@@ -11385,6 +11385,51 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ascon_aead128_test(void)
1138511385 }
1138611386 }
1138711387
11388+ /* Negative test: corrupted tag must be rejected with ASCON_AUTH_E. */
11389+ {
11390+ byte tkey[ASCON_AEAD128_KEY_SZ];
11391+ byte tnonce[ASCON_AEAD128_NONCE_SZ];
11392+ byte tpt[4] = { 0x00, 0x01, 0x02, 0x03 };
11393+ byte tct[4];
11394+ byte ttag[ASCON_AEAD128_TAG_SZ];
11395+ byte tbuf[4];
11396+
11397+ XMEMSET(tkey, 0xAA, sizeof(tkey));
11398+ XMEMSET(tnonce, 0xBB, sizeof(tnonce));
11399+
11400+ err = wc_AsconAEAD128_Init(&asconAEAD);
11401+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11402+ err = wc_AsconAEAD128_SetKey(&asconAEAD, tkey);
11403+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11404+ err = wc_AsconAEAD128_SetNonce(&asconAEAD, tnonce);
11405+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11406+ err = wc_AsconAEAD128_SetAD(&asconAEAD, NULL, 0);
11407+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11408+ err = wc_AsconAEAD128_EncryptUpdate(&asconAEAD, tct, tpt, sizeof(tpt));
11409+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11410+ err = wc_AsconAEAD128_EncryptFinal(&asconAEAD, ttag);
11411+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11412+
11413+ /* Corrupt one byte of the tag. */
11414+ ttag[0] ^= 0x01;
11415+
11416+ err = wc_AsconAEAD128_Init(&asconAEAD);
11417+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11418+ err = wc_AsconAEAD128_SetKey(&asconAEAD, tkey);
11419+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11420+ err = wc_AsconAEAD128_SetNonce(&asconAEAD, tnonce);
11421+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11422+ err = wc_AsconAEAD128_SetAD(&asconAEAD, NULL, 0);
11423+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11424+ err = wc_AsconAEAD128_DecryptUpdate(&asconAEAD, tbuf, tct, sizeof(tct));
11425+ if (err != 0) return WC_TEST_RET_ENC_EC(err);
11426+ err = wc_AsconAEAD128_DecryptFinal(&asconAEAD, ttag);
11427+ if (err != WC_NO_ERR_TRACE(ASCON_AUTH_E)) {
11428+ return WC_TEST_RET_ENC_EC(err);
11429+ }
11430+ wc_AsconAEAD128_Clear(&asconAEAD);
11431+ }
11432+
1138811433 return 0;
1138911434}
1139011435#endif /* HAVE_ASCON */
@@ -20003,6 +20048,25 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aeskeywrap_test(void)
2000320048 return WC_TEST_RET_ENC_I(i);
2000420049 }
2000520050
20051+ /* Negative test: corrupted wrapped data must be rejected with
20052+ * BAD_KEYWRAP_IV_E. */
20053+ {
20054+ wrapSz = wc_AesKeyWrap(test_wrap[0].kek, test_wrap[0].kekLen,
20055+ test_wrap[0].data, test_wrap[0].dataLen,
20056+ output, sizeof(output), NULL);
20057+ if (wrapSz < 0)
20058+ return WC_TEST_RET_ENC_EC(wrapSz);
20059+
20060+ /* Corrupt one byte of the wrapped data. */
20061+ output[0] ^= 0x01;
20062+
20063+ plainSz = wc_AesKeyUnWrap(test_wrap[0].kek, test_wrap[0].kekLen,
20064+ output, (word32)wrapSz,
20065+ plain, sizeof(plain), NULL);
20066+ if (plainSz != WC_NO_ERR_TRACE(BAD_KEYWRAP_IV_E))
20067+ return WC_TEST_RET_ENC_EC(plainSz);
20068+ }
20069+
2000620070 return 0;
2000720071}
2000820072#endif /* HAVE_AES_KEYWRAP */
@@ -28904,6 +28968,58 @@ static wc_test_ret_t srp_test_digest(SrpType dgstType)
2890428968
2890528969 if (!r) r = wc_SrpVerifyPeersProof(cli, serverProof, serverProofSz);
2890628970
28971+ /* Negative test: corrupted proof must be rejected with SRP_VERIFY_E. */
28972+ if (!r) {
28973+ int rNeg;
28974+ #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
28975+ Srp* cli2 = (Srp*)XMALLOC(sizeof *cli2, HEAP_HINT,
28976+ DYNAMIC_TYPE_TMP_BUFFER);
28977+ if (cli2 == NULL) {
28978+ r = WC_TEST_RET_ENC_NC;
28979+ }
28980+ #else
28981+ Srp cli2_buf[1];
28982+ Srp* cli2 = cli2_buf;
28983+ #endif
28984+ if (!r) {
28985+ XMEMSET(cli2, 0, sizeof *cli2);
28986+ /* Reset sizes consumed by the first exchange. */
28987+ clientPubKeySz = SRP_TEST_BUFFER_SIZE;
28988+ clientProofSz = SRP_MAX_DIGEST_SIZE;
28989+ rNeg = wc_SrpInit_ex(cli2, dgstType, SRP_CLIENT_SIDE, HEAP_HINT,
28990+ devId);
28991+ if (!rNeg) rNeg = wc_SrpSetUsername(cli2, username, usernameSz);
28992+ if (!rNeg) rNeg = wc_SrpSetParams(cli2, N, sizeof(N),
28993+ g, sizeof(g), salt,
28994+ sizeof(salt));
28995+ if (!rNeg) rNeg = wc_SrpSetPassword(cli2, password, passwordSz);
28996+ if (!rNeg) rNeg = wc_SrpGetPublic(cli2, clientPubKey,
28997+ &clientPubKeySz);
28998+ if (!rNeg) rNeg = wc_SrpComputeKey(cli2, clientPubKey,
28999+ clientPubKeySz, serverPubKey,
29000+ serverPubKeySz);
29001+ if (!rNeg) rNeg = wc_SrpGetProof(cli2, clientProof,
29002+ &clientProofSz);
29003+
29004+ /* Corrupt the server proof before verifying. */
29005+ serverProof[0] ^= 0x01;
29006+ if (!rNeg) {
29007+ rNeg = wc_SrpVerifyPeersProof(cli2, serverProof,
29008+ serverProofSz);
29009+ if (rNeg != WC_NO_ERR_TRACE(SRP_VERIFY_E)) {
29010+ r = WC_TEST_RET_ENC_EC(rNeg);
29011+ }
29012+ }
29013+ else {
29014+ r = WC_TEST_RET_ENC_EC(rNeg);
29015+ }
29016+ wc_SrpTerm(cli2);
29017+ }
29018+ #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
29019+ XFREE(cli2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
29020+ #endif
29021+ }
29022+
2890729023 wc_SrpTerm(cli);
2890829024 wc_SrpTerm(srv);
2890929025
@@ -40909,6 +41025,15 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ecc_test_buffers(void)
4090941025 ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
4091041026 if (XMEMCMP(plain, in, inLen))
4091141027 ERROR_OUT(WC_TEST_RET_ENC_NC, done);
41028+
41029+ /* Negative test: corrupt HMAC tag in encrypted msg, expect
41030+ * HASH_TYPE_E from wc_ecc_decrypt. */
41031+ out[x - 1] ^= 0x01;
41032+ y = sizeof(plain);
41033+ ret = wc_ecc_decrypt(servKey, tmpKey, out, x, plain, &y, NULL);
41034+ if (ret != WC_NO_ERR_TRACE(HASH_TYPE_E))
41035+ ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
41036+ ret = 0; /* reset ret for following tests */
4091241037 }
4091341038#endif
4091441039
@@ -70934,6 +71059,29 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_siv_test(void)
7093471059 }
7093571060 }
7093671061
71062+ /* Negative test: corrupted SIV must be rejected with AES_SIV_AUTH_E. */
71063+ {
71064+ ret = wc_AesSivEncrypt(testVectors[0].key, testVectors[0].keySz,
71065+ testVectors[0].assoc1, testVectors[0].assoc1Sz,
71066+ testVectors[0].nonce, testVectors[0].nonceSz,
71067+ testVectors[0].plaintext,
71068+ testVectors[0].plaintextSz, siv,
71069+ computedCiphertext);
71070+ if (ret != 0) {
71071+ return WC_TEST_RET_ENC_EC(ret);
71072+ }
71073+ /* Corrupt one byte of the SIV tag. */
71074+ siv[0] ^= 0x01;
71075+ ret = wc_AesSivDecrypt(testVectors[0].key, testVectors[0].keySz,
71076+ testVectors[0].assoc1, testVectors[0].assoc1Sz,
71077+ testVectors[0].nonce, testVectors[0].nonceSz,
71078+ computedCiphertext, testVectors[0].plaintextSz,
71079+ siv, computedPlaintext);
71080+ if (ret != WC_NO_ERR_TRACE(AES_SIV_AUTH_E)) {
71081+ return WC_TEST_RET_ENC_EC(ret);
71082+ }
71083+ }
71084+
7093771085 return 0;
7093871086}
7093971087#endif
0 commit comments