configure.ac: render warnings when FIPS setup forces off options supplied to configure.

2025-07-30 02:37:28 +02:00 · 2024-09-10 21:50:24 -05:00
parent 723d8efd1c
commit 430d104430
1 changed files with 16 additions and 8 deletions
--- a/configure.ac
+++ b/configure.ac
@ -5265,7 +5265,8 @@ AS_CASE([$FIPS_VERSION],

        AS_IF([test "x$ENABLED_ECCCUSTCURVES" != "xno" &&
               test "$FIPS_VERSION" != "dev"],
-            [ENABLED_ECCCUSTCURVES="no"])
+            [AC_MSG_WARN([Forcing off ecccustcurves for FIPS ${FIPS_VERSION}.])
+             ENABLED_ECCCUSTCURVES="no"])

 # Hashing section
        AS_IF([test "x$ENABLED_SHA3" != "xyes" &&
@ -5348,7 +5349,8 @@ AS_CASE([$FIPS_VERSION],

 # Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
        AS_IF([test "$ENABLED_OLD_TLS" != "no"],
-            [ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
+            [AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
+             ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])

    ],
    [v5*], [ # FIPS 140-3
@ -5392,7 +5394,8 @@ AS_CASE([$FIPS_VERSION],

        AS_IF([test "$ENABLED_COMPKEY" = "yes" &&
               (test "$FIPS_VERSION" != "v5-dev" || test "$enable_compkey" != "yes")],
-            [ENABLED_COMPKEY="no"])
+            [AC_MSG_WARN([Forcing off compkey for FIPS ${FIPS_VERSION}.])
+             ENABLED_COMPKEY="no"])

        AS_IF([test "$ENABLED_SHA224" != "yes" &&
               (test "$FIPS_VERSION" != "v5-dev" || test "$enable_sha224" != "no")],
@ -5409,12 +5412,14 @@ AS_CASE([$FIPS_VERSION],
        # Shake128 is a SHA-3 algorithm outside the v5 FIPS algorithm list
        AS_IF([test "$ENABLED_SHAKE128" != "no" &&
               (test "$FIPS_VERSION" != "v5-dev" || test "$enable_shake128" != "yes")],
-            [ENABLED_SHAKE128=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE128"])
+            [AC_MSG_WARN([Forcing off shake128 for FIPS ${FIPS_VERSION}.])
+             ENABLED_SHAKE128=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE128"])

        # Shake256 is a SHA-3 algorithm outside the v5 FIPS algorithm list
        AS_IF([test "$ENABLED_SHAKE256" != "no" &&
               (test "$FIPS_VERSION" != "v5-dev" || test "$enable_shake256" != "yes")],
-            [ENABLED_SHAKE256=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"])
+            [AC_MSG_WARN([Forcing off shake256 for FIPS ${FIPS_VERSION}.])
+             ENABLED_SHAKE256=no; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"])

        # SHA512-224 and SHA512-256 are SHA-2 algorithms outside the v5 FIPS algorithm list
        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
@ -5425,7 +5430,8 @@ AS_CASE([$FIPS_VERSION],

        AS_IF([test "$ENABLED_AESXTS" = "yes" &&
               (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesxts" != "yes")],
-            [ENABLED_AESXTS="no"])
+            [AC_MSG_WARN([Forcing off aesxts for FIPS ${FIPS_VERSION}.])
+             ENABLED_AESXTS="no"])

        AS_IF([test "$ENABLED_RSAPSS" != "yes" &&
               (test "$FIPS_VERSION" != "v5-dev" || test "$enable_rsapss" != "no")],
@ -5464,11 +5470,13 @@ AS_CASE([$FIPS_VERSION],
        # AES-GCM streaming isn't part of the v5 FIPS suite.
        AS_IF([test "$ENABLED_AESGCM_STREAM" = "yes" &&
               (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesgcm_stream" != "yes")],
-            [ENABLED_AESGCM_STREAM="no"])
+            [AC_MSG_WARN([Forcing off aesgcm-stream for FIPS ${FIPS_VERSION}.])
+             ENABLED_AESGCM_STREAM="no"])

        # Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
        AS_IF([test "$ENABLED_OLD_TLS" != "no"],
-            [ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])
+            [AC_MSG_WARN([Forcing off oldtls for FIPS ${FIPS_VERSION}.])
+             ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"])

        AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
            [AS_IF([test "x$ENABLED_AESOFB" = "xno" &&