Skip to content

Add Testing Validation and Fixes for wolfPSA #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
danielinux merged 16 commits into from
Apr 21, 2026
Merged

Add Testing Validation and Fixes for wolfPSA #9

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
991d63f
F-2404 - https://fenrir.wolfssl.com/finding/2404 - add test for psa_e…
aidangarske Apr 8, 2026
3aff904
F-2417 - https://fenrir.wolfssl.com/finding/2417 - add ForceZero befo…
aidangarske Apr 8, 2026
7afc407
F-2405 - https://fenrir.wolfssl.com/finding/2405 - add tests for psa_…
aidangarske Apr 8, 2026
4858a0b
F-2421 - https://fenrir.wolfssl.com/finding/2421 - fix key derivation…
aidangarske Apr 8, 2026
81134e0
F-2396 - https://fenrir.wolfssl.com/finding/2396 - reject PSA_ALG_NON…
aidangarske Apr 8, 2026
4a38971
F-2406 - https://fenrir.wolfssl.com/finding/2406 - add test for ciphe…
aidangarske Apr 8, 2026
39ce0e7
F-2407 - https://fenrir.wolfssl.com/finding/2407 - add test for asymm…
aidangarske Apr 8, 2026
43678b2
F-2408 - https://fenrir.wolfssl.com/finding/2408 - add tests for psa_…
aidangarske Apr 8, 2026
5245ffd
F-2409 - https://fenrir.wolfssl.com/finding/2409 - add test for psa_k…
aidangarske Apr 8, 2026
955f398
F-2410 - https://fenrir.wolfssl.com/finding/2410 - add test for AEAD …
aidangarske Apr 8, 2026
0237f0e
F-2414 - https://fenrir.wolfssl.com/finding/2414 - add test for MAC a…
aidangarske Apr 8, 2026
a2b5ccd
F-2422 - https://fenrir.wolfssl.com/finding/2422 - allow multi-part c…
aidangarske Apr 8, 2026
c4f712b
F-2423 - https://fenrir.wolfssl.com/finding/2423 - allow HKDF-Extract…
aidangarske Apr 8, 2026
76e0978
F-2416 - https://fenrir.wolfssl.com/finding/2416 - add ForceZero befo…
aidangarske Apr 8, 2026
0e74d6d
Address copilot x fenrir reviews
aidangarske Apr 9, 2026
aad7628
Address skoll review / nits
aidangarske Apr 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 27 additions & 26 deletions src/psa_aead.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,8 @@ static psa_status_t wolfpsa_aead_check_key(psa_key_id_t key,
psa_status_t status;
psa_key_usage_t key_usage;
psa_algorithm_t key_alg;
psa_algorithm_t key_base;
psa_algorithm_t req_base;
size_t key_tag_len;
size_t req_tag_len;

Expand Down Expand Up @@ -153,41 +155,40 @@ static psa_status_t wolfpsa_aead_check_key(psa_key_id_t key,
return PSA_ERROR_NOT_PERMITTED;
}

{
psa_algorithm_t key_base = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(key_alg);
psa_algorithm_t req_base = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
key_tag_len = wolfpsa_aead_tag_length(key_alg);
req_tag_len = wolfpsa_aead_tag_length(alg);
/* Algorithm match checks */
key_base = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(key_alg);
req_base = PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
key_tag_len = wolfpsa_aead_tag_length(key_alg);
req_tag_len = wolfpsa_aead_tag_length(alg);

if (key_tag_len == 0 || req_tag_len == 0) {
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_INVALID_ARGUMENT;
}
if (key_tag_len == 0 || req_tag_len == 0) {
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_INVALID_ARGUMENT;
}

if (key_base != req_base) {
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
}
if (key_base != req_base) {
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
}

if ((key_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
if (req_tag_len < key_tag_len) {
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
}
}
else if (req_tag_len != key_tag_len) {
if ((key_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
if (req_tag_len < key_tag_len) {
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
}
}
else if (req_tag_len != key_tag_len) {
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
}

return PSA_SUCCESS;
}
Expand Down
1 change: 1 addition & 0 deletions src/psa_asymmetric_api.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,7 @@ static psa_status_t wolfpsa_asymmetric_check_key(psa_key_id_t key,
return PSA_ERROR_NOT_PERMITTED;
}

/* Algorithm match checks */
if (PSA_ALG_IS_KEY_AGREEMENT(alg) && PSA_ALG_IS_KEY_AGREEMENT(key_alg)) {
if (PSA_ALG_KEY_AGREEMENT_GET_BASE(key_alg) !=
PSA_ALG_KEY_AGREEMENT_GET_BASE(alg)) {
Expand Down
13 changes: 13 additions & 0 deletions src/psa_key_derivation.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -643,6 +643,7 @@ psa_status_t psa_key_derivation_input_key(psa_key_derivation_operation_t *operat
return PSA_ERROR_NOT_PERMITTED;
}

/* Algorithm match checks */
if (ctx->is_key_agreement) {
if (!PSA_ALG_IS_KEY_AGREEMENT(key_alg) ||
PSA_ALG_KEY_AGREEMENT_GET_KDF(key_alg) != ctx->alg) {
Expand Down Expand Up @@ -756,6 +757,18 @@ static psa_status_t wolfpsa_kdf_hkdf(wolfpsa_kdf_ctx_t *ctx,
if (output_length > (size_t)hash_len) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (output_length < (size_t)hash_len) {
uint8_t tmp[WC_MAX_DIGEST_SIZE];
ret = wc_HKDF_Extract(hash_type,
ctx->salt, (word32)ctx->salt_length,
ctx->secret, (word32)ctx->secret_length,
tmp);
if (ret == 0) {
XMEMCPY(output, tmp, output_length);
}
wc_ForceZero(tmp, sizeof(tmp));
return ret == 0 ? PSA_SUCCESS : wc_error_to_psa_status(ret);
}
ret = wc_HKDF_Extract(hash_type,
ctx->salt, (word32)ctx->salt_length,
ctx->secret, (word32)ctx->secret_length,
Expand Down
7 changes: 5 additions & 2 deletions src/psa_mac.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,15 +162,17 @@ static psa_status_t wolfpsa_mac_check_key(psa_key_id_t key,
}

key_alg = psa_get_key_algorithm(attributes);
key_alg_full = PSA_ALG_FULL_LENGTH_MAC(key_alg);
req_alg_full = PSA_ALG_FULL_LENGTH_MAC(alg);
if (key_alg == PSA_ALG_NONE) {
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
}

/* Algorithm match checks */
key_alg_full = PSA_ALG_FULL_LENGTH_MAC(key_alg);
req_alg_full = PSA_ALG_FULL_LENGTH_MAC(alg);

if (key_alg_full != req_alg_full) {
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
Expand Down Expand Up @@ -258,6 +260,7 @@ static psa_status_t wolfpsa_mac_setup(psa_mac_operation_t *operation,
PSA_ALG_FULL_LENGTH_MAC(alg));
if (wolfpsa_check_word32_length(key_data_length) != PSA_SUCCESS) {
wolfpsa_forcezero_free_key_data(key_data, key_data_length);
wc_ForceZero(ctx, sizeof(*ctx));
XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return PSA_ERROR_INVALID_ARGUMENT;
}
Expand Down
Loading
Loading