configure.ac: for FIPS v6 setup, explicitly set WOLFSSL_NOSHA512_224 and WOLFSSL_NOSHA512_256;

douzzer · douzzer · commit 0bfa206b74cc · 2026-04-25T12:21:26.000-05:00
wolfssl/wolfcrypt/hash.h: when WOLFSSL_NOSHA512_{224,256}, gate out prototypes for wc_Sha512_{224,256}Hash[_ex](), to shift build failures from link-time to compile-time.
diff --git a/configure.ac b/configure.ac
@@ -6480,7 +6480,8 @@ AS_CASE([$FIPS_VERSION],
                (test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
             [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
 
-        # SHA512-224 and SHA512-256 are needed for HashML-DSA (FIPS 204)
+        # SHA512-224 and SHA512-256 are not in-boundary in FIPS v6.
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
 
         # Shake128 because we're testing SHAKE256
         AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
diff --git a/wolfssl/wolfcrypt/hash.h b/wolfssl/wolfcrypt/hash.h
@@ -310,14 +310,18 @@ WOLFSSL_API int wc_Sha384Hash_ex(const byte* data, word32 len, byte* hash,
 #ifdef WOLFSSL_SHA512
 #include <wolfssl/wolfcrypt/sha512.h>
 WOLFSSL_API int wc_Sha512Hash(const byte* data, word32 len, byte* hash);
-WOLFSSL_API int wc_Sha512_224Hash(const byte* data, word32 len, byte* hash);
-WOLFSSL_API int wc_Sha512_256Hash(const byte* data, word32 len, byte* hash);
 WOLFSSL_API int wc_Sha512Hash_ex(const byte* data, word32 len, byte* hash,
     void* heap, int devId);
-WOLFSSL_API int wc_Sha512_224Hash_ex(const byte* data, word32 len, byte* hash,
-    void* heap, int devId);
-WOLFSSL_API int wc_Sha512_256Hash_ex(const byte* data, word32 len, byte* hash,
-    void* heap, int devId);
+#ifndef WOLFSSL_NOSHA512_224
+    WOLFSSL_API int wc_Sha512_224Hash(const byte* data, word32 len, byte* hash);
+    WOLFSSL_API int wc_Sha512_224Hash_ex(const byte* data, word32 len,
+        byte* hash, void* heap, int devId);
+#endif
+#ifndef WOLFSSL_NOSHA512_256
+    WOLFSSL_API int wc_Sha512_256Hash(const byte* data, word32 len, byte* hash);
+    WOLFSSL_API int wc_Sha512_256Hash_ex(const byte* data, word32 len,
+        byte* hash, void* heap, int devId);
+#endif
 #endif /* WOLFSSL_SHA512 */
 
 #ifdef WOLFSSL_SHA3
