SecurityReview FND 40.2: upgrade in-core integrity HMAC to SHA-512

kaleb-himes · kaleb-himes · commit 73dc5a6214c6 · 2026-04-22T14:03:05.000-06:00
FIPS 140-3 v7.0.0 security review finding 40.2: the in-core integrity
test must use HMAC-SHA-512 with a 512-bit key for NSA 2.0 compliance
(customers requiring no SHA-256 usage anywhere in the validated module).

- wolfssl/wolfcrypt/fips_test.h: add v7+ branch that selects SHA-512 /
  64-byte digest / 512-bit key / 64-byte verify-size.  Older versions
  (v5.3, v6.x) keep HMAC-SHA-256.
- fips-hash.sh: drop the hardcoded cut -c1-64 so the script works for
  SHA-512 (128 hex chars) as well as SHA-256.  Length is guarded at
  compile time by the static_assert on sizeof(verifyCore).

Companion change in kh-fork-fips updates fips_test.c verifyCore
placeholder, coreKey (fresh 512-bit random), and the static_assert to
use FIPS_IN_CORE_DIGEST_SIZE.

Paperwork (PQ-FS-dev-area/Final_Submission_Paperwork/):
- PL-R36 compliance summary already reflects HMAC-SHA-512 (no change).
- PL-R34 Security Policy section 5.1 updated via tracked changes to
  say HMAC-SHA2-512 with a 512-bit key.

Verified: make + fips-hash.sh + make; make check all pass.
diff --git a/fips-hash.sh b/fips-hash.sh
@@ -13,7 +13,11 @@ then
 fi
 
 OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
-NEWHASH=$(echo "$OUT" | cut -c1-64)
+# FIPS v7.0.0+ uses HMAC-SHA-512 (128 hex chars); older FIPS versions
+# use HMAC-SHA-256 (64 hex chars).  Take the whole captured hash; the
+# static_assert on sizeof(verifyCore) guards against wrong length at
+# compile time after this script runs.
+NEWHASH=$(echo "$OUT" | head -n1 | tr -d '[:space:]')
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
diff --git a/wolfssl/wolfcrypt/fips_test.h b/wolfssl/wolfcrypt/fips_test.h
@@ -31,8 +31,23 @@
     extern "C" {
 #endif
 
-/* Added for FIPS v5.3 or later */
-#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
+/* Added for FIPS v5.3 or later.
+ *
+ * v7.0.0 and later upgrade the in-core integrity HMAC to SHA-512 (with a
+ * 512-bit key) for NSA 2.0 compliance.  Customers that must avoid SHA-256
+ * anywhere in the validated module can therefore use the v7 module without
+ * residual SHA-256 integrity material.  v5.3 and v6.x retain HMAC-SHA-256.
+ */
+#if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(7,0)
+    #ifdef WOLFSSL_SHA512
+        #define FIPS_IN_CORE_DIGEST_SIZE 64
+        #define FIPS_IN_CORE_HASH_TYPE   WC_SHA512
+        #define FIPS_IN_CORE_KEY_SZ      64
+        #define FIPS_IN_CORE_VERIFY_SZ   FIPS_IN_CORE_KEY_SZ
+    #else
+        #error FIPS v7+ integrity test requires WOLFSSL_SHA512
+    #endif
+#elif defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)
     /* Determine FIPS in core hash type and size */
     #ifndef NO_SHA256
         #define FIPS_IN_CORE_DIGEST_SIZE 32
