New hash modes and features for PQ submission

Author: kaleb-himes

configure.ac

@@ -1972,6 +1972,9 @@ do
   sha256-192)
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192"
     ;;
+  shake256)
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHAKE256"
+    ;;
   *)
     AC_MSG_ERROR([Invalid choice for LMS []: $ENABLED_LMS.])
     break;;
@@ -6134,8 +6137,8 @@ AS_CASE([$FIPS_VERSION],
                (test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
             [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
 
-        # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
-        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
+        # SHA512-224 and SHA512-256 enabled for FIPS v7+ (needed for ML-DSA
+        # HashML-DSA ACVP test vectors with SHA2-512/224 and SHA2-512/256)
 
         # Shake128 because we're testing SHAKE256
         AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&
@@ -6224,6 +6227,8 @@ AS_CASE([$FIPS_VERSION],
         AS_IF([test "$ENABLED_LMS" != "yes" &&
                (test "$FIPS_VERSION" != "dev" || test "$enable_lms" != "no")],
             [ENABLED_LMS="yes"])
+        # LMS: enable SHA-256/192 and SHAKE256 parameter sets for FIPS v7
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LMS_SHA256_192 -DWOLFSSL_LMS_SHAKE256"
 
 # SHA-256 DRBG -- cannot be disabled at build time in FIPS mode
         AS_IF([test "$enable_sha256_drbg" = "no"],
@@ -6356,8 +6361,7 @@ AS_CASE([$FIPS_VERSION],
                (test "$FIPS_VERSION" != "dev" || test "$enable_sha512" != "no")],
             [ENABLED_SHA512="yes"; AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384"])
 
-        # SHA512-224 and SHA512-256 are SHA-2 algorithms not in our FIPS algorithm list
-        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NOSHA512_224 -DWOLFSSL_NOSHA512_256"
+        # SHA512-224 and SHA512-256 are needed for HashML-DSA (FIPS 204)
 
         # Shake128 because we're testing SHAKE256
         AS_IF([test "x$ENABLED_SHAKE128" = "xno" &&

wolfcrypt/benchmark/benchmark.c

@@ -11546,6 +11546,13 @@ static void bench_lms_sign_verify(enum wc_LmsParm parm, byte* pub)
     case WC_LMS_PARM_L4_H5_W4:
     case WC_LMS_PARM_L4_H10_W4:
     case WC_LMS_PARM_L4_H10_W8:
+    case WC_LMS_PARM_L1_H25_W1:
+    case WC_LMS_PARM_L1_H25_W2:
+    case WC_LMS_PARM_L1_H25_W4:
+    case WC_LMS_PARM_L1_H25_W8:
+    case WC_LMS_PARM_L1_H10_W1:
+    case WC_LMS_PARM_L1_H15_W1:
+    case WC_LMS_PARM_L1_H20_W1:
 #endif
 
 #ifdef WOLFSSL_LMS_SHA256_192
@@ -11569,6 +11576,57 @@ static void bench_lms_sign_verify(enum wc_LmsParm parm, byte* pub)
     case WC_LMS_PARM_SHA256_192_L3_H5_W8:
     case WC_LMS_PARM_SHA256_192_L3_H10_W4:
     case WC_LMS_PARM_SHA256_192_L4_H5_W8:
+    case WC_LMS_PARM_SHA256_192_L1_H25_W1:
+    case WC_LMS_PARM_SHA256_192_L1_H25_W2:
+    case WC_LMS_PARM_SHA256_192_L1_H25_W4:
+    case WC_LMS_PARM_SHA256_192_L1_H25_W8:
+    case WC_LMS_PARM_SHA256_192_L1_H10_W1:
+    case WC_LMS_PARM_SHA256_192_L1_H15_W1:
+    case WC_LMS_PARM_SHA256_192_L1_H20_W1:
+    case WC_LMS_PARM_SHA256_192_L1_H15_W8:
+#endif
+
+#ifdef WOLFSSL_LMS_SHAKE256
+    case WC_LMS_PARM_SHAKE_L1_H5_W1:
+    case WC_LMS_PARM_SHAKE_L1_H5_W2:
+    case WC_LMS_PARM_SHAKE_L1_H5_W4:
+    case WC_LMS_PARM_SHAKE_L1_H5_W8:
+    case WC_LMS_PARM_SHAKE_L1_H10_W1:
+    case WC_LMS_PARM_SHAKE_L1_H10_W2:
+    case WC_LMS_PARM_SHAKE_L1_H10_W4:
+    case WC_LMS_PARM_SHAKE_L1_H10_W8:
+    case WC_LMS_PARM_SHAKE_L1_H15_W1:
+    case WC_LMS_PARM_SHAKE_L1_H15_W2:
+    case WC_LMS_PARM_SHAKE_L1_H15_W4:
+    case WC_LMS_PARM_SHAKE_L1_H15_W8:
+    case WC_LMS_PARM_SHAKE_L1_H20_W1:
+    case WC_LMS_PARM_SHAKE_L1_H20_W2:
+    case WC_LMS_PARM_SHAKE_L1_H20_W4:
+    case WC_LMS_PARM_SHAKE_L1_H20_W8:
+    case WC_LMS_PARM_SHAKE_L1_H25_W1:
+    case WC_LMS_PARM_SHAKE_L1_H25_W2:
+    case WC_LMS_PARM_SHAKE_L1_H25_W4:
+    case WC_LMS_PARM_SHAKE_L1_H25_W8:
+    case WC_LMS_PARM_SHAKE192_L1_H5_W1:
+    case WC_LMS_PARM_SHAKE192_L1_H5_W2:
+    case WC_LMS_PARM_SHAKE192_L1_H5_W4:
+    case WC_LMS_PARM_SHAKE192_L1_H5_W8:
+    case WC_LMS_PARM_SHAKE192_L1_H10_W1:
+    case WC_LMS_PARM_SHAKE192_L1_H10_W2:
+    case WC_LMS_PARM_SHAKE192_L1_H10_W4:
+    case WC_LMS_PARM_SHAKE192_L1_H10_W8:
+    case WC_LMS_PARM_SHAKE192_L1_H15_W1:
+    case WC_LMS_PARM_SHAKE192_L1_H15_W2:
+    case WC_LMS_PARM_SHAKE192_L1_H15_W4:
+    case WC_LMS_PARM_SHAKE192_L1_H15_W8:
+    case WC_LMS_PARM_SHAKE192_L1_H20_W1:
+    case WC_LMS_PARM_SHAKE192_L1_H20_W2:
+    case WC_LMS_PARM_SHAKE192_L1_H20_W4:
+    case WC_LMS_PARM_SHAKE192_L1_H20_W8:
+    case WC_LMS_PARM_SHAKE192_L1_H25_W1:
+    case WC_LMS_PARM_SHAKE192_L1_H25_W2:
+    case WC_LMS_PARM_SHAKE192_L1_H25_W4:
+    case WC_LMS_PARM_SHAKE192_L1_H25_W8:
 #endif
 
     default:

wolfcrypt/src/asn.c

@@ -4279,6 +4279,12 @@ static word32 SetBitString16Bit(word16 val, byte* output)
 #ifndef WOLFSSL_NOSHA3_512
     static const byte hashSha3_512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 10};
 #endif /* WOLFSSL_NOSHA3_512 */
+#ifdef WOLFSSL_SHAKE128
+    static const byte hashShake128hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 11};
+#endif /* WOLFSSL_SHAKE128 */
+#ifdef WOLFSSL_SHAKE256
+    static const byte hashShake256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 12};
+#endif /* WOLFSSL_SHAKE256 */
 #endif /* WOLFSSL_SHA3 */
 
 /* hmacType */
@@ -5152,6 +5158,18 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
                     *oidSz = sizeof(hashSha3_512hOid);
                     break;
             #endif /* WOLFSSL_NOSHA3_512 */
+            #ifdef WOLFSSL_SHAKE128
+                case SHAKE128h:
+                    oid = hashShake128hOid;
+                    *oidSz = sizeof(hashShake128hOid);
+                    break;
+            #endif /* WOLFSSL_SHAKE128 */
+            #ifdef WOLFSSL_SHAKE256
+                case SHAKE256h:
+                    oid = hashShake256hOid;
+                    *oidSz = sizeof(hashShake256hOid);
+                    break;
+            #endif /* WOLFSSL_SHAKE256 */
             #endif /* WOLFSSL_SHA3 */
                 default:
                     break;

wolfcrypt/src/dh.c

@@ -1063,6 +1063,11 @@ static int CheckDhLN(word32 modLen, word32 divLen)
             if (divLen == 224 || divLen == 256)
                 ret = 0;
             break;
+        /* Per SP 800-56Ar3 Table 2 */
+        case 3072:
+            if (divLen == 256)
+                ret = 0;
+            break;
         default:
             break;
     }

wolfcrypt/src/dilithium.c

@@ -739,6 +739,15 @@ static int dilithium_get_hash_oid(int hash, byte* oidBuffer, word32* oidLen)
         oid = sha512Oid;
     }
     else
+#ifndef WOLFSSL_NOSHA512_224
+    if (hash == WC_HASH_TYPE_SHA512_224) {
+        static byte sha512_224Oid[DILITHIUM_HASH_OID_LEN] = {
+            0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05
+        };
+        oid = sha512_224Oid;
+    }
+    else
+#endif
 #ifndef WOLFSSL_NOSHA512_256
     if (hash == WC_HASH_TYPE_SHA512_256) {
         static byte sha512_256Oid[DILITHIUM_HASH_OID_LEN] = {
@@ -9347,7 +9356,7 @@ static void dilithium_make_pub_vec(dilithium_key* key, sword32* t1)
  * @return  MEMORY_E when memory allocation fails.
  * @return  Other negative when an error occurs.
  */
-static int dilithium_verify_mu(dilithium_key* key, const byte* mu,
+static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu,
     const byte* sig, word32 sigLen, int* res)
 {
 #ifndef WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
@@ -9806,7 +9815,7 @@ static int dilithium_verify_ctx_msg(dilithium_key* key, const byte* ctx,
             ctx, (byte)ctxLen, msg, msgLen, mu, DILITHIUM_MU_SZ);
     }
     if (ret == 0) {
-        ret = dilithium_verify_mu(key, mu, sig, sigLen, res);
+        ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
     }
 
     return ret;
@@ -9849,7 +9858,7 @@ static int dilithium_verify_msg(dilithium_key* key, const byte* msg,
             mu, DILITHIUM_MU_SZ);
     }
     if (ret == 0) {
-        ret = dilithium_verify_mu(key, mu, sig, sigLen, res);
+        ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
     }
 
     return ret;
@@ -9904,7 +9913,7 @@ static int dilithium_verify_ctx_hash(dilithium_key* key, const byte* ctx,
             ctx, (byte)ctxLen, oidMsgHash, oidMsgHashLen, mu, DILITHIUM_MU_SZ);
     }
     if (ret == 0) {
-        ret = dilithium_verify_mu(key, mu, sig, sigLen, res);
+        ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
     }
 
     return ret;
@@ -10475,6 +10484,53 @@ int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen,
 
     return ret;
 }
+
+/* Sign using the ML-DSA internal interface with a pre-computed mu value.
+ *
+ * This implements ML-DSA.Sign_internal from FIPS 204 Section 6.2.
+ * The caller provides mu directly (already computed from tr||M'), bypassing
+ * the external message hashing step. Used by ACVP internal interface tests.
+ *
+ *  mu          [in]      Pre-computed mu value (64 bytes).
+ *  muLen       [in]      Length of mu in bytes (must be 64).
+ *  sig         [out]     Buffer to write signature into.
+ *  sigLen      [in/out]  On in, size of buffer.
+ *                        On out, the length of the signature in bytes.
+ *  key         [in]      Dilithium key to use when signing.
+ *  seed        [in]      32-byte random seed (rnd).
+ *  returns BAD_FUNC_ARG when a parameter is NULL or muLen is not 64,
+ *          BUFFER_E when sigLen is too small,
+ *          0 otherwise.
+ */
+int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen,
+    byte* sig, word32 *sigLen, dilithium_key* key, const byte* seed)
+{
+    int ret = 0;
+
+    /* Validate parameters. */
+    if ((mu == NULL) || (sig == NULL) || (sigLen == NULL) || (key == NULL) ||
+            (seed == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+    if ((ret == 0) && (muLen != DILITHIUM_MU_SZ)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+    #ifdef WOLFSSL_WC_DILITHIUM
+        /* Build [seed||mu] buffer and call internal sign function. */
+        byte seedMu[DILITHIUM_RND_SZ + DILITHIUM_MU_SZ];
+        XMEMCPY(seedMu, seed, DILITHIUM_RND_SZ);
+        XMEMCPY(seedMu + DILITHIUM_RND_SZ, mu, DILITHIUM_MU_SZ);
+        ret = dilithium_sign_with_seed_mu(key, seedMu, sig, sigLen);
+    #elif defined(HAVE_LIBOQS)
+        ret = NOT_COMPILED_IN;
+        (void)muLen;
+    #endif
+    }
+
+    return ret;
+}
 #endif /* !WOLFSSL_DILITHIUM_NO_SIGN */
 
 #ifndef WOLFSSL_DILITHIUM_NO_VERIFY
@@ -10650,6 +10706,47 @@ int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen,
 
     return ret;
 }
+
+/* Verify using the ML-DSA internal interface with a pre-computed mu value.
+ *
+ * This implements ML-DSA.Verify_internal from FIPS 204 Section 6.3.
+ * The caller provides mu directly (already computed from tr||M'), bypassing
+ * the external message hashing step. Used by ACVP internal interface tests.
+ *
+ *  sig         [in]  Signature to verify.
+ *  sigLen      [in]  Size of signature in bytes.
+ *  mu          [in]  Pre-computed mu value (64 bytes).
+ *  muLen       [in]  Length of mu in bytes (must be 64).
+ *  res         [out] *res is set to 1 on successful verification.
+ *  key         [in]  Dilithium key to use to verify.
+ *  returns BAD_FUNC_ARG when a parameter is NULL or muLen is not 64,
+ *          0 otherwise.
+ */
+int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu,
+    word32 muLen, int* res, dilithium_key* key)
+{
+    int ret = 0;
+
+    /* Validate parameters. */
+    if ((key == NULL) || (sig == NULL) || (mu == NULL) || (res == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+    if ((ret == 0) && (muLen != DILITHIUM_MU_SZ)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+    #ifdef WOLFSSL_WC_DILITHIUM
+        ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res);
+    #elif defined(HAVE_LIBOQS)
+        ret = NOT_COMPILED_IN;
+        (void)sigLen;
+        (void)muLen;
+    #endif
+    }
+
+    return ret;
+}
 #endif /* WOLFSSL_DILITHIUM_NO_VERIFY */
 
 #ifndef WC_NO_CONSTRUCTORS