From ffdc2eddf600281d6589e80fc93815871d557629 Mon Sep 17 00:00:00 2001
From: kaleb-himes <kaleb@wolfssl.com>
Date: Tue, 28 Jul 2020 13:34:52 -0600
Subject: [PATCH 1/3] Remove fixed len constraint in FIPS mode

---
 IDE/GCC-ARM/Header/user_settings.h | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/IDE/GCC-ARM/Header/user_settings.h b/IDE/GCC-ARM/Header/user_settings.h
index 80e3d0d62..aecd1e718 100644
--- a/IDE/GCC-ARM/Header/user_settings.h
+++ b/IDE/GCC-ARM/Header/user_settings.h
@@ -171,16 +171,15 @@ extern "C" {
     #undef  ECC_TIMING_RESISTANT
     #define ECC_TIMING_RESISTANT
 
-    /* Enable cofactor support */
     #ifdef HAVE_FIPS
         #undef  HAVE_ECC_CDH
-        #define HAVE_ECC_CDH
-    #endif
+        #define HAVE_ECC_CDH /* Enable cofactor support */
+
+        #undef NO_STRICT_ECDSA_LEN
+        #define NO_STRICT_ECDSA_LEN /* Do not force fixed len w/ FIPS */
 
-    /* Validate import */
-    #ifdef HAVE_FIPS
         #undef  WOLFSSL_VALIDATE_ECC_IMPORT
-        #define WOLFSSL_VALIDATE_ECC_IMPORT
+        #define WOLFSSL_VALIDATE_ECC_IMPORT /* Validate import */
     #endif
 
     /* Compressed Key Support */

From 567f1b8be4d207c5fc934ece07f30f1af6042c3a Mon Sep 17 00:00:00 2001
From: Kaleb Himes <kaleb@wolfssl.com>
Date: Tue, 28 Jul 2020 15:52:36 -0600
Subject: [PATCH 2/3] Add to settings.h w a warning directive

---
 wolfssl/wolfcrypt/settings.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 3ee4a7dbc..c2837b722 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2272,6 +2272,15 @@ extern void uITRON4_free(void *p) ;
     #undef WOLFSSL_TLS13
 #endif
 
+/* For FIPSv2 make sure the ECDSA encoding allows extra bytes
+ * but make sure users consider enabling it */
+#if !defined(NO_STRICT_ECDSA_LEN) && defined(HAVE_FIPS) && \
+        defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION >= 2    
+    #define NO_STRICT_ECDSA_LEN
+    #warning "ECDSA length checks off by default for CAVP testing"
+    #warning "consider enabling strict checks in production"
+#endif
+
 
 #ifdef __cplusplus
     }   /* extern "C" */

From 80678d96b62818d976ef9893d5e7099137180081 Mon Sep 17 00:00:00 2001
From: Kaleb Himes <kaleb@wolfssl.com>
Date: Wed, 29 Jul 2020 10:10:33 -0600
Subject: [PATCH 3/3] Change to inline comment

---
 wolfssl/wolfcrypt/settings.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index c2837b722..2ad0e7710 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2275,10 +2275,10 @@ extern void uITRON4_free(void *p) ;
 /* For FIPSv2 make sure the ECDSA encoding allows extra bytes
  * but make sure users consider enabling it */
 #if !defined(NO_STRICT_ECDSA_LEN) && defined(HAVE_FIPS) && \
-        defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION >= 2    
+        defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    /* ECDSA length checks off by default for CAVP testing
+     * consider enabling strict checks in production */
     #define NO_STRICT_ECDSA_LEN
-    #warning "ECDSA length checks off by default for CAVP testing"
-    #warning "consider enabling strict checks in production"
 #endif