wolfSSL
diff --git a/‎src/wp_ecx_kmgmt.c‎
Lines changed: 9 additions & 0 deletions b/‎src/wp_ecx_kmgmt.c‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/wp_seed_src.c‎
Lines changed: 1 addition & 3 deletions b/‎src/wp_seed_src.c‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎test/test_aestag.c‎
Lines changed: 245 additions & 0 deletions b/‎test/test_aestag.c‎
Lines changed: 245 additions & 0 deletions
@@ -560,6 +560,15 @@ static int wp_ecx_get_params_priv_key(wp_Ecx* ecx, OSSL_PARAM params[])
                 WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_LEVEL_DEBUG, "exportPriv", rc);
                 ok = 0;
             }
+            if (ok && ecx->clamped) {
+                if ((outLen < 2) || (p->data_size < outLen)) {
+                    ok = 0;
+                }
+                else {
+                    ((unsigned char*)p->data)[0         ] = ecx->unclamped[0];
+                    ((unsigned char*)p->data)[outLen - 1] = ecx->unclamped[1];
+                }
+            }
         }
         p->return_size = outLen;
     }
 
@@ -689,10 +689,8 @@ static size_t wp_seed_src_get_seed(wp_SeedSrcCtx* ctx, unsigned char** pSeed,
 static void wp_seed_src_clear_seed(wp_SeedSrcCtx* ctx, unsigned char* seed,
     size_t seedLen)
 {
+    (void)ctx;
     OPENSSL_secure_clear_free(seed, seedLen);
-    if (ctx != NULL) {
-        ctx->state = EVP_RAND_STATE_UNINITIALISED;
-    }
 }
 
 /**
 
@@ -1304,6 +1304,115 @@ int test_aes128_gcm_key_then_iv(void *data)
         PRINT_MSG("GCM key-then-iv with wolfProvider");
         err = test_gcm_key_then_iv_helper(wpLibCtx);
     }
+
+    return err;
+}
+
+/*
+ * GCM streaming decryption with a tampered authentication tag.
+ * Verifies that DecryptFinal correctly rejects a forged tag.
+ */
+static int test_aes_gcm_bad_tag_helper(OSSL_LIB_CTX *libCtx,
+    const char *cipherName, int keyLen)
+{
+    int err = 0;
+    EVP_CIPHER *cipher = NULL;
+    EVP_CIPHER_CTX *ctx = NULL;
+    unsigned char key[32];
+    unsigned char iv[12];
+    unsigned char aad[] = "additional data";
+    unsigned char pt[] = "GCM plaintext for tag test";
+    int ptLen = (int)(sizeof(pt) - 1);
+    unsigned char ct[64];
+    unsigned char tag[16];
+    unsigned char dec[64];
+    int outLen = 0, fLen = 0;
+
+    memset(key, 0xAA, keyLen);
+    memset(iv, 0xBB, sizeof(iv));
+
+    cipher = EVP_CIPHER_fetch(libCtx, cipherName, "");
+    if (cipher == NULL) {
+        err = 1;
+    }
+
+    /* Encrypt */
+    if (err == 0) {
+        ctx = EVP_CIPHER_CTX_new();
+        if (ctx == NULL)
+            err = 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptUpdate(ctx, NULL, &outLen, aad,
+                                (int)(sizeof(aad) - 1)) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptUpdate(ctx, ct, &outLen, pt, ptLen) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptFinal_ex(ctx, ct + outLen, &fLen) != 1;
+        outLen += fLen;
+    }
+    if (err == 0) {
+        err = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, tag) != 1;
+    }
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = NULL;
+
+    /* Tamper with the tag */
+    if (err == 0) {
+        tag[0] ^= 0x01;
+    }
+
+    /* Decrypt with tampered tag -- must fail at DecryptFinal */
+    if (err == 0) {
+        ctx = EVP_CIPHER_CTX_new();
+        if (ctx == NULL)
+            err = 1;
+    }
+    if (err == 0) {
+        err = EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv) != 1;
+    }
+    if (err == 0) {
+        err = EVP_DecryptUpdate(ctx, NULL, &fLen, aad,
+                                (int)(sizeof(aad) - 1)) != 1;
+    }
+    if (err == 0) {
+        err = EVP_DecryptUpdate(ctx, dec, &fLen, ct, outLen) != 1;
+    }
+    if (err == 0) {
+        err = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, tag) != 1;
+    }
+    if (err == 0) {
+        int ret = EVP_DecryptFinal_ex(ctx, dec + fLen, &fLen);
+        if (ret == 1) {
+            PRINT_ERR_MSG("%s bad-tag: DecryptFinal should have failed",
+                          cipherName);
+            err = 1;
+        }
+    }
+
+    EVP_CIPHER_CTX_free(ctx);
+    EVP_CIPHER_free(cipher);
+    return err;
+}
+
+int test_aes_gcm_bad_tag(void *data)
+{
+    int err = 0;
+
+    (void)data;
+
+    PRINT_MSG("AES-128-GCM streaming decryption with tampered tag");
+    err = test_aes_gcm_bad_tag_helper(wpLibCtx, "AES-128-GCM", 16);
+    if (err == 0) {
+        PRINT_MSG("AES-256-GCM streaming decryption with tampered tag");
+        err = test_aes_gcm_bad_tag_helper(wpLibCtx, "AES-256-GCM", 32);
+    }
+
     return err;
 }
 
@@ -1356,5 +1465,141 @@ int test_aes128_ccm_tls(void *data)
                             EVP_CCM_TLS_FIXED_IV_LEN, 1);
 }
 
+/******************************************************************************/
+
+/*
+ * CCM streaming decryption with a tampered authentication tag.
+ * Verifies that DecryptFinal correctly rejects a forged tag.
+ */
+static int test_aes_ccm_bad_tag_helper(OSSL_LIB_CTX *libCtx,
+    const char *cipherName, int keyLen)
+{
+    int err = 0;
+    EVP_CIPHER *cipher = NULL;
+    EVP_CIPHER_CTX *ctx = NULL;
+    unsigned char key[32];
+    unsigned char iv[13];
+    unsigned char aad[] = "additional data";
+    unsigned char pt[] = "CCM plaintext for tag test";
+    int ptLen = (int)(sizeof(pt) - 1);
+    unsigned char ct[64];
+    unsigned char tag[16];
+    unsigned char dec[64];
+    int outLen = 0, fLen = 0;
+
+    memset(key, 0xAA, keyLen);
+    memset(iv, 0xBB, sizeof(iv));
+
+    cipher = EVP_CIPHER_fetch(libCtx, cipherName, "");
+    if (cipher == NULL) {
+        err = 1;
+    }
+
+    /* Encrypt */
+    if (err == 0) {
+        ctx = EVP_CIPHER_CTX_new();
+        if (ctx == NULL)
+            err = 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptInit(ctx, cipher, NULL, NULL) != 1;
+    }
+    if (err == 0) {
+        err = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN,
+                                  (int)sizeof(iv), NULL) != 1;
+    }
+    if (err == 0) {
+        err = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, NULL) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptInit(ctx, NULL, key, iv) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptUpdate(ctx, NULL, &outLen, NULL, ptLen) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptUpdate(ctx, NULL, &outLen, aad,
+                                (int)(sizeof(aad) - 1)) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptUpdate(ctx, ct, &outLen, pt, ptLen) != 1;
+    }
+    if (err == 0) {
+        err = EVP_EncryptFinal_ex(ctx, ct + outLen, &fLen) != 1;
+        outLen += fLen;
+    }
+    if (err == 0) {
+        err = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, tag) != 1;
+    }
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = NULL;
+
+    /* Tamper with the tag */
+    if (err == 0) {
+        tag[0] ^= 0x01;
+    }
+
+    /* Decrypt with tampered tag -- must fail */
+    if (err == 0) {
+        ctx = EVP_CIPHER_CTX_new();
+        if (ctx == NULL)
+            err = 1;
+    }
+    if (err == 0) {
+        err = EVP_DecryptInit(ctx, cipher, NULL, NULL) != 1;
+    }
+    if (err == 0) {
+        err = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN,
+                                  (int)sizeof(iv), NULL) != 1;
+    }
+    if (err == 0) {
+        err = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, tag) != 1;
+    }
+    if (err == 0) {
+        err = EVP_DecryptInit(ctx, NULL, key, iv) != 1;
+    }
+    if (err == 0) {
+        err = EVP_DecryptUpdate(ctx, NULL, &fLen, NULL, outLen) != 1;
+    }
+    if (err == 0) {
+        err = EVP_DecryptUpdate(ctx, NULL, &fLen, aad,
+                                (int)(sizeof(aad) - 1)) != 1;
+    }
+    if (err == 0) {
+        /* CCM DecryptUpdate should fail with bad tag */
+        int ret = EVP_DecryptUpdate(ctx, dec, &fLen, ct, outLen);
+        if (ret == 1) {
+            /* If Update succeeded, Final must fail */
+            ret = EVP_DecryptFinal_ex(ctx, dec + fLen, &fLen);
+            if (ret == 1) {
+                PRINT_ERR_MSG("%s bad-tag: decryption should have failed",
+                              cipherName);
+                err = 1;
+            }
+        }
+        /* else: Update failed, which is also correct for CCM bad tag */
+    }
+
+    EVP_CIPHER_CTX_free(ctx);
+    EVP_CIPHER_free(cipher);
+    return err;
+}
+
+int test_aes_ccm_bad_tag(void *data)
+{
+    int err = 0;
+
+    (void)data;
+
+    PRINT_MSG("AES-128-CCM streaming decryption with tampered tag");
+    err = test_aes_ccm_bad_tag_helper(wpLibCtx, "AES-128-CCM", 16);
+    if (err == 0) {
+        PRINT_MSG("AES-256-CCM streaming decryption with tampered tag");
+        err = test_aes_ccm_bad_tag_helper(wpLibCtx, "AES-256-CCM", 32);
+    }
+
+    return err;
+}
+
 #endif /* WP_HAVE_AESCCM */
Original file line number	Diff line number	Diff line change
`@@ -560,6 +560,15 @@ static int wp_ecx_get_params_priv_key(wp_Ecx* ecx, OSSL_PARAM params[])`
`560`	`560`	`WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_LEVEL_DEBUG, "exportPriv", rc);`
`561`	`561`	`ok = 0;`
`562`	`562`	`}`
	`563`	`+ if (ok && ecx->clamped) {`
	`564`	`+ if ((outLen < 2) \|\| (p->data_size < outLen)) {`
	`565`	`+ ok = 0;`
	`566`	`+ }`
	`567`	`+ else {`
	`568`	`+ ((unsigned char*)p->data)[0 ] = ecx->unclamped[0];`
	`569`	`+ ((unsigned char*)p->data)[outLen - 1] = ecx->unclamped[1];`
	`570`	`+ }`
	`571`	`+ }`
`563`	`572`	`}`
`564`	`573`	`p->return_size = outLen;`
`565`	`574`	`}`
Original file line number	Diff line number	Diff line change
`@@ -689,10 +689,8 @@ static size_t wp_seed_src_get_seed(wp_SeedSrcCtx* ctx, unsigned char** pSeed,`
`689`	`689`	`static void wp_seed_src_clear_seed(wp_SeedSrcCtx* ctx, unsigned char* seed,`
`690`	`690`	`size_t seedLen)`
`691`	`691`	`{`
	`692`	`+ (void)ctx;`
`692`	`693`	`OPENSSL_secure_clear_free(seed, seedLen);`
`693`		`- if (ctx != NULL) {`
`694`		`- ctx->state = EVP_RAND_STATE_UNINITIALISED;`
`695`		`- }`
`696`	`694`	`}`
`697`	`695`
`698`	`696`	`/**`