Add negative tests for AEAD, PKCS7, PSS, DSA, DRBG, and PQ key

tests/api/test_aes.c

@@ -4392,6 +4392,72 @@ int test_wc_AesGcmStream_ReinitAfterFinal(void)
     return EXPECT_RESULT();
 } /* END test_wc_AesGcmStream_ReinitAfterFinal */
 
+int test_wc_AesGcmStream_BadAuthTag(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_AES) && defined(HAVE_AESGCM) && defined(HAVE_AES_DECRYPT) && \
+    defined(WOLFSSL_AES_128) && defined(WOLFSSL_AESGCM_STREAM)
+    static const byte key[AES_128_KEY_SIZE] = {
+        0xfe,0xff,0xe9,0x92, 0x86,0x65,0x73,0x1c,
+        0x6d,0x6a,0x8f,0x94, 0x67,0x30,0x83,0x08
+    };
+    static const byte iv[GCM_NONCE_MID_SZ] = {
+        0xca,0xfe,0xba,0xbe, 0xfa,0xce,0xdb,0xad,
+        0xde,0xca,0xf8,0x88
+    };
+    static const byte aad[20] = {
+        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
+        0xfe,0xed,0xfa,0xce, 0xde,0xad,0xbe,0xef,
+        0xab,0xad,0xda,0xd2
+    };
+    static const byte plain[16] = {
+        0xd9,0x31,0x32,0x25, 0xf8,0x84,0x06,0xe5,
+        0xa5,0x59,0x09,0xc5, 0xaf,0xf5,0x26,0x9a
+    };
+    Aes enc[1];
+    Aes dec[1];
+    byte ct[sizeof(plain)];
+    byte pt[sizeof(plain)];
+    byte tag[WC_AES_BLOCK_SIZE];
+
+    XMEMSET(enc, 0, sizeof(Aes));
+    XMEMSET(dec, 0, sizeof(Aes));
+    XMEMSET(tag, 0, sizeof(tag));
+
+    ExpectIntEQ(wc_AesInit(enc, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_AesGcmInit(enc, key, sizeof(key), iv, sizeof(iv)), 0);
+    ExpectIntEQ(wc_AesGcmEncryptUpdate(enc, ct, plain, sizeof(plain),
+        aad, sizeof(aad)), 0);
+    ExpectIntEQ(wc_AesGcmEncryptFinal(enc, tag, sizeof(tag)), 0);
+    wc_AesFree(enc);
+
+    tag[0] ^= 0x01;
+
+    ExpectIntEQ(wc_AesInit(dec, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv, sizeof(iv)), 0);
+    ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct, sizeof(ct),
+        aad, sizeof(aad)), 0);
+    ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag, sizeof(tag)),
+        WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
+    wc_AesFree(dec);
+
+    tag[0] ^= 0x01;
+    ExpectIntEQ(wc_AesInit(dec, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_AesGcmDecryptInit(dec, key, sizeof(key), iv, sizeof(iv)), 0);
+    {
+        byte bad_aad[sizeof(aad)];
+        XMEMCPY(bad_aad, aad, sizeof(aad));
+        bad_aad[0] ^= 0x01;
+        ExpectIntEQ(wc_AesGcmDecryptUpdate(dec, pt, ct, sizeof(ct),
+            bad_aad, sizeof(bad_aad)), 0);
+    }
+    ExpectIntEQ(wc_AesGcmDecryptFinal(dec, tag, sizeof(tag)),
+        WC_NO_ERR_TRACE(AES_GCM_AUTH_E));
+    wc_AesFree(dec);
+#endif
+    return EXPECT_RESULT();
+}
+
 /*******************************************************************************
  * GMAC
  ******************************************************************************/

tests/api/test_aes.h

@@ -54,6 +54,7 @@ int test_wc_AesGcmNonStdNonce(void);
 int test_wc_AesGcmStream(void);
 int test_wc_AesGcmStream_MidStreamState(void);
 int test_wc_AesGcmStream_ReinitAfterFinal(void);
+int test_wc_AesGcmStream_BadAuthTag(void);
 int test_wc_AesCcmSetKey(void);
 int test_wc_AesCcmEncryptDecrypt(void);
 int test_wc_AesCcmEncryptDecrypt_InPlace(void);
@@ -133,6 +134,7 @@ int test_wc_CryptoCb_AesGcm_EncryptDecrypt(void);
     TEST_DECL_GROUP("aes", test_wc_AesGcmStream),               \
     TEST_DECL_GROUP("aes", test_wc_AesGcmStream_MidStreamState),  \
     TEST_DECL_GROUP("aes", test_wc_AesGcmStream_ReinitAfterFinal), \
+    TEST_DECL_GROUP("aes", test_wc_AesGcmStream_BadAuthTag),       \
     TEST_DECL_GROUP("aes", test_wc_AesCcmSetKey),               \
     TEST_DECL_GROUP("aes", test_wc_AesCcmEncryptDecrypt),        \
     TEST_DECL_GROUP("aes", test_wc_AesCcmEncryptDecrypt_InPlace),            \

tests/api/test_chacha20_poly1305.c

@@ -284,6 +284,68 @@ int test_wc_XChaCha20Poly1305_aead(void)
     return EXPECT_RESULT();
 } /* END test_wc_XChaCha20Poly1305_aead */
 
+int test_wc_XChaCha20Poly1305_BadAuthTag(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_POLY1305) && defined(HAVE_XCHACHA)
+    const byte key[32] = {
+        0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+        0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+        0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+        0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+    };
+    const byte nonce[24] = {
+        0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+        0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+        0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57
+    };
+    const byte plaintext[] = {
+        0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x73
+    };
+    const byte aad[] = {
+        0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3
+    };
+    byte ct[sizeof(plaintext) + 16];
+    byte pt[sizeof(plaintext)];
+    byte ct_bad[sizeof(ct)];
+
+    XMEMSET(ct, 0, sizeof(ct));
+
+    ExpectIntEQ(wc_XChaCha20Poly1305_Encrypt(ct, sizeof(ct),
+        plaintext, sizeof(plaintext), aad, sizeof(aad),
+        nonce, sizeof(nonce), key, sizeof(key)), 0);
+
+    ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct, sizeof(ct),
+        aad, sizeof(aad), nonce, sizeof(nonce), key, sizeof(key)), 0);
+
+    XMEMCPY(ct_bad, ct, sizeof(ct));
+    ct_bad[sizeof(ct) - 1] ^= 0x01;
+    ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct_bad,
+        sizeof(ct_bad), aad, sizeof(aad), nonce, sizeof(nonce),
+        key, sizeof(key)),
+        WC_NO_ERR_TRACE(MAC_CMP_FAILED_E));
+
+    XMEMCPY(ct_bad, ct, sizeof(ct));
+    ct_bad[0] ^= 0x01;
+    ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct_bad,
+        sizeof(ct_bad), aad, sizeof(aad), nonce, sizeof(nonce),
+        key, sizeof(key)),
+        WC_NO_ERR_TRACE(MAC_CMP_FAILED_E));
+
+    {
+        byte aad_bad[sizeof(aad)];
+        XMEMCPY(aad_bad, aad, sizeof(aad));
+        aad_bad[0] ^= 0x01;
+        ExpectIntEQ(wc_XChaCha20Poly1305_Decrypt(pt, sizeof(pt), ct, sizeof(ct),
+            aad_bad, sizeof(aad_bad), nonce, sizeof(nonce),
+            key, sizeof(key)),
+            WC_NO_ERR_TRACE(MAC_CMP_FAILED_E));
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
 #include <wolfssl/wolfcrypt/random.h>
 
 #define MC_CIPHER_TEST_COUNT     100

tests/api/test_chacha20_poly1305.h

@@ -26,6 +26,7 @@
 
 int test_wc_ChaCha20Poly1305_aead(void);
 int test_wc_XChaCha20Poly1305_aead(void);
+int test_wc_XChaCha20Poly1305_BadAuthTag(void);
 int test_wc_ChaCha20Poly1305_MonteCarlo(void);
 int test_wc_ChaCha20Poly1305_Stream(void);
 int test_wc_ChaCha20Poly1305_AeadEdgeCases(void);
@@ -38,6 +39,7 @@ int test_wc_ChaCha20Poly1305_CrossCipher(void);
 #define TEST_CHACHA20_POLY1305_DECLS                                                        \
     TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_aead),                   \
     TEST_DECL_GROUP("xchacha20-poly1305", test_wc_XChaCha20Poly1305_aead),                 \
+    TEST_DECL_GROUP("xchacha20-poly1305", test_wc_XChaCha20Poly1305_BadAuthTag),           \
     TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_MonteCarlo),             \
     TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_Stream),                 \
     TEST_DECL_GROUP("chacha20-poly1305", test_wc_ChaCha20Poly1305_AeadEdgeCases),          \

tests/api/test_dsa.c

@@ -117,6 +117,16 @@ int test_wc_DsaSignVerify(void)
     ExpectIntEQ(wc_DsaVerify(hash, signature, NULL, &answer), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wc_DsaVerify(hash, signature, &key, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
+    {
+        byte badHash[WC_SHA_DIGEST_SIZE];
+
+        XMEMCPY(badHash, hash, sizeof(badHash));
+        badHash[0] ^= 0x01;
+        answer = 1;
+        ExpectIntEQ(wc_DsaVerify(badHash, signature, &key, &answer), 0);
+        ExpectIntEQ(answer, 0);
+    }
+
 #if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_PUBLIC_MP)
     /* hard set q to 0 and test fail case */
     mp_free(&key.q);

tests/api/test_mlkem.c

@@ -4018,3 +4018,54 @@ int test_wc_mlkem_decap_fo_reject(void)
     return EXPECT_RESULT();
 } /* END test_wc_mlkem_decap_fo_reject */
 
+int test_wc_mlkem_decode_privkey_bad_pubhash(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_HAVE_MLKEM) && defined(WOLFSSL_WC_MLKEM) && \
+    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY)
+    MlKemKey* key = NULL;
+    WC_RNG rng;
+    byte   priv[WC_ML_KEM_MAX_PRIVATE_KEY_SIZE];
+    word32 privLen = 0;
+#ifndef WOLFSSL_NO_ML_KEM_768
+    const int mlkemType = WC_ML_KEM_768;
+#elif !defined(WOLFSSL_NO_ML_KEM_512)
+    const int mlkemType = WC_ML_KEM_512;
+#else
+    const int mlkemType = WC_ML_KEM_1024;
+#endif
+
+    XMEMSET(&rng, 0, sizeof(rng));
+    XMEMSET(priv, 0, sizeof(priv));
+
+    key = (MlKemKey*)XMALLOC(sizeof(*key), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    ExpectNotNull(key);
+    ExpectIntEQ(wc_InitRng(&rng), 0);
+
+    ExpectIntEQ(wc_MlKemKey_Init(key, mlkemType, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_MlKemKey_MakeKey(key, &rng), 0);
+    ExpectIntEQ(wc_MlKemKey_PrivateKeySize(key, &privLen), 0);
+    ExpectTrue(privLen > (word32)(2 * WC_ML_KEM_SYM_SZ));
+    ExpectIntEQ(wc_MlKemKey_EncodePrivateKey(key, priv, privLen), 0);
+
+    wc_MlKemKey_Free(key);
+    ExpectIntEQ(wc_MlKemKey_Init(key, mlkemType, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_MlKemKey_DecodePrivateKey(key, priv, privLen), 0);
+    wc_MlKemKey_Free(key);
+
+    /* Tamper H(ek) (32 bytes before z). */
+    if (privLen > (word32)(2 * WC_ML_KEM_SYM_SZ)) {
+        priv[privLen - 2 * WC_ML_KEM_SYM_SZ] ^= 0x01;
+    }
+
+    ExpectIntEQ(wc_MlKemKey_Init(key, mlkemType, NULL, INVALID_DEVID), 0);
+    ExpectIntEQ(wc_MlKemKey_DecodePrivateKey(key, priv, privLen),
+        WC_NO_ERR_TRACE(MLKEM_PUB_HASH_E));
+    wc_MlKemKey_Free(key);
+
+    DoExpectIntEQ(wc_FreeRng(&rng), 0);
+    XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+    return EXPECT_RESULT();
+} /* END test_wc_mlkem_decode_privkey_bad_pubhash */
+

tests/api/test_mlkem.h

@@ -29,12 +29,14 @@ int test_wc_mlkem_encapsulate_kats(void);
 int test_wc_mlkem_decapsulate_kats(void);
 int test_wc_mlkem_decapsulate_pubonly_fails(void);
 int test_wc_mlkem_decap_fo_reject(void);
+int test_wc_mlkem_decode_privkey_bad_pubhash(void);
 
 #define TEST_MLKEM_DECLS                                                \
     TEST_DECL_GROUP("mlkem", test_wc_mlkem_make_key_kats),              \
     TEST_DECL_GROUP("mlkem", test_wc_mlkem_encapsulate_kats),           \
     TEST_DECL_GROUP("mlkem", test_wc_mlkem_decapsulate_kats),           \
     TEST_DECL_GROUP("mlkem", test_wc_mlkem_decapsulate_pubonly_fails),  \
-    TEST_DECL_GROUP("mlkem", test_wc_mlkem_decap_fo_reject)
+    TEST_DECL_GROUP("mlkem", test_wc_mlkem_decap_fo_reject),            \
+    TEST_DECL_GROUP("mlkem", test_wc_mlkem_decode_privkey_bad_pubhash)
 
 #endif /* WOLFCRYPT_TEST_MLKEM_H */

tests/api/test_pkcs7.c

@@ -2103,6 +2103,54 @@ int test_wc_PKCS7_VerifySignedData_RSA(void)
     return EXPECT_RESULT();
 } /* END test_wc_PKCS7_VerifySignedData()_RSA */
 
+int test_wc_PKCS7_VerifySignedData_TamperedAttribs(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && !defined(NO_RSA)
+    PKCS7* pkcs7 = NULL;
+    byte   output[6000];
+    word32 outputSz = sizeof(output);
+    byte   data[] = "Test data to encode.";
+    /* SCEP messageType OID + SET { PrintableString "19" } */
+    const byte pattern[] = {
+        0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8,
+        0x45, 0x01, 0x09, 0x02,
+        0x31, 0x04, 0x13, 0x02, 0x31, 0x39
+    };
+    word32 i;
+    int    found = -1;
+    int    matches = 0;
+
+    XMEMSET(output, 0, outputSz);
+    ExpectIntGT((outputSz = (word32)CreatePKCS7SignedData(output, (int)outputSz,
+        data, (word32)sizeof(data),
+        1 /* withAttribs */, 0 /* detached */, 0, RSA_TYPE)), 0);
+
+    if (outputSz > 0 && outputSz <= sizeof(output)) {
+        for (i = 0; i + sizeof(pattern) <= outputSz; i++) {
+            if (XMEMCMP(output + i, pattern, sizeof(pattern)) == 0) {
+                if (matches == 0)
+                    found = (int)i;
+                matches++;
+            }
+        }
+        ExpectIntEQ(matches, 1);
+    }
+
+    if (matches == 1 && found >= 0) {
+        output[found + (int)sizeof(pattern) - 1] ^= 0x01;
+
+        ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
+        ExpectIntEQ(wc_PKCS7_VerifySignedData(pkcs7, output, outputSz),
+            WC_NO_ERR_TRACE(SIG_VERIFY_E));
+        wc_PKCS7_Free(pkcs7);
+        pkcs7 = NULL;
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
 /*
  * Testing wc_PKCS_VerifySignedData()
  */
@@ -2292,6 +2340,54 @@ int test_wc_PKCS7_VerifySignedData_ECC(void)
     return EXPECT_RESULT();
 } /* END test_wc_PKCS7_VerifySignedData_ECC() */
 
+int test_wc_PKCS7_VerifySignedData_ECC_TamperedAttribs(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && defined(HAVE_ECC)
+    PKCS7* pkcs7 = NULL;
+    byte   output[6000];
+    word32 outputSz = sizeof(output);
+    byte   data[] = "Test data to encode.";
+    /* SCEP messageType OID + SET { PrintableString "19" } */
+    const byte pattern[] = {
+        0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8,
+        0x45, 0x01, 0x09, 0x02,
+        0x31, 0x04, 0x13, 0x02, 0x31, 0x39
+    };
+    word32 i;
+    int    found = -1;
+    int    matches = 0;
+
+    XMEMSET(output, 0, outputSz);
+    ExpectIntGT((outputSz = (word32)CreatePKCS7SignedData(output, (int)outputSz,
+        data, (word32)sizeof(data),
+        1 /* withAttribs */, 0 /* detached */, 0, ECC_TYPE)), 0);
+
+    if (outputSz > 0 && outputSz <= sizeof(output)) {
+        for (i = 0; i + sizeof(pattern) <= outputSz; i++) {
+            if (XMEMCMP(output + i, pattern, sizeof(pattern)) == 0) {
+                if (matches == 0)
+                    found = (int)i;
+                matches++;
+            }
+        }
+        ExpectIntEQ(matches, 1);
+    }
+
+    if (matches == 1 && found >= 0) {
+        output[found + (int)sizeof(pattern) - 1] ^= 0x01;
+
+        ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
+        ExpectIntEQ(wc_PKCS7_VerifySignedData(pkcs7, output, outputSz),
+            WC_NO_ERR_TRACE(SIG_VERIFY_E));
+        wc_PKCS7_Free(pkcs7);
+        pkcs7 = NULL;
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
 
 #if defined(HAVE_PKCS7) && !defined(NO_AES) && defined(HAVE_AES_CBC) && \
     defined(WOLFSSL_AES_256) && defined(HAVE_AES_KEYWRAP)

tests/api/test_pkcs7.h

@@ -40,7 +40,9 @@ int test_wc_PKCS7_EnvelopedData_KTRI_RSA_PSS(void);
 #endif
 int test_wc_PKCS7_EncodeSignedData_ex(void);
 int test_wc_PKCS7_VerifySignedData_RSA(void);
+int test_wc_PKCS7_VerifySignedData_TamperedAttribs(void);
 int test_wc_PKCS7_VerifySignedData_ECC(void);
+int test_wc_PKCS7_VerifySignedData_ECC_TamperedAttribs(void);
 int test_wc_PKCS7_DecodeEnvelopedData_stream(void);
 int test_wc_PKCS7_EncodeDecodeEnvelopedData(void);
 int test_wc_PKCS7_SetAESKeyWrapUnwrapCb(void);
@@ -89,7 +91,9 @@ int test_wc_PKCS7_VerifySignedData_IndefLenOOB(void);
     TEST_PKCS7_RSA_PSS_SD_DECL                                           \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_EncodeSignedData_ex),     \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_VerifySignedData_RSA),    \
+    TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_VerifySignedData_TamperedAttribs), \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_VerifySignedData_ECC),    \
+    TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_VerifySignedData_ECC_TamperedAttribs), \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_Degenerate),              \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_BER),                     \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_NoDefaultSignedAttribs),  \