SecurityReview FND 40.2 + 36.1 + 6.4 + 10.1 + 15.1 + 26.7 + 11.3 + 43.2 + 20.1 + 6.2 + 2.2 + 1.6 + 20.7: integrity, PCT, zeroize, CMAC/SHAKE/AES-KW CASTs, DH PCT + configurable DRBG_SHA512_SEED_LEN, ML-DSA sign privateKeyReadEnable parity, FIPS CAST benchmark deliverable, RSA 1024 removed from FIPS RsaSizeCheck, linuxkm AES-GCM tag-min 96-bit FIPS gate, AES-CBC block-alignment check forced on for FIPS, AES context init caller-responsibility documented, RSA exponent FIPS-186-5 minimum 65537 enforced

20.7 (Low): wc_MakeRsaKey now rejects e < 65537 in HAVE_FIPS builds per
FIPS 186-5 sec 5.2 (Public Verification Exponent: 2^16 + 1 <= e < 2^256
and e odd).  The general non-FIPS check (e >= 3 and e odd) remains
unchanged.  Tests updated: tests/api/test_ossl_rsa.c and
tests/api/test_evp_pkey.c sites that previously passed e=3 or e=17 to
RSA_generate_key now use 65537 (RSA-F4), matching FIPS-Approved use and
preserving non-FIPS test semantics (since 65537 is universally accepted).

Author: kaleb-himes

fips-hash.sh

@@ -13,7 +13,11 @@ then
 fi
 
 OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
-NEWHASH=$(echo "$OUT" | cut -c1-64)
+# FIPS v7.0.0+ uses HMAC-SHA-512 (128 hex chars); older FIPS versions
+# use HMAC-SHA-256 (64 hex chars).  Take the whole captured hash; the
+# static_assert on sizeof(verifyCore) guards against wrong length at
+# compile time after this script runs.
+NEWHASH=$(echo "$OUT" | head -n1 | tr -d '[:space:]')
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak

tests/api/test_evp_pkey.c

@@ -1526,7 +1526,7 @@ static int test_wolfSSL_EVP_PKEY_sign_verify(int keyType)
     !defined(HAVE_SELFTEST)
 #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
         {
-            ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+            ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
             ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS);
         }
 #endif
@@ -2028,7 +2028,7 @@ int test_wolfSSL_EVP_PKEY_encrypt(void)
         XMEMSET(outDec, 0, rsaKeySz);
     }
 
-    ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
     ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new());
     ExpectIntEQ(EVP_PKEY_assign_RSA(pkey, rsa), WOLFSSL_SUCCESS);
     if (EXPECT_FAIL()) {

tests/api/test_mldsa.c

@@ -752,9 +752,20 @@ int test_wc_dilithium_sign_pubonly_fails(void)
     /* Import only the public key into a fresh key object. */
     ExpectIntEQ(wc_dilithium_import_public(pubBuf, pubLen, pubOnlyKey), 0);
 
-    /* Signing with a public-key-only object must fail. */
+    /* Signing with a public-key-only object must fail.
+     *
+     * In FIPS v7.0.0 mode the ML-DSA sign wrappers enforce the
+     * privateKeyReadEnable contract (FIPS 140-3 sec 7.10.2 CSP access
+     * control); without unlocking, the wrapper short-circuits to
+     * FIPS_PRIVATE_KEY_LOCKED_E before reaching the no-private-key
+     * detection.  Unlock briefly so this test exercises the underlying
+     * BAD_FUNC_ARG path it is designed to verify.  The
+     * PRIVATE_KEY_UNLOCK / PRIVATE_KEY_LOCK macros expand to no-ops in
+     * non-FIPS builds. */
+    PRIVATE_KEY_UNLOCK();
     ExpectIntEQ(wc_dilithium_sign_ctx_msg(NULL, 0, msg, sizeof(msg), sig,
         &sigLen, pubOnlyKey, &rng), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    PRIVATE_KEY_LOCK();
 
     DoExpectIntEQ(wc_FreeRng(&rng), 0);
     wc_dilithium_free(pubOnlyKey);
@@ -1236,6 +1247,12 @@ int test_wc_dilithium_sign_vfy(void)
 
     ExpectIntEQ(wc_InitRng(&rng), 0);
 
+    /* FIPS v7.0.0 ML-DSA sign wrappers enforce the privateKeyReadEnable
+     * contract (FIPS 140-3 sec 7.10.2 CSP access control); unlock for the
+     * duration of this test's signing operations and re-lock at the end.
+     * Macros expand to no-ops in non-FIPS builds. */
+    PRIVATE_KEY_UNLOCK();
+
 #ifndef WOLFSSL_NO_ML_DSA_44
     ExpectIntEQ(wc_dilithium_init(key), 0);
     ExpectIntEQ(wc_dilithium_set_level(key, WC_ML_DSA_44), 0);
@@ -1300,6 +1317,8 @@ int test_wc_dilithium_sign_vfy(void)
     wc_dilithium_free(key);
 #endif
 
+    PRIVATE_KEY_LOCK();
+
     wc_FreeRng(&rng);
     XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);

tests/api/test_ossl_rsa.c

@@ -65,7 +65,7 @@ int test_wolfSSL_RSA(void)
 
     RSA_free(rsa);
     rsa = NULL;
-    ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
     ExpectIntEQ(RSA_size(rsa), 256);
 
 #if (!defined(HAVE_FIPS) || FIPS_VERSION3_GT(6,0,0)) && !defined(HAVE_SELFTEST)
@@ -306,7 +306,7 @@ int test_wolfSSL_RSA(void)
     rsa = NULL;
 
 #if !defined(USE_FAST_MATH) || (FP_MAX_BITS >= (3072*2))
-    ExpectNotNull(rsa = RSA_generate_key(3072, 17, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(3072, 65537, NULL, NULL));
     ExpectIntEQ(RSA_size(rsa), 384);
     ExpectIntEQ(RSA_bits(rsa), 3072);
     RSA_free(rsa);
@@ -461,7 +461,7 @@ int test_wolfSSL_RSA_print(void)
 
     RSA_free(rsa);
     rsa = NULL;
-    ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
 
     ExpectIntEQ(RSA_print(bio, rsa, 0), 1);
     ExpectIntEQ(RSA_print(bio, rsa, 4), 1);
@@ -626,11 +626,11 @@ int test_wolfSSL_RSA_meth(void)
     RSA_METHOD *rsa_meth = NULL;
 
 #ifdef WOLFSSL_KEY_GEN
-    ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNotNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
     RSA_free(rsa);
     rsa = NULL;
 #else
-    ExpectNull(rsa = RSA_generate_key(2048, 3, NULL, NULL));
+    ExpectNull(rsa = RSA_generate_key(2048, 65537, NULL, NULL));
 #endif
 
     ExpectNotNull(RSA_get_default_method());