Support for Android KeyStore compatibility API's:

* Adds `EVP_PKCS82PKEY` and `d2i_PKCS8_PRIV_KEY_INFO`.
* Adds `EVP_PKEY2PKCS8` and `i2d_PKCS8_PRIV_KEY_INFO`.
* Adds `ECDSA_verify`.
* Fix to allow `SHA256()` and `MD5()` with FIPSv2.
* Decouple crypto callbacks and hash flags
* Fix for possible use of uninitialized when building TLS bench without TLS v1.3.
* Fix for building with `NO_CHECK_PRIVATE_KEY`. Test `./configure --disable-pkcs12 --enable-opensslextra CFLAGS="-DNO_CHECK_PRIVATE_KEY"`.
* Fix to support `RSA_public_decrypt` for PKCSv15 only with FIPS.
* Cleanup `RSA_public_encrypt`, `RSA_public_decrypt` and `RSA_private_decrypt`.
* Added instructions for building wolfSSL with Android kernel.

IDE/Android/Android.bp

@@ -0,0 +1,115 @@
+cc_library_shared {
+
+    name: "libwolfssl",
+
+    arch: {
+        arm: {
+            instruction_set: "arm",
+        },
+        arm64: {
+            cflags: ["-DARM64"],
+        },
+    },
+    compile_multilib: "both",
+    export_include_dirs: ["."],
+    shared_libs: ["liblog"],
+    cflags: [
+        "-DWOLFSSL_USER_SETTINGS",
+        "-Os",
+        "-fomit-frame-pointer",
+    ],
+    include_dirs: [
+        "external/wolfssl/wolfssl",
+        "external/wolfssl",
+    ],
+
+    srcs: [
+        "./src/crl.c",
+        "./src/internal.c",
+        "./src/keys.c",
+        "./src/ocsp.c",
+        "./src/sniffer.c",
+        "./src/ssl.c",
+        "./src/tls.c",
+        "./src/tls13.c",
+        "./src/wolfio.c",
+    ] + [
+        "./wolfcrypt/src/aes.c",
+        "./wolfcrypt/src/arc4.c",
+        "./wolfcrypt/src/asm.c",
+        "./wolfcrypt/src/asn.c",
+        "./wolfcrypt/src/blake2b.c",
+        "./wolfcrypt/src/blake2s.c",
+        "./wolfcrypt/src/camellia.c",
+        "./wolfcrypt/src/chacha.c",
+        "./wolfcrypt/src/chacha20_poly1305.c",
+        "./wolfcrypt/src/cmac.c",
+        "./wolfcrypt/src/coding.c",
+        "./wolfcrypt/src/compress.c",
+        "./wolfcrypt/src/cpuid.c",
+        "./wolfcrypt/src/cryptocb.c",
+        "./wolfcrypt/src/curve25519.c",
+        "./wolfcrypt/src/curve448.c",
+        "./wolfcrypt/src/des3.c",
+        "./wolfcrypt/src/dh.c",
+        "./wolfcrypt/src/dsa.c",
+        "./wolfcrypt/src/ecc.c",
+        "./wolfcrypt/src/ecc_fp.c",
+        "./wolfcrypt/src/ed25519.c",
+        "./wolfcrypt/src/ed448.c",
+        "./wolfcrypt/src/error.c",
+        "./wolfcrypt/src/fe_448.c",
+        "./wolfcrypt/src/fe_low_mem.c",
+        "./wolfcrypt/src/fe_operations.c",
+        "./wolfcrypt/src/fips.c",
+        "./wolfcrypt/src/fips_test.c",
+        "./wolfcrypt/src/ge_448.c",
+        "./wolfcrypt/src/ge_low_mem.c",
+        "./wolfcrypt/src/ge_operations.c",
+        "./wolfcrypt/src/hash.c",
+        "./wolfcrypt/src/hc128.c",
+        "./wolfcrypt/src/hmac.c",
+        "./wolfcrypt/src/idea.c",
+        "./wolfcrypt/src/integer.c",
+        "./wolfcrypt/src/logging.c",
+        "./wolfcrypt/src/md2.c",
+        "./wolfcrypt/src/md4.c",
+        "./wolfcrypt/src/md5.c",
+        "./wolfcrypt/src/memory.c",
+        "./wolfcrypt/src/pkcs12.c",
+        "./wolfcrypt/src/pkcs7.c",
+        "./wolfcrypt/src/poly1305.c",
+        "./wolfcrypt/src/pwdbased.c",
+        "./wolfcrypt/src/rabbit.c",
+        "./wolfcrypt/src/random.c",
+        "./wolfcrypt/src/rc2.c",
+        "./wolfcrypt/src/ripemd.c",
+        "./wolfcrypt/src/rsa.c",
+        "./wolfcrypt/src/selftest.c",
+        "./wolfcrypt/src/sha256.c",
+        "./wolfcrypt/src/sha3.c",
+        "./wolfcrypt/src/sha512.c",
+        "./wolfcrypt/src/sha.c",
+        "./wolfcrypt/src/signature.c",
+        "./wolfcrypt/src/sp_arm32.c",
+        "./wolfcrypt/src/sp_arm64.c",
+        "./wolfcrypt/src/sp_armthumb.c",
+        "./wolfcrypt/src/sp_c32.c",
+        "./wolfcrypt/src/sp_c64.c",
+        "./wolfcrypt/src/sp_cortexm.c",
+        "./wolfcrypt/src/sp_dsp32.c",
+        "./wolfcrypt/src/sp_int.c",
+        "./wolfcrypt/src/sp_x86_64.c",
+        "./wolfcrypt/src/srp.c",
+        "./wolfcrypt/src/tfm.c",
+        "./wolfcrypt/src/wc_dsp.c",
+        "./wolfcrypt/src/wc_encrypt.c",
+        "./wolfcrypt/src/wc_pkcs11.c",
+        "./wolfcrypt/src/wc_port.c",
+        "./wolfcrypt/src/wolfcrypt_first.c",
+        "./wolfcrypt/src/wolfcrypt_last.c",
+        "./wolfcrypt/src/wolfevent.c",
+        "./wolfcrypt/src/wolfmath.c",
+    ],
+
+}

IDE/Android/README.md

@@ -0,0 +1,37 @@
+# Android wolfSSL Support
+
+Tested on Android v8.1 with WPA Supplicant and KeyStore to replace BoringSSL.
+
+## Files
+
+* `Android.bp`: Template build system file for wolfSSL.
+* `user_settings.h`: Template build settings for wolfSSL
+
+## Installation
+
+1) Place the wolfSSL library into `./external/wolfssl`
+2) Copy `Android.bp` into `./external/wolfssl`
+3) Copy `user_settings.h` into `./external/wolfssl`
+4) Add `PRODUCT_PACKAGES += libwolfssl` to your device .mk.
+
+## Typical Android build instruction
+
+```sh
+source build/envsetup.sh
+lunch [num]
+mm -j8
+```
+
+## Using wolfSSL in your Application
+
+In your `Android.mk` build file for your application add the following:
+
+```makefile
+# Crypto Provider - wolfSSL
+LOCAL_CFLAGS += -DWOLFSSL_USER_SETTINGS -Iexternal/wolfssl -Iexternal/wolfssl/wolfssl
+LOCAL_SHARED_LIBRARIES += libwolfssl
+```
+
+## Support
+
+For questions please email support@wolfssl.com

IDE/Android/include.am

@@ -0,0 +1,8 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+EXTRA_DIST += \
+    IDE/Android/Android.bp \
+    IDE/Android/README.md \
+    IDE/Android/user_settings.h

IDE/Android/user_settings.h

@@ -0,0 +1,101 @@
+/* Custom build settings for Android */
+
+#ifndef _WOLF_USER_SETTINGS_H_
+#define _WOLF_USER_SETTINGS_H_
+
+#if 0
+    #define HAVE_FIPS_VERSION 2
+    #define HAVE_FIPS
+#endif
+
+/* WPA Supplicant Support */
+#define WOLFSSL_WPAS_SMALL
+#define OPENSSL_ALL
+#define HAVE_THREAD_LS
+
+#define USE_FAST_MATH
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+#define HAVE_HASHDRBG
+
+#define WOLFSSL_TLS13
+#define HAVE_SESSION_TICKET
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_EXTENDED_MASTER
+#define HAVE_ENCRYPT_THEN_MAC
+#define WOLFSSL_ENCRYPTED_KEYS
+#define HAVE_KEYING_MATERIAL
+#define NO_OLD_TLS
+#define NO_CHECK_PRIVATE_KEY
+
+#define WOLF_CRYPTO_CB
+#define HAVE_PK_CALLBACKS
+
+#define KEEP_OUR_CERT
+#define KEEP_PEER_CERT
+#define WOLFSSL_ALWAYS_VERIFY_CB
+#define WOLFSSL_ALWAYS_KEEP_SNI
+#define HAVE_EX_DATA
+#define HAVE_EXT_CACHE
+#define WOLFSSL_EITHER_SIDE
+#define WOLFSSL_PUBLIC_MP
+#define WOLFSSL_DER_LOAD
+
+#define WOLFSSL_KEY_GEN
+#define WC_RSA_PSS
+#define WC_RSA_NO_PADDING
+
+#define HAVE_FFDHE_2048
+#define HAVE_DH_DEFAULT_PARAMS
+#ifdef HAVE_FIPS
+    #define WOLFSSL_VALIDATE_FFC_IMPORT
+    #define HAVE_FFDHE_Q
+#endif
+
+#define WOLFSSL_SHA224
+#define WOLFSSL_SHA512
+#define WOLFSSL_SHA384
+
+#define HAVE_HKDF
+#define HAVE_PKCS8
+
+#define HAVE_ECC
+#define TFM_ECC256
+#define ECC_SHAMIR
+#ifdef HAVE_FIPS
+    #define HAVE_ECC_CDH
+    #define WOLFSSL_VALIDATE_ECC_IMPORT
+#endif
+
+#define HAVE_AESGCM
+#define HAVE_AESCCM
+#define WOLFSSL_AES_DIRECT
+#define WOLFSSL_AES_COUNTER
+#define HAVE_AES_ECB
+#define WOLFSSL_CMAC
+
+#define WOLFSSL_BASE64_ENCODE
+#define HAVE_CRL
+
+#define NO_DSA
+#define NO_RC4
+#define NO_HC128
+#define NO_RABBIT
+#define NO_RC4
+#define NO_PSK
+#define WOLFSSL_NO_SHAKE256
+#define NO_MD4
+#define NO_OLD_MD5_NAME
+#define NO_OLD_SHA_NAMES
+#define NO_OLD_SHA256_NAMES
+#define NO_OLD_WC_NAMES
+
+#if 0
+    #define DEBUG_WOLFSSL
+    #define WOLFSSL_ANDROID_DEBUG
+#endif
+
+#endif /* _WOLF_USER_SETTINGS_H_ */

IDE/include.am

@@ -40,6 +40,7 @@ include IDE/VisualDSP/include.am
 include IDE/QNX/include.am
 include IDE/WINCE/include.am
 include IDE/iotsafe/include.am
+include IDE/Android/include.am
 
 EXTRA_DIST+= IDE/IAR-EWARM IDE/MDK-ARM IDE/MDK5-ARM IDE/MYSQL IDE/LPCXPRESSO IDE/HEXIWEAR IDE/Espressif
 EXTRA_DIST+= IDE/OPENSTM32/README.md

examples/benchmark/tls_bench.c

@@ -243,6 +243,7 @@ static const unsigned char dhg[] =
 #endif /* !NO_WOLFSSL_SERVER */
 #endif /* !NO_DH */
 
+#ifdef WOLFSSL_TLS13
 struct group_info {
     word16 group;
     const char *name;
@@ -300,6 +301,7 @@ static struct group_info groups[] = {
 #endif
     { 0, NULL }
 };
+#endif /* WOLFSSL_TLS13 */
 
 #ifdef HAVE_PTHREAD
 typedef struct {
@@ -1707,7 +1709,9 @@ int bench_tls(void* args)
     info_t *theadInfo = NULL, *info;
     stats_t cli_comb, srv_comb;
     int i;
-    int group_index;
+#ifdef WOLFSSL_TLS13
+    int group_index = 0;
+#endif
     char *cipher, *next_cipher, *ciphers = NULL;
     int     argc = 0;
     char**  argv = NULL;
@@ -1932,6 +1936,7 @@ int bench_tls(void* args)
 
     /* parse by : */
     while ((cipher != NULL) && (cipher[0] != '\0')) {
+        const char *gname = "N/A";
         next_cipher = strchr(cipher, ':');
         if (next_cipher != NULL) {
             cipher[next_cipher - cipher] = '\0';
@@ -1943,6 +1948,7 @@ int bench_tls(void* args)
 
 #ifdef WOLFSSL_TLS13
         for (group_index = 0; groups[group_index].name != NULL; group_index++) {
+            gname = theadInfo[0].group == 0 ? "N/A" : groups[group_index].name;
 
             if (argDoGroups && groups[group_index].group == 0) {
                 /* Skip unsupported group. */
@@ -2041,15 +2047,13 @@ int bench_tls(void* args)
             }
     #endif /* HAVE_PTHREAD */
 
-            const char *gname = theadInfo[0].group == 0 ?
-                                "N/A" : groups[group_index].name;
             if (argShowVerbose) {
                 /* print results */
                 for (i = 0; i < argThreadPairs; ++i) {
                     info = &theadInfo[i];
 
                     fprintf(stderr, "\nThread %d\n", i);
-                #ifndef NO_WOLFSSL_SERVER
+            #ifndef NO_WOLFSSL_SERVER
                     if (!argClientOnly)
                         print_stats(&info->server_stats, "Server", info->cipher, gname, 1);
             #endif

src/internal.c

@@ -6024,7 +6024,7 @@ int InitHandshakeHashes(WOLFSSL* ssl)
     ret = wc_InitMd5_ex(&ssl->hsHashes->hashMd5, ssl->heap, ssl->devId);
     if (ret != 0)
         return ret;
-    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    #ifdef WOLFSSL_HASH_FLAGS
         wc_Md5SetFlags(&ssl->hsHashes->hashMd5, WC_HASH_FLAG_WILLCOPY);
     #endif
 #endif
@@ -6032,7 +6032,7 @@ int InitHandshakeHashes(WOLFSSL* ssl)
     ret = wc_InitSha_ex(&ssl->hsHashes->hashSha, ssl->heap, ssl->devId);
     if (ret != 0)
         return ret;
-    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    #ifdef WOLFSSL_HASH_FLAGS
         wc_ShaSetFlags(&ssl->hsHashes->hashSha, WC_HASH_FLAG_WILLCOPY);
     #endif
 #endif
@@ -6041,7 +6041,7 @@ int InitHandshakeHashes(WOLFSSL* ssl)
     ret = wc_InitSha256_ex(&ssl->hsHashes->hashSha256, ssl->heap, ssl->devId);
     if (ret != 0)
         return ret;
-    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    #ifdef WOLFSSL_HASH_FLAGS
         wc_Sha256SetFlags(&ssl->hsHashes->hashSha256, WC_HASH_FLAG_WILLCOPY);
     #endif
 #endif
@@ -6049,7 +6049,7 @@ int InitHandshakeHashes(WOLFSSL* ssl)
     ret = wc_InitSha384_ex(&ssl->hsHashes->hashSha384, ssl->heap, ssl->devId);
     if (ret != 0)
         return ret;
-    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    #ifdef WOLFSSL_HASH_FLAGS
         wc_Sha384SetFlags(&ssl->hsHashes->hashSha384, WC_HASH_FLAG_WILLCOPY);
     #endif
 #endif
@@ -6057,7 +6057,7 @@ int InitHandshakeHashes(WOLFSSL* ssl)
     ret = wc_InitSha512_ex(&ssl->hsHashes->hashSha512, ssl->heap, ssl->devId);
     if (ret != 0)
         return ret;
-    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    #ifdef WOLFSSL_HASH_FLAGS
         wc_Sha512SetFlags(&ssl->hsHashes->hashSha512, WC_HASH_FLAG_WILLCOPY);
     #endif
 #endif
@@ -21902,7 +21902,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
 
 #if !defined(NO_CERTS)
 
-#ifdef WOLF_CRYPTO_CB
+#if defined(WOLF_CRYPTO_CB) && !defined(NO_CHECK_PRIVATE_KEY)
 /* Create a private key for a device.
  *
  * pkey    Key object.

src/ssl.c

@@ -7868,6 +7868,72 @@ WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(const WOLFSSL_CTX* ctx)
 
 #ifdef OPENSSL_EXTRA
 
+WOLFSSL_PKCS8_PRIV_KEY_INFO* wolfSSL_d2i_PKCS8_PKEY(
+    WOLFSSL_PKCS8_PRIV_KEY_INFO** pkey, const unsigned char** keyBuf, long keyLen)
+{
+    WOLFSSL_PKCS8_PRIV_KEY_INFO* pkcs8 = NULL;
+#ifdef WOLFSSL_PEM_TO_DER
+    int ret;
+    DerBuffer* der = NULL;
+
+    if (keyBuf == NULL || *keyBuf == NULL || keyLen <= 0) {
+        WOLFSSL_MSG("Bad key PEM/DER args");
+        return NULL;
+    }
+
+    ret = PemToDer(*keyBuf, keyLen, PRIVATEKEY_TYPE, &der, NULL, NULL, NULL);
+    if (ret < 0) {
+        WOLFSSL_MSG("Not PEM format");
+        ret = AllocDer(&der, (word32)keyLen, PRIVATEKEY_TYPE, NULL);
+        if (ret == 0) {
+            XMEMCPY(der->buffer, *keyBuf, keyLen);
+        }
+    }
+
+    if (ret == 0) {
+        /* Verify this is PKCS8 Key */
+        word32 inOutIdx = 0;
+        word32 algId;
+        ret = ToTraditionalInline_ex(der->buffer, &inOutIdx, der->length, &algId);
+        if (ret >= 0) {
+            ret = 0; /* good DER */
+        }
+    }
+
+    if (ret == 0) {
+        pkcs8 = wolfSSL_EVP_PKEY_new();
+        if (pkcs8 == NULL)
+            ret = MEMORY_E;
+    }
+    if (ret == 0) {
+        pkcs8->pkey.ptr = (char*)XMALLOC(der->length, NULL,
+            DYNAMIC_TYPE_PUBLIC_KEY);
+        if (pkcs8->pkey.ptr == NULL) 
+            ret = MEMORY_E;
+    }
+    if (ret == 0) {
+        XMEMCPY(pkcs8->pkey.ptr, der->buffer, der->length);
+        pkcs8->pkey_sz = der->length;
+    }
+
+    FreeDer(&der);
+    if (ret != 0) {
+        wolfSSL_EVP_PKEY_free(pkcs8);
+        pkcs8 = NULL;
+    }
+    if (pkey != NULL) {
+        *pkey = pkcs8;
+    }
+
+#else
+    (void)bio;
+    (void)pkey;
+#endif /* WOLFSSL_PEM_TO_DER */
+
+    return pkcs8;
+}
+
+
 #ifndef NO_BIO
 /* put SSL type in extra for now, not very common */
 
@@ -7887,10 +7953,8 @@ WOLFSSL_PKCS8_PRIV_KEY_INFO* wolfSSL_d2i_PKCS8_PKEY_bio(WOLFSSL_BIO* bio,
 #ifdef WOLFSSL_PEM_TO_DER
     unsigned char* mem = NULL;
     int memSz;
-    int keySz;
-    word32 algId;
 
-    WOLFSSL_MSG("wolfSSL_d2i_PKCS8_PKEY_bio()");
+    WOLFSSL_ENTER("wolfSSL_d2i_PKCS8_PKEY_bio");
 
     if (bio == NULL) {
         return NULL;
@@ -7900,30 +7964,7 @@ WOLFSSL_PKCS8_PRIV_KEY_INFO* wolfSSL_d2i_PKCS8_PKEY_bio(WOLFSSL_BIO* bio,
         return NULL;
     }
 
-    if ((keySz = wc_KeyPemToDer(mem, memSz, mem, memSz, NULL)) < 0) {
-        WOLFSSL_MSG("Not PEM format");
-        keySz = memSz;
-        if ((keySz = ToTraditional_ex((byte*)mem, (word32)keySz, &algId)) < 0) {
-            return NULL;
-        }
-    }
-
-    pkcs8 = wolfSSL_EVP_PKEY_new();
-    if (pkcs8 == NULL) {
-        return NULL;
-    }
-
-    pkcs8->pkey.ptr = (char*)XMALLOC(keySz, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
-    if (pkcs8->pkey.ptr == NULL) {
-        wolfSSL_EVP_PKEY_free(pkcs8);
-        return NULL;
-    }
-    XMEMCPY(pkcs8->pkey.ptr, mem, keySz);
-    pkcs8->pkey_sz = keySz;
-
-    if (pkey != NULL) {
-        *pkey = pkcs8;
-    }
+    pkcs8 = wolfSSL_d2i_PKCS8_PKEY(pkey, (const unsigned char**)&mem, memSz);
 #else
     (void)bio;
     (void)pkey;
@@ -8576,6 +8617,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out,
 
 #ifndef NO_CERTS
 
+#ifndef NO_CHECK_PRIVATE_KEY
 int wolfSSL_check_private_key(const WOLFSSL* ssl)
 {
     DecodedCert der;
@@ -8657,6 +8699,7 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl)
     FreeDecodedCert(&der);
     return ret;
 }
+#endif /* !NO_CHECK_PRIVATE_KEY */
 
 #if defined(OPENSSL_ALL)
 unsigned int wolfSSL_X509_get_extension_flags(WOLFSSL_X509* x509)
@@ -19271,7 +19314,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
                     ssl->devId) != 0) {
                 return WOLFSSL_FAILURE;
             }
-        #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+        #ifdef WOLFSSL_HASH_FLAGS
             wc_Md5SetFlags(&ssl->hsHashes->hashMd5, WC_HASH_FLAG_WILLCOPY);
         #endif
 #endif
@@ -19280,7 +19323,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
                     ssl->devId) != 0) {
                 return WOLFSSL_FAILURE;
             }
-        #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+        #ifdef WOLFSSL_HASH_FLAGS
             wc_ShaSetFlags(&ssl->hsHashes->hashSha, WC_HASH_FLAG_WILLCOPY);
         #endif
 #endif
@@ -19290,7 +19333,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
                     ssl->devId) != 0) {
                 return WOLFSSL_FAILURE;
             }
-        #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+        #ifdef WOLFSSL_HASH_FLAGS
             wc_Sha256SetFlags(&ssl->hsHashes->hashSha256, WC_HASH_FLAG_WILLCOPY);
         #endif
 #endif
@@ -19299,7 +19342,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
                     ssl->devId) != 0) {
                 return WOLFSSL_FAILURE;
             }
-        #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+        #ifdef WOLFSSL_HASH_FLAGS
             wc_Sha384SetFlags(&ssl->hsHashes->hashSha384, WC_HASH_FLAG_WILLCOPY);
         #endif
 #endif
@@ -19308,7 +19351,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
                     ssl->devId) != 0) {
                 return WOLFSSL_FAILURE;
             }
-        #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+        #ifdef WOLFSSL_HASH_FLAGS
             wc_Sha512SetFlags(&ssl->hsHashes->hashSha512, WC_HASH_FLAG_WILLCOPY);
         #endif
 #endif
@@ -36822,9 +36865,9 @@ int wolfSSL_ECDSA_size(const WOLFSSL_EC_KEY *key)
             2;
 }
 
-int wolfSSL_ECDSA_sign(int type, const unsigned char *digest,
-                       int digestSz, unsigned char *sig,
-                       unsigned int *sigSz, WOLFSSL_EC_KEY *key)
+int wolfSSL_ECDSA_sign(int type,
+    const unsigned char *digest, int digestSz,
+    unsigned char *sig, unsigned int *sigSz, WOLFSSL_EC_KEY *key)
 {
     int ret = WOLFSSL_SUCCESS;
     WC_RNG* rng = NULL;
@@ -36861,7 +36904,8 @@ int wolfSSL_ECDSA_sign(int type, const unsigned char *digest,
         }
     }
     if (rng) {
-        if (wc_ecc_sign_hash(digest, digestSz, sig, sigSz, rng, (ecc_key*)key->internal) != MP_OKAY) {
+        if (wc_ecc_sign_hash(digest, digestSz, sig, sigSz, rng,
+                (ecc_key*)key->internal) != 0) {
             ret = WOLFSSL_FAILURE;
         }
         if (initTmpRng) {
@@ -36880,6 +36924,32 @@ int wolfSSL_ECDSA_sign(int type, const unsigned char *digest,
     return ret;
 }
 
+int wolfSSL_ECDSA_verify(int type, 
+    const unsigned char *digest, int digestSz,
+    const unsigned char *sig, int sigSz, WOLFSSL_EC_KEY *key)
+{
+    int ret = WOLFSSL_SUCCESS;
+    int verify = 0;
+
+    WOLFSSL_ENTER("wolfSSL_ECDSA_verify");
+
+    if (key == NULL) {
+        return WOLFSSL_FAILURE;
+    }
+
+    if (wc_ecc_verify_hash(sig, sigSz, digest, digestSz,
+            &verify, (ecc_key*)key->internal) != 0) {
+        ret = WOLFSSL_FAILURE;
+    }
+    if (ret == WOLFSSL_SUCCESS && verify != 1) {
+        WOLFSSL_MSG("wolfSSL_ECDSA_verify failed");
+        ret = WOLFSSL_FAILURE;
+    }
+
+    (void)type;
+    return ret;
+}
+
 #ifndef HAVE_SELFTEST
 /* ECC point compression types were not included in selftest ecc.h */
 
@@ -44827,10 +44897,15 @@ err:
             return WOLFSSL_FAILURE;
         }
 
+    #ifndef NO_CHECK_PRIVATE_KEY
         return wc_CheckPrivateKey((byte*)key->pkey.ptr, key->pkey_sz,
                 x509->pubKey.buffer, x509->pubKey.length,
                 (enum Key_Sum)x509->pubKeyOID) == 1 ?
                         WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
+    #else
+        /* not compiled in */
+        return WOLFSSL_SUCCESS;
+    #endif
     }
 
 /* wolfSSL uses negative values for error states. This function returns an
@@ -46218,6 +46293,11 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_bio(WOLFSSL_BIO* bio,
 }
 #endif /* !NO_BIO */
 
+#endif /* OPENSSL_ALL || WOLFSSL_ASIO || WOLFSSL_HAPROXY || WOLFSSL_QT */
+
+
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) || \
+    defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) || defined(WOLFSSL_WPAS_SMALL)
 
 /* Converts a DER encoded private key to a WOLFSSL_EVP_PKEY structure.
  * returns a pointer to a new WOLFSSL_EVP_PKEY structure on success and NULL
@@ -46326,7 +46406,8 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_EVP(WOLFSSL_EVP_PKEY** out,
     #endif /* HAVE_ECC */
     return pkey;
 }
-#endif /* OPENSSL_ALL || WOLFSSL_ASIO || WOLFSSL_HAPROXY || WOLFSSL_QT */
+
+#endif /* OPENSSL_ALL || WOLFSSL_ASIO || WOLFSSL_HAPROXY || WOLFSSL_QT || WOLFSSL_WPAS_SMALL*/
 
 
 /* stunnel compatibility functions*/
@@ -51268,67 +51349,63 @@ int wolfSSL_RSA_public_encrypt(int len, const unsigned char* fr,
 #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)
     int  mgf = WC_MGF1NONE;
     enum wc_HashType hash = WC_HASH_TYPE_NONE;
+    int pad_type;
 #endif
 
-    WOLFSSL_MSG("wolfSSL_RSA_public_encrypt");
+    WOLFSSL_ENTER("RSA_public_encrypt");
 
-    /* Check and remap the padding to internal values, if needed. */
 #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)
-    if (padding == RSA_PKCS1_PADDING)
-        padding = WC_RSA_PKCSV15_PAD;
-    else if (padding == RSA_PKCS1_OAEP_PADDING) {
-        padding = WC_RSA_OAEP_PAD;
+    switch (padding) {
+    case RSA_PKCS1_PADDING:
+        pad_type = WC_RSA_PKCSV15_PAD;
+        break;
+    case RSA_PKCS1_OAEP_PADDING:
+        pad_type = WC_RSA_OAEP_PAD;
         hash = WC_HASH_TYPE_SHA;
         mgf = WC_MGF1SHA1;
-    }
-    else if (padding == RSA_PKCS1_PSS_PADDING) {
-        padding = WC_RSA_PSS_PAD;
+        break;
+    case RSA_PKCS1_PSS_PADDING:
+        pad_type = WC_RSA_PSS_PAD;
         hash = WC_HASH_TYPE_SHA256;
         mgf  = WC_MGF1SHA256;
+        break;
+    case RSA_NO_PADDING:
+        pad_type = WC_RSA_NO_PAD;
+        break;
+    default:
+        WOLFSSL_MSG("RSA_public_encrypt unsupported padding");
+        return WOLFSSL_FAILURE;
     }
-    else if (padding == RSA_NO_PADDING) {
-        padding = WC_RSA_NO_PAD;
-    }
-#else
-    if (padding == RSA_PKCS1_PADDING)
-      ;
 #endif
-    else {
-        WOLFSSL_MSG("wolfSSL_RSA_public_encrypt unsupported padding");
-        return 0;
-    }
 
-    if (rsa->inSet == 0)
-    {
+    if (rsa->inSet == 0) {
         if (SetRsaInternal(rsa) != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("SetRsaInternal failed");
-            return 0;
+            return WOLFSSL_FAILURE;
         }
     }
 
     outLen = wolfSSL_RSA_size(rsa);
-
-    rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRNG, &initTmpRng);
-
     if (outLen == 0) {
         WOLFSSL_MSG("Bad RSA size");
     }
 
+    rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRNG, &initTmpRng);
     if (rng) {
 #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)
         ret = wc_RsaPublicEncrypt_ex(fr, len, to, outLen,
-                             (RsaKey*)rsa->internal, rng, padding,
+                             (RsaKey*)rsa->internal, rng, pad_type,
                              hash, mgf, NULL, 0);
 #else
-        ret = wc_RsaPublicEncrypt(fr, len, to, outLen,
-                             (RsaKey*)rsa->internal, rng);
-#endif
-        if (ret <= 0) {
-            WOLFSSL_MSG("Bad Rsa Encrypt");
+        if (padding == RSA_PKCS1_PADDING) {
+            ret = wc_RsaPublicEncrypt(fr, len, to, outLen,
+                                (RsaKey*)rsa->internal, rng);
         }
-        if (len <= 0) {
-            WOLFSSL_MSG("Bad Rsa Encrypt");
+        else {
+            WOLFSSL_MSG("RSA_public_encrypt pad type not supported in FIPS");
+            ret = WOLFSSL_FAILURE;
         }
+#endif
     }
 
     if (initTmpRng)
@@ -51338,18 +51415,16 @@ int wolfSSL_RSA_public_encrypt(int len, const unsigned char* fr,
         XFREE(tmpRNG, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
-    if (ret >= 0)
-        WOLFSSL_MSG("wolfSSL_RSA_public_encrypt success");
-    else {
-        WOLFSSL_MSG("wolfSSL_RSA_public_encrypt failed");
-        ret = WOLFSSL_FATAL_ERROR; /* return -1 on error case */
+    WOLFSSL_LEAVE("RSA_public_encrypt", ret);
+
+    if (ret <= 0) {
+        ret = WOLFSSL_FAILURE;
     }
     return ret;
 }
 
 
 
-
 /* return compliant with OpenSSL
  *   size of plain recovered data if success , -1 if error
  */
@@ -51361,40 +51436,39 @@ int wolfSSL_RSA_private_decrypt(int len, const unsigned char* fr,
   #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)
     int mgf = WC_MGF1NONE;
     enum wc_HashType hash = WC_HASH_TYPE_NONE;
+    int pad_type;
   #endif
 
-    WOLFSSL_MSG("wolfSSL_RSA_private_decrypt");
+    WOLFSSL_ENTER("RSA_private_decrypt");
 
 #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)
-    if (padding == RSA_PKCS1_PADDING)
-        padding = WC_RSA_PKCSV15_PAD;
-    else if (padding == RSA_PKCS1_OAEP_PADDING) {
-        padding = WC_RSA_OAEP_PAD;
+    switch (padding) {
+    case RSA_PKCS1_PADDING:
+        pad_type = WC_RSA_PKCSV15_PAD;
+        break;
+    case RSA_PKCS1_OAEP_PADDING:
+        pad_type = WC_RSA_OAEP_PAD;
         hash = WC_HASH_TYPE_SHA;
         mgf = WC_MGF1SHA1;
-    }
-    else if (padding == RSA_PKCS1_PSS_PADDING) {
-        padding = WC_RSA_PSS_PAD;
+        break;
+    case RSA_PKCS1_PSS_PADDING:
+        pad_type = WC_RSA_PSS_PAD;
         hash = WC_HASH_TYPE_SHA256;
         mgf  = WC_MGF1SHA256;
+        break;
+    case RSA_NO_PADDING:
+        pad_type = WC_RSA_NO_PAD;
+        break;
+    default:
+        WOLFSSL_MSG("RSA_private_decrypt unsupported padding");
+        return WOLFSSL_FAILURE;
     }
-    else if (padding == RSA_NO_PADDING) {
-        padding = WC_RSA_NO_PAD;
-    }
-#else
-    if (padding == RSA_PKCS1_PADDING)
-        ;
 #endif
-    else {
-        WOLFSSL_MSG("wolfSSL_RSA_private_decrypt unsupported padding");
-        return 0;
-    }
 
-    if (rsa->inSet == 0)
-    {
+    if (rsa->inSet == 0) {
         if (SetRsaInternal(rsa) != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("SetRsaInternal failed");
-            return 0;
+            return WOLFSSL_FAILURE;
         }
     }
 
@@ -51406,41 +51480,45 @@ int wolfSSL_RSA_private_decrypt(int len, const unsigned char* fr,
     /* size of 'to' buffer must be size of RSA key */
 #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)
     ret = wc_RsaPrivateDecrypt_ex(fr, len, to, outLen,
-                            (RsaKey*)rsa->internal, padding,
+                            (RsaKey*)rsa->internal, pad_type,
                             hash, mgf, NULL, 0);
 #else
-    ret = wc_RsaPrivateDecrypt(fr, len, to, outLen,
-                            (RsaKey*)rsa->internal);
+    if (padding == RSA_PKCS1_PADDING) {
+        ret = wc_RsaPrivateDecrypt(fr, len, to, outLen,
+                                (RsaKey*)rsa->internal);
+    }
+    else {
+        WOLFSSL_MSG("RSA_private_decrypt pad type not supported in FIPS");
+        ret = WOLFSSL_FAILURE;
+    }
 #endif
 
-    if (len <= 0) {
-        WOLFSSL_MSG("Bad Rsa Decrypt");
+    if (ret <= 0) {
+        ret = WOLFSSL_FAILURE;
     }
+    WOLFSSL_LEAVE("RSA_private_decrypt", ret);
 
-    if (ret > 0)
-        WOLFSSL_MSG("wolfSSL_RSA_private_decrypt success");
-    else {
-        WOLFSSL_MSG("wolfSSL_RSA_private_decrypt failed");
-        ret = WOLFSSL_FATAL_ERROR;
-    }
     return ret;
 }
 
-#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
-    (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
 int wolfSSL_RSA_public_decrypt(int flen, const unsigned char* from,
                           unsigned char* to, WOLFSSL_RSA* rsa, int padding)
 {
-    int tlen = 0;
+    int ret = 0;
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
     int pad_type;
+#endif
 
-    WOLFSSL_ENTER("wolfSSL_RSA_public_decrypt");
+    WOLFSSL_ENTER("RSA_public_decrypt");
 
     if (rsa == NULL || rsa->internal == NULL || from == NULL) {
         WOLFSSL_MSG("Bad function arguments");
         return WOLFSSL_FAILURE;
     }
 
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
     switch (padding) {
     case RSA_PKCS1_PADDING:
         pad_type = WC_RSA_PKCSV15_PAD;
@@ -51455,12 +51533,12 @@ int wolfSSL_RSA_public_decrypt(int flen, const unsigned char* from,
         pad_type = WC_RSA_NO_PAD;
         break;
     default:
-        WOLFSSL_MSG("wolfSSL_RSA_public_decrypt unsupported padding");
+        WOLFSSL_MSG("RSA_public_decrypt unsupported padding");
         return WOLFSSL_FAILURE;
     }
+#endif
 
-    if (rsa->inSet == 0)
-    {
+    if (rsa->inSet == 0) {
         WOLFSSL_MSG("No RSA internal set, do it");
 
         if (SetRsaInternal(rsa) != WOLFSSL_SUCCESS) {
@@ -51469,17 +51547,30 @@ int wolfSSL_RSA_public_decrypt(int flen, const unsigned char* from,
         }
     }
 
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2))
     /* size of 'to' buffer must be size of RSA key */
-    tlen = wc_RsaSSL_Verify_ex(from, flen, to, wolfSSL_RSA_size(rsa),
+    ret = wc_RsaSSL_Verify_ex(from, flen, to, wolfSSL_RSA_size(rsa),
                                (RsaKey*)rsa->internal, pad_type);
-    if (tlen <= 0)
-        WOLFSSL_MSG("wolfSSL_RSA_public_decrypt failed");
+#else
+    /* For FIPS v1/v2 only PKCSV15 padding is supported */
+    if (padding == RSA_PKCS1_PADDING) {
+        ret = wc_RsaSSL_Verify(from, flen, to, wolfSSL_RSA_size(rsa),
+            (RsaKey*)rsa->internal);
+    }
     else {
-        WOLFSSL_MSG("wolfSSL_RSA_public_decrypt success");
+        WOLFSSL_MSG("RSA_public_decrypt pad type not supported in FIPS");
+        ret = WOLFSSL_FAILURE;
+    }
+#endif
+
+    WOLFSSL_LEAVE("RSA_public_decrypt", ret);
+
+    if (ret <= 0) {
+        ret = WOLFSSL_FAILURE;
     }
-    return tlen;
+    return ret;
 }
-#endif /* !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) */
 
 /* RSA private encrypt calls wc_RsaSSL_Sign. Similar function set up as RSA
  * public decrypt.

tests/api.c

@@ -2637,10 +2637,9 @@ static void test_ECDSA_size_sign(void)
     EC_KEY *key;
     int id;
     byte hash[WC_MAX_DIGEST_SIZE];
-    byte sig[ECC_BUFSIZE];
+    byte sig[ECC_MAX_SIG_SIZE];
     unsigned int sigSz = sizeof(sig);
 
-
     XMEMSET(hash, 123, sizeof(hash));
 
     id = wc_ecc_get_curve_id_from_name("SECP256R1");
@@ -2650,6 +2649,8 @@ static void test_ECDSA_size_sign(void)
     AssertIntEQ(EC_KEY_generate_key(key), 1);
     AssertIntEQ(ECDSA_sign(0, hash, sizeof(hash), sig, &sigSz, key), 1);
     AssertIntGE(ECDSA_size(key), sigSz);
+    AssertIntEQ(ECDSA_verify(0, hash, sizeof(hash), sig, sigSz, key), 1);
+
     EC_KEY_free(key);
 
 #endif /* HAVE_ECC && !NO_ECC256 && !NO_ECC_SECP */
@@ -9340,8 +9341,7 @@ static int test_wc_Sha256FinalRaw (void)
 static int test_wc_Sha256GetFlags (void)
 {
     int flag = 0;
-#if !defined(NO_SHA256) && \
-    (defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB))
+#if !defined(NO_SHA256) && defined(WOLFSSL_HASH_FLAGS)
     wc_Sha256 sha256;
     word32 flags = 0;
 
@@ -9796,8 +9796,7 @@ static int test_wc_Sha512Final (void)
 static int test_wc_Sha512GetFlags (void)
 {
     int flag = 0;
-#if defined(WOLFSSL_SHA512) && \
-    (defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB))
+#if defined(WOLFSSL_SHA512) && defined(WOLFSSL_HASH_FLAGS)
     wc_Sha512 sha512;
     word32 flags = 0;
 
@@ -10221,8 +10220,7 @@ static int test_wc_Sha512_224GetFlags (void)
 {
     int flag = 0;
 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)    
-#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224) && \
-    (defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB))
+#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224) && defined(WOLFSSL_HASH_FLAGS)
     wc_Sha512 sha512, copy;
     word32 flags = 0;
 
@@ -10490,8 +10488,7 @@ static int test_wc_Sha512_256GetFlags (void)
 {
     int flag = 0;
 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)    
-#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256) && \
-    (defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB))
+#if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256) && defined(WOLFSSL_HASH_FLAGS)
     wc_Sha512 sha512, copy;
     word32 flags = 0;
 
@@ -10834,8 +10831,7 @@ static int test_wc_Sha384Final (void)
 static int test_wc_Sha384GetFlags (void)
 {
     int flag = 0;
-#if defined(WOLFSSL_SHA384) && \
-    (defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB))
+#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_HASH_FLAGS)
     wc_Sha384 sha384;
     word32 flags = 0;
 
@@ -11261,8 +11257,7 @@ static int test_wc_Sha224Final (void)
 static int test_wc_Sha224SetFlags (void)
 {
     int flag = 0;
-#if defined(WOLFSSL_SHA224) && \
-    (defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB))
+#if defined(WOLFSSL_SHA224) && defined(WOLFSSL_HASH_FLAGS)
     wc_Sha224 sha224;
     word32 flags = 0;
 
@@ -11294,8 +11289,7 @@ static int test_wc_Sha224SetFlags (void)
 static int test_wc_Sha224GetFlags (void)
 {
     int flag = 0;
-#if defined(WOLFSSL_SHA224) && \
-    (defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB))
+#if defined(WOLFSSL_SHA224) && defined(WOLFSSL_HASH_FLAGS)
     wc_Sha224 sha224;
     word32 flags = 0;
 
@@ -12565,8 +12559,7 @@ static int test_wc_Sha3_512_Copy (void)
 static int test_wc_Sha3_GetFlags (void)
 {
     int ret = 0;
-#if defined(WOLFSSL_SHA3) && \
-    (defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB))
+#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_HASH_FLAGS)
     wc_Sha3            sha3;
     word32             flags = 0;
 
@@ -28683,7 +28676,7 @@ static int test_wc_HashInit(void)
 static int test_wc_HashSetFlags(void)
 {
     int ret = 0;
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     wc_HashAlg hash;
     word32 flags = 0;
     int i, j;
@@ -28785,7 +28778,7 @@ static int test_wc_HashSetFlags(void)
 static int test_wc_HashGetFlags(void)
 {
     int ret = 0;
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     wc_HashAlg hash;
     word32 flags = 0;
     int i, j;
@@ -29418,15 +29411,19 @@ static void test_wolfSSL_certs(void)
 #endif
     AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM));
     AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM));
-    #ifndef HAVE_USER_RSA
     AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM));
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntEQ(SSL_CTX_check_private_key(ctx), SSL_FAILURE);
+    #endif
     AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM));
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntEQ(SSL_CTX_check_private_key(ctx), SSL_SUCCESS);
     #endif
     AssertNotNull(ssl = SSL_new(ctx));
-
+    
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
+    #endif
 
     #ifdef HAVE_PK_CALLBACKS
     AssertIntEQ((int)SSL_set_tlsext_debug_arg(ssl, NULL), WOLFSSL_SUCCESS);
@@ -29441,7 +29438,7 @@ static void test_wolfSSL_certs(void)
     AssertNotNull(x509ext);
     AssertIntEQ(SSL_use_certificate(ssl, x509ext), WOLFSSL_SUCCESS);
 
-    #ifndef HAVE_USER_RSA
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     /* with loading in a new cert the check on private key should now fail */
     AssertIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
     #endif
@@ -29627,7 +29624,7 @@ static void test_wolfSSL_certs(void)
 static void test_wolfSSL_X509_check_private_key(void)
 {
 #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
-        defined(USE_CERT_BUFFERS_2048)
+        defined(USE_CERT_BUFFERS_2048) && !defined(NO_CHECK_PRIVATE_KEY)
     X509*  x509;
     EVP_PKEY* pkey = NULL;
     const byte* key;
@@ -29817,12 +29814,18 @@ static void test_wolfSSL_private_keys(void)
     AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM));
     /* Have to load a cert before you can check the private key against that
      * certificates public key! */
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_FAILURE);
+    #endif
     AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM));
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS);
+    #endif
     AssertNotNull(ssl = SSL_new(ctx));
 
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
+    #endif
 
 #ifdef USE_CERT_BUFFERS_2048
     {
@@ -29833,33 +29836,36 @@ static void test_wolfSSL_private_keys(void)
     AssertIntEQ(SSL_use_RSAPrivateKey_ASN1(ssl,
                 (unsigned char*)client_key_der_2048,
                 sizeof_client_key_der_2048), WOLFSSL_SUCCESS);
-#ifndef HAVE_USER_RSA
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     /* Should mismatch now that a different private key loaded */
     AssertIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
-#endif
+    #endif
 
     AssertIntEQ(SSL_use_PrivateKey_ASN1(0, ssl,
                 (unsigned char*)server_key,
                 sizeof_server_key_der_2048), WOLFSSL_SUCCESS);
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     /* After loading back in DER format of original key, should match */
     AssertIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
+    #endif
 
     /* test loading private key to the WOLFSSL_CTX */
     AssertIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx,
                 (unsigned char*)client_key_der_2048,
                 sizeof_client_key_der_2048), WOLFSSL_SUCCESS);
-#ifndef NO_CHECK_PRIVATE_KEY
-#ifndef HAVE_USER_RSA
+
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     /* Should mismatch now that a different private key loaded */
     AssertIntNE(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS);
-#endif
+    #endif
 
     AssertIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx,
                 (unsigned char*)server_key,
                 sizeof_server_key_der_2048), WOLFSSL_SUCCESS);
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     /* After loading back in DER format of original key, should match */
     AssertIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS);
-#endif /* !NO_CHECK_PRIVATE_KEY */
+    #endif
 
     /* pkey not set yet, expecting to fail */
     AssertIntEQ(SSL_use_PrivateKey(ssl, pkey), WOLFSSL_FAILURE);
@@ -29907,7 +29913,9 @@ static void test_wolfSSL_private_keys(void)
                                                          WOLFSSL_FILETYPE_PEM));
     AssertNotNull(ssl = SSL_new(ctx));
 
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
+    #endif
     SSL_free(ssl);
 
 
@@ -29915,7 +29923,9 @@ static void test_wolfSSL_private_keys(void)
                                                          WOLFSSL_FILETYPE_PEM));
     AssertNotNull(ssl = SSL_new(ctx));
 
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
+    #endif
 
     SSL_free(ssl);
     SSL_CTX_free(ctx);
@@ -29933,7 +29943,9 @@ static void test_wolfSSL_private_keys(void)
                                                          WOLFSSL_FILETYPE_PEM));
     AssertNotNull(ssl = SSL_new(ctx));
 
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
+    #endif
     SSL_free(ssl);
 
 
@@ -29941,7 +29953,9 @@ static void test_wolfSSL_private_keys(void)
                                                          WOLFSSL_FILETYPE_PEM));
     AssertNotNull(ssl = SSL_new(ctx));
 
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
+    #endif
 
     SSL_free(ssl);
     SSL_CTX_free(ctx);
@@ -29959,7 +29973,9 @@ static void test_wolfSSL_private_keys(void)
                                                          WOLFSSL_FILETYPE_PEM));
     AssertNotNull(ssl = SSL_new(ctx));
 
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
+    #endif
     SSL_free(ssl);
 
 
@@ -29967,7 +29983,9 @@ static void test_wolfSSL_private_keys(void)
                                                          WOLFSSL_FILETYPE_PEM));
     AssertNotNull(ssl = SSL_new(ctx));
 
+    #if !defined(HAVE_USER_RSA) && !defined(NO_CHECK_PRIVATE_KEY)
     AssertIntNE(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS);
+    #endif
 
     SSL_free(ssl);
     SSL_CTX_free(ctx);

wolfcrypt/src/evp.c

@@ -7590,6 +7590,25 @@ int wolfSSL_EVP_PKEY_get_default_digest_nid(WOLFSSL_EVP_PKEY *pkey, int *pnid)
     }
 }
 
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL)
+WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKCS82PKEY(const WOLFSSL_PKCS8_PRIV_KEY_INFO* p8)
+{
+    if (p8 == NULL || p8->pkey.ptr == NULL) {
+        return NULL;
+    }
+
+    return wolfSSL_d2i_PrivateKey_EVP(NULL, (unsigned char**)&p8->pkey.ptr,
+        p8->pkey_sz);
+}
+
+/* in wolf PKCS8_PRIV_KEY_INFO and WOLFSSL_EVP_PKEY are same type */
+/* this function just casts and returns pointer */
+WOLFSSL_PKCS8_PRIV_KEY_INFO* wolfSSL_EVP_PKEY2PKCS8(const WOLFSSL_EVP_PKEY* pkey)
+{
+    return (WOLFSSL_PKCS8_PRIV_KEY_INFO*)pkey;
+}
+#endif
+
 /* increments ref count of WOLFSSL_EVP_PKEY. Return 1 on success, 0 on error */
 int wolfSSL_EVP_PKEY_up_ref(WOLFSSL_EVP_PKEY* pkey)
 {

wolfcrypt/src/hash.c

@@ -996,7 +996,7 @@ int wc_HashFree(wc_HashAlg* hash, enum wc_HashType type)
     return ret;
 }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_HashSetFlags(wc_HashAlg* hash, enum wc_HashType type, word32 flags)
 {
     int ret = HASH_TYPE_E; /* Default to hash type error */
@@ -1127,7 +1127,7 @@ int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
 
     return ret;
 }
-#endif
+#endif /* WOLFSSL_HASH_FLAGS */
 
 
 #if !defined(WOLFSSL_TI_HASH)

wolfcrypt/src/md5.c

@@ -303,7 +303,7 @@ static int _InitMd5(wc_Md5* md5)
     md5->buffLen = 0;
     md5->loLen   = 0;
     md5->hiLen   = 0;
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     md5->flags = 0;
 #endif
 
@@ -545,7 +545,7 @@ int wc_Md5Copy(wc_Md5* src, wc_Md5* dst)
 #ifdef WOLFSSL_PIC32MZ_HASH
     ret = wc_Pic32HashCopy(&src->cache, &dst->cache);
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     dst->flags |= WC_HASH_FLAG_ISCOPY;
 #endif
 
@@ -565,7 +565,7 @@ int wc_Md5Transform(wc_Md5* md5, const byte* data)
     return Transform(md5, data);
 }
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Md5SetFlags(wc_Md5* md5, word32 flags)
 {
     if (md5) {

wolfcrypt/src/port/arm/armv8-sha256.c

@@ -1390,7 +1390,7 @@ int wc_Sha256GetHash(wc_Sha256* sha256, byte* hash)
     return ret;
 }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha256SetFlags(wc_Sha256* sha256, word32 flags)
 {
     if (sha256) {
@@ -1532,7 +1532,7 @@ int wc_Sha256Transform(wc_Sha256* sha256, const unsigned char* data)
         return ret;
     }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     int wc_Sha224SetFlags(wc_Sha224* sha224, word32 flags)
     {
         if (sha224) {

wolfcrypt/src/port/arm/armv8-sha512.c

@@ -67,7 +67,7 @@ static int InitSha512(wc_Sha512* sha512)
     sha512->buffLen = 0;
     sha512->loLen   = 0;
     sha512->hiLen   = 0;
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha512->flags = 0;
 #endif
 
@@ -99,7 +99,7 @@ static int InitSha512_224(wc_Sha512* sha512)
     sha512->buffLen = 0;
     sha512->loLen   = 0;
     sha512->hiLen   = 0;
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha512->flags = 0;
 #endif
 
@@ -133,7 +133,7 @@ static int InitSha512_256(wc_Sha512* sha512)
     sha512->buffLen = 0;
     sha512->loLen   = 0;
     sha512->hiLen   = 0;
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha512->flags = 0;
 #endif
 
@@ -693,7 +693,7 @@ static int InitSha384(wc_Sha384* sha384)
     sha384->buffLen = 0;
     sha384->loLen   = 0;
     sha384->hiLen   = 0;
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha384->flags = 0;
 #endif
 
@@ -856,14 +856,14 @@ int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst)
     dst->W = NULL;
 #endif
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
      dst->flags |= WC_HASH_FLAG_ISCOPY;
 #endif
 
     return ret;
 }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha512SetFlags(wc_Sha512* sha512, word32 flags)
 {
     if (sha512) {
@@ -912,7 +912,7 @@ int wc_Sha512_224Copy(wc_Sha512* src, wc_Sha512* dst)
     return wc_Sha512Copy(src, dst);
 }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha512_224SetFlags(wc_Sha512* sha, word32 flags)
 {
     return wc_Sha512SetFlags(sha, flags);
@@ -921,7 +921,7 @@ int wc_Sha512_224GetFlags(wc_Sha512* sha, word32* flags)
 {
     return wc_Sha512GetFlags(sha, flags);
 }
-#endif /* WOLFSSL_HASH_FLAGS || WOLF_CRYPTO_CB */
+#endif /* WOLFSSL_HASH_FLAGS */
 
 #if defined(OPENSSL_EXTRA)
 int wc_Sha512_224Transform(wc_Sha512* sha, const unsigned char* data)
@@ -962,7 +962,7 @@ int wc_Sha512_256Copy(wc_Sha512* src, wc_Sha512* dst)
     return wc_Sha512Copy(src, dst);
 }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha512_256SetFlags(wc_Sha512* sha, word32 flags)
 {
     return wc_Sha512SetFlags(sha, flags);
@@ -971,7 +971,7 @@ int wc_Sha512_256GetFlags(wc_Sha512* sha, word32* flags)
 {
     return wc_Sha512GetFlags(sha, flags);
 }
-#endif /* WOLFSSL_HASH_FLAGS || WOLF_CRYPTO_CB */
+#endif /* WOLFSSL_HASH_FLAGS */
 
 #if defined(OPENSSL_EXTRA)
 int wc_Sha512_256Transform(wc_Sha512* sha, const unsigned char* data)
@@ -1013,14 +1013,14 @@ int wc_Sha384Copy(wc_Sha384* src, wc_Sha384* dst)
     dst->W = NULL;
 #endif
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
      dst->flags |= WC_HASH_FLAG_ISCOPY;
 #endif
 
     return ret;
 }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha384SetFlags(wc_Sha384* sha384, word32 flags)
 {
     if (sha384) {

wolfcrypt/src/port/nxp/dcp_port.c

@@ -386,7 +386,7 @@ int wc_Sha256Final(wc_Sha256* sha256, byte* hash)
     return ret;
 }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha256SetFlags(wc_Sha256* sha256, word32 flags)
 {
     if (sha256) {
@@ -401,7 +401,7 @@ int wc_Sha256GetFlags(wc_Sha256* sha256, word32* flags)
     }
     return 0;
 }
-#endif /* WOLFSSL_HASH_FLAGS || WOLF_CRYPTO_CB */
+#endif /* WOLFSSL_HASH_FLAGS */
 
 int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
 {
@@ -498,7 +498,7 @@ int wc_ShaFinal(wc_Sha* sha, byte* hash)
     return ret;
 }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_ShaSetFlags(wc_Sha* sha, word32 flags)
 {
     if (sha) {
@@ -513,7 +513,7 @@ int wc_ShaGetFlags(wc_Sha* sha, word32* flags)
     }
     return 0;
 }
-#endif /* WOLFSSL_HASH_FLAGS || WOLF_CRYPTO_CB */
+#endif /* WOLFSSL_HASH_FLAGS */
 
 int wc_ShaCopy(wc_Sha* src, wc_Sha* dst)
 {

wolfcrypt/src/sha.c

@@ -389,7 +389,7 @@
         sha->buffLen = 0;
         sha->loLen   = 0;
         sha->hiLen   = 0;
-    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    #ifdef WOLFSSL_HASH_FLAGS
         sha->flags = 0;
     #endif
 
@@ -924,7 +924,7 @@ int wc_ShaCopy(wc_Sha* src, wc_Sha* dst)
      dst->ctx.isfirstblock = src->ctx.isfirstblock;
      dst->ctx.sha_type = src->ctx.sha_type;
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
      dst->flags |= WC_HASH_FLAG_ISCOPY;
 #endif
     return ret;
@@ -933,7 +933,7 @@ int wc_ShaCopy(wc_Sha* src, wc_Sha* dst)
 #endif /* !WOLFSSL_TI_HASH && !WOLFSSL_IMXRT_DCP */
 
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_ShaSetFlags(wc_Sha* sha, word32 flags)
 {
     if (sha) {

wolfcrypt/src/sha256.c

@@ -207,7 +207,7 @@ static int InitSha256(wc_Sha256* sha256)
     sha256->buffLen = 0;
     sha256->loLen   = 0;
     sha256->hiLen   = 0;
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha256->flags = 0;
 #endif
 
@@ -1497,7 +1497,7 @@ static int InitSha256(wc_Sha256* sha256)
         /* choose best Transform function under this runtime environment */
         Sha256_SetTransform();
     #endif
-    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    #ifdef WOLFSSL_HASH_FLAGS
         sha224->flags = 0;
     #endif
 
@@ -1715,7 +1715,7 @@ void wc_Sha256Free(wc_Sha256* sha256)
     #ifdef WOLFSSL_ASYNC_CRYPT
         ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
     #endif
-    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    #ifdef WOLFSSL_HASH_FLAGS
         dst->flags |= WC_HASH_FLAG_ISCOPY;
     #endif
 
@@ -1724,7 +1724,7 @@ void wc_Sha256Free(wc_Sha256* sha256)
 
 #endif /* WOLFSSL_KCAPI_HASH && !WOLFSSL_NO_KCAPI_SHA224 */
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     int wc_Sha224SetFlags(wc_Sha224* sha224, word32 flags)
     {
         if (sha224) {
@@ -1821,7 +1821,7 @@ int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
      dst->ctx.isfirstblock = src->ctx.isfirstblock;
      dst->ctx.sha_type = src->ctx.sha_type;
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
      dst->flags |= WC_HASH_FLAG_ISCOPY;
 #endif
 
@@ -1829,7 +1829,7 @@ int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
 }
 #endif
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha256SetFlags(wc_Sha256* sha256, word32 flags)
 {
     if (sha256) {

wolfcrypt/src/sha3.c

@@ -599,7 +599,7 @@ static int InitSha3(wc_Sha3* sha3)
     for (i = 0; i < 25; i++)
         sha3->s[i] = 0;
     sha3->i = 0;
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha3->flags = 0;
 #endif
 
@@ -844,7 +844,7 @@ static int wc_Sha3Copy(wc_Sha3* src, wc_Sha3* dst)
 #ifdef WOLFSSL_ASYNC_CRYPT
     ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
      dst->flags |= WC_HASH_FLAG_ISCOPY;
 #endif
 
@@ -1164,7 +1164,7 @@ int wc_Sha3_512_Copy(wc_Sha3* src, wc_Sha3* dst)
     return wc_Sha3Copy(src, dst);
 }
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha3_SetFlags(wc_Sha3* sha3, word32 flags)
 {
     if (sha3) {

wolfcrypt/src/sha512.c

@@ -294,7 +294,7 @@ static int InitSha512(wc_Sha512* sha512)
     */
     sha512->ctx.mode = ESP32_SHA_INIT;
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha512->flags = 0;
 #endif
     return 0;
@@ -341,7 +341,7 @@ static int InitSha512_224(wc_Sha512* sha512)
     */
     sha512->ctx.mode = ESP32_SHA_INIT;
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha512->flags = 0;
 #endif
     return 0;
@@ -390,7 +390,7 @@ static int InitSha512_256(wc_Sha512* sha512)
     */
     sha512->ctx.mode = ESP32_SHA_INIT;
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha512->flags = 0;
 #endif
     return 0;
@@ -1313,7 +1313,7 @@ static int InitSha384(wc_Sha384* sha384)
     sha384->ctx.mode = ESP32_SHA_INIT;
 
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     sha384->flags = 0;
 #endif
 
@@ -1538,7 +1538,7 @@ int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst)
     dst->ctx.isfirstblock = src->ctx.isfirstblock;
     dst->ctx.sha_type = src->ctx.sha_type;
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
      dst->flags |= WC_HASH_FLAG_ISCOPY;
 #endif
 
@@ -1547,7 +1547,7 @@ int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst)
 
 #endif /* WOLFSSL_KCAPI_HASH */
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha512SetFlags(wc_Sha512* sha512, word32 flags)
 {
     if (sha512) {
@@ -1562,7 +1562,7 @@ int wc_Sha512GetFlags(wc_Sha512* sha512, word32* flags)
     }
     return 0;
 }
-#endif /* WOLFSSL_HASH_FLAGS || WOLF_CRYPTO_CB */
+#endif /* WOLFSSL_HASH_FLAGS */
 
 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
 
@@ -1611,7 +1611,7 @@ int wc_Sha512_224Copy(wc_Sha512* src, wc_Sha512* dst)
 }
 #endif
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha512_224SetFlags(wc_Sha512* sha, word32 flags)
 {
     return wc_Sha512SetFlags(sha, flags);
@@ -1620,7 +1620,7 @@ int wc_Sha512_224GetFlags(wc_Sha512* sha, word32* flags)
 {
     return wc_Sha512GetFlags(sha, flags);
 }
-#endif /* WOLFSSL_HASH_FLAGS || WOLF_CRYPTO_CB */
+#endif /* WOLFSSL_HASH_FLAGS */
 
 #if defined(OPENSSL_EXTRA)
 int wc_Sha512_224Transform(wc_Sha512* sha, const unsigned char* data)
@@ -1673,7 +1673,7 @@ int wc_Sha512_256Copy(wc_Sha512* src, wc_Sha512* dst)
 }
 #endif
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha512_256SetFlags(wc_Sha512* sha, word32 flags)
 {
     return wc_Sha512SetFlags(sha, flags);
@@ -1682,7 +1682,7 @@ int wc_Sha512_256GetFlags(wc_Sha512* sha, word32* flags)
 {
     return wc_Sha512GetFlags(sha, flags);
 }
-#endif /* WOLFSSL_HASH_FLAGS || WOLF_CRYPTO_CB */
+#endif /* WOLFSSL_HASH_FLAGS */
 
 #if defined(OPENSSL_EXTRA)
 int wc_Sha512_256Transform(wc_Sha512* sha, const unsigned char* data)
@@ -1756,7 +1756,7 @@ int wc_Sha384Copy(wc_Sha384* src, wc_Sha384* dst)
     dst->ctx.isfirstblock = src->ctx.isfirstblock;
     dst->ctx.sha_type = src->ctx.sha_type;
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
      dst->flags |= WC_HASH_FLAG_ISCOPY;
 #endif
 
@@ -1765,7 +1765,7 @@ int wc_Sha384Copy(wc_Sha384* src, wc_Sha384* dst)
 
 #endif /* WOLFSSL_KCAPI_HASH */
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
 int wc_Sha384SetFlags(wc_Sha384* sha384, word32 flags)
 {
     if (sha384) {

wolfssl/openssl/ec.h

@@ -218,6 +218,10 @@ WOLFSSL_API int wolfSSL_ECDSA_size(const WOLFSSL_EC_KEY *key);
 WOLFSSL_API int wolfSSL_ECDSA_sign(int type, const unsigned char *digest,
                                    int digestSz, unsigned char *sig,
                                    unsigned int *sigSz, WOLFSSL_EC_KEY *key);
+WOLFSSL_API int wolfSSL_ECDSA_verify(int type, const unsigned char *digest,
+                                   int digestSz, const unsigned char *sig,
+                                   int sigSz, WOLFSSL_EC_KEY *key);
+
 WOLFSSL_API
 void wolfSSL_EC_GROUP_set_asn1_flag(WOLFSSL_EC_GROUP *group, int flag);
 WOLFSSL_API
@@ -310,6 +314,7 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group,
 
 #define ECDSA_size                      wolfSSL_ECDSA_size
 #define ECDSA_sign                      wolfSSL_ECDSA_sign
+#define ECDSA_verify                    wolfSSL_ECDSA_verify
 
 #define EC_GROUP_free                   wolfSSL_EC_GROUP_free
 #define EC_GROUP_set_asn1_flag          wolfSSL_EC_GROUP_set_asn1_flag

wolfssl/openssl/evp.h

@@ -73,6 +73,7 @@ typedef char WOLFSSL_EVP_CIPHER;
 typedef char   WOLFSSL_EVP_MD;
 typedef struct WOLFSSL_EVP_PKEY     WOLFSSL_EVP_PKEY;
 typedef struct WOLFSSL_EVP_MD_CTX   WOLFSSL_EVP_MD_CTX;
+typedef struct WOLFSSL_EVP_PKEY     WOLFSSL_PKCS8_PRIV_KEY_INFO;
 #define WOLFSSL_EVP_TYPE_DEFINED
 #endif
 
@@ -670,6 +671,9 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_type(int type);
 WOLFSSL_API int wolfSSL_EVP_PKEY_id(const WOLFSSL_EVP_PKEY *pkey);
 WOLFSSL_API int wolfSSL_EVP_PKEY_base_id(const WOLFSSL_EVP_PKEY *pkey);
 WOLFSSL_API int wolfSSL_EVP_PKEY_get_default_digest_nid(WOLFSSL_EVP_PKEY *pkey, int *pnid);
+WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKCS82PKEY(const WOLFSSL_PKCS8_PRIV_KEY_INFO* p8);
+WOLFSSL_API WOLFSSL_PKCS8_PRIV_KEY_INFO* wolfSSL_EVP_PKEY2PKCS8(const WOLFSSL_EVP_PKEY* pkey);
+
 WOLFSSL_API int wolfSSL_EVP_SignFinal(WOLFSSL_EVP_MD_CTX *ctx, unsigned char *sigret,
                   unsigned int *siglen, WOLFSSL_EVP_PKEY *pkey);
 WOLFSSL_API int wolfSSL_EVP_SignInit(WOLFSSL_EVP_MD_CTX *ctx, const WOLFSSL_EVP_MD *type);
@@ -960,6 +964,8 @@ typedef WOLFSSL_ASN1_PCTX      ASN1_PCTX;
 #define EVP_PKEY_get_default_digest_nid wolfSSL_EVP_PKEY_get_default_digest_nid
 #define EVP_PKEY_id                    wolfSSL_EVP_PKEY_id
 #define EVP_PKEY_CTX_ctrl_str          wolfSSL_EVP_PKEY_CTX_ctrl_str
+#define EVP_PKCS82PKEY                 wolfSSL_EVP_PKCS82PKEY
+#define EVP_PKEY2PKCS8                 wolfSSL_EVP_PKEY2PKCS8
 #define EVP_SignFinal                  wolfSSL_EVP_SignFinal
 #define EVP_SignInit                   wolfSSL_EVP_SignInit
 #define EVP_SignInit_ex                wolfSSL_EVP_SignInit_ex

wolfssl/openssl/md5.h

@@ -69,16 +69,30 @@ typedef WOLFSSL_MD5_CTX MD5_CTX;
     #define MD5Final wolfSSL_MD5_Final
 #endif
 
+/* "MD5" has some conflicts
+ * If not FIPS and NO_OLD_SHA_NAMES defined
+ * If FIPS V2 or higher and NO_OLD_MD5_NAME defined
+ * If FIPS V2 and NO_OLD_WC_NAMES defined
+ * If FIPS v1 not allowed
+ */
+#if (defined(NO_OLD_MD5_NAME) && !defined(HAVE_FIPS)) || \
+    (defined(NO_OLD_MD5_NAME)    && defined(HAVE_FIPS) && \
+        defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION >= 2) || \
+    (defined(NO_OLD_WC_NAMES) && defined(HAVE_FIPS) && \
+        defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION == 2)
+
+    #define MD5               wolfSSL_MD5
+#endif
+
+/* FIPS v1 uses old MD5_DIGEST_SIZE naming */
 #if (!defined(HAVE_FIPS) || \
-        (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) && \
+        (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION >= 2)) && \
          defined(OPENSSL_EXTRA)
-/* For fips v1 defined in wolfssl/wolfcrypt/md5.h as
- * WC_MD5 for compatibility */
-#define MD5               wolfSSL_MD5
+    #define MD5_DIGEST_LENGTH WC_MD5_DIGEST_SIZE
+#else
+    #define MD5_DIGEST_LENGTH MD5_DIGEST_SIZE
 #endif
 
-#define MD5_DIGEST_LENGTH MD5_DIGEST_SIZE
-
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif

wolfssl/openssl/sha.h

@@ -147,9 +147,20 @@ typedef WOLFSSL_SHA256_CTX SHA256_CTX;
 #define SHA256_Final  wolfSSL_SHA256_Final
 #define SHA256_Transform wolfSSL_SHA256_Transform
 
-#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
-    /* SHA256 is only available in non-fips mode because of SHA256 enum in FIPS
-     * build. */
+/* "SHA256" has some conflicts
+ * If not FIPS and NO_OLD_SHA_NAMES defined
+ * If FIPS V3 or higher and NO_OLD_SHA_NAMES defined
+ * If FIPS V2 and NO_OLD_SHA256_NAMES defined
+ * If FIPS v1 not allowed
+ * If HAVE_SELFTEST not allowed
+ */
+#if !defined(HAVE_SELFTEST) && \
+    (defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS)) || \
+    (defined(NO_OLD_SHA_NAMES)    && defined(HAVE_FIPS) && \
+        defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION >= 3) || \
+    (defined(NO_OLD_SHA256_NAMES) && defined(HAVE_FIPS) && \
+        defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION == 2)
+
     #define SHA256 wolfSSL_SHA256
 #endif
 

wolfssl/openssl/ssl.h

@@ -199,6 +199,8 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_use_certificate             wolfSSL_use_certificate
 #define SSL_use_certificate_ASN1        wolfSSL_use_certificate_ASN1
 #define d2i_PKCS8_PRIV_KEY_INFO_bio     wolfSSL_d2i_PKCS8_PKEY_bio
+#define d2i_PKCS8_PRIV_KEY_INFO         wolfSSL_d2i_PKCS8_PKEY
+#define i2d_PKCS8_PRIV_KEY_INFO         wolfSSL_i2d_PrivateKey
 #define d2i_PKCS8PrivateKey_bio         wolfSSL_d2i_PKCS8PrivateKey_bio
 #define i2d_PKCS8PrivateKey_bio         wolfSSL_PEM_write_bio_PKCS8PrivateKey
 #define PKCS8_PRIV_KEY_INFO_free        wolfSSL_EVP_PKEY_free

wolfssl/ssl.h

@@ -412,10 +412,11 @@ struct WOLFSSL_EVP_PKEY {
     byte ownDsa:1; /* if struct owns DSA and should free it */
     byte ownRsa:1; /* if struct owns RSA and should free it */
 };
-typedef struct WOLFSSL_EVP_PKEY WOLFSSL_PKCS8_PRIV_KEY_INFO;
+
 #ifndef WOLFSSL_EVP_TYPE_DEFINED /* guard on redeclaration */
 typedef struct WOLFSSL_EVP_PKEY     WOLFSSL_EVP_PKEY;
 typedef struct WOLFSSL_EVP_MD_CTX   WOLFSSL_EVP_MD_CTX;
+typedef struct WOLFSSL_EVP_PKEY     WOLFSSL_PKCS8_PRIV_KEY_INFO;
 typedef char   WOLFSSL_EVP_MD;
 #define WOLFSSL_EVP_TYPE_DEFINED
 #endif
@@ -1777,6 +1778,8 @@ WOLFSSL_API int       wolfSSL_X509_CRL_verify(WOLFSSL_X509_CRL*, WOLFSSL_EVP_PKE
 WOLFSSL_API void      wolfSSL_X509_OBJECT_free_contents(WOLFSSL_X509_OBJECT*);
 WOLFSSL_API WOLFSSL_PKCS8_PRIV_KEY_INFO* wolfSSL_d2i_PKCS8_PKEY_bio(
         WOLFSSL_BIO* bio, WOLFSSL_PKCS8_PRIV_KEY_INFO** pkey);
+WOLFSSL_API WOLFSSL_PKCS8_PRIV_KEY_INFO* wolfSSL_d2i_PKCS8_PKEY(
+        WOLFSSL_PKCS8_PRIV_KEY_INFO** pkey, const unsigned char** keyBuf, long keyLen);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY_bio(WOLFSSL_BIO* bio,
                                          WOLFSSL_EVP_PKEY** out);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY(WOLFSSL_EVP_PKEY** key,

wolfssl/wolfcrypt/hash.h

@@ -170,7 +170,7 @@ WOLFSSL_API int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type,
     byte* out);
 WOLFSSL_API int wc_HashFree(wc_HashAlg* hash, enum wc_HashType type);
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_HashSetFlags(wc_HashAlg* hash, enum wc_HashType type,
         word32 flags);
     WOLFSSL_API int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type,

wolfssl/wolfcrypt/md5.h

@@ -100,7 +100,7 @@ typedef struct wc_Md5 {
 #ifdef WOLFSSL_ASYNC_CRYPT
     WC_ASYNC_DEV asyncDev;
 #endif /* WOLFSSL_ASYNC_CRYPT */
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     word32 flags; /* enum wc_HashFlags in hash.h */
 #endif
 } wc_Md5;
@@ -123,7 +123,7 @@ WOLFSSL_API int  wc_Md5Copy(wc_Md5*, wc_Md5*);
 WOLFSSL_API void wc_Md5SizeSet(wc_Md5* md5, word32 len);
 #endif
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_Md5SetFlags(wc_Md5* md5, word32 flags);
     WOLFSSL_API int wc_Md5GetFlags(wc_Md5* md5, word32* flags);
 #endif

wolfssl/wolfcrypt/settings.h

@@ -2510,6 +2510,16 @@ extern void uITRON4_free(void *p) ;
      */
 #endif
 
+/* Crypto callbacks should enable hash flag support */
+#if defined(WOLF_CRYPTO_CB) && !defined(WOLFSSL_HASH_FLAGS)
+    /* FIPS v1 and v2 do not support hash flags, so do not allow it with 
+     * crypto callbacks */
+    #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && \
+            defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION >= 3)
+        #define WOLFSSL_HASH_FLAGS
+    #endif
+#endif
+
 
 /* ---------------------------------------------------------------------------
  * Depricated Algorithm Handling

wolfssl/wolfcrypt/sha.h

@@ -153,7 +153,7 @@ struct wc_Sha {
    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
     WC_ESP32SHA ctx;
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     word32 flags; /* enum wc_HashFlags in hash.h */
 #endif
 };
@@ -185,7 +185,7 @@ WOLFSSL_API int wc_ShaTransform(wc_Sha*, const byte*);
 WOLFSSL_API void wc_ShaSizeSet(wc_Sha* sha, word32 len);
 #endif
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_ShaSetFlags(wc_Sha* sha, word32 flags);
     WOLFSSL_API int wc_ShaGetFlags(wc_Sha* sha, word32* flags);
 #endif

wolfssl/wolfcrypt/sha256.h

@@ -203,7 +203,7 @@ struct wc_Sha256 {
     int    devId;
     void*  devCtx; /* generic crypto callback context */
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     word32 flags; /* enum wc_HashFlags in hash.h */
 #endif
 };
@@ -233,7 +233,7 @@ WOLFSSL_API int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst);
 WOLFSSL_API void wc_Sha256SizeSet(wc_Sha256*, word32);
 #endif
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_Sha256SetFlags(wc_Sha256* sha256, word32 flags);
     WOLFSSL_API int wc_Sha256GetFlags(wc_Sha256* sha256, word32* flags);
 #endif
@@ -278,7 +278,7 @@ WOLFSSL_API void wc_Sha224Free(wc_Sha224*);
 WOLFSSL_API int wc_Sha224GetHash(wc_Sha224*, byte*);
 WOLFSSL_API int wc_Sha224Copy(wc_Sha224* src, wc_Sha224* dst);
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_Sha224SetFlags(wc_Sha224* sha224, word32 flags);
     WOLFSSL_API int wc_Sha224GetFlags(wc_Sha224* sha224, word32* flags);
 #endif

wolfssl/wolfcrypt/sha3.h

@@ -107,7 +107,7 @@ struct wc_Sha3 {
 #ifdef WOLFSSL_ASYNC_CRYPT
     WC_ASYNC_DEV asyncDev;
 #endif /* WOLFSSL_ASYNC_CRYPT */
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     word32 flags; /* enum wc_HashFlags in hash.h */
 #endif
 };
@@ -156,7 +156,7 @@ WOLFSSL_API int wc_Shake256_Final(wc_Shake*, byte*, word32);
 WOLFSSL_API void wc_Shake256_Free(wc_Shake*);
 WOLFSSL_API int wc_Shake256_Copy(wc_Shake* src, wc_Sha3* dst);
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_Sha3_SetFlags(wc_Sha3* sha3, word32 flags);
     WOLFSSL_API int wc_Sha3_GetFlags(wc_Sha3* sha3, word32* flags);
 #endif

wolfssl/wolfcrypt/sha512.h

@@ -180,7 +180,7 @@ struct wc_Sha512 {
     int    devId;
     void*  devCtx; /* generic crypto callback context */
 #endif
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     word32 flags; /* enum wc_HashFlags in hash.h */
 #endif
 #endif /* WOLFSSL_PSOC6_CRYPTO */
@@ -211,7 +211,7 @@ WOLFSSL_API void wc_Sha512Free(wc_Sha512*);
 WOLFSSL_API int wc_Sha512GetHash(wc_Sha512*, byte*);
 WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst);
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_Sha512SetFlags(wc_Sha512* sha512, word32 flags);
     WOLFSSL_API int wc_Sha512GetFlags(wc_Sha512* sha512, word32* flags);
 #endif
@@ -229,7 +229,7 @@ WOLFSSL_API int wc_Sha512_224Final(wc_Sha512*, byte*);
 WOLFSSL_API void wc_Sha512_224Free(wc_Sha512*);
 WOLFSSL_API int wc_Sha512_224GetHash(wc_Sha512*, byte*);
 WOLFSSL_API int wc_Sha512_224Copy(wc_Sha512* src, wc_Sha512* dst);
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_Sha512_224SetFlags(wc_Sha512* sha512, word32 flags);
     WOLFSSL_API int wc_Sha512_224GetFlags(wc_Sha512* sha512, word32* flags);
 #endif
@@ -249,7 +249,7 @@ WOLFSSL_API int wc_Sha512_256Final(wc_Sha512*, byte*);
 WOLFSSL_API void wc_Sha512_256Free(wc_Sha512*);
 WOLFSSL_API int wc_Sha512_256GetHash(wc_Sha512*, byte*);
 WOLFSSL_API int wc_Sha512_256Copy(wc_Sha512* src, wc_Sha512* dst);
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_Sha512_256SetFlags(wc_Sha512* sha512, word32 flags);
     WOLFSSL_API int wc_Sha512_256GetFlags(wc_Sha512* sha512, word32* flags);
 #endif
@@ -306,7 +306,7 @@ WOLFSSL_API void wc_Sha384Free(wc_Sha384*);
 WOLFSSL_API int wc_Sha384GetHash(wc_Sha384*, byte*);
 WOLFSSL_API int wc_Sha384Copy(wc_Sha384* src, wc_Sha384* dst);
 
-#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+#ifdef WOLFSSL_HASH_FLAGS
     WOLFSSL_API int wc_Sha384SetFlags(wc_Sha384* sha384, word32 flags);
     WOLFSSL_API int wc_Sha384GetFlags(wc_Sha384* sha384, word32* flags);
 #endif