Fix hash copy semantics and add tests

Author: JeremiahM37

scripts/build_ffi.py

@@ -575,6 +575,7 @@ def build_ffi(local_wolfssl, features):
         int wc_ShaUpdate(wc_Sha*, const byte*, word32);
         int wc_ShaFinal(wc_Sha*, byte*);
         void wc_ShaFree(wc_Sha*);
+        int wc_ShaCopy(wc_Sha*, wc_Sha*);
         """
 
     if features["SHA256"]:
@@ -584,6 +585,7 @@ def build_ffi(local_wolfssl, features):
         int wc_Sha256Update(wc_Sha256*, const byte*, word32);
         int wc_Sha256Final(wc_Sha256*, byte*);
         void wc_Sha256Free(wc_Sha256*);
+        int wc_Sha256Copy(wc_Sha256*, wc_Sha256*);
         """
 
     if features["SHA384"]:
@@ -593,6 +595,7 @@ def build_ffi(local_wolfssl, features):
         int wc_Sha384Update(wc_Sha384*, const byte*, word32);
         int wc_Sha384Final(wc_Sha384*, byte*);
         void wc_Sha384Free(wc_Sha384*);
+        int wc_Sha384Copy(wc_Sha384*, wc_Sha384*);
         """
 
     if features["SHA512"]:
@@ -603,6 +606,7 @@ def build_ffi(local_wolfssl, features):
         int wc_Sha512Update(wc_Sha512*, const byte*, word32);
         int wc_Sha512Final(wc_Sha512*, byte*);
         void wc_Sha512Free(wc_Sha512*);
+        int wc_Sha512Copy(wc_Sha512*, wc_Sha512*);
         """
     if features["SHA3"]:
         cdef += """
@@ -623,6 +627,10 @@ def build_ffi(local_wolfssl, features):
         void wc_Sha3_256_Free(wc_Sha3*);
         void wc_Sha3_384_Free(wc_Sha3*);
         void wc_Sha3_512_Free(wc_Sha3*);
+        int wc_Sha3_224_Copy(wc_Sha3*, wc_Sha3*);
+        int wc_Sha3_256_Copy(wc_Sha3*, wc_Sha3*);
+        int wc_Sha3_384_Copy(wc_Sha3*, wc_Sha3*);
+        int wc_Sha3_512_Copy(wc_Sha3*, wc_Sha3*);
         """
 
     if features["DES3"]:

tests/test_aesgcmstream.py

@@ -135,3 +135,13 @@ def test_invalid_tag_bytes():
         # valid edge cases
         AesGcmStream(key, iv, tag_bytes=4)
         AesGcmStream(key, iv, tag_bytes=16)
+
+    def test_repeated_construction_destruction():
+        import gc
+        key = "fedcba9876543210"
+        iv = "0123456789abcdef"
+        for _ in range(1000):
+            gcm = AesGcmStream(key, iv)
+            gcm.encrypt("hello world")
+            del gcm
+        gc.collect()

tests/test_ciphers.py

@@ -898,3 +898,15 @@ def test_chacha_non_block_aligned():
     def test_chacha_invalid_key_length():
         with pytest.raises(ValueError, match="key must be"):
             ChaCha(b"\x00" * 20)
+
+
+if _lib.RSA_ENABLED:
+    def test_encrypt_oaep_requires_hash_type(vectors):
+        rsa = RsaPublic(vectors[RsaPublic].key)
+        with pytest.raises(WolfCryptError, match="Hash type not set"):
+            rsa.encrypt_oaep(b"plaintext")
+
+    def test_decrypt_oaep_requires_hash_type(vectors):
+        rsa = RsaPrivate(vectors[RsaPrivate].key)
+        with pytest.raises(WolfCryptError, match="Hash type not set"):
+            rsa.decrypt_oaep(b"\x00" * rsa.output_size)

wolfcrypt/ciphers.py

@@ -396,9 +396,6 @@ class AesGcmStream(object):
         block_size = 16
         _key_sizes = [16, 24, 32]
         _native_type = "Aes *"
-        _aad = bytes()
-        _tag_bytes = 16
-        _mode = None
 
         def __init__(self, key, IV, tag_bytes=16):
             """
@@ -408,20 +405,25 @@ def __init__(self, key, IV, tag_bytes=16):
             IV = t2b(IV)
             if tag_bytes < 4 or tag_bytes > 16:
                 raise ValueError("tag_bytes must be between 4 and 16")
+            # Per-instance state: AAD, tag length, and current mode (enc/dec).
+            self._aad = bytes()
             self._tag_bytes = tag_bytes
+            self._mode = None
             if len(key) not in self._key_sizes:
                 raise ValueError("key must be %s in length, not %d" %
                                  (self._key_sizes, len(key)))
+            self._init_done = False
             self._native_object = _ffi.new(self._native_type)
             ret = _lib.wc_AesInit(self._native_object, _ffi.NULL, -2)
             if ret < 0:
                 raise WolfCryptError("AES init error (%d)" % ret)
+            self._init_done = True
             ret = _lib.wc_AesGcmInit(self._native_object, key, len(key), IV, len(IV))
             if ret < 0:
                 raise WolfCryptError("Init error (%d)" % ret)
 
         def __del__(self):
-            if hasattr(self, '_native_object'):
+            if getattr(self, '_init_done', False):
                 _lib.wc_AesFree(self._native_object)
 
         def set_aad(self, data):
@@ -446,11 +448,11 @@ def encrypt(self, data):
                 aad = self._aad
             elif self._mode == _DECRYPTION:
                 raise WolfCryptError("Class instance already in use for decryption")
-            self._buf = _ffi.new("byte[%d]" % (len(data)))
-            ret = _lib.wc_AesGcmEncryptUpdate(self._native_object, self._buf, data, len(data), aad, len(aad))
+            buf = _ffi.new("byte[%d]" % (len(data)))
+            ret = _lib.wc_AesGcmEncryptUpdate(self._native_object, buf, data, len(data), aad, len(aad))
             if ret < 0:
                 raise WolfCryptError("Encryption error (%d)" % ret)
-            return bytes(self._buf)
+            return bytes(buf)
 
         def decrypt(self, data):
             """
@@ -463,11 +465,11 @@ def decrypt(self, data):
                 aad = self._aad
             elif self._mode == _ENCRYPTION:
                 raise WolfCryptError("Class instance already in use for encryption")
-            self._buf = _ffi.new("byte[%d]" % (len(data)))
-            ret = _lib.wc_AesGcmDecryptUpdate(self._native_object, self._buf, data, len(data), aad, len(aad))
+            buf = _ffi.new("byte[%d]" % (len(data)))
+            ret = _lib.wc_AesGcmDecryptUpdate(self._native_object, buf, data, len(data), aad, len(aad))
             if ret < 0:
                 raise WolfCryptError("Decryption error (%d)" % ret)
-            return bytes(self._buf)
+            return bytes(buf)
 
         def final(self, authTag=None):
             """
@@ -505,7 +507,9 @@ class ChaCha(_Cipher):
         _IV_nonce = b""
         _IV_counter = 0
 
-        def __init__(self, key="", size=32):
+        def __init__(self, key="", size=32):  # pylint: disable=unused-argument
+            # size is kept for backwards compatibility; key length is now
+            # derived from the actual key and validated against _key_sizes.
             self._native_object = _ffi.new(self._native_type)
             self._enc = None
             self._dec = None

wolfcrypt/hashes.py

@@ -56,11 +56,26 @@ def copy(self):
         Returns a separate copy of this hashing object. An update
         to this copy won't affect the original object.
         """
-        copy = self.new("")
-
-        _ffi.memmove(copy._native_object,  # pylint: disable=protected-access
-                     self._native_object,
-                     self._native_size)
+        # Bypass __init__ to avoid calling _init() on a state that _copy
+        # immediately overwrites (which would leak internal resources in
+        # async/HW-accelerated builds). Mark as shallow up front so __del__
+        # skips the free if we bail out before the copy completes.
+        copy = type(self).__new__(type(self))
+        copy._shallow_copy = True  # pylint: disable=protected-access
+        copy._native_object = _ffi.new(self._native_type)  # pylint: disable=protected-access
+
+        if hasattr(self, '_copy'):
+            ret = self._copy(self._native_object,
+                             copy._native_object)  # pylint: disable=protected-access
+            if ret < 0:  # pragma: no cover
+                raise WolfCryptError("Hash copy error (%d)" % ret)
+            copy._shallow_copy = False  # pylint: disable=protected-access
+        else:
+            _ffi.memmove(copy._native_object,  # pylint: disable=protected-access
+                         self._native_object,
+                         self._native_size)
+            # Keep _shallow_copy = True: memmove shares internal state with
+            # self, so __del__ must not free it separately.
 
         return copy
 
@@ -87,12 +102,26 @@ def digest(self):
 
         if self._native_object:
             obj = _ffi.new(self._native_type)
-
-            _ffi.memmove(obj, self._native_object, self._native_size)
-
-            ret = self._final(obj, result)
-            if ret < 0:  # pragma: no cover
-                raise WolfCryptError("Hash finalize error (%d)" % ret)
+            used_deep_copy = hasattr(self, '_copy')
+
+            if used_deep_copy:
+                ret = self._copy(self._native_object, obj)
+                if ret < 0:  # pragma: no cover
+                    raise WolfCryptError("Hash copy error (%d)" % ret)
+            else:
+                _ffi.memmove(obj, self._native_object, self._native_size)
+
+            try:
+                ret = self._final(obj, result)
+                if ret < 0:  # pragma: no cover
+                    raise WolfCryptError("Hash finalize error (%d)" % ret)
+            finally:
+                # Only free when we did a deep copy; memmove'd temps share
+                # internal resources with self and must not be separately freed.
+                if used_deep_copy:
+                    delete = getattr(self, '_delete', None)
+                    if delete:
+                        delete(obj)
 
         return _ffi.buffer(result, self.digest_size)[:]
 
@@ -117,9 +146,11 @@ class Sha(_Hash):
         _native_type = "wc_Sha *"
         _native_size = _ffi.sizeof("wc_Sha")
         _delete = _lib.wc_ShaFree
+        _copy = _lib.wc_ShaCopy
 
         def __del__(self):
-            self._delete(self._native_object)
+            if hasattr(self, '_native_object') and not getattr(self, '_shallow_copy', False):
+                self._delete(self._native_object)
 
         def _init(self):
             return _lib.wc_InitSha(self._native_object)
@@ -143,9 +174,11 @@ class Sha256(_Hash):
         _native_type = "wc_Sha256 *"
         _native_size = _ffi.sizeof("wc_Sha256")
         _delete = _lib.wc_Sha256Free
+        _copy = _lib.wc_Sha256Copy
 
         def __del__(self):
-            self._delete(self._native_object)
+            if hasattr(self, '_native_object') and not getattr(self, '_shallow_copy', False):
+                self._delete(self._native_object)
 
         def _init(self):
             return _lib.wc_InitSha256(self._native_object)
@@ -169,9 +202,11 @@ class Sha384(_Hash):
         _native_type = "wc_Sha384 *"
         _native_size = _ffi.sizeof("wc_Sha384")
         _delete = _lib.wc_Sha384Free
+        _copy = _lib.wc_Sha384Copy
 
         def __del__(self):
-            self._delete(self._native_object)
+            if hasattr(self, '_native_object') and not getattr(self, '_shallow_copy', False):
+                self._delete(self._native_object)
 
         def _init(self):
             return _lib.wc_InitSha384(self._native_object)
@@ -195,9 +230,11 @@ class Sha512(_Hash):
         _native_type = "wc_Sha512 *"
         _native_size = _ffi.sizeof("wc_Sha512")
         _delete = _lib.wc_Sha512Free
+        _copy = _lib.wc_Sha512Copy
 
         def __del__(self):
-            self._delete(self._native_object)
+            if hasattr(self, '_native_object') and not getattr(self, '_shallow_copy', False):
+                self._delete(self._native_object)
 
         def _init(self):
             return _lib.wc_InitSha512(self._native_object)
@@ -232,14 +269,27 @@ class Sha3(_Hash):
             64: _lib.wc_Sha3_512_Free,
         }
 
+        _SHA3_COPY = {
+            28: _lib.wc_Sha3_224_Copy,
+            32: _lib.wc_Sha3_256_Copy,
+            48: _lib.wc_Sha3_384_Copy,
+            64: _lib.wc_Sha3_512_Copy,
+        }
+
         def __del__(self):
-            if hasattr(self, '_delete'):
+            # Unlike the SHA-1/2 classes, Sha3's _delete is set per-instance
+            # from a size->function dict and is None for invalid sizes, so
+            # we need the extra truthiness check.
+            if (hasattr(self, '_native_object')
+                    and not getattr(self, '_shallow_copy', False)
+                    and getattr(self, '_delete', None)):
                 self._delete(self._native_object)
 
         def __init__(self, string=None, size=SHA3_384_DIGEST_SIZE):  # pylint: disable=W0231
             self._native_object = _ffi.new(self._native_type)
             self.digest_size = size
             self._delete = self._SHA3_FREE.get(size)
+            self._copy = self._SHA3_COPY.get(size)
             ret = self._init()
             if ret < 0:  # pragma: no cover
                 raise WolfCryptError("Sha3 init error (%d)" % ret)
@@ -251,8 +301,24 @@ def new(cls, string=None, size=SHA3_384_DIGEST_SIZE):
             return cls(string, size)
 
         def copy(self):
-            c = Sha3(size=self.digest_size)
-            _ffi.memmove(c._native_object, self._native_object, self._native_size)
+            # Bypass __init__ to avoid calling _init() on a state that _copy
+            # immediately overwrites (which would leak internal resources in
+            # async/HW-accelerated builds). Mark as shallow up front so
+            # __del__ skips the free if we bail out before the copy completes.
+            c = type(self).__new__(type(self))
+            c._shallow_copy = True
+            c._native_object = _ffi.new(self._native_type)
+            c.digest_size = self.digest_size
+            c._delete = self._delete
+            c._copy = self._copy
+            if self._copy:
+                ret = self._copy(self._native_object, c._native_object)
+                if ret < 0:  # pragma: no cover
+                    raise WolfCryptError("Hash copy error (%d)" % ret)
+                c._shallow_copy = False
+            else:
+                _ffi.memmove(c._native_object, self._native_object, self._native_size)
+                # Keep _shallow_copy = True: memmove shares state with self.
             return c
 
         def _init(self):
@@ -309,14 +375,23 @@ class _Hmac(_Hash):
         """
         A **PEP 247: Cryptographic Hash Functions** compliant
         **Keyed Hash Function Interface**.
+
+        Note: wolfSSL does not provide a `wc_HmacCopy` equivalent, so
+        `copy()` falls back to a byte-level memmove. In default builds the
+        Hmac struct is self-contained and this is safe. In async or
+        hardware-accelerated builds where the struct contains internal
+        pointers, the copy shares those pointers with the original; the
+        copy must not outlive the original or be used after the original
+        is freed.
         """
         digest_size = None
         _native_type = "Hmac *"
         _native_size = _ffi.sizeof("Hmac")
         _delete = _lib.wc_HmacFree
 
         def __del__(self):
-            self._delete(self._native_object)
+            if hasattr(self, '_native_object') and not getattr(self, '_shallow_copy', False):
+                self._delete(self._native_object)
 
         def __init__(self, key, string=None):  # pylint: disable=W0231
             key = t2b(key)