SecurityReview FND 40.2 + 36.1 + 6.4 + 10.1 + 15.1 + 26.7 + 11.3 + 43.2 + 20.1 + 6.2: integrity, PCT, zeroize, CMAC/SHAKE/AES-KW CASTs, DH PCT + configurable DRBG_SHA512_SEED_LEN, ML-DSA sign privateKeyReadEnable parity, FIPS CAST benchmark deliverable, RSA 1024 removed from FIPS RsaSizeCheck, linuxkm AES-GCM tag-min 96-bit FIPS gate

6.2 (Medium): The pre-existing linuxkm relaxation of WOLFSSL_MIN_AUTH_TAG_SZ
to 4 bytes (32 bits) in wolfssl/wolfcrypt/settings.h is now gated by
#ifndef HAVE_FIPS.  FIPS-mode linuxkm builds revert to the standard 96-bit
(12-byte) minimum mandated by NIST SP 800-38D sec 5.2.1.2 / sec 8.2 and
FIPS 140-3 IG C.H.  Non-FIPS linuxkm builds retain the 32-bit-tag
relaxation for kernel crypto manager test vector compatibility.

Author: kaleb-himes

fips-hash.sh

@@ -13,7 +13,11 @@ then
 fi
 
 OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
-NEWHASH=$(echo "$OUT" | cut -c1-64)
+# FIPS v7.0.0+ uses HMAC-SHA-512 (128 hex chars); older FIPS versions
+# use HMAC-SHA-256 (64 hex chars).  Take the whole captured hash; the
+# static_assert on sizeof(verifyCore) guards against wrong length at
+# compile time after this script runs.
+NEWHASH=$(echo "$OUT" | head -n1 | tr -d '[:space:]')
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak

tests/api/test_mldsa.c

@@ -752,9 +752,20 @@ int test_wc_dilithium_sign_pubonly_fails(void)
     /* Import only the public key into a fresh key object. */
     ExpectIntEQ(wc_dilithium_import_public(pubBuf, pubLen, pubOnlyKey), 0);
 
-    /* Signing with a public-key-only object must fail. */
+    /* Signing with a public-key-only object must fail.
+     *
+     * In FIPS v7.0.0 mode the ML-DSA sign wrappers enforce the
+     * privateKeyReadEnable contract (FIPS 140-3 sec 7.10.2 CSP access
+     * control); without unlocking, the wrapper short-circuits to
+     * FIPS_PRIVATE_KEY_LOCKED_E before reaching the no-private-key
+     * detection.  Unlock briefly so this test exercises the underlying
+     * BAD_FUNC_ARG path it is designed to verify.  The
+     * PRIVATE_KEY_UNLOCK / PRIVATE_KEY_LOCK macros expand to no-ops in
+     * non-FIPS builds. */
+    PRIVATE_KEY_UNLOCK();
     ExpectIntEQ(wc_dilithium_sign_ctx_msg(NULL, 0, msg, sizeof(msg), sig,
         &sigLen, pubOnlyKey, &rng), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    PRIVATE_KEY_LOCK();
 
     DoExpectIntEQ(wc_FreeRng(&rng), 0);
     wc_dilithium_free(pubOnlyKey);
@@ -1236,6 +1247,12 @@ int test_wc_dilithium_sign_vfy(void)
 
     ExpectIntEQ(wc_InitRng(&rng), 0);
 
+    /* FIPS v7.0.0 ML-DSA sign wrappers enforce the privateKeyReadEnable
+     * contract (FIPS 140-3 sec 7.10.2 CSP access control); unlock for the
+     * duration of this test's signing operations and re-lock at the end.
+     * Macros expand to no-ops in non-FIPS builds. */
+    PRIVATE_KEY_UNLOCK();
+
 #ifndef WOLFSSL_NO_ML_DSA_44
     ExpectIntEQ(wc_dilithium_init(key), 0);
     ExpectIntEQ(wc_dilithium_set_level(key, WC_ML_DSA_44), 0);
@@ -1300,6 +1317,8 @@ int test_wc_dilithium_sign_vfy(void)
     wc_dilithium_free(key);
 #endif
 
+    PRIVATE_KEY_LOCK();
+
     wc_FreeRng(&rng);
     XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);