Peer review fixes

dgarske · dgarske · commit c495f1c9d7f3 · 2026-04-09T09:33:13.000-07:00
diff --git a/wrapper/CSharp/README.md b/wrapper/CSharp/README.md
@@ -40,6 +40,8 @@ apt-get install mono-complete
 
 ### Build wolfSSL and install
 
+#### System-wide install
+
 ```
 ./autogen.sh
 cp wrapper/CSharp/user_settings.h .
@@ -49,6 +51,16 @@ make check
 sudo make install
 ```
 
+#### Local-only install (no sudo required)
+
+```
+./autogen.sh
+cp wrapper/CSharp/user_settings.h .
+./configure --enable-usersettings --prefix=$(pwd)/install
+make
+make install
+```
+
 ### Build and run the wolfCrypt test wrapper
 
 From the `wrapper/CSharp` directory (`cd wrapper/CSharp`):
@@ -57,9 +69,20 @@ Compile wolfCrypt test:
 
 ```
 mcs wolfCrypt-Test/wolfCrypt-Test.cs wolfSSL_CSharp/wolfCrypt.cs wolfSSL_CSharp/wolfSSL.cs wolfSSL_CSharp/X509.cs -OUT:wolfcrypttest.exe
+```
+
+Run with system-wide install:
+
+```
 mono wolfcrypttest.exe
 ```
 
+Run with local-only install (from the wolfSSL root directory):
+
+```
+LD_LIBRARY_PATH=./install/lib mono wrapper/CSharp/wolfcrypttest.exe
+```
+
 ### Build and run the wolfSSL client/server test
 
 From the `wrapper/CSharp` directory (`cd wrapper/CSharp`):
diff --git a/wrapper/CSharp/wolfCrypt-Test/wolfCrypt-Test.cs b/wrapper/CSharp/wolfCrypt-Test/wolfCrypt-Test.cs
@@ -880,17 +880,14 @@ private static void hash_test(uint hashType)
         }
     } /* END hash_test */
 
-    private static void hpke_test()
+    private static void hpke_test(wolfcrypt.HpkeKem kem,
+        wolfcrypt.HpkeKdf kdf, wolfcrypt.HpkeAead aead)
     {
         IntPtr hpke = IntPtr.Zero;
         IntPtr receiverKey = IntPtr.Zero;
         IntPtr deserializedKey = IntPtr.Zero;
         IntPtr ephemeralKey = IntPtr.Zero;
 
-        wolfcrypt.HpkeKem kem = wolfcrypt.HpkeKem.DHKEM_P256_HKDF_SHA256;
-        wolfcrypt.HpkeKdf kdf = wolfcrypt.HpkeKdf.HKDF_SHA256;
-        wolfcrypt.HpkeAead aead = wolfcrypt.HpkeAead.AES_128_GCM;
-
         try
         {
             Console.WriteLine("\nStarting HPKE Base mode test...");
@@ -988,7 +985,7 @@ private static void hpke_test()
             Console.WriteLine($"HpkeSealBase convenience passed. Output length: {encCiphertext2.Length}");
 
             byte[] decrypted2 = wolfcrypt.HpkeOpenBase(hpke, receiverKey,
-                encCiphertext2, info, aad, plaintext.Length);
+                encCiphertext2, info, aad, kem);
             if (decrypted2 == null)
             {
                 throw new Exception("HpkeOpenBase (convenience) failed");
@@ -998,6 +995,39 @@ private static void hpke_test()
                 throw new Exception("Convenience seal/open: decrypted text does not match");
             }
             Console.WriteLine("HPKE convenience overload test PASSED.");
+
+            /* Negative test: tampered ciphertext should fail */
+            Console.WriteLine("Testing HpkeOpenBase with tampered ciphertext...");
+            byte[] tampered = (byte[])encCiphertext.Clone();
+            tampered[tampered.Length - 1] ^= 0xFF; /* flip last byte (in tag) */
+            byte[] badResult = wolfcrypt.HpkeOpenBase(hpke, receiverKey,
+                tampered, info, aad, plaintext.Length);
+            if (badResult != null)
+            {
+                throw new Exception("HpkeOpenBase should fail with tampered ciphertext");
+            }
+            Console.WriteLine("Tampered ciphertext test PASSED (correctly rejected).");
+
+            /* Negative test: mismatched AAD should fail */
+            Console.WriteLine("Testing HpkeOpenBase with mismatched AAD...");
+            byte[] wrongAad = Encoding.UTF8.GetBytes("wrong aad");
+            badResult = wolfcrypt.HpkeOpenBase(hpke, receiverKey,
+                encCiphertext, info, wrongAad, plaintext.Length);
+            if (badResult != null)
+            {
+                throw new Exception("HpkeOpenBase should fail with mismatched AAD");
+            }
+            Console.WriteLine("Mismatched AAD test PASSED (correctly rejected).");
+
+            /* Negative test: invalid ptLen should fail */
+            Console.WriteLine("Testing HpkeOpenBase with invalid ptLen...");
+            badResult = wolfcrypt.HpkeOpenBase(hpke, receiverKey,
+                encCiphertext, info, aad, plaintext.Length + 1);
+            if (badResult != null)
+            {
+                throw new Exception("HpkeOpenBase should fail with incorrect ptLen");
+            }
+            Console.WriteLine("Invalid ptLen test PASSED (correctly rejected).");
         }
         finally
         {
@@ -1076,7 +1106,12 @@ public static void Main(string[] args)
 
             Console.WriteLine("\nStarting HPKE tests");
 
-            hpke_test(); /* HPKE Base mode test */
+            hpke_test(wolfcrypt.HpkeKem.DHKEM_P256_HKDF_SHA256,
+                wolfcrypt.HpkeKdf.HKDF_SHA256,
+                wolfcrypt.HpkeAead.AES_128_GCM);
+            hpke_test(wolfcrypt.HpkeKem.DHKEM_X25519_HKDF_SHA256,
+                wolfcrypt.HpkeKdf.HKDF_SHA256,
+                wolfcrypt.HpkeAead.AES_128_GCM);
 
             wolfcrypt.Cleanup();
 
diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs
@@ -3259,8 +3259,10 @@ public enum HpkeAead : ushort {
         /* HPKE Nt (GCM tag length) */
         private static readonly int HPKE_Nt = 16;
 
-        /* Hpke struct is ~80 bytes on 64-bit (see hpke.h). Over-allocate to
-         * accommodate future growth and platform alignment differences. */
+        /* Hpke struct is ~80 bytes on 64-bit (see hpke.h). Allocate 512 bytes
+         * (6x headroom) to accommodate platform alignment and future growth.
+         * If the native struct ever exceeds this, wc_HpkeInit will write OOB —
+         * keep in sync with hpke.h if the struct grows significantly. */
         private static readonly int HPKE_STRUCT_SZ = 512;
 
         /// <summary>
@@ -3605,13 +3607,26 @@ public static byte[] HpkeOpenBase(IntPtr hpke, IntPtr receiverKey,
 
                 /* encCiphertext = enc || ciphertext || GCM tag
                  * where ciphertext is ptLen bytes, tag is Nt bytes */
+                if (ptLen < 0 || ptLen > int.MaxValue - HPKE_Nt)
+                {
+                    log(ERROR_LOG, "HPKE open base: invalid ptLen");
+                    return null;
+                }
+
                 int sealLen = ptLen + HPKE_Nt;
-                if (ptLen < 0 || encCiphertext.Length < sealLen)
+                if (encCiphertext.Length < sealLen)
                 {
                     log(ERROR_LOG, "HPKE open base: encCiphertext too short for given ptLen");
                     return null;
                 }
-                ushort pubKeySz = (ushort)(encCiphertext.Length - sealLen);
+
+                int pubKeySzInt = encCiphertext.Length - sealLen;
+                if (pubKeySzInt < 0 || pubKeySzInt > ushort.MaxValue)
+                {
+                    log(ERROR_LOG, "HPKE open base: invalid encapsulated public key size");
+                    return null;
+                }
+                ushort pubKeySz = (ushort)pubKeySzInt;
 
                 /* Split enc and sealed data (ciphertext || tag) */
                 byte[] pubKey = new byte[pubKeySz];
@@ -3625,7 +3640,7 @@ public static byte[] HpkeOpenBase(IntPtr hpke, IntPtr receiverKey,
                 byte[] plaintext = new byte[ptLen];
 
                 /* ctSz is just the ciphertext length (without tag);
-                 * wc_HpkeContextOpenBase reads the tag from ct + ctSz */
+                 * wc_HpkeOpenBase reads the tag from ct + ctSz */
                 int ret = wc_HpkeOpenBase(hpke, receiverKey, pubKey, pubKeySz,
                     info, infoSz, aad, aadSz, ct, (uint)ptLen, plaintext);
                 if (ret != 0)
@@ -3642,6 +3657,36 @@ public static byte[] HpkeOpenBase(IntPtr hpke, IntPtr receiverKey,
                 return null;
             }
         }
+
+        /// <summary>
+        /// Convenience SingleShot open (decrypt) using HPKE Base mode.
+        /// Derives the plaintext length from the KEM enc length, so the caller
+        /// does not need to know ptLen.
+        /// </summary>
+        /// <param name="hpke">HPKE context from HpkeInit()</param>
+        /// <param name="receiverKey">Receiver private keypair</param>
+        /// <param name="encCiphertext">enc||ciphertext blob from HpkeSealBase()</param>
+        /// <param name="info">Info context bytes (can be null)</param>
+        /// <param name="aad">Additional authenticated data (can be null)</param>
+        /// <param name="kem">KEM used (to derive enc length)</param>
+        /// <returns>Decrypted plaintext byte array or null on failure</returns>
+        public static byte[] HpkeOpenBase(IntPtr hpke, IntPtr receiverKey,
+            byte[] encCiphertext, byte[] info, byte[] aad, HpkeKem kem)
+        {
+            ushort encLen = HpkeEncLen(kem);
+            if (encLen == 0)
+            {
+                log(ERROR_LOG, "HPKE open base: unsupported KEM");
+                return null;
+            }
+            if (encCiphertext == null || encCiphertext.Length < encLen + HPKE_Nt)
+            {
+                log(ERROR_LOG, "HPKE open base: encCiphertext too short");
+                return null;
+            }
+            int ptLen = encCiphertext.Length - encLen - HPKE_Nt;
+            return HpkeOpenBase(hpke, receiverKey, encCiphertext, info, aad, ptLen);
+        }
         /* END HPKE */
 
 
