diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index ea10e62ee0..7f8cc3f886 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -842,6 +842,7 @@ WOLFSSL_NO_KCAPI_HMAC_SHA384 WOLFSSL_NO_KCAPI_HMAC_SHA512 WOLFSSL_NO_KCAPI_SHA224 WOLFSSL_NO_KTRI_ORACLE_WARNING +WOLFSSL_NO_LMS_SHAKE256_256 WOLFSSL_NO_OCSP_DATE_CHECK WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK WOLFSSL_NO_OCSP_OPTIONAL_CERTS @@ -1145,4 +1146,3 @@ ssize_t sun versal wc_Tls13_HKDF_Expand_Label -WOLFSSL_NO_LMS_SHAKE256_256 diff --git a/configure.ac b/configure.ac index 849e5aedd9..6e68f47f9b 100644 --- a/configure.ac +++ b/configure.ac @@ -6350,14 +6350,14 @@ AS_CASE([$FIPS_VERSION], SLHDSA_PARAM_SHA2_256F="yes"]) # SHA-256 DRBG -- cannot be disabled at build time in FIPS mode - AS_IF([test "$enable_sha256_drbg" = "no"], - [AC_MSG_WARN([Can not disable SHA256-DRBG at build time in FIPS mode, disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])]) - ENABLED_SHA256_DRBG="yes" + AS_IF([test "$ENABLED_SHA256_DRBG" != "yes" && + test "$FIPS_VERSION" != "dev"], + [AC_MSG_ERROR([Can not disable SHA256-DRBG at build time in FIPS mode. Disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])]) # SHA-512 DRBG -- cannot be disabled at build time in FIPS mode - AS_IF([test "$enable_sha512_drbg" = "no"], - [AC_MSG_WARN([Can not disable SHA512-DRBG at build time in FIPS mode, disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])]) - ENABLED_SHA512_DRBG="yes" + AS_IF([test "$ENABLED_SHA512_DRBG" != "yes" && + test "$FIPS_VERSION" != "dev"], + [AC_MSG_ERROR([Can not disable SHA512-DRBG at build time in FIPS mode. Disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])]) # Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3 AS_IF([test "$ENABLED_OLD_TLS" != "no"], @@ -6683,7 +6683,7 @@ AS_CASE([$FIPS_VERSION], AS_IF([test "$ENABLED_SHA512" != "no" && (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha512" != "yes")], - [enable_sha512="no"; ENABLED_SHA512="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"]) + [enable_sha512="no"; ENABLED_SHA512="no"; ENABLED_SHA512_DRBG="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"]) # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256" @@ -7813,7 +7813,8 @@ then fi # FIPS override: Hash DRBG is mandatory -if test "x$ENABLED_HASHDRBG" != "xyes" && test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno" +if test "$ENABLED_HASHDRBG" != "yes" && test "$ENABLED_FIPS" = "yes" && + test "$FIPS_VERSION" != "dev" && test "$ENABLED_KCAPI" = "no" then if test "$enable_hashdrbg" = "no" then diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 7e00b45459..5e51093edd 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -1272,7 +1272,7 @@ static void myFipsCb(int ok, int err, const char* hash) * fail, fire this callback, and produce millions of lines of * redundant output. Exit now -- the hash has been printed for * fips-hash.sh to extract, and no test can possibly pass. */ - exit(IN_CORE_FIPS_E); + exit(IN_CORE_FIPS_E); /* NOLINT(concurrency-mt-unsafe) */ #endif } #ifdef REALLY_LONG_DRBG_CONTINUOUS_TEST