configure.ac:

* allow for fips-dev in v7|ready|dev ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG setup and change from AC_MSG_WARN to AC_MSG_ERROR if user tries to disable outside fips-dev;
* set ENABLED_SHA512_DRBG=no in lean-aesgcm setup;

wolfcrypt/test/test.c: suppress concurrency-mt-unsafe in myFipsCb();

 .wolfssl_known_macro_extras: fix lexical order.

Author: douzzer

.wolfssl_known_macro_extras

@@ -832,6 +832,7 @@ WOLFSSL_NO_KCAPI_HMAC_SHA384
 WOLFSSL_NO_KCAPI_HMAC_SHA512
 WOLFSSL_NO_KCAPI_SHA224
 WOLFSSL_NO_KTRI_ORACLE_WARNING
+WOLFSSL_NO_LMS_SHAKE256_256
 WOLFSSL_NO_OCSP_DATE_CHECK
 WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
 WOLFSSL_NO_OCSP_OPTIONAL_CERTS
@@ -1134,4 +1135,3 @@ ssize_t
 sun
 versal
 wc_Tls13_HKDF_Expand_Label
-WOLFSSL_NO_LMS_SHAKE256_256

configure.ac

@@ -6350,14 +6350,14 @@ AS_CASE([$FIPS_VERSION],
              SLHDSA_PARAM_SHA2_256F="yes"])
 
 # SHA-256 DRBG -- cannot be disabled at build time in FIPS mode
-        AS_IF([test "$enable_sha256_drbg" = "no"],
-            [AC_MSG_WARN([Can not disable SHA256-DRBG at build time in FIPS mode, disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
-        ENABLED_SHA256_DRBG="yes"
+        AS_IF([test "$ENABLED_SHA256_DRBG" != "yes" &&
+               test "$FIPS_VERSION" != "dev"],
+            [AC_MSG_ERROR([Can not disable SHA256-DRBG at build time in FIPS mode.  Disable at run-time with wc_Sha256Drbg_Disable() or wc_Sha256Drbg_Disable_fips()])])
 
 # SHA-512 DRBG -- cannot be disabled at build time in FIPS mode
-        AS_IF([test "$enable_sha512_drbg" = "no"],
-            [AC_MSG_WARN([Can not disable SHA512-DRBG at build time in FIPS mode, disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
-        ENABLED_SHA512_DRBG="yes"
+        AS_IF([test "$ENABLED_SHA512_DRBG" != "yes" &&
+               test "$FIPS_VERSION" != "dev"],
+            [AC_MSG_ERROR([Can not disable SHA512-DRBG at build time in FIPS mode.  Disable it at run-time with wc_Sha512Drbg_Disable() or wc_Sha512Drbg_Disable_fips()])])
 
 # Old TLS requires MD5 + HMAC, which is not allowed under FIPS 140-3
         AS_IF([test "$ENABLED_OLD_TLS" != "no"],
@@ -6683,7 +6683,7 @@ AS_CASE([$FIPS_VERSION],
 
         AS_IF([test "$ENABLED_SHA512" != "no" &&
                (test "$FIPS_VERSION" != "lean-aesgcm-dev" || test "$enable_sha512" != "yes")],
-            [enable_sha512="no"; ENABLED_SHA512="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
+            [enable_sha512="no"; ENABLED_SHA512="no"; ENABLED_SHA512_DRBG="no"; AM_CFLAGS="$AM_CFLAGS -UWOLFSSL_SHA512 -UWOLFSSL_SHA384"])
 
         # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
         AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
@@ -7813,7 +7813,8 @@ then
 fi
 
 # FIPS override: Hash DRBG is mandatory
-if test "x$ENABLED_HASHDRBG" != "xyes" && test "x$ENABLED_FIPS" = "xyes" && test "x$ENABLED_KCAPI" = "xno"
+if test "$ENABLED_HASHDRBG" != "yes" && test "$ENABLED_FIPS" = "yes" &&
+   test "$FIPS_VERSION" != "dev" && test "$ENABLED_KCAPI" = "no"
 then
     if test "$enable_hashdrbg" = "no"
     then

wolfcrypt/test/test.c

@@ -1272,7 +1272,7 @@ static void myFipsCb(int ok, int err, const char* hash)
          * fail, fire this callback, and produce millions of lines of
          * redundant output. Exit now -- the hash has been printed for
          * fips-hash.sh to extract, and no test can possibly pass. */
-        exit(IN_CORE_FIPS_E);
+        exit(IN_CORE_FIPS_E); /* NOLINT(concurrency-mt-unsafe) */
 #endif
     }
 #ifdef REALLY_LONG_DRBG_CONTINUOUS_TEST