sp_set_bit(): check i is in range before use.
_sp_div_2(): Use a constant-time clamp as called by a constant-time
function.
_sp_sqr(): static buffer needs to be one larger for when ECC with P-521
is the largest size.
Add tests:
- Testing negative numbers with mp_read_raidx/mp_to_radix 10/16
- Testing negative numbers with mp_add_d/mp_sub_d
- Testing of mp_gcd without mp_lcm
- More testing of mp_mod_d and when negative numbers are used
- Check maximum values work for square. Check of _sp_sqr() bug
- Add testing of mp_add/sub_mod_ct
- Add testing of mp_cmp_mag
- Add testing of mp_mulmod/mp_sqrmod
- Add testing of mp_exch
- Add testing of mp_to_unsigned_bin_len_ct
- Add testing of mp_exptmod that uses base-2 windowing method.
- Add testing of mp_invmod_mont_ct
Modes (CTR, GCM, CCM, etc.) can be supported either directly or fallback
to invoking the crypto callback with a "direct" (ECB) mode.
Software implementation and AES tables are stripped under CB_ONLY_AES.
wc_swdev gains AES support so WOLF_CRYPTO_CB_ONLY_AES builds can be
tested.
crypto find cb support added to wc_AesSetKey in order to support current
CI tests that use INVALID_DEVID.
Add WOLF_CRYPTO_CB_ONLY_SHA256: when set, the SHA-256 software.
wc_Sha256FinalRaw is reduced to a stub returning NO_VALID_DEVID, and
sha256.h force-defines WOLFSSL_NO_HASH_RAW so the constant-time TLS HMAC
path falls back to its backend-opaque variant.
Incompatible with
WOLFSSL_SHA224, which aliases the SHA-256 statics; #error guard added.
Add wc_swdev support for SHA-256 for testing.
Extend the swdev callback to handle ECC operations: keygen, ECDH, sign,
verify, get-size, get-sig-size.
Relax WOLF_CRYPTO_CB_ONLY_ECC guards in the test suite so that tests run
under swdev, and wire wc_SwDev_Init/Cleanup into testsuite, client, and
server. Two tests are intentionally kept excluded even with swdev because
they call raw ECC math primitives (wc_ecc_mulmod, on-curve validation in
wc_ecc_import_x963) that are stripped below the cryptocb dispatch layer:
- ecc_mulmod_test (wolfcrypt/test/test.c)
- test_wc_ecc_import_x963_off_curve (tests/api/test_ecc.c)
Add a software crypto-callback device (wc_swdev) that lets the wolfcrypt
test suite run under WOLF_CRYPTO_CB_ONLY_* flags without per-test devId
plumbing. The bundle is a separately-compiled second copy of wolfcrypt
(software implementations enabled, WOLF_CRYPTO_CB_ONLY_* stripped) linked
into testwolfcrypt as a single relocatable object; every symbol is demoted
to local via objcopy --keep-global-symbol except wc_SwDev_Callback, so there
is no collision with the main libwolfssl.
A find callback routes unbound operations (devId == INVALID_DEVID) to the
swdev while letting real device IDs pass through.
wc_SwDev_Init / wc_SwDev_Cleanup hooks are wired into wolfcrypt/test/test.c.
cryptocb_test's WOLF_CRYPTO_CB_FIND and WOLF_CRYPTO_CB_ONLY_RSA blocks are
gated off under WOLFSSL_SWDEV.
Enable via --enable-swdev (requires --enable-cryptocb).
* in pbkdf2_test(), pwdbased_test(), and pkcs12_test(), add missing FIPS v7+
gates around stanzas that use wc_PBKDF_max_iterations_set() and
wc_PBKDF_max_iterations_get() or depend on erroring for excessive PBKDF
iterations (fixes#10050);
* in ecc_test_buffers(), omit new corrupt HMAC tag test on FIPS <v6 (fixes
8f2a3f9563).
tests/api/test_dtls.c: add FIPS v7+ gate to test_dtls13_frag_ch2_with_ch1_rtx().
wolfssl/wolfcrypt/memory.h: #include "../../linuxkm/linuxkm_memory.h" rather than "linuxkm/linuxkm_memory.h", following pattern in wc_port.h.
Top-level test extraction into typed sub-functions
- Digest tests (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,
SHA-512/224, SHA-512/256, SHA-3 224/256/384/512, SHAKE128/256): each
test category (KAT, large-hash, copy-cleanup, unaligned-memory,
interleave, copy-Sha3 heap-allocation pattern) is now its own static
wc_test_ret_t function rather than inline blocks inside one giant
top-level test.
- rsa_test: extracted rsa_pkcs1_test, rsa_cert_parse_test,
rsa_pub_key_decode_test, rsa_certreq_test.
- ecc_test: extracted ecc_test_all_curves, ecc_test_all_deterministic_k
from the dispatcher; ecc_encrypt_combos_test from ecc_encrypt_test;
ecc_buffers_encrypt_test, ecc_buffers_sign_verify_test,
ecc_buffers_pub_key_decode_test from ecc_test_buffers.
- dh_test: extracted dh_keyagree_test, dh_check_priv_key_test,
dh_agree_ct_test, dh_key_import_export_test, dh_set_check_key_test.
- Curve25519 / Ed25519 / Curve448 / Ed448: extracted KAT, key-agreement,
ASN, and rare-sig sub-tests from each top-level dispatcher.
- Cipher tests: extracted streaming sub-tests from aesofb_test,
aescfb_test, aes_cts_test (aes_cts_192/256_stream_test).
Coverage additions
- Added state-copy testing inside the SHA-3 KAT loops (matching the
existing pattern in SHA-1/224/256/etc. KAT loops).
- Added a SHA-224 large-hash test (parity with the other digest
families).
- Added copy-cleanup tests for SHA-512/224 and SHA-512/256.
- Added Unaligned memory access testing to all *_large_hash_test
functions (MD5, SHA-1/224/256/384, SHA3-224/256/384/512), matching the
pattern that previously only existed for SHA-512/224/256.
* fix typography of wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() (peer review).
* refactor overflow prevention in wc_PKCS12_PBKDF_ex() to use WC_SAFE_SUM_UNSIGNED().
wolfcrypt/test/test.c: in pwdbased_test(), omit "INT_MAX MAC iterations" test if WOLFSSL_NO_MALLOC (uses wc_PKCS12_new_ex()).
* add correct gating around pbkdf1_test(), pkcs12_pbkdf_test(), and scrypt_test() prototypes;
* add unit tests for wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() in pbkdf2_test();
* fix pkcs12_test() to skip the evilPkcs12 test if evil_p12 can't be parsed for any reason, mirroring the new stanza around evil_p12 in pwdbased_test().
wc_SlhDsaKey_{Sign,Verify}Hash* previously accepted the raw message and
performed the pre-hash internally. They now require the caller to hash the
message first and pass the resulting digest -- the functions no longer call
wc_*Hash() themselves and feed the supplied digest directly into the M'
construction. Parameters are renamed from msg/msgSz to hash/hashSz to reflect
this, and hashSz is validated against wc_HashGetDigestSize(hashType) per
FIPS 205 Section 10.2.2 (32 for SHAKE128, 64 for SHAKE256), returning
BAD_LENGTH_E on mismatch.
This matches ML-DSA's wc_dilithium_{sign,verify}_ctx_hash, NIST ACVP
signatureInterface=external / preHash=preHash vectors, and other libraries
(OpenSSL HASH-ML-DSA, leancrypto, mldsa-native). It also enables distributed
signers and HSM-style flows where the digest is computed separately from the
signing operation.
Migration: callers must now hash the message before invoking these APIs;
passing the raw message will either fail length validation or produce
signatures over the wrong input. The M'-supplied wc_SlhDsaKey_SignMsg* /
VerifyMsg family (FIPS 205 internal interface, Algorithms 19/20) is
unchanged but gains stricter input validation and doxygen coverage.
- Reduce long keys in a separate state rather than reusing the state used
for the HMAC inner hash.
- Pad the rest of the buffer with zeros as required by the spec.
- Add regression tests