Phase 2: PQ in boundary and SHA512 DRBG

Author: kaleb-himes

configure.ac

@@ -583,3 +583,241 @@ int wc_Entropy_Get(int bits, unsigned char* entropy, word32 len);
     \sa wc_Entropy_Get
 */
 int wc_Entropy_OnDemandTest(void);
+
+/*!
+    \ingroup Random
+
+    \brief Runs the SHA-512 Hash_DRBG Known Answer Test (KAT) per
+    SP 800-90A.  Instantiates a SHA-512 DRBG with seedA, optionally
+    reseeds with seedB, generates output, and compares against known
+    test vectors.  Available when WOLFSSL_DRBG_SHA512 is defined.
+
+    \return 0 On success
+    \return BAD_FUNC_ARG If seedA or output is NULL, or if reseed is
+    set and seedB is NULL
+    \return -1 Test failed
+
+    \param reseed Non-zero to test reseeding
+    \param seedA Initial entropy seed
+    \param seedASz Size of seedA in bytes
+    \param seedB Reseed entropy (required if reseed is set)
+    \param seedBSz Size of seedB in bytes
+    \param output Buffer to receive generated output
+    \param outputSz Size of output in bytes
+
+    _Example_
+    \code
+    byte output[WC_SHA512_DIGEST_SIZE * 4];
+    const byte seedA[] = { ... };
+    const byte seedB[] = { ... };
+
+    ret = wc_RNG_HealthTest_SHA512(0, seedA, sizeof(seedA), NULL, 0,
+                                   output, sizeof(output));
+    if (ret != 0)
+        return -1;
+
+    ret = wc_RNG_HealthTest_SHA512(1, seedA, sizeof(seedA),
+                                   seedB, sizeof(seedB),
+                                   output, sizeof(output));
+    if (ret != 0)
+        return -1;
+    \endcode
+
+    \sa wc_RNG_HealthTest
+    \sa wc_RNG_HealthTest_SHA512_ex
+*/
+int wc_RNG_HealthTest_SHA512(int reseed, const byte* seedA, word32 seedASz,
+        const byte* seedB, word32 seedBSz,
+        byte* output, word32 outputSz);
+
+/*!
+    \ingroup Random
+
+    \brief Extended SHA-512 Hash_DRBG health test with nonce,
+    personalization string, and additional input support.  Suitable
+    for full ACVP / CAVP test vector validation.  Available when
+    WOLFSSL_DRBG_SHA512 is defined.
+
+    \return 0 On success
+    \return BAD_FUNC_ARG If required params are NULL
+    \return -1 Test failed
+
+    \param reseed Non-zero to test reseeding
+    \param nonce Nonce buffer (can be NULL)
+    \param nonceSz Nonce size
+    \param persoString Personalization string (can be NULL)
+    \param persoStringSz Personalization string size
+    \param seedA Initial entropy seed
+    \param seedASz Initial seed size
+    \param seedB Reseed entropy (required if reseed is set)
+    \param seedBSz Reseed size
+    \param additionalA Additional input for first generate (can be NULL)
+    \param additionalASz Additional input A size
+    \param additionalB Additional input for second generate (can be NULL)
+    \param additionalBSz Additional input B size
+    \param output Output buffer
+    \param outputSz Output size
+    \param heap Heap hint (can be NULL)
+    \param devId Device ID (INVALID_DEVID for software)
+
+    _Example_
+    \code
+    byte output[WC_SHA512_DIGEST_SIZE * 4];
+    const byte seedA[] = { ... };
+    const byte nonce[] = { ... };
+
+    int ret = wc_RNG_HealthTest_SHA512_ex(0, nonce, sizeof(nonce),
+                                          NULL, 0,
+                                          seedA, sizeof(seedA),
+                                          NULL, 0,
+                                          NULL, 0, NULL, 0,
+                                          output, sizeof(output),
+                                          NULL, INVALID_DEVID);
+    \endcode
+
+    \sa wc_RNG_HealthTest_SHA512
+    \sa wc_RNG_HealthTest_ex
+*/
+int wc_RNG_HealthTest_SHA512_ex(int reseed, const byte* nonce, word32 nonceSz,
+        const byte* persoString, word32 persoStringSz,
+        const byte* seedA, word32 seedASz,
+        const byte* seedB, word32 seedBSz,
+        const byte* additionalA, word32 additionalASz,
+        const byte* additionalB, word32 additionalBSz,
+        byte* output, word32 outputSz,
+        void* heap, int devId);
+
+/*!
+    \ingroup Random
+
+    \brief Disables the SHA-256 Hash_DRBG at runtime.  When disabled,
+    newly initialized WC_RNG instances will not use the SHA-256 DRBG.
+    If the SHA-512 DRBG is enabled (WOLFSSL_DRBG_SHA512), new RNG
+    instances will use SHA-512 instead.  Requires HAVE_HASHDRBG.
+
+    \return 0 On success
+
+    _Example_
+    \code
+    wc_Sha256Drbg_Disable();
+    // New WC_RNG instances will now use SHA-512 DRBG if available
+    WC_RNG rng;
+    wc_InitRng(&rng);
+    \endcode
+
+    \sa wc_Sha256Drbg_Enable
+    \sa wc_Sha256Drbg_GetStatus
+    \sa wc_Sha512Drbg_Disable
+*/
+int wc_Sha256Drbg_Disable(void);
+
+/*!
+    \ingroup Random
+
+    \brief Re-enables the SHA-256 Hash_DRBG at runtime after a prior
+    call to wc_Sha256Drbg_Disable().  Requires HAVE_HASHDRBG.
+
+    \return 0 On success
+
+    _Example_
+    \code
+    wc_Sha256Drbg_Disable();
+    // ... use SHA-512 DRBG only ...
+    wc_Sha256Drbg_Enable();
+    // New WC_RNG instances can use SHA-256 DRBG again
+    \endcode
+
+    \sa wc_Sha256Drbg_Disable
+    \sa wc_Sha256Drbg_GetStatus
+*/
+int wc_Sha256Drbg_Enable(void);
+
+/*!
+    \ingroup Random
+
+    \brief Returns the current status of the SHA-256 Hash_DRBG
+    (disabled or enabled).  Requires HAVE_HASHDRBG.
+
+    \return 1 SHA-256 DRBG is disabled
+    \return 0 SHA-256 DRBG is enabled
+
+    _Example_
+    \code
+    if (wc_Sha256Drbg_GetStatus()) {
+        printf("SHA-256 DRBG is off\n");
+    }
+    \endcode
+
+    \sa wc_Sha256Drbg_Disable
+    \sa wc_Sha256Drbg_Enable
+*/
+int wc_Sha256Drbg_GetStatus(void);
+
+/*!
+    \ingroup Random
+
+    \brief Disables the SHA-512 Hash_DRBG at runtime.  When disabled,
+    newly initialized WC_RNG instances will not use the SHA-512 DRBG.
+    If the SHA-256 DRBG is still enabled, new RNG instances will fall
+    back to SHA-256.  Available when WOLFSSL_DRBG_SHA512 is defined.
+    Requires HAVE_HASHDRBG.
+
+    \return 0 On success
+
+    _Example_
+    \code
+    wc_Sha512Drbg_Disable();
+    // New WC_RNG instances will now use SHA-256 DRBG
+    WC_RNG rng;
+    wc_InitRng(&rng);
+    \endcode
+
+    \sa wc_Sha512Drbg_Enable
+    \sa wc_Sha512Drbg_GetStatus
+    \sa wc_Sha256Drbg_Disable
+*/
+int wc_Sha512Drbg_Disable(void);
+
+/*!
+    \ingroup Random
+
+    \brief Re-enables the SHA-512 Hash_DRBG at runtime after a prior
+    call to wc_Sha512Drbg_Disable().  Available when WOLFSSL_DRBG_SHA512
+    is defined.  Requires HAVE_HASHDRBG.
+
+    \return 0 On success
+
+    _Example_
+    \code
+    wc_Sha512Drbg_Disable();
+    // ... use SHA-256 DRBG only ...
+    wc_Sha512Drbg_Enable();
+    // New WC_RNG instances can use SHA-512 DRBG again
+    \endcode
+
+    \sa wc_Sha512Drbg_Disable
+    \sa wc_Sha512Drbg_GetStatus
+*/
+int wc_Sha512Drbg_Enable(void);
+
+/*!
+    \ingroup Random
+
+    \brief Returns the current status of the SHA-512 Hash_DRBG
+    (disabled or enabled).  Available when WOLFSSL_DRBG_SHA512 is
+    defined.  Requires HAVE_HASHDRBG.
+
+    \return 1 SHA-512 DRBG is disabled
+    \return 0 SHA-512 DRBG is enabled
+
+    _Example_
+    \code
+    if (wc_Sha512Drbg_GetStatus()) {
+        printf("SHA-512 DRBG is off\n");
+    }
+    \endcode
+
+    \sa wc_Sha512Drbg_Disable
+    \sa wc_Sha512Drbg_Enable
+*/
+int wc_Sha512Drbg_GetStatus(void);

doc/dox_comments/header_files/random.h

@@ -26098,8 +26098,6 @@ static int error_test(void)
         {27, 26 },
 #endif
         { -9, WC_SPAN1_FIRST_E + 1 },
-        { -124, -124 },
-        { -167, -169 },
         { -300, -300 },
         { -335, -336 },
         { -346, -349 },

tests/api.c

@@ -553,6 +553,8 @@ int test_wc_dilithium(void)
     ExpectIntEQ(wc_InitRng(&rng), 0);
 #endif
 
+    PRIVATE_KEY_UNLOCK();
+
     ExpectIntEQ(wc_dilithium_init(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wc_dilithium_init_ex(NULL, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     wc_dilithium_free(NULL);
@@ -673,6 +675,8 @@ int test_wc_dilithium(void)
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 #endif
 
+    PRIVATE_KEY_LOCK();
+
     wc_dilithium_free(key);
 #if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \
     !defined(WOLFSSL_DILITHIUM_NO_SIGN)
@@ -765,6 +769,8 @@ int test_wc_dilithium_sign(void)
     ExpectIntEQ(wc_InitRng(&rng), 0);
     ExpectIntEQ(wc_dilithium_init(key), 0);
 
+    PRIVATE_KEY_UNLOCK();
+
 #ifndef WOLFSSL_NO_ML_DSA_44
     ExpectIntEQ(wc_dilithium_set_level(key, WC_ML_DSA_44), 0);
 #elif !defined(WOLFSSL_NO_ML_DSA_65)
@@ -878,6 +884,8 @@ int test_wc_dilithium_sign(void)
 #endif
     wc_dilithium_free(importKey);
 
+    PRIVATE_KEY_LOCK();
+
     wc_dilithium_free(key);
     wc_FreeRng(&rng);
 
@@ -1251,6 +1259,8 @@ int test_wc_dilithium_check_key(void)
 
     ExpectIntEQ(wc_InitRng(&rng), 0);
 
+    PRIVATE_KEY_UNLOCK();
+
     ExpectIntEQ(wc_dilithium_check_key(NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
     ExpectIntEQ(wc_dilithium_init(checkKey), 0);
@@ -1337,6 +1347,8 @@ int test_wc_dilithium_check_key(void)
         pubCheckKey[48] ^= 0x80;
     }
 
+    PRIVATE_KEY_LOCK();
+
     wc_dilithium_free(checkKey);
     wc_FreeRng(&rng);
 
@@ -2940,6 +2952,8 @@ int test_wc_dilithium_der(void)
     ExpectIntEQ(wc_InitRng(&rng), 0);
     ExpectIntEQ(wc_dilithium_init(key), 0);
 
+    PRIVATE_KEY_UNLOCK();
+
     ExpectIntEQ(wc_Dilithium_PublicKeyToDer(key, der, DILITHIUM_MAX_DER_SIZE,
         0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wc_Dilithium_PublicKeyToDer(key, der, DILITHIUM_MAX_DER_SIZE,
@@ -3091,6 +3105,7 @@ int test_wc_dilithium_der(void)
     idx = 0;
     ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der, &idx, key, len), 0);
 
+    PRIVATE_KEY_LOCK();
 
     wc_dilithium_free(key);
     wc_FreeRng(&rng);
@@ -12346,6 +12361,9 @@ int test_wc_dilithium_sig_kats(void)
     }
 
     ExpectIntEQ(wc_dilithium_init_ex(key, NULL, INVALID_DEVID), 0);
+
+    PRIVATE_KEY_UNLOCK();
+
 #ifndef WOLFSSL_NO_ML_DSA_44
     ExpectIntEQ(wc_dilithium_set_level(key, WC_ML_DSA_44), 0);
     ExpectIntEQ(wc_dilithium_import_private(sk_44, (word32)sizeof(sk_44), key),
@@ -12377,6 +12395,8 @@ int test_wc_dilithium_sig_kats(void)
     ExpectIntEQ(XMEMCMP(sig, sig_87, sizeof(sig_87)), 0);
 #endif
 
+    PRIVATE_KEY_LOCK();
+
     wc_dilithium_free(key);
     XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -16745,6 +16765,8 @@ int test_wc_Dilithium_PrivateKeyDecode_OpenSSL_form(void)
     ExpectNotNull(der = (byte*) XMALLOC(derMaxSz, NULL,
         DYNAMIC_TYPE_TMP_BUFFER));
 
+    PRIVATE_KEY_UNLOCK();
+
     for (size_t i = 0; i < sizeof(ossl_form) / sizeof(ossl_form[0]); ++i) {
         ExpectNotNull(fp = XFOPEN(ossl_form[i].fileName, "rb"));
         ExpectIntGT(derSz = XFREAD(der, 1, derMaxSz, fp), 0);
@@ -16811,6 +16833,8 @@ int test_wc_Dilithium_PrivateKeyDecode_OpenSSL_form(void)
         wc_dilithium_free(&key);
     }
 
+    PRIVATE_KEY_LOCK();
+
     XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
     return EXPECT_RESULT();

tests/api/test_mldsa.c

@@ -1451,6 +1451,8 @@ int test_wc_mlkem_make_key_kats(void)
         XMEMSET(key, 0, sizeof(MlKemKey));
     }
 
+    PRIVATE_KEY_UNLOCK();
+
 #ifndef WOLFSSL_NO_ML_KEM_512
     ExpectIntEQ(wc_MlKemKey_Init(key, WC_ML_KEM_512, NULL, INVALID_DEVID), 0);
     ExpectIntEQ(wc_MlKemKey_MakeKeyWithRandom(key, seed_512, sizeof(seed_512)),
@@ -1488,6 +1490,8 @@ int test_wc_mlkem_make_key_kats(void)
     wc_MlKemKey_Free(key);
 #endif
 
+    PRIVATE_KEY_LOCK();
+
     XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
     return EXPECT_RESULT();
@@ -3845,6 +3849,8 @@ int test_wc_mlkem_decapsulate_kats(void)
         XMEMSET(key, 0, sizeof(MlKemKey));
     }
 
+    PRIVATE_KEY_UNLOCK();
+
 #ifndef WOLFSSL_NO_ML_KEM_512
     ExpectIntEQ(wc_MlKemKey_Init(key, WC_ML_KEM_512, NULL, INVALID_DEVID), 0);
     ExpectIntEQ(wc_MlKemKey_DecodePrivateKey(key, dk_512, sizeof(dk_512)), 0);
@@ -3867,6 +3873,8 @@ int test_wc_mlkem_decapsulate_kats(void)
     wc_MlKemKey_Free(key);
 #endif
 
+    PRIVATE_KEY_LOCK();
+
     XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
     return EXPECT_RESULT();