Skip to content

Fenrir fixes #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aidangarske merged 8 commits into from
Apr 29, 2026
Merged

Fenrir fixes #15

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
61cab59
Fix OFB decrypt AES key setup
danielinux Apr 29, 2026
6075ef6
Restrict KDF input keys to DERIVE usage
danielinux Apr 29, 2026
7df9fb3
Add X448 PSA usability test
danielinux Apr 29, 2026
d5fe8af
Add ML-DSA parameter mapping coverage
danielinux Apr 29, 2026
88e8417
Scrub hash clone cleanup paths
danielinux Apr 29, 2026
61728f2
Remove dead psa_engine helpers
danielinux Apr 29, 2026
ca9b864
Fix regression in PSA compliance test
danielinux Apr 29, 2026
9c3144b
Addressed reviewer's comments
danielinux Apr 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions src/psa_cipher.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -400,7 +400,7 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
}

#ifdef WOLFSSL_AES_COUNTER
if (alg == PSA_ALG_CTR || alg == PSA_ALG_CFB) {
if (alg == PSA_ALG_CTR) {
ret = wc_AesCtrSetKey(&ctx->aes, key_data, (word32)key_data_length,
ctx->iv, AES_ENCRYPTION);
}
Expand Down Expand Up @@ -543,13 +543,14 @@ psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
}

#ifdef WOLFSSL_AES_COUNTER
if (alg == PSA_ALG_CTR || alg == PSA_ALG_CFB) {
if (alg == PSA_ALG_CTR) {
ret = wc_AesCtrSetKey(&ctx->aes, key_data, (word32)key_data_length,
ctx->iv, AES_ENCRYPTION);
}
Comment thread
aidangarske marked this conversation as resolved.
else
#endif
if (alg == PSA_ALG_CCM_STAR_NO_TAG) {
if (alg == PSA_ALG_CCM_STAR_NO_TAG || alg == PSA_ALG_OFB ||
Comment thread
aidangarske marked this conversation as resolved.
alg == PSA_ALG_CFB) {
ret = wc_AesSetKey(&ctx->aes, key_data, (word32)key_data_length,
ctx->iv, AES_ENCRYPTION);
}
Expand Down
222 changes: 0 additions & 222 deletions src/psa_engine.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,62 +31,6 @@
#include <wolfpsa/psa_engine.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/types.h>
Comment thread
danielinux marked this conversation as resolved.
#include <wolfssl/wolfcrypt/ecc.h>

/* PSA status code to wolfCrypt error code conversion */
int psa_status_to_wc_error(psa_status_t status)
{
int ret;

switch (status) {
case PSA_SUCCESS:
ret = 0;
break;
case PSA_ERROR_NOT_SUPPORTED:
ret = NOT_COMPILED_IN;
break;
case PSA_ERROR_INVALID_ARGUMENT:
ret = BAD_FUNC_ARG;
break;
case PSA_ERROR_BUFFER_TOO_SMALL:
ret = BUFFER_E;
break;
case PSA_ERROR_INSUFFICIENT_MEMORY:
ret = MEMORY_E;
break;
case PSA_ERROR_COMMUNICATION_FAILURE:
case PSA_ERROR_HARDWARE_FAILURE:
ret = WC_HW_E;
break;
case PSA_ERROR_CORRUPTION_DETECTED:
ret = SIG_VERIFY_E;
break;
case PSA_ERROR_INSUFFICIENT_ENTROPY:
ret = RNG_FAILURE_E;
break;
case PSA_ERROR_INVALID_SIGNATURE:
ret = SIG_VERIFY_E;
break;
case PSA_ERROR_INVALID_PADDING:
ret = BAD_PADDING_E;
break;
case PSA_ERROR_INSUFFICIENT_DATA:
ret = BUFFER_E;
break;
case PSA_ERROR_INVALID_HANDLE:
ret = BAD_FUNC_ARG;
break;
case PSA_ERROR_BAD_STATE:
ret = BAD_STATE_E;
break;
default:
ret = WC_FAILURE;
break;
}

return ret;
}

/* wolfCrypt error code to PSA status code conversion */
psa_status_t wc_error_to_psa_status(int ret)
{
Expand Down Expand Up @@ -146,170 +90,4 @@ psa_status_t wc_error_to_psa_status(int ret)
return status;
}

/* Check if algorithm is supported */
psa_status_t psa_check_alg_supported(psa_algorithm_t alg)
{
/* Check if the algorithm is a cipher algorithm */
if (PSA_ALG_IS_CIPHER(alg)) {
switch (alg) {
case PSA_ALG_ECB_NO_PADDING:
#if defined(HAVE_AES_ECB)
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

case PSA_ALG_CBC_NO_PADDING:
#if defined(HAVE_AES_CBC)
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

case PSA_ALG_CBC_PKCS7:
#if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_PADDING)
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

case PSA_ALG_CTR:
#if defined(WOLFSSL_AES_COUNTER)
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

case PSA_ALG_CFB:
#if defined(WOLFSSL_AES_CFB)
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

default:
return PSA_ERROR_NOT_SUPPORTED;
}
}

return PSA_ERROR_NOT_SUPPORTED;
}

/* Check if key type is supported */
psa_status_t psa_check_key_type_supported(psa_key_type_t type)
{
switch (type) {
case PSA_KEY_TYPE_AES:
#ifndef NO_AES
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

case PSA_KEY_TYPE_DES:
#ifndef NO_DES3
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

case PSA_KEY_TYPE_HMAC:
#ifndef NO_HMAC
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

case PSA_KEY_TYPE_RAW_DATA:
return PSA_SUCCESS;

case PSA_KEY_TYPE_CHACHA20:
#if defined(HAVE_CHACHA)
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

default:
break;
}

if (PSA_KEY_TYPE_IS_RSA(type)) {
#ifndef NO_RSA
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif
}

if (PSA_KEY_TYPE_IS_ECC(type)) {
#ifdef HAVE_ECC
return PSA_SUCCESS;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif
}

return PSA_ERROR_NOT_SUPPORTED;
}

/* Check if key size is valid for the given key type */
psa_status_t psa_check_key_size_valid(psa_key_type_t type, size_t bits)
{
extern int wc_psa_get_ecc_curve_id(psa_key_type_t type, size_t bits);

switch (type) {
case PSA_KEY_TYPE_AES:
#ifndef NO_AES
if (bits == 128 || bits == 192 || bits == 256) {
return PSA_SUCCESS;
}
return PSA_ERROR_INVALID_ARGUMENT;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif

case PSA_KEY_TYPE_HMAC:
case PSA_KEY_TYPE_RAW_DATA:
if (bits > 0) {
return PSA_SUCCESS;
}
return PSA_ERROR_INVALID_ARGUMENT;

case PSA_KEY_TYPE_CHACHA20:
if (bits == 256) {
return PSA_SUCCESS;
}
return PSA_ERROR_INVALID_ARGUMENT;

default:
break;
}

if (PSA_KEY_TYPE_IS_RSA(type)) {
#ifndef NO_RSA
if (bits >= 2048 && (bits % 8u) == 0 &&
bits <= PSA_VENDOR_RSA_MAX_KEY_BITS) {
return PSA_SUCCESS;
}
return PSA_ERROR_INVALID_ARGUMENT;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif
}

if (PSA_KEY_TYPE_IS_ECC(type)) {
#ifdef HAVE_ECC
if (wc_psa_get_ecc_curve_id(type, bits) != ECC_CURVE_INVALID) {
return PSA_SUCCESS;
}
return PSA_ERROR_NOT_SUPPORTED;
#else
return PSA_ERROR_NOT_SUPPORTED;
#endif
}

return PSA_ERROR_NOT_SUPPORTED;
}

#endif /* WOLFSSL_PSA_ENGINE */
2 changes: 2 additions & 0 deletions src/psa_hash_engine.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -815,12 +815,14 @@ psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
break;
#endif
default:
Comment thread
aidangarske marked this conversation as resolved.
wc_ForceZero(target_ctx, sizeof(*target_ctx));
XFREE(target_ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return PSA_ERROR_NOT_SUPPORTED;
}

if (ret != 0) {
psa_hash_cleanup_ctx(target_ctx);
wc_ForceZero(target_ctx, sizeof(*target_ctx));
XFREE(target_ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return wc_error_to_psa_status(ret);
}
Expand Down
Loading
Loading