Phase 3: SHA512 integrity check and closing the final FIPS requirements gaps

IDE/WIN-SRTP-KDF-140-3/test.vcxproj

@@ -162,7 +162,13 @@
       <OptimizeReferences>true</OptimizeReferences>
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
+      <!-- FIPS in-core integrity (WIN-SRTP-KDF README): ASLR OFF so every
+           build loads at a fixed base and the in-core hash stays stable.
+           Mirrors the Release|x64 config; FixedBaseAddress (/FIXED) strips
+           the .reloc section so the i386 image is pinned at its preferred
+           ImageBase (0x00400000), matching the proven x86_64 (U4) behavior. -->
       <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <FixedBaseAddress>true</FixedBaseAddress>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@@ -177,6 +183,10 @@
     </ClCompile>
     <Link>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <!-- FIPS in-core integrity (WIN-SRTP-KDF README): ASLR OFF so every
+           build loads at a fixed base and the in-core hash stays stable. -->
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <FixedBaseAddress>true</FixedBaseAddress>
       <SubSystem>Console</SubSystem>
       <AdditionalDependencies>ws2_32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <OptimizeReferences>true</OptimizeReferences>

IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.vcxproj

@@ -314,6 +314,16 @@
     <ClCompile Include="..\..\src\dtls13.c" />
     <ClCompile Include="..\..\src\dtls.c" />
     <ClCompile Include="..\..\wolfcrypt\src\wc_encrypt.c" />
+    <!-- FIPS v7.0.0 post-quantum module sources (FIPS 203/204/205, SP 800-208).
+         In-boundary placement is by .fipsA$/.fipsB$ section, not project order. -->
+    <ClCompile Include="..\..\wolfcrypt\src\wc_mlkem.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\wc_mlkem_poly.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\wc_mldsa.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\wc_lms.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\wc_lms_impl.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\wc_xmss.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\wc_xmss_impl.c" />
+    <ClCompile Include="..\..\wolfcrypt\src\wc_slhdsa.c" />
     <ClCompile Include="..\..\wolfcrypt\src\wolfcrypt_last.c" />
     <ClCompile Include="..\..\wolfcrypt\src\wolfmath.c" />
     <ClCompile Include="..\..\wolfcrypt\src\wolfevent.c" />

configure.ac

@@ -1494,6 +1494,15 @@ then
     enable_aesgcm_stream=no
 fi
 
+# FIPS 140-3 v7 guard support: capture whether DSA/DH were EXPLICITLY requested
+# (--enable-dsa / --enable-dh) here, before any default (enable_dsa=yes path,
+# --enable-all) sets them.  The v7 out-of-scope guard hard-errors only on an
+# explicit request, otherwise silently forces the algorithm off.  (FIPS 186-5
+# retires DSA; classic finite-field DH and DSA are out of scope for the FIPS
+# 140-3 v7 PQ module.)
+explicit_enable_dsa="$enable_dsa"
+explicit_enable_dh="$enable_dh"
+
 # All wolfCrypt features:
 AC_ARG_ENABLE([all-crypto],
     [AS_HELP_STRING([--enable-all-crypto],[Enable all wolfcrypt algorithms (default: disabled)])],
@@ -3777,13 +3786,21 @@ then
             AC_MSG_NOTICE([32bit ARMv4 found])
             ;;
         *)
-            AM_CPPFLAGS="$AM_CPPFLAGS -mfpu=crypto-neon-fp-armv8 -marm"
+            # AArch32 ARMv8 crypto-extension asm (armv8-32-*-asm.S: sha256h,
+            # aese/aesmc, pmull) needs an explicit -march=armv8-a+crypto: the
+            # ARMv8-A crypto extension is OPTIONAL, so "+crypto" gates these
+            # instructions -- not -mfpu alone, nor a bare -march=armv8-a (nor
+            # -mcpu=cortex-a53 on some toolchains).  Cross toolchains defaulting
+            # to ARMv7 (e.g. Xilinx Vitis cortex-a9) otherwise reject them:
+            # "selected processor does not support sha256h.32 in ARM mode".
+            # Mirrors the in-kernel ARM armasm enablement (port/arm/*.S crypto).
+            AM_CPPFLAGS="$AM_CPPFLAGS -march=armv8-a+crypto -mfpu=crypto-neon-fp-armv8 -marm"
             # Include options.h
             AM_CCASFLAGS="$AM_CCASFLAGS -DEXTERNAL_OPTS_OPENVPN"
             ENABLED_ARMASM_CRYPTO=yes
             ENABLED_ARMASM_NEON=yes
             ENABLED_ARM_32=yes
-            AC_MSG_NOTICE([32bit ARMv8 found, setting mfpu to crypto-neon-fp-armv8])
+            AC_MSG_NOTICE([32bit ARMv8 found, setting -march=armv8-a+crypto + mfpu=crypto-neon-fp-armv8])
             ;;
         esac
     esac
@@ -5772,6 +5789,13 @@ if test "x$ENABLED_WPAS" = "xyes"    || test "x$ENABLED_NGINX" = "xyes" || \
 then
     ENABLED_ANON=yes
 fi
+# Anonymous ciphers require classic DH (enforced below and by settings.h:
+# HAVE_ANON => DH).  DH is out of scope only for the LOCKED FIPS 140-3 v7
+# module, so force anon off there however it was enabled (--enable-all, a TLS-
+# integration option like wpas/nginx, or --enable-anon).  dev/ready keep DH
+# (and thus anon) when --enable-all/--enable-dh ask.
+AS_IF([test "$FIPS_VERSION" = "v7"],
+    [ENABLED_ANON=no])
 if test "x$ENABLED_ANON" = "xyes"
 then
     if test "$ENABLED_DH" = "no"
@@ -6315,13 +6339,7 @@ AS_CASE([$FIPS_VERSION],
             -DWC_RSA_NO_PADDING \
             -DECC_USER_CURVES \
             -DHAVE_ECC384 \
-            -DHAVE_ECC521 \
-            -DWOLFSSL_VALIDATE_FFC_IMPORT \
-            -DHAVE_FFDHE_Q \
-            -DHAVE_FFDHE_3072 \
-            -DHAVE_FFDHE_4096 \
-            -DHAVE_FFDHE_6144 \
-            -DHAVE_FFDHE_8192"
+            -DHAVE_ECC521"
 
         # KCAPI API does not support custom k for sign, don't force enable ECC key sizes and don't use seed callback
         AS_IF([test "x$ENABLED_KCAPI_ECC" = "xno"],
@@ -6335,6 +6353,28 @@ AS_CASE([$FIPS_VERSION],
                 -DHAVE_ECC256"])
 
         DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
+
+# Classic finite-field DH and DSA scope by FIPS mode (FIPS 186-5 retires DSA;
+# the v7 boundary keeps only ECDH/ECDSA + PQ KEM/DSA):
+#   v7        -- LOCKED release module: DH/DSA OUT OF SCOPE.  Hard-error on an
+#                explicit --enable-dh/--enable-dsa, otherwise force off.
+#   dev/ready -- pre-release: DH/DSA OFF BY DEFAULT but turn-on-able
+#                (--enable-all, --enable-dh/--enable-dsa) for test coverage and
+#                v6 migration.
+        AS_IF([test "$FIPS_VERSION" = "v7"],
+            [AS_IF([test "$explicit_enable_dh" = "yes"],
+                 [AC_MSG_ERROR([--enable-dh is not supported with --enable-fips=v7. Classic finite-field DH is out of scope for the FIPS 140-3 v7 PQ module. Use --enable-fips=v6 if you need DH support.])],
+                 [test "$ENABLED_DH" != "no"],
+                 [ENABLED_DH="no"; enable_dh="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DH"])
+             AS_IF([test "$explicit_enable_dsa" = "yes"],
+                 [AC_MSG_ERROR([--enable-dsa is not supported with --enable-fips=v7. DSA is retired by FIPS 186-5 and is out of scope for the FIPS 140-3 v7 PQ module. Use --enable-fips=v6 if you need DSA support.])],
+                 [test "$ENABLED_DSA" != "no"],
+                 [ENABLED_DSA="no"; enable_dsa="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DSA"])],
+            [AS_IF([test "$explicit_enable_dh" != "yes" && test "x$enable_all" != "xyes"],
+                 [ENABLED_DH="no"; enable_dh="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DH"])
+             AS_IF([test "$explicit_enable_dsa" != "yes" && test "x$enable_all" != "xyes"],
+                 [ENABLED_DSA="no"; enable_dsa="no"; AM_CFLAGS="$AM_CFLAGS -DNO_DSA"])])
+
 # optimizations section
 
 # protocol section
@@ -8889,8 +8929,16 @@ then
     fi
     if test "x$ENABLED_DH" = "xno"
     then
-        ENABLED_DH="yes"
-        AM_CFLAGS="$AM_CFLAGS -DHAVE_DH"
+        # Classic DH is out of scope for the FIPS 140-3 v7 PQ module.  JNI
+        # normally auto-enables DH for legacy TLS suites; with FIPS v7+ we
+        # report and skip rather than silently re-enabling DH off-boundary.
+        if test "$FIPS_VERSION" = "v7" || test "$FIPS_VERSION" = "ready" || test "$FIPS_VERSION" = "dev"
+        then
+            AC_MSG_NOTICE([JNI enabled but FIPS is $FIPS_VERSION, NOT turning on DH with this module])
+        else
+            ENABLED_DH="yes"
+            AM_CFLAGS="$AM_CFLAGS -DHAVE_DH"
+        fi
     fi
     if test "x$ENABLED_PSK" = "xno"
     then

fips-hash.sh

@@ -13,7 +13,10 @@ then
 fi
 
 OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
-NEWHASH=$(echo "$OUT" | cut -c1-64)
+# Take the whole hash: FIPS v7.0.0+ is HMAC-SHA-512 (128 hex), older is
+# HMAC-SHA-256 (64 hex). static_assert on sizeof(verifyCore) catches a
+# wrong length at compile time.
+NEWHASH=$(echo "$OUT" | head -n1 | tr -d '[:space:]')
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak

linuxkm/Kbuild

@@ -99,6 +99,16 @@ $(LIBWOLFSSL_NAME)-y := $(WOLFSSL_OBJ_FILES) linuxkm/module_hooks.o linuxkm/modu
 
 ifeq "$(FIPS_OPTEST)" "1"
     $(LIBWOLFSSL_NAME)-y += linuxkm/optest-140-3/linuxkm_optest_wrapper.o
+    # The optest wrapper (#includes test.c / invalid_tests.c) aggregates several
+    # AES contexts per invalid-input test fn.  Under WOLFSSL_AESNI the Aes
+    # struct carries an inline ALIGN16 streamData[5*WC_AES_BLOCK_SIZE]
+    # (wolfssl/wolfcrypt/aes.h) plus use_aesni, so the
+    # aes_{,mac_,ofb_,cfb_,kw_}invalid_data_tests fns exceed the i386
+    # THREAD_SIZE/4 = 2048 frame *warning* (x86_64's 4096 already fits; runtime
+    # is fine in a kernel thread).  Relax to 4096 for the wrapper ONLY: it is
+    # test/evidence tooling OUTSIDE the FIPS module boundary, so module objects
+    # keep the strict MAX_STACK_FRAME_SIZE.  No effect on x86_64 (default 4096).
+    $(obj)/linuxkm/optest-140-3/linuxkm_optest_wrapper.o: ccflags-y += -Wframe-larger-than=4096
 endif
 
 WOLFSSL_CFLAGS_NO_VECTOR_INSNS := $(CFLAGS_SIMD_DISABLE) $(CFLAGS_FPU_DISABLE)
@@ -127,6 +137,10 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
           endif
         endif
       endif
+      ifeq ($(KERNEL_ARCH),i386)
+        NO_PIE_FLAG := 1
+        $(info Note: disabling -fPIE on 32-bit x86 -- i386 -fPIE routes every local symbol through the GOT (R_386_GOTOFF), which the wolfCrypt PIE containerization forbids.)
+      endif
     endif
 
     ifdef NO_PIE_FLAG
@@ -219,6 +233,24 @@ $(obj)/wolfcrypt/src/wc_mlkem_asm.o: OBJECT_FILES_NON_STANDARD := y
 $(obj)/wolfcrypt/src/wc_mldsa_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
 $(obj)/wolfcrypt/src/wc_mldsa_asm.o: OBJECT_FILES_NON_STANDARD := y
 
+# ARM/ARM64 crypto+NEON asm (wolfcrypt/src/port/arm/*.S) needs crypto/NEON
+# -march at assembly time.  The asm carries no .arch/.fpu directives and
+# configure leaves ASFLAGS_*_SIMD_ENABLE empty on ARM: userspace inherits
+# +crypto from the toolchain -mcpu, but the kernel forces its own baseline
+# -march without it, so AES/SHA/PMULL are rejected ("selected processor does not
+# support `aesd ...'").  Supply the right -march per kernel arch.  (Wrong-arch
+# port/arm files are #ifdef'd to empty objects, so it is a no-op for them;
+# OBJECT_FILES_NON_STANDARD silences objtool on the hand asm.)
+ifeq ($(CONFIG_ARM64),y)
+    WOLFSSL_ARM_ASM_MARCH := -march=armv8-a+crypto
+else ifeq ($(CONFIG_ARM),y)
+    WOLFSSL_ARM_ASM_MARCH := -march=armv8-a -mfpu=crypto-neon-fp-armv8
+endif
+ifdef WOLFSSL_ARM_ASM_MARCH
+$(obj)/wolfcrypt/src/port/arm/%.o: asflags-y := $(WOLFSSL_ASFLAGS) $(WOLFSSL_ARM_ASM_MARCH)
+$(obj)/wolfcrypt/src/port/arm/%.o: OBJECT_FILES_NON_STANDARD := y
+endif
+
 ifndef READELF
     READELF := readelf
 endif
@@ -327,7 +359,7 @@ RENAME_PIE_TEXT_AND_DATA_SECTIONS := \
 			next;						\
 		    }							\
 		    else if ($$4 == "OBJECT") {				\
-			if (! ($$7 in wolfcrypt_data_sections)) {	\
+			if (! ($$7 in wolfcrypt_data_sections) && ! ($$7 in wolfcrypt_text_sections)) {	\
 			    if ((other_sections[$$7] == ".printk_index") || \
 				(($$8 ~ /^_entry\.[0-9]+$$|^kernel_read_file_str$$/) &&		\
 				 (other_sections[$$7] == ".data.rel.ro.local"))) \

linuxkm/Makefile

@@ -45,7 +45,14 @@ ifndef SRC_TOP
     SRC_TOP=$(shell dirname $(MODULE_TOP))
 endif
 
-WOLFSSL_CFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -Wno-declaration-after-statement -Wno-redundant-decls -DLIBWOLFSSL_GLOBAL_EXTRA_CFLAGS="\" $(KERNEL_EXTRA_CFLAGS)\""
+# -Wno-nested-externs: the kernel's _compiletime_assert (<linux/compiler_types.h>,
+# via atomic/per-CPU/printk-once macros in x86_vector_register_glue.c) emits an
+# "extern ... __compiletime_assert_N(void)" inside a function body, tripping
+# -Wnested-externs; with -Werror this breaks the i386 + AES-NI build (glue compiles
+# only when WOLFSSL_USE_SAVE_VECTOR_REGISTERS / a PAA is enabled).  Strip it
+# build-wide like the other kernel-incompatible warnings; diagnostic-only, so object
+# code (and the FIPS in-core hash) stays byte-identical on every arch.
+WOLFSSL_CFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -Wno-declaration-after-statement -Wno-redundant-decls -Wno-nested-externs -DLIBWOLFSSL_GLOBAL_EXTRA_CFLAGS="\" $(KERNEL_EXTRA_CFLAGS)\""
 ifdef KERNEL_EXTRA_CFLAGS
     WOLFSSL_CFLAGS += $(KERNEL_EXTRA_CFLAGS)
 endif
@@ -55,7 +62,12 @@ endif
 
 WOLFSSL_ASFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CCASFLAGS) $(CCASFLAGS)
 
-WOLFSSL_OBJ_FILES=$(patsubst %.lo, %.o, $(patsubst src/src_libwolfssl_la-%, src/%, $(patsubst src/libwolfssl_la-%, src/%, $(patsubst wolfcrypt/src/src_libwolfssl_la-%, wolfcrypt/src/%, $(src_libwolfssl_la_OBJECTS)))))
+# Strip libtool's per-target object prefix (src_libwolfssl_la-) so Kbuild sees the
+# real object names.  The innermost patsubst covers wolfcrypt/src/port/arm/ asm
+# (armv8-*/armv8-32-*/thumb2-*), which the src/ and wolfcrypt/src/ patsubsts miss;
+# without it --enable-armasm kernel builds fail ("No rule to make target
+# .../src_libwolfssl_la-armv8-aes-asm.o").
+WOLFSSL_OBJ_FILES=$(patsubst %.lo, %.o, $(patsubst src/src_libwolfssl_la-%, src/%, $(patsubst src/libwolfssl_la-%, src/%, $(patsubst wolfcrypt/src/src_libwolfssl_la-%, wolfcrypt/src/%, $(patsubst wolfcrypt/src/port/arm/src_libwolfssl_la-%, wolfcrypt/src/port/arm/%, $(src_libwolfssl_la_OBJECTS))))))
 
 ifeq "$(ENABLED_CRYPT_TESTS)" "yes"
     WOLFSSL_OBJ_FILES+=wolfcrypt/test/test.o
@@ -160,7 +172,7 @@ GENERATE_RELOC_TAB := $(AWK) '								\
 	function open_seg(seg) {							\
 	    seen_seg[seg] = 1;								\
 	    printf("%s\n    ",								\
-		"WOLFSSL_LOCAL const struct wc_reloc_table_ent wc_linuxkm_pie_" seg "_reloc_tab[] = { ");	\
+		"WOLFSSL_LOCAL const struct wc_reloc_table_ent wc_linuxkm_pie_" seg "_reloc_tab[] = {");	\
 	    cur_seg = seg;								\
 	}										\
 	function close_cur_seg() {							\
@@ -197,7 +209,7 @@ GENERATE_RELOC_TAB := $(AWK) '								\
 		next;									\
 	}										\
 	/^0/ {										\
-		if ($$3 !~ "^(R_X86_.*|R_AARCH64_.*|R_ARM.*)$$") {			\
+		if ($$3 !~ "^(R_X86_.*|R_386_.*|R_AARCH64_.*|R_ARM.*)$$") {		\
 		    print "Unexpected relocation type in " cur_seg ":\n" $$0 >"/dev/stderr";		\
 		    ++bad_relocs;							\
 		}									\
@@ -361,12 +373,12 @@ module-update-fips-hash: $(LIBWOLFSSL_NAME).ko
 	readarray -t verifyCore_attrs < <($(READELF) --wide --symbols "$<" | \
 	    sed -E -n 's/^[[:space:]]*[0-9]+: ([0-9a-fA-F]+)[[:space:]]+([0-9]+)[[:space:]]+OBJECT[[:space:]]+[A-Z]+[[:space:]]+[A-Z]+[[:space:]]+'"$${rodata_segment[0]}"'[[:space:]]+verifyCore$$/\1\n\2/p'); \
 	if [[ $${#verifyCore_attrs[@]} != 2 ]]; then echo '  unexpected verifyCore_attrs.' >&2; exit 1; fi; \
-	if [[ "$${verifyCore_attrs[1]}" != "65" ]]; then echo "	 verifyCore has unexpected length $${verifyCore_attrs[1]}." >&2; exit 1; fi; \
+	if [[ "$${verifyCore_attrs[1]}" != "129" ]]; then echo "	 verifyCore has unexpected length $${verifyCore_attrs[1]}." >&2; exit 1; fi; \
 	verifyCore_offset=$$((0x$${rodata_segment[1]} + 0x$${verifyCore_attrs[0]})); \
-	current_verifyCore=$$(dd bs=1 if="$<" skip=$$verifyCore_offset count=64 status=none); \
+	current_verifyCore=$$(dd bs=1 if="$<" skip=$$verifyCore_offset count=128 status=none); \
 	if [[ ! "$$current_verifyCore" =~ [0-9a-fA-F]{64} ]]; then echo "  verifyCore at offset $$verifyCore_offset has unexpected value." >&2; exit 1; fi; \
 	if [[ '$(FIPS_HASH)' == "$$current_verifyCore" ]]; then echo '	Supplied FIPS_HASH matches existing verifyCore -- no update needed.'; exit 0; fi; \
-	echo -n '$(FIPS_HASH)' | dd bs=1 conv=notrunc of="$<" seek=$$verifyCore_offset count=64 status=none && \
+	echo -n '$(FIPS_HASH)' | dd bs=1 conv=notrunc of="$<" seek=$$verifyCore_offset count=128 status=none && \
 	echo "	FIPS verifyCore updated successfully." && \
             if [[ -f '$(LIBWOLFSSL_NAME).ko.signed' ]]; then $(MAKE) $(QFLAG) --no-print-directory --no-silent -C . '$(LIBWOLFSSL_NAME).ko.signed'; fi