Commit Graph

14 Commits

Author SHA1 Message Date
Sameeh Jubran ba51fbd30b Zero TLS 1.3 traffic keys after AES SE offload
When WOLF_CRYPTO_CB_AES_SETKEY is enabled and a CryptoCB callback
imports the AES key into a Secure Element (aes->devCtx != NULL), the
TLS-layer copy in keys->{client,server}_write_key has no further
consumer: the software key schedule is not populated on offload.
ForceZero it in SetKeysSide() per provisioned side.

The static IVs (keys->{client,server}_write_IV and
keys->aead_{enc,dec}_imp_IV) are left intact because BuildTls13Nonce()
reads aead_{enc,dec}_imp_IV on every record (RFC 8446 Section 5.3).

Scope: TLS 1.3, non-DTLS, non-QUIC.  DTLS 1.3 needs the write keys
in Dtls13EpochCopyKeys; TLS 1.2 needs them for rehandshake; QUIC is
untouched pending audit.

Add two memio tests (test_wc_CryptoCb_Tls13_Key_{Zero_After_Offload,
No_Zero_Without_Offload}) that pin AES-GCM and check key / IV state
after the handshake and a KeyUpdate round.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-04-20 10:45:23 +03:00
Sean Parkinson c905033acf API tests: more cipher tests
1. Unaligned Buffer Tests
Verify correct output when input/output buffers are byte-offset by 1,
2, and 3 bytes.
  - AES-CBC, AES-CTS, AES-CTR, AES-GCM, AES-CCM, AES-XTS
- ChaCha20, ChaCha20-Poly1305

2. In-Place (Overlapping) Buffer Tests
Verify correct output when out == in (same pointer for input and
output).
  - AES-CTS, AES-GCM, AES-CCM, AES-XTS
- ChaCha20, ChaCha20-Poly1305

3. Cross-Cipher Verification Tests
Verify that a higher-level mode produces identical output when
manually reconstructed from a lower-level primitive (typically AES-ECB +
XOR).
- AES-CBC (= ECB + XOR chaining)
- AES-CFB (= ECB(ciphertext feedback) + XOR)
  - AES-OFB (= ECB(output feedback) + XOR)
- AES-CTR (= ECB(counter) + XOR with big-endian increment)
  - AES-GCM (ciphertext portion = CTR starting at counter J0+1)
- ChaCha20-Poly1305 (ciphertext = raw ChaCha20 keystream XOR; tag =
independent Poly1305)

4. Counter Overflow Tests
Verify correct carry propagation when the internal block counter wraps
around.
  - AES-CTR (32-bit big-endian carry across 4 bytes: 0xFFFFFFFE → wrap)
- ChaCha20 (32-bit counter: 0xFFFFFFFF → 0x00000000)

5. AEAD Edge Case Tests
Verify correct behavior for empty inputs, empty AAD, and invalid auth
tag rejection.
  - Ascon-AEAD128
  - AES-CCM
  - ChaCha20-Poly1305

6. Non-Standard Parameter Tests
  Verify behavior outside the common fast path.
- AES-GCM: non-96-bit nonce lengths (1-byte, 60-byte, variable-length
loop, zero-length rejection)

7. Streaming API State Tests
Verify mid-stream state behavior and re-initialization after a final
call.
  - AES-GCM stream, AES-XTS stream
  - ChaCha20-Poly1305 stream
2026-04-15 17:05:32 +10:00
Sean Parkinson 59a17dd598 Unit testing: Add Monte Carlo testing to ciphers
Monte Carlo testing is randomized test data.
These new tests have random keys, IVs, nonce, etc and random data to
encrypt.
100 sets of random test data are encrypted and decrypted with a check to
ensure the input to encrypt is the same as the output of decrypt.
Tags are generated and checked in the calls to encrypt and decrypt.
2026-04-14 13:25:15 +10:00
Sean Parkinson b764aac074 API testing additions: cipher tests
Fixed wc_AesEaxAuthDataUpdate to check eax for NULL before
dereferencing.

Fix AesSivCipher to delete/free AES if new/initialization succeeded.
Memsetting to 0 doesn't work when WC_DEBUG_CIPHER_LIFECYCLE is defined.

Added tests for:
 - AES-EAX streaming
 - AES-SIV
 - Poly1305
 - DES-CBC
2026-04-10 15:43:21 +10:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Sameeh Jubran 425dc1372d cryptocb: add AES CryptoCB key import support and tests
Add CryptoCB-based AES key import support to enable Secure Element
offload without exposing raw AES key material to wolfCrypt.

When WOLF_CRYPTO_CB_AES_SETKEY is defined, wolfCrypt invokes a CryptoCB
callback during AES key setup. Behavior is determined by the callback
return value:

- If callback returns 0: Key is imported to the device (aes->devCtx).
  Key is NOT copied to wolfCrypt RAM; GCM H/M tables are NOT generated.
  Full hardware offload is assumed.

- If callback returns CRYPTOCB_UNAVAILABLE: Device does not support
  SetKey. Normal software path is used; key is copied to devKey for
  optional encrypt/decrypt acceleration.

- Any other error: Propagated to the caller.

Key points:
- Add wc_CryptoCb_AesSetKey() callback for AES key import
- Update AES SetKey paths to call CryptoCB and branch on return value
- Skip GCM H/M table generation when callback succeeded (devCtx set)
- Preserve existing behavior when devId is INVALID_DEVID or
  WOLF_CRYPTO_CB_AES_SETKEY is not defined

Testing:
- Add unit test for CryptoCB AES SetKey (verifies key isolation when
  callback succeeds)
- Add end-to-end AES-GCM offload test (SetKey, Encrypt, Decrypt, Free
  via CryptoCB)
- Tests use a mock SE with software AES to validate routing

Enable with: CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-03 16:59:02 +02:00
Sean Parkinson 80b7ea638e Aarch64 no harware crypto assembly AES
Implementations of AES-ECB, AES-CBC, AES-CTR, AES-GCM, AES-XTS with base
instructions and NEON but not using crypto instructions.

Benchmark of AES-ECB added.
Updated AES tests.
2025-12-10 08:55:58 +10:00
Sean Parkinson 8533bc803b AES: Improve CFB and OFB and add tests
Improve performance of CFB and OFB.
Only have one implementation that is used by OFB encrypt and decrypt.

Update AES testing in unit.test.

Update benchmarking of CFB and OFb to include decrypt.
2025-10-22 12:19:56 +10:00
jordan 525c212d1c cmac kdf: add NIST SP 800-108, and NIST SP 800-56C two-step. 2025-10-20 08:20:23 -05:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
David Garske 0f4ce03c28 Fixes for NO_AES_192 and NO_AES_256. Added CI test. Fixed bad BUILD_ logic for ADH-AES256-GCM-SHA384. 2025-05-05 14:36:36 -07:00
Juliusz Sosinowicz 75ca54889c Implement AES-CTS in wolfCrypt 2025-04-09 12:11:08 +02:00
Sean Parkinson 663ca29a5d Split out tests: random, wolfmath, public key
Improved testing of random APIs.
wolfmath tests moved out.
Public key algorithm testing moved out: RSA, DSA, DH, ECC, SM2,
Curve25519, Ed25519, Curve448, Ed448, ML-DSA.
Signature API tests moved out.

Fix for OCSP testing to ensure RSA is available.

Added group names to API test cases.
Can select groups to run with --group <name>. --groups lists all known
group names.

Added option to stop API testing on first failure: --stopOnFail.
2025-03-17 09:32:00 +10:00
Sean Parkinson 48300352c6 Test api.c: split out MACs and ciphers 2025-02-27 15:52:39 +10:00