From 364e883941e75c2bda300c088e12ca0c81e5e28e Mon Sep 17 00:00:00 2001 From: Josh Holtrop Date: Fri, 29 May 2026 10:40:12 -0400 Subject: [PATCH] Rust wrapper: handle MAC_CMP_FAILED_E from CMAC::verify{,_ex}() Fix F-4468 --- wrapper/rust/wolfssl-wolfcrypt/src/cmac.rs | 6 ++++++ wrapper/rust/wolfssl-wolfcrypt/tests/test_cmac.rs | 8 ++++++++ 2 files changed, 14 insertions(+) diff --git a/wrapper/rust/wolfssl-wolfcrypt/src/cmac.rs b/wrapper/rust/wolfssl-wolfcrypt/src/cmac.rs index f99c7c9687..b7ac1bc774 100644 --- a/wrapper/rust/wolfssl-wolfcrypt/src/cmac.rs +++ b/wrapper/rust/wolfssl-wolfcrypt/src/cmac.rs @@ -201,6 +201,9 @@ impl CMAC { data.as_ptr(), data_size, key.as_ptr(), key_size) }; + if rc == sys::wolfCrypt_ErrorCodes_MAC_CMP_FAILED_E { + return Ok(false); + } if rc < 0 { return Err(rc); } @@ -402,6 +405,9 @@ impl CMAC { data.as_ptr(), data_size, key.as_ptr(), key_size, heap, dev_id) }; + if rc == sys::wolfCrypt_ErrorCodes_MAC_CMP_FAILED_E { + return Ok(false); + } if rc < 0 { return Err(rc); } diff --git a/wrapper/rust/wolfssl-wolfcrypt/tests/test_cmac.rs b/wrapper/rust/wolfssl-wolfcrypt/tests/test_cmac.rs index 09dabcb8b8..9db8d13e3e 100644 --- a/wrapper/rust/wolfssl-wolfcrypt/tests/test_cmac.rs +++ b/wrapper/rust/wolfssl-wolfcrypt/tests/test_cmac.rs @@ -17,6 +17,10 @@ fn test_cmac() { 0x07u8, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c ]; + let incorrect_cmac = [ + 0x06u8, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, + 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c + ]; let mut cmac = CMAC::new(&key).expect("Error with new()"); cmac.update(&message).expect("Error with update()"); let mut finalize_out = [0u8; 16]; @@ -28,6 +32,8 @@ fn test_cmac() { assert_eq!(generate_out, finalize_out); let valid = CMAC::verify(&key, &message, &generate_out).expect("Error with verify()"); assert!(valid); + let valid = CMAC::verify(&key, &message, &incorrect_cmac).expect("Error with verify()"); + assert!(!valid); let mut cmac = CMAC::new(&key).expect("Error with new()"); let mut generate_out = [0u8; 16]; @@ -35,4 +41,6 @@ fn test_cmac() { assert_eq!(generate_out, finalize_out); let valid = cmac.verify_ex(&key, &message, &generate_out, None, None).expect("Error with verify_ex()"); assert!(valid); + let valid = cmac.verify_ex(&key, &message, &incorrect_cmac, None, None).expect("Error with verify_ex()"); + assert!(!valid); }