}
#endif
#endif /* OPENSSL_EXTRA && ( !HAVE_FIPS || HAVE_FIPS_VERSION > 2) */
static void test_wolfSSL_PEM_read_bio_ECPKParameters(void)
{
@ -28046,6 +28048,8 @@ static void test_wolfSSL_OBJ_ln(void)
AssertIntEQ(OBJ_ln2nid(NULL), NID_undef);
#ifdef HAVE_ECC
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
{
int nCurves = 27;
EC_builtin_curve r[nCurves];
@ -28056,6 +28060,7 @@ static void test_wolfSSL_OBJ_ln(void)
AssertStrEQ(OBJ_nid2ln(r[i].nid), r[i].comment);
}
}
#endif
#endif
for (i = 0; i < maxIdx; i++) {
@ -28713,6 +28718,8 @@ static void test_wolfSSL_RSA_padding_add_PKCS1_PSS(void)
static void test_wolfSSL_EC_get_builtin_curves(void)
{
#if defined(HAVE_ECC) && (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL))
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
EC_builtin_curve* curves = NULL;
size_t crv_len = 0;
size_t i = 0;
@ -28733,6 +28740,7 @@ static void test_wolfSSL_EC_get_builtin_curves(void)
XFREE(curves, NULL, DYNAMIC_TYPE_TMP_BUFFER);
printf(resultFmt, passed);
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
#endif /* defined(HAVE_ECC) || defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) */
}
@ -29290,6 +29298,8 @@ static void test_wolfSSL_EVP_PKEY_sign(void)
{
#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \
!defined(HAVE_FAST_RSA) && !defined(HAVE_SELFTEST)
#if !defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
WOLFSSL_RSA* rsa = NULL;
WOLFSSL_EVP_PKEY* pkey = NULL;
WOLFSSL_EVP_PKEY_CTX* ctx = NULL;
@ -29346,6 +29356,7 @@ static void test_wolfSSL_EVP_PKEY_sign(void)
wolfSSL_RSA_free(rsa);
XFREE(sig, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(sigVerify, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
printf(resultFmt, passed);
#endif
}
@ -29372,6 +29383,8 @@ static void test_EVP_PKEY_rsa(void)
static void test_EVP_PKEY_ec(void)
{
#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
WOLFSSL_EC_KEY* ecKey;
WOLFSSL_EVP_PKEY* pkey;
@ -29384,6 +29397,7 @@ static void test_EVP_PKEY_ec(void)
printf(resultFmt, passed);
#endif
#endif
}
static void test_EVP_PKEY_cmp(void)
@ -32415,7 +32429,10 @@ void ApiTest(void)
/*wolfSSL_EVP_get_cipherbynid test*/
test_wolfSSL_EVP_get_cipherbynid();
test_wolfSSL_EVP_CIPHER_CTX();
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
test_wolfSSL_EC();
#endif
test_wolfSSL_ECDSA_SIG();
test_ECDSA_size_sign();
#endif
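Review bot: In test_wolfSSL_EVP_PKEY_sign the new `#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */` is placed above `printf(resultFmt, passed);`, so a FIPS v2 build reports the test as passed after executing none of it; test_wolfSSL_EC_get_builtin_curves and test_EVP_PKEY_ec in this same commit keep the print inside the guard, and this one should too — move the `#endif` to just below the `printf` line. The bare `#endif` lines that close the new guards in test_wolfSSL_OBJ_ln and test_EVP_PKEY_ec should carry the same trailing comment as the others, `#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */`, because the nested conditionals are otherwise hard to pair by eye. The bodies of test_wolfSSL_EVP_PKEY_sign and test_wolfSSL_OBJ_ln start and end outside their hunks.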


@ -141,6 +141,15 @@ extern int wc_InitRsaHw(RsaKey* key);
};
#endif
#endif
#if defined(HAVE_FIPS) && \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) )
/* aes.h is locked w/ FIPS, have to add new enums in non-boundary location
* when building in FIPS mode */
enum {
GCM_NONCE_MID_SZ = 12 /* The usual default nonce size for AES-GCM. */
};
#endif
#ifdef WOLFSSL_RENESAS_TSIP_TLS
void tsip_inform_key_position(const word32 key_n_start,
const word32 key_n_len, const word32 key_e_start,
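Review bot: The `enum { GCM_NONCE_MID_SZ = 12 }` added here is duplicated verbatim in the evp.c hunk of the same commit, so the two copies can drift silently and every further translation unit that needs the value will need yet another copy. Defining it once in an internal header that is not part of the locked FIPS boundary, under the same `HAVE_FIPS_VERSION >= 2` condition, keeps a single source of truth. Note also that this guard uses `>= 2` while every other guard in the commit uses `> 2`; if a later FIPS module's aes.h does define GCM_NONCE_MID_SZ, this enum would redefine it, so a comment such as `/* TODO: drop once the FIPS aes.h in use defines GCM_NONCE_MID_SZ */` would flag the condition for review with the next module.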


@ -33,6 +33,15 @@
#elif defined(WOLFCRYPT_ONLY)
#else
#if defined(HAVE_FIPS) && \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2) )
/* aes.h is locked w/ FIPS, have to add new enums in non-boundary location
* when building in FIPS mode */
enum {
GCM_NONCE_MID_SZ = 12 /* The usual default nonce size for AES-GCM. */
};
#endif
#if defined(OPENSSL_EXTRA)
#include <wolfssl/openssl/ecdsa.h>
@ -1343,6 +1352,8 @@ int wolfSSL_EVP_PKEY_derive_set_peer(WOLFSSL_EVP_PKEY_CTX *ctx, WOLFSSL_EVP_PKEY
}
#if !defined(NO_DH) && defined(HAVE_ECC)
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
{
int len;
@ -1420,6 +1431,7 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
}
return WOLFSSL_SUCCESS;
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
#endif
/* Uses the WOLFSSL_EVP_PKEY_CTX to decrypt a buffer.
@ -5893,6 +5905,8 @@ WOLFSSL_EC_KEY* wolfSSL_EVP_PKEY_get1_EC_KEY(WOLFSSL_EVP_PKEY* key)
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
#if !defined(NO_DH) && !defined(NO_FILESYSTEM)
#if !defined(HAVE_FIPS) || \
( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )
/* with set1 functions the pkey struct does not own the DH structure
* Build the following DH Key format from the passed in WOLFSSL_DH
* then store in WOLFSSL_EVP_PKEY in DER format.
@ -5971,6 +5985,7 @@ int wolfSSL_EVP_PKEY_set1_DH(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_DH *key)
return WOLFSSL_SUCCESS;
}
#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
WOLFSSL_DH* wolfSSL_EVP_PKEY_get0_DH(WOLFSSL_EVP_PKEY* key)
{
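Review bot: wolfSSL_EVP_PKEY_derive is now compiled out for FIPS v2 while wolfSSL_EVP_PKEY_derive_set_peer (visible in the hunk header context) remains, which leaves the derive API half-present: a caller can set a peer key but the final derive call is missing and, if its prototype is still declared, fails only at link time. Either the companion setup functions should be placed under the same `#if !defined(HAVE_FIPS) || ( defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2) )` condition, or the reason only the derive step is excluded should be recorded next to the guard, e.g. `/* derive itself needs DH/ECC routines outside the FIPS v2 boundary; set_peer/init are kept so ctx setup still compiles */` if that is indeed the reason. The bodies of wolfSSL_EVP_PKEY_derive and wolfSSL_EVP_PKEY_set1_DH lie outside their hunks.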