SecurityReview FND 40.2 + FND 36.1: integrity HMAC SHA-512 + SLH-DSA PCT

kaleb-himes · kaleb-himes · commit 8923ea543b08 · 2026-04-22T15:22:06.000-06:00
Two findings from the v7.0.0 security review, squashed into one
commit per the Part3 branch invariant.

FND 40.2 (in-core integrity HMAC upgraded to SHA-512)
  FIPS 140-3 v7.0.0 security review: the in-core integrity test must
  use HMAC-SHA-512 with a 512-bit key for NSA 2.0 compliance (customers
  requiring no SHA-256 usage anywhere in the validated module).

  - wolfssl/wolfcrypt/fips_test.h: add v7+ branch that selects SHA-512 /
    64-byte digest / 512-bit key / 64-byte verify-size.  Older versions
    (v5.3, v6.x) keep HMAC-SHA-256.
  - fips-hash.sh: drop the hardcoded cut -c1-64 so the script works for
    SHA-512 (128 hex chars) as well as SHA-256.  Length is guarded at
    compile time by the static_assert on sizeof(verifyCore).

  Companion change in kh-fork-fips updates fips_test.c verifyCore
  placeholder, coreKey (fresh 512-bit random), and the static_assert to
  use FIPS_IN_CORE_DIGEST_SIZE.

  Paperwork (PQ-FS-dev-area/Final_Submission_Paperwork/):
  - PL-R36 compliance summary already reflects HMAC-SHA-512 (no change).
  - PL-R34 Security Policy section 5.1 updated via tracked changes to
    say HMAC-SHA2-512 with a 512-bit key.

FND 36.1 (SLH-DSA KeyGen now runs a Pairwise Consistency Test)
  wc_SlhDsaKey_MakeKey previously generated random seeds and delegated
  to MakeKeyWithRandom without any PCT.  ML-KEM and ML-DSA both have
  inline PCTs citing FIPS 140-3 IG 10.3.A TE10.35.02; SLH-DSA had none.
  SLH-DSA is a stateless hash-based signature scheme (FIPS 205), so the
  relaxed PCT rule for stateful HBS (LMS/XMSS) does not apply -- PCT is
  mandatory on every KeyGen.

  Changes:
  - wolfssl/wolfcrypt/error-crypt.h: add SLH_DSA_PCT_E = -1013, shift
    WC_SPAN2_LAST_E / WC_LAST_E to -1013.
  - wolfcrypt/src/error.c: add a description string for SLH_DSA_PCT_E.
  - wolfcrypt/src/wc_slhdsa.c wc_SlhDsaKey_MakeKey: after MakeKeyWithRandom
    succeeds, sign a fixed PCT message with the new sk using
    wc_SlhDsaKey_SignDeterministic (no extra RNG state; reproducible)
    and verify with the matching pk.  Signature buffer is heap-allocated
    (SLH-DSA sigs can be ~50 KB) and ForceZero'd before XFREE.  On PCT
    failure the key is wc_SlhDsaKey_Free'd so a caller that ignores the
    return value cannot use the broken key pair.

  Companion fips change: fips.c DEGRADE_STATE handler for SLH_DSA_PCT_E
  and optest-140-3/optest.h case_1013 entry.

Verified: make + fips-hash.sh + make; make check all pass.
diff --git a/fips-hash.sh b/fips-hash.sh
@@ -13,7 +13,11 @@ then
 fi
 
 OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
-NEWHASH=$(echo "$OUT" | cut -c1-64)
+# FIPS v7.0.0+ uses HMAC-SHA-512 (128 hex chars); older FIPS versions
+# use HMAC-SHA-256 (64 hex chars).  Take the whole captured hash; the
+# static_assert on sizeof(verifyCore) guards against wrong length at
+# compile time after this script runs.
+NEWHASH=$(echo "$OUT" | head -n1 | tr -d '[:space:]')
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c
@@ -692,6 +692,9 @@ const char* wc_GetErrorString(int error)
     case SLH_DSA_KAT_FIPS_E:
         return "SLH-DSA Known Answer Test check FIPS error";
 
+    case SLH_DSA_PCT_E:
+        return "wolfcrypt SLH-DSA Pairwise Consistency Test Failure";
+
     case SEQ_OVERFLOW_E:
         return "Sequence counter would overflow";
 
diff --git a/wolfcrypt/src/wc_slhdsa.c b/wolfcrypt/src/wc_slhdsa.c
@@ -6570,6 +6570,45 @@ int wc_SlhDsaKey_MakeKey(SlhDsaKey* key, WC_RNG* rng)
             key->sk + 2 * n, n);
     }
 
+#ifdef HAVE_FIPS
+    /* Pairwise Consistency Test (PCT) per FIPS 140-3 IG 10.3.A (TE10.35.02):
+     * sign with the new sk, verify with the matching pk.  SLH-DSA is a
+     * stateless hash-based signature scheme (FIPS 205), so the relaxed PCT
+     * rule for stateful HBS (LMS/XMSS) does not apply -- PCT runs on every
+     * KeyGen.  SignDeterministic avoids consuming RNG state; heap allocation
+     * is used because SLH-DSA signatures can reach ~50 KB. */
+    if (ret == 0) {
+        static const byte pct_msg[] = "wolfSSL SLH-DSA PCT";
+        byte* pct_sig = (byte*)XMALLOC(WC_SLHDSA_MAX_SIG_LEN, NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        word32 pct_sigSz = WC_SLHDSA_MAX_SIG_LEN;
+
+        if (pct_sig == NULL) {
+            ret = MEMORY_E;
+        }
+        if (ret == 0) {
+            ret = wc_SlhDsaKey_SignDeterministic(key, NULL, 0,
+                pct_msg, sizeof(pct_msg), pct_sig, &pct_sigSz);
+        }
+        if (ret == 0) {
+            ret = wc_SlhDsaKey_Verify(key, NULL, 0,
+                pct_msg, sizeof(pct_msg), pct_sig, pct_sigSz);
+            if (ret != 0) {
+                ret = SLH_DSA_PCT_E;
+            }
+        }
+        if (pct_sig != NULL) {
+            ForceZero(pct_sig, WC_SLHDSA_MAX_SIG_LEN);
+            XFREE(pct_sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        }
+        /* IG 10.3.A (TE10.35.02): a key pair that fails the PCT must be
+         * rendered unusable. */
+        if (ret != 0) {
+            wc_SlhDsaKey_Free(key);
+        }
+    }
+#endif /* HAVE_FIPS */
+
     return ret;
 }
 
diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h
@@ -319,9 +319,10 @@ enum wolfCrypt_ErrorCodes {
     DRBG_SHA512_KAT_FIPS_E = -1010, /* SHA-512 DRBG KAT failure */
 
     SEQ_OVERFLOW_E      = -1011, /* Sequence counter would overflow */
-    SLH_DSA_KAT_FIPS_E = -1012, /* SLH-DSA CAST KAT failure */
-    WC_SPAN2_LAST_E     = -1012, /* Update to indicate last used error code */
-    WC_LAST_E           = -1012, /* the last code used either here or in
+    SLH_DSA_KAT_FIPS_E  = -1012, /* SLH-DSA CAST KAT failure */
+    SLH_DSA_PCT_E       = -1013, /* SLH-DSA Pairwise Consistency Test failure */
+    WC_SPAN2_LAST_E     = -1013, /* Update to indicate last used error code */
+    WC_LAST_E           = -1013, /* the last code used either here or in
                                   * error-ssl.h */
 
     WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */
diff --git a/wolfssl/wolfcrypt/fips_test.h b/wolfssl/wolfcrypt/fips_test.h
@@ -31,8 +31,23 @@
     extern "C" {
 #endif
 
-/* Added for FIPS v5.3 or later */
-#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
+/* Added for FIPS v5.3 or later.
+ *
+ * v7.0.0 and later upgrade the in-core integrity HMAC to SHA-512 (with a
+ * 512-bit key) for NSA 2.0 compliance.  Customers that must avoid SHA-256
+ * anywhere in the validated module can therefore use the v7 module without
+ * residual SHA-256 integrity material.  v5.3 and v6.x retain HMAC-SHA-256.
+ */
+#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(7,0)
+    #ifdef WOLFSSL_SHA512
+        #define FIPS_IN_CORE_DIGEST_SIZE 64
+        #define FIPS_IN_CORE_HASH_TYPE   WC_SHA512
+        #define FIPS_IN_CORE_KEY_SZ      64
+        #define FIPS_IN_CORE_VERIFY_SZ   FIPS_IN_CORE_KEY_SZ
+    #else
+        #error FIPS v7+ integrity test requires WOLFSSL_SHA512
+    #endif
+#elif defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
     /* Determine FIPS in core hash type and size */
     #ifndef NO_SHA256
         #define FIPS_IN_CORE_DIGEST_SIZE 32
