SecurityReview FND 40.2 + 36.1 + 6.4 + 10.1 + 15.1 + 26.7: integrity, PCT, zeroize, CMAC/SHAKE CASTs, DH PCT + configurable DRBG_SHA512_SEED_LEN

Six findings from the v7.0.0 security review, squashed into one
commit per the Part3 branch invariant.

FND 40.2 (in-core integrity HMAC upgraded to SHA-512)
  - wolfssl/wolfcrypt/fips_test.h: add v7+ branch that selects SHA-512 /
    64-byte digest / 512-bit key / 64-byte verify-size.  Older versions
    (v5.3, v6.x) keep HMAC-SHA-256.
  - fips-hash.sh: drop the hardcoded cut -c1-64 so the script works for
    SHA-512 (128 hex chars) as well as SHA-256.
  Companion fips changes update verifyCore placeholder, coreKey, and
  static_assert on sizeof(verifyCore).  PL-R34 section 5.1 tracked-
  changes edit says HMAC-SHA2-512 with a 512-bit key.

FND 36.1 (SLH-DSA KeyGen now runs a Pairwise Consistency Test)
  - wolfssl/wolfcrypt/error-crypt.h: add SLH_DSA_PCT_E = -1019.
  - wolfcrypt/src/error.c: description string.
  - wolfcrypt/src/wc_slhdsa.c wc_SlhDsaKey_MakeKey: sign with
    SignDeterministic + verify under HAVE_FIPS.  Heap-allocated sig
    buffer (SLH-DSA sigs can be ~50 KB), ForceZero + free on failure.
  Companion fips: DEGRADE_STATE handler + optest case_1019.

FND 6.4 (AES-GCM decrypt zeroizes output on authentication failure)
  - wolfcrypt/src/aes.c wc_AesGcmDecrypt: ForceZero(out, sz) after
    VECTOR_REGISTERS_POP when ret == AES_GCM_AUTH_E.  All software
    sub-implementations funnel through that ret.
  - wc_AesGcmDecryptFinal: comment pointing callers at PL-R34 §2.7
    operational rule on streaming API.
  PL-R34 §2.7 tracked-changes paragraph documents the new rule.

FND 10.1 (AES-CMAC vendor-elected dedicated CAST)
  The v7.0.0 module now performs a dedicated AES-CMAC KAT at POST.
  FIPS 140-3 IG 10.3.A permits a single authenticated-mode KAT
  (AES-GCM, the "more complex" composition) to cover AES-CMAC as
  well and the prior v6.0.0 validation was approved on that basis.
  For v7.0.0 the vendor determined that the CMAC subkey-derivation
  path (K1/K2 via GF(2^128) doubling, final-block padding) is
  structurally distinct from GHASH and wished to exercise it with a
  dedicated CAST for additional assurance.  Voluntary enhancement
  exceeding the IG 10.3.A minimum.

  - wolfssl/wolfcrypt/fips_test.h: FIPS_CAST_AES_CMAC = 26.
  - wolfssl/wolfcrypt/error-crypt.h: CMAC_KAT_FIPS_E = -1020.
  - wolfcrypt/src/error.c: description string.
  Companion fips: AesCmac_KnownAnswerTest (SP 800-38B D.1 empty-msg
  KAT), FIPS_CAST_AES_CMAC case in DoCAST, DEGRADE_STATE handler,
  CastIdToStr entry, optest case_1020.  PL-R36 tracked-changes
  paragraph documents the vendor-elected framing.

FND 15.1 (SHAKE vendor-elected dedicated CAST)
  SHAKE was an approved algorithm in the v6.0.0 module; self-testing
  was covered by the SHA3-256 CAST (embedded in HMAC-SHA3-256 CAST)
  under IG 10.3.B via the shared Keccak-f[1600] permutation.  For
  v7.0.0 the vendor has elected to refactor SHAKE self-testing into
  a dedicated FIPS_CAST_SHAKE that exercises SHAKE's distinct 0x1F
  domain separator (vs SHA3's 0x06) and arbitrary-length squeeze.
  A single CAST identifier covers both SHAKE-128 and SHAKE-256 to
  minimize code footprint.  Voluntary enhancement exceeding the
  IG 10.3.B minimum.

  - wolfssl/wolfcrypt/fips_test.h: FIPS_CAST_SHAKE = 27, bump
    FIPS_CAST_COUNT = 28.
  - wolfssl/wolfcrypt/error-crypt.h: SHAKE_KAT_FIPS_E = -1021.
  - wolfcrypt/src/error.c: description string.
  Companion fips: Shake_KnownAnswerTest (variant + msg + outLen +
  expected parameters), FIPS_CAST_SHAKE case exercising SHAKE-128
  and SHAKE-256 with ACVTS vectors (vsId 2836391 tcId 1 for
  SHAKE-128, vsId 2836392 tcId 1 for SHAKE-256), DEGRADE_STATE
  handler, CastIdToStr entry, optest case_1021.  All 8 SHAKE
  wrappers in fips.c (Shake128/256 Update/Final/Absorb/SqueezeBlocks)
  now gate on FIPS_CAST_SHAKE and return SHAKE_KAT_FIPS_E on failure;
  a block comment above the SHAKE wrapper section records the v6->v7
  vendor-elected refactor rationale.  PL-R36 tracked-changes
  paragraph documents the framing and the updated CAST tally
  (28 total: 26 baseline + 2 vendor-elected).

Colleague request (not a finding): make DRBG_SHA512_SEED_LEN overridable
  at build time to mirror the existing DRBG_SEED_LEN pattern so a
  downstream consumer can pre-define it.
  - wolfssl/wolfcrypt/random.h: wrap #define DRBG_SHA512_SEED_LEN in
    #ifndef/#endif and add the matching "/* Size of the DRBG seed
    (SHA-512) */" header comment.

FND 26.7 (DH KeyGen now flags PCT failure as DH_PCT_E)
  Per SP 800-56A r3 sec 5.6.2.1.4 the DH (FFC) public key derived
  from a freshly-generated private key must equal the supplied public
  key (method (b) PCT).  wc_DhGenerateKeyPair_Sync (wolfcrypt/src/dh.c)
  has invoked _ffc_pairwise_consistency_test under FIPS since v5.0,
  but the math-layer error code that bubbled out of the test was not
  recognized by the FIPS module's degrade-state handler -- FIPS 140-3
  IG 10.3.B requires the module to enter the error state on PCT
  failure.

  - wolfssl/wolfcrypt/error-crypt.h: add DH_PCT_E = -1022; bump
    WC_SPAN2_LAST_E and WC_LAST_E to -1022.  Comment cites SP 800-56A
    r3 sec 5.6.2.1.4 and FIPS 140-3 IG 10.3.B.
  - wolfcrypt/src/error.c: description string for DH_PCT_E.
  - wolfcrypt/src/dh.c wc_DhGeneratePublic + wc_DhGenerateKeyPair_Sync:
    on _ffc_pairwise_consistency_test failure under HAVE_FIPS, remap
    the math error to DH_PCT_E so the FIPS module recognizes it.
    Inline comment at the remap sites cites SP 800-56A r3 sec
    5.6.2.1.4 and FIPS 140-3 IG 10.3.B.

  Companion fips changes add the DEGRADE_STATE(FIPS_CAST_DH_PRIMITIVE_Z)
  handler for DH_PCT_E and the optest case_1022.

  Paperwork (PL-R36 Compliance Summary): tracked-changes paragraph
  inserted after the existing DH PCT description, noting the v7.0.0
  enhancement (DH_PCT_E error code, degrade-state transition per
  IG 10.3.B).

Verified:
  make + fips-hash.sh + make; make check all pass (5 pass, 3 skip,
  0 fail) with default configure, AND with the CI-representative
  configure:
    --enable-fips=ready --enable-opensslall --enable-opensslextra
    --enable-crl --enable-harden --enable-asio --enable-certreq
    --enable-certgen --enable-certext --enable-aesni
    CFLAGS="-DHAVE_EX_DATA -DOPENSSL_COMPATIBLE_DEFAULTS
    -DWOLFSSL_ALT_NAMES -DWC_RNG_SEED_CB -DWOLFSSL_CUSTOM_OID
    -DWOLFSSL_FPKI -DASN_TEMPLATE_SKIP_ISCA_CHECK"
  (9 pass, 3 skip, 0 fail).

Author: kaleb-himes

fips-hash.sh

@@ -13,7 +13,11 @@ then
 fi
 
 OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
-NEWHASH=$(echo "$OUT" | cut -c1-64)
+# FIPS v7.0.0+ uses HMAC-SHA-512 (128 hex chars); older FIPS versions
+# use HMAC-SHA-256 (64 hex chars).  Take the whole captured hash; the
+# static_assert on sizeof(verifyCore) guards against wrong length at
+# compile time after this script runs.
+NEWHASH=$(echo "$OUT" | head -n1 | tr -d '[:space:]')
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak

wolfcrypt/src/aes.c

@@ -10962,6 +10962,16 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 
     VECTOR_REGISTERS_POP;
 
+    /* FIPS 140-3 / SP 800-38D: on authentication failure, the decrypted-but-
+     * unauthenticated plaintext in `out` must not be released to the caller.
+     * Wipe it here so a caller that ignores the return value cannot observe
+     * plaintext derived from forged ciphertext.  All software paths (AES-NI,
+     * AVX1/2, ARM HW/NEON, C fallback) funnel through `ret` here, so this
+     * single guard covers every sub-implementation. */
+    if (ret == WC_NO_ERR_TRACE(AES_GCM_AUTH_E) && out != NULL && sz > 0) {
+        ForceZero(out, sz);
+    }
+
     return ret;
 }
 #endif
@@ -12665,6 +12675,10 @@ int wc_AesGcmDecryptFinal(Aes* aes, const byte* authTag, word32 authTagSz)
         }
     }
 
+    /* Streaming decrypt cannot zeroize prior Update output buffers from here
+     * (Final does not see them).  On AES_GCM_AUTH_E, the caller is responsible
+     * for treating all Update-produced plaintext as invalid and wiping it.
+     * See PL-R34 Security Policy section 8 (Operational Rules). */
     return ret;
 }
 #endif /* HAVE_AES_DECRYPT || HAVE_AESGCM_DECRYPT */

wolfcrypt/src/dh.c

@@ -1400,8 +1400,20 @@ int wc_DhGeneratePublic(DhKey* key, byte* priv, word32 privSz,
     #if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_DH_KEYGEN)
     if (ret == 0)
         ret = _ffc_validate_public_key(key, pub, *pubSz, NULL, 0, 0);
-    if (ret == 0)
-        ret = _ffc_pairwise_consistency_test(key, pub, *pubSz, priv, privSz);
+    if (ret == 0) {
+        /* Pairwise Consistency Test per SP 800-56A r3 sec 5.6.2.1.4
+         * (FFC key pair).  FIPS 140-3 IG 10.3.B requires a PCT after
+         * KeyGen for key-establishment algorithms; on failure under a
+         * FIPS build the error is remapped to DH_PCT_E so the FIPS
+         * module's DEGRADE_STATE handler transitions FIPS_CAST_DH_
+         * PRIMITIVE_Z to the error state. */
+        ret = _ffc_pairwise_consistency_test(key, pub, *pubSz, priv,
+                                             privSz);
+    #ifdef HAVE_FIPS
+        if (ret != 0)
+            ret = DH_PCT_E;
+    #endif
+    }
     #endif /* FIPS V5 or later || WOLFSSL_VALIDATE_DH_KEYGEN */
 
     RESTORE_VECTOR_REGISTERS();
@@ -1428,8 +1440,20 @@ static int wc_DhGenerateKeyPair_Sync(DhKey* key, WC_RNG* rng,
 #if FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_DH_KEYGEN)
     if (ret == 0)
         ret = _ffc_validate_public_key(key, pub, *pubSz, NULL, 0, 0);
-    if (ret == 0)
-        ret = _ffc_pairwise_consistency_test(key, pub, *pubSz, priv, *privSz);
+    if (ret == 0) {
+        /* Pairwise Consistency Test per SP 800-56A r3 sec 5.6.2.1.4
+         * (FFC key pair).  FIPS 140-3 IG 10.3.B requires a PCT after
+         * KeyGen for key-establishment algorithms; on failure under a
+         * FIPS build the error is remapped to DH_PCT_E so the FIPS
+         * module's DEGRADE_STATE handler transitions FIPS_CAST_DH_
+         * PRIMITIVE_Z to the error state. */
+        ret = _ffc_pairwise_consistency_test(key, pub, *pubSz, priv,
+                                             *privSz);
+    #ifdef HAVE_FIPS
+        if (ret != 0)
+            ret = DH_PCT_E;
+    #endif
+    }
 #endif /* FIPS V5 or later || WOLFSSL_VALIDATE_DH_KEYGEN */
 
 

wolfcrypt/src/error.c

@@ -692,6 +692,18 @@ const char* wc_GetErrorString(int error)
     case SLH_DSA_KAT_FIPS_E:
         return "SLH-DSA Known Answer Test check FIPS error";
 
+    case SLH_DSA_PCT_E:
+        return "wolfcrypt SLH-DSA Pairwise Consistency Test Failure";
+
+    case CMAC_KAT_FIPS_E:
+        return "AES-CMAC Known Answer Test FIPS error";
+
+    case SHAKE_KAT_FIPS_E:
+        return "SHAKE Known Answer Test FIPS error";
+
+    case DH_PCT_E:
+        return "wolfcrypt DH (FFC) Pairwise Consistency Test Failure";
+
     case SEQ_OVERFLOW_E:
         return "Sequence counter would overflow";
 

wolfcrypt/src/wc_slhdsa.c

@@ -6570,6 +6570,45 @@ int wc_SlhDsaKey_MakeKey(SlhDsaKey* key, WC_RNG* rng)
             key->sk + 2 * n, n);
     }
 
+#ifdef HAVE_FIPS
+    /* Pairwise Consistency Test (PCT) per FIPS 140-3 IG 10.3.A (TE10.35.02):
+     * sign with the new sk, verify with the matching pk.  SLH-DSA is a
+     * stateless hash-based signature scheme (FIPS 205), so the relaxed PCT
+     * rule for stateful HBS (LMS/XMSS) does not apply -- PCT runs on every
+     * KeyGen.  SignDeterministic avoids consuming RNG state; heap allocation
+     * is used because SLH-DSA signatures can reach ~50 KB. */
+    if (ret == 0) {
+        static const byte pct_msg[] = "wolfSSL SLH-DSA PCT";
+        byte* pct_sig = (byte*)XMALLOC(WC_SLHDSA_MAX_SIG_LEN, NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        word32 pct_sigSz = WC_SLHDSA_MAX_SIG_LEN;
+
+        if (pct_sig == NULL) {
+            ret = MEMORY_E;
+        }
+        if (ret == 0) {
+            ret = wc_SlhDsaKey_SignDeterministic(key, NULL, 0,
+                pct_msg, sizeof(pct_msg), pct_sig, &pct_sigSz);
+        }
+        if (ret == 0) {
+            ret = wc_SlhDsaKey_Verify(key, NULL, 0,
+                pct_msg, sizeof(pct_msg), pct_sig, pct_sigSz);
+            if (ret != 0) {
+                ret = SLH_DSA_PCT_E;
+            }
+        }
+        if (pct_sig != NULL) {
+            ForceZero(pct_sig, WC_SLHDSA_MAX_SIG_LEN);
+            XFREE(pct_sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        }
+        /* IG 10.3.A (TE10.35.02): a key pair that fails the PCT must be
+         * rendered unusable. */
+        if (ret != 0) {
+            wc_SlhDsaKey_Free(key);
+        }
+    }
+#endif /* HAVE_FIPS */
+
     return ret;
 }
 

wolfssl/wolfcrypt/error-crypt.h

@@ -327,9 +327,15 @@ enum wolfCrypt_ErrorCodes {
     ML_DSA_PCT_E        = -1016, /* ML-DSA Pairwise Consistency Test failure */
     DRBG_SHA512_KAT_FIPS_E = -1017, /* SHA-512 DRBG KAT failure */
     SLH_DSA_KAT_FIPS_E  = -1018, /* SLH-DSA CAST KAT failure */
-
-    WC_SPAN2_LAST_E     = -1018, /* Update to indicate last used error code */
-    WC_LAST_E           = -1018, /* the last code used either here or in
+    SLH_DSA_PCT_E       = -1019, /* SLH-DSA Pairwise Consistency Test failure */
+    CMAC_KAT_FIPS_E     = -1020, /* AES-CMAC KAT failure (vendor-elected) */
+    SHAKE_KAT_FIPS_E    = -1021, /* SHAKE KAT failure (vendor-elected) */
+    DH_PCT_E            = -1022, /* DH (FFC) Pairwise Consistency Test
+                                  * failure (SP 800-56A r3 sec 5.6.2.1.4,
+                                  * FIPS 140-3 IG 10.3.B) */
+
+    WC_SPAN2_LAST_E     = -1022, /* Update to indicate last used error code */
+    WC_LAST_E           = -1022, /* the last code used either here or in
                                   * error-ssl.h */
 
     WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */

wolfssl/wolfcrypt/fips_test.h

@@ -31,8 +31,23 @@
     extern "C" {
 #endif
 
-/* Added for FIPS v5.3 or later */
-#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
+/* Added for FIPS v5.3 or later.
+ *
+ * v7.0.0 and later upgrade the in-core integrity HMAC to SHA-512 (with a
+ * 512-bit key) for NSA 2.0 compliance.  Customers that must avoid SHA-256
+ * anywhere in the validated module can therefore use the v7 module without
+ * residual SHA-256 integrity material.  v5.3 and v6.x retain HMAC-SHA-256.
+ */
+#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(7,0)
+    #ifdef WOLFSSL_SHA512
+        #define FIPS_IN_CORE_DIGEST_SIZE 64
+        #define FIPS_IN_CORE_HASH_TYPE   WC_SHA512
+        #define FIPS_IN_CORE_KEY_SZ      64
+        #define FIPS_IN_CORE_VERIFY_SZ   FIPS_IN_CORE_KEY_SZ
+    #else
+        #error FIPS v7+ integrity test requires WOLFSSL_SHA512
+    #endif
+#elif defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
     /* Determine FIPS in core hash type and size */
     #ifndef NO_SHA256
         #define FIPS_IN_CORE_DIGEST_SIZE 32
@@ -80,7 +95,9 @@ enum FipsCastId {
     FIPS_CAST_XMSS              = 23,
     FIPS_CAST_DRBG_SHA512       = 24,
     FIPS_CAST_SLH_DSA           = 25,
-    FIPS_CAST_COUNT             = 26
+    FIPS_CAST_AES_CMAC          = 26,
+    FIPS_CAST_SHAKE             = 27,
+    FIPS_CAST_COUNT             = 28
 };
 
 enum FipsCastStateId {

wolfssl/wolfcrypt/random.h

@@ -57,8 +57,12 @@
     #define DRBG_SEED_LEN (440/8)
 #endif
 
+/* Size of the DRBG seed (SHA-512) */
 #ifdef WOLFSSL_DRBG_SHA512
-    #define DRBG_SHA512_SEED_LEN (888/8)  /* 111 bytes per SP 800-90A Table 2 */
+    #ifndef DRBG_SHA512_SEED_LEN
+        #define DRBG_SHA512_SEED_LEN (888/8)  /* 111 bytes per SP 800-90A
+                                               * Table 2 */
+    #endif
 #endif