SecurityReview FND 40.2 + 36.1 + 6.4 + 10.1 + 15.1 + 26.7 + 11.3 + 43.2: integrity, PCT, zeroize, CMAC/SHAKE/AES-KW CASTs, DH PCT + configurable DRBG_SHA512_SEED_LEN, ML-DSA sign privateKeyReadEnable parity, FIPS CAST benchmark deliverable

fips_cast_bench.c now registers the default DRBG seed callback via
wc_SetSeed_Cb(WC_GENERATE_SEED_DEFAULT) under #ifdef WC_RNG_SEED_CB,
mirroring the pattern in benchmark.c and wolfcrypt/test/test.c.  Without
it, wc_InitRng() called from inside the FIPS_CAST_ECC_PRIMITIVE_Z and
FIPS_CAST_ECDSA KATs returned -199 (RNG_FAILURE_E) and those CASTs
cascade-failed - this was the previously-flagged "wc_RunCast_fips chain
bug" tracked in the project memory file; with the seed-callback
registration the benchmark now reports clean for all 29 CASTs across both
default --enable-fips=v7 and CI-representative --enable-fips=ready
configurations.

Author: kaleb-himes

fips-hash.sh

@@ -13,7 +13,11 @@ then
 fi
 
 OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
-NEWHASH=$(echo "$OUT" | cut -c1-64)
+# FIPS v7.0.0+ uses HMAC-SHA-512 (128 hex chars); older FIPS versions
+# use HMAC-SHA-256 (64 hex chars).  Take the whole captured hash; the
+# static_assert on sizeof(verifyCore) guards against wrong length at
+# compile time after this script runs.
+NEWHASH=$(echo "$OUT" | head -n1 | tr -d '[:space:]')
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak

tests/api/test_mldsa.c

@@ -752,9 +752,20 @@ int test_wc_dilithium_sign_pubonly_fails(void)
     /* Import only the public key into a fresh key object. */
     ExpectIntEQ(wc_dilithium_import_public(pubBuf, pubLen, pubOnlyKey), 0);
 
-    /* Signing with a public-key-only object must fail. */
+    /* Signing with a public-key-only object must fail.
+     *
+     * In FIPS v7.0.0 mode the ML-DSA sign wrappers enforce the
+     * privateKeyReadEnable contract (FIPS 140-3 sec 7.10.2 CSP access
+     * control); without unlocking, the wrapper short-circuits to
+     * FIPS_PRIVATE_KEY_LOCKED_E before reaching the no-private-key
+     * detection.  Unlock briefly so this test exercises the underlying
+     * BAD_FUNC_ARG path it is designed to verify.  The
+     * PRIVATE_KEY_UNLOCK / PRIVATE_KEY_LOCK macros expand to no-ops in
+     * non-FIPS builds. */
+    PRIVATE_KEY_UNLOCK();
     ExpectIntEQ(wc_dilithium_sign_ctx_msg(NULL, 0, msg, sizeof(msg), sig,
         &sigLen, pubOnlyKey, &rng), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    PRIVATE_KEY_LOCK();
 
     DoExpectIntEQ(wc_FreeRng(&rng), 0);
     wc_dilithium_free(pubOnlyKey);
@@ -1236,6 +1247,12 @@ int test_wc_dilithium_sign_vfy(void)
 
     ExpectIntEQ(wc_InitRng(&rng), 0);
 
+    /* FIPS v7.0.0 ML-DSA sign wrappers enforce the privateKeyReadEnable
+     * contract (FIPS 140-3 sec 7.10.2 CSP access control); unlock for the
+     * duration of this test's signing operations and re-lock at the end.
+     * Macros expand to no-ops in non-FIPS builds. */
+    PRIVATE_KEY_UNLOCK();
+
 #ifndef WOLFSSL_NO_ML_DSA_44
     ExpectIntEQ(wc_dilithium_init(key), 0);
     ExpectIntEQ(wc_dilithium_set_level(key, WC_ML_DSA_44), 0);
@@ -1300,6 +1317,8 @@ int test_wc_dilithium_sign_vfy(void)
     wc_dilithium_free(key);
 #endif
 
+    PRIVATE_KEY_LOCK();
+
     wc_FreeRng(&rng);
     XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);