wolfSSL
diff --git a/‎.wolfssl_known_macro_extras‎
Lines changed: 1 addition & 0 deletions b/‎.wolfssl_known_macro_extras‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎doc/dox_comments/header_files/hash.h‎
Lines changed: 22 additions & 0 deletions b/‎doc/dox_comments/header_files/hash.h‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎src/internal.c‎
Lines changed: 7 additions & 0 deletions b/‎src/internal.c‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/pk_ec.c‎
Lines changed: 14 additions & 0 deletions b/‎src/pk_ec.c‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎tests/api.c‎
Lines changed: 2 additions & 2 deletions b/‎tests/api.c‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎tests/api/api.h‎
Lines changed: 7 additions & 2 deletions b/‎tests/api/api.h‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎wolfcrypt/src/asn.c‎
Lines changed: 115 additions & 0 deletions b/‎wolfcrypt/src/asn.c‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎wolfcrypt/src/dilithium.c‎
Lines changed: 9 additions & 2 deletions b/‎wolfcrypt/src/dilithium.c‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎wolfcrypt/src/dsa.c‎
Lines changed: 17 additions & 0 deletions b/‎wolfcrypt/src/dsa.c‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎wolfcrypt/src/ecc.c‎
Lines changed: 19 additions & 6 deletions b/‎wolfcrypt/src/ecc.c‎
Lines changed: 19 additions & 6 deletions
@@ -639,6 +639,7 @@ WC_DILITHIUM_FIXED_ARRAY
 WC_DISABLE_RADIX_ZERO_PAD
 WC_FLAG_DONT_USE_AESNI
 WC_FORCE_LINUXKM_FORTIFY_SOURCE
+WC_HASH_CUSTOM_MIN_DIGEST_SIZE
 WC_NO_ASYNC_SLEEP
 WC_NO_RNG_SIMPLE
 WC_NO_STATIC_ASSERT
 
@@ -52,6 +52,28 @@ int wc_HashGetOID(enum wc_HashType hash_type);
 */
 int wc_HashGetDigestSize(enum wc_HashType hash_type);
 
+/*!
+    \ingroup wolfCrypt
+
+    \brief This function returns the minimum size supported for any digest
+    enabled in the library.  In FIPS builds, the value is subject to floor
+    values controlled by FIPS 186-4 or 186-5 as appropriate.
+
+    \return A positive return value, the smallest supported digest size.
+
+    _Example_
+    \code
+    int min_hash_len = wc_HashGetMinDigestSize();
+    if (supplied_hash_len < min_hash_len) {
+        WOLFSSL_MSG("Invalid hash len");
+        return BAD_FUNC_ARG;
+    }
+    \endcode
+
+    \sa wc_Hash
+*/
+int wc_HashGetMinDigestSize(void);
+
 /*!
     \ingroup wolfCrypt
 
 
@@ -157,6 +157,7 @@
 #include <wolfssl/error-ssl.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/dh.h>
+#include <wolfssl/wolfcrypt/hash.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
@@ -5720,6 +5721,12 @@ int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* out,
     }
 #endif
 
+    /* Check hash length */
+    if ((outSz > WC_MAX_DIGEST_SIZE) ||
+        (outSz < (word32)wc_HashGetMinDigestSize())) {
+        return BAD_LENGTH_E;
+    }
+
     (void)ssl;
     (void)keyBufInfo;
 
 
@@ -5264,6 +5264,13 @@ int wolfSSL_ECDSA_do_verify(const unsigned char *dgst, int dLen,
         ret = WOLFSSL_FATAL_ERROR;
     }
 
+    /* Check hash length */
+    if ((dLen > WC_MAX_DIGEST_SIZE) ||
+        (dLen < wc_HashGetMinDigestSize())) {
+        WOLFSSL_MSG("wolfSSL_ECDSA_do_verify Bad digest size");
+        ret = WOLFSSL_FATAL_ERROR;
+    }
+
     /* Ensure internal EC key is set from external. */
     if ((ret == 1) && (key->inSet == 0)) {
         WOLFSSL_MSG("No EC key internal set, do it");
@@ -5388,6 +5395,13 @@ int wolfSSL_ECDSA_verify(int type, const unsigned char *digest, int digestSz,
         ret = 0;
     }
 
+    /* Check hash length */
+    if ((digestSz > WC_MAX_DIGEST_SIZE) ||
+        (digestSz < wc_HashGetMinDigestSize())) {
+        WOLFSSL_MSG("wolfSSL_ECDSA_verify Bad digest size");
+        ret = 0;
+    }
+
     /* Verify signature using digest and key. */
     if ((ret == 1) && (wc_ecc_verify_hash(sig, (word32)sigSz, digest,
             (word32)digestSz, &verify, (ecc_key*)key->internal) != 0)) {
 
@@ -12284,9 +12284,9 @@ static int test_wc_CheckCertSigPubKey(void)
     ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer, 0,
         RSAk), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
-    /* Wrong aglo. */
+    /* Wrong algo. */
     ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer,
-        keyDerSz, ECDSAk), WC_NO_ERR_TRACE(ASN_PARSE_E));
+        keyDerSz, ECDSAk), WC_NO_ERR_TRACE(ASN_SIG_OID_E));
 
     wc_FreeDecodedCert(&decoded);
     if (cert_der != NULL)
 
@@ -38,8 +38,13 @@
 #endif
 
 
-#define TEST_STRING    "Everyone gets Friday off."
-#define TEST_STRING_SZ 25
+#ifdef WC_FIPS_186_5_PLUS
+    #define TEST_STRING "Everyone works the weekends."
+    #define TEST_STRING_SZ 28
+#else
+    #define TEST_STRING    "Everyone gets Friday off."
+    #define TEST_STRING_SZ 25
+#endif
 
 
 #ifndef ONEK_BUF
 
@@ -16109,6 +16109,116 @@ static int DecodeDsaAsn1Sig(const byte* sig, word32 sigSz, byte* sigCpy,
 }
 #endif
 
+/* The certificate's signatureAlgorithm (sigOID) must match the issuer's
+ * key type (keyOID). sigOID picks the pre-hash; keyOID picks the
+ * verifier. They need to agree or the verifier gets the wrong input. */
+static int SigOidMatchesKeyOid(word32 sigOID, word32 keyOID)
+{
+    switch (keyOID) {
+    #ifndef NO_RSA
+        case RSAk:
+        #ifdef WC_RSA_PSS
+        case RSAPSSk:
+        #endif
+            switch (sigOID) {
+                case CTC_MD2wRSA:
+                case CTC_MD5wRSA:
+                case CTC_SHAwRSA:
+                case CTC_SHA224wRSA:
+                case CTC_SHA256wRSA:
+                case CTC_SHA384wRSA:
+                case CTC_SHA512wRSA:
+                case CTC_SHA3_224wRSA:
+                case CTC_SHA3_256wRSA:
+                case CTC_SHA3_384wRSA:
+                case CTC_SHA3_512wRSA:
+                case CTC_RSASSAPSS:
+                    return 1;
+            }
+            return 0;
+    #endif
+    #if !defined(NO_DSA) && !defined(HAVE_SELFTEST)
+        case DSAk:
+            switch (sigOID) {
+                case CTC_SHAwDSA:
+                case CTC_SHA256wDSA:
+                    return 1;
+            }
+            return 0;
+    #endif
+    #if defined(HAVE_ECC) && defined(HAVE_ECC_VERIFY)
+        case ECDSAk:
+        #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+        case SM2k:
+        #endif
+            switch (sigOID) {
+                case CTC_SHAwECDSA:
+                case CTC_SHA224wECDSA:
+                case CTC_SHA256wECDSA:
+                case CTC_SHA384wECDSA:
+                case CTC_SHA512wECDSA:
+                case CTC_SHA3_224wECDSA:
+                case CTC_SHA3_256wECDSA:
+                case CTC_SHA3_384wECDSA:
+                case CTC_SHA3_512wECDSA:
+            #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+                case CTC_SM3wSM2:
+            #endif
+                    return 1;
+            }
+            return 0;
+    #endif
+    #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
+        case ED25519k:
+            return (sigOID == CTC_ED25519);
+    #endif
+    #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
+        case ED448k:
+            return (sigOID == CTC_ED448);
+    #endif
+    #if defined(HAVE_FALCON)
+        case FALCON_LEVEL1k:
+            return (sigOID == CTC_FALCON_LEVEL1);
+        case FALCON_LEVEL5k:
+            return (sigOID == CTC_FALCON_LEVEL5);
+    #endif
+    #if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \
+        !defined(WOLFSSL_DILITHIUM_NO_ASN1)
+        #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
+        case DILITHIUM_LEVEL2k:
+            return (sigOID == CTC_DILITHIUM_LEVEL2);
+        case DILITHIUM_LEVEL3k:
+            return (sigOID == CTC_DILITHIUM_LEVEL3);
+        case DILITHIUM_LEVEL5k:
+            return (sigOID == CTC_DILITHIUM_LEVEL5);
+        #endif
+        case ML_DSA_LEVEL2k:
+            return (sigOID == CTC_ML_DSA_LEVEL2);
+        case ML_DSA_LEVEL3k:
+            return (sigOID == CTC_ML_DSA_LEVEL3);
+        case ML_DSA_LEVEL5k:
+            return (sigOID == CTC_ML_DSA_LEVEL5);
+    #endif
+    #if defined(HAVE_SPHINCS)
+        case SPHINCS_FAST_LEVEL1k:
+            return (sigOID == CTC_SPHINCS_FAST_LEVEL1);
+        case SPHINCS_FAST_LEVEL3k:
+            return (sigOID == CTC_SPHINCS_FAST_LEVEL3);
+        case SPHINCS_FAST_LEVEL5k:
+            return (sigOID == CTC_SPHINCS_FAST_LEVEL5);
+        case SPHINCS_SMALL_LEVEL1k:
+            return (sigOID == CTC_SPHINCS_SMALL_LEVEL1);
+        case SPHINCS_SMALL_LEVEL3k:
+            return (sigOID == CTC_SPHINCS_SMALL_LEVEL3);
+        case SPHINCS_SMALL_LEVEL5k:
+            return (sigOID == CTC_SPHINCS_SMALL_LEVEL5);
+    #endif
+    }
+
+    /* Default to reject unknown key types */
+    return 0;
+}
+
 /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */
 int ConfirmSignature(SignatureCtx* sigCtx,
     const byte* buf, word32 bufSz,
@@ -16177,6 +16287,11 @@ int ConfirmSignature(SignatureCtx* sigCtx,
 
         case SIG_STATE_HASH:
         {
+            if (!SigOidMatchesKeyOid(sigOID, keyOID)) {
+                WOLFSSL_MSG("sigOID incompatible with issuer keyOID");
+                ERROR_OUT(ASN_SIG_OID_E, exit_cs);
+            }
+
         #if !defined(NO_RSA) && defined(WC_RSA_PSS)
             if (sigOID == RSAPSSk) {
                 word32 fakeSigOID = 0;
 
@@ -9273,8 +9273,9 @@ static int dilithium_sign_ctx_hash_with_seed(dilithium_key* key,
     byte oidMsgHash[DILITHIUM_HASH_OID_LEN + WC_MAX_DIGEST_SIZE];
     word32 oidMsgHashLen = 0;
 
-    if ((ret == 0) && (hashLen > WC_MAX_DIGEST_SIZE)) {
-        ret = BUFFER_E;
+    /* Check that the input hash length is valid. */
+    if ((int)hashLen != wc_HashGetDigestSize((enum wc_HashType)hashAlg)) {
+        ret = BAD_LENGTH_E;
     }
 
     if (ret == 0) {
@@ -9944,6 +9945,12 @@ static int dilithium_verify_ctx_hash(dilithium_key* key, const byte* ctx,
     if (key == NULL) {
         ret = BAD_FUNC_ARG;
     }
+    /* Check that the input hash length is valid. */
+    if ((ret == 0) &&
+        ((int)hashLen != wc_HashGetDigestSize((enum wc_HashType)hashAlg)))
+    {
+        ret = BAD_LENGTH_E;
+    }
 
     if (ret == 0) {
         /* Step 6: Hash public key. */
 
@@ -27,6 +27,7 @@
 #include <wolfssl/wolfcrypt/wolfmath.h>
 #include <wolfssl/wolfcrypt/sha.h>
 #include <wolfssl/wolfcrypt/dsa.h>
+#include <wolfssl/wolfcrypt/hash.h>
 
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
@@ -689,6 +690,12 @@ int wc_DsaSign_ex(const byte* digest, word32 digestSz, byte* out, DsaKey* key,
     if (digest == NULL || out == NULL || key == NULL || rng == NULL)
         return BAD_FUNC_ARG;
 
+    if ((digestSz > WC_MAX_DIGEST_SIZE) ||
+        (digestSz < (word32)wc_HashGetMinDigestSize()))
+    {
+        return BAD_LENGTH_E;
+    }
+
     SAVE_VECTOR_REGISTERS(return _svr_ret;);
 
     do {
@@ -1022,6 +1029,16 @@ int wc_DsaVerify_ex(const byte* digest, word32 digestSz, const byte* sig,
     if (digest == NULL || sig == NULL || key == NULL || answer == NULL)
         return BAD_FUNC_ARG;
 
+    /* Note the min allowed digestSz here is WC_SHA_DIGEST_SIZE, not
+     * wc_HashGetMinDigestSize(), to allow verify-only legacy DSA operations, as
+     * expressly allowed under FIPS 186-5, FIPS 140-3, and SP 800-131A.
+     */
+    if ((digestSz > WC_MAX_DIGEST_SIZE) ||
+        (digestSz < WC_SHA_DIGEST_SIZE))
+    {
+        return BAD_LENGTH_E;
+    }
+
     do {
 #ifdef WOLFSSL_SMALL_STACK
         w = (mp_int *)XMALLOC(sizeof *w, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
@@ -213,6 +213,7 @@ ECC Curve Sizes:
 
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/asn.h>
+#include <wolfssl/wolfcrypt/hash.h>
 
 #ifdef WOLFSSL_HAVE_SP_ECC
 #include <wolfssl/wolfcrypt/sp.h>
@@ -223,10 +224,6 @@ ECC Curve Sizes:
     #include <wolfssl/wolfcrypt/aes.h>
 #endif
 
-#ifdef HAVE_X963_KDF
-    #include <wolfssl/wolfcrypt/hash.h>
-#endif
-
 #ifdef WOLF_CRYPTO_CB
     #include <wolfssl/wolfcrypt/cryptocb.h>
 #endif
@@ -6778,7 +6775,9 @@ int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen,
     if (in == NULL || out == NULL || outlen == NULL || key == NULL) {
         return ECC_BAD_ARG_E;
     }
-    if (inlen > WC_MAX_DIGEST_SIZE) {
+    if ((inlen > WC_MAX_DIGEST_SIZE) ||
+        (inlen < (word32)wc_HashGetMinDigestSize()))
+    {
         return BAD_LENGTH_E;
     }
 
@@ -7299,6 +7298,11 @@ int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, WC_RNG* rng,
    if (in == NULL || r == NULL || s == NULL || key == NULL || rng == NULL) {
        return ECC_BAD_ARG_E;
    }
+   if ((inlen > WC_MAX_DIGEST_SIZE) ||
+       (inlen < (word32)wc_HashGetMinDigestSize()))
+   {
+       return BAD_LENGTH_E;
+   }
 
    /* is this a private key? */
    if (key->type != ECC_PRIVATEKEY && key->type != ECC_PRIVATEKEY_ONLY) {
@@ -8576,7 +8580,10 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash,
     if (sig == NULL || hash == NULL || res == NULL || key == NULL) {
         return ECC_BAD_ARG_E;
     }
-    if (hashlen > WC_MAX_DIGEST_SIZE) {
+
+    /* Check hash length */
+    if ((hashlen > WC_MAX_DIGEST_SIZE) ||
+        (hashlen < (word32)wc_HashGetMinDigestSize())) {
         return BAD_LENGTH_E;
     }
 
@@ -9284,6 +9291,12 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
    if (r == NULL || s == NULL || hash == NULL || res == NULL || key == NULL)
        return ECC_BAD_ARG_E;
 
+    /* Check hash length */
+    if ((hashlen > WC_MAX_DIGEST_SIZE) ||
+        (hashlen < (word32)wc_HashGetMinDigestSize())) {
+        return BAD_LENGTH_E;
+    }
+
    /* default to invalid signature */
    *res = 0;