Add SAKKE mask correctness regression test

JeremiahM37 · JeremiahM37 · commit e8e1b98785c4 · 2026-05-11T05:58:36.000Z
diff --git a/tests/unit.c b/tests/unit.c
@@ -209,6 +209,151 @@ static int sakke_xor_in_v_oob_test(void)
 }
 #endif
 
+#ifdef WOLFCRYPT_HAVE_SAKKE
+/* Verify sakke_hash_to_range produces the full RFC 6508 5.1 mask for
+ * ssvSz=48 with SHA-256, and that the public APIs reject ssvSz=0. The
+ * old broken offset math left ssv[16..31] never XORed; encapsulating
+ * an all-zero ssv exposes the gap (those bytes stay zero under the
+ * bug, become random mask material once fixed). */
+static int sakke_mask_correctness_test(void)
+{
+    SakkeKey key;
+    WC_RNG rng;
+    byte id[] = "user@example.com";
+    word16 ssvSz = 48;
+    word16 ssvSzZero = 0;
+    word16 ssvSzTooBig = 0xFFFF;  /* exceeds n for any supported curve */
+    word16 authSz = 0;
+    byte ssv[48];
+    byte* auth = NULL;
+    ecc_point* rsk = NULL;
+    int ret;
+    int i;
+    int allZero = 1;
+    int rc = 0;
+
+    if (wc_InitRng(&rng) != 0) {
+        printf("sakke_correctness: SKIP (rng init)\n");
+        return 0;
+    }
+    if (wc_InitSakkeKey_ex(&key, 128, ECC_SAKKE_1, NULL, INVALID_DEVID) != 0) {
+        wc_FreeRng(&rng);
+        printf("sakke_correctness: SKIP (sakke key init)\n");
+        return 0;
+    }
+    if (wc_MakeSakkeKey(&key, &rng) != 0) {
+        wc_FreeSakkeKey(&key);
+        wc_FreeRng(&rng);
+        printf("sakke_correctness: SKIP (sakke key gen)\n");
+        return 0;
+    }
+    if (wc_SetSakkeIdentity(&key, id, sizeof(id) - 1) != 0) {
+        wc_FreeSakkeKey(&key);
+        wc_FreeRng(&rng);
+        printf("sakke_correctness: SKIP (set identity)\n");
+        return 0;
+    }
+
+    ret = wc_MakeSakkeEncapsulatedSSV(&key, WC_HASH_TYPE_SHA256, ssv, ssvSz,
+                                      NULL, &authSz);
+    if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) {
+        printf("sakke_correctness: SKIP (auth size query)\n");
+        goto cleanup;
+    }
+    auth = (byte*)XMALLOC(authSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (auth == NULL) {
+        printf("sakke_correctness: SKIP (alloc)\n");
+        goto cleanup;
+    }
+
+    XMEMSET(ssv, 0, ssvSz);
+    ret = wc_MakeSakkeEncapsulatedSSV(&key, WC_HASH_TYPE_SHA256, ssv, ssvSz,
+                                      auth, &authSz);
+    if (ret != 0) {
+        printf("sakke_correctness: FAIL (encap ret=%d)\n", ret);
+        rc = -1;
+        goto cleanup;
+    }
+    for (i = 16; i < 32; i++) {
+        if (ssv[i] != 0) { allZero = 0; break; }
+    }
+    if (allZero) {
+        printf("sakke_correctness: FAIL (ssv[16..31] not XORed)\n");
+        rc = -1;
+        goto cleanup;
+    }
+
+    ret = wc_MakeSakkeEncapsulatedSSV(&key, WC_HASH_TYPE_SHA256, ssv, ssvSzZero,
+                                      auth, &authSz);
+    if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
+        printf("sakke_correctness: FAIL (encap ssvSz=0 ret=%d)\n", ret);
+        rc = -1;
+        goto cleanup;
+    }
+    ret = wc_DeriveSakkeSSV(&key, WC_HASH_TYPE_SHA256, ssv, ssvSzZero,
+                            auth, authSz);
+    if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
+        printf("sakke_correctness: FAIL (derive ssvSz=0 ret=%d)\n", ret);
+        rc = -1;
+        goto cleanup;
+    }
+
+    /* ssvSz > n on encap: reachable directly because encap doesn't
+     * require RSK to be set. */
+    ret = wc_MakeSakkeEncapsulatedSSV(&key, WC_HASH_TYPE_SHA256, ssv,
+                                      ssvSzTooBig, auth, &authSz);
+    if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
+        printf("sakke_correctness: FAIL (encap ssvSz>n ret=%d)\n", ret);
+        rc = -1;
+        goto cleanup;
+    }
+
+    /* ssvSz > n on derive: the check sits below the !rsk.set gate, so
+     * we must populate RSK first or derive returns BAD_STATE_E and the
+     * range check is never reached. Use this key as both KMS and
+     * recipient. */
+    rsk = wc_ecc_new_point();
+    if (rsk == NULL) {
+        printf("sakke_correctness: SKIP (rsk alloc)\n");
+        goto cleanup;
+    }
+    if (wc_MakeSakkeRsk(&key, id, sizeof(id) - 1, rsk) != 0) {
+        printf("sakke_correctness: SKIP (make rsk)\n");
+        goto cleanup;
+    }
+    if (wc_SetSakkeRsk(&key, rsk, NULL, 0) != 0) {
+        printf("sakke_correctness: SKIP (set rsk)\n");
+        goto cleanup;
+    }
+    ret = wc_DeriveSakkeSSV(&key, WC_HASH_TYPE_SHA256, ssv, ssvSzTooBig,
+                            auth, authSz);
+    if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
+        printf("sakke_correctness: FAIL (derive ssvSz>n ret=%d)\n", ret);
+        rc = -1;
+        goto cleanup;
+    }
+
+    printf("sakke_correctness: PASS\n");
+
+cleanup:
+    if (rsk != NULL) {
+        wc_ecc_del_point(rsk);
+    }
+    if (auth != NULL) {
+        XFREE(auth, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+    wc_FreeSakkeKey(&key);
+    wc_FreeRng(&rng);
+    return rc;
+}
+#else
+static int sakke_mask_correctness_test(void)
+{
+    printf("sakke_correctness: SKIP (WOLFCRYPT_HAVE_SAKKE not defined)\n");
+    return 0;
+}
+#endif
+
 int allTesting = 1;
 int apiTesting = 1;
 int myoptind = 0;
@@ -444,6 +589,11 @@ int unit_test(int argc, char** argv)
             fflush(stdout);
             goto exit;
         }
+        if (sakke_mask_correctness_test() != 0) {
+            ret = -1;
+            fflush(stdout);
+            goto exit;
+        }
         fflush(stdout);
 
         XMEMSET(&wc_args, 0, sizeof(wc_args));
