Top-level test extraction into typed sub-functions
- Digest tests (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,
SHA-512/224, SHA-512/256, SHA-3 224/256/384/512, SHAKE128/256): each
test category (KAT, large-hash, copy-cleanup, unaligned-memory,
interleave, copy-Sha3 heap-allocation pattern) is now its own static
wc_test_ret_t function rather than inline blocks inside one giant
top-level test.
- rsa_test: extracted rsa_pkcs1_test, rsa_cert_parse_test,
rsa_pub_key_decode_test, rsa_certreq_test.
- ecc_test: extracted ecc_test_all_curves, ecc_test_all_deterministic_k
from the dispatcher; ecc_encrypt_combos_test from ecc_encrypt_test;
ecc_buffers_encrypt_test, ecc_buffers_sign_verify_test,
ecc_buffers_pub_key_decode_test from ecc_test_buffers.
- dh_test: extracted dh_keyagree_test, dh_check_priv_key_test,
dh_agree_ct_test, dh_key_import_export_test, dh_set_check_key_test.
- Curve25519 / Ed25519 / Curve448 / Ed448: extracted KAT, key-agreement,
ASN, and rare-sig sub-tests from each top-level dispatcher.
- Cipher tests: extracted streaming sub-tests from aesofb_test,
aescfb_test, aes_cts_test (aes_cts_192/256_stream_test).
Coverage additions
- Added state-copy testing inside the SHA-3 KAT loops (matching the
existing pattern in SHA-1/224/256/etc. KAT loops).
- Added a SHA-224 large-hash test (parity with the other digest
families).
- Added copy-cleanup tests for SHA-512/224 and SHA-512/256.
- Added Unaligned memory access testing to all *_large_hash_test
functions (MD5, SHA-1/224/256/384, SHA3-224/256/384/512), matching the
pattern that previously only existed for SHA-512/224/256.
Adds resp_certid_keyhash_mismatch — a forged response signed by the
legitimate ocsp-responder whose CertID pairs the legitimate root CA's
issuerNameHash with the imposter root CA's issuerKeyHash. The new
test_ocsp_responder_keyhash_binding asserts wolfSSL_OCSP_basic_verify
rejects it, exercising the fix that requires both halves of the
CertID to match the responder's issuer.
- Use KEYID_SIZE for Signer key-hash comparisons since
Signer.{subject,issuer}KeyHash is sized KEYID_SIZE, not OCSP_DIGEST_SIZE.
- Rename subjectHash/issuerHash to subjectNameHash/issuerNameHash in
CheckOcspResponder/CheckOcspResponderChain to make the name-vs-key
hash distinction explicit.
- Expand the Signer.issuerKeyHash field comment to clarify it is the
subject key hash of the immediate issuer CA.
- Add an imposter-root-ca cert (same DN as root-ca, different RSA key)
for tests that need to exercise the new CertID issuerKeyHash binding.
Follow up to PR #10450 with some minor fixes:
* FIPS 205 numbering: slh_sign is §10.2.1 Alg 22; slh_verify is Alg 24;
hash_slh_verify is Alg 25 (impl comments and doxygen).
* Widen wc_SlhDsaKey_SignHashWithRandom's addRnd to const byte* to
match wc_SlhDsaKey_SignWithRandom.
* Make the SLHDSA_PHMSG_MAX_LEN invariant explicit with a named
SLHDSA_LARGEST_APPROVED_PHM_LEN constant and a wc_static_assert.
* SHAKE128/SHAKE256 round-trip and length-rejection coverage for both
SignHash and VerifyHash.
* Doxygen: briefs for the five DER encode/decode APIs; accurate
decoder failure-rollback wording; tighter return-code lists for
Verify and VerifyMsg.
* ChangeLog: silent-failure caveat for raw messages whose length
happens to equal the digest size of the chosen hashType.
On CHERI casting mp_int pointers to wc_ptr_t for the bitmask
arithmetic strips the hardware capability tag. The reconstructed
pointer won't have a valid tag and will cause a tag violation when it
is dereferenced.
Under __CHERI_PURE_CAPABILITY__, replace the pointer arithmetic with
four mp_cond_copy calls that operate on the digit data directly.
This preserves the capability tags and accesses both accumulators
unconditionally.
Non-CHERI builds retain the original wc_off_on_addr path unchanged.
Signed-off-by: William Beasley (The Capable Hub) <wbeasley@thegoodpenguin.co.uk>
CHERI pointers are capabilities and are larger than other platforms.
They also require 16-byte alignment.
Signed-off-by: William Beasley (The Capable Hub) <wbeasley@thegoodpenguin.co.uk>
The branchless code in casts sp_int pointers to size_t for bitmask
arithmetic, then casts the result back to sp_int*.
On CHERI, pointer-to-integer casts strip the hardware capability tag.
The reconstructed pointer is tagless and cannot be dereferenced,
causing a tag-violation fault.
Add _sp_cond_copy that uses the bitmask on the digit data itself rather
than the addresses, this avoids needed to do pointer arithmetic.
On non-CHERI targets the behaviour is the same.
Signed-off-by: William Beasley (The Capable Hub) <wbeasley@thegoodpenguin.co.uk>
Fixes F-3478
Add a fuzzing test for each cipher that modifies a random byte at a
random offset of an encrypted message and checks that the reading fails
with an appropriate return and error code.
Fuzzes both sides 5 times each for each cipher suite.
AVX2 not decompressing 5-bit values correctly.
AVX2 not comparing last 32 bytes of ciphertext.
Protect mlkemkey_get_k to only be compiled when make key is compiled in.
Octeon_AesGcm_SetAAD unconditionally ran XOR0/XORMUL1 on the partial-block
buffer after the main loop, which processed an extra all-zero block when
aadSz was a non-zero multiple of 16, corrupting the GCM tag. Guard the
trailing XOR/MUL with `if (remainder > 0)`.
Issue: F-3335
* fix typography of wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() (peer review).
* refactor overflow prevention in wc_PKCS12_PBKDF_ex() to use WC_SAFE_SUM_UNSIGNED().
wolfcrypt/test/test.c: in pwdbased_test(), omit "INT_MAX MAC iterations" test if WOLFSSL_NO_MALLOC (uses wc_PKCS12_new_ex()).
* add correct gating around pbkdf1_test(), pkcs12_pbkdf_test(), and scrypt_test() prototypes;
* add unit tests for wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() in pbkdf2_test();
* fix pkcs12_test() to skip the evilPkcs12 test if evil_p12 can't be parsed for any reason, mirroring the new stanza around evil_p12 in pwdbased_test().