Skip to content

Commit a2b054e

Browse files
authored
Merge pull request #10155 from aidangarske/fenrir-fixes-2
Add Negative Testing and Zeroization
2 parents 218ddb4 + bf03de6 commit a2b054e

4 files changed

Lines changed: 185 additions & 0 deletions

File tree

tests/api/test_ascon.c

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -180,6 +180,39 @@ int test_ascon_aead128(void)
180180
}
181181
}
182182

183+
/* Negative test: corrupted tag must be rejected with ASCON_AUTH_E. */
184+
{
185+
byte key[ASCON_AEAD128_KEY_SZ];
186+
byte nonce[ASCON_AEAD128_NONCE_SZ];
187+
byte pt[4] = { 0x00, 0x01, 0x02, 0x03 };
188+
byte ct[4];
189+
byte tag[ASCON_AEAD128_TAG_SZ];
190+
byte buf[4];
191+
192+
XMEMSET(key, 0xAA, sizeof(key));
193+
XMEMSET(nonce, 0xBB, sizeof(nonce));
194+
195+
ExpectIntEQ(wc_AsconAEAD128_Init(asconAEAD), 0);
196+
ExpectIntEQ(wc_AsconAEAD128_SetKey(asconAEAD, key), 0);
197+
ExpectIntEQ(wc_AsconAEAD128_SetNonce(asconAEAD, nonce), 0);
198+
ExpectIntEQ(wc_AsconAEAD128_SetAD(asconAEAD, NULL, 0), 0);
199+
ExpectIntEQ(wc_AsconAEAD128_EncryptUpdate(asconAEAD, ct, pt,
200+
sizeof(pt)), 0);
201+
ExpectIntEQ(wc_AsconAEAD128_EncryptFinal(asconAEAD, tag), 0);
202+
203+
/* Corrupt one byte of the tag. */
204+
tag[0] ^= 0x01;
205+
206+
ExpectIntEQ(wc_AsconAEAD128_Init(asconAEAD), 0);
207+
ExpectIntEQ(wc_AsconAEAD128_SetKey(asconAEAD, key), 0);
208+
ExpectIntEQ(wc_AsconAEAD128_SetNonce(asconAEAD, nonce), 0);
209+
ExpectIntEQ(wc_AsconAEAD128_SetAD(asconAEAD, NULL, 0), 0);
210+
ExpectIntEQ(wc_AsconAEAD128_DecryptUpdate(asconAEAD, buf, ct,
211+
sizeof(ct)), 0);
212+
ExpectIntEQ(wc_AsconAEAD128_DecryptFinal(asconAEAD, tag),
213+
WC_NO_ERR_TRACE(ASCON_AUTH_E));
214+
}
215+
183216
wc_AsconAEAD128_Free(asconAEAD);
184217
#endif
185218
return EXPECT_RESULT();

wolfcrypt/src/rsa.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2510,6 +2510,8 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
25102510
#endif
25112511
}
25122512

2513+
if (d != NULL)
2514+
ForceZero(d, dSz);
25132515
XFREE(d, key->heap, DYNAMIC_TYPE_PRIVATE_KEY);
25142516
}
25152517
#endif

wolfcrypt/src/wc_pkcs11.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1562,6 +1562,8 @@ static int Pkcs11CreateEccPrivateKey(CK_OBJECT_HANDLE* privateKey,
15621562
ret = WC_HW_E;
15631563
}
15641564
}
1565+
if (priv != NULL)
1566+
ForceZero(priv, privLen);
15651567
XFREE(priv, private_key->heap, DYNAMIC_TYPE_TMP_BUFFER);
15661568
}
15671569

wolfcrypt/test/test.c

Lines changed: 148 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11385,6 +11385,51 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ascon_aead128_test(void)
1138511385
}
1138611386
}
1138711387

11388+
/* Negative test: corrupted tag must be rejected with ASCON_AUTH_E. */
11389+
{
11390+
byte tkey[ASCON_AEAD128_KEY_SZ];
11391+
byte tnonce[ASCON_AEAD128_NONCE_SZ];
11392+
byte tpt[4] = { 0x00, 0x01, 0x02, 0x03 };
11393+
byte tct[4];
11394+
byte ttag[ASCON_AEAD128_TAG_SZ];
11395+
byte tbuf[4];
11396+
11397+
XMEMSET(tkey, 0xAA, sizeof(tkey));
11398+
XMEMSET(tnonce, 0xBB, sizeof(tnonce));
11399+
11400+
err = wc_AsconAEAD128_Init(&asconAEAD);
11401+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11402+
err = wc_AsconAEAD128_SetKey(&asconAEAD, tkey);
11403+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11404+
err = wc_AsconAEAD128_SetNonce(&asconAEAD, tnonce);
11405+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11406+
err = wc_AsconAEAD128_SetAD(&asconAEAD, NULL, 0);
11407+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11408+
err = wc_AsconAEAD128_EncryptUpdate(&asconAEAD, tct, tpt, sizeof(tpt));
11409+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11410+
err = wc_AsconAEAD128_EncryptFinal(&asconAEAD, ttag);
11411+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11412+
11413+
/* Corrupt one byte of the tag. */
11414+
ttag[0] ^= 0x01;
11415+
11416+
err = wc_AsconAEAD128_Init(&asconAEAD);
11417+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11418+
err = wc_AsconAEAD128_SetKey(&asconAEAD, tkey);
11419+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11420+
err = wc_AsconAEAD128_SetNonce(&asconAEAD, tnonce);
11421+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11422+
err = wc_AsconAEAD128_SetAD(&asconAEAD, NULL, 0);
11423+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11424+
err = wc_AsconAEAD128_DecryptUpdate(&asconAEAD, tbuf, tct, sizeof(tct));
11425+
if (err != 0) return WC_TEST_RET_ENC_EC(err);
11426+
err = wc_AsconAEAD128_DecryptFinal(&asconAEAD, ttag);
11427+
if (err != WC_NO_ERR_TRACE(ASCON_AUTH_E)) {
11428+
return WC_TEST_RET_ENC_EC(err);
11429+
}
11430+
wc_AsconAEAD128_Clear(&asconAEAD);
11431+
}
11432+
1138811433
return 0;
1138911434
}
1139011435
#endif /* HAVE_ASCON */
@@ -20003,6 +20048,25 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aeskeywrap_test(void)
2000320048
return WC_TEST_RET_ENC_I(i);
2000420049
}
2000520050

20051+
/* Negative test: corrupted wrapped data must be rejected with
20052+
* BAD_KEYWRAP_IV_E. */
20053+
{
20054+
wrapSz = wc_AesKeyWrap(test_wrap[0].kek, test_wrap[0].kekLen,
20055+
test_wrap[0].data, test_wrap[0].dataLen,
20056+
output, sizeof(output), NULL);
20057+
if (wrapSz < 0)
20058+
return WC_TEST_RET_ENC_EC(wrapSz);
20059+
20060+
/* Corrupt one byte of the wrapped data. */
20061+
output[0] ^= 0x01;
20062+
20063+
plainSz = wc_AesKeyUnWrap(test_wrap[0].kek, test_wrap[0].kekLen,
20064+
output, (word32)wrapSz,
20065+
plain, sizeof(plain), NULL);
20066+
if (plainSz != WC_NO_ERR_TRACE(BAD_KEYWRAP_IV_E))
20067+
return WC_TEST_RET_ENC_EC(plainSz);
20068+
}
20069+
2000620070
return 0;
2000720071
}
2000820072
#endif /* HAVE_AES_KEYWRAP */
@@ -28904,6 +28968,58 @@ static wc_test_ret_t srp_test_digest(SrpType dgstType)
2890428968

2890528969
if (!r) r = wc_SrpVerifyPeersProof(cli, serverProof, serverProofSz);
2890628970

28971+
/* Negative test: corrupted proof must be rejected with SRP_VERIFY_E. */
28972+
if (!r) {
28973+
int rNeg;
28974+
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
28975+
Srp* cli2 = (Srp*)XMALLOC(sizeof *cli2, HEAP_HINT,
28976+
DYNAMIC_TYPE_TMP_BUFFER);
28977+
if (cli2 == NULL) {
28978+
r = WC_TEST_RET_ENC_NC;
28979+
}
28980+
#else
28981+
Srp cli2_buf[1];
28982+
Srp* cli2 = cli2_buf;
28983+
#endif
28984+
if (!r) {
28985+
XMEMSET(cli2, 0, sizeof *cli2);
28986+
/* Reset sizes consumed by the first exchange. */
28987+
clientPubKeySz = SRP_TEST_BUFFER_SIZE;
28988+
clientProofSz = SRP_MAX_DIGEST_SIZE;
28989+
rNeg = wc_SrpInit_ex(cli2, dgstType, SRP_CLIENT_SIDE, HEAP_HINT,
28990+
devId);
28991+
if (!rNeg) rNeg = wc_SrpSetUsername(cli2, username, usernameSz);
28992+
if (!rNeg) rNeg = wc_SrpSetParams(cli2, N, sizeof(N),
28993+
g, sizeof(g), salt,
28994+
sizeof(salt));
28995+
if (!rNeg) rNeg = wc_SrpSetPassword(cli2, password, passwordSz);
28996+
if (!rNeg) rNeg = wc_SrpGetPublic(cli2, clientPubKey,
28997+
&clientPubKeySz);
28998+
if (!rNeg) rNeg = wc_SrpComputeKey(cli2, clientPubKey,
28999+
clientPubKeySz, serverPubKey,
29000+
serverPubKeySz);
29001+
if (!rNeg) rNeg = wc_SrpGetProof(cli2, clientProof,
29002+
&clientProofSz);
29003+
29004+
/* Corrupt the server proof before verifying. */
29005+
serverProof[0] ^= 0x01;
29006+
if (!rNeg) {
29007+
rNeg = wc_SrpVerifyPeersProof(cli2, serverProof,
29008+
serverProofSz);
29009+
if (rNeg != WC_NO_ERR_TRACE(SRP_VERIFY_E)) {
29010+
r = WC_TEST_RET_ENC_EC(rNeg);
29011+
}
29012+
}
29013+
else {
29014+
r = WC_TEST_RET_ENC_EC(rNeg);
29015+
}
29016+
wc_SrpTerm(cli2);
29017+
}
29018+
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
29019+
XFREE(cli2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
29020+
#endif
29021+
}
29022+
2890729023
wc_SrpTerm(cli);
2890829024
wc_SrpTerm(srv);
2890929025

@@ -40909,6 +41025,15 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ecc_test_buffers(void)
4090941025
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
4091041026
if (XMEMCMP(plain, in, inLen))
4091141027
ERROR_OUT(WC_TEST_RET_ENC_NC, done);
41028+
41029+
/* Negative test: corrupt HMAC tag in encrypted msg, expect
41030+
* HASH_TYPE_E from wc_ecc_decrypt. */
41031+
out[x - 1] ^= 0x01;
41032+
y = sizeof(plain);
41033+
ret = wc_ecc_decrypt(servKey, tmpKey, out, x, plain, &y, NULL);
41034+
if (ret != WC_NO_ERR_TRACE(HASH_TYPE_E))
41035+
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
41036+
ret = 0; /* reset ret for following tests */
4091241037
}
4091341038
#endif
4091441039

@@ -70934,6 +71059,29 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_siv_test(void)
7093471059
}
7093571060
}
7093671061

71062+
/* Negative test: corrupted SIV must be rejected with AES_SIV_AUTH_E. */
71063+
{
71064+
ret = wc_AesSivEncrypt(testVectors[0].key, testVectors[0].keySz,
71065+
testVectors[0].assoc1, testVectors[0].assoc1Sz,
71066+
testVectors[0].nonce, testVectors[0].nonceSz,
71067+
testVectors[0].plaintext,
71068+
testVectors[0].plaintextSz, siv,
71069+
computedCiphertext);
71070+
if (ret != 0) {
71071+
return WC_TEST_RET_ENC_EC(ret);
71072+
}
71073+
/* Corrupt one byte of the SIV tag. */
71074+
siv[0] ^= 0x01;
71075+
ret = wc_AesSivDecrypt(testVectors[0].key, testVectors[0].keySz,
71076+
testVectors[0].assoc1, testVectors[0].assoc1Sz,
71077+
testVectors[0].nonce, testVectors[0].nonceSz,
71078+
computedCiphertext, testVectors[0].plaintextSz,
71079+
siv, computedPlaintext);
71080+
if (ret != WC_NO_ERR_TRACE(AES_SIV_AUTH_E)) {
71081+
return WC_TEST_RET_ENC_EC(ret);
71082+
}
71083+
}
71084+
7093771085
return 0;
7093871086
}
7093971087
#endif

0 commit comments

Comments
 (0)