Merge pull request #3170 from kaleb-himes/FIPS_USER_SETTINGS

Remove fixed len constraint in FIPS mode

IDE/GCC-ARM/Header/user_settings.h

@@ -171,16 +171,15 @@ extern "C" {
     #undef  ECC_TIMING_RESISTANT
     #define ECC_TIMING_RESISTANT
 
-    /* Enable cofactor support */
     #ifdef HAVE_FIPS
         #undef  HAVE_ECC_CDH
-        #define HAVE_ECC_CDH
+        #define HAVE_ECC_CDH /* Enable cofactor support */
-    #endif
+
+        #undef NO_STRICT_ECDSA_LEN
+        #define NO_STRICT_ECDSA_LEN /* Do not force fixed len w/ FIPS */
 
-    /* Validate import */
-    #ifdef HAVE_FIPS
         #undef  WOLFSSL_VALIDATE_ECC_IMPORT
-        #define WOLFSSL_VALIDATE_ECC_IMPORT
+        #define WOLFSSL_VALIDATE_ECC_IMPORT /* Validate import */
     #endif
 
     /* Compressed Key Support */

wolfssl/wolfcrypt/settings.h

@@ -2269,6 +2269,15 @@ extern void uITRON4_free(void *p) ;
     #undef WOLFSSL_TLS13
 #endif
 
+/* For FIPSv2 make sure the ECDSA encoding allows extra bytes
+ * but make sure users consider enabling it */
+#if !defined(NO_STRICT_ECDSA_LEN) && defined(HAVE_FIPS) && \
+        defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    /* ECDSA length checks off by default for CAVP testing
+     * consider enabling strict checks in production */
+    #define NO_STRICT_ECDSA_LEN
+#endif
+
 
 #ifdef __cplusplus
     }   /* extern "C" */