account for FIPS ready build and SE050 test

Author: JacobBarthelmeh

wolfcrypt/src/port/nxp/se050_port.c

@@ -2113,6 +2113,10 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, MATH_INT_T* r, MATH_INT
     size_t sigSz = sizeof(sigBuf);
     word32 rLen = 0;
     word32 sLen = 0;
+#ifndef WC_ALLOW_ECC_ZERO_HASH
+    byte hashIsZero = 0;
+    word32 zIdx;
+#endif
 
 #ifdef SE050_DEBUG
     printf("se050_ecc_sign_hash_ex: key %p, in %p (%d), out %p (%d), "
@@ -2124,6 +2128,15 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, MATH_INT_T* r, MATH_INT
         return BAD_FUNC_ARG;
     }
 
+#ifndef WC_ALLOW_ECC_ZERO_HASH
+    /* SE050 hardware does not reject all-zero digests; mirror the
+     * software path's check so behavior is consistent. */
+    for (zIdx = 0; zIdx < inLen; zIdx++)
+        hashIsZero |= in[zIdx];
+    if (hashIsZero == 0)
+        return ECC_BAD_ARG_E;
+#endif
+
     if (cfg_se050_i2c_pi == NULL) {
         return WC_HW_E;
     }

wolfssl/wolfcrypt/settings.h

@@ -3514,10 +3514,12 @@ extern void uITRON4_free(void *p) ;
 #endif
 
 #ifdef HAVE_ECC
-    /* defined for all ECC non FIPS builds and for FIPS v7+, unless the user
-     * explicitly opts in to allowing an all-zero digest with
+    /* defined for all ECC non FIPS builds and for FIPS v7+ (including
+     * fips-ready/fips-dev which track the latest in-development source),
+     * unless the user explicitly opts in to allowing an all-zero digest with
      * WC_ALLOW_ECC_ZERO_HASH or is building with HAVE_SELFTEST */
-    #if (!defined(HAVE_FIPS) || FIPS_VERSION_GT(7,0)) && \
+    #if (!defined(HAVE_FIPS) || FIPS_VERSION_GT(7,0) || \
+         defined(WOLFSSL_FIPS_READY) || defined(WOLFSSL_FIPS_DEV)) && \
         !defined(HAVE_SELFTEST) && !defined(WC_ALLOW_ECC_ZERO_HASH)
         /* sign/verify of an all-zero digest in wolfCrypt rejected */
         #define WC_TEST_NO_ECC_SIGN_VERIFY_ZERO_DIGEST