Reject ssvSz=0 in SAKKE public APIs

JeremiahM37 · JeremiahM37 · commit fc2026264c07 · 2026-05-08T17:24:44.000-06:00
diff --git a/wolfcrypt/src/sakke.c b/wolfcrypt/src/sakke.c
@@ -6692,11 +6692,12 @@ static int sakke_compute_point_r(SakkeKey* key, const byte* id, word16 idSz,
  * @param  [out]     auth      Authentication data.
  * @param  [out]     authSz    Size of authentication data in bytes.
  * @return  0 on success.
- * @return  BAD_FUNC_ARG when key, ssv or encSz is NULL, ssvSz is to big or
- *          encSz is too small.
+ * @return  BAD_FUNC_ARG when key, ssv or authSz is NULL, when encapsulating
+ *          and ssvSz is 0 or larger than the curve modulus, or *authSz is
+ *          too small.
  * @return  BAD_STATE_E when identity not set.
  * @return  LENGTH_ONLY_E when auth is NULL. authSz contains required size of
- *          auth in bytes.
+ *          auth in bytes. ssvSz is not consulted on the size-query path.
  * @return  MEMORY_E when dynamic memory allocation fails.
  * @return  Other -ve value on internal failure.
  */
@@ -6728,8 +6729,17 @@ int wc_MakeSakkeEncapsulatedSSV(SakkeKey* key, enum wc_HashType hashType,
         /* Uncompressed point */
         outSz = (word16)(1 + 2 * n);
 
-        if ((auth != NULL) && (*authSz < outSz)) {
-            err = BAD_FUNC_ARG;
+        /* ssvSz is only meaningful when actually encapsulating; the
+         * size-query path (auth == NULL) only depends on the curve. RFC
+         * 6508 6.2.1 step 1 puts SSV in the range 0..2^n-1, so ssvSz must
+         * be in [1, n] octets. */
+        if (auth != NULL) {
+            if ((ssvSz == 0) || (ssvSz > n)) {
+                err = BAD_FUNC_ARG;
+            }
+            else if (*authSz < outSz) {
+                err = BAD_FUNC_ARG;
+            }
         }
     }
     if (err == 0) {
@@ -6867,7 +6877,8 @@ int wc_GenerateSakkeSSV(SakkeKey* key, WC_RNG* rng, byte* ssv, word16* ssvSz)
  * @param  [in]      auth      Authentication data.
  * @param  [in]      authSz    Size of authentication data in bytes.
  * @return  0 on success.
- * @return  BAD_FUNC_ARG when key, ssv or auth is NULL.
+ * @return  BAD_FUNC_ARG when key, ssv or auth is NULL, ssvSz is 0 or
+ *          larger than the curve modulus byte length.
  * @return  BAD_STATE_E when RSK or identity not set.
  * @return  SAKKE_VERIFY_FAIL_E when calculated R doesn't match the encapsulated
  *          data's R.
@@ -6886,7 +6897,7 @@ int wc_DeriveSakkeSSV(SakkeKey* key, enum wc_HashType hashType, byte* ssv,
     byte* test = NULL;
     byte a[WC_MAX_DIGEST_SIZE] = {0};
 
-    if ((key == NULL) || (ssv == NULL) || (auth == NULL)) {
+    if ((key == NULL) || (ssv == NULL) || (auth == NULL) || (ssvSz == 0)) {
         err = BAD_FUNC_ARG;
     }
     if ((err == 0) && (!key->rsk.set || (key->idSz == 0))) {
@@ -6905,6 +6916,10 @@ int wc_DeriveSakkeSSV(SakkeKey* key, enum wc_HashType hashType, byte* ssv,
         if (authSz != 2 * n + 1) {
             err = BAD_FUNC_ARG;
         }
+        /* RFC 6508 6.2.1: SSV is in 0..2^n-1, so ssvSz must be <= n. */
+        else if (ssvSz > n) {
+            err = BAD_FUNC_ARG;
+        }
     }
     if (err == 0) {
         err = sakke_load_base_point(key);
