Phase 3: SHA512 integrity check and closing the final FIPS requirements gaps#10281
Open
kaleb-himes wants to merge 1 commit into wolfSSL:master from
…egrity, PCT, zeroize, CMAC/SHAKE/AES-KW CASTs, DH PCT + configurable DRBG_SHA512_SEED_LEN
Seven findings from the v7.0.0 security review, squashed into one
commit per the Part3 branch invariant.

FND 40.2 (in-core integrity HMAC upgraded to SHA-512)
- wolfssl/wolfcrypt/fips_test.h: add v7+ branch that selects SHA-512 /
  64-byte digest / 512-bit key / 64-byte verify-size. Older versions
  (v5.3, v6.x) keep HMAC-SHA-256.
- fips-hash.sh: drop the hardcoded cut -c1-64 so the script works for
  both the 32-byte (v5.3 / v6.x) and 64-byte (v7+) digests.

FND 36.1 (SLH-DSA PCT per FIPS 140-3 IG 10.3.B)
wolfcrypt/src/wc_slhdsa.c wc_SlhDsaKey_MakeKey: after key generation,
performs a sign+verify pairwise consistency test on a fixed prehashed
message, returning SLH_DSA_PCT_E on failure. Companion fips.c
DEGRADE_STATE entry is in the kh-fork-fips commit.

FND 6.4 (AES-GCM zeroization on the assembly fast path)
wolfcrypt/src/aes.c AES_GCM_decrypt_C: zero the partial block before
the early return when the auth-tag check fails, not after.

FND 10.1 (AES-CMAC dedicated CAST: companion error code)
wolfssl/wolfcrypt/error-crypt.h: add CMAC_KAT_FIPS_E = -1020 with a
comment citing the IG 10.3.A authenticated-mode allowance and the
vendor-elected enhancement rationale.
wolfcrypt/src/error.c: description string for CMAC_KAT_FIPS_E.

FND 15.1 (SHAKE dedicated CAST: companion error code)
wolfssl/wolfcrypt/error-crypt.h: add SHAKE_KAT_FIPS_E = -1021 with
the IG 10.3.B comment.
wolfcrypt/src/error.c: description string for SHAKE_KAT_FIPS_E.

FND 26.7 (DH KeyGen PCT per SP 800-56A r3 sec 5.6.2.1.4)
wolfcrypt/src/dh.c wc_DhGenerateKeyPair: under HAVE_FIPS, after the
underlying make-key returns, the function regenerates the public key
from the private key via the math primitives and compares it with
ConstantCompare against the supplied public key, returning DH_PCT_E
on mismatch.
wolfssl/wolfcrypt/error-crypt.h: add DH_PCT_E = -1022 with comment
citing SP 800-56A r3 sec 5.6.2.1.4 / FIPS 140-3 IG 10.3.B.
wolfcrypt/src/error.c: description string for DH_PCT_E.

FND 11.3 (AES-KW dedicated CAST per SP 800-38F sec 6.2 / RFC 3394)
wolfssl/wolfcrypt/fips_test.h: add FIPS_CAST_AES_KW = 28 and bump
FIPS_CAST_COUNT to 29.
wolfssl/wolfcrypt/error-crypt.h: add AES_KW_KAT_FIPS_E = -1023 with
comment citing SP 800-38F sec 6.2 / RFC 3394 (vendor-elected
enhancement). WC_SPAN2_LAST_E / WC_LAST_E updated.
wolfcrypt/src/error.c: description string for AES_KW_KAT_FIPS_E.
Companion changes (kh-fork-fips):
- fips_test.c: AesKw_KnownAnswerTest helper; new DoCAST case
  FIPS_CAST_AES_KW with RFC 3394 sec 4.6 (AES-256 KEK / 256-bit
  plaintext) vector exercising the full SP 800-38F sec 6.2 wrap
  composition (6n=24 iteration counter, semiblock concatenation,
  0xA6A6A6A6A6A6A6A6 IV check).
- fips.c: wc_AesKeyWrap_fips/_ex_fips/_UnWrap_fips/_UnWrap_ex_fips
  refactored to gate on FIPS_CAST_AES_KW; CastIdToStr entry;
  DEGRADE_STATE on AES_KW_KAT_FIPS_E (only the KW CAST is degraded;
  underlying AES CASTs remain independent); explicit AES-KW entry
  in wc_RunAllCast_fips alongside AES-CBC/GCM/ECB.
AES-KWP (SP 800-38F sec 6.3 internal padding) is intentionally out
of scope: the module does not implement padding for any AES mode
and requires inputs to be 8-byte aligned at the boundary. This is
a voluntary enhancement exceeding the IG 10.3.A minimum.
Companion paperwork updates (tracked changes) live in
Final_Submission_Paperwork/PL-R34-...-Security-Policy.docx and
PL-R36-...-Compliance-Summary.docx (CAST count 28 -> 29, AES-KW
coverage paragraph, no-padding policy clarification).

DRBG_SHA512_SEED_LEN configurability (carried forward from the prior
Part3 commit): wolfssl/wolfcrypt/random.h exposes the seed-length
constant as a configurable macro for OE-specific entropy claims.

Verified:
POST passes, make check passes (5 pass, 3 skip, 0 fail) with the
default --enable-fips=v7 configure, AND with the CI-representative
configure (9 pass, 3 skip, 0 fail).
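The AES-KW composition that the new FIPS_CAST_AES_KW case exercises, as an added illustration in Go (not wolfSSL's code, which is C, and not the fips_test.c helper): the RFC 3394 sec 4.6 vector unwrapped through the SP 800-38F sec 6.2 inverse with its 6n=24 counter, semiblock concatenation and the constant-time A6A6A6A6A6A6A6A6 IV check, rejecting unaligned input rather than padding it. The function names Unwrap and AesKwKnownAnswerTest are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// ICV1 (RFC 3394 sec 2.2.3.1 / SP 800-38F sec 6.2): unwrap must recover exactly this value.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Unwrap is the SP 800-38F W^-1 composition: 6n AES decryptions over n+1 semiblocks,
// counter t = n*j + i + 1 XORed into A, then a constant-time check of the recovered IV.
func Unwrap(kek, ct []byte) ([]byte, error) {
	if len(ct)%8 != 0 || len(ct) < 24 { // no padding: 8-byte aligned input, n >= 2
		return nil, errors.New("ciphertext must be >= 3 whole 64-bit semiblocks")
	}
	c, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n, b := len(ct)/8-1, make([]byte, 16)
	a, r := append([]byte(nil), ct[:8]...), append([]byte(nil), ct[8:]...) // A | R[1..n]
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i+1)) // A ^ t
			copy(b[8:], r[i*8:i*8+8])
			c.Decrypt(b, b) // A | R[i] = AES^-1(K, (A ^ t) | R[i])
			copy(a, b[:8])
			copy(r[i*8:i*8+8], b[8:])
		}
	}
	if subtle.ConstantTimeCompare(a, kwIV) != 1 {
		return nil, errors.New("AES-KW integrity check failed")
	}
	return r, nil
}

// AesKwKnownAnswerTest: the RFC 3394 sec 4.6 vector (AES-256 KEK, 256-bit key data), run as a CAST.
func AesKwKnownAnswerTest() bool {
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F")
	want, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F")
	ct, _ := hex.DecodeString("28C9F404C4B810F4CBCCB35CFB87F8263F5786E2D80ED326CBC7F0E71A99F43BFB988B9B7A02DD21")
	got, err := Unwrap(kek, ct)
	return err == nil && subtle.ConstantTimeCompare(got, want) == 1
}
func main() { fmt.Println("AES-KW CAST pass:", AesKwKnownAnswerTest()) }
```

A module CAST would degrade its state on a false result here, mirroring the DEGRADE_STATE on AES_KW_KAT_FIPS_E described above.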
Description
Please describe the scope of the fix or feature addition.
Fixes zd#
Testing
How did you test?
Checklist