Fix hash copy semantics and add tests

Author: JeremiahM37

scripts/build_ffi.py

@@ -575,6 +575,7 @@ def build_ffi(local_wolfssl, features):
         int wc_ShaUpdate(wc_Sha*, const byte*, word32);
         int wc_ShaFinal(wc_Sha*, byte*);
         void wc_ShaFree(wc_Sha*);
+        int wc_ShaCopy(wc_Sha*, wc_Sha*);
         """
 
     if features["SHA256"]:
@@ -584,6 +585,7 @@ def build_ffi(local_wolfssl, features):
         int wc_Sha256Update(wc_Sha256*, const byte*, word32);
         int wc_Sha256Final(wc_Sha256*, byte*);
         void wc_Sha256Free(wc_Sha256*);
+        int wc_Sha256Copy(wc_Sha256*, wc_Sha256*);
         """
 
     if features["SHA384"]:
@@ -593,6 +595,7 @@ def build_ffi(local_wolfssl, features):
         int wc_Sha384Update(wc_Sha384*, const byte*, word32);
         int wc_Sha384Final(wc_Sha384*, byte*);
         void wc_Sha384Free(wc_Sha384*);
+        int wc_Sha384Copy(wc_Sha384*, wc_Sha384*);
         """
 
     if features["SHA512"]:
@@ -603,6 +606,7 @@ def build_ffi(local_wolfssl, features):
         int wc_Sha512Update(wc_Sha512*, const byte*, word32);
         int wc_Sha512Final(wc_Sha512*, byte*);
         void wc_Sha512Free(wc_Sha512*);
+        int wc_Sha512Copy(wc_Sha512*, wc_Sha512*);
         """
     if features["SHA3"]:
         cdef += """
@@ -623,6 +627,10 @@ def build_ffi(local_wolfssl, features):
         void wc_Sha3_256_Free(wc_Sha3*);
         void wc_Sha3_384_Free(wc_Sha3*);
         void wc_Sha3_512_Free(wc_Sha3*);
+        int wc_Sha3_224_Copy(wc_Sha3*, wc_Sha3*);
+        int wc_Sha3_256_Copy(wc_Sha3*, wc_Sha3*);
+        int wc_Sha3_384_Copy(wc_Sha3*, wc_Sha3*);
+        int wc_Sha3_512_Copy(wc_Sha3*, wc_Sha3*);
         """
 
     if features["DES3"]:

tests/test_aesgcmstream.py

@@ -126,12 +126,30 @@ def test_encrypt_aad_bad():
     def test_invalid_tag_bytes():
         key = "fedcba9876543210"
         iv = "0123456789abcdef"
-        with pytest.raises(ValueError, match="tag_bytes must be between 4 and 16"):
+        # Out of range
+        with pytest.raises(ValueError, match="tag_bytes must be one of"):
             AesGcmStream(key, iv, tag_bytes=0)
-        with pytest.raises(ValueError, match="tag_bytes must be between 4 and 16"):
+        with pytest.raises(ValueError, match="tag_bytes must be one of"):
             AesGcmStream(key, iv, tag_bytes=3)
-        with pytest.raises(ValueError, match="tag_bytes must be between 4 and 16"):
+        with pytest.raises(ValueError, match="tag_bytes must be one of"):
             AesGcmStream(key, iv, tag_bytes=17)
-        # valid edge cases
-        AesGcmStream(key, iv, tag_bytes=4)
-        AesGcmStream(key, iv, tag_bytes=16)
+        # Non-NIST sizes within 4-16 range
+        for bad in (5, 6, 7, 9, 10, 11):
+            with pytest.raises(ValueError, match="tag_bytes must be one of"):
+                AesGcmStream(key, iv, tag_bytes=bad)
+        # Valid NIST sizes: verify the resulting tag has the requested length.
+        for good in (4, 8, 12, 13, 14, 15, 16):
+            gcm = AesGcmStream(key, iv, tag_bytes=good)
+            gcm.encrypt("hello world")
+            tag = gcm.final()
+            assert len(tag) == good
+
+    def test_repeated_construction_destruction():
+        import gc
+        key = "fedcba9876543210"
+        iv = "0123456789abcdef"
+        for _ in range(1000):
+            gcm = AesGcmStream(key, iv)
+            gcm.encrypt("hello world")
+            del gcm
+        gc.collect()

tests/test_ciphers.py

@@ -881,6 +881,12 @@ def test_des3_rejects_mode_ctr():
         with pytest.raises(ValueError, match="Des3 only supports MODE_CBC"):
             Des3(key, MODE_CTR, iv)
 
+    def test_des3_rejects_mode_ecb():
+        key = b"\x01\x23\x45\x67\x89\xab\xcd\xef" * 3
+        iv = b"\xfe\xdc\xba\x98\x76\x54\x32\x10"
+        with pytest.raises(ValueError, match="Des3 only supports MODE_CBC"):
+            Des3(key, MODE_ECB, iv)
+
 
 if _lib.CHACHA_ENABLED:
     def test_chacha_non_block_aligned():
@@ -898,3 +904,15 @@ def test_chacha_non_block_aligned():
     def test_chacha_invalid_key_length():
         with pytest.raises(ValueError, match="key must be"):
             ChaCha(b"\x00" * 20)
+
+
+if _lib.RSA_ENABLED:
+    def test_encrypt_oaep_requires_hash_type(vectors):
+        rsa = RsaPublic(vectors[RsaPublic].key)
+        with pytest.raises(WolfCryptError, match="Hash type not set"):
+            rsa.encrypt_oaep(b"plaintext")
+
+    def test_decrypt_oaep_requires_hash_type(vectors):
+        rsa = RsaPrivate(vectors[RsaPrivate].key)
+        with pytest.raises(WolfCryptError, match="Hash type not set"):
+            rsa.decrypt_oaep(b"\x00" * rsa.output_size)

tests/test_hashes.py

@@ -184,3 +184,12 @@ def test_hash(hash_cls, vectors):
     copy.update("wolfcrypt")
 
     assert hash_obj.hexdigest() == copy.hexdigest() == digest
+
+
+def test_hash_repeated_construction_destruction(hash_cls):
+    import gc
+    for _ in range(1000):
+        h = hash_new(hash_cls, "wolfcrypt")
+        h.hexdigest()
+        del h
+    gc.collect()

wolfcrypt/ciphers.py

@@ -396,33 +396,38 @@ class AesGcmStream(object):
         block_size = 16
         _key_sizes = [16, 24, 32]
         _native_type = "Aes *"
-        _aad = bytes()
-        _tag_bytes = 16
-        _mode = None
+        _delete = _lib.wc_AesFree
 
         def __init__(self, key, IV, tag_bytes=16):
             """
             tag_bytes is the number of bytes to use for the authentication tag during encryption
             """
             key = t2b(key)
             IV = t2b(IV)
-            if tag_bytes < 4 or tag_bytes > 16:
-                raise ValueError("tag_bytes must be between 4 and 16")
+            # NIST SP 800-38D valid GCM tag lengths: 16, 15, 14, 13, 12, 8, 4 bytes.
+            if tag_bytes not in (4, 8, 12, 13, 14, 15, 16):
+                raise ValueError(
+                    "tag_bytes must be one of 4, 8, 12, 13, 14, 15, or 16")
+            # Per-instance state: AAD, tag length, and current mode (enc/dec).
+            self._aad = bytes()
             self._tag_bytes = tag_bytes
+            self._mode = None
             if len(key) not in self._key_sizes:
                 raise ValueError("key must be %s in length, not %d" %
                                  (self._key_sizes, len(key)))
+            self._init_done = False
             self._native_object = _ffi.new(self._native_type)
             ret = _lib.wc_AesInit(self._native_object, _ffi.NULL, -2)
             if ret < 0:
                 raise WolfCryptError("AES init error (%d)" % ret)
+            self._init_done = True
             ret = _lib.wc_AesGcmInit(self._native_object, key, len(key), IV, len(IV))
             if ret < 0:
                 raise WolfCryptError("Init error (%d)" % ret)
 
         def __del__(self):
-            if hasattr(self, '_native_object'):
-                _lib.wc_AesFree(self._native_object)
+            if getattr(self, '_init_done', False):
+                self._delete(self._native_object)
 
         def set_aad(self, data):
             """
@@ -446,11 +451,11 @@ def encrypt(self, data):
                 aad = self._aad
             elif self._mode == _DECRYPTION:
                 raise WolfCryptError("Class instance already in use for decryption")
-            self._buf = _ffi.new("byte[%d]" % (len(data)))
-            ret = _lib.wc_AesGcmEncryptUpdate(self._native_object, self._buf, data, len(data), aad, len(aad))
+            buf = _ffi.new("byte[%d]" % (len(data)))
+            ret = _lib.wc_AesGcmEncryptUpdate(self._native_object, buf, data, len(data), aad, len(aad))
             if ret < 0:
                 raise WolfCryptError("Encryption error (%d)" % ret)
-            return bytes(self._buf)
+            return bytes(buf)
 
         def decrypt(self, data):
             """
@@ -463,11 +468,11 @@ def decrypt(self, data):
                 aad = self._aad
             elif self._mode == _ENCRYPTION:
                 raise WolfCryptError("Class instance already in use for encryption")
-            self._buf = _ffi.new("byte[%d]" % (len(data)))
-            ret = _lib.wc_AesGcmDecryptUpdate(self._native_object, self._buf, data, len(data), aad, len(aad))
+            buf = _ffi.new("byte[%d]" % (len(data)))
+            ret = _lib.wc_AesGcmDecryptUpdate(self._native_object, buf, data, len(data), aad, len(aad))
             if ret < 0:
                 raise WolfCryptError("Decryption error (%d)" % ret)
-            return bytes(self._buf)
+            return bytes(buf)
 
         def final(self, authTag=None):
             """
@@ -505,7 +510,9 @@ class ChaCha(_Cipher):
         _IV_nonce = b""
         _IV_counter = 0
 
-        def __init__(self, key="", size=32):
+        def __init__(self, key="", size=32):  # pylint: disable=unused-argument
+            # size is kept for backwards compatibility; key length is now
+            # derived from the actual key and validated against _key_sizes.
             self._native_object = _ffi.new(self._native_type)
             self._enc = None
             self._dec = None
@@ -552,7 +559,9 @@ def set_iv(self, nonce, counter = 0):
                 raise ValueError("nonce must be %d bytes, got %d" %
                                  (self._NONCE_SIZE, len(self._IV_nonce)))
             self._IV_counter = counter
-            self._set_key(0)
+            ret = self._set_key(0)
+            if ret < 0:
+                raise WolfCryptError("ChaCha set_iv error (%d)" % ret)
 
 if _lib.CHACHA20_POLY1305_ENABLED:
     class ChaCha20Poly1305(object):
@@ -1231,7 +1240,11 @@ def make_key(cls, size, rng=None):
                 ret = _lib.wc_ecc_set_rng(ecc.native_object, rng.native_object)
                 if ret < 0:
                     raise WolfCryptError("Error setting ECC RNG (%d)" % ret)
-                ecc._rng = rng
+
+            # Retain the RNG so it outlives the ECC key. Even outside the
+            # timing-resistance path, wolfSSL internals may retain a pointer
+            # to the RNG; keeping the reference avoids any UAF risk.
+            ecc._rng = rng
 
             return ecc
 
@@ -1504,6 +1517,10 @@ def make_key(cls, size, rng=None):
             if ret < 0:
                 raise WolfCryptError("Key generation error (%d)" % ret)
 
+            # Retain RNG reference defensively; wolfSSL may retain a pointer
+            # internally on some builds.
+            ed25519._rng = rng
+
             return ed25519
 
         def decode_key(self, key, pub = None):
@@ -1706,6 +1723,10 @@ def make_key(cls, size, rng=None):
             if ret < 0:
                 raise WolfCryptError("Key generation error (%d)" % ret)
 
+            # Retain RNG reference defensively; wolfSSL may retain a pointer
+            # internally on some builds.
+            ed448._rng = rng
+
             return ed448
 
         def decode_key(self, key, pub = None):
@@ -1979,6 +2000,9 @@ def make_key(cls, mlkem_type, rng=None):
             if ret < 0:  # pragma: no cover
                 raise WolfCryptError("wc_KyberKey_MakeKey() error (%d)" % ret)
 
+            # Retain RNG reference defensively.
+            mlkem_priv._rng = rng
+
             return mlkem_priv
 
         @classmethod
@@ -2226,6 +2250,9 @@ def make_key(cls, mldsa_type, rng=None):
             if ret < 0:  # pragma: no cover
                 raise WolfCryptError("wc_dilithium_make_key() error (%d)" % ret)
 
+            # Retain RNG reference defensively.
+            mldsa_priv._rng = rng
+
             return mldsa_priv
 
         @property