diff --git a/configure.ac b/configure.ac
index a936ead5a..2497c3e34 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3514,10 +3514,6 @@ AS_CASE([$FIPS_VERSION],
 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
- # DES3 is incompatible with FIPS 140-3
- AS_IF([test "$ENABLED_DES3" != "no"],
- [ENABLED_DES3="no"])
-
 # force various features to FIPS 140-3 defaults, unless overridden with v5-dev:
 AS_IF([test "$ENABLED_KEYGEN" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_keygen" != "no")],
@@ -3569,6 +3565,9 @@ AS_CASE([$FIPS_VERSION],
 AS_IF([test "$ENABLED_MD5" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_md5" != "yes")],
 [ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
+ AS_IF([test "$ENABLED_DES3" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_des3" != "yes")],
+ [ENABLED_DES3="no"])
+
 AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
 [AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesofb" != "no")],
 [ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])])
diff --git a/src/include.am b/src/include.am
index 152803015..e3dec427f 100644
--- a/src/include.am
+++ b/src/include.am
@@ -452,11 +452,13 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
 endif
 endif !BUILD_FIPS_CURRENT
-if !BUILD_FIPS_CURRENT
+if !BUILD_FIPS_V2
+if !BUILD_FIPS_V3
 if BUILD_DES3
 src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
-endif
-endif !BUILD_FIPS_CURRENT
+endif BUILD_DES3
+endif !BUILD_FIPS_V3
+endif !BUILD_FIPS_V2
 if !BUILD_FIPS_CURRENT
 if BUILD_SHA
diff --git a/wolfssl/wolfcrypt/des3.h b/wolfssl/wolfcrypt/des3.h
index d1a46393a..cb5b84181 100644
--- a/wolfssl/wolfcrypt/des3.h
+++ b/wolfssl/wolfcrypt/des3.h
@@ -55,7 +55,7 @@ enum {
 /* avoid redefinition of structs */
 #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
- (HAVE_FIPS_VERSION == 2 || HAVE_FIPS_VERSION == 3))
+ HAVE_FIPS_VERSION >= 2)
 #ifdef WOLFSSL_ASYNC_CRYPT
 #include
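Review bot: The DES3 check added in the second configure.ac hunk carries no comment, and the one the first hunk deletes (`# DES3 is incompatible with FIPS 140-3`) was the only text explaining why 3DES is switched off in this branch. With the new condition a v5-dev build keeps 3DES whenever `$enable_des3` is `yes`, so the rationale should move with the code, e.g. `# DES3 is not part of the FIPS 140-3 feature set; only v5-dev with an explicit --enable-des3 keeps it`. Unlike the MD5 line just above, which also appends `-DNO_MD5` to `AM_CFLAGS`, the DES3 line only resets `ENABLED_DES3`; presumably the matching define is derived from that variable later, outside this hunk, which is worth confirming. The enclosing `AS_CASE` starts and ends outside the hunk.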
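Review bot: The new guard around `wolfcrypt/src/des3.c` is a deny-list (`!BUILD_FIPS_V2`, `!BUILD_FIPS_V3`), so every other FIPS flavor, including any added later, picks up des3.c from the regular source list whenever `BUILD_DES3` is true. Keeping 3DES out of those builds then rests entirely on configure.ac forcing `ENABLED_DES3="no"`. The des3.h hunk has the same open-ended shape, where `HAVE_FIPS_VERSION >= 2` replaces the explicit `== 2 || == 3` list. A short comment above the block would record the intent, e.g. `# FIPS v2/v3 are excluded here; every other build takes des3.c from this list when DES3 is enabled`. The reason v2/v3 are excluded is presumably that their source lists already provide des3.c, but those lists are outside this hunk and should be checked before wording the comment more strongly.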