SecurityReview FND 40.2 + 36.1 + 6.4 + 10.1 + 15.1: integrity, PCT, zeroize, CMAC/SHAKE CASTs

Five findings from the v7.0.0 security review, squashed into one
commit per the Part3 branch invariant.

FND 40.2 (in-core integrity HMAC upgraded to SHA-512)
  - wolfssl/wolfcrypt/fips_test.h: add v7+ branch that selects SHA-512 /
    64-byte digest / 512-bit key / 64-byte verify-size.  Older versions
    (v5.3, v6.x) keep HMAC-SHA-256.
  - fips-hash.sh: drop the hardcoded cut -c1-64 so the script works for
    SHA-512 (128 hex chars) as well as SHA-256.
  Companion fips changes update verifyCore placeholder, coreKey, and
  static_assert on sizeof(verifyCore).  PL-R34 section 5.1 tracked-
  changes edit says HMAC-SHA2-512 with a 512-bit key.

FND 36.1 (SLH-DSA KeyGen now runs a Pairwise Consistency Test)
  - wolfssl/wolfcrypt/error-crypt.h: add SLH_DSA_PCT_E = -1013.
  - wolfcrypt/src/error.c: description string.
  - wolfcrypt/src/wc_slhdsa.c wc_SlhDsaKey_MakeKey: sign with
    SignDeterministic + verify under HAVE_FIPS.  Heap-allocated sig
    buffer (SLH-DSA sigs can be ~50 KB), ForceZero + free on failure.
  Companion fips: DEGRADE_STATE handler + optest case_1013.

FND 6.4 (AES-GCM decrypt zeroizes output on authentication failure)
  - wolfcrypt/src/aes.c wc_AesGcmDecrypt: ForceZero(out, sz) after
    VECTOR_REGISTERS_POP when ret == AES_GCM_AUTH_E.  All software
    sub-implementations funnel through that ret.
  - wc_AesGcmDecryptFinal: comment pointing callers at PL-R34 §2.7
    operational rule on streaming API.
  PL-R34 §2.7 tracked-changes paragraph documents the new rule.

FND 10.1 (AES-CMAC vendor-elected dedicated CAST)
  The v7.0.0 module now performs a dedicated AES-CMAC KAT at POST.
  FIPS 140-3 IG 10.3.A permits a single authenticated-mode KAT
  (AES-GCM, the "more complex" composition) to cover AES-CMAC as
  well and the prior v6.0.0 validation was approved on that basis.
  For v7.0.0 the vendor determined that the CMAC subkey-derivation
  path (K1/K2 via GF(2^128) doubling, final-block padding) is
  structurally distinct from GHASH and wished to exercise it with a
  dedicated CAST for additional assurance.  Voluntary enhancement
  exceeding the IG 10.3.A minimum.

  - wolfssl/wolfcrypt/fips_test.h: FIPS_CAST_AES_CMAC = 26.
  - wolfssl/wolfcrypt/error-crypt.h: CMAC_KAT_FIPS_E = -1014.
  - wolfcrypt/src/error.c: description string.
  Companion fips: AesCmac_KnownAnswerTest (SP 800-38B D.1 empty-msg
  KAT), FIPS_CAST_AES_CMAC case in DoCAST, DEGRADE_STATE handler,
  CastIdToStr entry, optest case_1014.  PL-R36 tracked-changes
  paragraph documents the vendor-elected framing.

FND 15.1 (SHAKE vendor-elected dedicated CAST)
  SHAKE was an approved algorithm in the v6.0.0 module; self-testing
  was covered by the SHA3-256 CAST (embedded in HMAC-SHA3-256 CAST)
  under IG 10.3.B via the shared Keccak-f[1600] permutation.  For
  v7.0.0 the vendor has elected to refactor SHAKE self-testing into
  a dedicated FIPS_CAST_SHAKE that exercises SHAKE's distinct 0x1F
  domain separator (vs SHA3's 0x06) and arbitrary-length squeeze.
  A single CAST identifier covers both SHAKE-128 and SHAKE-256 to
  minimize code footprint.  Voluntary enhancement exceeding the
  IG 10.3.B minimum.

  - wolfssl/wolfcrypt/fips_test.h: FIPS_CAST_SHAKE = 27, bump
    FIPS_CAST_COUNT = 28.
  - wolfssl/wolfcrypt/error-crypt.h: SHAKE_KAT_FIPS_E = -1015.
  - wolfcrypt/src/error.c: description string.
  Companion fips: Shake_KnownAnswerTest (variant + msg + outLen +
  expected parameters), FIPS_CAST_SHAKE case exercising SHAKE-128
  and SHAKE-256 with ACVTS vectors (vsId 2836391 tcId 1 for
  SHAKE-128, vsId 2836392 tcId 1 for SHAKE-256), DEGRADE_STATE
  handler, CastIdToStr entry, optest case_1015.  All 8 SHAKE
  wrappers in fips.c (Shake128/256 Update/Final/Absorb/SqueezeBlocks)
  now gate on FIPS_CAST_SHAKE and return SHAKE_KAT_FIPS_E on failure;
  a block comment above the SHAKE wrapper section records the v6->v7
  vendor-elected refactor rationale.  PL-R36 tracked-changes
  paragraph documents the framing and the updated CAST tally
  (28 total: 26 baseline + 2 vendor-elected).

Verified:
  make + fips-hash.sh + make; make check all pass (5 pass, 3 skip,
  0 fail) with default configure, AND with the CI-representative
  configure:
    --enable-fips=ready --enable-opensslall --enable-opensslextra
    --enable-crl --enable-harden --enable-asio --enable-certreq
    --enable-certgen --enable-certext --enable-aesni
    CFLAGS="-DHAVE_EX_DATA -DOPENSSL_COMPATIBLE_DEFAULTS
    -DWOLFSSL_ALT_NAMES -DWC_RNG_SEED_CB -DWOLFSSL_CUSTOM_OID
    -DWOLFSSL_FPKI -DASN_TEMPLATE_SKIP_ISCA_CHECK"
  (9 pass, 3 skip, 0 fail).

Author: kaleb-himes

fips-hash.sh

@@ -13,7 +13,11 @@ then
 fi
 
 OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
-NEWHASH=$(echo "$OUT" | cut -c1-64)
+# FIPS v7.0.0+ uses HMAC-SHA-512 (128 hex chars); older FIPS versions
+# use HMAC-SHA-256 (64 hex chars).  Take the whole captured hash; the
+# static_assert on sizeof(verifyCore) guards against wrong length at
+# compile time after this script runs.
+NEWHASH=$(echo "$OUT" | head -n1 | tr -d '[:space:]')
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak

wolfcrypt/src/aes.c

@@ -10959,6 +10959,16 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 
     VECTOR_REGISTERS_POP;
 
+    /* FIPS 140-3 / SP 800-38D: on authentication failure, the decrypted-but-
+     * unauthenticated plaintext in `out` must not be released to the caller.
+     * Wipe it here so a caller that ignores the return value cannot observe
+     * plaintext derived from forged ciphertext.  All software paths (AES-NI,
+     * AVX1/2, ARM HW/NEON, C fallback) funnel through `ret` here, so this
+     * single guard covers every sub-implementation. */
+    if (ret == WC_NO_ERR_TRACE(AES_GCM_AUTH_E) && out != NULL && sz > 0) {
+        ForceZero(out, sz);
+    }
+
     return ret;
 }
 #endif
@@ -12662,6 +12672,10 @@ int wc_AesGcmDecryptFinal(Aes* aes, const byte* authTag, word32 authTagSz)
         }
     }
 
+    /* Streaming decrypt cannot zeroize prior Update output buffers from here
+     * (Final does not see them).  On AES_GCM_AUTH_E, the caller is responsible
+     * for treating all Update-produced plaintext as invalid and wiping it.
+     * See PL-R34 Security Policy section 8 (Operational Rules). */
     return ret;
 }
 #endif /* HAVE_AES_DECRYPT || HAVE_AESGCM_DECRYPT */

wolfcrypt/src/error.c

@@ -692,6 +692,15 @@ const char* wc_GetErrorString(int error)
     case SLH_DSA_KAT_FIPS_E:
         return "SLH-DSA Known Answer Test check FIPS error";
 
+    case SLH_DSA_PCT_E:
+        return "wolfcrypt SLH-DSA Pairwise Consistency Test Failure";
+
+    case CMAC_KAT_FIPS_E:
+        return "AES-CMAC Known Answer Test FIPS error";
+
+    case SHAKE_KAT_FIPS_E:
+        return "SHAKE Known Answer Test FIPS error";
+
     case SEQ_OVERFLOW_E:
         return "Sequence counter would overflow";
 

wolfcrypt/src/wc_slhdsa.c

@@ -6570,6 +6570,45 @@ int wc_SlhDsaKey_MakeKey(SlhDsaKey* key, WC_RNG* rng)
             key->sk + 2 * n, n);
     }
 
+#ifdef HAVE_FIPS
+    /* Pairwise Consistency Test (PCT) per FIPS 140-3 IG 10.3.A (TE10.35.02):
+     * sign with the new sk, verify with the matching pk.  SLH-DSA is a
+     * stateless hash-based signature scheme (FIPS 205), so the relaxed PCT
+     * rule for stateful HBS (LMS/XMSS) does not apply -- PCT runs on every
+     * KeyGen.  SignDeterministic avoids consuming RNG state; heap allocation
+     * is used because SLH-DSA signatures can reach ~50 KB. */
+    if (ret == 0) {
+        static const byte pct_msg[] = "wolfSSL SLH-DSA PCT";
+        byte* pct_sig = (byte*)XMALLOC(WC_SLHDSA_MAX_SIG_LEN, NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        word32 pct_sigSz = WC_SLHDSA_MAX_SIG_LEN;
+
+        if (pct_sig == NULL) {
+            ret = MEMORY_E;
+        }
+        if (ret == 0) {
+            ret = wc_SlhDsaKey_SignDeterministic(key, NULL, 0,
+                pct_msg, sizeof(pct_msg), pct_sig, &pct_sigSz);
+        }
+        if (ret == 0) {
+            ret = wc_SlhDsaKey_Verify(key, NULL, 0,
+                pct_msg, sizeof(pct_msg), pct_sig, pct_sigSz);
+            if (ret != 0) {
+                ret = SLH_DSA_PCT_E;
+            }
+        }
+        if (pct_sig != NULL) {
+            ForceZero(pct_sig, WC_SLHDSA_MAX_SIG_LEN);
+            XFREE(pct_sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        }
+        /* IG 10.3.A (TE10.35.02): a key pair that fails the PCT must be
+         * rendered unusable. */
+        if (ret != 0) {
+            wc_SlhDsaKey_Free(key);
+        }
+    }
+#endif /* HAVE_FIPS */
+
     return ret;
 }
 

wolfssl/wolfcrypt/error-crypt.h

@@ -319,9 +319,12 @@ enum wolfCrypt_ErrorCodes {
     DRBG_SHA512_KAT_FIPS_E = -1010, /* SHA-512 DRBG KAT failure */
 
     SEQ_OVERFLOW_E      = -1011, /* Sequence counter would overflow */
-    SLH_DSA_KAT_FIPS_E = -1012, /* SLH-DSA CAST KAT failure */
-    WC_SPAN2_LAST_E     = -1012, /* Update to indicate last used error code */
-    WC_LAST_E           = -1012, /* the last code used either here or in
+    SLH_DSA_KAT_FIPS_E  = -1012, /* SLH-DSA CAST KAT failure */
+    SLH_DSA_PCT_E       = -1013, /* SLH-DSA Pairwise Consistency Test failure */
+    CMAC_KAT_FIPS_E     = -1014, /* AES-CMAC KAT failure (vendor-elected) */
+    SHAKE_KAT_FIPS_E    = -1015, /* SHAKE KAT failure (vendor-elected) */
+    WC_SPAN2_LAST_E     = -1015, /* Update to indicate last used error code */
+    WC_LAST_E           = -1015, /* the last code used either here or in
                                   * error-ssl.h */
 
     WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */

wolfssl/wolfcrypt/fips_test.h

@@ -31,8 +31,23 @@
     extern "C" {
 #endif
 
-/* Added for FIPS v5.3 or later */
-#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
+/* Added for FIPS v5.3 or later.
+ *
+ * v7.0.0 and later upgrade the in-core integrity HMAC to SHA-512 (with a
+ * 512-bit key) for NSA 2.0 compliance.  Customers that must avoid SHA-256
+ * anywhere in the validated module can therefore use the v7 module without
+ * residual SHA-256 integrity material.  v5.3 and v6.x retain HMAC-SHA-256.
+ */
+#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(7,0)
+    #ifdef WOLFSSL_SHA512
+        #define FIPS_IN_CORE_DIGEST_SIZE 64
+        #define FIPS_IN_CORE_HASH_TYPE   WC_SHA512
+        #define FIPS_IN_CORE_KEY_SZ      64
+        #define FIPS_IN_CORE_VERIFY_SZ   FIPS_IN_CORE_KEY_SZ
+    #else
+        #error FIPS v7+ integrity test requires WOLFSSL_SHA512
+    #endif
+#elif defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
     /* Determine FIPS in core hash type and size */
     #ifndef NO_SHA256
         #define FIPS_IN_CORE_DIGEST_SIZE 32
@@ -80,7 +95,9 @@ enum FipsCastId {
     FIPS_CAST_XMSS              = 23,
     FIPS_CAST_DRBG_SHA512       = 24,
     FIPS_CAST_SLH_DSA           = 25,
-    FIPS_CAST_COUNT             = 26
+    FIPS_CAST_AES_CMAC          = 26,
+    FIPS_CAST_SHAKE             = 27,
+    FIPS_CAST_COUNT             = 28
 };
 
 enum FipsCastStateId {