From 58789991f987cd0fe9f1428c85cd7b828ea17b3e Mon Sep 17 00:00:00 2001
From: Hayden Roche
Date: Mon, 24 Jan 2022 12:44:57 -0800
Subject: [PATCH] Allow DES3 with FIPS v5-dev.
---
 configure.ac | 7 +++----
 src/include.am | 8 +++++---
 wolfssl/wolfcrypt/des3.h | 2 +-
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/configure.ac b/configure.ac
index b96ee01e8..f5cc183df 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3503,10 +3503,6 @@ AS_CASE([$FIPS_VERSION],
 DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
- # DES3 is incompatible with FIPS 140-3
- AS_IF([test "$ENABLED_DES3" != "no"],
- [ENABLED_DES3="no"])
-
 # force various features to FIPS 140-3 defaults, unless overridden with v5-dev:
 AS_IF([test "$ENABLED_KEYGEN" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_keygen" != "no")],
@@ -3558,6 +3554,9 @@ AS_CASE([$FIPS_VERSION],
 AS_IF([test "$ENABLED_MD5" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_md5" != "yes")],
 [ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
+ AS_IF([test "$ENABLED_DES3" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_des3" != "yes")],
+ [ENABLED_DES3="no"])
+
 AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
 [AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesofb" != "no")],
 [ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])])
diff --git a/src/include.am b/src/include.am
index 152803015..e3dec427f 100644
--- a/src/include.am
+++ b/src/include.am
@@ -452,11 +452,13 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
 endif
 endif !BUILD_FIPS_CURRENT
-if !BUILD_FIPS_CURRENT
+if !BUILD_FIPS_V2
+if !BUILD_FIPS_V3
 if BUILD_DES3
 src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
-endif
-endif !BUILD_FIPS_CURRENT
+endif BUILD_DES3
+endif !BUILD_FIPS_V3
+endif !BUILD_FIPS_V2
 if !BUILD_FIPS_CURRENT
 if BUILD_SHA
diff --git a/wolfssl/wolfcrypt/des3.h b/wolfssl/wolfcrypt/des3.h
index f05b54e49..96c566f49 100644
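Review bot: The DES3 check added in the second configure.ac hunk has no comment, and the commit deletes the only line that explained the restriction (`# DES3 is incompatible with FIPS 140-3`). From the new side alone a reader cannot tell that 3DES is still forced off for every FIPS_VERSION handled by this arm except v5-dev, or that v5-dev keeps it only when `--enable-des3` was passed explicitly; a DES3 setting turned on indirectly is reset to "no". I would put `# DES3 is not a FIPS 140-3 default: keep it only on an explicit --enable-des3 with v5-dev` above the new `AS_IF`. The reset is also silent, so an `AC_MSG_NOTICE` in the action branch would tell the builder that the request was dropped; the MD5 check just above follows the same silent pattern. The enclosing `AS_CASE` arm starts and ends outside the hunk.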
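Review bot: The new guard around des3.c in src/include.am (`if !BUILD_FIPS_V2` / `if !BUILD_FIPS_V3`) no longer matches the neighbouring cmac and SHA blocks, which still test `!BUILD_FIPS_CURRENT`, and nothing in the file records why DES3 is the exception. The conditionals are defined outside this hunk, so it cannot be checked here whether BUILD_FIPS_CURRENT covered any flavour besides v2 and v3; if it did, des3.c is now compiled for that flavour as well whenever BUILD_DES3 is set. A comment above the block would capture the intent, for example `# des3.c: built here for non-FIPS and v5-dev builds; v2/v3 take it from their own source lists`. That wording is inferred from the commit subject and should be confirmed against the v2/v3 sections before it is adopted.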
--- a/wolfssl/wolfcrypt/des3.h
+++ b/wolfssl/wolfcrypt/des3.h
@@ -55,7 +55,7 @@ enum {
 /* avoid redefinition of structs */
 #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
- (HAVE_FIPS_VERSION == 2 || HAVE_FIPS_VERSION == 3))
+ HAVE_FIPS_VERSION >= 2)
 #ifdef WOLFSSL_ASYNC_CRYPT
 #include
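Review bot: `HAVE_FIPS_VERSION >= 2` is open-ended, so the definitions under this `#if` are now exposed for every FIPS version from 2 upward, not only for the v5-dev case named in the commit subject. If a later module version ships its own copies of these structs, the guard would let through exactly the redefinition that the comment above it warns about. If the intent is that only pre-v2 FIPS headers define them, the comment should say so, for example `/* avoid redefinition of structs: only FIPS modules older than v2 define them */`; otherwise list the versions explicitly in the condition. The `#if` block continues past the end of the hunk, so its full extent is not visible here.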