wolfcrypt: add additional enforcement of correct digest sizes in signature gen and verify ops:

* add WC_FIPS_186_4, WC_FIPS_186_4_PLUS, WC_FIPS_186_5, and WC_FIPS_186_5_PLUS feature macros.
* add support for WC_HASH_CUSTOM_MIN_DIGEST_SIZE, WC_HASH_CUSTOM_MAX_DIGEST_SIZE, and
  WC_HASH_CUSTOM_MAX_BLOCK_SIZE, for use with custom digest algorithms.
* add SigOidMatchesKeyOid() helper function and WC_MIN_DIGEST_SIZE macro.
* add additional size and OID agreement checks for sig gen and verify ops.
* update ecc_test_vector() with FIPS 186-5 vectors.

Co-authored-by: Tobias Frauenschläger <tobias@wolfssl.com>

Author: douzzer

.wolfssl_known_macro_extras

@@ -639,6 +639,9 @@ WC_DILITHIUM_FIXED_ARRAY
 WC_DISABLE_RADIX_ZERO_PAD
 WC_FLAG_DONT_USE_AESNI
 WC_FORCE_LINUXKM_FORTIFY_SOURCE
+WC_HASH_CUSTOM_MAX_BLOCK_SIZE
+WC_HASH_CUSTOM_MAX_DIGEST_SIZE
+WC_HASH_CUSTOM_MIN_DIGEST_SIZE
 WC_NO_ASYNC_SLEEP
 WC_NO_RNG_SIMPLE
 WC_NO_STATIC_ASSERT
@@ -651,9 +654,6 @@ WC_RSA_NONBLOCK
 WC_RSA_NONBLOCK_TIME
 WC_RSA_NO_FERMAT_CHECK
 WC_RWLOCK_OPS_INLINE
-WC_SHA384
-WC_SHA384_DIGEST_SIZE
-WC_SHA512
 WC_SKIP_INCLUDED_C_FILES
 WC_SSIZE_TYPE
 WC_STRICT_SIG

src/internal.c

@@ -157,6 +157,7 @@
 #include <wolfssl/error-ssl.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/dh.h>
+#include <wolfssl/wolfcrypt/hash.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
@@ -5720,6 +5721,12 @@ int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* out,
     }
 #endif
 
+    /* Check hash length */
+    if ((outSz > WC_MAX_DIGEST_SIZE) ||
+        (outSz < WC_MIN_DIGEST_SIZE)) {
+        return BAD_LENGTH_E;
+    }
+
     (void)ssl;
     (void)keyBufInfo;
 

src/pk_ec.c

@@ -5264,6 +5264,14 @@ int wolfSSL_ECDSA_do_verify(const unsigned char *dgst, int dLen,
         ret = WOLFSSL_FATAL_ERROR;
     }
 
+    /* Check hash length */
+    if ((ret == 1) &&
+        ((dLen > WC_MAX_DIGEST_SIZE) ||
+         (dLen < WC_MIN_DIGEST_SIZE))) {
+        WOLFSSL_MSG("wolfSSL_ECDSA_do_verify Bad digest size");
+        ret = WOLFSSL_FATAL_ERROR;
+    }
+
     /* Ensure internal EC key is set from external. */
     if ((ret == 1) && (key->inSet == 0)) {
         WOLFSSL_MSG("No EC key internal set, do it");
@@ -5388,6 +5396,14 @@ int wolfSSL_ECDSA_verify(int type, const unsigned char *digest, int digestSz,
         ret = 0;
     }
 
+    /* Check hash length */
+    if ((ret == 1) &&
+        ((digestSz > WC_MAX_DIGEST_SIZE) ||
+         (digestSz < WC_MIN_DIGEST_SIZE))) {
+        WOLFSSL_MSG("wolfSSL_ECDSA_verify Bad digest size");
+        ret = 0;
+    }
+
     /* Verify signature using digest and key. */
     if ((ret == 1) && (wc_ecc_verify_hash(sig, (word32)sigSz, digest,
             (word32)digestSz, &verify, (ecc_key*)key->internal) != 0)) {

tests/api.c

@@ -12284,9 +12284,9 @@ static int test_wc_CheckCertSigPubKey(void)
     ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer, 0,
         RSAk), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
-    /* Wrong aglo. */
+    /* Wrong algo. */
     ExpectIntEQ(wc_CheckCertSigPubKey(cert_der, cert_dersz, NULL, keyDer,
-        keyDerSz, ECDSAk), WC_NO_ERR_TRACE(ASN_PARSE_E));
+        keyDerSz, ECDSAk), WC_NO_ERR_TRACE(ASN_SIG_OID_E));
 
     wc_FreeDecodedCert(&decoded);
     if (cert_der != NULL)

tests/api/api.h

@@ -37,10 +37,32 @@
     #define HEAP_HINT NULL
 #endif
 
+#include <wolfssl/wolfcrypt/hash.h>
 
-#define TEST_STRING    "Everyone gets Friday off."
-#define TEST_STRING_SZ 25
-
+#if defined(WC_FIPS_186_5_PLUS)
+    #define TEST_STRING "WC_FIPS_186_5_PLUS test test"
+    #define TEST_STRING_SZ 28
+#elif defined(WC_FIPS_186_4_PLUS) || defined(HAVE_SELFTEST)
+    #define TEST_STRING "WC_FIPS_186_4_PLUS test.."
+    #define TEST_STRING_SZ 25
+#elif WC_MIN_DIGEST_SIZE <= 25
+    #define TEST_STRING "Everyone gets Friday off."
+    #define TEST_STRING_SZ 25
+#elif WC_MIN_DIGEST_SIZE <= 28
+    #define TEST_STRING "Everyone works the weekends."
+    #define TEST_STRING_SZ 28
+#elif WC_MIN_DIGEST_SIZE <= 32
+    #define TEST_STRING "Everyone works through the night"
+    #define TEST_STRING_SZ 32
+#elif WC_MIN_DIGEST_SIZE <= 48
+    #define TEST_STRING "Everyone gets to summer in Tuscany with Chianti."
+    #define TEST_STRING_SZ 48
+#elif WC_MIN_DIGEST_SIZE <= 64
+    #define TEST_STRING "Everyone works from Christmas Eve, clear through New Year's Day."
+    #define TEST_STRING_SZ 64
+#else
+    #error WC_MIN_DIGEST_SIZE value not supported by unit test.
+#endif
 
 #ifndef ONEK_BUF
     #define ONEK_BUF 1024

tests/api/test_dsa.c

@@ -61,7 +61,7 @@ int test_wc_InitDsaKey(void)
 int test_wc_DsaSignVerify(void)
 {
     EXPECT_DECLS;
-#if !defined(NO_DSA)
+#if !defined(NO_DSA) && !defined(WC_FIPS_186_5_PLUS)
     DsaKey key;
     WC_RNG rng;
     wc_Sha sha;
@@ -130,7 +130,8 @@ int test_wc_DsaSignVerify(void)
     DoExpectIntEQ(wc_FreeRng(&rng),0);
     wc_FreeDsaKey(&key);
     wc_ShaFree(&sha);
-#endif
+#endif /* !NO_DSA && !WC_FIPS_186_5_PLUS */
+
     return EXPECT_RESULT();
 } /* END test_wc_DsaSign */
 

tests/api/test_evp_pkey.c

@@ -742,7 +742,7 @@ int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void)
 {
     EXPECT_DECLS;
 #if defined(OPENSSL_ALL) && !defined (NO_DSA) && !defined(HAVE_SELFTEST) && \
-    defined(WOLFSSL_KEY_GEN)
+    !defined(WC_FIPS_186_5_PLUS) && defined(WOLFSSL_KEY_GEN)
     DSA       *dsa  = NULL;
     DSA       *setDsa  = NULL;
     EVP_PKEY  *pkey = NULL;
@@ -829,7 +829,8 @@ int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void)
     DSA_free(setDsa);
     EVP_PKEY_free(pkey);
     EVP_PKEY_free(set1Pkey);
-#endif /* OPENSSL_ALL && !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */
+#endif /* OPENSSL_ALL && !NO_DSA && !HAVE_SELFTEST && !WC_FIPS_186_5_PLUS */
+       /* && WOLFSSL_KEY_GEN */
     return EXPECT_RESULT();
 } /* END test_EVP_PKEY_set1_get1_DSA */
 
@@ -1606,7 +1607,8 @@ int test_wolfSSL_EVP_PKEY_sign_verify_dsa(void)
 {
     EXPECT_DECLS;
 #if defined(OPENSSL_EXTRA)
-#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN)
+#if !defined (NO_DSA) && !defined(WC_FIPS_186_5_PLUS) && \
+    !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN)
     ExpectIntEQ(test_wolfSSL_EVP_PKEY_sign_verify(EVP_PKEY_DSA), TEST_SUCCESS);
 #endif
 #endif

wolfcrypt/src/asn.c

@@ -16109,6 +16109,118 @@ static int DecodeDsaAsn1Sig(const byte* sig, word32 sigSz, byte* sigCpy,
 }
 #endif
 
+/* The certificate's signatureAlgorithm (sigOID) must match the issuer's
+ * key type (keyOID). sigOID picks the pre-hash; keyOID picks the
+ * verifier. They need to agree or the verifier gets the wrong input. */
+static int SigOidMatchesKeyOid(word32 sigOID, word32 keyOID)
+{
+    switch (keyOID) {
+    #ifndef NO_RSA
+        case RSAk:
+            switch (sigOID) {
+                case CTC_MD2wRSA:
+                case CTC_MD5wRSA:
+                case CTC_SHAwRSA:
+                case CTC_SHA224wRSA:
+                case CTC_SHA256wRSA:
+                case CTC_SHA384wRSA:
+                case CTC_SHA512wRSA:
+                case CTC_SHA3_224wRSA:
+                case CTC_SHA3_256wRSA:
+                case CTC_SHA3_384wRSA:
+                case CTC_SHA3_512wRSA:
+                case CTC_RSASSAPSS:
+                    return 1;
+            }
+            return 0;
+        #ifdef WC_RSA_PSS
+        case RSAPSSk:
+            return (sigOID == CTC_RSASSAPSS);
+        #endif
+    #endif
+    #if !defined(NO_DSA) && !defined(HAVE_SELFTEST)
+        case DSAk:
+            switch (sigOID) {
+                case CTC_SHAwDSA:
+                case CTC_SHA256wDSA:
+                    return 1;
+            }
+            return 0;
+    #endif
+    #if defined(HAVE_ECC) && defined(HAVE_ECC_VERIFY)
+        case ECDSAk:
+        #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+        case SM2k:
+        #endif
+            switch (sigOID) {
+                case CTC_SHAwECDSA:
+                case CTC_SHA224wECDSA:
+                case CTC_SHA256wECDSA:
+                case CTC_SHA384wECDSA:
+                case CTC_SHA512wECDSA:
+                case CTC_SHA3_224wECDSA:
+                case CTC_SHA3_256wECDSA:
+                case CTC_SHA3_384wECDSA:
+                case CTC_SHA3_512wECDSA:
+            #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
+                case CTC_SM3wSM2:
+            #endif
+                    return 1;
+            }
+            return 0;
+    #endif
+    #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
+        case ED25519k:
+            return (sigOID == CTC_ED25519);
+    #endif
+    #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
+        case ED448k:
+            return (sigOID == CTC_ED448);
+    #endif
+    #if defined(HAVE_FALCON)
+        case FALCON_LEVEL1k:
+            return (sigOID == CTC_FALCON_LEVEL1);
+        case FALCON_LEVEL5k:
+            return (sigOID == CTC_FALCON_LEVEL5);
+    #endif
+    #if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \
+        !defined(WOLFSSL_DILITHIUM_NO_ASN1)
+        #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
+        case DILITHIUM_LEVEL2k:
+            return (sigOID == CTC_DILITHIUM_LEVEL2);
+        case DILITHIUM_LEVEL3k:
+            return (sigOID == CTC_DILITHIUM_LEVEL3);
+        case DILITHIUM_LEVEL5k:
+            return (sigOID == CTC_DILITHIUM_LEVEL5);
+        #endif
+        case ML_DSA_LEVEL2k:
+            return (sigOID == CTC_ML_DSA_LEVEL2);
+        case ML_DSA_LEVEL3k:
+            return (sigOID == CTC_ML_DSA_LEVEL3);
+        case ML_DSA_LEVEL5k:
+            return (sigOID == CTC_ML_DSA_LEVEL5);
+    #endif
+    #if defined(HAVE_SPHINCS)
+        case SPHINCS_FAST_LEVEL1k:
+            return (sigOID == CTC_SPHINCS_FAST_LEVEL1);
+        case SPHINCS_FAST_LEVEL3k:
+            return (sigOID == CTC_SPHINCS_FAST_LEVEL3);
+        case SPHINCS_FAST_LEVEL5k:
+            return (sigOID == CTC_SPHINCS_FAST_LEVEL5);
+        case SPHINCS_SMALL_LEVEL1k:
+            return (sigOID == CTC_SPHINCS_SMALL_LEVEL1);
+        case SPHINCS_SMALL_LEVEL3k:
+            return (sigOID == CTC_SPHINCS_SMALL_LEVEL3);
+        case SPHINCS_SMALL_LEVEL5k:
+            return (sigOID == CTC_SPHINCS_SMALL_LEVEL5);
+    #endif
+    }
+
+    /* Default to reject unknown key types */
+    (void)sigOID;
+    return 0;
+}
+
 /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */
 int ConfirmSignature(SignatureCtx* sigCtx,
     const byte* buf, word32 bufSz,
@@ -16177,6 +16289,11 @@ int ConfirmSignature(SignatureCtx* sigCtx,
 
         case SIG_STATE_HASH:
         {
+            if (!SigOidMatchesKeyOid(sigOID, keyOID)) {
+                WOLFSSL_MSG("sigOID incompatible with issuer keyOID");
+                ERROR_OUT(ASN_SIG_OID_E, exit_cs);
+            }
+
         #if !defined(NO_RSA) && defined(WC_RSA_PSS)
             if (sigOID == RSAPSSk) {
                 word32 fakeSigOID = 0;

wolfcrypt/src/dilithium.c

@@ -9273,8 +9273,9 @@ static int dilithium_sign_ctx_hash_with_seed(dilithium_key* key,
     byte oidMsgHash[DILITHIUM_HASH_OID_LEN + WC_MAX_DIGEST_SIZE];
     word32 oidMsgHashLen = 0;
 
-    if ((ret == 0) && (hashLen > WC_MAX_DIGEST_SIZE)) {
-        ret = BUFFER_E;
+    /* Check that the input hash length is valid. */
+    if ((int)hashLen != wc_HashGetDigestSize((enum wc_HashType)hashAlg)) {
+        ret = BAD_LENGTH_E;
     }
 
     if (ret == 0) {
@@ -9944,6 +9945,12 @@ static int dilithium_verify_ctx_hash(dilithium_key* key, const byte* ctx,
     if (key == NULL) {
         ret = BAD_FUNC_ARG;
     }
+    /* Check that the input hash length is valid. */
+    if ((ret == 0) &&
+        ((int)hashLen != wc_HashGetDigestSize((enum wc_HashType)hashAlg)))
+    {
+        ret = BAD_LENGTH_E;
+    }
 
     if (ret == 0) {
         /* Step 6: Hash public key. */

wolfcrypt/src/dsa.c

@@ -27,6 +27,7 @@
 #include <wolfssl/wolfcrypt/wolfmath.h>
 #include <wolfssl/wolfcrypt/sha.h>
 #include <wolfssl/wolfcrypt/dsa.h>
+#include <wolfssl/wolfcrypt/hash.h>
 
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
@@ -689,6 +690,12 @@ int wc_DsaSign_ex(const byte* digest, word32 digestSz, byte* out, DsaKey* key,
     if (digest == NULL || out == NULL || key == NULL || rng == NULL)
         return BAD_FUNC_ARG;
 
+    if ((digestSz > WC_MAX_DIGEST_SIZE) ||
+        (digestSz < WC_MIN_DIGEST_SIZE))
+    {
+        return BAD_LENGTH_E;
+    }
+
     SAVE_VECTOR_REGISTERS(return _svr_ret;);
 
     do {
@@ -1022,6 +1029,16 @@ int wc_DsaVerify_ex(const byte* digest, word32 digestSz, const byte* sig,
     if (digest == NULL || sig == NULL || key == NULL || answer == NULL)
         return BAD_FUNC_ARG;
 
+    /* Note the min allowed digestSz here is WC_SHA_DIGEST_SIZE, not
+     * WC_MIN_DIGEST_SIZE, to allow verify-only legacy DSA operations, as
+     * expressly allowed under FIPS 186-5, FIPS 140-3, and SP 800-131A.
+     */
+    if ((digestSz > WC_MAX_DIGEST_SIZE) ||
+        (digestSz < WC_SHA_DIGEST_SIZE))
+    {
+        return BAD_LENGTH_E;
+    }
+
     do {
 #ifdef WOLFSSL_SMALL_STACK
         w = (mp_int *)XMALLOC(sizeof *w, key->heap, DYNAMIC_TYPE_TMP_BUFFER);