Add tests and fix build issues

Author: JeremiahM37

scripts/build_ffi.py

@@ -305,13 +305,14 @@ def generate_libwolfssl(fips):
 
 def get_features(local_wolfssl, features):
     fips = False
+    fips_file = None
 
-    if sys.platform == "win32":
+    if local_wolfssl and sys.platform == "win32":
         # On Windows, we assume the local_wolfssl path is to a wolfSSL source
         # directory where the library has been built.
         fips_file = os.path.join(local_wolfssl, "wolfssl", "wolfcrypt",
             "fips.h")
-    else:
+    elif local_wolfssl:
         # On non-Windows platforms, first assume local_wolfssl is an
         # installation directory with an include subdirectory.
         fips_file = os.path.join(local_wolfssl, "include", "wolfssl",
@@ -321,7 +322,7 @@ def get_features(local_wolfssl, features):
             fips_file = os.path.join(local_wolfssl, "wolfssl", "wolfcrypt",
                 "fips.h")
 
-    if os.path.exists(fips_file):
+    if fips_file and os.path.exists(fips_file):
         with open(fips_file, "r") as f:
             contents = f.read()
             if not contents.isspace():
@@ -617,10 +618,10 @@ def build_ffi(local_wolfssl, features):
         int wc_Sha3_256_Final(wc_Sha3*, byte*);
         int wc_Sha3_384_Final(wc_Sha3*, byte*);
         int wc_Sha3_512_Final(wc_Sha3*, byte*);
-        int wc_Sha3_224_Free(wc_Sha3*);
-        int wc_Sha3_256_Free(wc_Sha3*);
-        int wc_Sha3_384_Free(wc_Sha3*);
-        int wc_Sha3_512_Free(wc_Sha3*);
+        void wc_Sha3_224_Free(wc_Sha3*);
+        void wc_Sha3_256_Free(wc_Sha3*);
+        void wc_Sha3_384_Free(wc_Sha3*);
+        void wc_Sha3_512_Free(wc_Sha3*);
         """
 
     if features["DES3"]:
@@ -1106,17 +1107,17 @@ def main(ffibuilder):
             e = "Local wolfssl installation path {} doesn't exist.".format(local_wolfssl)
             raise FileNotFoundError(e)
 
-        get_features(local_wolfssl, features)
-
-    if features["RSA_BLINDING"] and features["FIPS"]:
-        # These settings can't coexist. See settings.h.
-        features["RSA_BLINDING"] = 0
-
     if not local_wolfssl:
         print("Building wolfSSL...")
         if not get_libwolfssl():
             generate_libwolfssl(features["FIPS"])
 
+    get_features(local_wolfssl, features)
+
+    if features["RSA_BLINDING"] and features["FIPS"]:
+        # These settings can't coexist. See settings.h.
+        features["RSA_BLINDING"] = 0
+
     build_ffi(local_wolfssl, features)
 
 

tests/test_aesgcmstream.py

@@ -123,3 +123,16 @@ def test_encrypt_aad_bad():
         gcmdec.decrypt(buf)
         with pytest.raises(WolfCryptError):
             gcmdec.final(authTag)
+
+    def test_invalid_tag_bytes():
+        key = "fedcba9876543210"
+        iv = "0123456789abcdef"
+        with pytest.raises(ValueError, match="tag_bytes must be between 4 and 16"):
+            AesGcmStream(key, iv, tag_bytes=0)
+        with pytest.raises(ValueError, match="tag_bytes must be between 4 and 16"):
+            AesGcmStream(key, iv, tag_bytes=3)
+        with pytest.raises(ValueError, match="tag_bytes must be between 4 and 16"):
+            AesGcmStream(key, iv, tag_bytes=17)
+        # valid edge cases
+        AesGcmStream(key, iv, tag_bytes=4)
+        AesGcmStream(key, iv, tag_bytes=16)

tests/test_ciphers.py

@@ -876,3 +876,29 @@ def test_aessiv_decrypt_kat_openssl():
         TEST_VECTOR_CIPHERTEXT_OPENSSL
     )
     assert plaintext == TEST_VECTOR_PLAINTEXT_OPENSSL
+
+
+if _lib.DES3_ENABLED:
+    def test_des3_rejects_mode_ctr():
+        key = b"\x01\x23\x45\x67\x89\xab\xcd\xef" * 3
+        iv = b"\xfe\xdc\xba\x98\x76\x54\x32\x10"
+        with pytest.raises(ValueError, match="Des3 only supports MODE_CBC"):
+            Des3(key, MODE_CTR, iv)
+
+
+if _lib.CHACHA_ENABLED:
+    def test_chacha_non_block_aligned():
+        key = b"\x00" * 32
+        chacha = ChaCha(key)
+        chacha.set_iv(b"\x00" * 12)
+        plaintext = b"This is 25 bytes of text!"
+        assert len(plaintext) == 25
+        ciphertext = chacha.encrypt(plaintext)
+        assert len(ciphertext) == 25
+        chacha2 = ChaCha(key)
+        chacha2.set_iv(b"\x00" * 12)
+        assert chacha2.decrypt(ciphertext) == plaintext
+
+    def test_chacha_invalid_key_length():
+        with pytest.raises(ValueError, match="key must be"):
+            ChaCha(b"\x00" * 20)

wolfcrypt/ciphers.py

@@ -422,7 +422,8 @@ def __init__(self, key, IV, tag_bytes=16):
                 raise WolfCryptError("Init error (%d)" % ret)
 
         def __del__(self):
-            _lib.wc_AesFree(self._native_object)
+            if hasattr(self, '_native_object'):
+                _lib.wc_AesFree(self._native_object)
 
         def set_aad(self, data):
             """
@@ -1231,6 +1232,7 @@ def make_key(cls, size, rng=None):
                 ret = _lib.wc_ecc_set_rng(ecc.native_object, rng.native_object)
                 if ret < 0:
                     raise WolfCryptError("Error setting ECC RNG (%d)" % ret)
+                ecc._rng = rng
 
             return ecc
 
@@ -2247,7 +2249,7 @@ def priv_key_size(self):
             if ret < 0:  # pragma: no cover
                 raise WolfCryptError("wc_MlDsaKey_GetPrivLen() error (%d)" % ret)
 
-            return size[0]
+            return size[0] - self.pub_key_size
 
         def encode_pub_key(self):
             """

wolfcrypt/hashes.py

@@ -225,19 +225,21 @@ class Sha3(_Hash):
         SHA3_384_DIGEST_SIZE = 48
         SHA3_512_DIGEST_SIZE = 64
 
+        _SHA3_FREE = {
+            28: _lib.wc_Sha3_224_Free,
+            32: _lib.wc_Sha3_256_Free,
+            48: _lib.wc_Sha3_384_Free,
+            64: _lib.wc_Sha3_512_Free,
+        }
+
         def __del__(self):
-            if self.digest_size == Sha3.SHA3_224_DIGEST_SIZE:
-                _lib.wc_Sha3_224_Free(self._native_object)
-            elif self.digest_size == Sha3.SHA3_256_DIGEST_SIZE:
-                _lib.wc_Sha3_256_Free(self._native_object)
-            elif self.digest_size == Sha3.SHA3_384_DIGEST_SIZE:
-                _lib.wc_Sha3_384_Free(self._native_object)
-            elif self.digest_size == Sha3.SHA3_512_DIGEST_SIZE:
-                _lib.wc_Sha3_512_Free(self._native_object)
+            if hasattr(self, '_delete'):
+                self._delete(self._native_object)
 
         def __init__(self, string=None, size=SHA3_384_DIGEST_SIZE):  # pylint: disable=W0231
             self._native_object = _ffi.new(self._native_type)
             self.digest_size = size
+            self._delete = self._SHA3_FREE.get(size)
             ret = self._init()
             if ret < 0:  # pragma: no cover
                 raise WolfCryptError("Sha3 init error (%d)" % ret)