mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 21:50:52 +02:00
configure.ac:
* allow for fips-dev in v7|ready|dev ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG setup and change from AC_MSG_WARN to AC_MSG_ERROR if user tries to disable outside fips-dev; * set ENABLED_SHA512_DRBG=no in lean-aesgcm setup; wolfcrypt/test/test.c: suppress concurrency-mt-unsafe in myFipsCb(); .wolfssl_known_macro_extras: fix lexical order.
This commit is contained in:
@@ -842,6 +842,7 @@ WOLFSSL_NO_KCAPI_HMAC_SHA384
|
||||
WOLFSSL_NO_KCAPI_HMAC_SHA512
|
||||
WOLFSSL_NO_KCAPI_SHA224
|
||||
WOLFSSL_NO_KTRI_ORACLE_WARNING
|
||||
WOLFSSL_NO_LMS_SHAKE256_256
|
||||
WOLFSSL_NO_OCSP_DATE_CHECK
|
||||
WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
|
||||
WOLFSSL_NO_OCSP_OPTIONAL_CERTS
|
||||
@@ -1145,4 +1146,3 @@ ssize_t
|
||||
sun
|
||||
versal
|
||||
wc_Tls13_HKDF_Expand_Label
|
||||
WOLFSSL_NO_LMS_SHAKE256_256
|
||||
|
||||
+9
-8
@@ -6350,14 +6350,14 @@ AS_CASE([$FIPS_VERSION],
|
||||
SLHDSA_PARAM_SHA2_256F="yes"])
|
||||
|
||||
# SHA-256 DRBG -- cannot be disabled at build time in FIPS mode
|
||||
AS_IF([test "$enable_sha256_drbg" = "no"],
|
||||
[AC_MSG_WARN([Can not disable SHA256-DRBG at build time in FIPS mode, disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
|
||||
ENABLED_SHA256_DRBG="yes"
|
||||
AS_IF([test "$ENABLED_SHA256_DRBG" != "yes" &&
|
||||
test "$FIPS_VERSION" != "dev"],
|
||||
[AC_MSG_ERROR([Can not disable SHA256-DRBG at build time in FIPS mode. Disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
|
||||
|
||||
# SHA-512 DRBG -- cannot be disabled at build time in FIPS mode
|
||||
AS_IF([test "$enable_sha512_drbg" = "no"],
|
||||
[AC_MSG_WARN([Can not disable SHA512-DRBG at build time in FIPS mode, disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
|
||||
ENABLED_SHA512_DRBG="yes"
|
||||
AS_IF([test "$ENABLED_SHA512_DRBG" != "yes" &&
|
||||
test "$FIPS_VERSION" != "dev"],
|
||||
[AC_MSG_ERROR([Can not disable SHA512-DRBG at build time in FIPS mode. Disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
|
||||
|
||||
# Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
|
||||
AS_IF([test "$ENABLED_OLD_TLS" != "no"],
|
||||
@@ -6683,7 +6683,7 @@ AS_CASE([$FIPS_VERSION],
|
||||
|
||||
AS_IF([test "$ENABLED_SHA512" != "no" &&
|
||||
(test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha512" != "yes")],
|
||||
[enable_sha512="no"; ENABLED_SHA512="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
|
||||
[enable_sha512="no"; ENABLED_SHA512="no"; ENABLED_SHA512_DRBG="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
|
||||
|
||||
# SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
|
||||
@@ -7813,7 +7813,8 @@ then
|
||||
fi
|
||||
|
||||
# FIPS override: Hash DRBG is mandatory
|
||||
if test "x$ENABLED_HASHDRBG" != "xyes" && test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno"
|
||||
if test "$ENABLED_HASHDRBG" != "yes" && test "$ENABLED_FIPS" = "yes" &&
|
||||
test "$FIPS_VERSION" != "dev" && test "$ENABLED_KCAPI" = "no"
|
||||
then
|
||||
if test "$enable_hashdrbg" = "no"
|
||||
then
|
||||
|
||||
@@ -1272,7 +1272,7 @@ static void myFipsCb(int ok, int err, const char* hash)
|
||||
* fail, fire this callback, and produce millions of lines of
|
||||
* redundant output. Exit now -- the hash has been printed for
|
||||
* fips-hash.sh to extract, and no test can possibly pass. */
|
||||
exit(IN_CORE_FIPS_E);
|
||||
exit(IN_CORE_FIPS_E); /* NOLINT(concurrency-mt-unsafe) */
|
||||
#endif
|
||||
}
|
||||
#ifdef REALLY_LONG_DRBG_CONTINUOUS_TEST
|
||||
|
||||
Reference in New Issue
Block a user