configure.ac:

* allow for fips-dev in v7|ready|dev ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG setup and change from AC_MSG_WARN to AC_MSG_ERROR if user tries to disable outside fips-dev;
* set ENABLED_SHA512_DRBG=no in lean-aesgcm setup;

wolfcrypt/test/test.c: suppress concurrency-mt-unsafe in myFipsCb();

 .wolfssl_known_macro_extras: fix lexical order.
This commit is contained in:
Daniel Pouzzner
2026-04-24 15:16:57 -05:00
parent 72a39bfa57
commit 363bb0e216
3 changed files with 11 additions and 10 deletions
+1 -1
View File
@@ -842,6 +842,7 @@ WOLFSSL_NO_KCAPI_HMAC_SHA384
WOLFSSL_NO_KCAPI_HMAC_SHA512
WOLFSSL_NO_KCAPI_SHA224
WOLFSSL_NO_KTRI_ORACLE_WARNING
WOLFSSL_NO_LMS_SHAKE256_256
WOLFSSL_NO_OCSP_DATE_CHECK
WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
WOLFSSL_NO_OCSP_OPTIONAL_CERTS
@@ -1145,4 +1146,3 @@ ssize_t
sun
versal
wc_Tls13_HKDF_Expand_Label
WOLFSSL_NO_LMS_SHAKE256_256
+9 -8
View File
@@ -6350,14 +6350,14 @@ AS_CASE([$FIPS_VERSION],
SLHDSA_PARAM_SHA2_256F="yes"])
# SHA-256 DRBG -- cannot be disabled at build time in FIPS mode
AS_IF([test "$enable_sha256_drbg" = "no"],
[AC_MSG_WARN([Can not disable SHA256-DRBG at build time in FIPS mode, disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
ENABLED_SHA256_DRBG="yes"
AS_IF([test "$ENABLED_SHA256_DRBG" != "yes" &&
test "$FIPS_VERSION" != "dev"],
[AC_MSG_ERROR([Can not disable SHA256-DRBG at build time in FIPS mode. Disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
# SHA-512 DRBG -- cannot be disabled at build time in FIPS mode
AS_IF([test "$enable_sha512_drbg" = "no"],
[AC_MSG_WARN([Can not disable SHA512-DRBG at build time in FIPS mode, disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
ENABLED_SHA512_DRBG="yes"
AS_IF([test "$ENABLED_SHA512_DRBG" != "yes" &&
test "$FIPS_VERSION" != "dev"],
[AC_MSG_ERROR([Can not disable SHA512-DRBG at build time in FIPS mode. Disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
@@ -6683,7 +6683,7 @@ AS_CASE([$FIPS_VERSION],
AS_IF([test "$ENABLED_SHA512" != "no" &&
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha512" != "yes")],
[enable_sha512="no"; ENABLED_SHA512="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
[enable_sha512="no"; ENABLED_SHA512="no"; ENABLED_SHA512_DRBG="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
@@ -7813,7 +7813,8 @@ then
fi
# FIPS override: Hash DRBG is mandatory
if test "x$ENABLED_HASHDRBG" != "xyes" && test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno"
if test "$ENABLED_HASHDRBG" != "yes" && test "$ENABLED_FIPS" = "yes" &&
test "$FIPS_VERSION" != "dev" && test "$ENABLED_KCAPI" = "no"
then
if test "$enable_hashdrbg" = "no"
then
+1 -1
View File
@@ -1272,7 +1272,7 @@ static void myFipsCb(int ok, int err, const char* hash)
* fail, fire this callback, and produce millions of lines of
* redundant output. Exit now -- the hash has been printed for
* fips-hash.sh to extract, and no test can possibly pass. */
exit(IN_CORE_FIPS_E);
exit(IN_CORE_FIPS_E); /* NOLINT(concurrency-mt-unsafe) */
#endif
}
#ifdef REALLY_LONG_DRBG_CONTINUOUS_TEST