Add regression tests for fixes

anhu · anhu · commit a0019fbd27cb · 2026-03-27T09:44:49.000-04:00
diff --git a/tests/api.c b/tests/api.c
@@ -165,6 +165,19 @@
     #include <sys/uio.h>
 #endif
 
+#ifdef HAVE_DILITHIUM
+    #include <wolfssl/wolfcrypt/dilithium.h>
+#endif
+#if defined(WOLFSSL_HAVE_MLKEM)
+    #include <wolfssl/wolfcrypt/mlkem.h>
+#endif
+#if defined(HAVE_PKCS7)
+    #include <wolfssl/wolfcrypt/pkcs7.h>
+#endif
+#if !defined(NO_BIG_INT)
+    #include <wolfssl/wolfcrypt/sp_int.h>
+#endif
+
 /* include misc.c here regardless of NO_INLINE, because misc.c implementations
  * have default (hidden) visibility, and in the absence of visibility, it's
  * benign to mask out the library implementation.
@@ -34387,6 +34400,264 @@ static int test_sniffer_chain_input_overflow(void)
 }
 #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_CHAIN_INPUT */
 
+/*----------------------------------------------------------------------------*
+ | ZD 21412-21426: Regression tests for reported vulnerabilities
+ *----------------------------------------------------------------------------*/
+
+/* ZD 21412: ML-DSA HashML-DSA verify must reject hashLen > WC_MAX_DIGEST_SIZE */
+static int test_zd21412_mldsa_verify_hash_overflow(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_DILITHIUM) && defined(WOLFSSL_WC_DILITHIUM) && \
+    !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) && \
+    !defined(WOLFSSL_DILITHIUM_NO_VERIFY)
+    dilithium_key key;
+    WC_RNG rng;
+    int res = 0;
+    byte sig[4000];
+    byte hash[4096]; /* larger than WC_MAX_DIGEST_SIZE */
+
+    XMEMSET(&key, 0, sizeof(key));
+    XMEMSET(&rng, 0, sizeof(rng));
+    XMEMSET(sig, 0x41, sizeof(sig));
+    XMEMSET(hash, 'A', sizeof(hash));
+
+    ExpectIntEQ(wc_InitRng(&rng), 0);
+    ExpectIntEQ(wc_dilithium_init(&key), 0);
+#ifndef WOLFSSL_NO_ML_DSA_65
+    ExpectIntEQ(wc_dilithium_set_level(&key, WC_ML_DSA_65), 0);
+#elif !defined(WOLFSSL_NO_ML_DSA_44)
+    ExpectIntEQ(wc_dilithium_set_level(&key, WC_ML_DSA_44), 0);
+#else
+    ExpectIntEQ(wc_dilithium_set_level(&key, WC_ML_DSA_87), 0);
+#endif
+    ExpectIntEQ(wc_dilithium_make_key(&key, &rng), 0);
+
+    /* hashLen=4096 must be rejected with BUFFER_E, not overflow the stack */
+    ExpectIntEQ(wc_dilithium_verify_ctx_hash(sig, sizeof(sig), NULL, 0,
+        WC_HASH_TYPE_SHA256, hash, sizeof(hash), &res, &key),
+        WC_NO_ERR_TRACE(BUFFER_E));
+
+    wc_dilithium_free(&key);
+    DoExpectIntEQ(wc_FreeRng(&rng), 0);
+#endif
+    return EXPECT_RESULT();
+}
+
+/* ZD 21414: PKCS7 ORI OID must be bounds-checked against MAX_OID_SZ.
+ * This DER was generated by encoding a valid EnvelopedData with ORI, then
+ * patching the OID length from 10 to 64 (exceeds MAX_OID_SZ=32) and inserting
+ * 54 extra bytes. Without the fix, wc_PKCS7_DecryptOri copies 64 bytes into
+ * oriOID[32], causing a stack buffer overflow. */
+#if defined(HAVE_PKCS7) && !defined(NO_AES) && defined(HAVE_AES_CBC) && \
+    defined(WOLFSSL_AES_256)
+static int oriDecryptCb_zd21414(PKCS7* pkcs7, byte* oriType, word32 oriTypeSz,
+    byte* oriValue, word32 oriValueSz, byte* decryptedKey,
+    word32* decryptedKeySz, void* ctx)
+{
+    word32 keySz;
+    (void)pkcs7; (void)oriType; (void)oriTypeSz; (void)ctx;
+    if (oriValueSz < 2) return -1;
+    keySz = oriValue[1];
+    if (*decryptedKeySz < keySz) return -1;
+    XMEMCPY(decryptedKey, oriValue + 2, keySz);
+    *decryptedKeySz = keySz;
+    return 0;
+}
+#endif /* HAVE_PKCS7 && AES_CBC && AES_256 */
+static int test_zd21414_pkcs7_ori_oid_overflow(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_PKCS7) && !defined(NO_AES) && defined(HAVE_AES_CBC) && \
+    defined(WOLFSSL_AES_256)
+    /* Pre-built malformed EnvelopedData: ORI OID length patched from 10 to 64
+     * (0x40 at offset 26), with 54 extra 'X' bytes inserted after original OID.
+     * Generated by POC's encode-then-patch approach. */
+    static const byte malformed[] = {
+        0x30,0x81,0x82,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,
+        0x07,0x03,0xA0,0x75,0x30,0x73,0x02,0x01,0x03,0x31,0x30,0xA4,
+        0x2E,0x06,0x40,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,
+        0x00,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,
+        0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,
+        0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,
+        0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,
+        0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x04,0x20,0xEB,0xCE,0xF2,
+        0x43,0xC1,0xCE,0xF8,0xCD,0xE2,0xC1,0x12,0xDB,0x46,0xFE,0x39,
+        0xF0,0x2C,0xF2,0x9A,0x6A,0xD4,0x90,0xB8,0xAC,0x72,0x17,0x54,
+        0x97,0xAE,0xE2,0x59,0xEA,0x30,0x3C,0x06,0x09,0x2A,0x86,0x48,
+        0x86,0xF7,0x0D,0x01,0x07,0x01,0x30,0x1D,0x06,0x09,0x60,0x86,
+        0x48,0x01,0x65,0x03,0x04,0x01,0x2A,0x04,0x10,0x98,0xBC,0x3A,
+        0xF9,0x15,0xF3,0x6B,0x53,0x9D,0x81,0xBD,0x44,0x7E,0xA1,0x01,
+        0x4D,0x80,0x10,0xBD,0x36,0x26,0xF5,0x6E,0x11,0xD0,0xBB,0x5C,
+        0x15,0x19,0xA7,0x6B,0xC2,0xC2,0xB6
+    }; /* 187 bytes */
+    PKCS7* pkcs7 = NULL;
+    byte decoded[256];
+
+    ExpectNotNull(pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID));
+    if (pkcs7 != NULL) {
+        /* ORI decrypt callback must be set or parser skips ORI processing */
+        wc_PKCS7_SetOriDecryptCb(pkcs7, oriDecryptCb_zd21414);
+        /* Without fix: overflows oriOID[32] → crash.
+         * With fix: returns BUFFER_E before the copy. */
+        ExpectIntLT(wc_PKCS7_DecodeEnvelopedData(pkcs7, (byte*)malformed,
+            (word32)sizeof(malformed), decoded, sizeof(decoded)), 0);
+        wc_PKCS7_Free(pkcs7);
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
+
+/* ZD 21417: Dilithium verify_ctx_msg must reject absurdly large msgLen */
+static int test_zd21417_dilithium_hash_int_overflow(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_DILITHIUM) && defined(WOLFSSL_WC_DILITHIUM) && \
+    !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) && \
+    !defined(WOLFSSL_DILITHIUM_NO_VERIFY)
+    dilithium_key key;
+    WC_RNG rng;
+    int res = 0;
+    byte sig[4000];
+    byte msg[64];
+
+    XMEMSET(&key, 0, sizeof(key));
+    XMEMSET(&rng, 0, sizeof(rng));
+    XMEMSET(sig, 0, sizeof(sig));
+    XMEMSET(msg, 'A', sizeof(msg));
+
+    ExpectIntEQ(wc_InitRng(&rng), 0);
+    ExpectIntEQ(wc_dilithium_init(&key), 0);
+#ifndef WOLFSSL_NO_ML_DSA_65
+    ExpectIntEQ(wc_dilithium_set_level(&key, WC_ML_DSA_65), 0);
+#elif !defined(WOLFSSL_NO_ML_DSA_44)
+    ExpectIntEQ(wc_dilithium_set_level(&key, WC_ML_DSA_44), 0);
+#else
+    ExpectIntEQ(wc_dilithium_set_level(&key, WC_ML_DSA_87), 0);
+#endif
+    ExpectIntEQ(wc_dilithium_make_key(&key, &rng), 0);
+
+    /* msgLen=0xFFFFFFC0 would cause integer overflow in hash computation.
+     * Must be rejected with BAD_FUNC_ARG. */
+    ExpectIntEQ(wc_dilithium_verify_ctx_msg(sig, sizeof(sig), NULL, 0,
+        msg, 0xFFFFFFC0u, &res, &key), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+
+    wc_dilithium_free(&key);
+    DoExpectIntEQ(wc_FreeRng(&rng), 0);
+#endif
+    return EXPECT_RESULT();
+}
+
+/* ZD 21418: ECC import must validate point is on curve */
+static int test_zd21418_ecc_invalid_curve_point(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_ECC) && !defined(NO_ECC256)
+    ecc_key peerKey;
+    /* Invalid point (3, 3) — NOT on P-256 curve y^2 = x^3 - 3x + b */
+    byte badPt[65];
+
+    XMEMSET(&peerKey, 0, sizeof(peerKey));
+    XMEMSET(badPt, 0, sizeof(badPt));
+    badPt[0] = 0x04; /* uncompressed */
+    badPt[32] = 3;   /* x = 3 */
+    badPt[64] = 3;   /* y = 3 */
+
+    ExpectIntEQ(wc_ecc_init(&peerKey), 0);
+
+    /* Import of invalid point as untrusted (TLS peer) must be rejected.
+     * Uses _ex2 with untrusted=1 to match the TLS key exchange path. */
+    ExpectIntNE(wc_ecc_import_x963_ex2(badPt, sizeof(badPt), &peerKey,
+        ECC_SECP256R1, 1), 0);
+
+    wc_ecc_free(&peerKey);
+#endif
+    return EXPECT_RESULT();
+}
+
+/* ZD 21422: PKCS7 CBC padding must validate all padding bytes */
+static int test_zd21422_pkcs7_padding_oracle(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_PKCS7) && !defined(NO_AES) && defined(HAVE_AES_CBC) && \
+    defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA)
+    PKCS7 pkcs7;
+    byte key[32];
+    byte plaintext[27]; /* 27 bytes → padded to 32 → padding = 05 05 05 05 05 */
+    byte encoded[4096];
+    byte output[256];
+    byte modified[4096];
+    int encodedSz;
+    int outSz;
+    int ctOff = -1;
+    int ctLen = 0;
+    int i;
+
+    XMEMSET(key, 0xAA, sizeof(key));
+    XMEMSET(plaintext, 'X', sizeof(plaintext));
+
+    /* Encode EncryptedData */
+    XMEMSET(&pkcs7, 0, sizeof(pkcs7));
+    ExpectIntEQ(wc_PKCS7_Init(&pkcs7, NULL, 0), 0);
+    pkcs7.content      = plaintext;
+    pkcs7.contentSz    = sizeof(plaintext);
+    pkcs7.contentOID   = DATA;
+    pkcs7.encryptOID   = AES256CBCb;
+    pkcs7.encryptionKey   = key;
+    pkcs7.encryptionKeySz = sizeof(key);
+
+    ExpectIntGT(encodedSz = wc_PKCS7_EncodeEncryptedData(&pkcs7, encoded,
+        sizeof(encoded)), 0);
+
+    /* Verify normal decrypt works */
+    ExpectIntEQ(outSz = wc_PKCS7_DecodeEncryptedData(&pkcs7, encoded,
+        (word32)encodedSz, output, sizeof(output)), (int)sizeof(plaintext));
+    wc_PKCS7_Free(&pkcs7);
+
+    /* Find ciphertext block in encoded DER */
+    if (EXPECT_SUCCESS()) {
+        for (i = encodedSz - 10; i > 10; i--) {
+            if (encoded[i] == 0x04 || encoded[i] == 0x80) {
+                int len, lbytes;
+                if (encoded[i+1] < 0x80) { len = encoded[i+1]; lbytes = 1; }
+                else if (encoded[i+1] == 0x81) { len = encoded[i+2]; lbytes = 2; }
+                else continue;
+                if (len > 0 && len % 16 == 0 &&
+                    i + 1 + lbytes + len <= encodedSz) {
+                    ctOff = i + 1 + lbytes;
+                    ctLen = len;
+                    break;
+                }
+            }
+        }
+    }
+    ExpectIntGT(ctOff, 0);
+    ExpectIntGE(ctLen, 32);
+
+    /* Corrupt an interior padding byte via CBC bit-flip */
+    if (EXPECT_SUCCESS()) {
+        XMEMCPY(modified, encoded, (size_t)encodedSz);
+        /* Flip byte in penultimate block to corrupt interior padding */
+        modified[ctOff + ctLen - 32 + 11] ^= 0x42;
+
+        /* Decrypt modified ciphertext — must fail, not succeed */
+        XMEMSET(&pkcs7, 0, sizeof(pkcs7));
+        ExpectIntEQ(wc_PKCS7_Init(&pkcs7, NULL, 0), 0);
+        pkcs7.encryptionKey   = key;
+        pkcs7.encryptionKeySz = sizeof(key);
+
+        outSz = wc_PKCS7_DecodeEncryptedData(&pkcs7, modified,
+            (word32)encodedSz, output, sizeof(output));
+        /* Must return an error — if it returns plaintext size, padding
+         * oracle vulnerability exists */
+        ExpectIntLT(outSz, 0);
+        wc_PKCS7_Free(&pkcs7);
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
 TEST_CASE testCases[] = {
     TEST_DECL(test_fileAccess),
 
@@ -35203,6 +35474,14 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_sniffer_chain_input_overflow),
 #endif
 
+    /*********************************
+     * ZD 21412-21426 Regression Tests
+     *********************************/
+    TEST_DECL(test_zd21412_mldsa_verify_hash_overflow),
+    TEST_DECL(test_zd21414_pkcs7_ori_oid_overflow),
+    TEST_DECL(test_zd21417_dilithium_hash_int_overflow),
+    TEST_DECL(test_zd21418_ecc_invalid_curve_point),
+    TEST_DECL(test_zd21422_pkcs7_padding_oracle),
     /* This test needs to stay at the end to clean up any caches allocated. */
     TEST_DECL(test_wolfSSL_Cleanup)
 };
