AES-CCM FIPS

1. Add new error code for the AES-CCM FIPS KAT failure.
2. When enabling FIPSv2, force enable AES-CCM.

configure.ac

@@ -2044,6 +2044,9 @@ then
     AS_IF([test "x$FIPS_VERSION" = "xv2"],
           [AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN"
            ENABLED_KEYGEN="yes"
+		   AS_IF([test "x$ENABLED_AESCCM" != "xyes"],
+			     [ENABLED_AESCCM="yes"
+				  AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM"])
            AS_IF([test "x$ENABLED_RSAPSS" != "xyes"],
 			     [ENABLED_RSAPSS="yes"
 				  AM_CFLAGS="$AM_CFLAGS -DWC_RSA_PSS"])

wolfcrypt/src/aes.c

@@ -172,10 +172,11 @@
     #endif /* HAVE_AESGCM */
 
     /* AES-CCM */
-    #ifdef HAVE_AESCCM
-        void wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
+    #if defined(HAVE_AESCCM) && \
+		defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+        int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
         {
-            AesCcmSetKey(aes, key, keySz);
+            return AesCcmSetKey(aes, key, keySz);
         }
         int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                                       const byte* nonce, word32 nonceSz,
@@ -209,7 +210,7 @@
                     authTag, authTagSz, authIn, authInSz);
             }
         #endif /* HAVE_AES_DECRYPT */
-    #endif /* HAVE_AESCCM */
+    #endif /* HAVE_AESCCM && HAVE_FIPS_VERSION 2 */
 
     int  wc_AesInit(Aes* aes, void* h, int i)
     {

wolfcrypt/src/error.c

@@ -461,6 +461,9 @@ const char* wc_GetErrorString(int error)
     case DH_KAT_FIPS_E:
         return "wolfcrypt FIPS DH Known Answer Test Failure";
 
+    case AESCCM_KAT_FIPS_E:
+        return "AESCCM Known Answer Test check FIPS error";
+
     default:
         return "unknown error number";
 

wolfssl/wolfcrypt/error-crypt.h

@@ -205,8 +205,9 @@ enum {
     RSAPSS_PAT_FIPS_E   = -254,  /* RSA-PSS PAT failure */
     ECDSA_PAT_FIPS_E    = -255,  /* ECDSA PAT failure */
     DH_KAT_FIPS_E       = -256,  /* DH KAT failure */
+    AESCCM_KAT_FIPS_E   = -257,  /* AESCCM KAT failure */
 
-    WC_LAST_E           = -256,  /* Update this to indicate last error */
+    WC_LAST_E           = -257,  /* Update this to indicate last error */
     MIN_CODE_E          = -300   /* errors -101 - -299 */
 
     /* add new companion error id strings for any new error codes