Fixes 20260422#13
danielinux commented Apr 22, 2026
- 30701ac F/2819 added negative coverage proving invalid signatures are rejected.
- bed6c06 F/2823 added ML-DSA negative coverage for invalid signature verification.
- 39956d1 F/2812 fixed psa_copy_key() so unspecified destination type correctly inherits the source type.
- 141fdc2 F/3174 fixed psa_import_key() to preserve the original volatile-store failure instead of collapsing it to a generic error.
- 98df05e F/3175 fixed persistent import so failed store writes are aborted instead of leaving partial state behind.
- 6019cd0 F/2816 fixed AEAD policy validation to reject invalid GCM tag lengths.
- 9bbb382 F/2817 fixed HKDF setup to assign the correct default derivation capacity.
- f248c85 F/3177 fixed key import to reject unsupported 2-key 3DES material.
- 2a49b43 F/2820 added coverage for MAC verification failure paths that could previously be deleted undetected.
- 351ee43 F/2821 added negative PSA usage-policy tests so missing enforcement is caught by the harness.
- 7a8efee F/3176 fixed psa_key_agreement() dispatch so KDF-backed agreements route to the correct implementation.
- fbe5c8b F/2829 fixed missing PSA support for Montgomery key operations.
- 409226f F/3182 fixed RSA PKCS#1 v1.5 raw verify so valid signatures over inputs larger than PSA_HASH_MAX_SIZE round-trip correctly.
- 7e9de67 F/2825 fixed PBKDF2-HMAC to reject wc_PBKDF2() arguments that overflow int.
- 6dd3343 F/2813 fixed ML-KEM paths to validate size_t to word32 length conversions before calling wolfCrypt.
- e83896d F/2814 fixed Ed25519/Ed448 helpers to validate size_t to word32 length conversions before calling wolfCrypt.
- 03cc22e F/2815 fixed raw key agreement to validate size_t to word32 conversions before calling wolfCrypt.
- daa919c F/2818 fixed psa_key_derivation_set_capacity() to enforce monotonic capacity reduction after output starts.
- f2ce25a F/3179 fixed multipart GCM to require exactly 12-byte nonces in psa_aead_set_nonce().
- 4366fe2 F/2822 added coverage proving GCM/CCM correctly reject non-AES keys.
- e24cb2f F/2824 added coverage proving AES cipher modes correctly reject non-AES keys.
- 9c2a1fe F/3183 fixed psa_mac_verify_finish() to accept valid MACs longer than the encoded minimum for PSA_ALG_AT_LEAST_THIS_LENGTH_MAC.
- c2b66ca F/2826 fixed psa_key_derivation_verify_bytes() to validate oversized expected lengths before generating output.
- 202f68e F/3187 fixed psa_hash_finish() to scrub the heap hash context before freeing it on the success path.
- 3e19a3e F/3181 fixed psa_import_key() to reject unknown or reserved usage-flag bits.
- 2b4a235 F/2827 fixed zero-length KDF verification so it no longer depends on XMALLOC(0) behavior.
Pull request overview
This PR is a rollup of PSA Crypto fixes plus new negative-coverage tests, focused on tightening validation/error propagation and adding/rounding out support for several algorithms (notably PQC ML-DSA and Montgomery/X25519/X448 paths).
Changes:
- Adds/extends negative tests to ensure invalid signatures, usage-policy violations, algorithm/key mismatches, and storage short-writes are rejected reliably.
- Fixes multiple PSA implementation issues (key import/copy behavior, AEAD GCM validation, KDF/HKDF/PBKDF2 handling, RSA raw verify sizing, hash context scrubbing, etc.).
- Adds/exports ML-DSA API surface and implements Montgomery-family keygen/export/agreement plumbing.
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| wolfpsa/psa/crypto.h | Exposes new PQC- and hash-based verify APIs via public header. |
| wolfpsa/psa/crypto-pqc.h | Adds ML-DSA parameter type/constants (but contains problematic empty macros). |
| wolfpsa.map | Updates shared-library symbol exports (adds ML-DSA exports). |
| user_settings.h | Enables SHAKE and Dilithium-related wolfSSL feature macros for builds/tests. |
| test/psa_server/psa_des3_stack_scrub_test.c | Adds regression coverage that 2-key 3DES import is rejected. |
| test/psa_server/psa_api_test.c | Adds extensive negative/edge-case coverage across MAC/cipher/AEAD/KDF/key-agreement/import/copy/RSA/Montgomery/ML-DSA. |
| src/psa_store_posix.c | Tracks failed writes to avoid committing temp files after write/flush errors. |
| src/psa_rsa.c | Fixes RSA PKCS#1 v1.5 RAW verify buffer sizing to support larger inputs. |
| src/psa_montgomery.c | Implements X25519/X448 keygen, public export, and key agreement helpers. |
| src/psa_mlkem.c | Adds size validation before size_t→word32 conversions for wolfCrypt calls. |
| src/psa_mldsa.c | Updates Dilithium/ML-DSA integration to new wolfCrypt API patterns and adds needed validation. |
| src/psa_mac.c | Fixes AT_LEAST_THIS_LENGTH_MAC verify to accept valid longer MACs. |
| src/psa_key_storage.c | Improves import/copy semantics (usage flags validation, 2-key 3DES rejection, inherit unspecified type, preserve volatile-store errors). |
| src/psa_key_derivation.c | Sets correct HKDF default capacity, enforces monotonic capacity, validates PBKDF2 argument ranges, and fixes zero-length verify behavior. |
| src/psa_hash_engine.c | Scrubs heap hash context memory on success path before freeing. |
| src/psa_ed25519_ed448.c | Adds size_t→word32 length validation before wolfCrypt API calls. |
| src/psa_cipher.c | Rejects 2-key 3DES material and removes implicit 2-key→3-key expansion. |
| src/psa_asymmetric_api.c | Routes KDF-backed key agreements correctly; adds Montgomery-family raw agreement dispatch + length validation. |
| src/psa_asymmetric.c | Adds Montgomery-family curve ID mapping for X25519/X448. |
| src/psa_aead.c | Tightens GCM tag-length validation and enforces 12-byte nonce requirement for GCM multipart usage. |
Comments suppressed due to low confidence (1)
wolfpsa/psa/crypto-pqc.h:44
- Several function-like macros in this header are defined with empty replacement lists (e.g., PSA_KEY_TYPE_IS_ML_KEM, PSA_KEY_TYPE_IS_ML_DSA, PSA_ALG_IS_ML_DSA, etc.). If any caller uses these in an expression, the preprocessor expansion will produce invalid C (e.g., if ()). These should be implemented (returning a proper boolean expression) or removed until supported.
#define PSA_KEY_TYPE_IS_ML_KEM(type)
#define PSA_ALG_ML_KEM ((psa_algorithm_t)0x0c000200)
#define PSA_KEY_TYPE_ML_DSA_KEY_PAIR ((psa_key_type_t)0x7002)
#define PSA_KEY_TYPE_ML_DSA_PUBLIC_KEY ((psa_key_type_t)0x4002)
#define PSA_ML_DSA_PARAMETER_2 ((psa_ml_dsa_parameter_t)2)
#define PSA_ML_DSA_PARAMETER_3 ((psa_ml_dsa_parameter_t)3)
#define PSA_ML_DSA_PARAMETER_5 ((psa_ml_dsa_parameter_t)5)
#define PSA_KEY_TYPE_IS_ML_DSA(type)
#define PSA_ALG_ML_DSA ((psa_algorithm_t) 0x06004400)
#define PSA_ALG_DETERMINISTIC_ML_DSA ((psa_algorithm_t) 0x06004500)
#define PSA_ALG_HASH_ML_DSA(hash_alg)
#define PSA_ALG_IS_ML_DSA(alg)
#define PSA_ALG_IS_HASH_ML_DSA(alg)
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #13
Scan targets checked: wolfpsa-bugs, wolfpsa-src
No new issues found in the changed files. ✅
Pull request overview
Copilot reviewed 19 out of 20 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
wolfpsa/psa/crypto-pqc.h:48
- Several public PSA PQC macros are defined with empty replacements (e.g., PSA_KEY_TYPE_IS_ML_KEM, PSA_KEY_TYPE_IS_ML_DSA, PSA_ALG_HASH_ML_DSA, PSA_ALG_IS_ML_DSA). As written, any consumer using these macros in an expression will get a compile error. These should expand to valid boolean/algorithm expressions (or at minimum be defined to 0/false) consistent with the rest of the PSA macro set in crypto_values.h.
#define PSA_KEY_TYPE_ML_KEM_KEY_PAIR ((psa_key_type_t)0x7004)
#define PSA_KEY_TYPE_ML_KEM_PUBLIC_KEY ((psa_key_type_t)0x4004)
#define PSA_KEY_TYPE_IS_ML_KEM(type)
#define PSA_ALG_ML_KEM ((psa_algorithm_t)0x0c000200)
#define PSA_KEY_TYPE_ML_DSA_KEY_PAIR ((psa_key_type_t)0x7002)
#define PSA_KEY_TYPE_ML_DSA_PUBLIC_KEY ((psa_key_type_t)0x4002)
#define PSA_ML_DSA_PARAMETER_2 ((psa_ml_dsa_parameter_t)2)
#define PSA_ML_DSA_PARAMETER_3 ((psa_ml_dsa_parameter_t)3)
#define PSA_ML_DSA_PARAMETER_5 ((psa_ml_dsa_parameter_t)5)
#define PSA_KEY_TYPE_IS_ML_DSA(type)
#define PSA_ALG_ML_DSA ((psa_algorithm_t) 0x06004400)
#define PSA_ALG_DETERMINISTIC_ML_DSA ((psa_algorithm_t) 0x06004500)
#define PSA_ALG_HASH_ML_DSA(hash_alg)
#define PSA_ALG_IS_ML_DSA(alg)
#define PSA_ALG_IS_HASH_ML_DSA(alg)
#define PSA_ALG_IS_DETERMINISTIC_HASH_ML_DSA(alg)
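To make both reviewer comments above concrete, here is an added example (not code from this PR or from wolfPSA) that takes the constants from the quoted header excerpt and writes the predicate macros as real boolean expressions instead of empty replacement lists. The typedefs, the 0x3000 key-pair category flag and the low-byte hash mask are assumptions here, following PSA's usual encoding conventions; the check_* wrappers exist only so the macros can be exercised from a test.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed stand-alone typedefs; the real ones come from psa/crypto_types.h. */
typedef uint16_t psa_key_type_t;
typedef uint32_t psa_algorithm_t;

/* Values exactly as listed in the crypto-pqc.h excerpt above. */
#define PSA_KEY_TYPE_ML_KEM_KEY_PAIR    ((psa_key_type_t)0x7004)
#define PSA_KEY_TYPE_ML_KEM_PUBLIC_KEY  ((psa_key_type_t)0x4004)
#define PSA_KEY_TYPE_ML_DSA_KEY_PAIR    ((psa_key_type_t)0x7002)
#define PSA_KEY_TYPE_ML_DSA_PUBLIC_KEY  ((psa_key_type_t)0x4002)
#define PSA_ALG_ML_DSA                  ((psa_algorithm_t)0x06004400)
#define PSA_ALG_DETERMINISTIC_ML_DSA    ((psa_algorithm_t)0x06004500)

/* Assumed PSA encoding conventions (not stated on the page): the key-pair
 * category flag that turns a public-key type into its key-pair type, and
 * the low byte of an algorithm id that carries the hash identifier. */
#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR ((psa_key_type_t)0x3000)
#define PSA_ALG_HASH_MASK               ((psa_algorithm_t)0x000000ff)
#define PSA_ALG_ML_DSA_DET_FLAG         ((psa_algorithm_t)0x00000100)

/* With an empty replacement list, "if (PSA_KEY_TYPE_IS_ML_KEM(t))" would
 * preprocess to "if ()" and fail to compile. A predicate must expand to a
 * boolean expression; here it is true for both key-pair and public-key. */
#define PSA_KEY_TYPE_IS_ML_KEM(type) \
    (((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) == PSA_KEY_TYPE_ML_KEM_KEY_PAIR)
#define PSA_KEY_TYPE_IS_ML_DSA(type) \
    (((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) == PSA_KEY_TYPE_ML_DSA_KEY_PAIR)

/* Pre-hashed ML-DSA keeps the hash id in the low byte; IS_ML_DSA masks out
 * both the hash byte and the deterministic flag so it accepts all forms. */
#define PSA_ALG_HASH_ML_DSA(hash_alg) \
    (PSA_ALG_ML_DSA | ((hash_alg) & PSA_ALG_HASH_MASK))
#define PSA_ALG_IS_ML_DSA(alg) \
    (((alg) & ~(PSA_ALG_HASH_MASK | PSA_ALG_ML_DSA_DET_FLAG)) == PSA_ALG_ML_DSA)
#define PSA_ALG_IS_HASH_ML_DSA(alg) \
    (PSA_ALG_IS_ML_DSA(alg) && ((alg) & PSA_ALG_HASH_MASK) != 0)

/* Hypothetical wrappers so the macros can be called and tested directly. */
bool check_ml_kem_type(psa_key_type_t t)      { return PSA_KEY_TYPE_IS_ML_KEM(t); }
bool check_ml_dsa_type(psa_key_type_t t)      { return PSA_KEY_TYPE_IS_ML_DSA(t); }
bool check_ml_dsa_alg(psa_algorithm_t a)      { return PSA_ALG_IS_ML_DSA(a); }
bool check_hash_ml_dsa_alg(psa_algorithm_t a) { return PSA_ALG_IS_HASH_ML_DSA(a); }
```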