Allow DES3 with FIPS v5-dev.

configure.ac

@@ -3503,10 +3503,6 @@ AS_CASE([$FIPS_VERSION],
 
         DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
 
-        # DES3 is incompatible with FIPS 140-3
-        AS_IF([test "$ENABLED_DES3" != "no"],
-            [ENABLED_DES3="no"])
-
         # force various features to FIPS 140-3 defaults, unless overridden with v5-dev:
 
         AS_IF([test "$ENABLED_KEYGEN" != "yes" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_keygen" != "no")],
@@ -3558,6 +3554,9 @@ AS_CASE([$FIPS_VERSION],
         AS_IF([test "$ENABLED_MD5" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_md5" != "yes")],
             [ENABLED_MD5="no"; ENABLED_OLD_TLS="no"; AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"])
 
+        AS_IF([test "$ENABLED_DES3" != "no" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_des3" != "yes")],
+            [ENABLED_DES3="no"])
+
         AS_IF([test $HAVE_FIPS_VERSION_MINOR -ge 2],
             [AS_IF([test "x$ENABLED_AESOFB" = "xno" && (test "$FIPS_VERSION" != "v5-dev" || test "$enable_aesofb" != "no")],
                 [ENABLED_AESOFB="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_OFB"])])

src/include.am

@@ -452,11 +452,13 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/cmac.c
 endif
 endif !BUILD_FIPS_CURRENT
 
-if !BUILD_FIPS_CURRENT
+if !BUILD_FIPS_V2
+if !BUILD_FIPS_V3
 if BUILD_DES3
 src_libwolfssl_la_SOURCES += wolfcrypt/src/des3.c
-endif
-endif !BUILD_FIPS_CURRENT
+endif BUILD_DES3
+endif !BUILD_FIPS_V3
+endif !BUILD_FIPS_V2
 
 if !BUILD_FIPS_CURRENT
 if BUILD_SHA

wolfssl/wolfcrypt/des3.h

@@ -55,7 +55,7 @@ enum {
 
 /* avoid redefinition of structs */
 #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
-        (HAVE_FIPS_VERSION == 2 || HAVE_FIPS_VERSION == 3))
+    HAVE_FIPS_VERSION >= 2)
 
 #ifdef WOLFSSL_ASYNC_CRYPT
     #include <wolfssl/wolfcrypt/async.h>