Add SAKKE mask correctness regression test

JeremiahM37 · JeremiahM37 · commit 1b22c51029b6 · 2026-05-08T17:24:44.000-06:00
diff --git a/tests/unit.c b/tests/unit.c
@@ -174,6 +174,109 @@ static int sakke_xor_in_v_oob_test(void)
 }
 #endif
 
+#ifdef WOLFCRYPT_HAVE_SAKKE
+/* Verify sakke_hash_to_range produces the full RFC 6508 5.1 mask for
+ * ssvSz=48 with SHA-256, and that the public APIs reject ssvSz=0. The
+ * old broken offset math left ssv[16..31] never XORed; encapsulating
+ * an all-zero ssv exposes the gap (those bytes stay zero under the
+ * bug, become random mask material once fixed). */
+static int sakke_mask_correctness_test(void)
+{
+    SakkeKey key;
+    WC_RNG rng;
+    unsigned char id[] = "user@example.com";
+    word16 ssvSz = 48;
+    word16 ssvSzZero = 0;
+    word16 authSz = 0;
+    unsigned char ssv[48];
+    unsigned char* auth = NULL;
+    int ret;
+    int i;
+    int allZero = 1;
+    int rc = 0;
+
+    if (wc_InitRng(&rng) != 0) {
+        printf("sakke_correctness: SKIP (rng init)\n");
+        return 0;
+    }
+    if (wc_InitSakkeKey_ex(&key, 128, ECC_SAKKE_1, NULL, INVALID_DEVID) != 0) {
+        wc_FreeRng(&rng);
+        printf("sakke_correctness: SKIP (sakke key init)\n");
+        return 0;
+    }
+    if (wc_MakeSakkeKey(&key, &rng) != 0) {
+        wc_FreeSakkeKey(&key);
+        wc_FreeRng(&rng);
+        printf("sakke_correctness: SKIP (sakke key gen)\n");
+        return 0;
+    }
+    if (wc_SetSakkeIdentity(&key, id, sizeof(id) - 1) != 0) {
+        wc_FreeSakkeKey(&key);
+        wc_FreeRng(&rng);
+        printf("sakke_correctness: SKIP (set identity)\n");
+        return 0;
+    }
+
+    ret = wc_MakeSakkeEncapsulatedSSV(&key, WC_HASH_TYPE_SHA256, ssv, ssvSz,
+                                      NULL, &authSz);
+    if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
+        printf("sakke_correctness: SKIP (auth size query)\n");
+        goto cleanup;
+    }
+    auth = (unsigned char*)malloc(authSz);
+    if (auth == NULL) {
+        printf("sakke_correctness: SKIP (alloc)\n");
+        goto cleanup;
+    }
+
+    XMEMSET(ssv, 0, ssvSz);
+    ret = wc_MakeSakkeEncapsulatedSSV(&key, WC_HASH_TYPE_SHA256, ssv, ssvSz,
+                                      auth, &authSz);
+    if (ret != 0) {
+        printf("sakke_correctness: FAIL (encap ret=%d)\n", ret);
+        rc = -1;
+        goto cleanup;
+    }
+    for (i = 16; i < 32; i++) {
+        if (ssv[i] != 0) { allZero = 0; break; }
+    }
+    if (allZero) {
+        printf("sakke_correctness: FAIL (ssv[16..31] not XORed)\n");
+        rc = -1;
+        goto cleanup;
+    }
+
+    ret = wc_MakeSakkeEncapsulatedSSV(&key, WC_HASH_TYPE_SHA256, ssv, ssvSzZero,
+                                      auth, &authSz);
+    if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
+        printf("sakke_correctness: FAIL (encap ssvSz=0 ret=%d)\n", ret);
+        rc = -1;
+        goto cleanup;
+    }
+    ret = wc_DeriveSakkeSSV(&key, WC_HASH_TYPE_SHA256, ssv, ssvSzZero,
+                            auth, authSz);
+    if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
+        printf("sakke_correctness: FAIL (derive ssvSz=0 ret=%d)\n", ret);
+        rc = -1;
+        goto cleanup;
+    }
+
+    printf("sakke_correctness: PASS\n");
+
+cleanup:
+    if (auth != NULL) free(auth);
+    wc_FreeSakkeKey(&key);
+    wc_FreeRng(&rng);
+    return rc;
+}
+#else
+static int sakke_mask_correctness_test(void)
+{
+    printf("sakke_correctness: SKIP (WOLFCRYPT_HAVE_SAKKE not defined)\n");
+    return 0;
+}
+#endif
+
 int allTesting = 1;
 int apiTesting = 1;
 int myoptind = 0;
@@ -405,6 +508,11 @@ int unit_test(int argc, char** argv)
             fflush(stdout);
             goto exit;
         }
+        if (sakke_mask_correctness_test() != 0) {
+            ret = -1;
+            fflush(stdout);
+            goto exit;
+        }
         fflush(stdout);
 
         XMEMSET(&wc_args, 0, sizeof(wc_args));
