From 363bb0e2163e9522039c3ab6cd4b26d0913b0bae Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 24 Apr 2026 15:16:57 -0500 Subject: [PATCH] configure.ac: * allow for fips-dev in v7|ready|dev ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG setup and change from AC_MSG_WARN to AC_MSG_ERROR if user tries to disable outside fips-dev; * set ENABLED_SHA512_DRBG=no in lean-aesgcm setup; wolfcrypt/test/test.c: suppress concurrency-mt-unsafe in myFipsCb(); .wolfssl_known_macro_extras: fix lexical order. --- .wolfssl_known_macro_extras | 2 +- configure.ac | 17 +++++++++-------- wolfcrypt/test/test.c | 2 +- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index ea10e62ee0..7f8cc3f886 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -842,6 +842,7 @@ WOLFSSL_NO_KCAPI_HMAC_SHA384 WOLFSSL_NO_KCAPI_HMAC_SHA512 WOLFSSL_NO_KCAPI_SHA224 WOLFSSL_NO_KTRI_ORACLE_WARNING +WOLFSSL_NO_LMS_SHAKE256_256 WOLFSSL_NO_OCSP_DATE_CHECK WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK WOLFSSL_NO_OCSP_OPTIONAL_CERTS @@ -1145,4 +1146,3 @@ ssize_t sun versal wc_Tls13_HKDF_Expand_Label -WOLFSSL_NO_LMS_SHAKE256_256 diff --git a/configure.ac b/configure.ac index 849e5aedd9..6e68f47f9b 100644 --- a/configure.ac +++ b/configure.ac @@ -6350,14 +6350,14 @@ AS_CASE([$FIPS_VERSION], SLHDSA_PARAM_SHA2_256F="yes"]) # SHA-256 DRBG -- cannot be disabled at build time in FIPS mode - AS_IF([test "$enable_sha256_drbg" = "no"], - [AC_MSG_WARN([Can not disable SHA256-DRBG at build time in FIPS mode, disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])]) - ENABLED_SHA256_DRBG="yes" + AS_IF([test "$ENABLED_SHA256_DRBG" != "yes" && + test "$FIPS_VERSION" != "dev"], + [AC_MSG_ERROR([Can not disable SHA256-DRBG at build time in FIPS mode. Disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])]) # SHA-512 DRBG -- cannot be disabled at build time in FIPS mode - AS_IF([test "$enable_sha512_drbg" = "no"], - [AC_MSG_WARN([Can not disable SHA512-DRBG at build time in FIPS mode, disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])]) - ENABLED_SHA512_DRBG="yes" + AS_IF([test "$ENABLED_SHA512_DRBG" != "yes" && + test "$FIPS_VERSION" != "dev"], + [AC_MSG_ERROR([Can not disable SHA512-DRBG at build time in FIPS mode. Disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])]) # Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3 AS_IF([test "$ENABLED_OLD_TLS" != "no"], @@ -6683,7 +6683,7 @@ AS_CASE([$FIPS_VERSION], AS_IF([test "$ENABLED_SHA512" != "no" && (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha512" != "yes")], - [enable_sha512="no"; ENABLED_SHA512="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"]) + [enable_sha512="no"; ENABLED_SHA512="no"; ENABLED_SHA512_DRBG="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"]) # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256" @@ -7813,7 +7813,8 @@ then fi # FIPS override: Hash DRBG is mandatory -if test "x$ENABLED_HASHDRBG" != "xyes" && test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno" +if test "$ENABLED_HASHDRBG" != "yes" && test "$ENABLED_FIPS" = "yes" && + test "$FIPS_VERSION" != "dev" && test "$ENABLED_KCAPI" = "no" then if test "$enable_hashdrbg" = "no" then diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 7e00b45459..5e51093edd 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -1272,7 +1272,7 @@ static void myFipsCb(int ok, int err, const char* hash) * fail, fire this callback, and produce millions of lines of * redundant output. Exit now -- the hash has been printed for * fips-hash.sh to extract, and no test can possibly pass. */ - exit(IN_CORE_FIPS_E); + exit(IN_CORE_FIPS_E); /* NOLINT(concurrency-mt-unsafe) */ #endif } #ifdef REALLY_LONG_DRBG_CONTINUOUS_TEST