Phase 3: Security and FIPS Compliance Audit

Author: kaleb-himes

configure.ac

@@ -6313,13 +6313,7 @@ AS_CASE([$FIPS_VERSION],
             -DWC_RSA_NO_PADDING \
             -DECC_USER_CURVES \
             -DHAVE_ECC384 \
-            -DHAVE_ECC521 \
-            -DWOLFSSL_VALIDATE_FFC_IMPORT \
-            -DHAVE_FFDHE_Q \
-            -DHAVE_FFDHE_3072 \
-            -DHAVE_FFDHE_4096 \
-            -DHAVE_FFDHE_6144 \
-            -DHAVE_FFDHE_8192"
+            -DHAVE_ECC521"
 
         # KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
         AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
@@ -6333,6 +6327,20 @@ AS_CASE([$FIPS_VERSION],
                 -DHAVE_ECC256"])
 
         DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
+
+# Classic DH and DSA are OUT OF SCOPE for the FIPS 140-3 v7 PQ module.
+# (FIPS 186-5 retires DSA; v7 boundary keeps only ECDH/ECDSA + PQ KEM/DSA.)
+# Hard-error if explicitly enabled; otherwise force off and add NO_DH/NO_DSA.
+        AS_IF([test "$enable_dh" = "yes"],
+            [AC_MSG_ERROR([--enable-dh is not supported with --enable-fips=$FIPS_VERSION. Classic finite-field DH is out of scope for the FIPS 140-3 v7 PQ module. Use --enable-fips=v6 if you need DH support.])],
+            [test "$ENABLED_DH" != "no"],
+            [ENABLED_DH="no"; enable_dh="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DH"])
+
+        AS_IF([test "$enable_dsa" = "yes"],
+            [AC_MSG_ERROR([--enable-dsa is not supported with --enable-fips=$FIPS_VERSION. DSA is retired by FIPS 186-5 and is out of scope for the FIPS 140-3 v7 PQ module. Use --enable-fips=v6 if you need DSA support.])],
+            [test "$ENABLED_DSA" != "no"],
+            [ENABLED_DSA="no"; enable_dsa="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DSA"])
+
 # optimizations section
 
 # protocol section
@@ -8887,8 +8895,17 @@ then
     fi
     if test "x$ENABLED_DH" = "xno"
     then
-        ENABLED_DH="yes"
-        AM_CFLAGS="$AM_CFLAGS -DHAVE_DH"
+        # Classic DH is out of scope for the FIPS 140-3 v7 PQ module.
+        # JNI normally auto-enables DH for legacy TLS suites; with FIPS v7+
+        # we report and skip the auto-enable rather than silently turning DH
+        # back on (which would conflict with the boundary).
+        if test "$FIPS_VERSION" = "v7" || test "$FIPS_VERSION" = "ready" || test "$FIPS_VERSION" = "dev"
+        then
+            AC_MSG_NOTICE([JNI enabled but FIPS is $FIPS_VERSION, NOT turning on DH with this module])
+        else
+            ENABLED_DH="yes"
+            AM_CFLAGS="$AM_CFLAGS -DHAVE_DH"
+        fi
     fi
     if test "x$ENABLED_PSK" = "xno"
     then

fips-hash.sh

@@ -13,7 +13,11 @@ then
 fi
 
 OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
-NEWHASH=$(echo "$OUT" | cut -c1-64)
+# FIPS v7.0.0+ uses HMAC-SHA-512 (128 hex chars); older FIPS versions
+# use HMAC-SHA-256 (64 hex chars).  Take the whole captured hash; the
+# static_assert on sizeof(verifyCore) guards against wrong length at
+# compile time after this script runs.
+NEWHASH=$(echo "$OUT" | head -n1 | tr -d '[:space:]')
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak

tests/api/test_aes.c

@@ -693,7 +693,14 @@ static int test_wc_AesCbcEncryptDecrypt_WithKey(Aes* aes, byte* key,
     ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, vector, vector_len),
         0);
     ExpectBufEQ(cipher, vector_enc, vector_len);
-#ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
+    /* The BAD_LENGTH_E enforcement is in the non-FIPS aes.c implementation
+     * (see WOLFSSL_AES_CBC_LENGTH_CHECKS guard there).  FIPSv2 (cert3389)
+     * routes through its own historical wc_AesCbcEncrypt_fips wrapper that
+     * predates this check and silently returns 0 on unaligned input.  Only
+     * v5.x and newer FIPS modules carry the wrapper-level check.  Skip the
+     * assertion for FIPSv2 builds. */
+#if defined(WOLFSSL_AES_CBC_LENGTH_CHECKS) && \
+    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,0))
     ExpectIntEQ(wc_AesCbcEncrypt(aes, cipher, vector, vector_len - 1),
         WC_NO_ERR_TRACE(BAD_LENGTH_E));
 #endif
@@ -703,7 +710,9 @@ static int test_wc_AesCbcEncryptDecrypt_WithKey(Aes* aes, byte* key,
     ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher,
         WC_AES_BLOCK_SIZE * 2), 0);
     ExpectBufEQ(decrypted, vector, vector_len);
-#ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
+#if defined(WOLFSSL_AES_CBC_LENGTH_CHECKS) && \
+    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,0))
+    /* Same FIPSv2 vs v5+ rationale as the encrypt assertion above. */
     ExpectIntEQ(wc_AesCbcDecrypt(aes, decrypted, cipher,
         WC_AES_BLOCK_SIZE * 2 - 1), WC_NO_ERR_TRACE(BAD_LENGTH_E));
 #else

tests/api/test_evp_pkey.c

@@ -1526,7 +1526,7 @@ static int test_wolfSSL_EVP_PKEY_sign_verify(int keyType)
     !defined(HAVE_SELFTEST)
 #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
         {
-            ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+            ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
             ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS);
         }
 #endif
@@ -2159,7 +2159,7 @@ int test_wolfSSL_EVP_PKEY_encrypt(void)
         XMEMSET(outDec, 0, rsaKeySz);
     }
 
-    ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
     ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new());
     ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS);
     if (EXPECT_FAIL()) {

tests/api/test_ossl_rsa.c

@@ -65,7 +65,7 @@ int test_wolfSSL_RSA(void)
 
     RSA_free(rsa);
     rsa = NULL;
-    ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
     ExpectIntEQ(RSA_size(rsa), 256);
 
 #if (!defined(HAVE_FIPS) || FIPS_VERSION3_GT(6,0,0)) && !defined(HAVE_SELFTEST)
@@ -306,7 +306,7 @@ int test_wolfSSL_RSA(void)
     rsa = NULL;
 
 #if !defined(USE_FAST_MATH) || (FP_MAX_BITS >= (3072*2))
-    ExpectNotNull(rsa = RSA_generate_key(3072, 17, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(3072, 65537, NULL, NULL));
     ExpectIntEQ(RSA_size(rsa), 384);
     ExpectIntEQ(RSA_bits(rsa), 3072);
     RSA_free(rsa);
@@ -461,7 +461,7 @@ int test_wolfSSL_RSA_print(void)
 
     RSA_free(rsa);
     rsa = NULL;
-    ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
 
     ExpectIntEQ(RSA_print(bio, rsa, 0), 1);
     ExpectIntEQ(RSA_print(bio, rsa, 4), 1);
@@ -626,11 +626,11 @@ int test_wolfSSL_RSA_meth(void)
     RSA_METHOD *rsa_meth = NULL;
 
 #ifdef WOLFSSL_KEY_GEN
-    ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
     RSA_free(rsa);
     rsa = NULL;
 #else
-    ExpectNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
 #endif
 
     ExpectNotNull(RSA_get_default_method());

tests/api/test_slhdsa.c

@@ -1081,12 +1081,14 @@ int test_wc_slhdsa_sign_hash(void)
         WC_HASH_TYPE_SHA256, sig, sigLen),
         WC_NO_ERR_TRACE(BAD_LENGTH_E));
 
-    /* Unsupported hashType (FIPS 205 doesn't list WC_HASH_TYPE_NONE) hits
-     * the default branch of slhdsakey_validate_prehash. */
+    /* WC_HASH_TYPE_NONE is the "pure SLH-DSA" sentinel and is never a valid
+     * pre-hash algorithm (FIPS 205 Section 10.2.2 / Table 9).  HashSLH-DSA
+     * signing rejects it with an explicit early check (BAD_FUNC_ARG), not via
+     * the slhdsa_check_hash_for_n() switch default. */
     sigLen = WC_SLHDSA_MAX_SIG_LEN;
     ExpectIntEQ(wc_SlhDsaKey_SignHash(&key, ctx, sizeof(ctx), hash, 32,
         WC_HASH_TYPE_NONE, sig, &sigLen, &rng),
-        WC_NO_ERR_TRACE(NOT_COMPILED_IN));
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
     /* Test SignHash with SHA-256. */
     sigLen = WC_SLHDSA_MAX_SIG_LEN;