1 /* test.c
2  *
3  * Copyright (C) 2006-2021 wolfSSL Inc.
4  *
5  * This file is part of wolfSSL.
6  *
7  * wolfSSL is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License as published by
9  * the Free Software Foundation; either version 2 of the License, or
10  * (at your option) any later version.
11  *
12  * wolfSSL is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20  */
21 
22 #ifdef HAVE_CONFIG_H
23     #include <config.h>
24 #endif
25 
26 #ifndef WOLFSSL_USER_SETTINGS
27     #include <wolfssl/options.h>
28 #endif
29 #include <wolfssl/wolfcrypt/settings.h>
30 #include <wolfssl/version.h>
31 #include <wolfssl/wolfcrypt/wc_port.h>
32 
33 #ifndef NO_CRYPT_TEST
34 
35 #if defined(HAVE_STACK_SIZE) && !defined(HAVE_WOLFCRYPT_TEST_OPTIONS)
36     #define HAVE_WOLFCRYPT_TEST_OPTIONS
37 #endif
38 
39 #ifdef HAVE_WOLFCRYPT_TEST_OPTIONS
40     #include <wolfssl/ssl.h>
41     #define err_sys err_sys_remap /* remap err_sys */
42     #include <wolfssl/test.h>
43     #undef err_sys
44 #endif
45 
46 #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_PUBLIC_MP) && \
47     defined(HAVE_ECC_SIGN) && defined(HAVE_ECC_VERIFY)
48     #include <stdint.h>
49 #endif
50 
51 #if defined(HAVE_STACK_SIZE_VERBOSE)
52 #ifdef WOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES
53     static ssize_t max_relative_stack = WOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES;
54 #else
55     static ssize_t max_relative_stack = -1;
56 #endif
57 #else
58     #define STACK_SIZE_CHECKPOINT_WITH_MAX_CHECK(max, ...) (__VA_ARGS__, 0)
59     #define STACK_SIZE_INIT()
60 #endif
61 
62 #ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
63 #ifdef WOLFSSL_TEST_MAX_RELATIVE_HEAP_ALLOCS
64     static ssize_t max_relative_heap_allocs = WOLFSSL_TEST_MAX_RELATIVE_HEAP_ALLOCS;
65 #else
66     static ssize_t max_relative_heap_allocs = -1;
67 #endif
68 #ifdef WOLFSSL_TEST_MAX_RELATIVE_HEAP_BYTES
69     static ssize_t max_relative_heap_bytes = WOLFSSL_TEST_MAX_RELATIVE_HEAP_BYTES;
70 #else
71     static ssize_t max_relative_heap_bytes = -1;
72 #endif
73 #define PRINT_HEAP_CHECKPOINT() {                                        \
74     const ssize_t _rha = wolfCrypt_heap_peakAllocs_checkpoint() - heap_baselineAllocs; \
75     const ssize_t _rhb = wolfCrypt_heap_peakBytes_checkpoint() - heap_baselineBytes; \
76     printf("    relative heap peak usage: %ld alloc%s, %ld bytes\n",    \
77            _rha,                                                        \
78            _rha == 1 ? "" : "s",                                        \
79            _rhb);                                                       \
80     if ((max_relative_heap_allocs > 0) && (_rha > max_relative_heap_allocs)) \
81         return err_sys("heap allocs exceed designated max.", -1);       \
82     if ((max_relative_heap_bytes > 0) && (_rhb > max_relative_heap_bytes)) \
83         return err_sys("heap bytes exceed designated max.", -1);        \
84     heap_baselineAllocs = wolfCrypt_heap_peakAllocs_checkpoint();        \
85     heap_baselineBytes = wolfCrypt_heap_peakBytes_checkpoint();         \
86     }
87 #else
88 #define PRINT_HEAP_CHECKPOINT()
89 #endif
90 
91 #ifdef __GNUC__
92 _Pragma("GCC diagnostic ignored \"-Wunused-function\"")
93 #endif
94 
95 #ifdef USE_FLAT_TEST_H
96     #ifdef HAVE_CONFIG_H
97         #include "test_paths.h"
98     #endif
99     #include "test.h"
100 #else
101     #ifdef HAVE_CONFIG_H
102         #include "wolfcrypt/test/test_paths.h"
103     #endif
104     #include "wolfcrypt/test/test.h"
105 #endif
106 
107 /* printf mappings */
108 #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
109     #include <mqx.h>
110     #include <stdlib.h>
111     /* see wc_port.h for fio.h and nio.h includes */
112 #elif defined(FREESCALE_KSDK_BM)
113     #include "fsl_debug_console.h"
114     #undef printf
115     #define printf PRINTF
116 #elif defined(WOLFSSL_APACHE_MYNEWT)
117     #include <assert.h>
118     #include <string.h>
119     #include "sysinit/sysinit.h"
120     #include "os/os.h"
121     #ifdef ARCH_sim
122     #include "mcu/mcu_sim.h"
123     #endif
124     #include "os/os_time.h"
125 #elif defined(WOLFSSL_ESPIDF)
126     #include <time.h>
127     #include <sys/time.h>
128 #elif defined(WOLFSSL_ZEPHYR)
129     #include <stdio.h>
130 
131     #define printf printk
132 #elif defined(MICRIUM)
133     #include <os.h>
134     #if (OS_VERSION < 50000)
135         #include <bsp_ser.h>
136         void BSP_Ser_Printf (CPU_CHAR* format, ...);
137         #undef printf
138         #define printf BSP_Ser_Printf
139     #else
140         #include <stdio.h>
141     #endif
142 #elif defined(WOLFSSL_PB)
143     #include <stdarg.h>
144     int wolfssl_pb_print(const char*, ...);
145     #undef printf
146     #define printf wolfssl_pb_print
147 #elif defined(WOLFSSL_TELIT_M2MB)
148     #include "wolfssl/wolfcrypt/wc_port.h" /* for m2mb headers */
149     #include "m2m_log.h" /* for M2M_LOG_INFO - not standard API */
150     /* remap printf */
151     #undef printf
152     #define printf M2M_LOG_INFO
153     /* OS requires occasional sleep() */
154     #ifndef TEST_SLEEP_MS
155         #define TEST_SLEEP_MS 50
156     #endif
157     #define TEST_SLEEP() m2mb_os_taskSleep(M2MB_OS_MS2TICKS(TEST_SLEEP_MS))
158     /* don't use file system for these tests, since ./certs dir isn't loaded */
159     #undef  NO_FILESYSTEM
160     #define NO_FILESYSTEM
161 #elif defined(THREADX) && !defined(WOLFSSL_WICED) && \
162       !defined(THREADX_NO_DC_PRINTF)
163     #ifndef (NETOS)
164         /* since just testing, use THREADX log printf instead (NETOS prototypes
165          * this elsewhere) */
166         int dc_log_printf(char*, ...);
167     #endif
168     #undef printf
169     #define printf dc_log_printf
170 #elif defined(ANDROID)
171     #ifdef XMALLOC_USER
172         #include <stdlib.h>  /* we're using malloc / free direct here */
173     #endif
174     #ifndef STRING_USER
175         #include <stdio.h>
176     #endif
177     #include <android/log.h>
178 
179     #ifdef ANDROID_V454 /* See fips/android/wolfCrypt_v454_android */
180         #ifndef NO_FILESYSTEM
181             #define NO_FILESYSTEM /* Turn off tests that want to call SaveDerAndPem() */
182         #endif
183     #else
184         #define printf(...)       \
185                       __android_log_print(ANDROID_LOG_DEBUG, "TAG", __VA_ARGS__)
186         #define fprintf(fp, ...)  \
187                       __android_log_print(ANDROID_LOG_DEBUG, "TAG", __VA_ARGS__)
188     #endif
189 #elif defined(WOLFSSL_DEOS)
190     #include <printx.h>
191     #undef printf
192     #define printf printx
193 #else
194     #ifdef XMALLOC_USER
195         #include <stdlib.h>  /* we're using malloc / free direct here */
196     #endif
197     #if !defined(STRING_USER) && !defined(WOLFSSL_LINUXKM)
198         #include <stdio.h>
199     #endif
200 
201     #if defined(WOLFSSL_LINUXKM) && !defined(WOLFSSL_LINUXKM_VERBOSE_DEBUG)
202         #undef printf
203         #define printf(...) ({})
204     #endif
205 
206     /* enable way for customer to override test/bench printf */
207     #ifdef XPRINTF
208         #undef  printf
209         #define printf XPRINTF
210     #endif
211 #endif
212 
213 #include <wolfssl/wolfcrypt/memory.h>
214 #include <wolfssl/wolfcrypt/wc_port.h>
215 #include <wolfssl/wolfcrypt/logging.h>
216 #include <wolfssl/wolfcrypt/types.h>
217 #include <wolfssl/wolfcrypt/asn.h>
218 #include <wolfssl/wolfcrypt/md2.h>
219 #include <wolfssl/wolfcrypt/md5.h>
220 #include <wolfssl/wolfcrypt/md4.h>
221 #include <wolfssl/wolfcrypt/sha.h>
222 #include <wolfssl/wolfcrypt/sha256.h>
223 #include <wolfssl/wolfcrypt/sha512.h>
224 #include <wolfssl/wolfcrypt/rc2.h>
225 #include <wolfssl/wolfcrypt/arc4.h>
226 #if defined(WC_NO_RNG)
227     #include <wolfssl/wolfcrypt/integer.h>
228 #else
229     #include <wolfssl/wolfcrypt/random.h>
230 #endif
231 #include <wolfssl/wolfcrypt/coding.h>
232 #include <wolfssl/wolfcrypt/signature.h>
233 #include <wolfssl/wolfcrypt/rsa.h>
234 #include <wolfssl/wolfcrypt/des3.h>
235 #include <wolfssl/wolfcrypt/aes.h>
236 #include <wolfssl/wolfcrypt/wc_encrypt.h>
237 #include <wolfssl/wolfcrypt/cmac.h>
238 #include <wolfssl/wolfcrypt/poly1305.h>
239 #include <wolfssl/wolfcrypt/camellia.h>
240 #include <wolfssl/wolfcrypt/hmac.h>
241 #include <wolfssl/wolfcrypt/kdf.h>
242 #include <wolfssl/wolfcrypt/dh.h>
243 #include <wolfssl/wolfcrypt/dsa.h>
244 #include <wolfssl/wolfcrypt/srp.h>
245 #include <wolfssl/wolfcrypt/idea.h>
246 #include <wolfssl/wolfcrypt/hc128.h>
247 #include <wolfssl/wolfcrypt/rabbit.h>
248 #include <wolfssl/wolfcrypt/chacha.h>
249 #include <wolfssl/wolfcrypt/chacha20_poly1305.h>
250 #include <wolfssl/wolfcrypt/pwdbased.h>
251 #include <wolfssl/wolfcrypt/ripemd.h>
252 #include <wolfssl/wolfcrypt/error-crypt.h>
253 #ifdef HAVE_ECC
254     #include <wolfssl/wolfcrypt/ecc.h>
255 #endif
256 #ifdef HAVE_CURVE25519
257     #include <wolfssl/wolfcrypt/curve25519.h>
258 #endif
259 #ifdef HAVE_ED25519
260     #include <wolfssl/wolfcrypt/ed25519.h>
261 #endif
262 #ifdef HAVE_CURVE448
263     #include <wolfssl/wolfcrypt/curve448.h>
264 #endif
265 #ifdef HAVE_ED448
266     #include <wolfssl/wolfcrypt/ed448.h>
267 #endif
268 #ifdef WOLFCRYPT_HAVE_ECCSI
269     #include <wolfssl/wolfcrypt/eccsi.h>
270 #endif
271 #ifdef WOLFCRYPT_HAVE_SAKKE
272     #include <wolfssl/wolfcrypt/sakke.h>
273 #endif
274 #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
275     #include <wolfssl/wolfcrypt/blake2.h>
276 #endif
277 #ifdef WOLFSSL_SHA3
278     #include <wolfssl/wolfcrypt/sha3.h>
279 #endif
280 #ifdef HAVE_LIBZ
281     #include <wolfssl/wolfcrypt/compress.h>
282 #endif
283 #ifdef HAVE_PKCS7
284     #include <wolfssl/wolfcrypt/pkcs7.h>
285 #endif
286 #ifdef HAVE_FIPS
287     #include <wolfssl/wolfcrypt/fips_test.h>
288 #endif
289 #ifdef HAVE_SELFTEST
290     #include <wolfssl/wolfcrypt/selftest.h>
291 #endif
292 #ifdef WOLFSSL_ASYNC_CRYPT
293     #include <wolfssl/wolfcrypt/async.h>
294 #endif
295 #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
296     #include <wolfssl/wolfcrypt/logging.h>
297 #endif
298 #ifdef WOLFSSL_IMX6_CAAM_BLOB
299     #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
300 #endif
301 #ifdef WOLF_CRYPTO_CB
302     #include <wolfssl/wolfcrypt/cryptocb.h>
303     #ifdef HAVE_INTEL_QA_SYNC
304         #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
305     #endif
306     #ifdef HAVE_CAVIUM_OCTEON_SYNC
307         #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
308     #endif
309 #endif
310 
311 #ifdef _MSC_VER
312     /* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */
313     #pragma warning(disable: 4996)
314 #endif
315 
316 #ifdef OPENSSL_EXTRA
317   #ifndef WOLFCRYPT_ONLY
318     #include <wolfssl/openssl/evp.h>
319     #include <wolfssl/openssl/hmac.h>
320   #endif
321     #include <wolfssl/openssl/rand.h>
322     #include <wolfssl/openssl/aes.h>
323     #include <wolfssl/openssl/des.h>
324 #endif
325 
326 #if defined(NO_FILESYSTEM) || defined(WC_NO_RNG)
327     #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
328         !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
329         #define USE_CERT_BUFFERS_2048
330     #endif
331     #if !defined(USE_CERT_BUFFERS_256)
332         #define USE_CERT_BUFFERS_256
333     #endif
334 #endif
335 
336 #if defined(WOLFSSL_CERT_GEN) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES))
337     #define ENABLE_ECC384_CERT_GEN_TEST
338 #endif
339 
340 #include <wolfssl/certs_test.h>
341 
342 #ifdef DEVKITPRO
343     #include <wiiuse/wpad.h>
344 #endif
345 
346 #ifdef WOLFSSL_STATIC_MEMORY
347     static WOLFSSL_HEAP_HINT* HEAP_HINT;
348 #else
349     #define HEAP_HINT NULL
350 #endif /* WOLFSSL_STATIC_MEMORY */
351 
352 /* these cases do not have intermediate hashing support */
353 #if (defined(WOLFSSL_AFALG_XILINX_SHA3) && !defined(WOLFSSL_AFALG_HASH_KEEP)) \
354         && !defined(WOLFSSL_XILINX_CRYPT)
355     #define NO_INTM_HASH_TEST
356 #endif
357 
358 #ifdef WOLFSSL_CERT_GEN
359 static void initDefaultName(void);
360 #endif
361 
362 /* for async devices */
363 #ifdef WOLFSSL_QNX_CAAM
364 static int devId = WOLFSSL_CAAM_DEVID;
365 #else
366 static int devId = INVALID_DEVID;
367 #endif
368 
369 #ifdef HAVE_WNR
370     const char* wnrConfigFile = "wnr-example.conf";
371 #endif
372 
373 #define TEST_STRING    "Everyone gets Friday off."
374 #define TEST_STRING_SZ 25
375 
376 typedef struct testVector {
377     const char*  input;
378     const char*  output;
379     size_t inLen;
380     size_t outLen;
381 } testVector;
382 
383 #ifndef WOLFSSL_TEST_SUBROUTINE
384 #define WOLFSSL_TEST_SUBROUTINE
385 #endif
386 
387 WOLFSSL_TEST_SUBROUTINE int  error_test(void);
388 WOLFSSL_TEST_SUBROUTINE int  base64_test(void);
389 WOLFSSL_TEST_SUBROUTINE int  base16_test(void);
390 WOLFSSL_TEST_SUBROUTINE int  asn_test(void);
391 WOLFSSL_TEST_SUBROUTINE int  md2_test(void);
392 WOLFSSL_TEST_SUBROUTINE int  md5_test(void);
393 WOLFSSL_TEST_SUBROUTINE int  md4_test(void);
394 WOLFSSL_TEST_SUBROUTINE int  sha_test(void);
395 WOLFSSL_TEST_SUBROUTINE int  sha224_test(void);
396 WOLFSSL_TEST_SUBROUTINE int  sha256_test(void);
397 WOLFSSL_TEST_SUBROUTINE int  sha512_test(void);
398 WOLFSSL_TEST_SUBROUTINE int  sha384_test(void);
399 WOLFSSL_TEST_SUBROUTINE int  sha3_test(void);
400 WOLFSSL_TEST_SUBROUTINE int  shake256_test(void);
401 WOLFSSL_TEST_SUBROUTINE int  hash_test(void);
402 WOLFSSL_TEST_SUBROUTINE int  hmac_md5_test(void);
403 WOLFSSL_TEST_SUBROUTINE int  hmac_sha_test(void);
404 WOLFSSL_TEST_SUBROUTINE int  hmac_sha224_test(void);
405 WOLFSSL_TEST_SUBROUTINE int  hmac_sha256_test(void);
406 WOLFSSL_TEST_SUBROUTINE int  hmac_sha384_test(void);
407 WOLFSSL_TEST_SUBROUTINE int  hmac_sha512_test(void);
408 WOLFSSL_TEST_SUBROUTINE int  hmac_sha3_test(void);
409 #ifdef HAVE_HKDF
410 /* WOLFSSL_TEST_SUBROUTINE */ static int  hkdf_test(void);
411 #endif
412 WOLFSSL_TEST_SUBROUTINE int  sshkdf_test(void);
413 WOLFSSL_TEST_SUBROUTINE int  x963kdf_test(void);
414 WOLFSSL_TEST_SUBROUTINE int  arc4_test(void);
415 WOLFSSL_TEST_SUBROUTINE int  rc2_test(void);
416 WOLFSSL_TEST_SUBROUTINE int  hc128_test(void);
417 WOLFSSL_TEST_SUBROUTINE int  rabbit_test(void);
418 WOLFSSL_TEST_SUBROUTINE int  chacha_test(void);
419 WOLFSSL_TEST_SUBROUTINE int  XChaCha_test(void);
420 WOLFSSL_TEST_SUBROUTINE int  chacha20_poly1305_aead_test(void);
421 WOLFSSL_TEST_SUBROUTINE int  XChaCha20Poly1305_test(void);
422 WOLFSSL_TEST_SUBROUTINE int  des_test(void);
423 WOLFSSL_TEST_SUBROUTINE int  des3_test(void);
424 WOLFSSL_TEST_SUBROUTINE int  aes_test(void);
425 WOLFSSL_TEST_SUBROUTINE int  aes192_test(void);
426 WOLFSSL_TEST_SUBROUTINE int  aes256_test(void);
427 WOLFSSL_TEST_SUBROUTINE int  aesofb_test(void);
428 WOLFSSL_TEST_SUBROUTINE int  cmac_test(void);
429 WOLFSSL_TEST_SUBROUTINE int  poly1305_test(void);
430 WOLFSSL_TEST_SUBROUTINE int  aesgcm_test(void);
431 WOLFSSL_TEST_SUBROUTINE int  aesgcm_default_test(void);
432 WOLFSSL_TEST_SUBROUTINE int  gmac_test(void);
433 WOLFSSL_TEST_SUBROUTINE int  aesccm_test(void);
434 WOLFSSL_TEST_SUBROUTINE int  aeskeywrap_test(void);
435 WOLFSSL_TEST_SUBROUTINE int  camellia_test(void);
436 WOLFSSL_TEST_SUBROUTINE int  rsa_no_pad_test(void);
437 WOLFSSL_TEST_SUBROUTINE int  rsa_test(void);
438 WOLFSSL_TEST_SUBROUTINE int  dh_test(void);
439 WOLFSSL_TEST_SUBROUTINE int  dsa_test(void);
440 WOLFSSL_TEST_SUBROUTINE int  srp_test(void);
441 #ifndef WC_NO_RNG
442 WOLFSSL_TEST_SUBROUTINE int  random_test(void);
443 #endif /* WC_NO_RNG */
444 WOLFSSL_TEST_SUBROUTINE int  pwdbased_test(void);
445 WOLFSSL_TEST_SUBROUTINE int  ripemd_test(void);
446 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
447 WOLFSSL_TEST_SUBROUTINE int  openssl_test(void);   /* test mini api */
448 
449 WOLFSSL_TEST_SUBROUTINE int  openssl_pkey0_test(void);
450 WOLFSSL_TEST_SUBROUTINE int  openssl_pkey1_test(void);
451 WOLFSSL_TEST_SUBROUTINE int  openSSL_evpMD_test(void);
452 WOLFSSL_TEST_SUBROUTINE int  openssl_evpSig_test(void);
453 #endif
454 
455 WOLFSSL_TEST_SUBROUTINE int pbkdf1_test(void);
456 WOLFSSL_TEST_SUBROUTINE int pkcs12_test(void);
457 WOLFSSL_TEST_SUBROUTINE int pbkdf2_test(void);
458 WOLFSSL_TEST_SUBROUTINE int scrypt_test(void);
459 #ifdef HAVE_ECC
460     WOLFSSL_TEST_SUBROUTINE int  ecc_test(void);
461     #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_AES_CBC) && \
462         defined(WOLFSSL_AES_128)
463         WOLFSSL_TEST_SUBROUTINE int  ecc_encrypt_test(void);
464     #endif
465     #if defined(USE_CERT_BUFFERS_256) && !defined(WOLFSSL_ATECC508A) && \
466         !defined(WOLFSSL_ATECC608A) && !defined(NO_ECC256) && \
467         defined(HAVE_ECC_VERIFY) && defined(HAVE_ECC_SIGN)
468         /* skip for ATECC508/608A, cannot import private key buffers */
469         WOLFSSL_TEST_SUBROUTINE int ecc_test_buffers(void);
470     #endif
471 #endif
472 #ifdef HAVE_CURVE25519
473     WOLFSSL_TEST_SUBROUTINE int  curve25519_test(void);
474 #endif
475 #ifdef HAVE_ED25519
476     WOLFSSL_TEST_SUBROUTINE int  ed25519_test(void);
477 #endif
478 #ifdef HAVE_CURVE448
479     WOLFSSL_TEST_SUBROUTINE int  curve448_test(void);
480 #endif
481 #ifdef HAVE_ED448
482     WOLFSSL_TEST_SUBROUTINE int  ed448_test(void);
483 #endif
484 #ifdef WOLFCRYPT_HAVE_ECCSI
485     WOLFSSL_TEST_SUBROUTINE int  eccsi_test(void);
486 #endif
487 #ifdef WOLFCRYPT_HAVE_SAKKE
488     WOLFSSL_TEST_SUBROUTINE int  sakke_test(void);
489 #endif
490 #ifdef HAVE_BLAKE2
491     WOLFSSL_TEST_SUBROUTINE int  blake2b_test(void);
492 #endif
493 #ifdef HAVE_BLAKE2S
494     WOLFSSL_TEST_SUBROUTINE int  blake2s_test(void);
495 #endif
496 #ifdef HAVE_LIBZ
497     WOLFSSL_TEST_SUBROUTINE int compress_test(void);
498 #endif
499 #ifdef HAVE_PKCS7
500     #ifndef NO_PKCS7_ENCRYPTED_DATA
501         WOLFSSL_TEST_SUBROUTINE int pkcs7encrypted_test(void);
502     #endif
503     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
504         WOLFSSL_TEST_SUBROUTINE int pkcs7compressed_test(void);
505     #endif
506     WOLFSSL_TEST_SUBROUTINE int pkcs7signed_test(void);
507     WOLFSSL_TEST_SUBROUTINE int pkcs7enveloped_test(void);
508     #if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
509         WOLFSSL_TEST_SUBROUTINE int pkcs7authenveloped_test(void);
510     #endif
511     #if !defined(NO_AES) && defined(HAVE_AES_CBC)
512         WOLFSSL_TEST_SUBROUTINE int pkcs7callback_test(byte* cert, word32 certSz, byte* key,
513                 word32 keySz);
514     #endif
515 #endif
516 #if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) && \
517     !defined(NO_FILESYSTEM)
518 WOLFSSL_TEST_SUBROUTINE int cert_test(void);
519 #endif
520 #if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) && \
521    !defined(NO_FILESYSTEM)
522 WOLFSSL_TEST_SUBROUTINE int  certext_test(void);
523 #endif
524 #if defined(WOLFSSL_CERT_GEN_CACHE) && defined(WOLFSSL_TEST_CERT) && \
525     defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)
526 WOLFSSL_TEST_SUBROUTINE int decodedCertCache_test(void);
527 #endif
528 #ifdef HAVE_IDEA
529 WOLFSSL_TEST_SUBROUTINE int idea_test(void);
530 #endif
531 WOLFSSL_TEST_SUBROUTINE int memory_test(void);
532 #ifdef HAVE_VALGRIND
533 WOLFSSL_TEST_SUBROUTINE int mp_test(void);
534 #endif
535 #if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN)
536 WOLFSSL_TEST_SUBROUTINE int prime_test(void);
537 #endif
538 #ifdef ASN_BER_TO_DER
539 WOLFSSL_TEST_SUBROUTINE int berder_test(void);
540 #endif
541 WOLFSSL_TEST_SUBROUTINE int logging_test(void);
542 WOLFSSL_TEST_SUBROUTINE int mutex_test(void);
543 #if defined(USE_WOLFSSL_MEMORY) && !defined(FREERTOS)
544 WOLFSSL_TEST_SUBROUTINE int memcb_test(void);
545 #endif
546 #ifdef WOLFSSL_IMX6_CAAM_BLOB
547 WOLFSSL_TEST_SUBROUTINE int blob_test(void);
548 #endif
549 
550 #ifdef WOLF_CRYPTO_CB
551 WOLFSSL_TEST_SUBROUTINE int cryptocb_test(void);
552 #endif
553 #ifdef WOLFSSL_CERT_PIV
554 WOLFSSL_TEST_SUBROUTINE int certpiv_test(void);
555 #endif
556 
557 /* General big buffer size for many tests. */
558 #define FOURK_BUF 4096
559 
560 
561 #define ERROR_OUT(err, eLabel) do { ret = (err); goto eLabel; } while (0)
562 
563 #ifdef HAVE_STACK_SIZE
err_sys(const char * msg,int es)564 static THREAD_RETURN err_sys(const char* msg, int es)
565 #else
566 static int err_sys(const char* msg, int es)
567 #endif
568 {
569     (void)msg;
570     (void)es;
571 
572 #ifdef WOLFSSL_LINUXKM
573     lkm_printf("%s error = %d\n", msg, es);
574     EXIT_TEST(es);
575 #else
576     printf("%s error = %d\n", msg, es);
577     EXIT_TEST(-1);
578 #endif
579 }
580 
581 #ifndef HAVE_WOLFCRYPT_TEST_OPTIONS
582 /* func_args from test.h, so don't have to pull in other stuff */
583 typedef struct func_args {
584     int    argc;
585     char** argv;
586     int    return_code;
587 } func_args;
588 #endif /* !HAVE_WOLFCRYPT_TEST_OPTIONS */
589 
590 #if defined(HAVE_FIPS) && !defined(WOLFSSL_LINUXKM)
myFipsCb(int ok,int err,const char * hash)591 static void myFipsCb(int ok, int err, const char* hash)
592 {
593     printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
594     printf("message = %s\n", wc_GetErrorString(err));
595     printf("hash = %s\n", hash);
596 
597     if (err == IN_CORE_FIPS_E) {
598         printf("In core integrity hash check failure, copy above hash\n");
599         printf("into verifyCore[] in fips_test.c and rebuild\n");
600     }
601 }
602 #endif /* HAVE_FIPS && !WOLFSSL_LINUXKM */
603 
604 #ifdef WOLFSSL_STATIC_MEMORY
605     #ifdef BENCH_EMBEDDED
606         static byte gTestMemory[14000];
607     #elif defined(WOLFSSL_CERT_EXT)
608         static byte gTestMemory[140000];
609     #elif defined(USE_FAST_MATH) && !defined(ALT_ECC_SIZE)
610         static byte gTestMemory[160000];
611     #else
612         static byte gTestMemory[80000];
613     #endif
614 #endif
615 
616 #ifdef WOLFSSL_PB
wolfssl_pb_print(const char * msg,...)617 static int wolfssl_pb_print(const char* msg, ...)
618 {
619     int ret;
620     va_list args;
621     char tmpBuf[80];
622 
623     va_start(args, msg);
624     ret = vsprint(tmpBuf, msg, args);
625     va_end(args);
626 
627     fnDumpStringToSystemLog(tmpBuf);
628 
629     return ret;
630 }
631 #endif /* WOLFSSL_PB */
632 
633 /* optional macro to add sleep between tests */
634 #ifndef TEST_SLEEP
635 #define TEST_SLEEP()
636 #else
637     #define TEST_PASS test_pass
638     #include <stdarg.h> /* for var args */
test_pass(const char * fmt,...)639     static WC_INLINE void test_pass(const char* fmt, ...)
640     {
641         va_list args;
642         va_start(args, fmt);
643         STACK_SIZE_CHECKPOINT_WITH_MAX_CHECK(max_relative_stack, vprintf(fmt, args));
644         va_end(args);
645         PRINT_HEAP_CHECKPOINT();
646         TEST_SLEEP();
647         ASSERT_RESTORED_VECTOR_REGISTERS(exit(1););
648     }
649 #endif
650 
651 /* set test pass output to printf if not overriden */
652 #ifndef TEST_PASS
653     /* redirect to printf */
654     #define TEST_PASS(...) {                                    \
655         if (STACK_SIZE_CHECKPOINT_WITH_MAX_CHECK                \
656             (max_relative_stack, printf(__VA_ARGS__)) < 0) {    \
657             return err_sys("post-test check failed", -1);       \
658         }                                                       \
659         PRINT_HEAP_CHECKPOINT();                                \
660         ASSERT_RESTORED_VECTOR_REGISTERS(exit(1););             \
661     }
662 #endif
663 
664 #ifdef HAVE_STACK_SIZE
wolfcrypt_test(void * args)665 THREAD_RETURN WOLFSSL_THREAD wolfcrypt_test(void* args)
666 #else
667 int wolfcrypt_test(void* args)
668 #endif
669 {
670     int ret;
671 #ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
672     long heap_baselineAllocs, heap_baselineBytes;
673 #endif
674     STACK_SIZE_INIT();
675 
676 #ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
677     (void)wolfCrypt_heap_peakAllocs_checkpoint();
678     heap_baselineAllocs = wolfCrypt_heap_peakAllocs_checkpoint();
679     (void)wolfCrypt_heap_peakBytes_checkpoint();
680     heap_baselineBytes = wolfCrypt_heap_peakBytes_checkpoint();
681 #endif
682 
683     printf("------------------------------------------------------------------------------\n");
684     printf(" wolfSSL version %s\n", LIBWOLFSSL_VERSION_STRING);
685     printf("------------------------------------------------------------------------------\n");
686 
687     if (args) {
688 #ifdef HAVE_WOLFCRYPT_TEST_OPTIONS
689         int ch;
690 #endif
691         ((func_args*)args)->return_code = -1; /* error state */
692 #ifdef HAVE_WOLFCRYPT_TEST_OPTIONS
693         while ((ch = mygetopt(((func_args*)args)->argc, ((func_args*)args)->argv, "s:m:a:h")) != -1) {
694             switch(ch) {
695             case 's':
696 #ifdef HAVE_STACK_SIZE_VERBOSE
697                 max_relative_stack = (ssize_t)atoi(myoptarg);
698                 break;
699 #else
700                 return err_sys("-s (max relative stack bytes) requires HAVE_STACK_SIZE_VERBOSE (--enable-stacksize=verbose).", -1);
701 #endif
702             case 'm':
703 #ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
704                 max_relative_heap_bytes = (ssize_t)atoi(myoptarg);
705                 break;
706 #else
707                 return err_sys("-m (max relative heap memory bytes) requires WOLFSSL_TRACK_MEMORY_VERBOSE (--enable-trackmemory=verbose).", -1);
708 #endif
709             case 'a':
710 #ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
711                 max_relative_heap_allocs = (ssize_t)atoi(myoptarg);
712                 break;
713 #else
714                 return err_sys("-a (max relative heap allocs) requires WOLFSSL_TRACK_MEMORY_VERBOSE (--enable-trackmemory=verbose).", -1);
715 #endif
716             case 'h':
717                 return err_sys("\
718 options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\
719          [-a max_relative_heap_allocs] [-h]\n", 0);
720             default:
721                 return err_sys("unknown test option.  try -h.", -1);
722             }
723         }
724 #endif
725     }
726 
727 #ifdef WOLFSSL_STATIC_MEMORY
728     if (wc_LoadStaticMemory(&HEAP_HINT, gTestMemory, sizeof(gTestMemory),
729                                                 WOLFMEM_GENERAL, 1) != 0) {
730         printf("unable to load static memory.\n");
731         return(EXIT_FAILURE);
732     }
733 #endif
734 
735 #if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND)
736     wolfSSL_Debugging_ON();
737 #endif
738 
739 #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
740     wc_SetLoggingHeap(HEAP_HINT);
741 #endif
742 
743 #if defined(HAVE_FIPS) && !defined(WOLFSSL_LINUXKM)
744     wolfCrypt_SetCb_fips(myFipsCb);
745 #endif
746 
747 #if !defined(NO_BIG_INT)
748     if (CheckCtcSettings() != 1) {
749         printf("Sizeof mismatch (build) %x != (run) %x\n",
750             CTC_SETTINGS, CheckRunTimeSettings());
751         return err_sys("Build vs runtime math mismatch\n", -1000);
752     }
753 
754 #if defined(USE_FAST_MATH) && \
755         (!defined(NO_RSA) || !defined(NO_DH) || defined(HAVE_ECC))
756     if (CheckFastMathSettings() != 1)
757         return err_sys("Build vs runtime fastmath FP_MAX_BITS mismatch\n",
758                        -1001);
759 #endif /* USE_FAST_MATH */
760 #endif /* !NO_BIG_INT */
761 
762 #ifdef WOLFSSL_CERT_GEN
763     initDefaultName();
764 #endif
765 
766 #ifdef WOLFSSL_ASYNC_CRYPT
767     ret = wolfAsync_DevOpen(&devId);
768     if (ret < 0) {
769         printf("Async device open failed\nRunning without async\n");
770     }
771 #else
772     (void)devId;
773 #endif /* WOLFSSL_ASYNC_CRYPT */
774 
775 #ifdef WOLF_CRYPTO_CB
776 #ifdef HAVE_INTEL_QA_SYNC
777     devId = wc_CryptoCb_InitIntelQa();
778     if (INVALID_DEVID == devId) {
779         printf("Couldn't init the Intel QA\n");
780     }
781 #endif
782 #ifdef HAVE_CAVIUM_OCTEON_SYNC
783     devId = wc_CryptoCb_InitOcteon();
784     if (INVALID_DEVID == devId) {
785         printf("Couldn't init the Cavium Octeon\n");
786     }
787 #endif
788 #endif
789 
790 #ifdef HAVE_SELFTEST
791     if ( (ret = wolfCrypt_SelfTest()) != 0)
792         return err_sys("CAVP selftest failed!\n", ret);
793     else
794         TEST_PASS("CAVP selftest passed!\n");
795 #endif
796 
797     if ( (ret = error_test()) != 0)
798         return err_sys("error    test failed!\n", ret);
799     else
800         TEST_PASS("error    test passed!\n");
801 
802     if ( (ret = memory_test()) != 0)
803         return err_sys("MEMORY   test failed!\n", ret);
804     else
805         TEST_PASS("MEMORY   test passed!\n");
806 
807 #ifndef NO_CODING
808     if ( (ret = base64_test()) != 0)
809         return err_sys("base64   test failed!\n", ret);
810     else
811         TEST_PASS("base64   test passed!\n");
812 #ifdef WOLFSSL_BASE16
813     if ( (ret = base16_test()) != 0)
814         return err_sys("base16   test failed!\n", ret);
815     else
816         TEST_PASS("base16   test passed!\n");
817 #endif
818 #endif /* !NO_CODING */
819 
820 #ifndef NO_ASN
821     if ( (ret = asn_test()) != 0)
822         return err_sys("asn      test failed!\n", ret);
823     else
824         TEST_PASS("asn      test passed!\n");
825 #endif
826 
827 #ifndef WC_NO_RNG
828     if ( (ret = random_test()) != 0)
829         return err_sys("RANDOM   test failed!\n", ret);
830     else
831         TEST_PASS("RANDOM   test passed!\n");
832 #endif /* WC_NO_RNG */
833 
834 #ifndef NO_MD5
835     if ( (ret = md5_test()) != 0)
836         return err_sys("MD5      test failed!\n", ret);
837     else
838         TEST_PASS("MD5      test passed!\n");
839 #endif
840 
841 #ifdef WOLFSSL_MD2
842     if ( (ret = md2_test()) != 0)
843         return err_sys("MD2      test failed!\n", ret);
844     else
845         TEST_PASS("MD2      test passed!\n");
846 #endif
847 
848 #ifndef NO_MD4
849     if ( (ret = md4_test()) != 0)
850         return err_sys("MD4      test failed!\n", ret);
851     else
852         TEST_PASS("MD4      test passed!\n");
853 #endif
854 
855 #ifndef NO_SHA
856     if ( (ret = sha_test()) != 0)
857         return err_sys("SHA      test failed!\n", ret);
858     else
859         TEST_PASS("SHA      test passed!\n");
860 #endif
861 
862 #ifdef WOLFSSL_SHA224
863     if ( (ret = sha224_test()) != 0)
864         return err_sys("SHA-224  test failed!\n", ret);
865     else
866         TEST_PASS("SHA-224  test passed!\n");
867 #endif
868 
869 #ifndef NO_SHA256
870     if ( (ret = sha256_test()) != 0)
871         return err_sys("SHA-256  test failed!\n", ret);
872     else
873         TEST_PASS("SHA-256  test passed!\n");
874 #endif
875 
876 #ifdef WOLFSSL_SHA384
877     if ( (ret = sha384_test()) != 0)
878         return err_sys("SHA-384  test failed!\n", ret);
879     else
880         TEST_PASS("SHA-384  test passed!\n");
881 #endif
882 
883 #ifdef WOLFSSL_SHA512
884     if ( (ret = sha512_test()) != 0)
885         return err_sys("SHA-512  test failed!\n", ret);
886     else
887         TEST_PASS("SHA-512  test passed!\n");
888 #endif
889 
890 #ifdef WOLFSSL_SHA3
891     if ( (ret = sha3_test()) != 0)
892         return err_sys("SHA-3    test failed!\n", ret);
893     else
894         TEST_PASS("SHA-3    test passed!\n");
895 #endif
896 
897 #ifdef WOLFSSL_SHAKE256
898     if ( (ret = shake256_test()) != 0)
899         return err_sys("SHAKE256 test failed!\n", ret);
900     else
901         TEST_PASS("SHAKE256 test passed!\n");
902 #endif
903 
904 #ifndef NO_HASH_WRAPPER
905     if ( (ret = hash_test()) != 0)
906         return err_sys("Hash     test failed!\n", ret);
907     else
908         TEST_PASS("Hash     test passed!\n");
909 #endif
910 
911 #ifdef WOLFSSL_RIPEMD
912     if ( (ret = ripemd_test()) != 0)
913         return err_sys("RIPEMD   test failed!\n", ret);
914     else
915         TEST_PASS("RIPEMD   test passed!\n");
916 #endif
917 
918 #ifdef HAVE_BLAKE2
919     if ( (ret = blake2b_test()) != 0)
920         return err_sys("BLAKE2b  test failed!\n", ret);
921     else
922         TEST_PASS("BLAKE2b  test passed!\n");
923 #endif
924 #ifdef HAVE_BLAKE2S
925     if ( (ret = blake2s_test()) != 0)
926         return err_sys("BLAKE2s  test failed!\n", ret);
927     else
928         TEST_PASS("BLAKE2s  test passed!\n");
929 #endif
930 
931 #ifndef NO_HMAC
932     #if !defined(NO_MD5) && !(defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) \
933                               && (HAVE_FIPS_VERSION >= 5))
934         if ( (ret = hmac_md5_test()) != 0)
935             return err_sys("HMAC-MD5 test failed!\n", ret);
936         else
937             TEST_PASS("HMAC-MD5 test passed!\n");
938     #endif
939 
940     #ifndef NO_SHA
941     if ( (ret = hmac_sha_test()) != 0)
942         return err_sys("HMAC-SHA test failed!\n", ret);
943     else
944         TEST_PASS("HMAC-SHA test passed!\n");
945     #endif
946 
947     #ifdef WOLFSSL_SHA224
948         if ( (ret = hmac_sha224_test()) != 0)
949             return err_sys("HMAC-SHA224 test failed!\n", ret);
950         else
951             TEST_PASS("HMAC-SHA224 test passed!\n");
952     #endif
953 
954     #ifndef NO_SHA256
955         if ( (ret = hmac_sha256_test()) != 0)
956             return err_sys("HMAC-SHA256 test failed!\n", ret);
957         else
958             TEST_PASS("HMAC-SHA256 test passed!\n");
959     #endif
960 
961     #ifdef WOLFSSL_SHA384
962         if ( (ret = hmac_sha384_test()) != 0)
963             return err_sys("HMAC-SHA384 test failed!\n", ret);
964         else
965             TEST_PASS("HMAC-SHA384 test passed!\n");
966     #endif
967 
968     #ifdef WOLFSSL_SHA512
969         if ( (ret = hmac_sha512_test()) != 0)
970             return err_sys("HMAC-SHA512 test failed!\n", ret);
971         else
972             TEST_PASS("HMAC-SHA512 test passed!\n");
973     #endif
974 
975     #if !defined(NO_HMAC) && defined(WOLFSSL_SHA3) && \
976       !defined(WOLFSSL_NOSHA3_224) && !defined(WOLFSSL_NOSHA3_256) && \
977       !defined(WOLFSSL_NOSHA3_384) && !defined(WOLFSSL_NOSHA3_512)
978         if ( (ret = hmac_sha3_test()) != 0)
979             return err_sys("HMAC-SHA3   test failed!\n", ret);
980         else
981             TEST_PASS("HMAC-SHA3   test passed!\n");
982     #endif
983 
984     #ifdef HAVE_HKDF
985         PRIVATE_KEY_UNLOCK();
986         if ( (ret = hkdf_test()) != 0)
987             return err_sys("HMAC-KDF    test failed!\n", ret);
988         else
989             TEST_PASS("HMAC-KDF    test passed!\n");
990         PRIVATE_KEY_LOCK();
991     #endif
992 #endif /* !NO_HMAC */
993 
994 #ifdef WOLFSSL_WOLFSSH
995     PRIVATE_KEY_UNLOCK();
996     if ( (ret = sshkdf_test()) != 0)
997         return err_sys("SSH-KDF     test failed!\n", ret);
998     else
999         TEST_PASS("SSH-KDF     test passed!\n");
1000     PRIVATE_KEY_LOCK();
1001 #endif /* WOLFSSL_WOLFSSH */
1002 
1003 #if defined(HAVE_X963_KDF) && defined(HAVE_ECC)
1004     if ( (ret = x963kdf_test()) != 0)
1005         return err_sys("X963-KDF    test failed!\n", ret);
1006     else
1007         TEST_PASS("X963-KDF    test passed!\n");
1008 #endif
1009 
1010 #if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && \
1011    !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT)
1012     if ( (ret = gmac_test()) != 0)
1013         return err_sys("GMAC     test failed!\n", ret);
1014     else
1015         TEST_PASS("GMAC     test passed!\n");
1016 #endif
1017 
1018 #ifdef WC_RC2
1019     if ( (ret = rc2_test()) != 0)
1020         return err_sys("RC2      test failed!\n", ret);
1021     else
1022         TEST_PASS("RC2      test passed!\n");
1023 #endif
1024 
1025 #ifndef NO_RC4
1026     if ( (ret = arc4_test()) != 0)
1027         return err_sys("ARC4     test failed!\n", ret);
1028     else
1029         TEST_PASS("ARC4     test passed!\n");
1030 #endif
1031 
1032 #ifndef NO_HC128
1033     if ( (ret = hc128_test()) != 0)
1034         return err_sys("HC-128   test failed!\n", ret);
1035     else
1036         TEST_PASS("HC-128   test passed!\n");
1037 #endif
1038 
1039 #ifndef NO_RABBIT
1040     if ( (ret = rabbit_test()) != 0)
1041         return err_sys("Rabbit   test failed!\n", ret);
1042     else
1043         TEST_PASS("Rabbit   test passed!\n");
1044 #endif
1045 
1046 #ifdef HAVE_CHACHA
1047     if ( (ret = chacha_test()) != 0)
1048         return err_sys("Chacha   test failed!\n", ret);
1049     else
1050         TEST_PASS("Chacha   test passed!\n");
1051 #endif
1052 
1053 #ifdef HAVE_XCHACHA
1054     if ( (ret = XChaCha_test()) != 0)
1055         return err_sys("XChacha  test failed!\n", ret);
1056     else
1057         TEST_PASS("XChacha  test passed!\n");
1058 #endif
1059 
1060 #ifdef HAVE_POLY1305
1061     if ( (ret = poly1305_test()) != 0)
1062         return err_sys("POLY1305 test failed!\n", ret);
1063     else
1064         TEST_PASS("POLY1305 test passed!\n");
1065 #endif
1066 
1067 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
1068     if ( (ret = chacha20_poly1305_aead_test()) != 0)
1069         return err_sys("ChaCha20-Poly1305 AEAD test failed!\n", ret);
1070     else
1071         TEST_PASS("ChaCha20-Poly1305 AEAD test passed!\n");
1072 #endif
1073 
1074 #if defined(HAVE_XCHACHA) && defined(HAVE_POLY1305)
1075     if ( (ret = XChaCha20Poly1305_test()) != 0)
1076         return err_sys("XChaCha20-Poly1305 AEAD test failed!\n", ret);
1077     else
1078         TEST_PASS("XChaCha20-Poly1305 AEAD test passed!\n");
1079 #endif
1080 
1081 #ifndef NO_DES3
1082     if ( (ret = des_test()) != 0)
1083         return err_sys("DES      test failed!\n", ret);
1084     else
1085         TEST_PASS("DES      test passed!\n");
1086 #endif
1087 
1088 #ifndef NO_DES3
1089     if ( (ret = des3_test()) != 0)
1090         return err_sys("DES3     test failed!\n", ret);
1091     else
1092         TEST_PASS("DES3     test passed!\n");
1093 #endif
1094 
1095 #ifndef NO_AES
1096     if ( (ret = aes_test()) != 0)
1097         return err_sys("AES      test failed!\n", ret);
1098     else
1099         TEST_PASS("AES      test passed!\n");
1100 
1101 #ifdef WOLFSSL_AES_192
1102     if ( (ret = aes192_test()) != 0)
1103         return err_sys("AES192   test failed!\n", ret);
1104     else
1105         TEST_PASS("AES192   test passed!\n");
1106 #endif
1107 
1108 #ifdef WOLFSSL_AES_256
1109     if ( (ret = aes256_test()) != 0)
1110         return err_sys("AES256   test failed!\n", ret);
1111     else
1112         TEST_PASS("AES256   test passed!\n");
1113 #endif
1114 
1115 #ifdef WOLFSSL_AES_OFB
1116     if ( (ret = aesofb_test()) != 0)
1117         return err_sys("AES-OFB  test failed!\n", ret);
1118     else
1119         TEST_PASS("AESOFB   test passed!\n");
1120 #endif
1121 
1122 #ifdef HAVE_AESGCM
1123     #if !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_DEVCRYPTO)
1124     if ( (ret = aesgcm_test()) != 0)
1125         return err_sys("AES-GCM  test failed!\n", ret);
1126     #endif
1127     #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT) && \
1128         !(defined(WOLF_CRYPTO_CB) && \
1129             (defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)))
1130     if ((ret = aesgcm_default_test()) != 0) {
1131         return err_sys("AES-GCM  test failed!\n", ret);
1132     }
1133     #endif
1134     TEST_PASS("AES-GCM  test passed!\n");
1135 #endif
1136 
1137 #if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
1138     if ( (ret = aesccm_test()) != 0)
1139         return err_sys("AES-CCM  test failed!\n", ret);
1140     else
1141         TEST_PASS("AES-CCM  test passed!\n");
1142 #endif
1143 #ifdef HAVE_AES_KEYWRAP
1144     if ( (ret = aeskeywrap_test()) != 0)
1145         return err_sys("AES Key Wrap test failed!\n", ret);
1146     else
1147         TEST_PASS("AES Key Wrap test passed!\n");
1148 #endif
1149 #endif
1150 
1151 #ifdef HAVE_CAMELLIA
1152     if ( (ret = camellia_test()) != 0)
1153         return err_sys("CAMELLIA test failed!\n", ret);
1154     else
1155         TEST_PASS("CAMELLIA test passed!\n");
1156 #endif
1157 
1158 #ifdef HAVE_IDEA
1159     if ( (ret = idea_test()) != 0)
1160         return err_sys("IDEA     test failed!\n", ret);
1161     else
1162         TEST_PASS("IDEA     test passed!\n");
1163 #endif
1164 
1165 #ifndef NO_RSA
1166     #ifdef WC_RSA_NO_PADDING
1167     if ( (ret = rsa_no_pad_test()) != 0)
1168         return err_sys("RSA NOPAD test failed!\n", ret);
1169     else
1170         TEST_PASS("RSA NOPAD test passed!\n");
1171     #endif
1172     if ( (ret = rsa_test()) != 0)
1173         return err_sys("RSA      test failed!\n", ret);
1174     else
1175         TEST_PASS("RSA      test passed!\n");
1176 #endif
1177 
1178 #ifndef NO_DH
1179     PRIVATE_KEY_UNLOCK();
1180     if ( (ret = dh_test()) != 0)
1181         return err_sys("DH       test failed!\n", ret);
1182     else
1183         TEST_PASS("DH       test passed!\n");
1184     PRIVATE_KEY_LOCK();
1185 #endif
1186 
1187 #ifndef NO_DSA
1188     if ( (ret = dsa_test()) != 0)
1189         return err_sys("DSA      test failed!\n", ret);
1190     else
1191         TEST_PASS("DSA      test passed!\n");
1192 #endif
1193 
1194 #ifdef WOLFCRYPT_HAVE_SRP
1195     if ( (ret = srp_test()) != 0)
1196         return err_sys("SRP      test failed!\n", ret);
1197     else
1198         TEST_PASS("SRP      test passed!\n");
1199 #endif
1200 
1201 #ifndef NO_PWDBASED
1202     if ( (ret = pwdbased_test()) != 0)
1203         return err_sys("PWDBASED test failed!\n", ret);
1204     else
1205         TEST_PASS("PWDBASED test passed!\n");
1206 #endif
1207 
1208 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
1209     if ( (ret = openssl_test()) != 0)
1210         return err_sys("OPENSSL  test failed!\n", ret);
1211     else
1212         TEST_PASS("OPENSSL  test passed!\n");
1213 
1214     if ( (ret = openSSL_evpMD_test()) != 0)
1215         return err_sys("OPENSSL (EVP MD) test failed!\n", ret);
1216     else
1217         TEST_PASS("OPENSSL (EVP MD) passed!\n");
1218 
1219     if ( (ret = openssl_pkey0_test()) != 0)
1220         return err_sys("OPENSSL (PKEY0) test failed!\n", ret);
1221     else
1222         TEST_PASS("OPENSSL (PKEY0) passed!\n");
1223 
1224     if ( (ret = openssl_pkey1_test()) != 0)
1225         return err_sys("OPENSSL (PKEY1) test failed!\n", ret);
1226     else
1227         TEST_PASS("OPENSSL (PKEY1) passed!\n");
1228 
1229     if ( (ret = openssl_evpSig_test()) != 0)
1230         return err_sys("OPENSSL (EVP Sign/Verify) test failed!\n", ret);
1231     else
1232         TEST_PASS("OPENSSL (EVP Sign/Verify) passed!\n");
1233 
1234 #endif
1235 
1236 #ifdef HAVE_ECC
1237     PRIVATE_KEY_UNLOCK();
1238     if ( (ret = ecc_test()) != 0)
1239         return err_sys("ECC      test failed!\n", ret);
1240     else
1241         TEST_PASS("ECC      test passed!\n");
1242     PRIVATE_KEY_LOCK();
1243     #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_AES_CBC) && \
1244         defined(WOLFSSL_AES_128)
1245         if ( (ret = ecc_encrypt_test()) != 0)
1246             return err_sys("ECC Enc  test failed!\n", ret);
1247         else
1248             TEST_PASS("ECC Enc  test passed!\n");
1249     #endif
1250     #if defined(USE_CERT_BUFFERS_256) && !defined(WOLFSSL_ATECC508A) && \
1251         !defined(WOLFSSL_ATECC608A) && !defined(NO_ECC256) && \
1252         defined(HAVE_ECC_VERIFY) && defined(HAVE_ECC_SIGN)
1253         /* skip for ATECC508/608A, cannot import private key buffers */
1254         if ( (ret = ecc_test_buffers()) != 0)
1255             return err_sys("ECC buffer test failed!\n", ret);
1256         else
1257             TEST_PASS("ECC buffer test passed!\n");
1258     #endif
1259 #endif
1260 
1261 #if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) && \
1262     !defined(NO_FILESYSTEM)
1263     if ( (ret = cert_test()) != 0)
1264         return err_sys("CERT     test failed!\n", ret);
1265     else
1266         TEST_PASS("CERT     test passed!\n");
1267 #endif
1268 
1269 #if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) && \
1270    !defined(NO_FILESYSTEM) && !defined(NO_RSA)
1271     if ( (ret = certext_test()) != 0)
1272         return err_sys("CERT EXT test failed!\n", ret);
1273     else
1274         TEST_PASS("CERT EXT test passed!\n");
1275 #endif
1276 
1277 #if defined(WOLFSSL_CERT_GEN_CACHE) && defined(WOLFSSL_TEST_CERT) && \
1278     defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)
1279     if ( (ret = decodedCertCache_test()) != 0)
1280         return err_sys("DECODED CERT CACHE test failed!\n", ret);
1281     else
1282         TEST_PASS("DECODED CERT CACHE test passed!\n");
1283 #endif
1284 
1285 #ifdef HAVE_CURVE25519
1286     if ( (ret = curve25519_test()) != 0)
1287         return err_sys("CURVE25519 test failed!\n", ret);
1288     else
1289         TEST_PASS("CURVE25519 test passed!\n");
1290 #endif
1291 
1292 #ifdef HAVE_ED25519
1293     if ( (ret = ed25519_test()) != 0)
1294         return err_sys("ED25519  test failed!\n", ret);
1295     else
1296         TEST_PASS("ED25519  test passed!\n");
1297 #endif
1298 
1299 #ifdef HAVE_CURVE448
1300     if ( (ret = curve448_test()) != 0)
1301         return err_sys("CURVE448 test failed!\n", ret);
1302     else
1303         TEST_PASS("CURVE448 test passed!\n");
1304 #endif
1305 
1306 #ifdef HAVE_ED448
1307     if ( (ret = ed448_test()) != 0)
1308         return err_sys("ED448    test failed!\n", ret);
1309     else
1310         TEST_PASS("ED448    test passed!\n");
1311 #endif
1312 
1313 #ifdef WOLFCRYPT_HAVE_ECCSI
1314     if ( (ret = eccsi_test()) != 0)
1315         return err_sys("ECCSI    test failed!\n", ret);
1316     else
1317         TEST_PASS("ECCSI    test passed!\n");
1318 #endif
1319 #ifdef WOLFCRYPT_HAVE_SAKKE
1320     if ( (ret = sakke_test()) != 0)
1321         return err_sys("SAKKE    test failed!\n", ret);
1322     else
1323         TEST_PASS("SAKKE    test passed!\n");
1324 #endif
1325 
1326 #if defined(WOLFSSL_CMAC) && !defined(NO_AES)
1327     if ( (ret = cmac_test()) != 0)
1328         return err_sys("CMAC     test failed!\n", ret);
1329     else
1330         TEST_PASS("CMAC     test passed!\n");
1331 #endif
1332 
1333 #ifdef HAVE_LIBZ
1334     if ( (ret = compress_test()) != 0)
1335         return err_sys("COMPRESS test failed!\n", ret);
1336     else
1337         TEST_PASS("COMPRESS test passed!\n");
1338 #endif
1339 
1340 #ifdef HAVE_PKCS7
1341     #ifndef NO_PKCS7_ENCRYPTED_DATA
1342         if ( (ret = pkcs7encrypted_test()) != 0)
1343             return err_sys("PKCS7encrypted  test failed!\n", ret);
1344         else
1345             TEST_PASS("PKCS7encrypted  test passed!\n");
1346     #endif
1347     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
1348         if ( (ret = pkcs7compressed_test()) != 0)
1349             return err_sys("PKCS7compressed test failed!\n", ret);
1350         else
1351             TEST_PASS("PKCS7compressed test passed!\n");
1352     #endif
1353     if ( (ret = pkcs7signed_test()) != 0)
1354         return err_sys("PKCS7signed     test failed!\n", ret);
1355     else
1356         TEST_PASS("PKCS7signed     test passed!\n");
1357 
1358     if ( (ret = pkcs7enveloped_test()) != 0)
1359         return err_sys("PKCS7enveloped  test failed!\n", ret);
1360     else
1361         TEST_PASS("PKCS7enveloped  test passed!\n");
1362 
1363     #if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
1364         if ( (ret = pkcs7authenveloped_test()) != 0)
1365             return err_sys("PKCS7authenveloped  test failed!\n", ret);
1366         else
1367             TEST_PASS("PKCS7authenveloped  test passed!\n");
1368     #endif
1369 #endif
1370 
1371 #ifdef HAVE_VALGRIND
1372     if ( (ret = mp_test()) != 0)
1373         return err_sys("mp       test failed!\n", ret);
1374     else
1375         TEST_PASS("mp       test passed!\n");
1376 #endif
1377 
1378 #if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN)
1379     if ( (ret = prime_test()) != 0)
1380         return err_sys("prime    test failed!\n", ret);
1381     else
1382         TEST_PASS("prime    test passed!\n");
1383 #endif
1384 
1385 #if defined(ASN_BER_TO_DER) && \
1386     (defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
1387      defined(OPENSSL_EXTRA_X509_SMALL))
1388     if ( (ret = berder_test()) != 0)
1389         return err_sys("ber-der  test failed!\n", ret);
1390     else
1391         TEST_PASS("ber-der  test passed!\n");
1392 #endif
1393 
1394     if ( (ret = logging_test()) != 0)
1395         return err_sys("logging  test failed!\n", ret);
1396     else
1397         TEST_PASS("logging  test passed!\n");
1398 
1399     if ( (ret = mutex_test()) != 0)
1400         return err_sys("mutex    test failed!\n", ret);
1401     else
1402         TEST_PASS("mutex    test passed!\n");
1403 
1404 #if defined(USE_WOLFSSL_MEMORY) && !defined(FREERTOS)
1405     if ( (ret = memcb_test()) != 0)
1406         return err_sys("memcb    test failed!\n", ret);
1407     else
1408         TEST_PASS("memcb    test passed!\n");
1409 #endif
1410 
1411 #ifdef WOLFSSL_IMX6_CAAM_BLOB
1412     if ( (ret = blob_test()) != 0)
1413         return err_sys("blob     test failed!\n", ret);
1414     else
1415         TEST_PASS("blob     test passed!\n");
1416 #endif
1417 
1418 #if defined(WOLF_CRYPTO_CB) && \
1419     !(defined(HAVE_INTEL_QAT_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC) || \
1420       defined(WOLFSSL_QNX_CAAM))
1421     if ( (ret = cryptocb_test()) != 0)
1422         return err_sys("crypto callback test failed!\n", ret);
1423     else
1424         TEST_PASS("crypto callback test passed!\n");
1425 #endif
1426 
1427 #ifdef WOLFSSL_CERT_PIV
1428     if ( (ret = certpiv_test()) != 0)
1429         return err_sys("cert piv test failed!\n", ret);
1430     else
1431         TEST_PASS("cert piv test passed!\n");
1432 #endif
1433 
1434 #ifdef WOLF_CRYPTO_CB
1435 #ifdef HAVE_INTEL_QA_SYNC
1436     wc_CryptoCb_CleanupIntelQa(&devId);
1437 #endif
1438 #ifdef HAVE_CAVIUM_OCTEON_SYNC
1439     wc_CryptoCb_CleanupOcteon(&devId);
1440 #endif
1441 #endif
1442 
1443 #ifdef WOLFSSL_ASYNC_CRYPT
1444     wolfAsync_DevClose(&devId);
1445 #endif
1446 
1447     /* cleanup the thread if fixed point cache is enabled and have thread local */
1448 #if defined(HAVE_THREAD_LS) && defined(HAVE_ECC) && defined(FP_ECC)
1449     wc_ecc_fp_free();
1450 #endif
1451 
1452     if (args)
1453         ((func_args*)args)->return_code = ret;
1454 
1455     TEST_PASS("Test complete\n");
1456 
1457     EXIT_TEST(ret);
1458 }
1459 
1460 #ifndef NO_MAIN_DRIVER
1461 
1462     /* so overall tests can pull in test function */
1463 #ifdef WOLFSSL_ESPIDF
1464     void app_main( )
1465 #else
1466 
1467 #ifdef HAVE_WOLFCRYPT_TEST_OPTIONS
1468     int myoptind = 0;
1469     char* myoptarg = NULL;
1470 #endif
1471 
main(int argc,char ** argv)1472     int main(int argc, char** argv)
1473 #endif
1474     {
1475         int ret;
1476         func_args args;
1477 #ifdef WOLFSSL_ESPIDF
1478         /* set dummy wallclock time. */
1479         struct timeval utctime;
1480         struct timezone tz;
1481         utctime.tv_sec = 1521725159; /* dummy time: 2018-03-22T13:25:59+00:00 */
1482         utctime.tv_usec = 0;
1483         tz.tz_minuteswest = 0;
1484         tz.tz_dsttime = 0;
1485         settimeofday(&utctime, &tz);
1486 #endif
1487 #ifdef WOLFSSL_APACHE_MYNEWT
1488         #ifdef ARCH_sim
1489         mcu_sim_parse_args(argc, argv);
1490         #endif
1491         sysinit();
1492 
1493         /* set dummy wallclock time. */
1494         struct os_timeval utctime;
1495         struct os_timezone tz;
1496         utctime.tv_sec = 1521725159; /* dummy time: 2018-03-22T13:25:59+00:00 */
1497         utctime.tv_usec = 0;
1498         tz.tz_minuteswest = 0;
1499         tz.tz_dsttime = 0;
1500         os_settimeofday(&utctime, &tz);
1501 #endif
1502 #ifdef DEVKITPRO
1503         void *framebuffer;
1504         GXRModeObj *rmode = NULL;
1505 
1506         VIDEO_Init();
1507         WPAD_Init();
1508 
1509         rmode = VIDEO_GetPreferredMode(NULL);
1510 #pragma GCC diagnostic ignored "-Wbad-function-cast"
1511         framebuffer = MEM_K0_TO_K1(SYS_AllocateFramebuffer(rmode));
1512 #pragma GCC diagnostic pop
1513         console_init(framebuffer,20,20,rmode->fbWidth,rmode->xfbHeight,rmode->fbWidth*VI_DISPLAY_PIX_SZ);
1514 
1515         VIDEO_Configure(rmode);
1516         VIDEO_SetNextFramebuffer(framebuffer);
1517         VIDEO_SetBlack(FALSE);
1518         VIDEO_Flush();
1519         VIDEO_WaitVSync();
1520         if(rmode->viTVMode&VI_NON_INTERLACE) VIDEO_WaitVSync();
1521 #endif
1522 
1523 #ifdef HAVE_WNR
1524         if (wc_InitNetRandom(wnrConfigFile, NULL, 5000) != 0) {
1525             err_sys("Whitewood netRandom global config failed", -1001);
1526             return -1002;
1527         }
1528 #endif
1529 #ifndef WOLFSSL_ESPIDF
1530         args.argc = argc;
1531         args.argv = argv;
1532 #endif
1533         if ((ret = wolfCrypt_Init()) != 0) {
1534             printf("wolfCrypt_Init failed %d\n", ret);
1535             err_sys("Error with wolfCrypt_Init!\n", -1003);
1536         }
1537 
1538 #ifdef WC_RNG_SEED_CB
1539     wc_SetSeed_Cb(wc_GenerateSeed);
1540 #endif
1541 
1542     #ifdef HAVE_STACK_SIZE
1543         StackSizeCheck(&args, wolfcrypt_test);
1544     #else
1545         wolfcrypt_test(&args);
1546     #endif
1547 
1548         if ((ret = wolfCrypt_Cleanup()) != 0) {
1549             printf("wolfCrypt_Cleanup failed %d\n", ret);
1550             err_sys("Error with wolfCrypt_Cleanup!\n", -1004);
1551         }
1552 
1553 #ifdef HAVE_WNR
1554         if (wc_FreeNetRandom() < 0)
1555             err_sys("Failed to free netRandom context", -1005);
1556 #endif /* HAVE_WNR */
1557 #ifdef DOLPHIN_EMULATOR
1558         /* Returning from main panics the emulator. Just hang
1559          * and let the user force quit the emulator window. */
1560         printf("args.return_code: %d\n", args.return_code);
1561         printf("Testing complete. You may close the window now\n");
1562         while (1);
1563 #endif
1564 #ifndef WOLFSSL_ESPIDF
1565         printf("Exiting main with return code: %d\n", args.return_code);
1566         return args.return_code;
1567 #endif
1568     }
1569 
1570 #endif /* NO_MAIN_DRIVER */
1571 
1572 /* helper to save DER, convert to PEM and save PEM */
1573 #if !defined(NO_ASN) && (defined(HAVE_ECC) || !defined(NO_DSA) || \
1574     (!defined(NO_RSA) && (defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN))))
1575 
1576 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
1577 #define SaveDerAndPem(d, dSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, fD, fP, pT, eB)
1578 #else
1579 #define SaveDerAndPem(d, dSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, NULL, NULL, pT, eB)
1580 #endif
1581 
_SaveDerAndPem(const byte * der,int derSz,const char * fileDer,const char * filePem,int pemType,int errBase)1582 static int _SaveDerAndPem(const byte* der, int derSz,
1583     const char* fileDer, const char* filePem, int pemType, int errBase)
1584 {
1585 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
1586     int ret;
1587     XFILE derFile;
1588 
1589     derFile = XFOPEN(fileDer, "wb");
1590     if (!derFile) {
1591         return errBase + 0;
1592     }
1593     ret = (int)XFWRITE(der, 1, derSz, derFile);
1594     XFCLOSE(derFile);
1595     if (ret != derSz) {
1596         return errBase + 1;
1597     }
1598 #endif
1599 
1600 #ifdef WOLFSSL_DER_TO_PEM
1601     if (filePem) {
1602     #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
1603         XFILE pemFile;
1604     #endif
1605         byte* pem;
1606         int pemSz;
1607 
1608         /* calculate PEM size */
1609         pemSz = wc_DerToPem(der, derSz, NULL, 0, pemType);
1610         if (pemSz < 0) {
1611             return pemSz;
1612         }
1613         pem = (byte*)XMALLOC(pemSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
1614         if (pem == NULL) {
1615             return MEMORY_E;
1616         }
1617         /* Convert to PEM */
1618         pemSz = wc_DerToPem(der, derSz, pem, pemSz, pemType);
1619         if (pemSz < 0) {
1620             XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
1621             return errBase + 2;
1622         }
1623     #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
1624         pemFile = XFOPEN(filePem, "wb");
1625         if (!pemFile) {
1626             XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
1627             return errBase + 3;
1628         }
1629         ret = (int)XFWRITE(pem, 1, pemSz, pemFile);
1630         XFCLOSE(pemFile);
1631         if (ret != pemSz) {
1632             XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
1633             return errBase + 4;
1634         }
1635     #endif
1636         XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
1637     }
1638 #endif /* WOLFSSL_DER_TO_PEM */
1639 
1640     /* suppress unused variable warnings */
1641     (void)der;
1642     (void)derSz;
1643     (void)filePem;
1644     (void)fileDer;
1645     (void)pemType;
1646     (void)errBase;
1647 
1648     return 0;
1649 }
1650 #endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */
1651 
error_test(void)1652 WOLFSSL_TEST_SUBROUTINE int error_test(void)
1653 {
1654     const char* errStr;
1655     char        out[WOLFSSL_MAX_ERROR_SZ];
1656     const char* unknownStr = wc_GetErrorString(0);
1657 
1658 #ifdef NO_ERROR_STRINGS
1659     /* Ensure a valid error code's string matches an invalid code's.
1660      * The string is that error strings are not available.
1661      */
1662     errStr = wc_GetErrorString(OPEN_RAN_E);
1663     wc_ErrorString(OPEN_RAN_E, out);
1664     if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) != 0)
1665         return -1100;
1666     if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) != 0)
1667         return -1101;
1668 #else
1669     int i;
1670     int j = 0;
1671     /* Values that are not or no longer error codes. */
1672     int missing[] = { -122, -123, -124,       -127, -128, -129, -159,
1673                       -163, -164, -165, -166, -167, -168, -169, -233,
1674                       0 };
1675 
1676     /* Check that all errors have a string and it's the same through the two
1677      * APIs. Check that the values that are not errors map to the unknown
1678      * string.
1679      */
1680     for (i = MAX_CODE_E-1; i >= WC_LAST_E; i--) {
1681         errStr = wc_GetErrorString(i);
1682         wc_ErrorString(i, out);
1683 
1684         if (i != missing[j]) {
1685             if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) == 0)
1686                 return -1102;
1687             if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) == 0)
1688                 return -1103;
1689             if (XSTRNCMP(errStr, out, XSTRLEN(errStr)) != 0)
1690                 return -1104;
1691             if (XSTRLEN(errStr) >= WOLFSSL_MAX_ERROR_SZ)
1692                 return -1105;
1693         }
1694         else {
1695             j++;
1696             if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) != 0)
1697                 return -1106;
1698             if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) != 0)
1699                 return -1107;
1700         }
1701     }
1702 
1703     /* Check if the next possible value has been given a string. */
1704     errStr = wc_GetErrorString(i);
1705     wc_ErrorString(i, out);
1706     if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) != 0)
1707         return -1108;
1708     if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) != 0)
1709         return -1109;
1710 #endif
1711 
1712     return 0;
1713 }
1714 
1715 #ifndef NO_CODING
1716 
base64_test(void)1717 WOLFSSL_TEST_SUBROUTINE int base64_test(void)
1718 {
1719     int        ret;
1720     WOLFSSL_SMALL_STACK_STATIC const byte good[] = "A+Gd\0\0\0";
1721     WOLFSSL_SMALL_STACK_STATIC const byte goodEnd[] = "A+Gd \r\n";
1722     WOLFSSL_SMALL_STACK_STATIC const byte good_spaces[] = " A + G d \0";
1723     byte       out[128];
1724     word32     outLen;
1725 #ifdef WOLFSSL_BASE64_ENCODE
1726     byte       data[3];
1727     word32     dataLen;
1728     byte       longData[79] = { 0 };
1729     WOLFSSL_SMALL_STACK_STATIC const byte symbols[] = "+/A=";
1730 #endif
1731     WOLFSSL_SMALL_STACK_STATIC const byte badSmall[] = "AAA!Gdj=";
1732     WOLFSSL_SMALL_STACK_STATIC const byte badLarge[] = "AAA~Gdj=";
1733     WOLFSSL_SMALL_STACK_STATIC const byte badEOL[] = "A+Gd!AA";
1734     WOLFSSL_SMALL_STACK_STATIC const byte badPadding[] = "AA=A";
1735     WOLFSSL_SMALL_STACK_STATIC const byte badChar[] = ",-.:;<=>?@[\\]^_`";
1736     byte goodChar[] =
1737         "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
1738         "abcdefghijklmnopqrstuvwxyz"
1739         "0123456789+/;";
1740     byte charTest[] = "A+Gd\0\0\0";
1741     int        i;
1742 
1743     /* Good Base64 encodings. */
1744     outLen = sizeof(out);
1745     ret = Base64_Decode(good, sizeof(good), out, &outLen);
1746     if (ret != 0)
1747         return -1200;
1748     outLen = sizeof(out);
1749     ret = Base64_Decode(goodEnd, sizeof(goodEnd), out, &outLen);
1750     if (ret != 0)
1751         return -1201;
1752     outLen = sizeof(goodChar);
1753     ret = Base64_Decode(goodChar, sizeof(goodChar), goodChar, &outLen);
1754     if (ret != 0)
1755         return -1235;
1756     if (outLen != 64 / 4 * 3)
1757         return -1236;
1758     outLen = sizeof(out);
1759     ret = Base64_Decode(good_spaces, sizeof(good_spaces), out, &outLen);
1760     if (ret != 0)
1761         return -1201;
1762 
1763     /* Bad parameters. */
1764     outLen = 1;
1765     ret = Base64_Decode(good, sizeof(good), out, &outLen);
1766     if (ret != BAD_FUNC_ARG)
1767         return -1202;
1768 
1769     outLen = sizeof(out);
1770     ret = Base64_Decode(badEOL, sizeof(badEOL), out, &outLen);
1771     if (ret != ASN_INPUT_E)
1772         return -1203;
1773     outLen = sizeof(out);
1774     ret = Base64_Decode(badPadding, sizeof(badPadding), out, &outLen);
1775     if (ret != ASN_INPUT_E)
1776         return -1203;
1777     /* Bad character at each offset 0-3. */
1778     for (i = 0; i < 4; i++) {
1779         outLen = sizeof(out);
1780         ret = Base64_Decode(badSmall + i, 4, out, &outLen);
1781         if (ret != ASN_INPUT_E)
1782             return -1204 - i;
1783         ret = Base64_Decode(badLarge + i, 4, out, &outLen);
1784         if (ret != ASN_INPUT_E)
1785             return -1214 - i;
1786     }
1787     /* Invalid character less than 0x2b */
1788     for (i = 1; i < 0x2b; i++) {
1789         outLen = sizeof(out);
1790         charTest[0] = i;
1791         ret = Base64_Decode(charTest, sizeof(charTest), out, &outLen);
1792         if (ret != ASN_INPUT_E)
1793             return -1240 - i;
1794     }
1795     /* Bad characters in range 0x2b - 0x7a. */
1796     for (i = 0; i < (int)sizeof(badChar) - 1; i++) {
1797         outLen = sizeof(out);
1798         charTest[0] = badChar[i];
1799         ret = Base64_Decode(charTest, sizeof(charTest), out, &outLen);
1800         if (ret != ASN_INPUT_E)
1801             return -1270 - i;
1802     }
1803     /* Invalid character greater than 0x7a */
1804     for (i = 0x7b; i < 0x100; i++) {
1805         outLen = sizeof(out);
1806         charTest[0] = i;
1807         ret = Base64_Decode(charTest, sizeof(charTest), out, &outLen);
1808         if (ret != ASN_INPUT_E)
1809             return -1290 - i;
1810     }
1811 
1812 
1813 #ifdef WOLFSSL_BASE64_ENCODE
1814     /* Decode and encode all symbols - non-alphanumeric. */
1815     dataLen = sizeof(data);
1816     ret = Base64_Decode(symbols, sizeof(symbols), data, &dataLen);
1817     if (ret != 0)
1818         return -1224;
1819     outLen = sizeof(out);
1820     ret = Base64_Encode(data, dataLen, NULL, &outLen);
1821     if (ret != LENGTH_ONLY_E)
1822         return -1225;
1823     outLen = sizeof(out);
1824     ret = Base64_Encode(data, dataLen, out, &outLen);
1825     if (ret != 0)
1826         return -1226;
1827     outLen = 7;
1828     ret = Base64_EncodeEsc(data, dataLen, out, &outLen);
1829     if (ret != BUFFER_E)
1830         return -1227;
1831     outLen = sizeof(out);
1832     ret = Base64_EncodeEsc(data, dataLen, NULL, &outLen);
1833     if (ret != LENGTH_ONLY_E)
1834         return -1228;
1835     outLen = sizeof(out);
1836     ret = Base64_EncodeEsc(data, dataLen, out, &outLen);
1837     if (ret != 0)
1838         return -1229;
1839     outLen = sizeof(out);
1840     ret = Base64_Encode_NoNl(data, dataLen, out, &outLen);
1841     if (ret != 0)
1842         return -1230;
1843 
1844     /* Data that results in an encoding longer than one line. */
1845     outLen = sizeof(out);
1846     dataLen = sizeof(longData);
1847     ret = Base64_Encode(longData, dataLen, out, &outLen);
1848     if (ret != 0)
1849         return -1231;
1850     outLen = sizeof(out);
1851     ret = Base64_EncodeEsc(longData, dataLen, out, &outLen);
1852     if (ret != 0)
1853         return -1232;
1854     outLen = sizeof(out);
1855     ret = Base64_Encode_NoNl(longData, dataLen, out, &outLen);
1856     if (ret != 0)
1857         return -1233;
1858 #endif
1859 
1860     return 0;
1861 }
1862 
1863 #ifdef WOLFSSL_BASE16
base16_test(void)1864 WOLFSSL_TEST_SUBROUTINE int base16_test(void)
1865 {
1866     int ret;
1867     WOLFSSL_SMALL_STACK_STATIC const byte testData[] = "SomeDataToEncode\n";
1868     WOLFSSL_SMALL_STACK_STATIC const byte encodedTestData[] = "536F6D6544617461546F456E636F64650A00";
1869     byte   encoded[40];
1870     word32 encodedLen;
1871     byte   plain[40];
1872     word32 len;
1873 
1874     /* length returned includes null termination */
1875     encodedLen = sizeof(encoded);
1876     ret = Base16_Encode(testData, sizeof(testData), encoded, &encodedLen);
1877     if (ret != 0)
1878         return -1300;
1879 
1880     len = (word32)XSTRLEN((char*)encoded);
1881     if (len != encodedLen - 1)
1882         return -1301;
1883 
1884     len = sizeof(plain);
1885     ret = Base16_Decode(encoded, encodedLen - 1, plain, &len);
1886     if (ret != 0)
1887         return -1302;
1888 
1889     if (len != sizeof(testData) || XMEMCMP(testData, plain, len) != 0)
1890         return -1303;
1891 
1892     if (encodedLen != sizeof(encodedTestData) ||
1893         XMEMCMP(encoded, encodedTestData, encodedLen) != 0) {
1894         return -1304;
1895     }
1896 
1897     return 0;
1898 }
1899 #endif /* WOLFSSL_BASE16 */
1900 #endif /* !NO_CODING */
1901 
1902 #ifndef NO_ASN
asn_test(void)1903 WOLFSSL_TEST_SUBROUTINE int asn_test(void)
1904 {
1905     int ret;
1906     /* ASN1 encoded date buffer */
1907     WOLFSSL_SMALL_STACK_STATIC const byte dateBuf[] = {0x17, 0x0d, 0x31, 0x36, 0x30, 0x38, 0x31, 0x31,
1908                             0x32, 0x30, 0x30, 0x37, 0x33, 0x37, 0x5a};
1909     byte format;
1910     int length;
1911     const byte* datePart;
1912 #ifndef NO_ASN_TIME
1913     struct tm timearg;
1914     time_t now;
1915 #endif
1916 
1917     ret = wc_GetDateInfo(dateBuf, (int)sizeof(dateBuf), &datePart, &format,
1918                          &length);
1919     if (ret != 0)
1920         return -1400;
1921 
1922 #ifndef NO_ASN_TIME
1923     /* Parameter Validation tests. */
1924     if (wc_GetTime(NULL, sizeof(now)) != BAD_FUNC_ARG)
1925         return -1401;
1926     if (wc_GetTime(&now, 0) != BUFFER_E)
1927         return -1402;
1928 
1929     now = 0;
1930     if (wc_GetTime(&now, sizeof(now)) != 0) {
1931         return -1403;
1932     }
1933     if (now == 0) {
1934         printf("RTC/Time not set!\n");
1935         return -1404;
1936     }
1937 
1938     ret = wc_GetDateAsCalendarTime(datePart, length, format, &timearg);
1939     if (ret != 0)
1940         return -1405;
1941 #endif /* !NO_ASN_TIME */
1942 
1943     return 0;
1944 }
1945 #endif /* !NO_ASN */
1946 
1947 #ifdef WOLFSSL_MD2
md2_test(void)1948 WOLFSSL_TEST_SUBROUTINE int md2_test(void)
1949 {
1950     int ret = 0;
1951     Md2  md2;
1952     byte hash[MD2_DIGEST_SIZE];
1953 
1954     testVector a, b, c, d, e, f, g;
1955     testVector test_md2[7];
1956     int times = sizeof(test_md2) / sizeof(testVector), i;
1957 
1958     a.input  = "";
1959     a.output = "\x83\x50\xe5\xa3\xe2\x4c\x15\x3d\xf2\x27\x5c\x9f\x80\x69"
1960                "\x27\x73";
1961     a.inLen  = XSTRLEN(a.input);
1962     a.outLen = MD2_DIGEST_SIZE;
1963 
1964     b.input  = "a";
1965     b.output = "\x32\xec\x01\xec\x4a\x6d\xac\x72\xc0\xab\x96\xfb\x34\xc0"
1966                "\xb5\xd1";
1967     b.inLen  = XSTRLEN(b.input);
1968     b.outLen = MD2_DIGEST_SIZE;
1969 
1970     c.input  = "abc";
1971     c.output = "\xda\x85\x3b\x0d\x3f\x88\xd9\x9b\x30\x28\x3a\x69\xe6\xde"
1972                "\xd6\xbb";
1973     c.inLen  = XSTRLEN(c.input);
1974     c.outLen = MD2_DIGEST_SIZE;
1975 
1976     d.input  = "message digest";
1977     d.output = "\xab\x4f\x49\x6b\xfb\x2a\x53\x0b\x21\x9f\xf3\x30\x31\xfe"
1978                "\x06\xb0";
1979     d.inLen  = XSTRLEN(d.input);
1980     d.outLen = MD2_DIGEST_SIZE;
1981 
1982     e.input  = "abcdefghijklmnopqrstuvwxyz";
1983     e.output = "\x4e\x8d\xdf\xf3\x65\x02\x92\xab\x5a\x41\x08\xc3\xaa\x47"
1984                "\x94\x0b";
1985     e.inLen  = XSTRLEN(e.input);
1986     e.outLen = MD2_DIGEST_SIZE;
1987 
1988     f.input  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345"
1989                "6789";
1990     f.output = "\xda\x33\xde\xf2\xa4\x2d\xf1\x39\x75\x35\x28\x46\xc3\x03"
1991                "\x38\xcd";
1992     f.inLen  = XSTRLEN(f.input);
1993     f.outLen = MD2_DIGEST_SIZE;
1994 
1995     g.input  = "1234567890123456789012345678901234567890123456789012345678"
1996                "9012345678901234567890";
1997     g.output = "\xd5\x97\x6f\x79\xd8\x3d\x3a\x0d\xc9\x80\x6c\x3c\x66\xf3"
1998                "\xef\xd8";
1999     g.inLen  = XSTRLEN(g.input);
2000     g.outLen = MD2_DIGEST_SIZE;
2001 
2002     test_md2[0] = a;
2003     test_md2[1] = b;
2004     test_md2[2] = c;
2005     test_md2[3] = d;
2006     test_md2[4] = e;
2007     test_md2[5] = f;
2008     test_md2[6] = g;
2009 
2010     wc_InitMd2(&md2);
2011 
2012     for (i = 0; i < times; ++i) {
2013         wc_Md2Update(&md2, (byte*)test_md2[i].input, (word32)test_md2[i].inLen);
2014         wc_Md2Final(&md2, hash);
2015 
2016         if (XMEMCMP(hash, test_md2[i].output, MD2_DIGEST_SIZE) != 0)
2017             return -1500 - i;
2018     }
2019 
2020     for (i = 0; i < times; ++i) {
2021         ret = wc_Md2Hash((byte*)test_md2[i].input, (word32)test_md2[i].inLen, hash);
2022          if (ret != 0) {
2023             return -1507 - i;
2024         }
2025 
2026         if (XMEMCMP(hash, test_md2[i].output, MD2_DIGEST_SIZE) != 0) {
2027             return -1507 - i;
2028         }
2029 
2030     }
2031 
2032     return 0;
2033 }
2034 #endif
2035 
2036 #ifndef NO_MD5
md5_test(void)2037 WOLFSSL_TEST_SUBROUTINE int md5_test(void)
2038 {
2039     int ret = 0;
2040     wc_Md5 md5, md5Copy;
2041     byte hash[WC_MD5_DIGEST_SIZE];
2042     byte hashcopy[WC_MD5_DIGEST_SIZE];
2043     testVector a, b, c, d, e, f;
2044     testVector test_md5[6];
2045     int times = sizeof(test_md5) / sizeof(testVector), i;
2046 
2047     a.input  = "";
2048     a.output = "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42"
2049                "\x7e";
2050     a.inLen  = XSTRLEN(a.input);
2051     a.outLen = WC_MD5_DIGEST_SIZE;
2052 
2053     b.input  = "abc";
2054     b.output = "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f"
2055                "\x72";
2056     b.inLen  = XSTRLEN(b.input);
2057     b.outLen = WC_MD5_DIGEST_SIZE;
2058 
2059     c.input  = "message digest";
2060     c.output = "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d\x52\x5a\x2f\x31\xaa\xf1\x61"
2061                "\xd0";
2062     c.inLen  = XSTRLEN(c.input);
2063     c.outLen = WC_MD5_DIGEST_SIZE;
2064 
2065     d.input  = "abcdefghijklmnopqrstuvwxyz";
2066     d.output = "\xc3\xfc\xd3\xd7\x61\x92\xe4\x00\x7d\xfb\x49\x6c\xca\x67\xe1"
2067                "\x3b";
2068     d.inLen  = XSTRLEN(d.input);
2069     d.outLen = WC_MD5_DIGEST_SIZE;
2070 
2071     e.input  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345"
2072                "6789";
2073     e.output = "\xd1\x74\xab\x98\xd2\x77\xd9\xf5\xa5\x61\x1c\x2c\x9f\x41\x9d"
2074                "\x9f";
2075     e.inLen  = XSTRLEN(e.input);
2076     e.outLen = WC_MD5_DIGEST_SIZE;
2077 
2078     f.input  = "1234567890123456789012345678901234567890123456789012345678"
2079                "9012345678901234567890";
2080     f.output = "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55\xac\x49\xda\x2e\x21\x07\xb6"
2081                "\x7a";
2082     f.inLen  = XSTRLEN(f.input);
2083     f.outLen = WC_MD5_DIGEST_SIZE;
2084 
2085     test_md5[0] = a;
2086     test_md5[1] = b;
2087     test_md5[2] = c;
2088     test_md5[3] = d;
2089     test_md5[4] = e;
2090     test_md5[5] = f;
2091 
2092     ret = wc_InitMd5_ex(&md5, HEAP_HINT, devId);
2093     if (ret != 0)
2094         return -1600;
2095     ret = wc_InitMd5_ex(&md5Copy, HEAP_HINT, devId);
2096     if (ret != 0) {
2097         wc_Md5Free(&md5);
2098         return -1601;
2099     }
2100 
2101     for (i = 0; i < times; ++i) {
2102         ret = wc_Md5Update(&md5, (byte*)test_md5[i].input,
2103             (word32)test_md5[i].inLen);
2104         if (ret != 0)
2105             ERROR_OUT(-1602 - i, exit);
2106 
2107         ret = wc_Md5GetHash(&md5, hashcopy);
2108         if (ret != 0)
2109             ERROR_OUT(-1603 - i, exit);
2110 
2111         ret = wc_Md5Copy(&md5, &md5Copy);
2112         if (ret != 0)
2113             ERROR_OUT(-1604 - i, exit);
2114 
2115         ret = wc_Md5Final(&md5, hash);
2116         if (ret != 0)
2117             ERROR_OUT(-1605 - i, exit);
2118 
2119         wc_Md5Free(&md5Copy);
2120 
2121         if (XMEMCMP(hash, test_md5[i].output, WC_MD5_DIGEST_SIZE) != 0)
2122             ERROR_OUT(-1606 - i, exit);
2123 
2124         if (XMEMCMP(hash, hashcopy, WC_MD5_DIGEST_SIZE) != 0)
2125             ERROR_OUT(-1607 - i, exit);
2126     }
2127 
2128     /* BEGIN LARGE HASH TEST */ {
2129     byte large_input[1024];
2130     const char* large_digest =
2131         "\x44\xd0\x88\xce\xf1\x36\xd1\x78\xe9\xc8\xba\x84\xc3\xfd\xf6\xca";
2132 
2133     for (i = 0; i < (int)sizeof(large_input); i++) {
2134         large_input[i] = (byte)(i & 0xFF);
2135     }
2136     times = 100;
2137 #ifdef WOLFSSL_PIC32MZ_HASH
2138     wc_Md5SizeSet(&md5, times * sizeof(large_input));
2139 #endif
2140     for (i = 0; i < times; ++i) {
2141         ret = wc_Md5Update(&md5, (byte*)large_input,
2142             (word32)sizeof(large_input));
2143         if (ret != 0)
2144             ERROR_OUT(-1608, exit);
2145     }
2146     ret = wc_Md5Final(&md5, hash);
2147     if (ret != 0)
2148         ERROR_OUT(-1609, exit);
2149     if (XMEMCMP(hash, large_digest, WC_MD5_DIGEST_SIZE) != 0)
2150         ERROR_OUT(-1610, exit);
2151     } /* END LARGE HASH TEST */
2152 
2153 exit:
2154 
2155     wc_Md5Free(&md5);
2156     wc_Md5Free(&md5Copy);
2157 
2158     return ret;
2159 }
2160 #endif /* NO_MD5 */
2161 
2162 
2163 #ifndef NO_MD4
2164 
md4_test(void)2165 WOLFSSL_TEST_SUBROUTINE int md4_test(void)
2166 {
2167     Md4  md4;
2168     byte hash[MD4_DIGEST_SIZE];
2169 
2170     testVector a, b, c, d, e, f, g;
2171     testVector test_md4[7];
2172     int times = sizeof(test_md4) / sizeof(testVector), i;
2173 
2174     a.input  = "";
2175     a.output = "\x31\xd6\xcf\xe0\xd1\x6a\xe9\x31\xb7\x3c\x59\xd7\xe0\xc0\x89"
2176                "\xc0";
2177     a.inLen  = XSTRLEN(a.input);
2178     a.outLen = MD4_DIGEST_SIZE;
2179 
2180     b.input  = "a";
2181     b.output = "\xbd\xe5\x2c\xb3\x1d\xe3\x3e\x46\x24\x5e\x05\xfb\xdb\xd6\xfb"
2182                "\x24";
2183     b.inLen  = XSTRLEN(b.input);
2184     b.outLen = MD4_DIGEST_SIZE;
2185 
2186     c.input  = "abc";
2187     c.output = "\xa4\x48\x01\x7a\xaf\x21\xd8\x52\x5f\xc1\x0a\xe8\x7a\xa6\x72"
2188                "\x9d";
2189     c.inLen  = XSTRLEN(c.input);
2190     c.outLen = MD4_DIGEST_SIZE;
2191 
2192     d.input  = "message digest";
2193     d.output = "\xd9\x13\x0a\x81\x64\x54\x9f\xe8\x18\x87\x48\x06\xe1\xc7\x01"
2194                "\x4b";
2195     d.inLen  = XSTRLEN(d.input);
2196     d.outLen = MD4_DIGEST_SIZE;
2197 
2198     e.input  = "abcdefghijklmnopqrstuvwxyz";
2199     e.output = "\xd7\x9e\x1c\x30\x8a\xa5\xbb\xcd\xee\xa8\xed\x63\xdf\x41\x2d"
2200                "\xa9";
2201     e.inLen  = XSTRLEN(e.input);
2202     e.outLen = MD4_DIGEST_SIZE;
2203 
2204     f.input  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345"
2205                "6789";
2206     f.output = "\x04\x3f\x85\x82\xf2\x41\xdb\x35\x1c\xe6\x27\xe1\x53\xe7\xf0"
2207                "\xe4";
2208     f.inLen  = XSTRLEN(f.input);
2209     f.outLen = MD4_DIGEST_SIZE;
2210 
2211     g.input  = "1234567890123456789012345678901234567890123456789012345678"
2212                "9012345678901234567890";
2213     g.output = "\xe3\x3b\x4d\xdc\x9c\x38\xf2\x19\x9c\x3e\x7b\x16\x4f\xcc\x05"
2214                "\x36";
2215     g.inLen  = XSTRLEN(g.input);
2216     g.outLen = MD4_DIGEST_SIZE;
2217 
2218     test_md4[0] = a;
2219     test_md4[1] = b;
2220     test_md4[2] = c;
2221     test_md4[3] = d;
2222     test_md4[4] = e;
2223     test_md4[5] = f;
2224     test_md4[6] = g;
2225 
2226     wc_InitMd4(&md4);
2227 
2228     for (i = 0; i < times; ++i) {
2229         wc_Md4Update(&md4, (byte*)test_md4[i].input, (word32)test_md4[i].inLen);
2230         wc_Md4Final(&md4, hash);
2231 
2232         if (XMEMCMP(hash, test_md4[i].output, MD4_DIGEST_SIZE) != 0)
2233             return -1700 - i;
2234     }
2235 
2236     return 0;
2237 }
2238 
2239 #endif /* NO_MD4 */
2240 
2241 #ifndef NO_SHA
2242 
sha_test(void)2243 WOLFSSL_TEST_SUBROUTINE int sha_test(void)
2244 {
2245     int ret = 0;
2246     wc_Sha sha, shaCopy;
2247     byte hash[WC_SHA_DIGEST_SIZE];
2248     byte hashcopy[WC_SHA_DIGEST_SIZE];
2249     testVector a, b, c, d, e;
2250     testVector test_sha[5];
2251     int times = sizeof(test_sha) / sizeof(struct testVector), i;
2252 
2253     a.input  = "";
2254     a.output = "\xda\x39\xa3\xee\x5e\x6b\x4b\x0d\x32\x55\xbf\xef\x95\x60\x18"
2255                "\x90\xaf\xd8\x07\x09";
2256     a.inLen  = XSTRLEN(a.input);
2257     a.outLen = WC_SHA_DIGEST_SIZE;
2258 
2259     b.input  = "abc";
2260     b.output = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E\x25\x71\x78\x50\xC2"
2261                "\x6C\x9C\xD0\xD8\x9D";
2262     b.inLen  = XSTRLEN(b.input);
2263     b.outLen = WC_SHA_DIGEST_SIZE;
2264 
2265     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
2266     c.output = "\x84\x98\x3E\x44\x1C\x3B\xD2\x6E\xBA\xAE\x4A\xA1\xF9\x51\x29"
2267                "\xE5\xE5\x46\x70\xF1";
2268     c.inLen  = XSTRLEN(c.input);
2269     c.outLen = WC_SHA_DIGEST_SIZE;
2270 
2271     d.input  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
2272                "aaaaaa";
2273     d.output = "\x00\x98\xBA\x82\x4B\x5C\x16\x42\x7B\xD7\xA1\x12\x2A\x5A\x44"
2274                "\x2A\x25\xEC\x64\x4D";
2275     d.inLen  = XSTRLEN(d.input);
2276     d.outLen = WC_SHA_DIGEST_SIZE;
2277 
2278     e.input  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
2279                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
2280                "aaaaaaaaaa";
2281     e.output = "\xAD\x5B\x3F\xDB\xCB\x52\x67\x78\xC2\x83\x9D\x2F\x15\x1E\xA7"
2282                "\x53\x99\x5E\x26\xA0";
2283     e.inLen  = XSTRLEN(e.input);
2284     e.outLen = WC_SHA_DIGEST_SIZE;
2285 
2286     test_sha[0] = a;
2287     test_sha[1] = b;
2288     test_sha[2] = c;
2289     test_sha[3] = d;
2290     test_sha[4] = e;
2291 
2292     ret = wc_InitSha_ex(&sha, HEAP_HINT, devId);
2293     if (ret != 0)
2294         return -1800;
2295     ret = wc_InitSha_ex(&shaCopy, HEAP_HINT, devId);
2296     if (ret != 0) {
2297         wc_ShaFree(&sha);
2298         return -1801;
2299     }
2300 
2301     for (i = 0; i < times; ++i) {
2302         ret = wc_ShaUpdate(&sha, (byte*)test_sha[i].input,
2303             (word32)test_sha[i].inLen);
2304         if (ret != 0)
2305             ERROR_OUT(-1802 - i, exit);
2306         ret = wc_ShaGetHash(&sha, hashcopy);
2307         if (ret != 0)
2308             ERROR_OUT(-1803 - i, exit);
2309         ret = wc_ShaCopy(&sha, &shaCopy);
2310         if (ret != 0)
2311             ERROR_OUT(-1804 - i, exit);
2312         ret = wc_ShaFinal(&sha, hash);
2313         if (ret != 0)
2314             ERROR_OUT(-1805 - i, exit);
2315         wc_ShaFree(&shaCopy);
2316 
2317         if (XMEMCMP(hash, test_sha[i].output, WC_SHA_DIGEST_SIZE) != 0)
2318             ERROR_OUT(-1806 - i, exit);
2319         if (XMEMCMP(hash, hashcopy, WC_SHA_DIGEST_SIZE) != 0)
2320             ERROR_OUT(-1807 - i, exit);
2321     }
2322 
2323     /* BEGIN LARGE HASH TEST */ {
2324     byte large_input[1024];
2325 #if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT)
2326     const char* large_digest =
2327             "\x1d\x6a\x5a\xf6\xe5\x7c\x86\xce\x7f\x7c\xaf\xd5\xdb\x08\xcd\x59"
2328             "\x15\x8c\x6d\xb6";
2329 #else
2330     const char* large_digest =
2331            "\x8b\x77\x02\x48\x39\xe8\xdb\xd3\x9a\xf4\x05\x24\x66\x12\x2d\x9e"
2332            "\xc5\xd9\x0a\xac";
2333 #endif
2334     for (i = 0; i < (int)sizeof(large_input); i++) {
2335         large_input[i] = (byte)(i & 0xFF);
2336     }
2337 #if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT)
2338     times = 20;
2339 #else
2340     times = 100;
2341 #endif
2342 #ifdef WOLFSSL_PIC32MZ_HASH
2343     wc_ShaSizeSet(&sha, times * sizeof(large_input));
2344 #endif
2345     for (i = 0; i < times; ++i) {
2346         ret = wc_ShaUpdate(&sha, (byte*)large_input,
2347             (word32)sizeof(large_input));
2348         if (ret != 0)
2349             ERROR_OUT(-1808, exit);
2350     }
2351     ret = wc_ShaFinal(&sha, hash);
2352     if (ret != 0)
2353         ERROR_OUT(-1809, exit);
2354     if (XMEMCMP(hash, large_digest, WC_SHA_DIGEST_SIZE) != 0)
2355         ERROR_OUT(-1810, exit);
2356     } /* END LARGE HASH TEST */
2357 
2358 exit:
2359 
2360     wc_ShaFree(&sha);
2361     wc_ShaFree(&shaCopy);
2362 
2363     return ret;
2364 }
2365 
2366 #endif /* NO_SHA */
2367 
2368 #ifdef WOLFSSL_RIPEMD
ripemd_test(void)2369 WOLFSSL_TEST_SUBROUTINE int ripemd_test(void)
2370 {
2371     RipeMd  ripemd;
2372     int ret;
2373     byte hash[RIPEMD_DIGEST_SIZE];
2374 
2375     testVector a, b, c, d;
2376     testVector test_ripemd[4];
2377     int times = sizeof(test_ripemd) / sizeof(struct testVector), i;
2378 
2379     a.input  = "abc";
2380     a.output = "\x8e\xb2\x08\xf7\xe0\x5d\x98\x7a\x9b\x04\x4a\x8e\x98\xc6"
2381                "\xb0\x87\xf1\x5a\x0b\xfc";
2382     a.inLen  = XSTRLEN(a.input);
2383     a.outLen = RIPEMD_DIGEST_SIZE;
2384 
2385     b.input  = "message digest";
2386     b.output = "\x5d\x06\x89\xef\x49\xd2\xfa\xe5\x72\xb8\x81\xb1\x23\xa8"
2387                "\x5f\xfa\x21\x59\x5f\x36";
2388     b.inLen  = XSTRLEN(b.input);
2389     b.outLen = RIPEMD_DIGEST_SIZE;
2390 
2391     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
2392     c.output = "\x12\xa0\x53\x38\x4a\x9c\x0c\x88\xe4\x05\xa0\x6c\x27\xdc"
2393                "\xf4\x9a\xda\x62\xeb\x2b";
2394     c.inLen  = XSTRLEN(c.input);
2395     c.outLen = RIPEMD_DIGEST_SIZE;
2396 
2397     d.input  = "12345678901234567890123456789012345678901234567890123456"
2398                "789012345678901234567890";
2399     d.output = "\x9b\x75\x2e\x45\x57\x3d\x4b\x39\xf4\xdb\xd3\x32\x3c\xab"
2400                "\x82\xbf\x63\x32\x6b\xfb";
2401     d.inLen  = XSTRLEN(d.input);
2402     d.outLen = RIPEMD_DIGEST_SIZE;
2403 
2404     test_ripemd[0] = a;
2405     test_ripemd[1] = b;
2406     test_ripemd[2] = c;
2407     test_ripemd[3] = d;
2408 
2409     ret = wc_InitRipeMd(&ripemd);
2410     if (ret != 0) {
2411         return -1900;
2412     }
2413 
2414     for (i = 0; i < times; ++i) {
2415         ret = wc_RipeMdUpdate(&ripemd, (byte*)test_ripemd[i].input,
2416                               (word32)test_ripemd[i].inLen);
2417         if (ret != 0) {
2418             return -1901 - i;
2419         }
2420 
2421         ret = wc_RipeMdFinal(&ripemd, hash);
2422         if (ret != 0) {
2423             return -1911 - i;
2424         }
2425 
2426         if (XMEMCMP(hash, test_ripemd[i].output, RIPEMD_DIGEST_SIZE) != 0)
2427             return -1921 - i;
2428     }
2429 
2430     return 0;
2431 }
2432 #endif /* WOLFSSL_RIPEMD */
2433 
2434 
2435 #ifdef HAVE_BLAKE2
2436 
2437 
2438 #define BLAKE2B_TESTS 3
2439 
2440 static const byte blake2b_vec[BLAKE2B_TESTS][BLAKE2B_OUTBYTES] =
2441 {
2442   {
2443     0x78, 0x6A, 0x02, 0xF7, 0x42, 0x01, 0x59, 0x03,
2444     0xC6, 0xC6, 0xFD, 0x85, 0x25, 0x52, 0xD2, 0x72,
2445     0x91, 0x2F, 0x47, 0x40, 0xE1, 0x58, 0x47, 0x61,
2446     0x8A, 0x86, 0xE2, 0x17, 0xF7, 0x1F, 0x54, 0x19,
2447     0xD2, 0x5E, 0x10, 0x31, 0xAF, 0xEE, 0x58, 0x53,
2448     0x13, 0x89, 0x64, 0x44, 0x93, 0x4E, 0xB0, 0x4B,
2449     0x90, 0x3A, 0x68, 0x5B, 0x14, 0x48, 0xB7, 0x55,
2450     0xD5, 0x6F, 0x70, 0x1A, 0xFE, 0x9B, 0xE2, 0xCE
2451   },
2452   {
2453     0x2F, 0xA3, 0xF6, 0x86, 0xDF, 0x87, 0x69, 0x95,
2454     0x16, 0x7E, 0x7C, 0x2E, 0x5D, 0x74, 0xC4, 0xC7,
2455     0xB6, 0xE4, 0x8F, 0x80, 0x68, 0xFE, 0x0E, 0x44,
2456     0x20, 0x83, 0x44, 0xD4, 0x80, 0xF7, 0x90, 0x4C,
2457     0x36, 0x96, 0x3E, 0x44, 0x11, 0x5F, 0xE3, 0xEB,
2458     0x2A, 0x3A, 0xC8, 0x69, 0x4C, 0x28, 0xBC, 0xB4,
2459     0xF5, 0xA0, 0xF3, 0x27, 0x6F, 0x2E, 0x79, 0x48,
2460     0x7D, 0x82, 0x19, 0x05, 0x7A, 0x50, 0x6E, 0x4B
2461   },
2462   {
2463     0x1C, 0x08, 0x79, 0x8D, 0xC6, 0x41, 0xAB, 0xA9,
2464     0xDE, 0xE4, 0x35, 0xE2, 0x25, 0x19, 0xA4, 0x72,
2465     0x9A, 0x09, 0xB2, 0xBF, 0xE0, 0xFF, 0x00, 0xEF,
2466     0x2D, 0xCD, 0x8E, 0xD6, 0xF8, 0xA0, 0x7D, 0x15,
2467     0xEA, 0xF4, 0xAE, 0xE5, 0x2B, 0xBF, 0x18, 0xAB,
2468     0x56, 0x08, 0xA6, 0x19, 0x0F, 0x70, 0xB9, 0x04,
2469     0x86, 0xC8, 0xA7, 0xD4, 0x87, 0x37, 0x10, 0xB1,
2470     0x11, 0x5D, 0x3D, 0xEB, 0xBB, 0x43, 0x27, 0xB5
2471   }
2472 };
2473 
2474 
2475 
blake2b_test(void)2476 WOLFSSL_TEST_SUBROUTINE int blake2b_test(void)
2477 {
2478     Blake2b b2b;
2479     byte    digest[64];
2480     byte    input[64];
2481     int     i, ret;
2482 
2483     for (i = 0; i < (int)sizeof(input); i++)
2484         input[i] = (byte)i;
2485 
2486     for (i = 0; i < BLAKE2B_TESTS; i++) {
2487         ret = wc_InitBlake2b(&b2b, 64);
2488         if (ret != 0)
2489             return -2000 - i;
2490 
2491         ret = wc_Blake2bUpdate(&b2b, input, i);
2492         if (ret != 0)
2493             return -2010 - 1;
2494 
2495         ret = wc_Blake2bFinal(&b2b, digest, 64);
2496         if (ret != 0)
2497             return -2020 - i;
2498 
2499         if (XMEMCMP(digest, blake2b_vec[i], 64) != 0) {
2500             return -2030 - i;
2501         }
2502     }
2503 
2504     return 0;
2505 }
2506 #endif /* HAVE_BLAKE2 */
2507 
2508 #ifdef HAVE_BLAKE2S
2509 
2510 
2511 #define BLAKE2S_TESTS 3
2512 
2513 static const byte blake2s_vec[BLAKE2S_TESTS][BLAKE2S_OUTBYTES] =
2514 {
2515   {
2516     0x69, 0x21, 0x7a, 0x30, 0x79, 0x90, 0x80, 0x94,
2517     0xe1, 0x11, 0x21, 0xd0, 0x42, 0x35, 0x4a, 0x7c,
2518     0x1f, 0x55, 0xb6, 0x48, 0x2c, 0xa1, 0xa5, 0x1e,
2519     0x1b, 0x25, 0x0d, 0xfd, 0x1e, 0xd0, 0xee, 0xf9,
2520   },
2521   {
2522     0xe3, 0x4d, 0x74, 0xdb, 0xaf, 0x4f, 0xf4, 0xc6,
2523     0xab, 0xd8, 0x71, 0xcc, 0x22, 0x04, 0x51, 0xd2,
2524     0xea, 0x26, 0x48, 0x84, 0x6c, 0x77, 0x57, 0xfb,
2525     0xaa, 0xc8, 0x2f, 0xe5, 0x1a, 0xd6, 0x4b, 0xea,
2526   },
2527   {
2528     0xdd, 0xad, 0x9a, 0xb1, 0x5d, 0xac, 0x45, 0x49,
2529     0xba, 0x42, 0xf4, 0x9d, 0x26, 0x24, 0x96, 0xbe,
2530     0xf6, 0xc0, 0xba, 0xe1, 0xdd, 0x34, 0x2a, 0x88,
2531     0x08, 0xf8, 0xea, 0x26, 0x7c, 0x6e, 0x21, 0x0c,
2532   }
2533 };
2534 
2535 
2536 
blake2s_test(void)2537 WOLFSSL_TEST_SUBROUTINE int blake2s_test(void)
2538 {
2539     Blake2s b2s;
2540     byte    digest[32];
2541     byte    input[64];
2542     int     i, ret;
2543 
2544     for (i = 0; i < (int)sizeof(input); i++)
2545         input[i] = (byte)i;
2546 
2547     for (i = 0; i < BLAKE2S_TESTS; i++) {
2548         ret = wc_InitBlake2s(&b2s, 32);
2549         if (ret != 0)
2550             return -2100 - i;
2551 
2552         ret = wc_Blake2sUpdate(&b2s, input, i);
2553         if (ret != 0)
2554             return -2110 - 1;
2555 
2556         ret = wc_Blake2sFinal(&b2s, digest, 32);
2557         if (ret != 0)
2558             return -2120 - i;
2559 
2560         if (XMEMCMP(digest, blake2s_vec[i], 32) != 0) {
2561             return -2130 - i;
2562         }
2563     }
2564 
2565     return 0;
2566 }
2567 #endif /* HAVE_BLAKE2S */
2568 
2569 
2570 #ifdef WOLFSSL_SHA224
sha224_test(void)2571 WOLFSSL_TEST_SUBROUTINE int sha224_test(void)
2572 {
2573     wc_Sha224 sha, shaCopy;
2574     byte      hash[WC_SHA224_DIGEST_SIZE];
2575     byte      hashcopy[WC_SHA224_DIGEST_SIZE];
2576     int       ret = 0;
2577 
2578     testVector a, b, c;
2579     testVector test_sha[3];
2580     int times = sizeof(test_sha) / sizeof(struct testVector), i;
2581 
2582     a.input  = "";
2583     a.output = "\xd1\x4a\x02\x8c\x2a\x3a\x2b\xc9\x47\x61\x02\xbb\x28\x82\x34"
2584                "\xc4\x15\xa2\xb0\x1f\x82\x8e\xa6\x2a\xc5\xb3\xe4\x2f";
2585     a.inLen  = XSTRLEN(a.input);
2586     a.outLen = WC_SHA224_DIGEST_SIZE;
2587 
2588     b.input  = "abc";
2589     b.output = "\x23\x09\x7d\x22\x34\x05\xd8\x22\x86\x42\xa4\x77\xbd\xa2\x55"
2590                "\xb3\x2a\xad\xbc\xe4\xbd\xa0\xb3\xf7\xe3\x6c\x9d\xa7";
2591     b.inLen  = XSTRLEN(b.input);
2592     b.outLen = WC_SHA224_DIGEST_SIZE;
2593 
2594     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
2595     c.output = "\x75\x38\x8b\x16\x51\x27\x76\xcc\x5d\xba\x5d\xa1\xfd\x89\x01"
2596                "\x50\xb0\xc6\x45\x5c\xb4\xf5\x8b\x19\x52\x52\x25\x25";
2597     c.inLen  = XSTRLEN(c.input);
2598     c.outLen = WC_SHA224_DIGEST_SIZE;
2599 
2600     test_sha[0] = a;
2601     test_sha[1] = b;
2602     test_sha[2] = c;
2603 
2604     ret = wc_InitSha224_ex(&sha, HEAP_HINT, devId);
2605     if (ret != 0)
2606         return -2200;
2607     ret = wc_InitSha224_ex(&shaCopy, HEAP_HINT, devId);
2608     if (ret != 0) {
2609         wc_Sha224Free(&sha);
2610         return -2201;
2611     }
2612 
2613     for (i = 0; i < times; ++i) {
2614         ret = wc_Sha224Update(&sha, (byte*)test_sha[i].input,
2615             (word32)test_sha[i].inLen);
2616         if (ret != 0)
2617             ERROR_OUT(-2202 - i, exit);
2618         ret = wc_Sha224GetHash(&sha, hashcopy);
2619         if (ret != 0)
2620             ERROR_OUT(-2203 - i, exit);
2621         ret = wc_Sha224Copy(&sha, &shaCopy);
2622         if (ret != 0)
2623             ERROR_OUT(-2204 - i, exit);
2624         ret = wc_Sha224Final(&sha, hash);
2625         if (ret != 0)
2626             ERROR_OUT(-2205 - i, exit);
2627         wc_Sha224Free(&shaCopy);
2628 
2629         if (XMEMCMP(hash, test_sha[i].output, WC_SHA224_DIGEST_SIZE) != 0)
2630             ERROR_OUT(-2206 - i, exit);
2631         if (XMEMCMP(hash, hashcopy, WC_SHA224_DIGEST_SIZE) != 0)
2632             ERROR_OUT(-2207 - i, exit);
2633     }
2634 
2635 exit:
2636     wc_Sha224Free(&sha);
2637     wc_Sha224Free(&shaCopy);
2638 
2639     return ret;
2640 }
2641 #endif
2642 
2643 
2644 #ifndef NO_SHA256
sha256_test(void)2645 WOLFSSL_TEST_SUBROUTINE int sha256_test(void)
2646 {
2647     wc_Sha256 sha, shaCopy;
2648     byte      hash[WC_SHA256_DIGEST_SIZE];
2649     byte      hashcopy[WC_SHA256_DIGEST_SIZE];
2650     int       ret = 0;
2651 
2652     testVector a, b, c;
2653     testVector test_sha[3];
2654     int times = sizeof(test_sha) / sizeof(struct testVector), i;
2655 
2656     a.input  = "";
2657     a.output = "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9"
2658                "\x24\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52"
2659                "\xb8\x55";
2660     a.inLen  = XSTRLEN(a.input);
2661     a.outLen = WC_SHA256_DIGEST_SIZE;
2662 
2663     b.input  = "abc";
2664     b.output = "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22"
2665                "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00"
2666                "\x15\xAD";
2667     b.inLen  = XSTRLEN(b.input);
2668     b.outLen = WC_SHA256_DIGEST_SIZE;
2669 
2670     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
2671     c.output = "\x24\x8D\x6A\x61\xD2\x06\x38\xB8\xE5\xC0\x26\x93\x0C\x3E\x60"
2672                "\x39\xA3\x3C\xE4\x59\x64\xFF\x21\x67\xF6\xEC\xED\xD4\x19\xDB"
2673                "\x06\xC1";
2674     c.inLen  = XSTRLEN(c.input);
2675     c.outLen = WC_SHA256_DIGEST_SIZE;
2676 
2677     test_sha[0] = a;
2678     test_sha[1] = b;
2679     test_sha[2] = c;
2680 
2681     ret = wc_InitSha256_ex(&sha, HEAP_HINT, devId);
2682     if (ret != 0)
2683         return -2300;
2684     ret = wc_InitSha256_ex(&shaCopy, HEAP_HINT, devId);
2685     if (ret != 0) {
2686         wc_Sha256Free(&sha);
2687         return -2301;
2688     }
2689 
2690     for (i = 0; i < times; ++i) {
2691         ret = wc_Sha256Update(&sha, (byte*)test_sha[i].input,
2692             (word32)test_sha[i].inLen);
2693         if (ret != 0) {
2694             ERROR_OUT(-2302 - i, exit);
2695         }
2696         ret = wc_Sha256GetHash(&sha, hashcopy);
2697         if (ret != 0)
2698             ERROR_OUT(-2303 - i, exit);
2699         ret = wc_Sha256Copy(&sha, &shaCopy);
2700         if (ret != 0)
2701             ERROR_OUT(-2304 - i, exit);
2702         ret = wc_Sha256Final(&sha, hash);
2703         if (ret != 0)
2704             ERROR_OUT(-2305 - i, exit);
2705         wc_Sha256Free(&shaCopy);
2706 
2707         if (XMEMCMP(hash, test_sha[i].output, WC_SHA256_DIGEST_SIZE) != 0)
2708             ERROR_OUT(-2306 - i, exit);
2709         if (XMEMCMP(hash, hashcopy, WC_SHA256_DIGEST_SIZE) != 0)
2710             ERROR_OUT(-2307 - i, exit);
2711     }
2712 
2713     /* BEGIN LARGE HASH TEST */ {
2714     byte large_input[1024];
2715 #if defined(WOLFSSL_RENESAS_TSIP_CRYPT) || defined(WOLFSSL_RENESAS_SCEPROTECT)
2716     const char* large_digest =
2717             "\xa4\x75\x9e\x7a\xa2\x03\x38\x32\x88\x66\xa2\xea\x17\xea\xf8\xc7"
2718             "\xfe\x4e\xc6\xbb\xe3\xbb\x71\xce\xe7\xdf\x7c\x04\x61\xb3\xc2\x2f";
2719 #else
2720     const char* large_digest =
2721            "\x27\x78\x3e\x87\x96\x3a\x4e\xfb\x68\x29\xb5\x31\xc9\xba\x57\xb4"
2722            "\x4f\x45\x79\x7f\x67\x70\xbd\x63\x7f\xbf\x0d\x80\x7c\xbd\xba\xe0";
2723 #endif
2724     for (i = 0; i < (int)sizeof(large_input); i++) {
2725         large_input[i] = (byte)(i & 0xFF);
2726     }
2727 #if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT)
2728     times = 20;
2729 #else
2730     times = 100;
2731 #endif
2732 #ifdef WOLFSSL_PIC32MZ_HASH
2733     wc_Sha256SizeSet(&sha, times * sizeof(large_input));
2734 #endif
2735     for (i = 0; i < times; ++i) {
2736         ret = wc_Sha256Update(&sha, (byte*)large_input,
2737             (word32)sizeof(large_input));
2738         if (ret != 0)
2739             ERROR_OUT(-2308, exit);
2740     }
2741     ret = wc_Sha256Final(&sha, hash);
2742     if (ret != 0)
2743         ERROR_OUT(-2309, exit);
2744     if (XMEMCMP(hash, large_digest, WC_SHA256_DIGEST_SIZE) != 0)
2745         ERROR_OUT(-2310, exit);
2746     } /* END LARGE HASH TEST */
2747 
2748 exit:
2749 
2750     wc_Sha256Free(&sha);
2751     wc_Sha256Free(&shaCopy);
2752 
2753     return ret;
2754 }
2755 #endif
2756 
2757 
2758 #ifdef WOLFSSL_SHA512
sha512_test(void)2759 WOLFSSL_TEST_SUBROUTINE int sha512_test(void)
2760 {
2761     wc_Sha512 sha, shaCopy;
2762     byte      hash[WC_SHA512_DIGEST_SIZE];
2763     byte      hashcopy[WC_SHA512_DIGEST_SIZE];
2764     int       ret = 0;
2765 
2766     testVector a, b, c;
2767     testVector test_sha[3];
2768     int times = sizeof(test_sha) / sizeof(struct testVector), i;
2769 
2770     a.input  = "";
2771     a.output = "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80"
2772                "\x07\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c"
2773                "\xe9\xce\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87"
2774                "\x7e\xec\x2f\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a"
2775                "\xf9\x27\xda\x3e";
2776     a.inLen  = XSTRLEN(a.input);
2777     a.outLen = WC_SHA512_DIGEST_SIZE;
2778 
2779     b.input  = "abc";
2780     b.output = "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41"
2781                "\x31\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55"
2782                "\xd3\x9a\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3"
2783                "\xfe\xeb\xbd\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f"
2784                "\xa5\x4c\xa4\x9f";
2785     b.inLen  = XSTRLEN(b.input);
2786     b.outLen = WC_SHA512_DIGEST_SIZE;
2787 
2788     c.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
2789                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
2790     c.output = "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14"
2791                "\x3f\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88"
2792                "\x90\x18\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4"
2793                "\xb5\x43\x3a\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b"
2794                "\x87\x4b\xe9\x09";
2795     c.inLen  = XSTRLEN(c.input);
2796     c.outLen = WC_SHA512_DIGEST_SIZE;
2797 
2798     test_sha[0] = a;
2799     test_sha[1] = b;
2800     test_sha[2] = c;
2801 
2802     ret = wc_InitSha512_ex(&sha, HEAP_HINT, devId);
2803     if (ret != 0)
2804         return -2400;
2805     ret = wc_InitSha512_ex(&shaCopy, HEAP_HINT, devId);
2806     if (ret != 0) {
2807         wc_Sha512Free(&sha);
2808         return -2401;
2809     }
2810 
2811     for (i = 0; i < times; ++i) {
2812         ret = wc_Sha512Update(&sha, (byte*)test_sha[i].input,
2813             (word32)test_sha[i].inLen);
2814         if (ret != 0)
2815             ERROR_OUT(-2402 - i, exit);
2816         ret = wc_Sha512GetHash(&sha, hashcopy);
2817         if (ret != 0)
2818             ERROR_OUT(-2403 - i, exit);
2819         ret = wc_Sha512Copy(&sha, &shaCopy);
2820         if (ret != 0)
2821             ERROR_OUT(-2404 - i, exit);
2822         ret = wc_Sha512Final(&sha, hash);
2823         if (ret != 0)
2824             ERROR_OUT(-2405 - i, exit);
2825         wc_Sha512Free(&shaCopy);
2826 
2827         if (XMEMCMP(hash, test_sha[i].output, WC_SHA512_DIGEST_SIZE) != 0)
2828             ERROR_OUT(-2406 - i, exit);
2829         if (XMEMCMP(hash, hashcopy, WC_SHA512_DIGEST_SIZE) != 0)
2830             ERROR_OUT(-2407 - i, exit);
2831     }
2832 
2833     /* BEGIN LARGE HASH TEST */ {
2834     byte large_input[1024];
2835     const char* large_digest =
2836         "\x5a\x1f\x73\x90\xbd\x8c\xe4\x63\x54\xce\xa0\x9b\xef\x32\x78\x2d"
2837         "\x2e\xe7\x0d\x5e\x2f\x9d\x15\x1b\xdd\x2d\xde\x65\x0c\x7b\xfa\x83"
2838         "\x5e\x80\x02\x13\x84\xb8\x3f\xff\x71\x62\xb5\x09\x89\x63\xe1\xdc"
2839         "\xa5\xdc\xfc\xfa\x9d\x1a\x4d\xc0\xfa\x3a\x14\xf6\x01\x51\x90\xa4";
2840 
2841     for (i = 0; i < (int)sizeof(large_input); i++) {
2842         large_input[i] = (byte)(i & 0xFF);
2843     }
2844     times = 100;
2845     for (i = 0; i < times; ++i) {
2846         ret = wc_Sha512Update(&sha, (byte*)large_input,
2847             (word32)sizeof(large_input));
2848         if (ret != 0)
2849             ERROR_OUT(-2408, exit);
2850     }
2851     ret = wc_Sha512Final(&sha, hash);
2852     if (ret != 0)
2853         ERROR_OUT(-2409, exit);
2854     if (XMEMCMP(hash, large_digest, WC_SHA512_DIGEST_SIZE) != 0)
2855         ERROR_OUT(-2410, exit);
2856 
2857     /* Unaligned memory access test */
2858     for (i = 1; i < 16; i++) {
2859         ret = wc_Sha512Update(&sha, (byte*)large_input + i,
2860             (word32)sizeof(large_input) - i);
2861         if (ret != 0)
2862             ERROR_OUT(-2411, exit);
2863         ret = wc_Sha512Final(&sha, hash);
2864     }
2865     } /* END LARGE HASH TEST */
2866 
2867 exit:
2868     wc_Sha512Free(&sha);
2869     wc_Sha512Free(&shaCopy);
2870 
2871     return ret;
2872 }
2873 #endif
2874 
2875 
2876 #ifdef WOLFSSL_SHA384
sha384_test(void)2877 WOLFSSL_TEST_SUBROUTINE int sha384_test(void)
2878 {
2879     wc_Sha384 sha, shaCopy;
2880     byte      hash[WC_SHA384_DIGEST_SIZE];
2881     byte      hashcopy[WC_SHA384_DIGEST_SIZE];
2882     int       ret = 0;
2883 
2884     testVector a, b, c;
2885     testVector test_sha[3];
2886     int times = sizeof(test_sha) / sizeof(struct testVector), i;
2887 
2888     a.input  = "";
2889 
2890     a.output = "\x38\xb0\x60\xa7\x51\xac\x96\x38\x4c\xd9\x32\x7e\xb1\xb1\xe3"
2891                "\x6a\x21\xfd\xb7\x11\x14\xbe\x07\x43\x4c\x0c\xc7\xbf\x63\xf6"
2892                "\xe1\xda\x27\x4e\xde\xbf\xe7\x6f\x65\xfb\xd5\x1a\xd2\xf1\x48"
2893                "\x98\xb9\x5b";
2894     a.inLen  = XSTRLEN(a.input);
2895     a.outLen = WC_SHA384_DIGEST_SIZE;
2896 
2897     b.input  = "abc";
2898     b.output = "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50"
2899                "\x07\x27\x2c\x32\xab\x0e\xde\xd1\x63\x1a\x8b\x60\x5a\x43\xff"
2900                "\x5b\xed\x80\x86\x07\x2b\xa1\xe7\xcc\x23\x58\xba\xec\xa1\x34"
2901                "\xc8\x25\xa7";
2902     b.inLen  = XSTRLEN(b.input);
2903     b.outLen = WC_SHA384_DIGEST_SIZE;
2904 
2905     c.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
2906                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
2907     c.output = "\x09\x33\x0c\x33\xf7\x11\x47\xe8\x3d\x19\x2f\xc7\x82\xcd\x1b"
2908                "\x47\x53\x11\x1b\x17\x3b\x3b\x05\xd2\x2f\xa0\x80\x86\xe3\xb0"
2909                "\xf7\x12\xfc\xc7\xc7\x1a\x55\x7e\x2d\xb9\x66\xc3\xe9\xfa\x91"
2910                "\x74\x60\x39";
2911     c.inLen  = XSTRLEN(c.input);
2912     c.outLen = WC_SHA384_DIGEST_SIZE;
2913 
2914     test_sha[0] = a;
2915     test_sha[1] = b;
2916     test_sha[2] = c;
2917 
2918     ret = wc_InitSha384_ex(&sha, HEAP_HINT, devId);
2919     if (ret != 0)
2920         return -2500;
2921     ret = wc_InitSha384_ex(&shaCopy, HEAP_HINT, devId);
2922     if (ret != 0) {
2923         wc_Sha384Free(&sha);
2924         return -2501;
2925     }
2926 
2927     for (i = 0; i < times; ++i) {
2928         ret = wc_Sha384Update(&sha, (byte*)test_sha[i].input,
2929             (word32)test_sha[i].inLen);
2930         if (ret != 0)
2931             ERROR_OUT(-2502 - i, exit);
2932         ret = wc_Sha384GetHash(&sha, hashcopy);
2933         if (ret != 0)
2934             ERROR_OUT(-2503 - i, exit);
2935         ret = wc_Sha384Copy(&sha, &shaCopy);
2936         if (ret != 0)
2937             ERROR_OUT(-2504 - i, exit);
2938         ret = wc_Sha384Final(&sha, hash);
2939         if (ret != 0)
2940             ERROR_OUT(-2505 - i, exit);
2941         wc_Sha384Free(&shaCopy);
2942 
2943         if (XMEMCMP(hash, test_sha[i].output, WC_SHA384_DIGEST_SIZE) != 0)
2944             ERROR_OUT(-2506 - i, exit);
2945         if (XMEMCMP(hash, hashcopy, WC_SHA384_DIGEST_SIZE) != 0)
2946             ERROR_OUT(-2507 - i, exit);
2947     }
2948 
2949     /* BEGIN LARGE HASH TEST */ {
2950     byte large_input[1024];
2951     const char* large_digest =
2952         "\x37\x01\xdb\xff\x1e\x40\x4f\xe1\xe2\xea\x0b\x40\xbb\x3b\x39\x9a"
2953         "\xcc\xe8\x44\x8e\x7e\xe5\x64\xb5\x6b\x7f\x56\x64\xa7\x2b\x84\xe3"
2954         "\xc5\xd7\x79\x03\x25\x90\xf7\xa4\x58\xcb\x97\xa8\x8b\xb1\xa4\x81";
2955 
2956     for (i = 0; i < (int)sizeof(large_input); i++) {
2957         large_input[i] = (byte)(i & 0xFF);
2958     }
2959     times = 100;
2960     for (i = 0; i < times; ++i) {
2961         ret = wc_Sha384Update(&sha, (byte*)large_input,
2962             (word32)sizeof(large_input));
2963         if (ret != 0)
2964             ERROR_OUT(-2508, exit);
2965     }
2966     ret = wc_Sha384Final(&sha, hash);
2967     if (ret != 0)
2968         ERROR_OUT(-2509, exit);
2969     if (XMEMCMP(hash, large_digest, WC_SHA384_DIGEST_SIZE) != 0)
2970         ERROR_OUT(-2510, exit);
2971     } /* END LARGE HASH TEST */
2972 
2973 exit:
2974 
2975     wc_Sha384Free(&sha);
2976     wc_Sha384Free(&shaCopy);
2977 
2978     return ret;
2979 }
2980 #endif /* WOLFSSL_SHA384 */
2981 
2982 #ifdef WOLFSSL_SHA3
2983 #ifndef WOLFSSL_NOSHA3_224
sha3_224_test(void)2984 static int sha3_224_test(void)
2985 {
2986     wc_Sha3  sha;
2987     byte  hash[WC_SHA3_224_DIGEST_SIZE];
2988     byte  hashcopy[WC_SHA3_224_DIGEST_SIZE];
2989 
2990     testVector a, b, c;
2991     testVector test_sha[3];
2992     int ret = 0;
2993     int times = sizeof(test_sha) / sizeof(struct testVector), i;
2994 
2995     a.input  = "";
2996     a.output = "\x6b\x4e\x03\x42\x36\x67\xdb\xb7\x3b\x6e\x15\x45\x4f\x0e\xb1"
2997                "\xab\xd4\x59\x7f\x9a\x1b\x07\x8e\x3f\x5b\x5a\x6b\xc7";
2998     a.inLen  = XSTRLEN(a.input);
2999     a.outLen = WC_SHA3_224_DIGEST_SIZE;
3000 
3001     b.input  = "abc";
3002     b.output = "\xe6\x42\x82\x4c\x3f\x8c\xf2\x4a\xd0\x92\x34\xee\x7d\x3c\x76"
3003                "\x6f\xc9\xa3\xa5\x16\x8d\x0c\x94\xad\x73\xb4\x6f\xdf";
3004     b.inLen  = XSTRLEN(b.input);
3005     b.outLen = WC_SHA3_224_DIGEST_SIZE;
3006 
3007     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
3008     c.output = "\x8a\x24\x10\x8b\x15\x4a\xda\x21\xc9\xfd\x55\x74\x49\x44\x79"
3009                "\xba\x5c\x7e\x7a\xb7\x6e\xf2\x64\xea\xd0\xfc\xce\x33";
3010     c.inLen  = XSTRLEN(c.input);
3011     c.outLen = WC_SHA3_224_DIGEST_SIZE;
3012 
3013     test_sha[0] = a;
3014     test_sha[1] = b;
3015     test_sha[2] = c;
3016 
3017     ret = wc_InitSha3_224(&sha, HEAP_HINT, devId);
3018     if (ret != 0)
3019         return -2600;
3020 
3021     for (i = 0; i < times; ++i) {
3022         ret = wc_Sha3_224_Update(&sha, (byte*)test_sha[i].input,
3023             (word32)test_sha[i].inLen);
3024         if (ret != 0)
3025             ERROR_OUT(-2601 - i, exit);
3026         ret = wc_Sha3_224_GetHash(&sha, hashcopy);
3027         if (ret != 0)
3028             ERROR_OUT(-2602 - i, exit);
3029         ret = wc_Sha3_224_Final(&sha, hash);
3030         if (ret != 0)
3031             ERROR_OUT(-2603 - i, exit);
3032 
3033         if (XMEMCMP(hash, test_sha[i].output, WC_SHA3_224_DIGEST_SIZE) != 0)
3034             ERROR_OUT(-2604 - i, exit);
3035         if (XMEMCMP(hash, hashcopy, WC_SHA3_224_DIGEST_SIZE) != 0)
3036             ERROR_OUT(-2605 - i, exit);
3037     }
3038 
3039     /* BEGIN LARGE HASH TEST */ {
3040     byte large_input[1024];
3041     const char* large_digest =
3042         "\x13\xe5\xd3\x98\x7b\x94\xda\x41\x12\xc7\x1e\x92\x3a\x19"
3043         "\x21\x20\x86\x6f\x24\xbf\x0a\x31\xbc\xfd\xd6\x70\x36\xf3";
3044 
3045     for (i = 0; i < (int)sizeof(large_input); i++) {
3046         large_input[i] = (byte)(i & 0xFF);
3047     }
3048     times = 100;
3049     for (i = 0; i < times; ++i) {
3050         ret = wc_Sha3_224_Update(&sha, (byte*)large_input,
3051             (word32)sizeof(large_input));
3052         if (ret != 0)
3053             ERROR_OUT(-2606, exit);
3054     }
3055     ret = wc_Sha3_224_Final(&sha, hash);
3056     if (ret != 0)
3057         ERROR_OUT(-2607, exit);
3058     if (XMEMCMP(hash, large_digest, WC_SHA3_224_DIGEST_SIZE) != 0)
3059         ERROR_OUT(-2608, exit);
3060     } /* END LARGE HASH TEST */
3061 
3062 exit:
3063     wc_Sha3_224_Free(&sha);
3064 
3065     return ret;
3066 }
3067 #endif /* WOLFSSL_NOSHA3_224 */
3068 
3069 #ifndef WOLFSSL_NOSHA3_256
sha3_256_test(void)3070 static int sha3_256_test(void)
3071 {
3072     wc_Sha3  sha;
3073     byte  hash[WC_SHA3_256_DIGEST_SIZE];
3074     byte  hashcopy[WC_SHA3_256_DIGEST_SIZE];
3075 
3076     testVector a, b, c;
3077     testVector test_sha[3];
3078     int ret = 0;
3079     int times = sizeof(test_sha) / sizeof(struct testVector), i;
3080 
3081     byte large_input[1024];
3082     const char* large_digest =
3083         "\xdc\x90\xc0\xb1\x25\xdb\x2c\x34\x81\xa3\xff\xbc\x1e\x2e\x87\xeb"
3084         "\x6d\x70\x85\x61\xe0\xe9\x63\x61\xff\xe5\x84\x4b\x1f\x68\x05\x15";
3085 
3086 #if defined(WOLFSSL_HASH_FLAGS) && !defined(WOLFSSL_ASYNC_CRYPT)
3087     /* test vector with hash of empty string */
3088     const char* Keccak256EmptyOut =
3089         "\xc5\xd2\x46\x01\x86\xf7\x23\x3c\x92\x7e\x7d\xb2\xdc\xc7\x03\xc0"
3090         "\xe5\x00\xb6\x53\xca\x82\x27\x3b\x7b\xfa\xd8\x04\x5d\x85\xa4\x70";
3091 #endif
3092 
3093     a.input  = "";
3094     a.output = "\xa7\xff\xc6\xf8\xbf\x1e\xd7\x66\x51\xc1\x47\x56\xa0\x61\xd6"
3095                "\x62\xf5\x80\xff\x4d\xe4\x3b\x49\xfa\x82\xd8\x0a\x4b\x80\xf8"
3096                "\x43\x4a";
3097     a.inLen  = XSTRLEN(a.input);
3098     a.outLen = WC_SHA3_256_DIGEST_SIZE;
3099 
3100     b.input  = "abc";
3101     b.output = "\x3a\x98\x5d\xa7\x4f\xe2\x25\xb2\x04\x5c\x17\x2d\x6b\xd3\x90"
3102                "\xbd\x85\x5f\x08\x6e\x3e\x9d\x52\x5b\x46\xbf\xe2\x45\x11\x43"
3103                "\x15\x32";
3104     b.inLen  = XSTRLEN(b.input);
3105     b.outLen = WC_SHA3_256_DIGEST_SIZE;
3106 
3107     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
3108     c.output = "\x41\xc0\xdb\xa2\xa9\xd6\x24\x08\x49\x10\x03\x76\xa8\x23\x5e"
3109                "\x2c\x82\xe1\xb9\x99\x8a\x99\x9e\x21\xdb\x32\xdd\x97\x49\x6d"
3110                "\x33\x76";
3111     c.inLen  = XSTRLEN(c.input);
3112     c.outLen = WC_SHA3_256_DIGEST_SIZE;
3113 
3114     test_sha[0] = a;
3115     test_sha[1] = b;
3116     test_sha[2] = c;
3117 
3118     ret = wc_InitSha3_256(&sha, HEAP_HINT, devId);
3119     if (ret != 0)
3120         return -2700;
3121 
3122     for (i = 0; i < times; ++i) {
3123         ret = wc_Sha3_256_Update(&sha, (byte*)test_sha[i].input,
3124             (word32)test_sha[i].inLen);
3125         if (ret != 0)
3126             ERROR_OUT(-2701 - i, exit);
3127         ret = wc_Sha3_256_GetHash(&sha, hashcopy);
3128         if (ret != 0)
3129             ERROR_OUT(-2702 - i, exit);
3130         ret = wc_Sha3_256_Final(&sha, hash);
3131         if (ret != 0)
3132             ERROR_OUT(-2703 - i, exit);
3133 
3134         if (XMEMCMP(hash, test_sha[i].output, WC_SHA3_256_DIGEST_SIZE) != 0)
3135             ERROR_OUT(-2704 - i, exit);
3136         if (XMEMCMP(hash, hashcopy, WC_SHA3_256_DIGEST_SIZE) != 0)
3137             ERROR_OUT(-2705 - i, exit);
3138     }
3139 
3140     /* BEGIN LARGE HASH TEST */ {
3141     for (i = 0; i < (int)sizeof(large_input); i++) {
3142         large_input[i] = (byte)(i & 0xFF);
3143     }
3144     times = 100;
3145     for (i = 0; i < times; ++i) {
3146         ret = wc_Sha3_256_Update(&sha, (byte*)large_input,
3147             (word32)sizeof(large_input));
3148         if (ret != 0)
3149             ERROR_OUT(-2706, exit);
3150     }
3151     ret = wc_Sha3_256_Final(&sha, hash);
3152     if (ret != 0)
3153         ERROR_OUT(-2707, exit);
3154     if (XMEMCMP(hash, large_digest, WC_SHA3_256_DIGEST_SIZE) != 0)
3155         ERROR_OUT(-2708, exit);
3156     } /* END LARGE HASH TEST */
3157 
3158     /* this is a software only variant of SHA3 not supported by external hardware devices */
3159 #if defined(WOLFSSL_HASH_FLAGS) && !defined(WOLFSSL_ASYNC_CRYPT)
3160     /* Test for Keccak256 */
3161     ret = wc_Sha3_SetFlags(&sha, WC_HASH_SHA3_KECCAK256);
3162     if (ret != 0) {
3163         ERROR_OUT(-2709, exit);
3164     }
3165     ret = wc_Sha3_256_Update(&sha, (byte*)"", 0);
3166     if (ret != 0) {
3167         ERROR_OUT(-2710, exit);
3168     }
3169     ret = wc_Sha3_256_Final(&sha, hash);
3170     if (ret != 0) {
3171         ERROR_OUT(-2711, exit);
3172     }
3173     if (XMEMCMP(hash, Keccak256EmptyOut, WC_SHA3_256_DIGEST_SIZE) != 0) {
3174         ERROR_OUT(-2712, exit);
3175     }
3176 #endif /* WOLFSSL_HASH_FLAGS && !WOLFSSL_ASYNC_CRYPT */
3177 
3178 exit:
3179     wc_Sha3_256_Free(&sha);
3180 
3181     return ret;
3182 }
3183 #endif /* WOLFSSL_NOSHA3_256 */
3184 
3185 #ifndef WOLFSSL_NOSHA3_384
sha3_384_test(void)3186 static int sha3_384_test(void)
3187 {
3188     wc_Sha3  sha;
3189     byte  hash[WC_SHA3_384_DIGEST_SIZE];
3190 #ifndef NO_INTM_HASH_TEST
3191     byte  hashcopy[WC_SHA3_384_DIGEST_SIZE];
3192 #endif
3193 
3194     testVector a, b, c;
3195     testVector test_sha[3];
3196     int ret;
3197     int times = sizeof(test_sha) / sizeof(struct testVector), i;
3198 
3199     a.input  = "";
3200     a.output = "\x0c\x63\xa7\x5b\x84\x5e\x4f\x7d\x01\x10\x7d\x85\x2e\x4c\x24"
3201                "\x85\xc5\x1a\x50\xaa\xaa\x94\xfc\x61\x99\x5e\x71\xbb\xee\x98"
3202                "\x3a\x2a\xc3\x71\x38\x31\x26\x4a\xdb\x47\xfb\x6b\xd1\xe0\x58"
3203                "\xd5\xf0\x04";
3204     a.inLen  = XSTRLEN(a.input);
3205     a.outLen = WC_SHA3_384_DIGEST_SIZE;
3206 
3207 #if defined(WOLFSSL_AFALG_XILINX_SHA3) || defined(WOLFSSL_XILINX_CRYPT)
3208     /* NIST test vector with a length that is a multiple of 4 */
3209     b.input  = "\x7d\x80\xb1\x60\xc4\xb5\x36\xa3\xbe\xb7\x99\x80\x59\x93\x44"
3210                "\x04\x7c\x5f\x82\xa1\xdf\xc3\xee\xd4";
3211     b.output = "\x04\x1c\xc5\x86\x1b\xa3\x34\x56\x3c\x61\xd4\xef\x97\x10\xd4"
3212                "\x89\x6c\x31\x1c\x92\xed\xbe\x0d\x7c\xd5\x3e\x80\x3b\xf2\xf4"
3213                "\xeb\x60\x57\x23\x55\x70\x77\x0c\xe8\x7c\x55\x20\xd7\xec\x14"
3214                "\x19\x87\x22";
3215     b.inLen  = XSTRLEN(b.input);
3216     b.outLen = WC_SHA3_384_DIGEST_SIZE;
3217 #else
3218     b.input  = "abc";
3219     b.output = "\xec\x01\x49\x82\x88\x51\x6f\xc9\x26\x45\x9f\x58\xe2\xc6\xad"
3220                "\x8d\xf9\xb4\x73\xcb\x0f\xc0\x8c\x25\x96\xda\x7c\xf0\xe4\x9b"
3221                "\xe4\xb2\x98\xd8\x8c\xea\x92\x7a\xc7\xf5\x39\xf1\xed\xf2\x28"
3222                "\x37\x6d\x25";
3223     b.inLen  = XSTRLEN(b.input);
3224     b.outLen = WC_SHA3_384_DIGEST_SIZE;
3225 #endif
3226     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
3227     c.output = "\x99\x1c\x66\x57\x55\xeb\x3a\x4b\x6b\xbd\xfb\x75\xc7\x8a\x49"
3228                "\x2e\x8c\x56\xa2\x2c\x5c\x4d\x7e\x42\x9b\xfd\xbc\x32\xb9\xd4"
3229                "\xad\x5a\xa0\x4a\x1f\x07\x6e\x62\xfe\xa1\x9e\xef\x51\xac\xd0"
3230                "\x65\x7c\x22";
3231     c.inLen  = XSTRLEN(c.input);
3232     c.outLen = WC_SHA3_384_DIGEST_SIZE;
3233 
3234 #ifdef WOLFSSL_XILINX_CRYPT
3235     test_sha[0] = b; /* hardware acc. can not handle "" string */
3236 #else
3237     test_sha[0] = a;
3238 #endif
3239     test_sha[1] = b;
3240     test_sha[2] = c;
3241 
3242     ret = wc_InitSha3_384(&sha, HEAP_HINT, devId);
3243     if (ret != 0)
3244         return -2800;
3245 
3246     for (i = 0; i < times; ++i) {
3247         ret = wc_Sha3_384_Update(&sha, (byte*)test_sha[i].input,
3248             (word32)test_sha[i].inLen);
3249         if (ret != 0)
3250             ERROR_OUT(-2801 - i, exit);
3251     #ifndef NO_INTM_HASH_TEST
3252         ret = wc_Sha3_384_GetHash(&sha, hashcopy);
3253         if (ret != 0)
3254             ERROR_OUT(-2802 - i, exit);
3255     #endif
3256         ret = wc_Sha3_384_Final(&sha, hash);
3257         if (ret != 0)
3258             ERROR_OUT(-2803 - i, exit);
3259 
3260         if (XMEMCMP(hash, test_sha[i].output, WC_SHA3_384_DIGEST_SIZE) != 0)
3261             ERROR_OUT(-2804 - i, exit);
3262     #ifndef NO_INTM_HASH_TEST
3263         if (XMEMCMP(hash, hashcopy, WC_SHA3_384_DIGEST_SIZE) != 0)
3264             ERROR_OUT(-2805 - i, exit);
3265     #endif
3266     }
3267 
3268     /* BEGIN LARGE HASH TEST */ {
3269     byte large_input[1024];
3270     const char* large_digest =
3271         "\x30\x44\xec\x17\xef\x47\x9f\x55\x36\x11\xd6\x3f\x8a\x31\x5a\x71"
3272         "\x8a\x71\xa7\x1d\x8e\x84\xe8\x6c\x24\x02\x2f\x7a\x08\x4e\xea\xd7"
3273         "\x42\x36\x5d\xa8\xc2\xb7\x42\xad\xec\x19\xfb\xca\xc6\x64\xb3\xa4";
3274 
3275     for (i = 0; i < (int)sizeof(large_input); i++) {
3276         large_input[i] = (byte)(i & 0xFF);
3277     }
3278     times = 100;
3279     for (i = 0; i < times; ++i) {
3280         ret = wc_Sha3_384_Update(&sha, (byte*)large_input,
3281             (word32)sizeof(large_input));
3282         if (ret != 0)
3283             ERROR_OUT(-2806, exit);
3284     }
3285     ret = wc_Sha3_384_Final(&sha, hash);
3286     if (ret != 0)
3287         ERROR_OUT(-2807, exit);
3288     if (XMEMCMP(hash, large_digest, WC_SHA3_384_DIGEST_SIZE) != 0)
3289         ERROR_OUT(-2808, exit);
3290     } /* END LARGE HASH TEST */
3291 
3292 exit:
3293     wc_Sha3_384_Free(&sha);
3294 
3295     return ret;
3296 }
3297 #endif /* WOLFSSL_NOSHA3_384 */
3298 
3299 #ifndef WOLFSSL_NOSHA3_512
sha3_512_test(void)3300 static int sha3_512_test(void)
3301 {
3302     wc_Sha3  sha;
3303     byte  hash[WC_SHA3_512_DIGEST_SIZE];
3304     byte  hashcopy[WC_SHA3_512_DIGEST_SIZE];
3305 
3306     testVector a, b, c;
3307     testVector test_sha[3];
3308     int ret;
3309     int times = sizeof(test_sha) / sizeof(struct testVector), i;
3310 
3311     a.input  = "";
3312     a.output = "\xa6\x9f\x73\xcc\xa2\x3a\x9a\xc5\xc8\xb5\x67\xdc\x18\x5a\x75"
3313                "\x6e\x97\xc9\x82\x16\x4f\xe2\x58\x59\xe0\xd1\xdc\xc1\x47\x5c"
3314                "\x80\xa6\x15\xb2\x12\x3a\xf1\xf5\xf9\x4c\x11\xe3\xe9\x40\x2c"
3315                "\x3a\xc5\x58\xf5\x00\x19\x9d\x95\xb6\xd3\xe3\x01\x75\x85\x86"
3316                "\x28\x1d\xcd\x26";
3317     a.inLen  = XSTRLEN(a.input);
3318     a.outLen = WC_SHA3_512_DIGEST_SIZE;
3319 
3320     b.input  = "abc";
3321     b.output = "\xb7\x51\x85\x0b\x1a\x57\x16\x8a\x56\x93\xcd\x92\x4b\x6b\x09"
3322                "\x6e\x08\xf6\x21\x82\x74\x44\xf7\x0d\x88\x4f\x5d\x02\x40\xd2"
3323                "\x71\x2e\x10\xe1\x16\xe9\x19\x2a\xf3\xc9\x1a\x7e\xc5\x76\x47"
3324                "\xe3\x93\x40\x57\x34\x0b\x4c\xf4\x08\xd5\xa5\x65\x92\xf8\x27"
3325                "\x4e\xec\x53\xf0";
3326     b.inLen  = XSTRLEN(b.input);
3327     b.outLen = WC_SHA3_512_DIGEST_SIZE;
3328 
3329     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
3330     c.output = "\x04\xa3\x71\xe8\x4e\xcf\xb5\xb8\xb7\x7c\xb4\x86\x10\xfc\xa8"
3331                "\x18\x2d\xd4\x57\xce\x6f\x32\x6a\x0f\xd3\xd7\xec\x2f\x1e\x91"
3332                "\x63\x6d\xee\x69\x1f\xbe\x0c\x98\x53\x02\xba\x1b\x0d\x8d\xc7"
3333                "\x8c\x08\x63\x46\xb5\x33\xb4\x9c\x03\x0d\x99\xa2\x7d\xaf\x11"
3334                "\x39\xd6\xe7\x5e";
3335     c.inLen  = XSTRLEN(c.input);
3336     c.outLen = WC_SHA3_512_DIGEST_SIZE;
3337 
3338     test_sha[0] = a;
3339     test_sha[1] = b;
3340     test_sha[2] = c;
3341 
3342     ret = wc_InitSha3_512(&sha, HEAP_HINT, devId);
3343     if (ret != 0)
3344         return -2900;
3345 
3346     for (i = 0; i < times; ++i) {
3347         ret = wc_Sha3_512_Update(&sha, (byte*)test_sha[i].input,
3348             (word32)test_sha[i].inLen);
3349         if (ret != 0)
3350             ERROR_OUT(-2901 - i, exit);
3351         ret = wc_Sha3_512_GetHash(&sha, hashcopy);
3352         if (ret != 0)
3353             ERROR_OUT(-2902 - i, exit);
3354         ret = wc_Sha3_512_Final(&sha, hash);
3355         if (ret != 0)
3356             ERROR_OUT(-2903 - i, exit);
3357 
3358         if (XMEMCMP(hash, test_sha[i].output, WC_SHA3_512_DIGEST_SIZE) != 0)
3359             ERROR_OUT(-2904 - i, exit);
3360         if (XMEMCMP(hash, hashcopy, WC_SHA3_512_DIGEST_SIZE) != 0)
3361             ERROR_OUT(-2905 - i, exit);
3362     }
3363 
3364     /* BEGIN LARGE HASH TEST */ {
3365     byte large_input[1024];
3366     const char* large_digest =
3367         "\x9c\x13\x26\xb6\x26\xb2\x94\x31\xbc\xf4\x34\xe9\x6f\xf2\xd6\x29"
3368         "\x9a\xd0\x9b\x32\x63\x2f\x18\xa7\x5f\x23\xc9\x60\xc2\x32\x0c\xbc"
3369         "\x57\x77\x33\xf1\x83\x81\x8a\xd3\x15\x7c\x93\xdc\x80\x9f\xed\x61"
3370         "\x41\xa7\x5b\xfd\x32\x0e\x38\x15\xb0\x46\x3b\x7a\x4f\xfd\x44\x88";
3371 
3372     for (i = 0; i < (int)sizeof(large_input); i++) {
3373         large_input[i] = (byte)(i & 0xFF);
3374     }
3375     times = 100;
3376     for (i = 0; i < times; ++i) {
3377         ret = wc_Sha3_512_Update(&sha, (byte*)large_input,
3378             (word32)sizeof(large_input));
3379         if (ret != 0)
3380             ERROR_OUT(-2906, exit);
3381     }
3382     ret = wc_Sha3_512_Final(&sha, hash);
3383     if (ret != 0)
3384         ERROR_OUT(-2907, exit);
3385     if (XMEMCMP(hash, large_digest, WC_SHA3_512_DIGEST_SIZE) != 0)
3386         ERROR_OUT(-2908, exit);
3387     } /* END LARGE HASH TEST */
3388 
3389 exit:
3390     wc_Sha3_512_Free(&sha);
3391 
3392     return ret;
3393 }
3394 #endif /* WOLFSSL_NOSHA3_512 */
3395 
sha3_test(void)3396 WOLFSSL_TEST_SUBROUTINE int sha3_test(void)
3397 {
3398     int ret;
3399 
3400     (void)ret;
3401 
3402 #ifndef WOLFSSL_NOSHA3_224
3403     if ((ret = sha3_224_test()) != 0)
3404         return ret;
3405 #endif
3406 #ifndef WOLFSSL_NOSHA3_256
3407     if ((ret = sha3_256_test()) != 0)
3408         return ret;
3409 #endif
3410 #ifndef WOLFSSL_NOSHA3_384
3411     if ((ret = sha3_384_test()) != 0)
3412         return ret;
3413 #endif
3414 #ifndef WOLFSSL_NOSHA3_512
3415     if ((ret = sha3_512_test()) != 0)
3416         return ret;
3417 #endif
3418 
3419     return 0;
3420 }
3421 #endif /* WOLFSSL_SHA3 */
3422 
3423 #ifdef WOLFSSL_SHAKE256
shake256_test(void)3424 WOLFSSL_TEST_SUBROUTINE int shake256_test(void)
3425 {
3426     wc_Shake  sha;
3427     byte  hash[250];
3428 
3429     testVector a, b, c, d, e;
3430     testVector test_sha[5];
3431     int ret = 0;
3432     int times = sizeof(test_sha) / sizeof(struct testVector), i;
3433 
3434     byte large_input[1024];
3435     const char* large_digest =
3436         "\x90\x32\x4a\xcc\xd1\xdf\xb8\x0b\x79\x1f\xb8\xc8\x5b\x54\xc8\xe7"
3437         "\x45\xf5\x60\x6b\x38\x26\xb2\x0a\xee\x38\x01\xf3\xd9\xfa\x96\x9f"
3438         "\x6a\xd7\x15\xdf\xb6\xc2\xf4\x20\x33\x44\x55\xe8\x2a\x09\x2b\x68"
3439         "\x2e\x18\x65\x5e\x65\x93\x28\xbc\xb1\x9e\xe2\xb1\x92\xea\x98\xac"
3440         "\x21\xef\x4c\xe1\xb4\xb7\xbe\x81\x5c\x1d\xd3\xb7\x17\xe5\xbb\xc5"
3441         "\x8c\x68\xb7\xfb\xac\x55\x8a\x9b\x4d\x91\xe4\x9f\x72\xbb\x6e\x38"
3442         "\xaf\x21\x7d\x21\xaa\x98\x4e\x75\xc4\xb4\x1c\x7c\x50\x45\x54\xf9"
3443         "\xea\x26";
3444 
3445     a.input  = "";
3446     a.output = "\x46\xb9\xdd\x2b\x0b\xa8\x8d\x13\x23\x3b\x3f\xeb\x74\x3e\xeb"
3447                "\x24\x3f\xcd\x52\xea\x62\xb8\x1b\x82\xb5\x0c\x27\x64\x6e\xd5"
3448                "\x76\x2f\xd7\x5d\xc4\xdd\xd8\xc0\xf2\x00\xcb\x05\x01\x9d\x67"
3449                "\xb5\x92\xf6\xfc\x82\x1c\x49\x47\x9a\xb4\x86\x40\x29\x2e\xac"
3450                "\xb3\xb7\xc4\xbe\x14\x1e\x96\x61\x6f\xb1\x39\x57\x69\x2c\xc7"
3451                "\xed\xd0\xb4\x5a\xe3\xdc\x07\x22\x3c\x8e\x92\x93\x7b\xef\x84"
3452                "\xbc\x0e\xab\x86\x28\x53\x34\x9e\xc7\x55\x46\xf5\x8f\xb7\xc2"
3453                "\x77\x5c\x38\x46\x2c\x50\x10\xd8\x46";
3454     a.inLen  = XSTRLEN(a.input);
3455     a.outLen = 114;
3456 
3457     b.input  = "abc";
3458     b.output = "\x48\x33\x66\x60\x13\x60\xa8\x77\x1c\x68\x63\x08\x0c\xc4\x11"
3459                "\x4d\x8d\xb4\x45\x30\xf8\xf1\xe1\xee\x4f\x94\xea\x37\xe7\x8b"
3460                "\x57\x39\xd5\xa1\x5b\xef\x18\x6a\x53\x86\xc7\x57\x44\xc0\x52"
3461                "\x7e\x1f\xaa\x9f\x87\x26\xe4\x62\xa1\x2a\x4f\xeb\x06\xbd\x88"
3462                "\x01\xe7\x51\xe4\x13\x85\x14\x12\x04\xf3\x29\x97\x9f\xd3\x04"
3463                "\x7a\x13\xc5\x65\x77\x24\xad\xa6\x4d\x24\x70\x15\x7b\x3c\xdc"
3464                "\x28\x86\x20\x94\x4d\x78\xdb\xcd\xdb\xd9\x12\x99\x3f\x09\x13"
3465                "\xf1\x64\xfb\x2c\xe9\x51\x31\xa2\xd0";
3466     b.inLen  = XSTRLEN(b.input);
3467     b.outLen = 114;
3468 
3469     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
3470     c.output = "\x4d\x8c\x2d\xd2\x43\x5a\x01\x28\xee\xfb\xb8\xc3\x6f\x6f\x87"
3471                "\x13\x3a\x79\x11\xe1\x8d\x97\x9e\xe1\xae\x6b\xe5\xd4\xfd\x2e"
3472                "\x33\x29\x40\xd8\x68\x8a\x4e\x6a\x59\xaa\x80\x60\xf1\xf9\xbc"
3473                "\x99\x6c\x05\xac\xa3\xc6\x96\xa8\xb6\x62\x79\xdc\x67\x2c\x74"
3474                "\x0b\xb2\x24\xec\x37\xa9\x2b\x65\xdb\x05\x39\xc0\x20\x34\x55"
3475                "\xf5\x1d\x97\xcc\xe4\xcf\xc4\x91\x27\xd7\x26\x0a\xfc\x67\x3a"
3476                "\xf2\x08\xba\xf1\x9b\xe2\x12\x33\xf3\xde\xbe\x78\xd0\x67\x60"
3477                "\xcf\xa5\x51\xee\x1e\x07\x91\x41\xd4";
3478     c.inLen  = XSTRLEN(c.input);
3479     c.outLen = 114;
3480 
3481     /* Taken from NIST CAVP test vectors - full rate output. */
3482     d.input  = "\xdc\x88\x6d\xf3\xf6\x9c\x49\x51\x3d\xe3\x62\x7e\x94\x81\xdb"
3483                "\x58\x71\xe8\xee\x88\xeb\x9f\x99\x61\x15\x41\x93\x0a\x8b\xc8"
3484                "\x85\xe0";
3485     d.output = "\x00\x64\x8a\xfb\xc5\xe6\x51\x64\x9d\xb1\xfd\x82\x93\x6b\x00"
3486                "\xdb\xbc\x12\x2f\xb4\xc8\x77\x86\x0d\x38\x5c\x49\x50\xd5\x6d"
3487                "\xe7\xe0\x96\xd6\x13\xd7\xa3\xf2\x7e\xd8\xf2\x63\x34\xb0\xcc"
3488                "\xc1\x40\x7b\x41\xdc\xcb\x23\xdf\xaa\x52\x98\x18\xd1\x12\x5c"
3489                "\xd5\x34\x80\x92\x52\x43\x66\xb8\x5f\xab\xb9\x7c\x6c\xd1\xe6"
3490                "\x06\x6f\x45\x9b\xcc\x56\x6d\xa8\x7e\xc9\xb7\xba\x36\x79\x2d"
3491                "\x11\x8a\xc3\x9a\x4c\xce\xf6\x19\x2b\xbf\x3a\x54\xaf\x18\xe5"
3492                "\x7b\x0c\x14\x61\x01\xf6\xae\xaa\x82\x2b\xc4\xb4\xc9\x70\x8b"
3493                "\x09\xf0\xb3\xba\xb4\x1b\xcc\xe9\x64\xd9\x99\xd1\x10\x7b\xd7"
3494                "\xc2";
3495     d.inLen  = 32;
3496     d.outLen = 136;
3497     /* Taken from NIST CAVP test vectors - more than one output block. */
3498     e.input  = "\x8d\x80\x01\xe2\xc0\x96\xf1\xb8\x8e\x7c\x92\x24\xa0\x86\xef"
3499                "\xd4\x79\x7f\xbf\x74\xa8\x03\x3a\x2d\x42\x2a\x2b\x6b\x8f\x67"
3500                "\x47\xe4";
3501     e.output = "\x2e\x97\x5f\x6a\x8a\x14\xf0\x70\x4d\x51\xb1\x36\x67\xd8\x19"
3502                "\x5c\x21\x9f\x71\xe6\x34\x56\x96\xc4\x9f\xa4\xb9\xd0\x8e\x92"
3503                "\x25\xd3\xd3\x93\x93\x42\x51\x52\xc9\x7e\x71\xdd\x24\x60\x1c"
3504                "\x11\xab\xcf\xa0\xf1\x2f\x53\xc6\x80\xbd\x3a\xe7\x57\xb8\x13"
3505                "\x4a\x9c\x10\xd4\x29\x61\x58\x69\x21\x7f\xdd\x58\x85\xc4\xdb"
3506                "\x17\x49\x85\x70\x3a\x6d\x6d\xe9\x4a\x66\x7e\xac\x30\x23\x44"
3507                "\x3a\x83\x37\xae\x1b\xc6\x01\xb7\x6d\x7d\x38\xec\x3c\x34\x46"
3508                "\x31\x05\xf0\xd3\x94\x9d\x78\xe5\x62\xa0\x39\xe4\x46\x95\x48"
3509                "\xb6\x09\x39\x5d\xe5\xa4\xfd\x43\xc4\x6c\xa9\xfd\x6e\xe2\x9a"
3510                "\xda\x5e\xfc\x07\xd8\x4d\x55\x32\x49\x45\x0d\xab\x4a\x49\xc4"
3511                "\x83\xde\xd2\x50\xc9\x33\x8f\x85\xcd\x93\x7a\xe6\x6b\xb4\x36"
3512                "\xf3\xb4\x02\x6e\x85\x9f\xda\x1c\xa5\x71\x43\x2f\x3b\xfc\x09"
3513                "\xe7\xc0\x3c\xa4\xd1\x83\xb7\x41\x11\x1c\xa0\x48\x3d\x0e\xda"
3514                "\xbc\x03\xfe\xb2\x3b\x17\xee\x48\xe8\x44\xba\x24\x08\xd9\xdc"
3515                "\xfd\x01\x39\xd2\xe8\xc7\x31\x01\x25\xae\xe8\x01\xc6\x1a\xb7"
3516                "\x90\x0d\x1e\xfc\x47\xc0\x78\x28\x17\x66\xf3\x61\xc5\xe6\x11"
3517                "\x13\x46\x23\x5e\x1d\xc3\x83\x25\x66\x6c";
3518     e.inLen  = 32;
3519     e.outLen = 250;
3520 
3521     test_sha[0] = a;
3522     test_sha[1] = b;
3523     test_sha[2] = c;
3524     test_sha[3] = d;
3525     test_sha[4] = e;
3526 
3527     ret = wc_InitShake256(&sha, HEAP_HINT, devId);
3528     if (ret != 0)
3529         return -3100;
3530 
3531     for (i = 0; i < times; ++i) {
3532         ret = wc_Shake256_Update(&sha, (byte*)test_sha[i].input,
3533             (word32)test_sha[i].inLen);
3534         if (ret != 0)
3535             ERROR_OUT(-3101 - i, exit);
3536         ret = wc_Shake256_Final(&sha, hash, (word32)test_sha[i].outLen);
3537         if (ret != 0)
3538             ERROR_OUT(-3102 - i, exit);
3539 
3540         if (XMEMCMP(hash, test_sha[i].output, test_sha[i].outLen) != 0)
3541             ERROR_OUT(-3103 - i, exit);
3542     }
3543 
3544     /* BEGIN LARGE HASH TEST */ {
3545     for (i = 0; i < (int)sizeof(large_input); i++) {
3546         large_input[i] = (byte)(i & 0xFF);
3547     }
3548     times = 100;
3549     for (i = 0; i < times; ++i) {
3550         ret = wc_Shake256_Update(&sha, (byte*)large_input,
3551             (word32)sizeof(large_input));
3552         if (ret != 0)
3553             ERROR_OUT(-3104, exit);
3554     }
3555     ret = wc_Shake256_Final(&sha, hash, (word32)sizeof(hash));
3556     if (ret != 0)
3557         ERROR_OUT(-3105, exit);
3558     if (XMEMCMP(hash, large_digest, 114) != 0)
3559         ERROR_OUT(-3106, exit);
3560     } /* END LARGE HASH TEST */
3561 
3562 exit:
3563     wc_Shake256_Free(&sha);
3564 
3565     return ret;
3566 }
3567 #endif
3568 
3569 #ifndef NO_HASH_WRAPPER
hash_test(void)3570 WOLFSSL_TEST_SUBROUTINE int hash_test(void)
3571 {
3572     wc_HashAlg       hash;
3573     int              ret, exp_ret;
3574     int              i, j;
3575     int              digestSz;
3576     byte             data[] = "0123456789abcdef0123456789abcdef0123456";
3577     byte             out[WC_MAX_DIGEST_SIZE];
3578     byte             hashOut[WC_MAX_DIGEST_SIZE];
3579 #if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC)
3580     enum wc_HashType hashType;
3581 #endif
3582     enum wc_HashType typesGood[] = { WC_HASH_TYPE_MD5, WC_HASH_TYPE_SHA,
3583                                      WC_HASH_TYPE_SHA224, WC_HASH_TYPE_SHA256,
3584                                      WC_HASH_TYPE_SHA384, WC_HASH_TYPE_SHA512,
3585                                      WC_HASH_TYPE_SHA3_224,
3586                                      WC_HASH_TYPE_SHA3_256,
3587                                      WC_HASH_TYPE_SHA3_384,
3588                                      WC_HASH_TYPE_SHA3_512 };
3589     enum wc_HashType typesNoImpl[] = {
3590 #ifdef NO_MD5
3591                                         WC_HASH_TYPE_MD5,
3592 #endif
3593 #ifdef NO_SHA
3594                                         WC_HASH_TYPE_SHA,
3595 #endif
3596 #ifndef WOLFSSL_SHA224
3597                                         WC_HASH_TYPE_SHA224,
3598 #endif
3599 #ifdef NO_SHA256
3600                                         WC_HASH_TYPE_SHA256,
3601 #endif
3602 #ifndef WOLFSSL_SHA384
3603                                         WC_HASH_TYPE_SHA384,
3604 #endif
3605 #ifndef WOLFSSL_SHA512
3606                                         WC_HASH_TYPE_SHA512,
3607 #endif
3608 #if !defined(WOLFSSL_SHA3) || defined(WOLFSSL_NOSHA3_224)
3609                                         WC_HASH_TYPE_SHA3_224,
3610 #endif
3611 #if !defined(WOLFSSL_SHA3) || defined(WOLFSSL_NOSHA3_256)
3612                                         WC_HASH_TYPE_SHA3_256,
3613 #endif
3614 #if !defined(WOLFSSL_SHA3) || defined(WOLFSSL_NOSHA3_384)
3615                                         WC_HASH_TYPE_SHA3_384,
3616 #endif
3617 #if !defined(WOLFSSL_SHA3) || defined(WOLFSSL_NOSHA3_512)
3618                                         WC_HASH_TYPE_SHA3_512,
3619 #endif
3620                                         WC_HASH_TYPE_NONE
3621                                      };
3622     enum wc_HashType typesBad[]  = { WC_HASH_TYPE_NONE, WC_HASH_TYPE_MD5_SHA,
3623                                      WC_HASH_TYPE_MD2, WC_HASH_TYPE_MD4 };
3624     enum wc_HashType typesHashBad[] = { WC_HASH_TYPE_MD2, WC_HASH_TYPE_MD4,
3625                                         WC_HASH_TYPE_BLAKE2B,
3626                                         WC_HASH_TYPE_NONE };
3627 
3628     /* Parameter Validation testing. */
3629     ret = wc_HashInit(NULL, WC_HASH_TYPE_SHA256);
3630     if (ret != BAD_FUNC_ARG)
3631         return -3200;
3632     ret = wc_HashUpdate(NULL, WC_HASH_TYPE_SHA256, NULL, sizeof(data));
3633     if (ret != BAD_FUNC_ARG)
3634         return -3201;
3635     ret = wc_HashUpdate(&hash, WC_HASH_TYPE_SHA256, NULL, sizeof(data));
3636     if (ret != BAD_FUNC_ARG)
3637         return -3202;
3638     ret = wc_HashUpdate(NULL, WC_HASH_TYPE_SHA256, data, sizeof(data));
3639     if (ret != BAD_FUNC_ARG)
3640         return -3203;
3641     ret = wc_HashFinal(NULL, WC_HASH_TYPE_SHA256, NULL);
3642     if (ret != BAD_FUNC_ARG)
3643         return -3204;
3644     ret = wc_HashFinal(&hash, WC_HASH_TYPE_SHA256, NULL);
3645     if (ret != BAD_FUNC_ARG)
3646         return -3205;
3647     ret = wc_HashFinal(NULL, WC_HASH_TYPE_SHA256, out);
3648     if (ret != BAD_FUNC_ARG)
3649         return -3206;
3650 
3651     /* Try invalid hash algorithms. */
3652     for (i = 0; i < (int)(sizeof(typesBad)/sizeof(*typesBad)); i++) {
3653         ret = wc_HashInit(&hash, typesBad[i]);
3654         if (ret != BAD_FUNC_ARG)
3655             return -3207 - i;
3656         ret = wc_HashUpdate(&hash, typesBad[i], data, sizeof(data));
3657         if (ret != BAD_FUNC_ARG)
3658             return -3217 - i;
3659         ret = wc_HashFinal(&hash, typesBad[i], out);
3660         if (ret != BAD_FUNC_ARG)
3661             return -3227 - i;
3662         wc_HashFree(&hash, typesBad[i]);
3663     }
3664 
3665     /* Try valid hash algorithms. */
3666     for (i = 0, j = 0; i < (int)(sizeof(typesGood)/sizeof(*typesGood)); i++) {
3667         exp_ret = 0;
3668         if (typesGood[i] == typesNoImpl[j]) {
3669             /* Recognized but no implementation compiled in. */
3670             exp_ret = HASH_TYPE_E;
3671             j++;
3672         }
3673         ret = wc_HashInit(&hash, typesGood[i]);
3674         if (ret != exp_ret)
3675             return -3237 - i;
3676         ret = wc_HashUpdate(&hash, typesGood[i], data, sizeof(data));
3677         if (ret != exp_ret)
3678             return -3247 - i;
3679         ret = wc_HashFinal(&hash, typesGood[i], out);
3680         if (ret != exp_ret)
3681             return -3257 - i;
3682         wc_HashFree(&hash, typesGood[i]);
3683 
3684         digestSz = wc_HashGetDigestSize(typesGood[i]);
3685         if (exp_ret < 0 && digestSz != exp_ret)
3686             return -3267 - i;
3687         if (exp_ret == 0 && digestSz < 0)
3688             return -3277 - i;
3689         if (exp_ret == 0) {
3690             ret = wc_Hash(typesGood[i], data, sizeof(data), hashOut,
3691                                                                   digestSz - 1);
3692             if (ret != BUFFER_E)
3693                 return -3287 - i;
3694         }
3695         ret = wc_Hash(typesGood[i], data, sizeof(data), hashOut, digestSz);
3696         if (ret != exp_ret)
3697             return -3297 - i;
3698         if (exp_ret == 0 && XMEMCMP(out, hashOut, digestSz) != 0)
3699             return -3307 -i;
3700 
3701         ret = wc_HashGetBlockSize(typesGood[i]);
3702         if (exp_ret < 0 && ret != exp_ret)
3703             return -3308 - i;
3704         if (exp_ret == 0 && ret < 0)
3705             return -3318 - i;
3706 
3707 #if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC)
3708         ret = wc_HashGetOID(typesGood[i]);
3709         if (ret == BAD_FUNC_ARG ||
3710                 (exp_ret == 0 && ret == HASH_TYPE_E) ||
3711                 (exp_ret != 0 && ret != HASH_TYPE_E)) {
3712             return -3328 - i;
3713         }
3714 
3715         hashType = wc_OidGetHash(ret);
3716         if (exp_ret == 0 && hashType != typesGood[i])
3717             return -3338 - i;
3718 #endif /* !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC) */
3719     }
3720 
3721     for (i = 0; i < (int)(sizeof(typesHashBad)/sizeof(*typesHashBad)); i++) {
3722         ret = wc_Hash(typesHashBad[i], data, sizeof(data), out, sizeof(out));
3723         if (ret != BAD_FUNC_ARG && ret != BUFFER_E)
3724             return -3348 - i;
3725     }
3726 
3727 #if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC)
3728     ret = wc_HashGetOID(WC_HASH_TYPE_MD2);
3729 #ifdef WOLFSSL_MD2
3730     if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
3731         return -3358;
3732 #else
3733     if (ret != HASH_TYPE_E)
3734         return -3359;
3735 #endif
3736     hashType = wc_OidGetHash(646); /* Md2h */
3737 #ifdef WOLFSSL_MD2
3738     if (hashType != WC_HASH_TYPE_MD2)
3739         return -3360;
3740 #else
3741     if (hashType != WC_HASH_TYPE_NONE)
3742         return -3361;
3743 #endif
3744 
3745     ret = wc_HashGetOID(WC_HASH_TYPE_MD5_SHA);
3746 #ifndef NO_MD5
3747     if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
3748         return -3362;
3749 #else
3750     if (ret != HASH_TYPE_E)
3751         return -3363;
3752 #endif
3753     ret = wc_HashGetOID(WC_HASH_TYPE_MD4);
3754     if (ret != BAD_FUNC_ARG)
3755         return -3364;
3756     ret = wc_HashGetOID(WC_HASH_TYPE_NONE);
3757     if (ret != BAD_FUNC_ARG)
3758         return -3365;
3759 
3760     hashType = wc_OidGetHash(0);
3761     if (hashType != WC_HASH_TYPE_NONE)
3762         return -3366;
3763 #endif /* !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC) */
3764 
3765     ret = wc_HashGetBlockSize(WC_HASH_TYPE_MD2);
3766 #ifdef WOLFSSL_MD2
3767     if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
3768         return -3367;
3769 #else
3770     if (ret != HASH_TYPE_E)
3771         return -3368;
3772 #endif
3773     ret = wc_HashGetDigestSize(WC_HASH_TYPE_MD2);
3774 #ifdef WOLFSSL_MD2
3775     if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
3776         return -3369;
3777 #else
3778     if (ret != HASH_TYPE_E)
3779         return -3370;
3780 #endif
3781 
3782     ret = wc_HashGetBlockSize(WC_HASH_TYPE_MD4);
3783 #ifndef NO_MD4
3784     if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
3785         return -3371;
3786 #else
3787     if (ret != HASH_TYPE_E)
3788         return -3372;
3789 #endif
3790     ret = wc_HashGetDigestSize(WC_HASH_TYPE_MD4);
3791 #ifndef NO_MD4
3792     if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
3793         return -3373;
3794 #else
3795     if (ret != HASH_TYPE_E)
3796         return -3374;
3797 #endif
3798     ret = wc_HashGetBlockSize(WC_HASH_TYPE_MD5_SHA);
3799 #if !defined(NO_MD5) && !defined(NO_SHA)
3800     if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
3801         return -3375;
3802 #else
3803     if (ret != HASH_TYPE_E)
3804         return -3376;
3805 #endif
3806 
3807     ret = wc_HashGetBlockSize(WC_HASH_TYPE_BLAKE2B);
3808 #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
3809     if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
3810         return -3377;
3811 #else
3812     if (ret != HASH_TYPE_E)
3813         return -3378;
3814 #endif
3815     ret = wc_HashGetDigestSize(WC_HASH_TYPE_BLAKE2B);
3816 #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
3817     if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
3818         return -3379;
3819 #else
3820     if (ret != HASH_TYPE_E)
3821         return -3380;
3822 #endif
3823 
3824     ret = wc_HashGetBlockSize(WC_HASH_TYPE_NONE);
3825     if (ret != BAD_FUNC_ARG)
3826         return -3381;
3827     ret = wc_HashGetDigestSize(WC_HASH_TYPE_NONE);
3828     if (ret != BAD_FUNC_ARG)
3829         return -3382;
3830 
3831 #if !defined(NO_CERTS) && !defined(NO_ASN)
3832 #if defined(WOLFSSL_MD2) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
3833     ret = wc_GetCTC_HashOID(MD2);
3834     if (ret == 0)
3835         return -3383;
3836 #endif
3837 #ifndef NO_MD5
3838     ret = wc_GetCTC_HashOID(WC_MD5);
3839     if (ret == 0)
3840         return -3384;
3841 #endif
3842 #ifndef NO_SHA
3843     ret = wc_GetCTC_HashOID(WC_SHA);
3844     if (ret == 0)
3845         return -3385;
3846 #endif
3847 #ifdef WOLFSSL_SHA224
3848     ret = wc_GetCTC_HashOID(WC_SHA224);
3849     if (ret == 0)
3850         return -3386;
3851 #endif
3852 #ifndef NO_SHA256
3853     ret = wc_GetCTC_HashOID(WC_SHA256);
3854     if (ret == 0)
3855         return -3387;
3856 #endif
3857 #ifdef WOLFSSL_SHA384
3858     ret = wc_GetCTC_HashOID(WC_SHA384);
3859     if (ret == 0)
3860         return -3388;
3861 #endif
3862 #ifdef WOLFSSL_SHA512
3863     ret = wc_GetCTC_HashOID(WC_SHA512);
3864     if (ret == 0)
3865         return -3389;
3866 #endif
3867     ret = wc_GetCTC_HashOID(-1);
3868     if (ret != 0)
3869         return -3390;
3870 #endif
3871 
3872     return 0;
3873 }
3874 #endif /* !NO_HASH_WRAPPER */
3875 
3876 #if !defined(NO_HMAC) && !defined(NO_MD5) && !(defined(HAVE_FIPS) && \
3877                                                defined(HAVE_FIPS_VERSION) && \
3878                                                (HAVE_FIPS_VERSION >= 5))
hmac_md5_test(void)3879 WOLFSSL_TEST_SUBROUTINE int hmac_md5_test(void)
3880 {
3881     Hmac hmac;
3882     byte hash[WC_MD5_DIGEST_SIZE];
3883 
3884     const char* keys[]=
3885     {
3886         "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
3887         "Jefe",
3888         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
3889     };
3890 
3891     testVector a, b, c;
3892     testVector test_hmac[3];
3893 
3894     int ret;
3895     int times = sizeof(test_hmac) / sizeof(testVector), i;
3896 
3897     a.input  = "Hi There";
3898     a.output = "\x92\x94\x72\x7a\x36\x38\xbb\x1c\x13\xf4\x8e\xf8\x15\x8b\xfc"
3899                "\x9d";
3900     a.inLen  = XSTRLEN(a.input);
3901     a.outLen = WC_MD5_DIGEST_SIZE;
3902 
3903     b.input  = "what do ya want for nothing?";
3904     b.output = "\x75\x0c\x78\x3e\x6a\xb0\xb5\x03\xea\xa8\x6e\x31\x0a\x5d\xb7"
3905                "\x38";
3906     b.inLen  = XSTRLEN(b.input);
3907     b.outLen = WC_MD5_DIGEST_SIZE;
3908 
3909     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
3910                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
3911                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
3912                "\xDD\xDD\xDD\xDD\xDD\xDD";
3913     c.output = "\x56\xbe\x34\x52\x1d\x14\x4c\x88\xdb\xb8\xc7\x33\xf0\xe8\xb3"
3914                "\xf6";
3915     c.inLen  = XSTRLEN(c.input);
3916     c.outLen = WC_MD5_DIGEST_SIZE;
3917 
3918     test_hmac[0] = a;
3919     test_hmac[1] = b;
3920     test_hmac[2] = c;
3921 
3922     for (i = 0; i < times; ++i) {
3923     #if defined(HAVE_FIPS) || defined(HAVE_CAVIUM)
3924         if (i == 1) {
3925             continue; /* cavium can't handle short keys, fips not allowed */
3926         }
3927     #endif
3928 
3929         if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0) {
3930             return -3400;
3931         }
3932 
3933         ret = wc_HmacSetKey(&hmac, WC_MD5, (byte*)keys[i],
3934             (word32)XSTRLEN(keys[i]));
3935         if (ret != 0)
3936             return -3401;
3937         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
3938                    (word32)test_hmac[i].inLen);
3939         if (ret != 0)
3940             return -3402;
3941         ret = wc_HmacFinal(&hmac, hash);
3942         if (ret != 0)
3943             return -3403;
3944 
3945         if (XMEMCMP(hash, test_hmac[i].output, WC_MD5_DIGEST_SIZE) != 0)
3946             return -3404 - i;
3947 
3948         wc_HmacFree(&hmac);
3949     }
3950 
3951 #ifndef HAVE_FIPS
3952     if (wc_HmacSizeByType(WC_MD5) != WC_MD5_DIGEST_SIZE)
3953         return -3414;
3954 #endif
3955 
3956     return 0;
3957 }
3958 #endif /* !NO_HMAC && !NO_MD5 && (!HAVE_FIPS || (HAVE_FIPS_VERSION < 5)) */
3959 
3960 #if !defined(NO_HMAC) && !defined(NO_SHA)
hmac_sha_test(void)3961 WOLFSSL_TEST_SUBROUTINE int hmac_sha_test(void)
3962 {
3963     Hmac hmac;
3964     byte hash[WC_SHA_DIGEST_SIZE];
3965 
3966     const char* keys[]=
3967     {
3968         "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
3969                                                                 "\x0b\x0b\x0b",
3970         "Jefe",
3971         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
3972                                                                 "\xAA\xAA\xAA"
3973     };
3974 
3975     testVector a, b, c;
3976     testVector test_hmac[3];
3977 
3978     int ret;
3979     int times = sizeof(test_hmac) / sizeof(testVector), i;
3980 
3981     a.input  = "Hi There";
3982     a.output = "\xb6\x17\x31\x86\x55\x05\x72\x64\xe2\x8b\xc0\xb6\xfb\x37\x8c"
3983                "\x8e\xf1\x46\xbe\x00";
3984     a.inLen  = XSTRLEN(a.input);
3985     a.outLen = WC_SHA_DIGEST_SIZE;
3986 
3987     b.input  = "what do ya want for nothing?";
3988     b.output = "\xef\xfc\xdf\x6a\xe5\xeb\x2f\xa2\xd2\x74\x16\xd5\xf1\x84\xdf"
3989                "\x9c\x25\x9a\x7c\x79";
3990     b.inLen  = XSTRLEN(b.input);
3991     b.outLen = WC_SHA_DIGEST_SIZE;
3992 
3993     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
3994                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
3995                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
3996                "\xDD\xDD\xDD\xDD\xDD\xDD";
3997     c.output = "\x12\x5d\x73\x42\xb9\xac\x11\xcd\x91\xa3\x9a\xf4\x8a\xa1\x7b"
3998                "\x4f\x63\xf1\x75\xd3";
3999     c.inLen  = XSTRLEN(c.input);
4000     c.outLen = WC_SHA_DIGEST_SIZE;
4001 
4002     test_hmac[0] = a;
4003     test_hmac[1] = b;
4004     test_hmac[2] = c;
4005 
4006     for (i = 0; i < times; ++i) {
4007 #if defined(HAVE_FIPS) || defined(HAVE_CAVIUM)
4008         if (i == 1)
4009             continue; /* cavium can't handle short keys, fips not allowed */
4010 #endif
4011 
4012         if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
4013             return -3500;
4014 
4015         ret = wc_HmacSetKey(&hmac, WC_SHA, (byte*)keys[i],
4016             (word32)XSTRLEN(keys[i]));
4017         if (ret != 0)
4018             return -3501;
4019         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
4020                    (word32)test_hmac[i].inLen);
4021         if (ret != 0)
4022             return -3502;
4023         ret = wc_HmacFinal(&hmac, hash);
4024         if (ret != 0)
4025             return -3503;
4026 
4027         if (XMEMCMP(hash, test_hmac[i].output, WC_SHA_DIGEST_SIZE) != 0)
4028             return -3504 - i;
4029 
4030         wc_HmacFree(&hmac);
4031     }
4032 
4033 #ifndef HAVE_FIPS
4034     if (wc_HmacSizeByType(WC_SHA) != WC_SHA_DIGEST_SIZE)
4035         return -3514;
4036 #endif
4037 
4038     return 0;
4039 }
4040 #endif
4041 
4042 
4043 #if !defined(NO_HMAC) && defined(WOLFSSL_SHA224)
hmac_sha224_test(void)4044 WOLFSSL_TEST_SUBROUTINE int hmac_sha224_test(void)
4045 {
4046     Hmac hmac;
4047     byte hash[WC_SHA224_DIGEST_SIZE];
4048 
4049     const char* keys[]=
4050     {
4051         "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
4052                                                                 "\x0b\x0b\x0b",
4053         "Jefe",
4054         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
4055                                                                 "\xAA\xAA\xAA",
4056         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4057         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4058         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4059         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4060         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4061     };
4062 
4063     testVector a, b, c, d;
4064     testVector test_hmac[4];
4065 
4066     int ret;
4067     int times = sizeof(test_hmac) / sizeof(testVector), i;
4068 
4069     a.input  = "Hi There";
4070     a.output = "\x89\x6f\xb1\x12\x8a\xbb\xdf\x19\x68\x32\x10\x7c\xd4\x9d\xf3"
4071                "\x3f\x47\xb4\xb1\x16\x99\x12\xba\x4f\x53\x68\x4b\x22";
4072     a.inLen  = XSTRLEN(a.input);
4073     a.outLen = WC_SHA224_DIGEST_SIZE;
4074 
4075     b.input  = "what do ya want for nothing?";
4076     b.output = "\xa3\x0e\x01\x09\x8b\xc6\xdb\xbf\x45\x69\x0f\x3a\x7e\x9e\x6d"
4077                "\x0f\x8b\xbe\xa2\xa3\x9e\x61\x48\x00\x8f\xd0\x5e\x44";
4078     b.inLen  = XSTRLEN(b.input);
4079     b.outLen = WC_SHA224_DIGEST_SIZE;
4080 
4081     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4082                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4083                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4084                "\xDD\xDD\xDD\xDD\xDD\xDD";
4085     c.output = "\x7f\xb3\xcb\x35\x88\xc6\xc1\xf6\xff\xa9\x69\x4d\x7d\x6a\xd2"
4086                "\x64\x93\x65\xb0\xc1\xf6\x5d\x69\xd1\xec\x83\x33\xea";
4087     c.inLen  = XSTRLEN(c.input);
4088     c.outLen = WC_SHA224_DIGEST_SIZE;
4089 
4090     d.input  = "Big Key Input";
4091     d.output = "\xe7\x4e\x2b\x8a\xa9\xf0\x37\x2f\xed\xae\x70\x0c\x49\x47\xf1"
4092                "\x46\x54\xa7\x32\x6b\x55\x01\x87\xd2\xc8\x02\x0e\x3a";
4093     d.inLen  = XSTRLEN(d.input);
4094     d.outLen = WC_SHA224_DIGEST_SIZE;
4095 
4096     test_hmac[0] = a;
4097     test_hmac[1] = b;
4098     test_hmac[2] = c;
4099     test_hmac[3] = d;
4100 
4101     for (i = 0; i < times; ++i) {
4102 #if defined(HAVE_FIPS) || defined(HAVE_CAVIUM)
4103         if (i == 1)
4104             continue; /* cavium can't handle short keys, fips not allowed */
4105 #endif
4106 
4107         if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
4108             return -3600;
4109 
4110         ret = wc_HmacSetKey(&hmac, WC_SHA224, (byte*)keys[i],
4111             (word32)XSTRLEN(keys[i]));
4112         if (ret != 0)
4113             return -3601;
4114         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
4115                    (word32)test_hmac[i].inLen);
4116         if (ret != 0)
4117             return -3602;
4118         ret = wc_HmacFinal(&hmac, hash);
4119         if (ret != 0)
4120             return -3603;
4121 
4122         if (XMEMCMP(hash, test_hmac[i].output, WC_SHA224_DIGEST_SIZE) != 0)
4123             return -3604 - i;
4124 
4125         wc_HmacFree(&hmac);
4126     }
4127 
4128 #ifndef HAVE_FIPS
4129     if (wc_HmacSizeByType(WC_SHA224) != WC_SHA224_DIGEST_SIZE)
4130         return -3614;
4131 #endif
4132 
4133     return 0;
4134 }
4135 #endif
4136 
4137 
4138 #if !defined(NO_HMAC) && !defined(NO_SHA256)
hmac_sha256_test(void)4139 WOLFSSL_TEST_SUBROUTINE int hmac_sha256_test(void)
4140 {
4141     Hmac hmac;
4142     byte hash[WC_SHA256_DIGEST_SIZE];
4143 
4144     const char* keys[]=
4145     {
4146         "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
4147                                                                 "\x0b\x0b\x0b",
4148         "Jefe",
4149         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
4150                                                                 "\xAA\xAA\xAA",
4151         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
4152                                                                 "\xAA\xAA\xAA",
4153     };
4154 
4155     testVector a, b, c, d;
4156     testVector test_hmac[4];
4157 
4158     int ret;
4159     int times = sizeof(test_hmac) / sizeof(testVector), i;
4160 
4161     a.input  = "Hi There";
4162     a.output = "\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1"
4163                "\x2b\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32"
4164                "\xcf\xf7";
4165     a.inLen  = XSTRLEN(a.input);
4166     a.outLen = WC_SHA256_DIGEST_SIZE;
4167 
4168     b.input  = "what do ya want for nothing?";
4169     b.output = "\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75"
4170                "\xc7\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec"
4171                "\x38\x43";
4172     b.inLen  = XSTRLEN(b.input);
4173     b.outLen = WC_SHA256_DIGEST_SIZE;
4174 
4175     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4176                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4177                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4178                "\xDD\xDD\xDD\xDD\xDD\xDD";
4179     c.output = "\x77\x3e\xa9\x1e\x36\x80\x0e\x46\x85\x4d\xb8\xeb\xd0\x91\x81"
4180                "\xa7\x29\x59\x09\x8b\x3e\xf8\xc1\x22\xd9\x63\x55\x14\xce\xd5"
4181                "\x65\xfe";
4182     c.inLen  = XSTRLEN(c.input);
4183     c.outLen = WC_SHA256_DIGEST_SIZE;
4184 
4185     d.input  = 0;
4186     d.output = "\x86\xe5\x4f\xd4\x48\x72\x5d\x7e\x5d\xcf\xe2\x23\x53\xc8\x28"
4187                "\xaf\x48\x78\x1e\xb4\x8c\xae\x81\x06\xa7\xe1\xd4\x98\x94\x9f"
4188                "\x3e\x46";
4189     d.inLen  = 0;
4190     d.outLen = WC_SHA256_DIGEST_SIZE;
4191 
4192     test_hmac[0] = a;
4193     test_hmac[1] = b;
4194     test_hmac[2] = c;
4195     test_hmac[3] = d;
4196 
4197     for (i = 0; i < times; ++i) {
4198 #if defined(HAVE_FIPS) || defined(HAVE_CAVIUM)
4199         if (i == 1)
4200             continue; /* cavium can't handle short keys, fips not allowed */
4201 #endif
4202 #if defined(HAVE_INTEL_QA) || defined(HAVE_CAVIUM)
4203         if (i == 3)
4204             continue; /* QuickAssist can't handle empty HMAC */
4205 #endif
4206 
4207         if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
4208             return -3700 - i;
4209 
4210         ret = wc_HmacSetKey(&hmac, WC_SHA256, (byte*)keys[i],
4211             (word32)XSTRLEN(keys[i]));
4212         if (ret != 0)
4213             return -3710 - i;
4214         if (test_hmac[i].input != NULL) {
4215             ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
4216                        (word32)test_hmac[i].inLen);
4217             if (ret != 0)
4218                 return -3720 - i;
4219         }
4220         ret = wc_HmacFinal(&hmac, hash);
4221         if (ret != 0)
4222             return -3730 - i;
4223 
4224         if (XMEMCMP(hash, test_hmac[i].output, WC_SHA256_DIGEST_SIZE) != 0)
4225             return -3740 - i;
4226 
4227         wc_HmacFree(&hmac);
4228     }
4229 
4230 #ifndef HAVE_FIPS
4231     if (wc_HmacSizeByType(WC_SHA256) != WC_SHA256_DIGEST_SIZE)
4232         return -3750;
4233     if (wc_HmacSizeByType(20) != BAD_FUNC_ARG)
4234         return -3751;
4235 #endif
4236     if (wolfSSL_GetHmacMaxSize() != WC_MAX_DIGEST_SIZE)
4237         return -3752;
4238 
4239     return 0;
4240 }
4241 #endif
4242 
4243 
4244 #if !defined(NO_HMAC) && defined(WOLFSSL_SHA384)
hmac_sha384_test(void)4245 WOLFSSL_TEST_SUBROUTINE int hmac_sha384_test(void)
4246 {
4247     Hmac hmac;
4248     byte hash[WC_SHA384_DIGEST_SIZE];
4249 
4250     const char* keys[]=
4251     {
4252         "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
4253                                                                 "\x0b\x0b\x0b",
4254         "Jefe",
4255         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
4256                                                                 "\xAA\xAA\xAA",
4257         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4258         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4259         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4260         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4261         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4262         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4263         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4264         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4265         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4266     };
4267 
4268     testVector a, b, c, d;
4269     testVector test_hmac[4];
4270 
4271     int ret;
4272     int times = sizeof(test_hmac) / sizeof(testVector), i;
4273 
4274     a.input  = "Hi There";
4275     a.output = "\xaf\xd0\x39\x44\xd8\x48\x95\x62\x6b\x08\x25\xf4\xab\x46\x90"
4276                "\x7f\x15\xf9\xda\xdb\xe4\x10\x1e\xc6\x82\xaa\x03\x4c\x7c\xeb"
4277                "\xc5\x9c\xfa\xea\x9e\xa9\x07\x6e\xde\x7f\x4a\xf1\x52\xe8\xb2"
4278                "\xfa\x9c\xb6";
4279     a.inLen  = XSTRLEN(a.input);
4280     a.outLen = WC_SHA384_DIGEST_SIZE;
4281 
4282     b.input  = "what do ya want for nothing?";
4283     b.output = "\xaf\x45\xd2\xe3\x76\x48\x40\x31\x61\x7f\x78\xd2\xb5\x8a\x6b"
4284                "\x1b\x9c\x7e\xf4\x64\xf5\xa0\x1b\x47\xe4\x2e\xc3\x73\x63\x22"
4285                "\x44\x5e\x8e\x22\x40\xca\x5e\x69\xe2\xc7\x8b\x32\x39\xec\xfa"
4286                "\xb2\x16\x49";
4287     b.inLen  = XSTRLEN(b.input);
4288     b.outLen = WC_SHA384_DIGEST_SIZE;
4289 
4290     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4291                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4292                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4293                "\xDD\xDD\xDD\xDD\xDD\xDD";
4294     c.output = "\x88\x06\x26\x08\xd3\xe6\xad\x8a\x0a\xa2\xac\xe0\x14\xc8\xa8"
4295                "\x6f\x0a\xa6\x35\xd9\x47\xac\x9f\xeb\xe8\x3e\xf4\xe5\x59\x66"
4296                "\x14\x4b\x2a\x5a\xb3\x9d\xc1\x38\x14\xb9\x4e\x3a\xb6\xe1\x01"
4297                "\xa3\x4f\x27";
4298     c.inLen  = XSTRLEN(c.input);
4299     c.outLen = WC_SHA384_DIGEST_SIZE;
4300 
4301     d.input  = "Big Key Input";
4302     d.output = "\xd2\x3d\x29\x6e\xf5\x1e\x23\x23\x49\x18\xb3\xbf\x4c\x38\x7b"
4303                "\x31\x21\x17\xbb\x09\x73\x27\xf8\x12\x9d\xe9\xc6\x5d\xf9\x54"
4304                "\xd6\x38\x5a\x68\x53\x14\xee\xe0\xa6\x4f\x36\x7e\xb2\xf3\x1a"
4305                "\x57\x41\x69";
4306     d.inLen  = XSTRLEN(d.input);
4307     d.outLen = WC_SHA384_DIGEST_SIZE;
4308 
4309     test_hmac[0] = a;
4310     test_hmac[1] = b;
4311     test_hmac[2] = c;
4312     test_hmac[3] = d;
4313 
4314     for (i = 0; i < times; ++i) {
4315 #if defined(HAVE_FIPS)
4316         if (i == 1)
4317             continue; /* fips not allowed */
4318 #endif
4319 
4320         if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
4321             return -3800;
4322 
4323         ret = wc_HmacSetKey(&hmac, WC_SHA384, (byte*)keys[i],
4324             (word32)XSTRLEN(keys[i]));
4325         if (ret != 0)
4326             return -3801;
4327         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
4328                    (word32)test_hmac[i].inLen);
4329         if (ret != 0)
4330             return -3802;
4331         ret = wc_HmacFinal(&hmac, hash);
4332         if (ret != 0)
4333             return -3803;
4334 
4335         if (XMEMCMP(hash, test_hmac[i].output, WC_SHA384_DIGEST_SIZE) != 0)
4336             return -3804 - i;
4337 
4338         wc_HmacFree(&hmac);
4339     }
4340 
4341 #ifndef HAVE_FIPS
4342     if (wc_HmacSizeByType(WC_SHA384) != WC_SHA384_DIGEST_SIZE)
4343         return -3814;
4344 #endif
4345 
4346     return 0;
4347 }
4348 #endif
4349 
4350 
4351 #if !defined(NO_HMAC) && defined(WOLFSSL_SHA512)
hmac_sha512_test(void)4352 WOLFSSL_TEST_SUBROUTINE int hmac_sha512_test(void)
4353 {
4354     Hmac hmac;
4355     byte hash[WC_SHA512_DIGEST_SIZE];
4356 
4357     const char* keys[]=
4358     {
4359         "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
4360                                                                 "\x0b\x0b\x0b",
4361         "Jefe",
4362         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
4363                                                                 "\xAA\xAA\xAA",
4364         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4365         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4366         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4367         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4368         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4369         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4370         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4371         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4372         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4373     };
4374 
4375     testVector a, b, c, d;
4376     testVector test_hmac[4];
4377 
4378     int ret;
4379     int times = sizeof(test_hmac) / sizeof(testVector), i;
4380 
4381     a.input  = "Hi There";
4382     a.output = "\x87\xaa\x7c\xde\xa5\xef\x61\x9d\x4f\xf0\xb4\x24\x1a\x1d\x6c"
4383                "\xb0\x23\x79\xf4\xe2\xce\x4e\xc2\x78\x7a\xd0\xb3\x05\x45\xe1"
4384                "\x7c\xde\xda\xa8\x33\xb7\xd6\xb8\xa7\x02\x03\x8b\x27\x4e\xae"
4385                "\xa3\xf4\xe4\xbe\x9d\x91\x4e\xeb\x61\xf1\x70\x2e\x69\x6c\x20"
4386                "\x3a\x12\x68\x54";
4387     a.inLen  = XSTRLEN(a.input);
4388     a.outLen = WC_SHA512_DIGEST_SIZE;
4389 
4390     b.input  = "what do ya want for nothing?";
4391     b.output = "\x16\x4b\x7a\x7b\xfc\xf8\x19\xe2\xe3\x95\xfb\xe7\x3b\x56\xe0"
4392                "\xa3\x87\xbd\x64\x22\x2e\x83\x1f\xd6\x10\x27\x0c\xd7\xea\x25"
4393                "\x05\x54\x97\x58\xbf\x75\xc0\x5a\x99\x4a\x6d\x03\x4f\x65\xf8"
4394                "\xf0\xe6\xfd\xca\xea\xb1\xa3\x4d\x4a\x6b\x4b\x63\x6e\x07\x0a"
4395                "\x38\xbc\xe7\x37";
4396     b.inLen  = XSTRLEN(b.input);
4397     b.outLen = WC_SHA512_DIGEST_SIZE;
4398 
4399     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4400                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4401                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
4402                "\xDD\xDD\xDD\xDD\xDD\xDD";
4403     c.output = "\xfa\x73\xb0\x08\x9d\x56\xa2\x84\xef\xb0\xf0\x75\x6c\x89\x0b"
4404                "\xe9\xb1\xb5\xdb\xdd\x8e\xe8\x1a\x36\x55\xf8\x3e\x33\xb2\x27"
4405                "\x9d\x39\xbf\x3e\x84\x82\x79\xa7\x22\xc8\x06\xb4\x85\xa4\x7e"
4406                "\x67\xc8\x07\xb9\x46\xa3\x37\xbe\xe8\x94\x26\x74\x27\x88\x59"
4407                "\xe1\x32\x92\xfb";
4408     c.inLen  = XSTRLEN(c.input);
4409     c.outLen = WC_SHA512_DIGEST_SIZE;
4410 
4411     d.input  = "Big Key Input";
4412     d.output = "\x3f\xa9\xc9\xe1\xbd\xbb\x04\x55\x1f\xef\xcc\x92\x33\x08\xeb"
4413                "\xcf\xc1\x9a\x5b\x5b\xc0\x7c\x86\x84\xae\x8c\x40\xaf\xb1\x27"
4414                "\x87\x38\x92\x04\xa8\xed\xd7\xd7\x07\xa9\x85\xa0\xc2\xcd\x30"
4415                "\xc0\x56\x14\x49\xbc\x2f\x69\x15\x6a\x97\xd8\x79\x2f\xb3\x3b"
4416                "\x1e\x18\xfe\xfa";
4417     d.inLen  = XSTRLEN(d.input);
4418     d.outLen = WC_SHA512_DIGEST_SIZE;
4419 
4420     test_hmac[0] = a;
4421     test_hmac[1] = b;
4422     test_hmac[2] = c;
4423     test_hmac[3] = d;
4424 
4425     for (i = 0; i < times; ++i) {
4426 #if defined(HAVE_FIPS)
4427         if (i == 1)
4428             continue; /* fips not allowed */
4429 #endif
4430 
4431         if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
4432             return -3900;
4433 
4434         ret = wc_HmacSetKey(&hmac, WC_SHA512, (byte*)keys[i],
4435             (word32)XSTRLEN(keys[i]));
4436         if (ret != 0)
4437             return -3901;
4438         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
4439                    (word32)test_hmac[i].inLen);
4440         if (ret != 0)
4441             return -3902;
4442         ret = wc_HmacFinal(&hmac, hash);
4443         if (ret != 0)
4444             return -3903;
4445 
4446         if (XMEMCMP(hash, test_hmac[i].output, WC_SHA512_DIGEST_SIZE) != 0)
4447             return -3904 - i;
4448 
4449         wc_HmacFree(&hmac);
4450     }
4451 
4452 #ifndef HAVE_FIPS
4453     if (wc_HmacSizeByType(WC_SHA512) != WC_SHA512_DIGEST_SIZE)
4454         return -3914;
4455 #endif
4456 
4457     return 0;
4458 }
4459 #endif
4460 
4461 
4462 #if !defined(NO_HMAC) && defined(WOLFSSL_SHA3) && \
4463     !defined(WOLFSSL_NOSHA3_224) && !defined(WOLFSSL_NOSHA3_256) && \
4464     !defined(WOLFSSL_NOSHA3_384) && !defined(WOLFSSL_NOSHA3_512)
hmac_sha3_test(void)4465 WOLFSSL_TEST_SUBROUTINE int hmac_sha3_test(void)
4466 {
4467     Hmac hmac;
4468     byte hash[WC_SHA3_512_DIGEST_SIZE];
4469 
4470     const char* key[4] =
4471     {
4472         "Jefe",
4473 
4474         "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
4475         "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
4476 
4477         "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4478         "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
4479 
4480         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4481         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4482         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4483         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4484         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4485         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4486         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4487         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4488         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4489         "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
4490     };
4491 
4492     const char* input[4] =
4493     {
4494         "what do ya want for nothing?",
4495 
4496         "Hi There",
4497 
4498         "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
4499         "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
4500         "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
4501         "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
4502         "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
4503 
4504         "Big Key Input"
4505     };
4506 
4507     const int hashType[4] =
4508     {
4509         WC_SHA3_224, WC_SHA3_256, WC_SHA3_384, WC_SHA3_512
4510     };
4511 
4512     const int hashSz[4] =
4513     {
4514         WC_SHA3_224_DIGEST_SIZE, WC_SHA3_256_DIGEST_SIZE,
4515         WC_SHA3_384_DIGEST_SIZE, WC_SHA3_512_DIGEST_SIZE
4516     };
4517 
4518     const char* output[16] =
4519     {
4520         /* key = jefe, input = what do ya want for nothing? */
4521             /* HMAC-SHA3-224 */
4522             "\x7f\xdb\x8d\xd8\x8b\xd2\xf6\x0d\x1b\x79\x86\x34\xad\x38\x68\x11"
4523             "\xc2\xcf\xc8\x5b\xfa\xf5\xd5\x2b\xba\xce\x5e\x66",
4524             /* HMAC-SHA3-256 */
4525             "\xc7\xd4\x07\x2e\x78\x88\x77\xae\x35\x96\xbb\xb0\xda\x73\xb8\x87"
4526             "\xc9\x17\x1f\x93\x09\x5b\x29\x4a\xe8\x57\xfb\xe2\x64\x5e\x1b\xa5",
4527             /* HMAC-SHA3-384 */
4528             "\xf1\x10\x1f\x8c\xbf\x97\x66\xfd\x67\x64\xd2\xed\x61\x90\x3f\x21"
4529             "\xca\x9b\x18\xf5\x7c\xf3\xe1\xa2\x3c\xa1\x35\x08\xa9\x32\x43\xce"
4530             "\x48\xc0\x45\xdc\x00\x7f\x26\xa2\x1b\x3f\x5e\x0e\x9d\xf4\xc2\x0a",
4531             /* HMAC-SHA3-512 */
4532             "\x5a\x4b\xfe\xab\x61\x66\x42\x7c\x7a\x36\x47\xb7\x47\x29\x2b\x83"
4533             "\x84\x53\x7c\xdb\x89\xaf\xb3\xbf\x56\x65\xe4\xc5\xe7\x09\x35\x0b"
4534             "\x28\x7b\xae\xc9\x21\xfd\x7c\xa0\xee\x7a\x0c\x31\xd0\x22\xa9\x5e"
4535             "\x1f\xc9\x2b\xa9\xd7\x7d\xf8\x83\x96\x02\x75\xbe\xb4\xe6\x20\x24",
4536 
4537         /* key = 0b..., input = Hi There */
4538             /* HMAC-SHA3-224 */
4539             "\x3b\x16\x54\x6b\xbc\x7b\xe2\x70\x6a\x03\x1d\xca\xfd\x56\x37\x3d"
4540             "\x98\x84\x36\x76\x41\xd8\xc5\x9a\xf3\xc8\x60\xf7",
4541             /* HMAC-SHA3-256 */
4542             "\xba\x85\x19\x23\x10\xdf\xfa\x96\xe2\xa3\xa4\x0e\x69\x77\x43\x51"
4543             "\x14\x0b\xb7\x18\x5e\x12\x02\xcd\xcc\x91\x75\x89\xf9\x5e\x16\xbb",
4544             /* HMAC-SHA3-384 */
4545             "\x68\xd2\xdc\xf7\xfd\x4d\xdd\x0a\x22\x40\xc8\xa4\x37\x30\x5f\x61"
4546             "\xfb\x73\x34\xcf\xb5\xd0\x22\x6e\x1b\xc2\x7d\xc1\x0a\x2e\x72\x3a"
4547             "\x20\xd3\x70\xb4\x77\x43\x13\x0e\x26\xac\x7e\x3d\x53\x28\x86\xbd",
4548             /* HMAC-SHA3-512 */
4549             "\xeb\x3f\xbd\x4b\x2e\xaa\xb8\xf5\xc5\x04\xbd\x3a\x41\x46\x5a\xac"
4550             "\xec\x15\x77\x0a\x7c\xab\xac\x53\x1e\x48\x2f\x86\x0b\x5e\xc7\xba"
4551             "\x47\xcc\xb2\xc6\xf2\xaf\xce\x8f\x88\xd2\x2b\x6d\xc6\x13\x80\xf2"
4552             "\x3a\x66\x8f\xd3\x88\x8b\xb8\x05\x37\xc0\xa0\xb8\x64\x07\x68\x9e",
4553 
4554         /* key = aa..., output = dd... */
4555             /* HMAC-SHA3-224 */
4556             "\x67\x6c\xfc\x7d\x16\x15\x36\x38\x78\x03\x90\x69\x2b\xe1\x42\xd2"
4557             "\xdf\x7c\xe9\x24\xb9\x09\xc0\xc0\x8d\xbf\xdc\x1a",
4558             /* HMAC-SHA3-256 */
4559             "\x84\xec\x79\x12\x4a\x27\x10\x78\x65\xce\xdd\x8b\xd8\x2d\xa9\x96"
4560             "\x5e\x5e\xd8\xc3\x7b\x0a\xc9\x80\x05\xa7\xf3\x9e\xd5\x8a\x42\x07",
4561             /* HMAC-SHA3-384 */
4562             "\x27\x5c\xd0\xe6\x61\xbb\x8b\x15\x1c\x64\xd2\x88\xf1\xf7\x82\xfb"
4563             "\x91\xa8\xab\xd5\x68\x58\xd7\x2b\xab\xb2\xd4\x76\xf0\x45\x83\x73"
4564             "\xb4\x1b\x6a\xb5\xbf\x17\x4b\xec\x42\x2e\x53\xfc\x31\x35\xac\x6e",
4565             /* HMAC-SHA3-512 */
4566             "\x30\x9e\x99\xf9\xec\x07\x5e\xc6\xc6\xd4\x75\xed\xa1\x18\x06\x87"
4567             "\xfc\xf1\x53\x11\x95\x80\x2a\x99\xb5\x67\x74\x49\xa8\x62\x51\x82"
4568             "\x85\x1c\xb3\x32\xaf\xb6\xa8\x9c\x41\x13\x25\xfb\xcb\xcd\x42\xaf"
4569             "\xcb\x7b\x6e\x5a\xab\x7e\xa4\x2c\x66\x0f\x97\xfd\x85\x84\xbf\x03",
4570 
4571         /* key = big key, input = Big Key Input */
4572             /* HMAC-SHA3-224 */
4573             "\x29\xe0\x5e\x46\xc4\xa4\x5e\x46\x74\xbf\xd7\x2d\x1a\xd8\x66\xdb"
4574             "\x2d\x0d\x10\x4e\x2b\xfa\xad\x53\x7d\x15\x69\x8b",
4575             /* HMAC-SHA3-256 */
4576             "\xb5\x5b\x8d\x64\xb6\x9c\x21\xd0\xbf\x20\x5c\xa2\xf7\xb9\xb1\x4e"
4577             "\x88\x21\x61\x2c\x66\xc3\x91\xae\x6c\x95\x16\x85\x83\xe6\xf4\x9b",
4578             /* HMAC-SHA3-384 */
4579             "\xaa\x91\xb3\xa6\x2f\x56\xa1\xbe\x8c\x3e\x74\x38\xdb\x58\xd9\xd3"
4580             "\x34\xde\xa0\x60\x6d\x8d\x46\xe0\xec\xa9\xf6\x06\x35\x14\xe6\xed"
4581             "\x83\xe6\x7c\x77\x24\x6c\x11\xb5\x90\x82\xb5\x75\xda\x7b\x83\x2d",
4582             /* HMAC-SHA3-512 */
4583             "\x1c\xc3\xa9\x24\x4a\x4a\x3f\xbd\xc7\x20\x00\x16\x9b\x79\x47\x03"
4584             "\x78\x75\x2c\xb5\xf1\x2e\x62\x7c\xbe\xef\x4e\x8f\x0b\x11\x2b\x32"
4585             "\xa0\xee\xc9\xd0\x4d\x64\x64\x0b\x37\xf4\xdd\x66\xf7\x8b\xb3\xad"
4586             "\x52\x52\x6b\x65\x12\xde\x0d\x7c\xc0\x8b\x60\x01\x6c\x37\xd7\xa8"
4587 
4588     };
4589 
4590     int i = 0, iMax = sizeof(input) / sizeof(input[0]),
4591         j, jMax = sizeof(hashType) / sizeof(hashType[0]),
4592         ret;
4593 
4594 #ifdef HAVE_FIPS
4595     /* FIPS requires a minimum length for HMAC keys, and "Jefe" is too
4596      * short. Skip it in FIPS builds. */
4597     i = 1;
4598 #endif
4599     for (; i < iMax; i++) {
4600         for (j = 0; j < jMax; j++) {
4601             if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
4602                 return -4000;
4603 
4604             ret = wc_HmacSetKey(&hmac, hashType[j], (byte*)key[i],
4605                                                        (word32)XSTRLEN(key[i]));
4606             if (ret != 0)
4607                 return -4001;
4608             ret = wc_HmacUpdate(&hmac, (byte*)input[i],
4609                                                      (word32)XSTRLEN(input[i]));
4610             if (ret != 0)
4611                 return -4002;
4612             ret = wc_HmacFinal(&hmac, hash);
4613             if (ret != 0)
4614                 return -4003;
4615             if (XMEMCMP(hash, output[(i*jMax) + j], hashSz[j]) != 0)
4616                 return -4004;
4617 
4618             wc_HmacFree(&hmac);
4619 
4620             if (i > 0)
4621                 continue;
4622 
4623         #ifndef HAVE_FIPS
4624             ret = wc_HmacSizeByType(hashType[j]);
4625             if (ret != hashSz[j])
4626                 return -4005;
4627         #endif
4628         }
4629     }
4630 
4631     return 0;
4632 }
4633 #endif
4634 
4635 
4636 #ifdef WC_RC2
4637 typedef struct rc2TestVector {
4638     const char* input;
4639     const char* output;
4640     const char* key;        /* Key, variable up to 128 bytes */
4641     const char* iv;         /* IV, 8-bytes */
4642     int inLen;
4643     int outLen;
4644     int keyLen;
4645     int effectiveKeyBits;   /* Up to 1024 bits supported */
4646 } rc2TestVector;
4647 
rc2_ecb_test(void)4648 static int rc2_ecb_test(void)
4649 {
4650     int ret = 0;
4651     byte cipher[RC2_BLOCK_SIZE];
4652     byte plain[RC2_BLOCK_SIZE];
4653 
4654     rc2TestVector a, b, c, d, e, f, g, h;
4655     rc2TestVector test_rc2[8];
4656 
4657     int times = sizeof(test_rc2) / sizeof(rc2TestVector), i;
4658 
4659     a.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
4660     a.output = "\xeb\xb7\x73\xf9\x93\x27\x8e\xff";
4661     a.key    = "\x00\x00\x00\x00\x00\x00\x00\x00";
4662     a.inLen  = RC2_BLOCK_SIZE;
4663     a.outLen = RC2_BLOCK_SIZE;
4664     a.keyLen = 8;
4665     a.effectiveKeyBits = 63;
4666 
4667     b.input  = "\xff\xff\xff\xff\xff\xff\xff\xff";
4668     b.output = "\x27\x8b\x27\xe4\x2e\x2f\x0d\x49";
4669     b.key    = "\xff\xff\xff\xff\xff\xff\xff\xff";
4670     b.inLen  = RC2_BLOCK_SIZE;
4671     b.outLen = RC2_BLOCK_SIZE;
4672     b.keyLen = 8;
4673     b.effectiveKeyBits = 64;
4674 
4675     c.input  = "\x10\x00\x00\x00\x00\x00\x00\x01";
4676     c.output = "\x30\x64\x9e\xdf\x9b\xe7\xd2\xc2";
4677     c.key    = "\x30\x00\x00\x00\x00\x00\x00\x00";
4678     c.inLen  = RC2_BLOCK_SIZE;
4679     c.outLen = RC2_BLOCK_SIZE;
4680     c.keyLen = 8;
4681     c.effectiveKeyBits = 64;
4682 
4683     d.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
4684     d.output = "\x61\xa8\xa2\x44\xad\xac\xcc\xf0";
4685     d.key    = "\x88";
4686     d.inLen  = RC2_BLOCK_SIZE;
4687     d.outLen = RC2_BLOCK_SIZE;
4688     d.keyLen = 1;
4689     d.effectiveKeyBits = 64;
4690 
4691     e.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
4692     e.output = "\x6c\xcf\x43\x08\x97\x4c\x26\x7f";
4693     e.key    = "\x88\xbc\xa9\x0e\x90\x87\x5a";
4694     e.inLen  = RC2_BLOCK_SIZE;
4695     e.outLen = RC2_BLOCK_SIZE;
4696     e.keyLen = 7;
4697     e.effectiveKeyBits = 64;
4698 
4699     f.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
4700     f.output = "\x1a\x80\x7d\x27\x2b\xbe\x5d\xb1";
4701     f.key    = "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f"
4702                "\x0f\x79\xc3\x84\x62\x7b\xaf\xb2";
4703     f.inLen  = RC2_BLOCK_SIZE;
4704     f.outLen = RC2_BLOCK_SIZE;
4705     f.keyLen = 16;
4706     f.effectiveKeyBits = 64;
4707 
4708     g.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
4709     g.output = "\x22\x69\x55\x2a\xb0\xf8\x5c\xa6";
4710     g.key    = "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f"
4711                "\x0f\x79\xc3\x84\x62\x7b\xaf\xb2";
4712     g.inLen  = RC2_BLOCK_SIZE;
4713     g.outLen = RC2_BLOCK_SIZE;
4714     g.keyLen = 16;
4715     g.effectiveKeyBits = 128;
4716 
4717     h.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
4718     h.output = "\x5b\x78\xd3\xa4\x3d\xff\xf1\xf1";
4719     h.key    = "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f"
4720                "\x0f\x79\xc3\x84\x62\x7b\xaf\xb2"
4721                "\x16\xf8\x0a\x6f\x85\x92\x05\x84"
4722                "\xc4\x2f\xce\xb0\xbe\x25\x5d\xaf"
4723                "\x1e";
4724     h.inLen  = RC2_BLOCK_SIZE;
4725     h.outLen = RC2_BLOCK_SIZE;
4726     h.keyLen = 33;
4727     h.effectiveKeyBits = 129;
4728 
4729     a.iv = b.iv = c.iv = d.iv = e.iv = f.iv = g.iv = h.iv = NULL;
4730 
4731     test_rc2[0] = a;
4732     test_rc2[1] = b;
4733     test_rc2[2] = c;
4734     test_rc2[3] = d;
4735     test_rc2[4] = e;
4736     test_rc2[5] = f;
4737     test_rc2[6] = g;
4738     test_rc2[7] = h;
4739 
4740     for (i = 0; i < times; ++i) {
4741         Rc2 enc;
4742 
4743         XMEMSET(cipher, 0, RC2_BLOCK_SIZE);
4744         XMEMSET(plain, 0, RC2_BLOCK_SIZE);
4745 
4746         ret = wc_Rc2SetKey(&enc, (byte*)test_rc2[i].key, test_rc2[i].keyLen,
4747                            NULL, test_rc2[i].effectiveKeyBits);
4748         if (ret != 0) {
4749             return -4100;
4750         }
4751 
4752         /* ECB encrypt */
4753         ret = wc_Rc2EcbEncrypt(&enc, cipher, (byte*)test_rc2[i].input,
4754                                (word32)test_rc2[i].outLen);
4755         if (ret != 0) {
4756             return -4101;
4757         }
4758 
4759         if (XMEMCMP(cipher, test_rc2[i].output, test_rc2[i].outLen)) {
4760             return -4102;
4761         }
4762 
4763         /* ECB decrypt */
4764         ret = wc_Rc2EcbDecrypt(&enc, plain, cipher, RC2_BLOCK_SIZE);
4765         if (ret != 0) {
4766             return -4103;
4767         }
4768 
4769         if (XMEMCMP(plain, test_rc2[i].input, RC2_BLOCK_SIZE)) {
4770             return -4104;
4771         }
4772     }
4773 
4774     return 0;
4775 }
4776 
rc2_cbc_test(void)4777 static int rc2_cbc_test(void)
4778 {
4779     int ret = 0;
4780     byte cipher[128];
4781     byte plain[128];
4782 
4783     rc2TestVector a, b, c, d, e, f, g, h, i;
4784     rc2TestVector test_rc2[9];
4785 
4786     int times = sizeof(test_rc2) / sizeof(rc2TestVector), j;
4787 
4788     /* key length = 7, effective key bits = 63 */
4789     a.input  = "\x00\x00\x00\x00\x00\x00\x00\x00"
4790                "\x00\x00\x00\x00\x00\x00\x00\x00";
4791     a.output = "\xEB\xB7\x73\xF9\x93\x27\x8E\xFF"
4792                "\xF0\x51\x77\x8B\x65\xDB\x13\x57";
4793     a.key    = "\x00\x00\x00\x00\x00\x00\x00\x00";
4794     a.iv     = "\x00\x00\x00\x00\x00\x00\x00\x00";
4795     a.inLen  = RC2_BLOCK_SIZE*2;
4796     a.outLen = RC2_BLOCK_SIZE*2;
4797     a.keyLen = 8;
4798     a.effectiveKeyBits = 63;
4799 
4800     /* key length = 8, effective key bits = 64, all 0xFF */
4801     b.input  = "\xff\xff\xff\xff\xff\xff\xff\xff"
4802                "\xff\xff\xff\xff\xff\xff\xff\xff";
4803     b.output = "\xA3\xA1\x12\x65\x4F\x81\xC5\xCD"
4804                "\xB6\x94\x3E\xEA\x3E\x8B\x9D\x1F";
4805     b.key    = "\xff\xff\xff\xff\xff\xff\xff\xff";
4806     b.iv     = "\xff\xff\xff\xff\xff\xff\xff\xff";
4807     b.inLen  = RC2_BLOCK_SIZE*2;
4808     b.outLen = RC2_BLOCK_SIZE*2;
4809     b.keyLen = 8;
4810     b.effectiveKeyBits = 64;
4811 
4812     /* key length = 8, effective key bits = 64 */
4813     c.input  = "\x10\x00\x00\x00\x00\x00\x00\x01"
4814                "\x10\x00\x00\x00\x00\x00\x00\x01";
4815     c.output = "\xB5\x70\x14\xA2\x5F\x40\xE3\x6D"
4816                "\x81\x99\x8D\xE0\xB5\xD5\x3A\x05";
4817     c.key    = "\x30\x00\x00\x00\x00\x00\x00\x00";
4818     c.iv     = "\x30\x00\x00\x00\x00\x00\x00\x00";
4819     c.inLen  = RC2_BLOCK_SIZE*2;
4820     c.outLen = RC2_BLOCK_SIZE*2;
4821     c.keyLen = 8;
4822     c.effectiveKeyBits = 64;
4823 
4824     /* key length = 1, effective key bits = 64 */
4825     d.input  = "\x00\x00\x00\x00\x00\x00\x00\x00"
4826                "\x00\x00\x00\x00\x00\x00\x00\x00";
4827     d.output = "\x61\xA8\xA2\x44\xAD\xAC\xCC\xF0"
4828                "\x6D\x19\xE8\xF1\xFC\xE7\x38\x87";
4829     d.key    = "\x88";
4830     d.iv     = "\x00\x00\x00\x00\x00\x00\x00\x00";
4831     d.inLen  = RC2_BLOCK_SIZE*2;
4832     d.outLen = RC2_BLOCK_SIZE*2;
4833     d.keyLen = 1;
4834     d.effectiveKeyBits = 64;
4835 
4836     /* key length = 7, effective key bits = 64 */
4837     e.input  = "\x00\x00\x00\x00\x00\x00\x00\x00"
4838                "\x00\x00\x00\x00\x00\x00\x00\x00";
4839     e.output = "\x6C\xCF\x43\x08\x97\x4C\x26\x7F"
4840                "\xCC\x3C\x53\x57\x7C\xA1\xA4\x4B";
4841     e.key    = "\x88\xbc\xa9\x0e\x90\x87\x5a";
4842     e.iv     = "\x00\x00\x00\x00\x00\x00\x00\x00";
4843     e.inLen  = RC2_BLOCK_SIZE*2;
4844     e.outLen = RC2_BLOCK_SIZE*2;
4845     e.keyLen = 7;
4846     e.effectiveKeyBits = 64;
4847 
4848     /* key length = 16, effective key bits = 64 */
4849     f.input  = "\x00\x00\x00\x00\x00\x00\x00\x00"
4850                "\x00\x00\x00\x00\x00\x00\x00\x00";
4851     f.output = "\x1A\x80\x7D\x27\x2B\xBE\x5D\xB1"
4852                "\x64\xEF\xE1\xC3\xB8\xAD\xFB\xBA";
4853     f.key    = "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f"
4854                "\x0f\x79\xc3\x84\x62\x7b\xaf\xb2";
4855     f.iv     = "\x00\x00\x00\x00\x00\x00\x00\x00";
4856     f.inLen  = RC2_BLOCK_SIZE*2;
4857     f.outLen = RC2_BLOCK_SIZE*2;
4858     f.keyLen = 16;
4859     f.effectiveKeyBits = 64;
4860 
4861     /* key length = 16, effective bits = 128 */
4862     g.input  = "\x00\x00\x00\x00\x00\x00\x00\x00"
4863                "\x00\x00\x00\x00\x00\x00\x00\x00";
4864     g.output = "\x22\x69\x55\x2A\xB0\xF8\x5C\xA6"
4865                "\x53\x6E\xFD\x2D\x89\xE1\x2A\x73";
4866     g.key    = "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f"
4867                "\x0f\x79\xc3\x84\x62\x7b\xaf\xb2";
4868     g.iv     = "\x00\x00\x00\x00\x00\x00\x00\x00";
4869     g.inLen  = RC2_BLOCK_SIZE*2;
4870     g.outLen = RC2_BLOCK_SIZE*2;
4871     g.keyLen = 16;
4872     g.effectiveKeyBits = 128;
4873 
4874     /* key length = 33, effective bits = 129 */
4875     h.input  = "\x00\x00\x00\x00\x00\x00\x00\x00"
4876                "\x00\x00\x00\x00\x00\x00\x00\x00";
4877     h.output = "\x5B\x78\xD3\xA4\x3D\xFF\xF1\xF1"
4878                "\x45\x30\xA8\xD5\xC7\x7C\x46\x19";
4879     h.key    = "\x88\xbc\xa9\x0e\x90\x87\x5a\x7f"
4880                "\x0f\x79\xc3\x84\x62\x7b\xaf\xb2"
4881                "\x16\xf8\x0a\x6f\x85\x92\x05\x84"
4882                "\xc4\x2f\xce\xb0\xbe\x25\x5d\xaf"
4883                "\x1e";
4884     h.iv     = "\x00\x00\x00\x00\x00\x00\x00\x00";
4885     h.inLen  = RC2_BLOCK_SIZE*2;
4886     h.outLen = RC2_BLOCK_SIZE*2;
4887     h.keyLen = 33;
4888     h.effectiveKeyBits = 129;
4889 
4890     /* key length = 10, effective bits = 40 */
4891     i.input  = "\x11\x22\x33\x44\x55\x66\x77\x88"
4892                "\x99\xAA\xBB\xCC\xDD\xEE\xFF\x00"
4893                "\x11\x22\x33\x44\x55\x66\x77\x88"
4894                "\x99\xAA\xBB\xCC\xDD\xEE\xFF\x00";
4895     i.output = "\x71\x2D\x11\x99\xC9\xA0\x78\x4F"
4896                "\xCD\xF1\x1E\x3D\xFD\x21\x7E\xDB"
4897                "\xB2\x6E\x0D\xA4\x72\xBC\x31\x51"
4898                "\x48\xEF\x4E\x68\x3B\xDC\xCD\x7D";
4899     i.key    = "\x26\x1E\x57\x8E\xC9\x62\xBF\xB8"
4900                "\x3E\x96";
4901     i.iv     = "\x01\x02\x03\x04\x05\x06\x07\x08";
4902     i.inLen  = RC2_BLOCK_SIZE*4;
4903     i.outLen = RC2_BLOCK_SIZE*4;
4904     i.keyLen = 10;
4905     i.effectiveKeyBits = 40;
4906 
4907     test_rc2[0] = a;
4908     test_rc2[1] = b;
4909     test_rc2[2] = c;
4910     test_rc2[3] = d;
4911     test_rc2[4] = e;
4912     test_rc2[5] = f;
4913     test_rc2[6] = g;
4914     test_rc2[7] = h;
4915     test_rc2[8] = i;
4916 
4917     for (j = 0; j < times; ++j) {
4918         Rc2 rc2;
4919 
4920         XMEMSET(cipher, 0, sizeof(cipher));
4921         XMEMSET(plain, 0, sizeof(plain));
4922 
4923         ret = wc_Rc2SetKey(&rc2, (byte*)test_rc2[j].key, test_rc2[j].keyLen,
4924                            (byte*)test_rc2[j].iv, test_rc2[j].effectiveKeyBits);
4925         if (ret != 0) {
4926             return -4200;
4927         }
4928 
4929         ret = wc_Rc2CbcEncrypt(&rc2, cipher, (byte*)test_rc2[j].input,
4930                                test_rc2[j].inLen);
4931         if (ret != 0) {
4932             return -4201;
4933         }
4934 
4935         if (XMEMCMP(cipher, (byte*)test_rc2[j].output, test_rc2[j].outLen)) {
4936             return -4202;
4937         }
4938 
4939         /* reset IV for decrypt, since overriden by encrypt operation */
4940         ret = wc_Rc2SetIV(&rc2, (byte*)test_rc2[j].iv);
4941         if (ret != 0) {
4942             return -4203;
4943         }
4944 
4945         ret = wc_Rc2CbcDecrypt(&rc2, plain, cipher, test_rc2[j].outLen);
4946         if (ret != 0) {
4947             return -4204;
4948         }
4949 
4950         if (XMEMCMP(plain, (byte*)test_rc2[j].input, test_rc2[j].inLen)) {
4951             return -4205;
4952         }
4953     }
4954 
4955     return 0;
4956 }
4957 
rc2_test(void)4958 WOLFSSL_TEST_SUBROUTINE int rc2_test(void)
4959 {
4960     int ret = 0;
4961 
4962     ret = rc2_ecb_test();
4963     if (ret != 0) {
4964         return ret;
4965     }
4966 
4967     return rc2_cbc_test();
4968 }
4969 #endif
4970 
4971 
4972 #ifndef NO_RC4
arc4_test(void)4973 WOLFSSL_TEST_SUBROUTINE int arc4_test(void)
4974 {
4975     byte cipher[16];
4976     byte plain[16];
4977 
4978     const char* keys[] =
4979     {
4980         "\x01\x23\x45\x67\x89\xab\xcd\xef",
4981         "\x01\x23\x45\x67\x89\xab\xcd\xef",
4982         "\x00\x00\x00\x00\x00\x00\x00\x00",
4983         "\xef\x01\x23\x45"
4984     };
4985 
4986     testVector a, b, c, d;
4987     testVector test_arc4[4];
4988 
4989     int times = sizeof(test_arc4) / sizeof(testVector), i;
4990 
4991     a.input  = "\x01\x23\x45\x67\x89\xab\xcd\xef";
4992     a.output = "\x75\xb7\x87\x80\x99\xe0\xc5\x96";
4993     a.inLen  = 8;
4994     a.outLen = 8;
4995 
4996     b.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
4997     b.output = "\x74\x94\xc2\xe7\x10\x4b\x08\x79";
4998     b.inLen  = 8;
4999     b.outLen = 8;
5000 
5001     c.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
5002     c.output = "\xde\x18\x89\x41\xa3\x37\x5d\x3a";
5003     c.inLen  = 8;
5004     c.outLen = 8;
5005 
5006     d.input  = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
5007     d.output = "\xd6\xa1\x41\xa7\xec\x3c\x38\xdf\xbd\x61";
5008     d.inLen  = 10;
5009     d.outLen = 10;
5010 
5011     test_arc4[0] = a;
5012     test_arc4[1] = b;
5013     test_arc4[2] = c;
5014     test_arc4[3] = d;
5015 
5016     for (i = 0; i < times; ++i) {
5017         Arc4 enc;
5018         Arc4 dec;
5019         int  keylen = 8;  /* XSTRLEN with key 0x00 not good */
5020         if (i == 3)
5021             keylen = 4;
5022 
5023         if (wc_Arc4Init(&enc, HEAP_HINT, devId) != 0)
5024             return -4400;
5025         if (wc_Arc4Init(&dec, HEAP_HINT, devId) != 0)
5026             return -4401;
5027 
5028         wc_Arc4SetKey(&enc, (byte*)keys[i], keylen);
5029         wc_Arc4SetKey(&dec, (byte*)keys[i], keylen);
5030 
5031         wc_Arc4Process(&enc, cipher, (byte*)test_arc4[i].input,
5032                     (word32)test_arc4[i].outLen);
5033         wc_Arc4Process(&dec, plain,  cipher, (word32)test_arc4[i].outLen);
5034 
5035         if (XMEMCMP(plain, test_arc4[i].input, test_arc4[i].outLen))
5036             return -4402 - i;
5037 
5038         if (XMEMCMP(cipher, test_arc4[i].output, test_arc4[i].outLen))
5039             return -4412 - i;
5040 
5041         wc_Arc4Free(&enc);
5042         wc_Arc4Free(&dec);
5043     }
5044 
5045     return 0;
5046 }
5047 #endif
5048 
5049 
hc128_test(void)5050 WOLFSSL_TEST_SUBROUTINE int hc128_test(void)
5051 {
5052 #ifdef HAVE_HC128
5053     byte cipher[16];
5054     byte plain[16];
5055 
5056     const char* keys[] =
5057     {
5058         "\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
5059         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
5060         "\x00\x53\xA6\xF9\x4C\x9F\xF2\x45\x98\xEB\x3E\x91\xE4\x37\x8A\xDD",
5061         "\x0F\x62\xB5\x08\x5B\xAE\x01\x54\xA7\xFA\x4D\xA0\xF3\x46\x99\xEC"
5062     };
5063 
5064     const char* ivs[] =
5065     {
5066         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
5067         "\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
5068         "\x0D\x74\xDB\x42\xA9\x10\x77\xDE\x45\xAC\x13\x7A\xE1\x48\xAF\x16",
5069         "\x28\x8F\xF6\x5D\xC4\x2B\x92\xF9\x60\xC7\x2E\x95\xFC\x63\xCA\x31"
5070     };
5071 
5072 
5073     testVector a, b, c, d;
5074     testVector test_hc128[4];
5075 
5076     int times = sizeof(test_hc128) / sizeof(testVector), i;
5077 
5078     int ret = 0;
5079 #if !defined(WOLFSSL_SMALL_STACK) || defined(WOLFSSL_NO_MALLOC)
5080     HC128 enc[1], dec[1];
5081 #else
5082     HC128 *enc = (HC128 *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
5083     HC128 *dec = (HC128 *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
5084     if ((! enc) || (! dec)) {
5085         ERROR_OUT(-4500, out);
5086     }
5087 #endif
5088 
5089     a.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
5090     a.output = "\x37\x86\x02\xB9\x8F\x32\xA7\x48";
5091     a.inLen  = 8;
5092     a.outLen = 8;
5093 
5094     b.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
5095     b.output = "\x33\x7F\x86\x11\xC6\xED\x61\x5F";
5096     b.inLen  = 8;
5097     b.outLen = 8;
5098 
5099     c.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
5100     c.output = "\x2E\x1E\xD1\x2A\x85\x51\xC0\x5A";
5101     c.inLen  = 8;
5102     c.outLen = 8;
5103 
5104     d.input  = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
5105     d.output = "\x1C\xD8\xAE\xDD\xFE\x52\xE2\x17\xE8\x35\xD0\xB7\xE8\x4E\x29";
5106     d.inLen  = 15;
5107     d.outLen = 15;
5108 
5109     test_hc128[0] = a;
5110     test_hc128[1] = b;
5111     test_hc128[2] = c;
5112     test_hc128[3] = d;
5113 
5114     for (i = 0; i < times; ++i) {
5115         /* align keys/ivs in plain/cipher buffers */
5116         XMEMCPY(plain,  keys[i], 16);
5117         XMEMCPY(cipher, ivs[i],  16);
5118 
5119         wc_Hc128_SetKey(enc, plain, cipher);
5120         wc_Hc128_SetKey(dec, plain, cipher);
5121 
5122         /* align input */
5123         XMEMCPY(plain, test_hc128[i].input, test_hc128[i].outLen);
5124         if (wc_Hc128_Process(enc, cipher, plain,
5125                                            (word32)test_hc128[i].outLen) != 0) {
5126             ret = -4501;
5127             goto out;
5128         }
5129         if (wc_Hc128_Process(dec, plain, cipher,
5130                                            (word32)test_hc128[i].outLen) != 0) {
5131             ret = -4502;
5132             goto out;
5133         }
5134 
5135         if (XMEMCMP(plain, test_hc128[i].input, test_hc128[i].outLen)) {
5136             ret = -4503 - i;
5137             goto out;
5138         }
5139 
5140         if (XMEMCMP(cipher, test_hc128[i].output, test_hc128[i].outLen)) {
5141             ret = -4513 - i;
5142             goto out;
5143         }
5144     }
5145 
5146   out:
5147 
5148 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
5149     if (enc)
5150         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
5151     if (dec)
5152         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
5153 #endif
5154 
5155     return ret;
5156 #else
5157     return 0;
5158 #endif /* HAVE_HC128 */
5159 }
5160 
5161 
5162 #ifndef NO_RABBIT
rabbit_test(void)5163 WOLFSSL_TEST_SUBROUTINE int rabbit_test(void)
5164 {
5165     byte cipher[16];
5166     byte plain[16];
5167 
5168     const char* keys[] =
5169     {
5170         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
5171         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
5172         "\xAC\xC3\x51\xDC\xF1\x62\xFC\x3B\xFE\x36\x3D\x2E\x29\x13\x28\x91"
5173     };
5174 
5175     const char* ivs[] =
5176     {
5177         "\x00\x00\x00\x00\x00\x00\x00\x00",
5178         "\x59\x7E\x26\xC1\x75\xF5\x73\xC3",
5179         0
5180     };
5181 
5182     testVector a, b, c;
5183     testVector test_rabbit[3];
5184 
5185     int times = sizeof(test_rabbit) / sizeof(testVector), i;
5186 
5187     a.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
5188     a.output = "\xED\xB7\x05\x67\x37\x5D\xCD\x7C";
5189     a.inLen  = 8;
5190     a.outLen = 8;
5191 
5192     b.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
5193     b.output = "\x6D\x7D\x01\x22\x92\xCC\xDC\xE0";
5194     b.inLen  = 8;
5195     b.outLen = 8;
5196 
5197     c.input  = "\x00\x00\x00\x00\x00\x00\x00\x00";
5198     c.output = "\x04\xCE\xCA\x7A\x1A\x86\x6E\x77";
5199     c.inLen  = 8;
5200     c.outLen = 8;
5201 
5202     test_rabbit[0] = a;
5203     test_rabbit[1] = b;
5204     test_rabbit[2] = c;
5205 
5206     for (i = 0; i < times; ++i) {
5207         Rabbit enc;
5208         Rabbit dec;
5209         byte*  iv;
5210 
5211         /* align keys/ivs in plain/cipher buffers */
5212         XMEMCPY(plain,  keys[i], 16);
5213         if (ivs[i]) {
5214             XMEMCPY(cipher, ivs[i],   8);
5215             iv = cipher;
5216         } else
5217             iv = NULL;
5218         wc_RabbitSetKey(&enc, plain, iv);
5219         wc_RabbitSetKey(&dec, plain, iv);
5220 
5221         /* align input */
5222         XMEMCPY(plain, test_rabbit[i].input, test_rabbit[i].outLen);
5223         wc_RabbitProcess(&enc, cipher, plain,  (word32)test_rabbit[i].outLen);
5224         wc_RabbitProcess(&dec, plain,  cipher, (word32)test_rabbit[i].outLen);
5225 
5226         if (XMEMCMP(plain, test_rabbit[i].input, test_rabbit[i].outLen))
5227             return -4600 - i;
5228 
5229         if (XMEMCMP(cipher, test_rabbit[i].output, test_rabbit[i].outLen))
5230             return -4610 - i;
5231     }
5232 
5233     return 0;
5234 }
5235 #endif /* NO_RABBIT */
5236 
5237 
5238 #ifdef HAVE_CHACHA
chacha_test(void)5239 WOLFSSL_TEST_SUBROUTINE int chacha_test(void)
5240 {
5241     ChaCha enc;
5242     ChaCha dec;
5243     byte   cipher[128];
5244     byte   plain[128];
5245     byte   sliver[64];
5246     byte   input[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
5247     word32 keySz = 32;
5248     int    ret = 0;
5249     int    i;
5250     int    times = 4;
5251 
5252     WOLFSSL_SMALL_STACK_STATIC const byte key1[] =
5253     {
5254          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5255          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5256          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5257          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
5258     };
5259 
5260     WOLFSSL_SMALL_STACK_STATIC const byte key2[] =
5261     {
5262          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5263          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5264          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5265          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
5266     };
5267 
5268     WOLFSSL_SMALL_STACK_STATIC const byte key3[] =
5269     {
5270          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5271          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5272          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5273          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
5274     };
5275 
5276     /* 128 bit key */
5277     WOLFSSL_SMALL_STACK_STATIC const byte key4[] =
5278     {
5279          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5280          0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
5281     };
5282 
5283 
5284     const byte* keys[] = {key1, key2, key3, key4};
5285 
5286     WOLFSSL_SMALL_STACK_STATIC const byte ivs1[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
5287     WOLFSSL_SMALL_STACK_STATIC const byte ivs2[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
5288     WOLFSSL_SMALL_STACK_STATIC const byte ivs3[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00};
5289     WOLFSSL_SMALL_STACK_STATIC const byte ivs4[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
5290 
5291 
5292     const byte* ivs[] = {ivs1, ivs2, ivs3, ivs4};
5293 
5294 #ifndef BENCH_EMBEDDED
5295     WOLFSSL_SMALL_STACK_STATIC const byte cipher_big_result[] = {
5296         0x06, 0xa6, 0x5d, 0x31, 0x21, 0x6c, 0xdb, 0x37, 0x48, 0x7c, 0x01, 0x9d,
5297         0x72, 0xdf, 0x0a, 0x5b, 0x64, 0x74, 0x20, 0xba, 0x9e, 0xe0, 0x26, 0x7a,
5298         0xbf, 0xdf, 0x83, 0x34, 0x3b, 0x4f, 0x94, 0x3f, 0x37, 0x89, 0xaf, 0x00,
5299         0xdf, 0x0f, 0x2e, 0x75, 0x16, 0x41, 0xf6, 0x7a, 0x86, 0x94, 0x9d, 0x32,
5300         0x56, 0xf0, 0x79, 0x71, 0x68, 0x6f, 0xa6, 0x6b, 0xc6, 0x59, 0x49, 0xf6,
5301         0x10, 0x34, 0x03, 0x03, 0x16, 0x53, 0x9a, 0x98, 0x2a, 0x46, 0xde, 0x17,
5302         0x06, 0x65, 0x70, 0xca, 0x0a, 0x1f, 0xab, 0x80, 0x26, 0x96, 0x3f, 0x3e,
5303         0x7a, 0x3c, 0xa8, 0x87, 0xbb, 0x65, 0xdd, 0x5e, 0x07, 0x7b, 0x34, 0xe0,
5304         0x56, 0xda, 0x32, 0x13, 0x30, 0xc9, 0x0c, 0xd7, 0xba, 0xe4, 0x1f, 0xa6,
5305         0x91, 0x4f, 0x72, 0x9f, 0xd9, 0x5c, 0x62, 0x7d, 0xa6, 0xc2, 0xbc, 0x87,
5306         0xae, 0x64, 0x11, 0x94, 0x3b, 0xbc, 0x6c, 0x23, 0xbd, 0x7d, 0x00, 0xb4,
5307         0x99, 0xf2, 0x68, 0xb5, 0x59, 0x70, 0x93, 0xad, 0x69, 0xd0, 0xb1, 0x28,
5308         0x70, 0x92, 0xeb, 0xec, 0x39, 0x80, 0x82, 0xde, 0x44, 0xe2, 0x8a, 0x26,
5309         0xb3, 0xe9, 0x45, 0xcf, 0x83, 0x76, 0x9f, 0x6a, 0xa0, 0x46, 0x4a, 0x3d,
5310         0x26, 0x56, 0xaf, 0x49, 0x41, 0x26, 0x1b, 0x6a, 0x41, 0x37, 0x65, 0x91,
5311         0x72, 0xc4, 0xe7, 0x3c, 0x17, 0x31, 0xae, 0x2e, 0x2b, 0x31, 0x45, 0xe4,
5312         0x93, 0xd3, 0x10, 0xaa, 0xc5, 0x62, 0xd5, 0x11, 0x4b, 0x57, 0x1d, 0xad,
5313         0x48, 0x06, 0xd0, 0x0d, 0x98, 0xa5, 0xc6, 0x5b, 0xd0, 0x9e, 0x22, 0xc0,
5314         0x00, 0x32, 0x5a, 0xf5, 0x1c, 0x89, 0x6d, 0x54, 0x97, 0x55, 0x6b, 0x46,
5315         0xc5, 0xc7, 0xc4, 0x48, 0x9c, 0xbf, 0x47, 0xdc, 0x03, 0xc4, 0x1b, 0xcb,
5316         0x65, 0xa6, 0x91, 0x9d, 0x6d, 0xf1, 0xb0, 0x7a, 0x4d, 0x3b, 0x03, 0x95,
5317         0xf4, 0x8b, 0x0b, 0xae, 0x39, 0xff, 0x3f, 0xf6, 0xc0, 0x14, 0x18, 0x8a,
5318         0xe5, 0x19, 0xbd, 0xc1, 0xb4, 0x05, 0x4e, 0x29, 0x2f, 0x0b, 0x33, 0x76,
5319         0x28, 0x16, 0xa4, 0xa6, 0x93, 0x04, 0xb5, 0x55, 0x6b, 0x89, 0x3d, 0xa5,
5320         0x0f, 0xd3, 0xad, 0xfa, 0xd9, 0xfd, 0x05, 0x5d, 0x48, 0x94, 0x25, 0x5a,
5321         0x2c, 0x9a, 0x94, 0x80, 0xb0, 0xe7, 0xcb, 0x4d, 0x77, 0xbf, 0xca, 0xd8,
5322         0x55, 0x48, 0xbd, 0x66, 0xb1, 0x85, 0x81, 0xb1, 0x37, 0x79, 0xab, 0x52,
5323         0x08, 0x14, 0x12, 0xac, 0xcd, 0x45, 0x4d, 0x53, 0x6b, 0xca, 0x96, 0xc7,
5324         0x3b, 0x2f, 0x73, 0xb1, 0x5a, 0x23, 0xbd, 0x65, 0xd5, 0xea, 0x17, 0xb3,
5325         0xdc, 0xa1, 0x17, 0x1b, 0x2d, 0xb3, 0x9c, 0xd0, 0xdb, 0x41, 0x77, 0xef,
5326         0x93, 0x20, 0x52, 0x3e, 0x9d, 0xf5, 0xbf, 0x33, 0xf7, 0x52, 0xc1, 0x90,
5327         0xa0, 0x15, 0x17, 0xce, 0xf7, 0xf7, 0xd0, 0x3a, 0x3b, 0xd1, 0x72, 0x56,
5328         0x31, 0x81, 0xae, 0x60, 0xab, 0x40, 0xc1, 0xd1, 0x28, 0x77, 0x53, 0xac,
5329         0x9f, 0x11, 0x0a, 0x88, 0x36, 0x4b, 0xda, 0x57, 0xa7, 0x28, 0x5c, 0x85,
5330         0xd3, 0x85, 0x9b, 0x79, 0xad, 0x05, 0x1c, 0x37, 0x14, 0x5e, 0x0d, 0xd0,
5331         0x23, 0x03, 0x42, 0x1d, 0x48, 0x5d, 0xc5, 0x3c, 0x5a, 0x08, 0xa9, 0x0d,
5332         0x6e, 0x82, 0x7c, 0x2e, 0x3c, 0x41, 0xcc, 0x96, 0x8e, 0xad, 0xee, 0x2a,
5333         0x61, 0x0b, 0x16, 0x0f, 0xa9, 0x24, 0x40, 0x85, 0xbc, 0x9f, 0x28, 0x8d,
5334         0xe6, 0x68, 0x4d, 0x8f, 0x30, 0x48, 0xd9, 0x73, 0x73, 0x6c, 0x9a, 0x7f,
5335         0x67, 0xf7, 0xde, 0x4c, 0x0a, 0x8b, 0xe4, 0xb3, 0x08, 0x2a, 0x52, 0xda,
5336         0x54, 0xee, 0xcd, 0xb5, 0x62, 0x4a, 0x26, 0x20, 0xfb, 0x40, 0xbb, 0x39,
5337         0x3a, 0x0f, 0x09, 0xe8, 0x00, 0xd1, 0x24, 0x97, 0x60, 0xe9, 0x83, 0x83,
5338         0xfe, 0x9f, 0x9c, 0x15, 0xcf, 0x69, 0x03, 0x9f, 0x03, 0xe1, 0xe8, 0x6e,
5339         0xbd, 0x87, 0x58, 0x68, 0xee, 0xec, 0xd8, 0x29, 0x46, 0x23, 0x49, 0x92,
5340         0x72, 0x95, 0x5b, 0x49, 0xca, 0xe0, 0x45, 0x59, 0xb2, 0xca, 0xf4, 0xfc,
5341         0xb7, 0x59, 0x37, 0x49, 0x28, 0xbc, 0xf3, 0xd7, 0x61, 0xbc, 0x4b, 0xf3,
5342         0xa9, 0x4b, 0x2f, 0x05, 0xa8, 0x01, 0xa5, 0xdc, 0x00, 0x6e, 0x01, 0xb6,
5343         0x45, 0x3c, 0xd5, 0x49, 0x7d, 0x5c, 0x25, 0xe8, 0x31, 0x87, 0xb2, 0xb9,
5344         0xbf, 0xb3, 0x01, 0x62, 0x0c, 0xd0, 0x48, 0x77, 0xa2, 0x34, 0x0f, 0x16,
5345         0x22, 0x28, 0xee, 0x54, 0x08, 0x93, 0x3b, 0xe4, 0xde, 0x7e, 0x63, 0xf7,
5346         0x97, 0x16, 0x5d, 0x71, 0x58, 0xc2, 0x2e, 0xf2, 0x36, 0xa6, 0x12, 0x65,
5347         0x94, 0x17, 0xac, 0x66, 0x23, 0x7e, 0xc6, 0x72, 0x79, 0x24, 0xce, 0x8f,
5348         0x55, 0x19, 0x97, 0x44, 0xfc, 0x55, 0xec, 0x85, 0x26, 0x27, 0xdb, 0x38,
5349         0xb1, 0x42, 0x0a, 0xdd, 0x05, 0x99, 0x28, 0xeb, 0x03, 0x6c, 0x9a, 0xe9,
5350         0x17, 0xf6, 0x2c, 0xb0, 0xfe, 0xe7, 0xa4, 0xa7, 0x31, 0xda, 0x4d, 0xb0,
5351         0x29, 0xdb, 0xdd, 0x8d, 0x12, 0x13, 0x9c, 0xb4, 0xcc, 0x83, 0x97, 0xfb,
5352         0x1a, 0xdc, 0x08, 0xd6, 0x30, 0x62, 0xe8, 0xeb, 0x8b, 0x61, 0xcb, 0x1d,
5353         0x06, 0xe3, 0xa5, 0x4d, 0x35, 0xdb, 0x59, 0xa8, 0x2d, 0x87, 0x27, 0x44,
5354         0x6f, 0xc0, 0x38, 0x97, 0xe4, 0x85, 0x00, 0x02, 0x09, 0xf6, 0x69, 0x3a,
5355         0xcf, 0x08, 0x1b, 0x21, 0xbb, 0x79, 0xb1, 0xa1, 0x34, 0x09, 0xe0, 0x80,
5356         0xca, 0xb0, 0x78, 0x8a, 0x11, 0x97, 0xd4, 0x07, 0xbe, 0x1b, 0x6a, 0x5d,
5357         0xdb, 0xd6, 0x1f, 0x76, 0x6b, 0x16, 0xf0, 0x58, 0x84, 0x5f, 0x59, 0xce,
5358         0x62, 0x34, 0xc3, 0xdf, 0x94, 0xb8, 0x2f, 0x84, 0x68, 0xf0, 0xb8, 0x51,
5359         0xd9, 0x6d, 0x8e, 0x4a, 0x1d, 0xe6, 0x5c, 0xd8, 0x86, 0x25, 0xe3, 0x24,
5360         0xfd, 0x21, 0x61, 0x13, 0x48, 0x3e, 0xf6, 0x7d, 0xa6, 0x71, 0x9b, 0xd2,
5361         0x6e, 0xe6, 0xd2, 0x08, 0x94, 0x62, 0x6c, 0x98, 0xfe, 0x2f, 0x9c, 0x88,
5362         0x7e, 0x78, 0x15, 0x02, 0x00, 0xf0, 0xba, 0x24, 0x91, 0xf2, 0xdc, 0x47,
5363         0x51, 0x4d, 0x15, 0x5e, 0x91, 0x5f, 0x57, 0x5b, 0x1d, 0x35, 0x24, 0x45,
5364         0x75, 0x9b, 0x88, 0x75, 0xf1, 0x2f, 0x85, 0xe7, 0x89, 0xd1, 0x01, 0xb4,
5365         0xc8, 0x18, 0xb7, 0x97, 0xef, 0x4b, 0x90, 0xf4, 0xbf, 0x10, 0x27, 0x3c,
5366         0x60, 0xff, 0xc4, 0x94, 0x20, 0x2f, 0x93, 0x4b, 0x4d, 0xe3, 0x80, 0xf7,
5367         0x2c, 0x71, 0xd9, 0xe3, 0x68, 0xb4, 0x77, 0x2b, 0xc7, 0x0d, 0x39, 0x92,
5368         0xef, 0x91, 0x0d, 0xb2, 0x11, 0x50, 0x0e, 0xe8, 0xad, 0x3b, 0xf6, 0xb5,
5369         0xc6, 0x14, 0x4d, 0x33, 0x53, 0xa7, 0x60, 0x15, 0xc7, 0x27, 0x51, 0xdc,
5370         0x54, 0x29, 0xa7, 0x0d, 0x6a, 0x7b, 0x72, 0x13, 0xad, 0x7d, 0x41, 0x19,
5371         0x4e, 0x42, 0x49, 0xcc, 0x42, 0xe4, 0xbd, 0x99, 0x13, 0xd9, 0x7f, 0xf3,
5372         0x38, 0xa4, 0xb6, 0x33, 0xed, 0x07, 0x48, 0x7e, 0x8e, 0x82, 0xfe, 0x3a,
5373         0x9d, 0x75, 0x93, 0xba, 0x25, 0x4e, 0x37, 0x3c, 0x0c, 0xd5, 0x69, 0xa9,
5374         0x2d, 0x9e, 0xfd, 0xe8, 0xbb, 0xf5, 0x0c, 0xe2, 0x86, 0xb9, 0x5e, 0x6f,
5375         0x28, 0xe4, 0x19, 0xb3, 0x0b, 0xa4, 0x86, 0xd7, 0x24, 0xd0, 0xb8, 0x89,
5376         0x7b, 0x76, 0xec, 0x05, 0x10, 0x5b, 0x68, 0xe9, 0x58, 0x66, 0xa3, 0xc5,
5377         0xb6, 0x63, 0x20, 0x0e, 0x0e, 0xea, 0x3d, 0x61, 0x5e, 0xda, 0x3d, 0x3c,
5378         0xf9, 0xfd, 0xed, 0xa9, 0xdb, 0x52, 0x94, 0x8a, 0x00, 0xca, 0x3c, 0x8d,
5379         0x66, 0x8f, 0xb0, 0xf0, 0x5a, 0xca, 0x3f, 0x63, 0x71, 0xbf, 0xca, 0x99,
5380         0x37, 0x9b, 0x75, 0x97, 0x89, 0x10, 0x6e, 0xcf, 0xf2, 0xf5, 0xe3, 0xd5,
5381         0x45, 0x9b, 0xad, 0x10, 0x71, 0x6c, 0x5f, 0x6f, 0x7f, 0x22, 0x77, 0x18,
5382         0x2f, 0xf9, 0x99, 0xc5, 0x69, 0x58, 0x03, 0x12, 0x86, 0x82, 0x3e, 0xbf,
5383         0xc2, 0x12, 0x35, 0x43, 0xa3, 0xd9, 0x18, 0x4f, 0x41, 0x11, 0x6b, 0xf3,
5384         0x67, 0xaf, 0x3d, 0x78, 0xe4, 0x22, 0x2d, 0xb3, 0x48, 0x43, 0x31, 0x1d,
5385         0xef, 0xa8, 0xba, 0x49, 0x8e, 0xa9, 0xa7, 0xb6, 0x18, 0x77, 0x84, 0xca,
5386         0xbd, 0xa2, 0x02, 0x1b, 0x6a, 0xf8, 0x5f, 0xda, 0xff, 0xcf, 0x01, 0x6a,
5387         0x86, 0x69, 0xa9, 0xe9, 0xcb, 0x60, 0x1e, 0x15, 0xdc, 0x8f, 0x5d, 0x39,
5388         0xb5, 0xce, 0x55, 0x5f, 0x47, 0x97, 0xb1, 0x19, 0x6e, 0x21, 0xd6, 0x13,
5389         0x39, 0xb2, 0x24, 0xe0, 0x62, 0x82, 0x9f, 0xed, 0x12, 0x81, 0xed, 0xee,
5390         0xab, 0xd0, 0x2f, 0x19, 0x89, 0x3f, 0x57, 0x2e, 0xc2, 0xe2, 0x67, 0xe8,
5391         0xae, 0x03, 0x56, 0xba, 0xd4, 0xd0, 0xa4, 0x89, 0x03, 0x06, 0x5b, 0xcc,
5392         0xf2, 0x22, 0xb8, 0x0e, 0x76, 0x79, 0x4a, 0x42, 0x1d, 0x37, 0x51, 0x5a,
5393         0xaa, 0x46, 0x6c, 0x2a, 0xdd, 0x66, 0xfe, 0xc6, 0x68, 0xc3, 0x38, 0xa2,
5394         0xae, 0x5b, 0x98, 0x24, 0x5d, 0x43, 0x05, 0x82, 0x38, 0x12, 0xd3, 0xd1,
5395         0x75, 0x2d, 0x4f, 0x61, 0xbd, 0xb9, 0x10, 0x87, 0x44, 0x2a, 0x78, 0x07,
5396         0xff, 0xf4, 0x0f, 0xa1, 0xf3, 0x68, 0x9f, 0xbe, 0xae, 0xa2, 0x91, 0xf0,
5397         0xc7, 0x55, 0x7a, 0x52, 0xd5, 0xa3, 0x8d, 0x6f, 0xe4, 0x90, 0x5c, 0xf3,
5398         0x5f, 0xce, 0x3d, 0x23, 0xf9, 0x8e, 0xae, 0x14, 0xfb, 0x82, 0x9a, 0xa3,
5399         0x04, 0x5f, 0xbf, 0xad, 0x3e, 0xf2, 0x97, 0x0a, 0x60, 0x40, 0x70, 0x19,
5400         0x72, 0xad, 0x66, 0xfb, 0x78, 0x1b, 0x84, 0x6c, 0x98, 0xbc, 0x8c, 0xf8,
5401         0x4f, 0xcb, 0xb5, 0xf6, 0xaf, 0x7a, 0xb7, 0x93, 0xef, 0x67, 0x48, 0x02,
5402         0x2c, 0xcb, 0xe6, 0x77, 0x0f, 0x7b, 0xc1, 0xee, 0xc5, 0xb6, 0x2d, 0x7e,
5403         0x62, 0xa0, 0xc0, 0xa7, 0xa5, 0x80, 0x31, 0x92, 0x50, 0xa1, 0x28, 0x22,
5404         0x95, 0x03, 0x17, 0xd1, 0x0f, 0xf6, 0x08, 0xe5, 0xec
5405     };
5406 #define CHACHA_BIG_TEST_SIZE 1305
5407 #ifndef WOLFSSL_SMALL_STACK
5408     byte   cipher_big[CHACHA_BIG_TEST_SIZE] = {0};
5409     byte   plain_big[CHACHA_BIG_TEST_SIZE] = {0};
5410     byte   input_big[CHACHA_BIG_TEST_SIZE] = {0};
5411 #else
5412     byte*  cipher_big;
5413     byte*  plain_big;
5414     byte*  input_big;
5415 #endif /* WOLFSSL_SMALL_STACK */
5416     int    block_size;
5417 #endif /* BENCH_EMBEDDED */
5418 
5419     byte a[] = {0x76,0xb8,0xe0,0xad,0xa0,0xf1,0x3d,0x90};
5420     byte b[] = {0x45,0x40,0xf0,0x5a,0x9f,0x1f,0xb2,0x96};
5421     byte c[] = {0xde,0x9c,0xba,0x7b,0xf3,0xd6,0x9e,0xf5};
5422     byte d[] = {0x89,0x67,0x09,0x52,0x60,0x83,0x64,0xfd};
5423 
5424     byte* test_chacha[4];
5425 
5426     test_chacha[0] = a;
5427     test_chacha[1] = b;
5428     test_chacha[2] = c;
5429     test_chacha[3] = d;
5430 
5431 #ifndef BENCH_EMBEDDED
5432 #ifdef WOLFSSL_SMALL_STACK
5433     cipher_big = (byte*)XMALLOC(CHACHA_BIG_TEST_SIZE, HEAP_HINT,
5434                                                        DYNAMIC_TYPE_TMP_BUFFER);
5435     if (cipher_big == NULL) {
5436         return MEMORY_E;
5437     }
5438     plain_big = (byte*)XMALLOC(CHACHA_BIG_TEST_SIZE, HEAP_HINT,
5439                                                        DYNAMIC_TYPE_TMP_BUFFER);
5440     if (plain_big == NULL) {
5441         return MEMORY_E;
5442     }
5443     input_big = (byte*)XMALLOC(CHACHA_BIG_TEST_SIZE, HEAP_HINT,
5444                                                        DYNAMIC_TYPE_TMP_BUFFER);
5445     if (input_big == NULL) {
5446         return MEMORY_E;
5447     }
5448     XMEMSET(cipher_big, 0, CHACHA_BIG_TEST_SIZE);
5449     XMEMSET(plain_big, 0, CHACHA_BIG_TEST_SIZE);
5450     XMEMSET(input_big, 0, CHACHA_BIG_TEST_SIZE);
5451 #endif /* WOLFSSL_SMALL_STACK */
5452 #endif /* BENCH_EMBEDDED */
5453 
5454     for (i = 0; i < times; ++i) {
5455         if (i < 3) {
5456             keySz = 32;
5457         }
5458         else {
5459             keySz = 16;
5460         }
5461 
5462         XMEMCPY(plain, keys[i], keySz);
5463         XMEMSET(cipher, 0, 32);
5464         XMEMCPY(cipher + 4, ivs[i], 8);
5465 
5466         ret |= wc_Chacha_SetKey(&enc, keys[i], keySz);
5467         ret |= wc_Chacha_SetKey(&dec, keys[i], keySz);
5468         if (ret != 0)
5469             return ret;
5470 
5471         ret |= wc_Chacha_SetIV(&enc, cipher, 0);
5472         ret |= wc_Chacha_SetIV(&dec, cipher, 0);
5473         if (ret != 0)
5474             return ret;
5475         XMEMCPY(plain, input, 8);
5476 
5477         ret |= wc_Chacha_Process(&enc, cipher, plain,  (word32)8);
5478         ret |= wc_Chacha_Process(&dec, plain,  cipher, (word32)8);
5479         if (ret != 0)
5480             return ret;
5481 
5482         if (XMEMCMP(test_chacha[i], cipher, 8))
5483             return -4700 - i;
5484 
5485         if (XMEMCMP(plain, input, 8))
5486             return -4710 - i;
5487     }
5488 
5489     /* test of starting at a different counter
5490        encrypts all of the information and decrypts starting at 2nd chunk */
5491     XMEMSET(plain,  0, sizeof(plain));
5492     XMEMSET(sliver, 1, sizeof(sliver)); /* set as 1's to not match plain */
5493     XMEMSET(cipher, 0, sizeof(cipher));
5494     XMEMCPY(cipher + 4, ivs[0], 8);
5495 
5496     ret |= wc_Chacha_SetKey(&enc, keys[0], keySz);
5497     ret |= wc_Chacha_SetKey(&dec, keys[0], keySz);
5498     if (ret != 0)
5499         return ret;
5500 
5501     ret |= wc_Chacha_SetIV(&enc, cipher, 0);
5502     ret |= wc_Chacha_SetIV(&dec, cipher, 1);
5503     if (ret != 0)
5504         return ret;
5505 
5506     ret |= wc_Chacha_Process(&enc, cipher, plain,  sizeof(plain));
5507     ret |= wc_Chacha_Process(&dec, sliver,  cipher + 64, sizeof(sliver));
5508     if (ret != 0)
5509         return ret;
5510 
5511     if (XMEMCMP(plain + 64, sliver, 64))
5512         return -4720;
5513 
5514 #ifndef BENCH_EMBEDDED
5515     /* test of encrypting more data */
5516     keySz = 32;
5517 
5518     ret |= wc_Chacha_SetKey(&enc, keys[0], keySz);
5519     ret |= wc_Chacha_SetKey(&dec, keys[0], keySz);
5520     if (ret != 0)
5521         return ret;
5522 
5523     ret |= wc_Chacha_SetIV(&enc, ivs[2], 0);
5524     ret |= wc_Chacha_SetIV(&dec, ivs[2], 0);
5525     if (ret != 0)
5526         return ret;
5527 
5528     ret |= wc_Chacha_Process(&enc, cipher_big, plain_big, CHACHA_BIG_TEST_SIZE);
5529     ret |= wc_Chacha_Process(&dec, plain_big,  cipher_big,
5530                                                           CHACHA_BIG_TEST_SIZE);
5531     if (ret != 0)
5532         return ret;
5533 
5534     if (XMEMCMP(plain_big, input_big, CHACHA_BIG_TEST_SIZE))
5535         return -4721;
5536 
5537     if (XMEMCMP(cipher_big, cipher_big_result, CHACHA_BIG_TEST_SIZE))
5538         return -4722;
5539 
5540     for (i = 0; i < 18; ++i) {
5541         /* this will test all paths */
5542         /* block sizes: 1 2 3 4 7 8 15 16 31 32 63 64 127 128 255 256 511 512 */
5543         block_size = (2 << (i%9)) - (i<9?1:0);
5544         keySz = 32;
5545 
5546         ret |= wc_Chacha_SetKey(&enc, keys[0], keySz);
5547         ret |= wc_Chacha_SetKey(&dec, keys[0], keySz);
5548         if (ret != 0)
5549             return ret;
5550 
5551         ret |= wc_Chacha_SetIV(&enc, ivs[2], 0);
5552         ret |= wc_Chacha_SetIV(&dec, ivs[2], 0);
5553         if (ret != 0)
5554             return ret;
5555 
5556         ret |= wc_Chacha_Process(&enc, cipher_big, plain_big,  block_size);
5557         ret |= wc_Chacha_Process(&dec, plain_big,  cipher_big, block_size);
5558         if (ret != 0)
5559             return ret;
5560 
5561         if (XMEMCMP(plain_big, input_big, block_size))
5562             return -4723-i;
5563 
5564         if (XMEMCMP(cipher_big, cipher_big_result, block_size))
5565             return -4724-i;
5566     }
5567 
5568     /* Streaming test */
5569     for (i = 1; i <= (int)CHACHA_CHUNK_BYTES + 1; i++) {
5570         int j, rem;
5571 
5572         ret = wc_Chacha_SetKey(&enc, keys[0], keySz);
5573         if (ret != 0)
5574             return -4725;
5575         ret = wc_Chacha_SetKey(&dec, keys[0], keySz);
5576         if (ret != 0)
5577             return -4726;
5578 
5579         ret = wc_Chacha_SetIV(&enc, ivs[2], 0);
5580         if (ret != 0)
5581             return -4727;
5582         ret = wc_Chacha_SetIV(&dec, ivs[2], 0);
5583         if (ret != 0)
5584             return -4728;
5585 
5586         for (j = 0; j < CHACHA_BIG_TEST_SIZE - i; j+= i) {
5587             ret = wc_Chacha_Process(&enc, cipher_big + j, plain_big + j, i);
5588             if (ret != 0)
5589                 return -4729;
5590             ret = wc_Chacha_Process(&dec, plain_big + j, cipher_big + j, i);
5591             if (ret != 0)
5592                 return -4730;
5593         }
5594 
5595         rem = CHACHA_BIG_TEST_SIZE - j;
5596         ret = wc_Chacha_Process(&enc, cipher_big + j, plain_big + j, rem);
5597         if (ret != 0)
5598             return -4731;
5599         ret = wc_Chacha_Process(&dec, plain_big + j, cipher_big + j, rem);
5600         if (ret != 0)
5601             return -4732;
5602 
5603         if (XMEMCMP(plain_big, input_big, CHACHA_BIG_TEST_SIZE))
5604             return -4733;
5605 
5606         if (XMEMCMP(cipher_big, cipher_big_result, CHACHA_BIG_TEST_SIZE))
5607             return -4734;
5608     }
5609 
5610 #ifdef WOLFSSL_SMALL_STACK
5611     XFREE(cipher_big, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
5612     XFREE(plain_big, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
5613     XFREE(input_big, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
5614 #endif /* WOLFSSL_SMALL_STACK */
5615 #endif /* BENCH_EMBEDDED */
5616 
5617     return 0;
5618 }
5619 #endif /* HAVE_CHACHA */
5620 
5621 
5622 #ifdef HAVE_POLY1305
poly1305_test(void)5623 WOLFSSL_TEST_SUBROUTINE int poly1305_test(void)
5624 {
5625     int      ret = 0;
5626     int      i;
5627     byte     tag[16];
5628     Poly1305 enc;
5629 
5630     WOLFSSL_SMALL_STACK_STATIC const byte msg1[] =
5631     {
5632         0x43,0x72,0x79,0x70,0x74,0x6f,0x67,0x72,
5633         0x61,0x70,0x68,0x69,0x63,0x20,0x46,0x6f,
5634         0x72,0x75,0x6d,0x20,0x52,0x65,0x73,0x65,
5635         0x61,0x72,0x63,0x68,0x20,0x47,0x72,0x6f,
5636         0x75,0x70
5637     };
5638 
5639     WOLFSSL_SMALL_STACK_STATIC const byte msg2[] =
5640     {
5641         0x48,0x65,0x6c,0x6c,0x6f,0x20,0x77,0x6f,0x72,
5642         0x6c,0x64,0x21
5643     };
5644 
5645     WOLFSSL_SMALL_STACK_STATIC const byte msg3[] =
5646     {
5647         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5648         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5649         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5650         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
5651     };
5652 
5653     WOLFSSL_SMALL_STACK_STATIC const byte msg4[] =
5654     {
5655         0xd3,0x1a,0x8d,0x34,0x64,0x8e,0x60,0xdb,
5656         0x7b,0x86,0xaf,0xbc,0x53,0xef,0x7e,0xc2,
5657         0xa4,0xad,0xed,0x51,0x29,0x6e,0x08,0xfe,
5658         0xa9,0xe2,0xb5,0xa7,0x36,0xee,0x62,0xd6,
5659         0x3d,0xbe,0xa4,0x5e,0x8c,0xa9,0x67,0x12,
5660         0x82,0xfa,0xfb,0x69,0xda,0x92,0x72,0x8b,
5661         0x1a,0x71,0xde,0x0a,0x9e,0x06,0x0b,0x29,
5662         0x05,0xd6,0xa5,0xb6,0x7e,0xcd,0x3b,0x36,
5663         0x92,0xdd,0xbd,0x7f,0x2d,0x77,0x8b,0x8c,
5664         0x98,0x03,0xae,0xe3,0x28,0x09,0x1b,0x58,
5665         0xfa,0xb3,0x24,0xe4,0xfa,0xd6,0x75,0x94,
5666         0x55,0x85,0x80,0x8b,0x48,0x31,0xd7,0xbc,
5667         0x3f,0xf4,0xde,0xf0,0x8e,0x4b,0x7a,0x9d,
5668         0xe5,0x76,0xd2,0x65,0x86,0xce,0xc6,0x4b,
5669         0x61,0x16
5670     };
5671 
5672     WOLFSSL_SMALL_STACK_STATIC const byte msg5[] =
5673     {
5674         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
5675         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
5676     };
5677 
5678     WOLFSSL_SMALL_STACK_STATIC const byte msg6[] =
5679     {
5680         0xd3,0x1a,0x8d,0x34,0x64,0x8e,0x60,0xdb,
5681         0x7b,0x86,0xaf,0xbc,0x53,0xef,0x7e,0xc2,
5682         0xa4,0xad,0xed,0x51,0x29,0x6e,0x08,0xfe,
5683         0xa9,0xe2,0xb5,0xa7,0x36,0xee,0x62,0xd6,
5684         0x3d,0xbe,0xa4,0x5e,0x8c,0xa9,0x67,0x12,
5685         0x82,0xfa,0xfb,0x69,0xda,0x92,0x72,0x8b,
5686         0xfa,0xb3,0x24,0xe4,0xfa,0xd6,0x75,0x94,
5687         0x1a,0x71,0xde,0x0a,0x9e,0x06,0x0b,0x29,
5688         0xa9,0xe2,0xb5,0xa7,0x36,0xee,0x62,0xd6,
5689         0x3d,0xbe,0xa4,0x5e,0x8c,0xa9,0x67,0x12,
5690         0xfa,0xb3,0x24,0xe4,0xfa,0xd6,0x75,0x94,
5691         0x05,0xd6,0xa5,0xb6,0x7e,0xcd,0x3b,0x36,
5692         0x92,0xdd,0xbd,0x7f,0x2d,0x77,0x8b,0x8c,
5693         0x7b,0x86,0xaf,0xbc,0x53,0xef,0x7e,0xc2,
5694         0x98,0x03,0xae,0xe3,0x28,0x09,0x1b,0x58,
5695         0xfa,0xb3,0x24,0xe4,0xfa,0xd6,0x75,0x94,
5696         0x55,0x85,0x80,0x8b,0x48,0x31,0xd7,0xbc,
5697         0x3f,0xf4,0xde,0xf0,0x8e,0x4b,0x7a,0x9d,
5698         0xe5,0x76,0xd2,0x65,0x86,0xce,0xc6,0x4b,
5699         0x61,0x16
5700     };
5701 
5702     byte additional[] =
5703     {
5704         0x50,0x51,0x52,0x53,0xc0,0xc1,0xc2,0xc3,
5705         0xc4,0xc5,0xc6,0xc7
5706     };
5707 
5708     WOLFSSL_SMALL_STACK_STATIC const byte correct0[] =
5709     {
5710         0x01,0x03,0x80,0x8a,0xfb,0x0d,0xb2,0xfd,
5711         0x4a,0xbf,0xf6,0xaf,0x41,0x49,0xf5,0x1b
5712     };
5713 
5714     WOLFSSL_SMALL_STACK_STATIC const byte correct1[] =
5715     {
5716         0xa8,0x06,0x1d,0xc1,0x30,0x51,0x36,0xc6,
5717         0xc2,0x2b,0x8b,0xaf,0x0c,0x01,0x27,0xa9
5718     };
5719 
5720     WOLFSSL_SMALL_STACK_STATIC const byte correct2[] =
5721     {
5722         0xa6,0xf7,0x45,0x00,0x8f,0x81,0xc9,0x16,
5723         0xa2,0x0d,0xcc,0x74,0xee,0xf2,0xb2,0xf0
5724     };
5725 
5726     WOLFSSL_SMALL_STACK_STATIC const byte correct3[] =
5727     {
5728         0x49,0xec,0x78,0x09,0x0e,0x48,0x1e,0xc6,
5729         0xc2,0x6b,0x33,0xb9,0x1c,0xcc,0x03,0x07
5730     };
5731 
5732     WOLFSSL_SMALL_STACK_STATIC const byte correct4[] =
5733     {
5734         0x1a,0xe1,0x0b,0x59,0x4f,0x09,0xe2,0x6a,
5735         0x7e,0x90,0x2e,0xcb,0xd0,0x60,0x06,0x91
5736     };
5737 
5738     WOLFSSL_SMALL_STACK_STATIC const byte correct5[] =
5739     {
5740         0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5741         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5742     };
5743 
5744     WOLFSSL_SMALL_STACK_STATIC const byte correct6[] =
5745     {
5746         0xea,0x11,0x5c,0x4f,0xd0,0xc0,0x10,0xae,
5747         0xf7,0xdf,0xda,0x77,0xa2,0xe9,0xaf,0xca
5748     };
5749 
5750     WOLFSSL_SMALL_STACK_STATIC const byte key[] = {
5751         0x85,0xd6,0xbe,0x78,0x57,0x55,0x6d,0x33,
5752         0x7f,0x44,0x52,0xfe,0x42,0xd5,0x06,0xa8,
5753         0x01,0x03,0x80,0x8a,0xfb,0x0d,0xb2,0xfd,
5754         0x4a,0xbf,0xf6,0xaf,0x41,0x49,0xf5,0x1b
5755     };
5756 
5757     WOLFSSL_SMALL_STACK_STATIC const byte key2[] = {
5758         0x74,0x68,0x69,0x73,0x20,0x69,0x73,0x20,
5759         0x33,0x32,0x2d,0x62,0x79,0x74,0x65,0x20,
5760         0x6b,0x65,0x79,0x20,0x66,0x6f,0x72,0x20,
5761         0x50,0x6f,0x6c,0x79,0x31,0x33,0x30,0x35
5762     };
5763 
5764     WOLFSSL_SMALL_STACK_STATIC const byte key4[] = {
5765         0x7b,0xac,0x2b,0x25,0x2d,0xb4,0x47,0xaf,
5766         0x09,0xb6,0x7a,0x55,0xa4,0xe9,0x55,0x84,
5767         0x0a,0xe1,0xd6,0x73,0x10,0x75,0xd9,0xeb,
5768         0x2a,0x93,0x75,0x78,0x3e,0xd5,0x53,0xff
5769     };
5770 
5771     WOLFSSL_SMALL_STACK_STATIC const byte key5[] = {
5772         0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5773         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5774         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
5775         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
5776     };
5777 
5778     const byte* msgs[]  = {NULL, msg1, msg2, msg3, msg5, msg6};
5779     word32      szm[]   = {0, sizeof(msg1), sizeof(msg2),
5780                            sizeof(msg3), sizeof(msg5), sizeof(msg6)};
5781     const byte* keys[]  = {key, key, key2, key2, key5, key};
5782     const byte* tests[] = {correct0, correct1, correct2, correct3, correct5,
5783                            correct6};
5784 
5785     for (i = 0; i < 6; i++) {
5786         ret = wc_Poly1305SetKey(&enc, keys[i], 32);
5787         if (ret != 0)
5788             return -4800 - i;
5789 
5790         ret = wc_Poly1305Update(&enc, msgs[i], szm[i]);
5791         if (ret != 0)
5792             return -4810 - i;
5793 
5794         ret = wc_Poly1305Final(&enc, tag);
5795         if (ret != 0)
5796             return -4820 - i;
5797 
5798         if (XMEMCMP(tag, tests[i], sizeof(tag)))
5799             return -4830 - i;
5800     }
5801 
5802     /* Check TLS MAC function from 2.8.2 https://tools.ietf.org/html/rfc7539 */
5803     XMEMSET(tag, 0, sizeof(tag));
5804     ret = wc_Poly1305SetKey(&enc, key4, sizeof(key4));
5805     if (ret != 0)
5806         return -4840;
5807 
5808     ret = wc_Poly1305_MAC(&enc, additional, sizeof(additional),
5809                                    (byte*)msg4, sizeof(msg4), tag, sizeof(tag));
5810     if (ret != 0)
5811         return -4841;
5812 
5813     if (XMEMCMP(tag, correct4, sizeof(tag)))
5814         return -4842;
5815 
5816     /* Check fail of TLS MAC function if altering additional data */
5817     XMEMSET(tag, 0, sizeof(tag));
5818     additional[0]++;
5819     ret = wc_Poly1305_MAC(&enc, additional, sizeof(additional),
5820                                    (byte*)msg4, sizeof(msg4), tag, sizeof(tag));
5821     if (ret != 0)
5822         return -4843;
5823 
5824     if (XMEMCMP(tag, correct4, sizeof(tag)) == 0)
5825         return -4844;
5826 
5827 
5828     return 0;
5829 }
5830 #endif /* HAVE_POLY1305 */
5831 
5832 
5833 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
chacha20_poly1305_aead_test(void)5834 WOLFSSL_TEST_SUBROUTINE int chacha20_poly1305_aead_test(void)
5835 {
5836     /* Test #1 from Section 2.8.2 of draft-irtf-cfrg-chacha20-poly1305-10 */
5837     /* https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10  */
5838 
5839     WOLFSSL_SMALL_STACK_STATIC const byte key1[] = {
5840         0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
5841         0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
5842         0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
5843         0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
5844     };
5845 
5846     WOLFSSL_SMALL_STACK_STATIC const byte plaintext1[] = {
5847         0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
5848         0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
5849         0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
5850         0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
5851         0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
5852         0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
5853         0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
5854         0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
5855         0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
5856         0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
5857         0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
5858         0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
5859         0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
5860         0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
5861         0x74, 0x2e
5862     };
5863 
5864     WOLFSSL_SMALL_STACK_STATIC const byte iv1[] = {
5865         0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43,
5866         0x44, 0x45, 0x46, 0x47
5867     };
5868 
5869     WOLFSSL_SMALL_STACK_STATIC const byte aad1[] = { /* additional data */
5870         0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
5871         0xc4, 0xc5, 0xc6, 0xc7
5872     };
5873 
5874     WOLFSSL_SMALL_STACK_STATIC const byte cipher1[] = { /* expected output from operation */
5875         0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
5876         0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
5877         0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
5878         0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
5879         0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
5880         0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
5881         0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
5882         0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
5883         0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
5884         0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
5885         0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
5886         0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
5887         0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
5888         0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
5889         0x61, 0x16
5890     };
5891 
5892     WOLFSSL_SMALL_STACK_STATIC const byte authTag1[] = { /* expected output from operation */
5893         0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
5894         0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
5895     };
5896 
5897     /* Test #2 from Appendix A.2 in draft-irtf-cfrg-chacha20-poly1305-10 */
5898     /* https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10  */
5899 
5900     WOLFSSL_SMALL_STACK_STATIC const byte key2[] = {
5901         0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
5902         0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
5903         0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
5904         0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
5905     };
5906 
5907     WOLFSSL_SMALL_STACK_STATIC const byte plaintext2[] = {
5908         0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
5909         0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
5910         0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
5911         0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
5912         0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
5913         0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
5914         0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
5915         0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
5916         0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
5917         0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
5918         0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
5919         0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
5920         0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
5921         0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
5922         0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
5923         0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
5924         0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
5925         0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
5926         0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
5927         0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
5928         0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
5929         0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
5930         0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
5931         0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
5932         0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
5933         0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
5934         0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
5935         0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
5936         0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
5937         0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
5938         0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
5939         0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
5940         0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
5941         0x9d
5942     };
5943 
5944     WOLFSSL_SMALL_STACK_STATIC const byte iv2[] = {
5945         0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04,
5946         0x05, 0x06, 0x07, 0x08
5947     };
5948 
5949     WOLFSSL_SMALL_STACK_STATIC const byte aad2[] = { /* additional data */
5950         0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
5951         0x00, 0x00, 0x4e, 0x91
5952     };
5953 
5954     WOLFSSL_SMALL_STACK_STATIC const byte cipher2[] = { /* expected output from operation */
5955         0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4,
5956         0x60, 0xf0, 0x62, 0xc7, 0x9b, 0xe6, 0x43, 0xbd,
5957         0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89,
5958         0xf1, 0x08, 0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2,
5959         0x4c, 0x6c, 0xfc, 0x18, 0x75, 0x5d, 0x43, 0xee,
5960         0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0,
5961         0xbd, 0xb7, 0xb7, 0x3c, 0x32, 0x1b, 0x01, 0x00,
5962         0xd4, 0xf0, 0x3b, 0x7f, 0x35, 0x58, 0x94, 0xcf,
5963         0x33, 0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce,
5964         0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b, 0x94, 0x81,
5965         0x14, 0xad, 0x17, 0x6e, 0x00, 0x8d, 0x33, 0xbd,
5966         0x60, 0xf9, 0x82, 0xb1, 0xff, 0x37, 0xc8, 0x55,
5967         0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61,
5968         0xc1, 0x86, 0x32, 0x4e, 0x2b, 0x35, 0x06, 0x38,
5969         0x36, 0x06, 0x90, 0x7b, 0x6a, 0x7c, 0x02, 0xb0,
5970         0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4,
5971         0xb9, 0x16, 0x6c, 0x76, 0x7b, 0x80, 0x4d, 0x46,
5972         0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4, 0xe9,
5973         0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e,
5974         0xe2, 0x82, 0xa1, 0xb0, 0xa0, 0x6c, 0x52, 0x3e,
5975         0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15,
5976         0x5b, 0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a,
5977         0x0d, 0x07, 0x2b, 0x04, 0xb3, 0x56, 0x4e, 0xea,
5978         0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a,
5979         0x0b, 0xb2, 0x31, 0x60, 0x53, 0xfa, 0x76, 0x99,
5980         0x19, 0x55, 0xeb, 0xd6, 0x31, 0x59, 0x43, 0x4e,
5981         0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10,
5982         0x73, 0xa6, 0x72, 0x76, 0x27, 0x09, 0x7a, 0x10,
5983         0x49, 0xe6, 0x17, 0xd9, 0x1d, 0x36, 0x10, 0x94,
5984         0xfa, 0x68, 0xf0, 0xff, 0x77, 0x98, 0x71, 0x30,
5985         0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04, 0xdf,
5986         0x99, 0x7b, 0x71, 0x4d, 0x6c, 0x6f, 0x2c, 0x29,
5987         0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70,
5988         0x9b
5989     };
5990 
5991     WOLFSSL_SMALL_STACK_STATIC const byte authTag2[] = { /* expected output from operation */
5992         0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb, 0x22,
5993         0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f, 0x38
5994     };
5995 
5996     byte generatedCiphertext[265]; /* max plaintext2/cipher2 */
5997     byte generatedPlaintext[265];  /* max plaintext2/cipher2 */
5998     byte generatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE];
5999     int err;
6000 
6001     ChaChaPoly_Aead aead;
6002 
6003 #if !defined(USE_INTEL_CHACHA_SPEEDUP) && !defined(WOLFSSL_ARMASM)
6004     #define TEST_SMALL_CHACHA_CHUNKS 32
6005 #else
6006     #define TEST_SMALL_CHACHA_CHUNKS 64
6007 #endif
6008     #ifdef TEST_SMALL_CHACHA_CHUNKS
6009     word32 testLen;
6010     #endif
6011 
6012     XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext));
6013     XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag));
6014     XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext));
6015 
6016     /* Parameter Validation testing */
6017     /* Encrypt */
6018     err = wc_ChaCha20Poly1305_Encrypt(NULL, iv1, aad1, sizeof(aad1), plaintext1,
6019             sizeof(plaintext1), generatedCiphertext, generatedAuthTag);
6020     if (err != BAD_FUNC_ARG)
6021         return -4900;
6022     err = wc_ChaCha20Poly1305_Encrypt(key1, NULL, aad1, sizeof(aad1),
6023             plaintext1, sizeof(plaintext1), generatedCiphertext,
6024             generatedAuthTag);
6025     if (err != BAD_FUNC_ARG)
6026         return -4901;
6027     err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), NULL,
6028             sizeof(plaintext1), generatedCiphertext, generatedAuthTag);
6029     if (err != BAD_FUNC_ARG)
6030         return -4902;
6031     err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), plaintext1,
6032             sizeof(plaintext1), NULL, generatedAuthTag);
6033     if (err != BAD_FUNC_ARG)
6034         return -4903;
6035     err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), plaintext1,
6036             sizeof(plaintext1), generatedCiphertext, NULL);
6037     if (err != BAD_FUNC_ARG)
6038         return -4904;
6039     err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), plaintext1,
6040             0, generatedCiphertext, generatedAuthTag);
6041     if (err != BAD_FUNC_ARG)
6042         return -4905;
6043     /* Decrypt */
6044     err = wc_ChaCha20Poly1305_Decrypt(NULL, iv2, aad2, sizeof(aad2), cipher2,
6045             sizeof(cipher2), authTag2, generatedPlaintext);
6046     if (err != BAD_FUNC_ARG)
6047         return -4906;
6048     err = wc_ChaCha20Poly1305_Decrypt(key2, NULL, aad2, sizeof(aad2), cipher2,
6049             sizeof(cipher2), authTag2, generatedPlaintext);
6050     if (err != BAD_FUNC_ARG)
6051         return -4907;
6052     err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), NULL,
6053             sizeof(cipher2), authTag2, generatedPlaintext);
6054     if (err != BAD_FUNC_ARG)
6055         return -4908;
6056     err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), cipher2,
6057             sizeof(cipher2), NULL, generatedPlaintext);
6058     if (err != BAD_FUNC_ARG)
6059         return -4909;
6060     err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), cipher2,
6061             sizeof(cipher2), authTag2, NULL);
6062     if (err != BAD_FUNC_ARG)
6063         return -4910;
6064     err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), cipher2,
6065             0, authTag2, generatedPlaintext);
6066     if (err != BAD_FUNC_ARG)
6067         return -4911;
6068 
6069 
6070     /* Test #1 */
6071     err = wc_ChaCha20Poly1305_Encrypt(key1, iv1,
6072                                        aad1, sizeof(aad1),
6073                                        plaintext1, sizeof(plaintext1),
6074                                        generatedCiphertext, generatedAuthTag);
6075     if (err) {
6076         return err;
6077     }
6078 
6079     /* -- Check the ciphertext and authtag */
6080     if (XMEMCMP(generatedCiphertext, cipher1, sizeof(cipher1))) {
6081         return -4912;
6082     }
6083     if (XMEMCMP(generatedAuthTag, authTag1, sizeof(authTag1))) {
6084         return -4913;
6085     }
6086 
6087     /* -- Verify decryption works */
6088     err = wc_ChaCha20Poly1305_Decrypt(key1, iv1,
6089                                        aad1, sizeof(aad1),
6090                                        cipher1, sizeof(cipher1),
6091                                        authTag1, generatedPlaintext);
6092     if (err) {
6093         return err;
6094     }
6095     if (XMEMCMP(generatedPlaintext, plaintext1, sizeof(plaintext1))) {
6096         return -4914;
6097     }
6098 
6099 
6100     XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext));
6101     XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag));
6102     XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext));
6103 
6104     /* Test #2 */
6105     err = wc_ChaCha20Poly1305_Encrypt(key2, iv2,
6106                                        aad2, sizeof(aad2),
6107                                        plaintext2, sizeof(plaintext2),
6108                                        generatedCiphertext, generatedAuthTag);
6109     if (err) {
6110         return err;
6111     }
6112 
6113     /* -- Check the ciphertext and authtag */
6114     if (XMEMCMP(generatedCiphertext, cipher2, sizeof(cipher2))) {
6115         return -4915;
6116     }
6117     if (XMEMCMP(generatedAuthTag, authTag2, sizeof(authTag2))) {
6118         return -4916;
6119     }
6120 
6121     /* -- Verify decryption works */
6122     err = wc_ChaCha20Poly1305_Decrypt(key2, iv2,
6123                                       aad2, sizeof(aad2),
6124                                       cipher2, sizeof(cipher2),
6125                                       authTag2, generatedPlaintext);
6126     if (err) {
6127         return err;
6128     }
6129 
6130     if (XMEMCMP(generatedPlaintext, plaintext2, sizeof(plaintext2))) {
6131         return -4917;
6132     }
6133 
6134 
6135     /* AEAD init/update/final - bad argument tests */
6136     err = wc_ChaCha20Poly1305_Init(NULL, key1, iv1,
6137         CHACHA20_POLY1305_AEAD_DECRYPT);
6138     if (err != BAD_FUNC_ARG)
6139         return -4918;
6140     err = wc_ChaCha20Poly1305_Init(&aead, NULL, iv1,
6141         CHACHA20_POLY1305_AEAD_DECRYPT);
6142     if (err != BAD_FUNC_ARG)
6143         return -4919;
6144     err = wc_ChaCha20Poly1305_Init(&aead, key1, NULL,
6145         CHACHA20_POLY1305_AEAD_DECRYPT);
6146     if (err != BAD_FUNC_ARG)
6147         return -4920;
6148     err = wc_ChaCha20Poly1305_UpdateAad(NULL, aad1, sizeof(aad1));
6149     if (err != BAD_FUNC_ARG)
6150         return -4921;
6151     err = wc_ChaCha20Poly1305_UpdateAad(&aead, NULL, sizeof(aad1));
6152     if (err != BAD_FUNC_ARG)
6153         return -4922;
6154     err = wc_ChaCha20Poly1305_UpdateData(NULL, generatedPlaintext,
6155         generatedPlaintext, sizeof(plaintext1));
6156     if (err != BAD_FUNC_ARG)
6157         return -4923;
6158     err = wc_ChaCha20Poly1305_UpdateData(&aead, generatedPlaintext, NULL,
6159         sizeof(plaintext1));
6160     if (err != BAD_FUNC_ARG)
6161         return -4924;
6162     err = wc_ChaCha20Poly1305_UpdateData(&aead, NULL, generatedPlaintext,
6163         sizeof(plaintext1));
6164     if (err != BAD_FUNC_ARG)
6165         return -4925;
6166     err = wc_ChaCha20Poly1305_Final(NULL, generatedAuthTag);
6167     if (err != BAD_FUNC_ARG)
6168         return -4926;
6169     err = wc_ChaCha20Poly1305_Final(&aead, NULL);
6170     if (err != BAD_FUNC_ARG)
6171         return -4927;
6172 
6173     /* AEAD init/update/final - bad state tests */
6174     /* clear struct - make valgrind happy to resolve
6175         "Conditional jump or move depends on uninitialised value(s)".
6176         The enum is "int" size and aead.state is "byte" */
6177     /* The wc_ChaCha20Poly1305_Init function does this normally */
6178     XMEMSET(&aead, 0, sizeof(aead));
6179     aead.state = CHACHA20_POLY1305_STATE_INIT;
6180     err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad1, sizeof(aad1));
6181     if (err != BAD_STATE_E)
6182         return -4928;
6183     aead.state = CHACHA20_POLY1305_STATE_DATA;
6184     err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad1, sizeof(aad1));
6185     if (err != BAD_STATE_E)
6186         return -4929;
6187     aead.state = CHACHA20_POLY1305_STATE_INIT;
6188     err = wc_ChaCha20Poly1305_UpdateData(&aead, generatedPlaintext,
6189         generatedPlaintext, sizeof(plaintext1));
6190     if (err != BAD_STATE_E)
6191         return -4930;
6192     aead.state = CHACHA20_POLY1305_STATE_INIT;
6193     err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
6194     if (err != BAD_STATE_E)
6195         return -4931;
6196     aead.state = CHACHA20_POLY1305_STATE_READY;
6197     err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
6198     if (err != BAD_STATE_E)
6199         return -4932;
6200 
6201     XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext));
6202     XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag));
6203     XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext));
6204 
6205     /* Test 1 - Encrypt */
6206     err = wc_ChaCha20Poly1305_Init(&aead, key1, iv1,
6207         CHACHA20_POLY1305_AEAD_ENCRYPT);
6208     if (err != 0)
6209         return -4933;
6210     err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad1, sizeof(aad1));
6211     if (err != 0)
6212         return -4934;
6213 #ifdef TEST_SMALL_CHACHA_CHUNKS
6214     /* test doing data in smaller chunks */
6215     for (testLen=0; testLen<sizeof(plaintext1); ) {
6216         word32 dataLen = sizeof(plaintext1) - testLen;
6217         if (dataLen > TEST_SMALL_CHACHA_CHUNKS)
6218             dataLen = TEST_SMALL_CHACHA_CHUNKS;
6219         err = wc_ChaCha20Poly1305_UpdateData(&aead, &plaintext1[testLen],
6220             &generatedCiphertext[testLen], dataLen);
6221         if (err != 0)
6222             return -4935;
6223         testLen += dataLen;
6224     }
6225 #else
6226     err = wc_ChaCha20Poly1305_UpdateData(&aead, plaintext1,
6227         generatedCiphertext, sizeof(plaintext1));
6228 #endif
6229     err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
6230     if (err != 0)
6231         return -4936;
6232     err = wc_ChaCha20Poly1305_CheckTag(generatedAuthTag, authTag1);
6233     if (err != 0)
6234         return -4937;
6235     if (XMEMCMP(generatedCiphertext, cipher1, sizeof(cipher1))) {
6236         return -4938;
6237     }
6238 
6239     /* Test 1 - Decrypt */
6240     err = wc_ChaCha20Poly1305_Init(&aead, key1, iv1,
6241         CHACHA20_POLY1305_AEAD_DECRYPT);
6242     if (err != 0)
6243         return -4939;
6244     err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad1, sizeof(aad1));
6245     if (err != 0)
6246         return -4940;
6247 #ifdef TEST_SMALL_CHACHA_CHUNKS
6248     /* test doing data in smaller chunks */
6249     for (testLen=0; testLen<sizeof(plaintext1); ) {
6250         word32 dataLen = sizeof(plaintext1) - testLen;
6251         if (dataLen > TEST_SMALL_CHACHA_CHUNKS)
6252             dataLen = TEST_SMALL_CHACHA_CHUNKS;
6253         err = wc_ChaCha20Poly1305_UpdateData(&aead,
6254             &generatedCiphertext[testLen], &generatedPlaintext[testLen],
6255             dataLen);
6256         if (err != 0)
6257             return -4941;
6258         testLen += dataLen;
6259     }
6260 #else
6261     err = wc_ChaCha20Poly1305_UpdateData(&aead, generatedCiphertext,
6262         generatedPlaintext, sizeof(cipher1));
6263 #endif
6264     err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
6265     if (err != 0)
6266         return -4942;
6267     err = wc_ChaCha20Poly1305_CheckTag(generatedAuthTag, authTag1);
6268     if (err != 0)
6269         return -4943;
6270     if (XMEMCMP(generatedPlaintext, plaintext1, sizeof(plaintext1))) {
6271         return -4944;
6272     }
6273 
6274     XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext));
6275     XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag));
6276     XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext));
6277 
6278     /* Test 2 - Encrypt */
6279     err = wc_ChaCha20Poly1305_Init(&aead, key2, iv2,
6280         CHACHA20_POLY1305_AEAD_ENCRYPT);
6281     if (err != 0)
6282         return -4945;
6283     err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad2, sizeof(aad2));
6284     if (err != 0)
6285         return -4946;
6286 #ifdef TEST_SMALL_CHACHA_CHUNKS
6287     /* test doing data in smaller chunks */
6288     for (testLen=0; testLen<sizeof(plaintext2); ) {
6289         word32 dataLen = sizeof(plaintext2) - testLen;
6290         if (dataLen > TEST_SMALL_CHACHA_CHUNKS)
6291             dataLen = TEST_SMALL_CHACHA_CHUNKS;
6292         err = wc_ChaCha20Poly1305_UpdateData(&aead, &plaintext2[testLen],
6293             &generatedCiphertext[testLen], dataLen);
6294         if (err != 0)
6295             return -4947;
6296         testLen += dataLen;
6297     }
6298 #else
6299     err = wc_ChaCha20Poly1305_UpdateData(&aead, plaintext2, generatedCiphertext,
6300         sizeof(plaintext2));
6301 #endif
6302     err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
6303     if (err != 0)
6304         return -4948;
6305     err = wc_ChaCha20Poly1305_CheckTag(generatedAuthTag, authTag2);
6306     if (err != 0)
6307         return -4949;
6308     if (XMEMCMP(generatedCiphertext, cipher2, sizeof(cipher2))) {
6309         return -4950;
6310     }
6311 
6312     /* Test 2 - Decrypt */
6313     err = wc_ChaCha20Poly1305_Init(&aead, key2, iv2,
6314         CHACHA20_POLY1305_AEAD_DECRYPT);
6315     if (err != 0)
6316         return -4951;
6317     err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad2, sizeof(aad2));
6318     if (err != 0)
6319         return -4952;
6320 #ifdef TEST_SMALL_CHACHA_CHUNKS
6321     /* test doing data in smaller chunks */
6322     for (testLen=0; testLen<sizeof(plaintext2); ) {
6323         word32 dataLen = sizeof(plaintext2) - testLen;
6324         if (dataLen > TEST_SMALL_CHACHA_CHUNKS)
6325             dataLen = TEST_SMALL_CHACHA_CHUNKS;
6326         err = wc_ChaCha20Poly1305_UpdateData(&aead,
6327             &generatedCiphertext[testLen], &generatedPlaintext[testLen],
6328             dataLen);
6329         if (err != 0)
6330             return -4953;
6331         testLen += dataLen;
6332     }
6333 #else
6334     err = wc_ChaCha20Poly1305_UpdateData(&aead, generatedCiphertext,
6335         generatedPlaintext, sizeof(cipher2));
6336 #endif
6337     err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
6338     if (err != 0)
6339         return -4954;
6340     err = wc_ChaCha20Poly1305_CheckTag(generatedAuthTag, authTag2);
6341     if (err != 0)
6342         return -4955;
6343     if (XMEMCMP(generatedPlaintext, plaintext2, sizeof(plaintext2))) {
6344         return -4956;
6345     }
6346 
6347     return err;
6348 }
6349 #endif /* HAVE_CHACHA && HAVE_POLY1305 */
6350 
6351 
6352 #ifndef NO_DES3
des_test(void)6353 WOLFSSL_TEST_SUBROUTINE int des_test(void)
6354 {
6355     WOLFSSL_SMALL_STACK_STATIC const byte vector[] = { /* "now is the time for all " w/o trailing 0 */
6356         0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
6357         0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
6358         0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
6359     };
6360 
6361     byte plain[24];
6362     byte cipher[24];
6363 
6364     Des enc;
6365     Des dec;
6366 
6367     WOLFSSL_SMALL_STACK_STATIC const byte key[] =
6368     {
6369         0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
6370     };
6371 
6372     WOLFSSL_SMALL_STACK_STATIC const byte iv[] =
6373     {
6374         0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef
6375     };
6376 
6377     WOLFSSL_SMALL_STACK_STATIC const byte verify[] =
6378     {
6379         0x8b,0x7c,0x52,0xb0,0x01,0x2b,0x6c,0xb8,
6380         0x4f,0x0f,0xeb,0xf3,0xfb,0x5f,0x86,0x73,
6381         0x15,0x85,0xb3,0x22,0x4b,0x86,0x2b,0x4b
6382     };
6383 
6384     int ret;
6385 
6386     ret = wc_Des_SetKey(&enc, key, iv, DES_ENCRYPTION);
6387     if (ret != 0)
6388         return -5000;
6389 
6390     ret = wc_Des_CbcEncrypt(&enc, cipher, vector, sizeof(vector));
6391     if (ret != 0)
6392         return -5001;
6393 
6394     ret = wc_Des_SetKey(&dec, key, iv, DES_DECRYPTION);
6395     if (ret != 0)
6396         return -5002;
6397 
6398     ret = wc_Des_CbcDecrypt(&dec, plain, cipher, sizeof(cipher));
6399     if (ret != 0)
6400         return -5003;
6401 
6402     if (XMEMCMP(plain, vector, sizeof(plain)))
6403         return -5004;
6404 
6405     if (XMEMCMP(cipher, verify, sizeof(cipher)))
6406         return -5005;
6407 
6408     ret = wc_Des_CbcEncryptWithKey(cipher, vector, sizeof(vector), key, iv);
6409     if (ret != 0)
6410         return -5006;
6411 
6412 #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_SHA)
6413     {
6414         EncryptedInfo info;
6415         XMEMSET(&info, 0, sizeof(EncryptedInfo));
6416         XMEMCPY(info.iv, iv, sizeof(iv));
6417         info.ivSz = sizeof(iv);
6418         info.keySz = sizeof(key);
6419         info.cipherType = WC_CIPHER_DES;
6420 
6421         ret = wc_BufferKeyEncrypt(&info, cipher, sizeof(cipher), key,
6422                 sizeof(key), WC_HASH_TYPE_SHA);
6423         if (ret != 0)
6424             return -5007;
6425 
6426         /* Test invalid info ptr */
6427         ret = wc_BufferKeyEncrypt(NULL, cipher, sizeof(cipher), key,
6428                 sizeof(key), WC_HASH_TYPE_SHA);
6429         if (ret != BAD_FUNC_ARG)
6430             return -5008;
6431 
6432     #ifndef NO_PWDBASED
6433         /* Test invalid hash type - only applies to wc_PBKDF1 call */
6434         ret = wc_BufferKeyEncrypt(&info, cipher, sizeof(cipher), key,
6435                 sizeof(key), WC_HASH_TYPE_NONE);
6436         if (ret == 0)
6437             return -5009;
6438     #endif /* !NO_PWDBASED */
6439     }
6440 #endif
6441 
6442     return 0;
6443 }
6444 #endif /* !NO_DES3 */
6445 
6446 
6447 #ifndef NO_DES3
des3_test(void)6448 WOLFSSL_TEST_SUBROUTINE int des3_test(void)
6449 {
6450     WOLFSSL_SMALL_STACK_STATIC const byte vector[] = { /* "Now is the time for all " w/o trailing 0 */
6451         0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
6452         0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
6453         0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
6454     };
6455 
6456     byte plain[24];
6457     byte cipher[24];
6458 
6459     Des3 enc;
6460     Des3 dec;
6461 
6462     WOLFSSL_SMALL_STACK_STATIC const byte key3[] =
6463     {
6464         0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
6465         0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10,
6466         0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67
6467     };
6468     WOLFSSL_SMALL_STACK_STATIC const byte iv3[] =
6469     {
6470         0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef,
6471         0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
6472         0x11,0x21,0x31,0x41,0x51,0x61,0x71,0x81
6473 
6474     };
6475 
6476     WOLFSSL_SMALL_STACK_STATIC const byte verify3[] =
6477     {
6478         0x43,0xa0,0x29,0x7e,0xd1,0x84,0xf8,0x0e,
6479         0x89,0x64,0x84,0x32,0x12,0xd5,0x08,0x98,
6480         0x18,0x94,0x15,0x74,0x87,0x12,0x7d,0xb0
6481     };
6482 
6483     int ret;
6484 
6485 
6486     if (wc_Des3Init(&enc, HEAP_HINT, devId) != 0)
6487         return -5100;
6488     if (wc_Des3Init(&dec, HEAP_HINT, devId) != 0)
6489         return -5101;
6490 
6491     ret = wc_Des3_SetKey(&enc, key3, iv3, DES_ENCRYPTION);
6492     if (ret != 0)
6493         return -5102;
6494     ret = wc_Des3_SetKey(&dec, key3, iv3, DES_DECRYPTION);
6495     if (ret != 0)
6496         return -5103;
6497     ret = wc_Des3_CbcEncrypt(&enc, cipher, vector, sizeof(vector));
6498 #if defined(WOLFSSL_ASYNC_CRYPT)
6499     ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
6500 #endif
6501     if (ret != 0)
6502         return -5104;
6503     ret = wc_Des3_CbcDecrypt(&dec, plain, cipher, sizeof(cipher));
6504 #if defined(WOLFSSL_ASYNC_CRYPT)
6505     ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
6506 #endif
6507     if (ret != 0)
6508         return -5105;
6509 
6510     if (XMEMCMP(plain, vector, sizeof(plain)))
6511         return -5106;
6512 
6513     if (XMEMCMP(cipher, verify3, sizeof(cipher)))
6514         return -5107;
6515 
6516 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
6517     /* test the same vectors with using compatibility layer */
6518     {
6519         DES_key_schedule ks1;
6520         DES_key_schedule ks2;
6521         DES_key_schedule ks3;
6522         DES_cblock iv4;
6523 
6524         XMEMCPY(ks1, key3, sizeof(DES_key_schedule));
6525         XMEMCPY(ks2, key3 + 8, sizeof(DES_key_schedule));
6526         XMEMCPY(ks3, key3 + 16, sizeof(DES_key_schedule));
6527         XMEMCPY(iv4, iv3, sizeof(DES_cblock));
6528 
6529         XMEMSET(plain, 0, sizeof(plain));
6530         XMEMSET(cipher, 0, sizeof(cipher));
6531 
6532         DES_ede3_cbc_encrypt(vector, cipher, sizeof(vector), &ks1, &ks2, &ks3,
6533                 &iv4, DES_ENCRYPT);
6534         DES_ede3_cbc_encrypt(cipher, plain, sizeof(cipher), &ks1, &ks2, &ks3,
6535                 &iv4, DES_DECRYPT);
6536 
6537         if (XMEMCMP(plain, vector, sizeof(plain)))
6538             return -5108;
6539 
6540         if (XMEMCMP(cipher, verify3, sizeof(cipher)))
6541             return -5109;
6542     }
6543 #endif /* OPENSSL_EXTRA */
6544 
6545     wc_Des3Free(&enc);
6546     wc_Des3Free(&dec);
6547 
6548 #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_SHA)
6549     {
6550         EncryptedInfo info;
6551         XMEMSET(&info, 0, sizeof(EncryptedInfo));
6552         XMEMCPY(info.iv, iv3, sizeof(iv3));
6553         info.ivSz = sizeof(iv3);
6554         info.keySz = sizeof(key3);
6555         info.cipherType = WC_CIPHER_DES3;
6556 
6557         ret = wc_BufferKeyEncrypt(&info, cipher, sizeof(cipher), key3,
6558                 sizeof(key3), WC_HASH_TYPE_SHA);
6559         if (ret != 0)
6560             return -5110;
6561     }
6562 #endif
6563 
6564     return 0;
6565 }
6566 #endif /* NO_DES3 */
6567 
6568 
6569 #ifndef NO_AES
6570 
6571 #if defined(WOLFSSL_AES_OFB) || defined(WOLFSSL_AES_CFB) || \
6572     defined(WOLFSSL_AES_XTS)
6573 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
6574     && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
6575 /* pass in the function, key, iv, plain text and expected and this function
6576  * tests that the encryption and decryption is successful */
EVP_test(const WOLFSSL_EVP_CIPHER * type,const byte * key,const byte * iv,const byte * plain,int plainSz,const byte * expected,int expectedSz)6577 static int EVP_test(const WOLFSSL_EVP_CIPHER* type, const byte* key,
6578         const byte* iv, const byte* plain, int plainSz,
6579         const byte* expected, int expectedSz)
6580 {
6581 #ifdef WOLFSSL_SMALL_STACK
6582     EVP_CIPHER_CTX *ctx = NULL;
6583 #else
6584     EVP_CIPHER_CTX ctx[1];
6585 #endif
6586     int idx, ret = 0, cipherSz;
6587     byte* cipher;
6588 
6589 #ifdef WOLFSSL_SMALL_STACK
6590     if ((ctx = wolfSSL_EVP_CIPHER_CTX_new()) == NULL)
6591         return MEMORY_E;
6592 #endif
6593 
6594     cipher = (byte*)XMALLOC(plainSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
6595     if (cipher == NULL) {
6596         ret = -5120;
6597         goto EVP_TEST_END;
6598     }
6599 
6600     /* test encrypt */
6601     EVP_CIPHER_CTX_init(ctx);
6602     if (EVP_CipherInit(ctx, type, key, iv, 1) == 0) {
6603         ret = -5121;
6604         goto EVP_TEST_END;
6605     }
6606 
6607     if (EVP_CipherUpdate(ctx, cipher, &idx, plain, expectedSz) == 0) {
6608         ret = -5122;
6609         goto EVP_TEST_END;
6610     }
6611 
6612     cipherSz = idx;
6613     if (EVP_CipherFinal(ctx, cipher + cipherSz, &idx) == 0) {
6614         ret = -5123;
6615         goto EVP_TEST_END;
6616     }
6617     cipherSz += idx;
6618 
6619     if (XMEMCMP(cipher, expected, plainSz)) {
6620         ret = -5124;
6621         goto EVP_TEST_END;
6622     }
6623 
6624     /* test decrypt */
6625     EVP_CIPHER_CTX_init(ctx);
6626     if (EVP_CipherInit(ctx, type, key, iv, 0) == 0) {
6627         ret = -5125;
6628         goto EVP_TEST_END;
6629     }
6630 
6631     if (EVP_CipherUpdate(ctx, cipher, &idx, cipher, expectedSz) == 0) {
6632         ret = -5126;
6633         goto EVP_TEST_END;
6634     }
6635 
6636     cipherSz = idx;
6637     if (EVP_CipherFinal(ctx, cipher + cipherSz, &idx) == 0) {
6638         ret = -5127;
6639         goto EVP_TEST_END;
6640     }
6641     cipherSz += idx;
6642 
6643     if ((expectedSz != cipherSz) || XMEMCMP(plain, cipher, plainSz)) {
6644         ret = -5128;
6645         goto EVP_TEST_END;
6646     }
6647 
6648 EVP_TEST_END:
6649     if (cipher)
6650         XFREE(cipher, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
6651     (void)cipherSz;
6652 #ifdef WOLFSSL_SMALL_STACK
6653     wolfSSL_EVP_CIPHER_CTX_free(ctx);
6654 #endif
6655 
6656     return ret;
6657 }
6658 #endif /* OPENSSL_EXTRA */
6659 #endif /* WOLFSSL_AES_OFB || WOLFSSL_AES_CFB */
6660 
6661 #ifdef WOLFSSL_AES_OFB
6662     /* test vector from https://csrc.nist.gov/Projects/cryptographic-algorithm-validation-program/Block-Ciphers */
aesofb_test(void)6663     WOLFSSL_TEST_SUBROUTINE int aesofb_test(void)
6664     {
6665     #ifdef WOLFSSL_AES_256
6666         WOLFSSL_SMALL_STACK_STATIC const byte key1[] =
6667         {
6668             0xc4,0xc7,0xfa,0xd6,0x53,0x5c,0xb8,0x71,
6669             0x4a,0x5c,0x40,0x77,0x9a,0x8b,0xa1,0xd2,
6670             0x53,0x3e,0x23,0xb4,0xb2,0x58,0x73,0x2a,
6671             0x5b,0x78,0x01,0xf4,0xe3,0x71,0xa7,0x94
6672         };
6673         WOLFSSL_SMALL_STACK_STATIC const byte iv1[] =
6674         {
6675             0x5e,0xb9,0x33,0x13,0xb8,0x71,0xff,0x16,
6676             0xb9,0x8a,0x9b,0xcb,0x43,0x33,0x0d,0x6f
6677         };
6678         WOLFSSL_SMALL_STACK_STATIC const byte plain1[] =
6679         {
6680             0x6d,0x0b,0xb0,0x79,0x63,0x84,0x71,0xe9,
6681             0x39,0xd4,0x53,0x14,0x86,0xc1,0x4c,0x25,
6682             0x9a,0xee,0xc6,0xf3,0xc0,0x0d,0xfd,0xd6,
6683             0xc0,0x50,0xa8,0xba,0xa8,0x20,0xdb,0x71,
6684             0xcc,0x12,0x2c,0x4e,0x0c,0x17,0x15,0xef,
6685             0x55,0xf3,0x99,0x5a,0x6b,0xf0,0x2a,0x4c
6686         };
6687         WOLFSSL_SMALL_STACK_STATIC const byte cipher1[] =
6688         {
6689             0x0f,0x54,0x61,0x71,0x59,0xd0,0x3f,0xfc,
6690             0x1b,0xfa,0xfb,0x60,0x29,0x30,0xd7,0x00,
6691             0xf4,0xa4,0xa8,0xe6,0xdd,0x93,0x94,0x46,
6692             0x64,0xd2,0x19,0xc4,0xc5,0x4d,0xde,0x1b,
6693             0x04,0x53,0xe1,0x73,0xf5,0x18,0x74,0xae,
6694             0xfd,0x64,0xa2,0xe1,0xe2,0x76,0x13,0xb0
6695         };
6696     #endif /* WOLFSSL_AES_256 */
6697 
6698 
6699     #ifdef WOLFSSL_AES_128
6700         WOLFSSL_SMALL_STACK_STATIC const byte key2[] =
6701         {
6702             0x10,0xa5,0x88,0x69,0xd7,0x4b,0xe5,0xa3,
6703             0x74,0xcf,0x86,0x7c,0xfb,0x47,0x38,0x59
6704         };
6705         WOLFSSL_SMALL_STACK_STATIC const byte iv2[] =
6706         {
6707             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
6708             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
6709         };
6710         WOLFSSL_SMALL_STACK_STATIC const byte plain2[] =
6711         {
6712             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
6713             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
6714         };
6715         WOLFSSL_SMALL_STACK_STATIC const byte cipher2[] =
6716         {
6717             0x6d,0x25,0x1e,0x69,0x44,0xb0,0x51,0xe0,
6718             0x4e,0xaa,0x6f,0xb4,0xdb,0xf7,0x84,0x65
6719         };
6720     #endif /* WOLFSSL_AES_128 */
6721 
6722 
6723     #ifdef WOLFSSL_AES_192
6724         WOLFSSL_SMALL_STACK_STATIC const byte key3[] = {
6725             0xd0,0x77,0xa0,0x3b,0xd8,0xa3,0x89,0x73,
6726             0x92,0x8c,0xca,0xfe,0x4a,0x9d,0x2f,0x45,
6727             0x51,0x30,0xbd,0x0a,0xf5,0xae,0x46,0xa9
6728         };
6729         WOLFSSL_SMALL_STACK_STATIC const byte iv3[] =
6730         {
6731             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
6732             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
6733         };
6734         WOLFSSL_SMALL_STACK_STATIC const byte cipher3[] =
6735         {
6736             0xab,0xc7,0x86,0xfb,0x1e,0xdb,0x50,0x45,
6737             0x80,0xc4,0xd8,0x82,0xef,0x29,0xa0,0xc7
6738         };
6739         WOLFSSL_SMALL_STACK_STATIC const byte plain3[] =
6740         {
6741             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
6742             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
6743         };
6744     #endif /* WOLFSSL_AES_192 */
6745 
6746 #ifdef WOLFSSL_SMALL_STACK
6747         Aes *enc = NULL;
6748 #else
6749         Aes enc[1];
6750 #endif
6751         byte cipher[AES_BLOCK_SIZE * 4];
6752     #ifdef HAVE_AES_DECRYPT
6753 #ifdef WOLFSSL_SMALL_STACK
6754         Aes *dec = NULL;
6755 #else
6756         Aes dec[1];
6757 #endif
6758         byte plain [AES_BLOCK_SIZE * 4];
6759     #endif
6760         int  ret = 0;
6761 
6762 #ifdef WOLFSSL_SMALL_STACK
6763     if ((enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
6764         ERROR_OUT(-1, out);
6765 #ifdef HAVE_AES_DECRYPT
6766     if ((dec = (Aes *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
6767         ERROR_OUT(-1, out);
6768 #endif
6769 #endif
6770 
6771         XMEMSET(enc, 0, sizeof *enc);
6772     #ifdef HAVE_AES_DECRYPT
6773         XMEMSET(dec, 0, sizeof *dec);
6774     #endif
6775 
6776 #ifdef WOLFSSL_AES_128
6777         /* 128 key size test */
6778     #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
6779         && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
6780         ret = EVP_test(EVP_aes_128_ofb(), key2, iv2, plain2, sizeof(plain2),
6781                 cipher2, sizeof(cipher2));
6782         if (ret != 0) {
6783             goto out;
6784         }
6785     #endif
6786 
6787         ret = wc_AesSetKey(enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
6788         if (ret != 0)
6789             ERROR_OUT(-5129, out);
6790     #ifdef HAVE_AES_DECRYPT
6791         /* decrypt uses AES_ENCRYPTION */
6792         ret = wc_AesSetKey(dec, key2, sizeof(key2), iv2, AES_ENCRYPTION);
6793         if (ret != 0)
6794             ERROR_OUT(-5130, out);
6795     #endif
6796 
6797         XMEMSET(cipher, 0, sizeof(cipher));
6798         ret = wc_AesOfbEncrypt(enc, cipher, plain2, AES_BLOCK_SIZE);
6799         if (ret != 0)
6800             ERROR_OUT(-5131, out);
6801 
6802         if (XMEMCMP(cipher, cipher2, AES_BLOCK_SIZE))
6803             ERROR_OUT(-5132, out);
6804 
6805     #ifdef HAVE_AES_DECRYPT
6806         ret = wc_AesOfbDecrypt(dec, plain, cipher2, AES_BLOCK_SIZE);
6807         if (ret != 0)
6808             ERROR_OUT(-5133, out);
6809 
6810         if (XMEMCMP(plain, plain2, AES_BLOCK_SIZE))
6811             ERROR_OUT(-5134, out);
6812     #endif /* HAVE_AES_DECRYPT */
6813 #endif /* WOLFSSL_AES_128 */
6814 
6815 #ifdef WOLFSSL_AES_192
6816         /* 192 key size test */
6817     #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
6818         && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
6819         ret = EVP_test(EVP_aes_192_ofb(), key3, iv3, plain3, sizeof(plain3),
6820                 cipher3, sizeof(cipher3));
6821         if (ret != 0) {
6822             goto out;
6823         }
6824     #endif
6825 
6826         ret = wc_AesSetKey(enc, key3, sizeof(key3), iv3, AES_ENCRYPTION);
6827         if (ret != 0)
6828             ERROR_OUT(-5135, out);
6829     #ifdef HAVE_AES_DECRYPT
6830         /* decrypt uses AES_ENCRYPTION */
6831         ret = wc_AesSetKey(dec, key3, sizeof(key3), iv3, AES_ENCRYPTION);
6832         if (ret != 0)
6833             ERROR_OUT(-5136, out);
6834     #endif
6835 
6836         XMEMSET(cipher, 0, sizeof(cipher));
6837         ret = wc_AesOfbEncrypt(enc, cipher, plain3, AES_BLOCK_SIZE);
6838         if (ret != 0)
6839             ERROR_OUT(-5137, out);
6840 
6841         if (XMEMCMP(cipher, cipher3, AES_BLOCK_SIZE))
6842             ERROR_OUT(-5138, out);
6843 
6844     #ifdef HAVE_AES_DECRYPT
6845         ret = wc_AesOfbDecrypt(dec, plain, cipher3, AES_BLOCK_SIZE);
6846         if (ret != 0)
6847             ERROR_OUT(-5139, out);
6848 
6849         if (XMEMCMP(plain, plain3, AES_BLOCK_SIZE))
6850             ERROR_OUT(-5140, out);
6851     #endif /* HAVE_AES_DECRYPT */
6852 #endif /* WOLFSSL_AES_192 */
6853 
6854 #ifdef WOLFSSL_AES_256
6855         /* 256 key size test */
6856     #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
6857         && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
6858         ret = EVP_test(EVP_aes_256_ofb(), key1, iv1, plain1, sizeof(plain1),
6859                 cipher1, sizeof(cipher1));
6860         if (ret != 0) {
6861             goto out;
6862         }
6863     #endif
6864 
6865         ret = wc_AesSetKey(enc, key1, sizeof(key1), iv1, AES_ENCRYPTION);
6866         if (ret != 0)
6867             ERROR_OUT(-5141, out);
6868     #ifdef HAVE_AES_DECRYPT
6869         /* decrypt uses AES_ENCRYPTION */
6870         ret = wc_AesSetKey(dec, key1, sizeof(key1), iv1, AES_ENCRYPTION);
6871         if (ret != 0)
6872             ERROR_OUT(-5142, out);
6873     #endif
6874 
6875         XMEMSET(cipher, 0, sizeof(cipher));
6876         ret = wc_AesOfbEncrypt(enc, cipher, plain1, AES_BLOCK_SIZE);
6877         if (ret != 0)
6878             ERROR_OUT(-5143, out);
6879 
6880         if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE))
6881             ERROR_OUT(-5144, out);
6882 
6883         ret = wc_AesOfbEncrypt(enc, cipher + AES_BLOCK_SIZE,
6884                 plain1 + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
6885         if (ret != 0)
6886             ERROR_OUT(-5145, out);
6887 
6888         if (XMEMCMP(cipher + AES_BLOCK_SIZE, cipher1 + AES_BLOCK_SIZE,
6889                     AES_BLOCK_SIZE))
6890             ERROR_OUT(-5146, out);
6891 
6892     #ifdef HAVE_AES_DECRYPT
6893         ret = wc_AesOfbDecrypt(dec, plain, cipher1, AES_BLOCK_SIZE);
6894         if (ret != 0)
6895             ERROR_OUT(-5147, out);
6896 
6897         if (XMEMCMP(plain, plain1, AES_BLOCK_SIZE))
6898             ERROR_OUT(-5148, out);
6899 
6900         ret = wc_AesOfbDecrypt(dec, plain + AES_BLOCK_SIZE,
6901                 cipher1 + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
6902         if (ret != 0)
6903             ERROR_OUT(-5149, out);
6904 
6905         if (XMEMCMP(plain + AES_BLOCK_SIZE, plain1 + AES_BLOCK_SIZE,
6906                     AES_BLOCK_SIZE))
6907             ERROR_OUT(-5150, out);
6908     #endif /* HAVE_AES_DECRYPT */
6909 
6910         /* multiple blocks at once */
6911         ret = wc_AesSetKey(enc, key1, sizeof(key1), iv1, AES_ENCRYPTION);
6912         if (ret != 0)
6913             ERROR_OUT(-5151, out);
6914     #ifdef HAVE_AES_DECRYPT
6915         /* decrypt uses AES_ENCRYPTION */
6916         ret = wc_AesSetKey(dec, key1, sizeof(key1), iv1, AES_ENCRYPTION);
6917         if (ret != 0)
6918             ERROR_OUT(-5152, out);
6919     #endif
6920 
6921         XMEMSET(cipher, 0, sizeof(cipher));
6922         ret = wc_AesOfbEncrypt(enc, cipher, plain1, AES_BLOCK_SIZE * 3);
6923         if (ret != 0)
6924             ERROR_OUT(-5153, out);
6925 
6926         if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE * 3))
6927             ERROR_OUT(-5154, out);
6928 
6929     #ifdef HAVE_AES_DECRYPT
6930         ret = wc_AesOfbDecrypt(dec, plain, cipher1, AES_BLOCK_SIZE * 3);
6931         if (ret != 0)
6932             ERROR_OUT(-5155, out);
6933 
6934         if (XMEMCMP(plain, plain1, AES_BLOCK_SIZE * 3))
6935             ERROR_OUT(-5156, out);
6936     #endif /* HAVE_AES_DECRYPT */
6937 
6938         /* inline decrypt/encrypt*/
6939         ret = wc_AesSetKey(enc, key1, sizeof(key1), iv1, AES_ENCRYPTION);
6940         if (ret != 0)
6941             ERROR_OUT(-5157, out);
6942     #ifdef HAVE_AES_DECRYPT
6943         /* decrypt uses AES_ENCRYPTION */
6944         ret = wc_AesSetKey(dec, key1, sizeof(key1), iv1, AES_ENCRYPTION);
6945         if (ret != 0)
6946             ERROR_OUT(-5158, out);
6947     #endif
6948 
6949         XMEMCPY(cipher, plain1, AES_BLOCK_SIZE * 2);
6950         ret = wc_AesOfbEncrypt(enc, cipher, cipher, AES_BLOCK_SIZE * 2);
6951         if (ret != 0)
6952             ERROR_OUT(-5159, out);
6953 
6954         if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE * 2))
6955             ERROR_OUT(-5160, out);
6956 
6957     #ifdef HAVE_AES_DECRYPT
6958         ret = wc_AesOfbDecrypt(dec, cipher, cipher, AES_BLOCK_SIZE * 2);
6959         if (ret != 0)
6960             ERROR_OUT(-5161, out);
6961 
6962         if (XMEMCMP(cipher, plain1, AES_BLOCK_SIZE * 2))
6963             ERROR_OUT(-5162, out);
6964     #endif /* HAVE_AES_DECRYPT */
6965 
6966         /* 256 key size test leftover support */
6967         ret = wc_AesSetKey(enc, key1, sizeof(key1), iv1, AES_ENCRYPTION);
6968         if (ret != 0)
6969             ERROR_OUT(-5163, out);
6970     #ifdef HAVE_AES_DECRYPT
6971         /* decrypt uses AES_ENCRYPTION */
6972         ret = wc_AesSetKey(dec, key1, sizeof(key1), iv1, AES_ENCRYPTION);
6973         if (ret != 0)
6974             ERROR_OUT(-5164, out);
6975     #endif
6976 
6977         XMEMSET(cipher, 0, sizeof(cipher));
6978         ret = wc_AesOfbEncrypt(enc, cipher, plain1, 3);
6979         if (ret != 0)
6980             ERROR_OUT(-5165, out);
6981 
6982         if (XMEMCMP(cipher, cipher1, 3))
6983             ERROR_OUT(-5166, out);
6984 
6985         ret = wc_AesOfbEncrypt(enc, cipher + 3, plain1 + 3, AES_BLOCK_SIZE);
6986         if (ret != 0)
6987             ERROR_OUT(-5167, out);
6988 
6989         if (XMEMCMP(cipher + 3, cipher1 + 3, AES_BLOCK_SIZE))
6990             ERROR_OUT(-5168, out);
6991 
6992     #ifdef HAVE_AES_DECRYPT
6993         ret = wc_AesOfbDecrypt(dec, plain, cipher1, 6);
6994         if (ret != 0)
6995             ERROR_OUT(-5169, out);
6996 
6997         if (XMEMCMP(plain, plain1, 6))
6998             ERROR_OUT(-5170, out);
6999 
7000         ret = wc_AesOfbDecrypt(dec, plain + 6, cipher1 + 6, AES_BLOCK_SIZE);
7001         if (ret != 0)
7002             ERROR_OUT(-5171, out);
7003 
7004         if (XMEMCMP(plain + 6, plain1 + 6, AES_BLOCK_SIZE))
7005             ERROR_OUT(-5172, out);
7006     #endif /* HAVE_AES_DECRYPT */
7007 
7008   out:
7009 
7010 #ifdef WOLFSSL_SMALL_STACK
7011     if (enc)
7012         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
7013 #ifdef HAVE_AES_DECRYPT
7014     if (dec)
7015         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
7016 #endif
7017 #endif
7018 
7019 #endif /* WOLFSSL_AES_256 */
7020 
7021         return ret;
7022     }
7023 #endif /* WOLFSSL_AES_OFB */
7024 
7025 #if defined(WOLFSSL_AES_CFB)
7026     /* Test cases from NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation Methods an*/
aescfb_test(void)7027     static int aescfb_test(void)
7028     {
7029 #ifdef WOLFSSL_SMALL_STACK
7030         Aes *enc = NULL;
7031 #else
7032         Aes enc[1];
7033 #endif
7034         int enc_inited = 0;
7035         byte cipher[AES_BLOCK_SIZE * 4];
7036     #ifdef HAVE_AES_DECRYPT
7037 #ifdef WOLFSSL_SMALL_STACK
7038         Aes *dec = NULL;
7039 #else
7040         Aes dec[1];
7041 #endif
7042         int dec_inited = 0;
7043         byte plain [AES_BLOCK_SIZE * 4];
7044     #endif
7045         int  ret = 0;
7046 
7047         WOLFSSL_SMALL_STACK_STATIC const byte iv[] = {
7048             0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
7049             0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
7050         };
7051 
7052 #ifdef WOLFSSL_AES_128
7053         WOLFSSL_SMALL_STACK_STATIC const byte key1[] =
7054         {
7055             0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
7056             0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
7057         };
7058 
7059         WOLFSSL_SMALL_STACK_STATIC const byte cipher1[] =
7060         {
7061             0x3b,0x3f,0xd9,0x2e,0xb7,0x2d,0xad,0x20,
7062             0x33,0x34,0x49,0xf8,0xe8,0x3c,0xfb,0x4a,
7063             0xc8,0xa6,0x45,0x37,0xa0,0xb3,0xa9,0x3f,
7064             0xcd,0xe3,0xcd,0xad,0x9f,0x1c,0xe5,0x8b,
7065             0x26,0x75,0x1f,0x67,0xa3,0xcb,0xb1,0x40,
7066             0xb1,0x80,0x8c,0xf1,0x87,0xa4,0xf4,0xdf
7067         };
7068 
7069         WOLFSSL_SMALL_STACK_STATIC const byte msg1[] =
7070         {
7071             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
7072             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
7073             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
7074             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
7075             0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
7076             0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef
7077         };
7078 #endif /* WOLFSSL_AES_128 */
7079 
7080 #ifdef WOLFSSL_AES_192
7081         /* 192 size key test */
7082         WOLFSSL_SMALL_STACK_STATIC const byte key2[] =
7083         {
7084             0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
7085             0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
7086             0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
7087         };
7088 
7089         WOLFSSL_SMALL_STACK_STATIC const byte cipher2[] =
7090         {
7091             0xcd,0xc8,0x0d,0x6f,0xdd,0xf1,0x8c,0xab,
7092             0x34,0xc2,0x59,0x09,0xc9,0x9a,0x41,0x74,
7093             0x67,0xce,0x7f,0x7f,0x81,0x17,0x36,0x21,
7094             0x96,0x1a,0x2b,0x70,0x17,0x1d,0x3d,0x7a,
7095             0x2e,0x1e,0x8a,0x1d,0xd5,0x9b,0x88,0xb1,
7096             0xc8,0xe6,0x0f,0xed,0x1e,0xfa,0xc4,0xc9,
7097             0xc0,0x5f,0x9f,0x9c,0xa9,0x83,0x4f,0xa0,
7098             0x42,0xae,0x8f,0xba,0x58,0x4b,0x09,0xff
7099         };
7100 
7101         WOLFSSL_SMALL_STACK_STATIC const byte msg2[] =
7102         {
7103             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
7104             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
7105             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
7106             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
7107             0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
7108             0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
7109             0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
7110             0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
7111         };
7112 #endif /* WOLFSSL_AES_192 */
7113 
7114 #ifdef WOLFSSL_AES_256
7115         /* 256 size key simple test */
7116         WOLFSSL_SMALL_STACK_STATIC const byte key3[] =
7117         {
7118             0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
7119             0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
7120             0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
7121             0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
7122         };
7123 
7124         WOLFSSL_SMALL_STACK_STATIC const byte cipher3[] =
7125         {
7126             0xdc,0x7e,0x84,0xbf,0xda,0x79,0x16,0x4b,
7127             0x7e,0xcd,0x84,0x86,0x98,0x5d,0x38,0x60,
7128             0x39,0xff,0xed,0x14,0x3b,0x28,0xb1,0xc8,
7129             0x32,0x11,0x3c,0x63,0x31,0xe5,0x40,0x7b,
7130             0xdf,0x10,0x13,0x24,0x15,0xe5,0x4b,0x92,
7131             0xa1,0x3e,0xd0,0xa8,0x26,0x7a,0xe2,0xf9,
7132             0x75,0xa3,0x85,0x74,0x1a,0xb9,0xce,0xf8,
7133             0x20,0x31,0x62,0x3d,0x55,0xb1,0xe4,0x71
7134         };
7135 
7136         WOLFSSL_SMALL_STACK_STATIC const byte msg3[] =
7137         {
7138             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
7139             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
7140             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
7141             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
7142             0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
7143             0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
7144             0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
7145             0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
7146         };
7147 #endif /* WOLFSSL_AES_256 */
7148 
7149 #ifdef WOLFSSL_SMALL_STACK
7150     if ((enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
7151         ERROR_OUT(-1, out);
7152 #ifdef HAVE_AES_DECRYPT
7153     if ((dec = (Aes *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
7154         ERROR_OUT(-1, out);
7155 #endif
7156 #endif
7157 
7158     if (wc_AesInit(enc, HEAP_HINT, devId) != 0)
7159         ERROR_OUT(-5173, out);
7160     else
7161         enc_inited = 1;
7162 #ifdef HAVE_AES_DECRYPT
7163     if (wc_AesInit(dec, HEAP_HINT, devId) != 0)
7164         ERROR_OUT(-5174, out);
7165     else
7166         dec_inited = 1;
7167 #endif
7168 
7169 #ifdef WOLFSSL_AES_128
7170         /* 128 key tests */
7171     #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
7172         && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
7173         ret = EVP_test(EVP_aes_128_cfb128(), key1, iv, msg1, sizeof(msg1),
7174                 cipher1, sizeof(cipher1));
7175         if (ret != 0) {
7176             return ret;
7177         }
7178     #endif
7179 
7180         ret = wc_AesSetKey(enc, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
7181         if (ret != 0)
7182             ERROR_OUT(-5175, out);
7183     #ifdef HAVE_AES_DECRYPT
7184         /* decrypt uses AES_ENCRYPTION */
7185         ret = wc_AesSetKey(dec, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
7186         if (ret != 0)
7187             ERROR_OUT(-5176, out);
7188     #endif
7189 
7190         XMEMSET(cipher, 0, sizeof(cipher));
7191         ret = wc_AesCfbEncrypt(enc, cipher, msg1, AES_BLOCK_SIZE * 2);
7192         if (ret != 0)
7193             ERROR_OUT(-5177, out);
7194 
7195         if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE * 2))
7196             ERROR_OUT(-5178, out);
7197 
7198         /* test restarting encryption process */
7199         ret = wc_AesCfbEncrypt(enc, cipher + (AES_BLOCK_SIZE * 2),
7200                 msg1 + (AES_BLOCK_SIZE * 2), AES_BLOCK_SIZE);
7201         if (ret != 0)
7202             ERROR_OUT(-5179, out);
7203 
7204         if (XMEMCMP(cipher + (AES_BLOCK_SIZE * 2),
7205                     cipher1 + (AES_BLOCK_SIZE * 2), AES_BLOCK_SIZE))
7206             ERROR_OUT(-5180, out);
7207 
7208     #ifdef HAVE_AES_DECRYPT
7209         ret = wc_AesCfbDecrypt(dec, plain, cipher, AES_BLOCK_SIZE * 3);
7210         if (ret != 0)
7211             ERROR_OUT(-5181, out);
7212 
7213         if (XMEMCMP(plain, msg1, AES_BLOCK_SIZE * 3))
7214             ERROR_OUT(-5182, out);
7215     #endif /* HAVE_AES_DECRYPT */
7216 #endif /* WOLFSSL_AES_128 */
7217 
7218 #ifdef WOLFSSL_AES_192
7219         /* 192 key size test */
7220     #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
7221         && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
7222         ret = EVP_test(EVP_aes_192_cfb128(), key2, iv, msg2, sizeof(msg2),
7223                 cipher2, sizeof(cipher2));
7224         if (ret != 0) {
7225             return ret;
7226         }
7227     #endif
7228 
7229         ret = wc_AesSetKey(enc, key2, sizeof(key2), iv, AES_ENCRYPTION);
7230         if (ret != 0)
7231             ERROR_OUT(-5183, out);
7232     #ifdef HAVE_AES_DECRYPT
7233         /* decrypt uses AES_ENCRYPTION */
7234         ret = wc_AesSetKey(dec, key2, sizeof(key2), iv, AES_ENCRYPTION);
7235         if (ret != 0)
7236             ERROR_OUT(-5184, out);
7237     #endif
7238 
7239         XMEMSET(cipher, 0, sizeof(cipher));
7240         ret = wc_AesCfbEncrypt(enc, cipher, msg2, AES_BLOCK_SIZE * 4);
7241         if (ret != 0)
7242             ERROR_OUT(-5185, out);
7243 
7244         if (XMEMCMP(cipher, cipher2, AES_BLOCK_SIZE * 4))
7245             ERROR_OUT(-5186, out);
7246 
7247     #ifdef HAVE_AES_DECRYPT
7248         ret = wc_AesCfbDecrypt(dec, plain, cipher, AES_BLOCK_SIZE * 4);
7249         if (ret != 0)
7250             ERROR_OUT(-5187, out);
7251 
7252         if (XMEMCMP(plain, msg2, AES_BLOCK_SIZE * 4))
7253             ERROR_OUT(-5188, out);
7254     #endif /* HAVE_AES_DECRYPT */
7255 #endif /* WOLFSSL_AES_192 */
7256 
7257 #ifdef WOLFSSL_AES_256
7258         /* 256 key size test */
7259     #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
7260         && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
7261         ret = EVP_test(EVP_aes_256_cfb128(), key3, iv, msg3, sizeof(msg3),
7262                 cipher3, sizeof(cipher3));
7263         if (ret != 0) {
7264             return ret;
7265         }
7266     #endif
7267         ret = wc_AesSetKey(enc, key3, sizeof(key3), iv, AES_ENCRYPTION);
7268         if (ret != 0)
7269             ERROR_OUT(-5189, out);
7270     #ifdef HAVE_AES_DECRYPT
7271         /* decrypt uses AES_ENCRYPTION */
7272         ret = wc_AesSetKey(dec, key3, sizeof(key3), iv, AES_ENCRYPTION);
7273         if (ret != 0)
7274             ERROR_OUT(-5190, out);
7275     #endif
7276 
7277         /* test with data left overs, magic lengths are checking near edges */
7278         XMEMSET(cipher, 0, sizeof(cipher));
7279         ret = wc_AesCfbEncrypt(enc, cipher, msg3, 4);
7280         if (ret != 0)
7281             ERROR_OUT(-5191, out);
7282 
7283         if (XMEMCMP(cipher, cipher3, 4))
7284             ERROR_OUT(-5192, out);
7285 
7286         ret = wc_AesCfbEncrypt(enc, cipher + 4, msg3 + 4, 27);
7287         if (ret != 0)
7288             ERROR_OUT(-5193, out);
7289 
7290         if (XMEMCMP(cipher + 4, cipher3 + 4, 27))
7291             ERROR_OUT(-5194, out);
7292 
7293         ret = wc_AesCfbEncrypt(enc, cipher + 31, msg3 + 31,
7294                 (AES_BLOCK_SIZE * 4) - 31);
7295         if (ret != 0)
7296             ERROR_OUT(-5195, out);
7297 
7298         if (XMEMCMP(cipher, cipher3, AES_BLOCK_SIZE * 4))
7299             ERROR_OUT(-5196, out);
7300 
7301     #ifdef HAVE_AES_DECRYPT
7302         ret = wc_AesCfbDecrypt(dec, plain, cipher, 4);
7303         if (ret != 0)
7304             ERROR_OUT(-5197, out);
7305 
7306         if (XMEMCMP(plain, msg3, 4))
7307             ERROR_OUT(-5198, out);
7308 
7309         ret = wc_AesCfbDecrypt(dec, plain + 4, cipher + 4, 4);
7310         if (ret != 0)
7311             ERROR_OUT(-5199, out);
7312 
7313         ret = wc_AesCfbDecrypt(dec, plain + 8, cipher + 8, 23);
7314         if (ret != 0)
7315             ERROR_OUT(-5200, out);
7316 
7317         if (XMEMCMP(plain + 4, msg3 + 4, 27))
7318             ERROR_OUT(-5201, out);
7319 
7320         ret = wc_AesCfbDecrypt(dec, plain + 31, cipher + 31,
7321                 (AES_BLOCK_SIZE * 4) - 31);
7322         if (ret != 0)
7323             ERROR_OUT(-5202, out);
7324 
7325         if (XMEMCMP(plain, msg3, AES_BLOCK_SIZE * 4))
7326             ERROR_OUT(-5203, out);
7327     #endif /* HAVE_AES_DECRYPT */
7328 #endif /* WOLFSSL_AES_256 */
7329 
7330   out:
7331 
7332     if (enc_inited)
7333         wc_AesFree(enc);
7334     if (dec_inited)
7335         wc_AesFree(dec);
7336 
7337 #ifdef WOLFSSL_SMALL_STACK
7338     if (enc)
7339         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
7340 #ifdef HAVE_AES_DECRYPT
7341     if (dec)
7342         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
7343 #endif
7344 #endif
7345 
7346         return ret;
7347     }
7348 
7349 #if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
aescfb1_test(void)7350     static int aescfb1_test(void)
7351     {
7352 #ifdef WOLFSSL_SMALL_STACK
7353         Aes *enc = NULL;
7354 #else
7355         Aes enc[1];
7356 #endif
7357         int enc_inited = 0;
7358         byte cipher[AES_BLOCK_SIZE];
7359     #ifdef HAVE_AES_DECRYPT
7360 #ifdef WOLFSSL_SMALL_STACK
7361         Aes *dec = NULL;
7362 #else
7363         Aes dec[1];
7364 #endif
7365         int dec_inited = 0;
7366         byte plain [AES_BLOCK_SIZE];
7367     #endif
7368         int  ret = 0;
7369 
7370 #ifdef WOLFSSL_AES_128
7371         WOLFSSL_SMALL_STACK_STATIC const byte iv[] = {
7372             0x4d,0xbb,0xdc,0xaa,0x59,0xf3,0x63,0xc9,
7373             0x2a,0x3b,0x98,0x43,0xad,0x20,0xe2,0xb7
7374         };
7375 
7376         WOLFSSL_SMALL_STACK_STATIC const byte key1[] =
7377         {
7378             0xcd,0xef,0x9d,0x06,0x61,0xba,0xe4,0x73,
7379             0x8d,0x1a,0x58,0xa2,0xa6,0x22,0x8b,0x66
7380         };
7381 
7382         WOLFSSL_SMALL_STACK_STATIC const byte cipher1[] =
7383         {
7384             0x00
7385         };
7386 
7387         WOLFSSL_SMALL_STACK_STATIC const byte msg1[] =
7388         {
7389             0xC0
7390         };
7391 #endif /* WOLFSSL_AES_128 */
7392 #ifdef WOLFSSL_AES_192
7393         WOLFSSL_SMALL_STACK_STATIC const byte iv2[] = {
7394             0x57,0xc6,0x89,0x7c,0x99,0x52,0x28,0x13,
7395             0xbf,0x67,0x9c,0xe1,0x13,0x70,0xaf,0x5e
7396         };
7397 
7398         WOLFSSL_SMALL_STACK_STATIC const byte key2[] =
7399         {
7400             0xba,0xa1,0x58,0xa1,0x6b,0x50,0x4a,0x10,
7401             0x8e,0xd4,0x33,0x2e,0xe7,0xf2,0x9b,0xf6,
7402             0xd1,0xac,0x46,0xa8,0xde,0x5a,0xfe,0x7a
7403         };
7404 
7405         WOLFSSL_SMALL_STACK_STATIC const byte cipher2[] =
7406         {
7407             0x30
7408         };
7409 
7410         WOLFSSL_SMALL_STACK_STATIC const byte msg2[] =
7411         {
7412             0x80
7413         };
7414 #endif /* WOLFSSL_AES_192 */
7415 #ifdef WOLFSSL_AES_256
7416         WOLFSSL_SMALL_STACK_STATIC const byte iv3[] = {
7417             0x63,0x2e,0x9f,0x83,0x1f,0xa3,0x80,0x5e,
7418             0x52,0x02,0xbc,0xe0,0x6d,0x04,0xf9,0xa0
7419         };
7420 
7421         WOLFSSL_SMALL_STACK_STATIC const byte key3[] =
7422         {
7423             0xf6,0xfa,0xe4,0xf1,0x5d,0x91,0xfc,0x50,
7424             0x88,0x78,0x4f,0x84,0xa5,0x37,0x12,0x7e,
7425             0x32,0x63,0x55,0x9c,0x62,0x73,0x88,0x20,
7426             0xc2,0xcf,0x3d,0xe1,0x1c,0x2a,0x30,0x40
7427         };
7428 
7429         WOLFSSL_SMALL_STACK_STATIC const byte cipher3[] =
7430         {
7431             0xF7, 0x00
7432         };
7433 
7434         WOLFSSL_SMALL_STACK_STATIC const byte msg3[] =
7435         {
7436             0x41, 0xC0
7437         };
7438 #endif /* WOLFSSL_AES_256 */
7439 
7440 #ifdef WOLFSSL_SMALL_STACK
7441     if ((enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
7442         ERROR_OUT(-1, out);
7443 #ifdef HAVE_AES_DECRYPT
7444     if ((dec = (Aes *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
7445         ERROR_OUT(-1, out);
7446 #endif
7447 #endif
7448 
7449     if (wc_AesInit(enc, HEAP_HINT, devId) != 0)
7450         ERROR_OUT(-5204, out);
7451     else
7452         enc_inited = 1;
7453 #ifdef HAVE_AES_DECRYPT
7454     if (wc_AesInit(dec, HEAP_HINT, devId) != 0)
7455         ERROR_OUT(-5205, out);
7456     else
7457         dec_inited = 1;
7458 #endif
7459 
7460 #ifdef WOLFSSL_AES_128
7461         /* 128 key tests */
7462         ret = wc_AesSetKey(enc, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
7463         if (ret != 0)
7464             ERROR_OUT(-5206, out);
7465     #ifdef HAVE_AES_DECRYPT
7466         /* decrypt uses AES_ENCRYPTION */
7467         ret = wc_AesSetKey(dec, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
7468         if (ret != 0)
7469             ERROR_OUT(-5207, out);
7470     #endif
7471 
7472         XMEMSET(cipher, 0, sizeof(cipher));
7473         ret = wc_AesCfb1Encrypt(enc, cipher, msg1, 2);
7474         if (ret != 0)
7475             ERROR_OUT(-5208, out);
7476 
7477         if (cipher[0] != cipher1[0])
7478             ERROR_OUT(-5209, out);
7479 
7480     #ifdef HAVE_AES_DECRYPT
7481         ret = wc_AesCfb1Decrypt(dec, plain, cipher, 2);
7482         if (ret != 0)
7483             ERROR_OUT(-5210, out);
7484 
7485         if (plain[0] != msg1[0])
7486             ERROR_OUT(-5211, out);
7487     #endif /* HAVE_AES_DECRYPT */
7488 
7489     #ifdef OPENSSL_EXTRA
7490         ret = wc_AesSetKey(enc, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
7491         if (ret != 0)
7492             ERROR_OUT(-5212, out);
7493 
7494         XMEMSET(cipher, 0, sizeof(cipher));
7495         ret = wc_AesCfb1Encrypt(enc, cipher, msg1,
7496                 sizeof(msg1) * WOLFSSL_BIT_SIZE);
7497         if (ret != 0)
7498             ERROR_OUT(-5213, out);
7499 
7500     #ifndef WOLFCRYPT_ONLY
7501         ret = EVP_test(EVP_aes_128_cfb1(), key1, iv, msg1, sizeof(msg1),
7502                 cipher, sizeof(msg1));
7503         if (ret != 0) {
7504             goto out;
7505         }
7506     #endif
7507     #endif
7508 #endif /* WOLFSSL_AES_128 */
7509 #ifdef WOLFSSL_AES_192
7510         /* 192 key tests */
7511         ret = wc_AesSetKey(enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
7512         if (ret != 0)
7513             ERROR_OUT(-5214, out);
7514 
7515         XMEMSET(cipher, 0, sizeof(cipher));
7516         ret = wc_AesCfb1Encrypt(enc, cipher, msg2, 4);
7517         if (ret != 0)
7518             ERROR_OUT(-5215, out);
7519         if (XMEMCMP(cipher, cipher2, sizeof(cipher2)) != 0)
7520             ERROR_OUT(-5216, out);
7521 
7522     #ifdef OPENSSL_EXTRA
7523         ret = wc_AesSetKey(enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
7524         if (ret != 0)
7525             ERROR_OUT(-5217, out);
7526 
7527         XMEMSET(cipher, 0, sizeof(cipher));
7528         ret = wc_AesCfb1Encrypt(enc, cipher, msg2,
7529                 sizeof(msg2) * WOLFSSL_BIT_SIZE);
7530         if (ret != 0)
7531             ERROR_OUT(-5218, out);
7532 
7533         #ifndef WOLFCRYPT_ONLY
7534         ret = EVP_test(EVP_aes_192_cfb1(), key2, iv2, msg2, sizeof(msg2),
7535                 cipher, sizeof(msg2));
7536         if (ret != 0) {
7537             goto out;
7538         }
7539         #endif
7540     #endif
7541 #endif /* WOLFSSL_AES_192 */
7542 
7543 #ifdef WOLFSSL_AES_256
7544         /* 256 key tests */
7545         ret = wc_AesSetKey(enc, key3, sizeof(key3), iv3, AES_ENCRYPTION);
7546         if (ret != 0)
7547             ERROR_OUT(-5219, out);
7548 
7549         XMEMSET(cipher, 0, sizeof(cipher));
7550         ret = wc_AesCfb1Encrypt(enc, cipher, msg3, 10);
7551         if (ret != 0)
7552             ERROR_OUT(-5220, out);
7553         if (XMEMCMP(cipher, cipher3, sizeof(cipher3)) != 0)
7554             ERROR_OUT(-5221, out);
7555 
7556     #ifdef OPENSSL_EXTRA
7557         ret = wc_AesSetKey(enc, key3, sizeof(key3), iv3, AES_ENCRYPTION);
7558         if (ret != 0)
7559             ERROR_OUT(-5222, out);
7560 
7561         XMEMSET(cipher, 0, sizeof(cipher));
7562         ret = wc_AesCfb1Encrypt(enc, cipher, msg3,
7563                 sizeof(msg3) * WOLFSSL_BIT_SIZE);
7564         if (ret != 0)
7565             ERROR_OUT(-5223, out);
7566 
7567         #ifndef WOLFCRYPT_ONLY
7568         ret = EVP_test(EVP_aes_256_cfb1(), key3, iv3, msg3, sizeof(msg3),
7569                 cipher, sizeof(msg3));
7570         if (ret != 0) {
7571             goto out;
7572         }
7573         #endif
7574     #endif
7575 
7576   out:
7577 
7578     if (enc_inited)
7579         wc_AesFree(enc);
7580 #ifdef HAVE_AES_DECRYPT
7581     if (dec_inited)
7582         wc_AesFree(dec);
7583 #endif
7584 
7585 #ifdef WOLFSSL_SMALL_STACK
7586     if (enc)
7587         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
7588 #ifdef HAVE_AES_DECRYPT
7589     if (dec)
7590         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
7591 #endif
7592 #endif
7593 
7594 #endif /* WOLFSSL_AES_256 */
7595         return ret;
7596     }
7597 
aescfb8_test(void)7598     static int aescfb8_test(void)
7599     {
7600 #ifdef WOLFSSL_SMALL_STACK
7601         Aes *enc = NULL;
7602 #else
7603         Aes enc[1];
7604 #endif
7605         int enc_inited = 0;
7606         byte cipher[AES_BLOCK_SIZE];
7607     #ifdef HAVE_AES_DECRYPT
7608 #ifdef WOLFSSL_SMALL_STACK
7609         Aes *dec = NULL;
7610 #else
7611         Aes dec[1];
7612 #endif
7613         int dec_inited = 0;
7614         byte plain [AES_BLOCK_SIZE];
7615     #endif
7616         int  ret = 0;
7617 
7618 #ifdef WOLFSSL_AES_128
7619         WOLFSSL_SMALL_STACK_STATIC const byte iv[] = {
7620             0xf4,0x75,0xc6,0x49,0x91,0xb2,0x0e,0xae,
7621             0xe1,0x83,0xa2,0x26,0x29,0xe2,0x1e,0x22
7622         };
7623 
7624         WOLFSSL_SMALL_STACK_STATIC const byte key1[] =
7625         {
7626             0xc8,0xfe,0x9b,0xf7,0x7b,0x93,0x0f,0x46,
7627             0xd2,0x07,0x8b,0x8c,0x0e,0x65,0x7c,0xd4
7628         };
7629 
7630         WOLFSSL_SMALL_STACK_STATIC const byte cipher1[] =
7631         {
7632             0xd2,0x76,0x91
7633         };
7634 
7635         WOLFSSL_SMALL_STACK_STATIC const byte msg1[] =
7636         {
7637             0xc9,0x06,0x35
7638         };
7639 #endif /* WOLFSSL_AES_128 */
7640 #ifdef WOLFSSL_AES_192
7641         WOLFSSL_SMALL_STACK_STATIC const byte iv2[] = {
7642             0x0a,0x02,0x84,0x6b,0x62,0xab,0xb6,0x93,
7643             0xef,0x31,0xd7,0x54,0x84,0x2e,0xed,0x29
7644         };
7645 
7646         WOLFSSL_SMALL_STACK_STATIC const byte key2[] =
7647         {
7648             0xba,0xf0,0x8b,0x76,0x31,0x7a,0x65,0xc5,
7649             0xf0,0x7a,0xe6,0xf5,0x7e,0xb0,0xe6,0x54,
7650             0x88,0x65,0x93,0x24,0xd2,0x97,0x09,0xe3
7651         };
7652 
7653         WOLFSSL_SMALL_STACK_STATIC const byte cipher2[] =
7654         {
7655             0x72,0x9c,0x0b,0x6d,0xeb,0x75,0xfa,0x6e,
7656             0xb5,0xe8
7657         };
7658 
7659         WOLFSSL_SMALL_STACK_STATIC const byte msg2[] =
7660         {
7661             0x98,0x95,0x93,0x24,0x02,0x39,0x3d,0xc3,
7662             0x3a,0x60
7663         };
7664 #endif
7665 #ifdef WOLFSSL_AES_256
7666         WOLFSSL_SMALL_STACK_STATIC const byte iv3[] = {
7667             0x33,0x8c,0x55,0x2f,0xf1,0xec,0xa1,0x44,
7668             0x08,0xe0,0x5d,0x8c,0xf9,0xf3,0xb3,0x1b
7669         };
7670 
7671         WOLFSSL_SMALL_STACK_STATIC const byte key3[] =
7672         {
7673             0x06,0x48,0x74,0x09,0x2f,0x7a,0x13,0xcc,
7674             0x44,0x62,0x24,0x7a,0xd4,0x23,0xd0,0xe9,
7675             0x6e,0xdf,0x42,0xe8,0xb6,0x7a,0x5a,0x23,
7676             0xb7,0xa0,0xa6,0x47,0x7b,0x09,0x8e,0x66
7677         };
7678 
7679         WOLFSSL_SMALL_STACK_STATIC const byte cipher3[] =
7680         {
7681             0x1c,0xff,0x95
7682         };
7683 
7684         WOLFSSL_SMALL_STACK_STATIC const byte msg3[] =
7685         {
7686             0xb9,0x74,0xfa
7687         };
7688 #endif
7689 
7690 #ifdef WOLFSSL_SMALL_STACK
7691     if ((enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
7692         ERROR_OUT(-5238, out);
7693 #ifdef HAVE_AES_DECRYPT
7694     if ((dec = (Aes *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
7695         ERROR_OUT(-5239, out);
7696 #endif
7697 #endif
7698 
7699     if (wc_AesInit(enc, HEAP_HINT, devId) != 0)
7700         ERROR_OUT(-5224, out);
7701     else
7702         enc_inited = 1;
7703 #ifdef HAVE_AES_DECRYPT
7704     if (wc_AesInit(dec, HEAP_HINT, devId) != 0)
7705         ERROR_OUT(-5225, out);
7706     else
7707         dec_inited = 1;
7708 #endif
7709 
7710 #ifdef WOLFSSL_AES_128
7711         /* 128 key tests */
7712     #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
7713         ret = EVP_test(EVP_aes_128_cfb8(), key1, iv, msg1, sizeof(msg1),
7714                 cipher1, sizeof(cipher1));
7715         if (ret != 0) {
7716             return ret;
7717         }
7718     #endif
7719         ret = wc_AesSetKey(enc, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
7720         if (ret != 0)
7721             ERROR_OUT(-5226, out);
7722     #ifdef HAVE_AES_DECRYPT
7723         /* decrypt uses AES_ENCRYPTION */
7724         ret = wc_AesSetKey(dec, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
7725         if (ret != 0)
7726             ERROR_OUT(-5227, out);
7727     #endif
7728 
7729         XMEMSET(cipher, 0, sizeof(cipher));
7730         ret = wc_AesCfb8Encrypt(enc, cipher, msg1, sizeof(msg1));
7731         if (ret != 0)
7732             ERROR_OUT(-5228, out);
7733 
7734         if (XMEMCMP(cipher, cipher1, sizeof(cipher1)) != 0)
7735             ERROR_OUT(-5229, out);
7736 
7737     #ifdef HAVE_AES_DECRYPT
7738         ret = wc_AesCfb8Decrypt(dec, plain, cipher, sizeof(msg1));
7739         if (ret != 0)
7740             ERROR_OUT(-5230, out);
7741 
7742         if (XMEMCMP(plain, msg1, sizeof(msg1)) != 0)
7743             ERROR_OUT(-5231, out);
7744     #endif /* HAVE_AES_DECRYPT */
7745 #endif /* WOLFSSL_AES_128 */
7746 #ifdef WOLFSSL_AES_192
7747         /* 192 key tests */
7748         ret = wc_AesSetKey(enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
7749         if (ret != 0)
7750             ERROR_OUT(-5232, out);
7751 
7752         XMEMSET(cipher, 0, sizeof(cipher));
7753         ret = wc_AesCfb8Encrypt(enc, cipher, msg2, sizeof(msg2));
7754         if (ret != 0)
7755             ERROR_OUT(-5233, out);
7756         if (XMEMCMP(cipher, cipher2, sizeof(msg2)) != 0)
7757             ERROR_OUT(-5234, out);
7758 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
7759         ret = EVP_test(EVP_aes_192_cfb8(), key2, iv2, msg2, sizeof(msg2),
7760                 cipher2, sizeof(msg2));
7761         if (ret != 0) {
7762             return ret;
7763         }
7764 #endif
7765 
7766 #endif /* WOLFSSL_AES_192 */
7767 
7768 #ifdef WOLFSSL_AES_256
7769         /* 256 key tests */
7770         ret = wc_AesSetKey(enc, key3, sizeof(key3), iv3, AES_ENCRYPTION);
7771         if (ret != 0)
7772             ERROR_OUT(-5235, out);
7773 
7774         XMEMSET(cipher, 0, sizeof(cipher));
7775         ret = wc_AesCfb8Encrypt(enc, cipher, msg3, sizeof(msg3));
7776         if (ret != 0)
7777             ERROR_OUT(-5236, out);
7778         if (XMEMCMP(cipher, cipher3, sizeof(cipher3)) != 0)
7779             ERROR_OUT(-5237, out);
7780 
7781     #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
7782         ret = EVP_test(EVP_aes_256_cfb8(), key3, iv3, msg3, sizeof(msg3),
7783                 cipher3, sizeof(msg3));
7784         if (ret != 0) {
7785             goto out;
7786         }
7787     #endif
7788 
7789       out:
7790 
7791         if (enc_inited)
7792             wc_AesFree(enc);
7793 #ifdef HAVE_AES_DECRYPT
7794         if (dec_inited)
7795             wc_AesFree(dec);
7796 #endif
7797 
7798 #ifdef WOLFSSL_SMALL_STACK
7799     if (enc)
7800         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
7801 #ifdef HAVE_AES_DECRYPT
7802     if (dec)
7803         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
7804 #endif
7805 #endif
7806 
7807 #endif /* WOLFSSL_AES_256 */
7808 
7809         return ret;
7810     }
7811 #endif /* !HAVE_SELFTEST && !HAVE_FIPS */
7812 #endif /* WOLFSSL_AES_CFB */
7813 
7814 
aes_key_size_test(void)7815 static int aes_key_size_test(void)
7816 {
7817     int    ret;
7818 #ifdef WOLFSSL_SMALL_STACK
7819     Aes    *aes;
7820 #else
7821     Aes    aes[1];
7822 #endif
7823     byte   key16[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
7824                        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66 };
7825 #ifndef WOLFSSL_CRYPTOCELL
7826     byte   key24[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
7827                        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
7828                        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37 };
7829 #endif
7830     byte   key32[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
7831                        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
7832                        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
7833                        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66 };
7834     byte   iv[]    = "1234567890abcdef";
7835 #ifndef HAVE_FIPS
7836     word32 keySize;
7837 #endif
7838 
7839 #ifdef WOLFSSL_SMALL_STACK
7840     if ((aes = (Aes *)XMALLOC(sizeof *aes, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
7841         return -5315;
7842 #endif
7843 
7844 #if !defined(HAVE_FIPS) || \
7845     defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
7846     /* w/ FIPS v1 (cert 2425) wc_AesInit just returns 0 always as it's not
7847      * supported with that FIPS version */
7848     ret = wc_AesInit(NULL, HEAP_HINT, devId);
7849     if (ret != BAD_FUNC_ARG)
7850         ERROR_OUT(-5300, out);
7851 #endif
7852 
7853     ret = wc_AesInit(aes, HEAP_HINT, devId);
7854     /* 0 check OK for FIPSv1 */
7855     if (ret != 0)
7856         ERROR_OUT(-5301, out);
7857 
7858 #ifndef HAVE_FIPS
7859     /* Parameter Validation testing. */
7860     ret = wc_AesGetKeySize(NULL, NULL);
7861     if (ret != BAD_FUNC_ARG)
7862         ERROR_OUT(-5302, out);
7863     ret = wc_AesGetKeySize(aes, NULL);
7864     if (ret != BAD_FUNC_ARG)
7865         ERROR_OUT(-5303, out);
7866     ret = wc_AesGetKeySize(NULL, &keySize);
7867     if (ret != BAD_FUNC_ARG)
7868         ERROR_OUT(-5304, out);
7869     /* Crashes in FIPS */
7870     ret = wc_AesSetKey(NULL, key16, sizeof(key16), iv, AES_ENCRYPTION);
7871     if (ret != BAD_FUNC_ARG)
7872         ERROR_OUT(-5305, out);
7873 #endif
7874     /* NULL IV indicates to use all zeros IV. */
7875     ret = wc_AesSetKey(aes, key16, sizeof(key16), NULL, AES_ENCRYPTION);
7876 #ifdef WOLFSSL_AES_128
7877     if (ret != 0)
7878 #else
7879     if (ret != BAD_FUNC_ARG)
7880 #endif
7881         ERROR_OUT(-5306, out);
7882     ret = wc_AesSetKey(aes, key32, sizeof(key32) - 1, iv, AES_ENCRYPTION);
7883     if (ret != BAD_FUNC_ARG)
7884         ERROR_OUT(-5307, out);
7885 /* CryptoCell handles rounds internally */
7886 #if !defined(HAVE_FIPS) && !defined(WOLFSSL_CRYPTOCELL)
7887     /* Force invalid rounds */
7888     aes->rounds = 16;
7889     ret = wc_AesGetKeySize(aes, &keySize);
7890     if (ret != BAD_FUNC_ARG)
7891         ERROR_OUT(-5308, out);
7892 #endif
7893 
7894     ret = wc_AesSetKey(aes, key16, sizeof(key16), iv, AES_ENCRYPTION);
7895 #ifdef WOLFSSL_AES_128
7896     if (ret != 0)
7897 #else
7898     if (ret != BAD_FUNC_ARG)
7899 #endif
7900         ERROR_OUT(-5309, out);
7901 #if !defined(HAVE_FIPS) && defined(WOLFSSL_AES_128)
7902     ret = wc_AesGetKeySize(aes, &keySize);
7903     if (ret != 0 || keySize != sizeof(key16))
7904         ERROR_OUT(-5310, out);
7905 #endif
7906 #ifndef WOLFSSL_CRYPTOCELL
7907 /* Cryptocell only supports AES-128 key size */
7908     ret = wc_AesSetKey(aes, key24, sizeof(key24), iv, AES_ENCRYPTION);
7909 #ifdef WOLFSSL_AES_192
7910     if (ret != 0)
7911 #else
7912     if (ret != BAD_FUNC_ARG)
7913 #endif
7914         ERROR_OUT(-5311, out);
7915 #if !defined(HAVE_FIPS) && defined(WOLFSSL_AES_192)
7916     ret = wc_AesGetKeySize(aes, &keySize);
7917     if (ret != 0 || keySize != sizeof(key24))
7918         ERROR_OUT(-5312, out);
7919 #endif
7920 
7921     ret = wc_AesSetKey(aes, key32, sizeof(key32), iv, AES_ENCRYPTION);
7922 #ifdef WOLFSSL_AES_256
7923     if (ret != 0)
7924 #else
7925     if (ret != BAD_FUNC_ARG)
7926 #endif
7927         ERROR_OUT(-5313, out);
7928 #if !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256)
7929     ret = wc_AesGetKeySize(aes, &keySize);
7930     if (ret != 0 || keySize != sizeof(key32))
7931         ERROR_OUT(-5314, out);
7932 #endif
7933 #endif /* !WOLFSSL_CRYPTOCELL */
7934     ret = 0; /* success */
7935   out:
7936 
7937 #ifdef WOLFSSL_SMALL_STACK
7938     XFREE(aes, HEAP_HINT, DYNAMIC_TYPE_AES);
7939 #endif
7940 
7941     return ret;
7942 }
7943 
7944 #if defined(WOLFSSL_AES_XTS)
7945 /* test vectors from http://csrc.nist.gov/groups/STM/cavp/block-cipher-modes.html */
7946 #ifdef WOLFSSL_AES_128
aes_xts_128_test(void)7947 static int aes_xts_128_test(void)
7948 {
7949 #ifdef WOLFSSL_SMALL_STACK
7950     XtsAes *aes = NULL;
7951 #else
7952     XtsAes aes[1];
7953 #endif
7954     int aes_inited = 0;
7955     int ret = 0;
7956     unsigned char buf[AES_BLOCK_SIZE * 2];
7957     unsigned char cipher[AES_BLOCK_SIZE * 2];
7958 
7959     /* 128 key tests */
7960     WOLFSSL_SMALL_STACK_STATIC unsigned char k1[] = {
7961         0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35,
7962         0x3b, 0x2c, 0x34, 0x38, 0x76, 0x08, 0x17, 0x62,
7963         0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
7964         0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
7965     };
7966 
7967     WOLFSSL_SMALL_STACK_STATIC unsigned char i1[] = {
7968         0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6,
7969         0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5
7970     };
7971 
7972     WOLFSSL_SMALL_STACK_STATIC unsigned char p1[] = {
7973         0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d,
7974         0x6f, 0xb3, 0x50, 0x39, 0x07, 0x90, 0x31, 0x1c
7975     };
7976 
7977     /* plain text test of partial block is not from NIST test vector list */
7978     WOLFSSL_SMALL_STACK_STATIC unsigned char pp[] = {
7979         0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d,
7980         0x6f, 0xb3, 0x50, 0x39, 0x07, 0x90, 0x31, 0x1c,
7981         0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5
7982     };
7983 
7984     WOLFSSL_SMALL_STACK_STATIC unsigned char c1[] = {
7985         0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a,
7986         0x82, 0x50, 0x81, 0xd5, 0xbe, 0x47, 0x1c, 0x63
7987     };
7988 
7989     WOLFSSL_SMALL_STACK_STATIC unsigned char k2[] = {
7990         0x39, 0x25, 0x79, 0x05, 0xdf, 0xcc, 0x77, 0x76,
7991         0x6c, 0x87, 0x0a, 0x80, 0x6a, 0x60, 0xe3, 0xc0,
7992         0x93, 0xd1, 0x2a, 0xcf, 0xcb, 0x51, 0x42, 0xfa,
7993         0x09, 0x69, 0x89, 0x62, 0x5b, 0x60, 0xdb, 0x16
7994     };
7995 
7996     WOLFSSL_SMALL_STACK_STATIC unsigned char i2[] = {
7997         0x5c, 0xf7, 0x9d, 0xb6, 0xc5, 0xcd, 0x99, 0x1a,
7998         0x1c, 0x78, 0x81, 0x42, 0x24, 0x95, 0x1e, 0x84
7999     };
8000 
8001     WOLFSSL_SMALL_STACK_STATIC unsigned char p2[] = {
8002         0xbd, 0xc5, 0x46, 0x8f, 0xbc, 0x8d, 0x50, 0xa1,
8003         0x0d, 0x1c, 0x85, 0x7f, 0x79, 0x1c, 0x5c, 0xba,
8004         0xb3, 0x81, 0x0d, 0x0d, 0x73, 0xcf, 0x8f, 0x20,
8005         0x46, 0xb1, 0xd1, 0x9e, 0x7d, 0x5d, 0x8a, 0x56
8006     };
8007 
8008     WOLFSSL_SMALL_STACK_STATIC unsigned char c2[] = {
8009         0xd6, 0xbe, 0x04, 0x6d, 0x41, 0xf2, 0x3b, 0x5e,
8010         0xd7, 0x0b, 0x6b, 0x3d, 0x5c, 0x8e, 0x66, 0x23,
8011         0x2b, 0xe6, 0xb8, 0x07, 0xd4, 0xdc, 0xc6, 0x0e,
8012         0xff, 0x8d, 0xbc, 0x1d, 0x9f, 0x7f, 0xc8, 0x22
8013     };
8014 
8015 #ifdef WOLFSSL_SMALL_STACK
8016     if ((aes = (XtsAes *)XMALLOC(sizeof *aes, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
8017         ERROR_OUT(-5417, out);
8018 #endif
8019 
8020 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
8021     && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
8022     ret = EVP_test(EVP_aes_128_xts(), k2, i2, p2, sizeof(p2), c2, sizeof(c2));
8023     if (ret != 0) {
8024         printf("EVP_aes_128_xts failed!\n");
8025         goto out;
8026     }
8027 #endif
8028 
8029     XMEMSET(buf, 0, sizeof(buf));
8030     if (wc_AesXtsSetKey(aes, k2, sizeof(k2), AES_ENCRYPTION,
8031             HEAP_HINT, devId) != 0)
8032         ERROR_OUT(-5400, out);
8033     else
8034         aes_inited = 1;
8035 
8036     ret = wc_AesXtsEncrypt(aes, buf, p2, sizeof(p2), i2, sizeof(i2));
8037 #if defined(WOLFSSL_ASYNC_CRYPT)
8038     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8039 #endif
8040     if (ret != 0)
8041         ERROR_OUT(-5401, out);
8042     if (XMEMCMP(c2, buf, sizeof(c2)))
8043         ERROR_OUT(-5402, out);
8044 
8045     XMEMSET(buf, 0, sizeof(buf));
8046     if (wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_ENCRYPTION,
8047             HEAP_HINT, devId) != 0)
8048         ERROR_OUT(-5403, out);
8049     ret = wc_AesXtsEncrypt(aes, buf, p1, sizeof(p1), i1, sizeof(i1));
8050 #if defined(WOLFSSL_ASYNC_CRYPT)
8051     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8052 #endif
8053     if (ret != 0)
8054         ERROR_OUT(-5404, out);
8055     if (XMEMCMP(c1, buf, AES_BLOCK_SIZE))
8056         ERROR_OUT(-5405, out);
8057 
8058     /* partial block encryption test */
8059     XMEMSET(cipher, 0, sizeof(cipher));
8060     ret = wc_AesXtsEncrypt(aes, cipher, pp, sizeof(pp), i1, sizeof(i1));
8061 #if defined(WOLFSSL_ASYNC_CRYPT)
8062     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8063 #endif
8064     if (ret != 0)
8065         ERROR_OUT(-5406, out);
8066     wc_AesXtsFree(aes);
8067 
8068     /* partial block decrypt test */
8069     XMEMSET(buf, 0, sizeof(buf));
8070     if (wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_DECRYPTION,
8071             HEAP_HINT, devId) != 0)
8072         ERROR_OUT(-5407, out);
8073     ret = wc_AesXtsDecrypt(aes, buf, cipher, sizeof(pp), i1, sizeof(i1));
8074 #if defined(WOLFSSL_ASYNC_CRYPT)
8075     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8076 #endif
8077     if (ret != 0)
8078         ERROR_OUT(-5408, out);
8079     if (XMEMCMP(pp, buf, sizeof(pp)))
8080         ERROR_OUT(-5409, out);
8081 
8082     /* NIST decrypt test vector */
8083     XMEMSET(buf, 0, sizeof(buf));
8084     ret = wc_AesXtsDecrypt(aes, buf, c1, sizeof(c1), i1, sizeof(i1));
8085 #if defined(WOLFSSL_ASYNC_CRYPT)
8086     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8087 #endif
8088     if (ret != 0)
8089         ERROR_OUT(-5410, out);
8090     if (XMEMCMP(p1, buf, AES_BLOCK_SIZE))
8091         ERROR_OUT(-5411, out);
8092 
8093     /* fail case with decrypting using wrong key */
8094     XMEMSET(buf, 0, sizeof(buf));
8095     ret = wc_AesXtsDecrypt(aes, buf, c2, sizeof(c2), i2, sizeof(i2));
8096 #if defined(WOLFSSL_ASYNC_CRYPT)
8097     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8098 #endif
8099     if (ret != 0)
8100         ERROR_OUT(-5412, out);
8101     if (XMEMCMP(p2, buf, sizeof(p2)) == 0) /* fail case with wrong key */
8102         ERROR_OUT(-5413, out);
8103 
8104     /* set correct key and retest */
8105     XMEMSET(buf, 0, sizeof(buf));
8106     if (wc_AesXtsSetKey(aes, k2, sizeof(k2), AES_DECRYPTION,
8107             HEAP_HINT, devId) != 0)
8108         ERROR_OUT(-5414, out);
8109     ret = wc_AesXtsDecrypt(aes, buf, c2, sizeof(c2), i2, sizeof(i2));
8110 #if defined(WOLFSSL_ASYNC_CRYPT)
8111     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8112 #endif
8113     if (ret != 0)
8114         ERROR_OUT(-5415, out);
8115     if (XMEMCMP(p2, buf, sizeof(p2)))
8116         ERROR_OUT(-5416, out);
8117 
8118   out:
8119 
8120     if (aes_inited)
8121         wc_AesXtsFree(aes);
8122 
8123 #ifdef WOLFSSL_SMALL_STACK
8124     if (aes)
8125         XFREE(aes, HEAP_HINT, DYNAMIC_TYPE_AES);
8126 #endif
8127 
8128     return ret;
8129 }
8130 #endif /* WOLFSSL_AES_128 */
8131 
8132 
8133 #ifdef WOLFSSL_AES_256
aes_xts_256_test(void)8134 static int aes_xts_256_test(void)
8135 {
8136 #ifdef WOLFSSL_SMALL_STACK
8137     XtsAes *aes = NULL;
8138 #else
8139     XtsAes aes[1];
8140 #endif
8141     int aes_inited = 0;
8142     int ret = 0;
8143     unsigned char buf[AES_BLOCK_SIZE * 3];
8144     unsigned char cipher[AES_BLOCK_SIZE * 3];
8145 
8146     /* 256 key tests */
8147     WOLFSSL_SMALL_STACK_STATIC unsigned char k1[] = {
8148         0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e,
8149         0x48, 0x01, 0xe4, 0x2f, 0x4b, 0x09, 0x47, 0x14,
8150         0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
8151         0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c,
8152         0xd6, 0xe1, 0x3f, 0xfd, 0xf2, 0x41, 0x8d, 0x8d,
8153         0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
8154         0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58,
8155         0x31, 0x8e, 0xea, 0x39, 0x2c, 0xf4, 0x1b, 0x08
8156     };
8157 
8158     WOLFSSL_SMALL_STACK_STATIC unsigned char i1[] = {
8159         0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2,
8160         0xf0, 0x42, 0x8e, 0x84, 0xa9, 0xf8, 0x75, 0x64
8161     };
8162 
8163     WOLFSSL_SMALL_STACK_STATIC unsigned char p1[] = {
8164         0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1,
8165         0xac, 0xc6, 0x47, 0xe8, 0x10, 0xbb, 0xc3, 0x64,
8166         0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
8167         0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
8168     };
8169 
8170     /* plain text test of partial block is not from NIST test vector list */
8171     WOLFSSL_SMALL_STACK_STATIC unsigned char pp[] = {
8172         0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d,
8173         0x6f, 0xb3, 0x50, 0x39, 0x07, 0x90, 0x31, 0x1c,
8174         0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5
8175     };
8176 
8177     WOLFSSL_SMALL_STACK_STATIC unsigned char c1[] = {
8178         0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5,
8179         0x0b, 0x37, 0xf9, 0x34, 0xd4, 0x6a, 0x9b, 0x13,
8180         0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
8181         0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
8182     };
8183 
8184     WOLFSSL_SMALL_STACK_STATIC unsigned char k2[] = {
8185         0xad, 0x50, 0x4b, 0x85, 0xd7, 0x51, 0xbf, 0xba,
8186         0x69, 0x13, 0xb4, 0xcc, 0x79, 0xb6, 0x5a, 0x62,
8187         0xf7, 0xf3, 0x9d, 0x36, 0x0f, 0x35, 0xb5, 0xec,
8188         0x4a, 0x7e, 0x95, 0xbd, 0x9b, 0xa5, 0xf2, 0xec,
8189         0xc1, 0xd7, 0x7e, 0xa3, 0xc3, 0x74, 0xbd, 0x4b,
8190         0x13, 0x1b, 0x07, 0x83, 0x87, 0xdd, 0x55, 0x5a,
8191         0xb5, 0xb0, 0xc7, 0xe5, 0x2d, 0xb5, 0x06, 0x12,
8192         0xd2, 0xb5, 0x3a, 0xcb, 0x47, 0x8a, 0x53, 0xb4
8193     };
8194 
8195     WOLFSSL_SMALL_STACK_STATIC unsigned char i2[] = {
8196         0xe6, 0x42, 0x19, 0xed, 0xe0, 0xe1, 0xc2, 0xa0,
8197         0x0e, 0xf5, 0x58, 0x6a, 0xc4, 0x9b, 0xeb, 0x6f
8198     };
8199 
8200     WOLFSSL_SMALL_STACK_STATIC unsigned char p2[] = {
8201         0x24, 0xcb, 0x76, 0x22, 0x55, 0xb5, 0xa8, 0x00,
8202         0xf4, 0x6e, 0x80, 0x60, 0x56, 0x9e, 0x05, 0x53,
8203         0xbc, 0xfe, 0x86, 0x55, 0x3b, 0xca, 0xd5, 0x89,
8204         0xc7, 0x54, 0x1a, 0x73, 0xac, 0xc3, 0x9a, 0xbd,
8205         0x53, 0xc4, 0x07, 0x76, 0xd8, 0xe8, 0x22, 0x61,
8206         0x9e, 0xa9, 0xad, 0x77, 0xa0, 0x13, 0x4c, 0xfc
8207     };
8208 
8209     WOLFSSL_SMALL_STACK_STATIC unsigned char c2[] = {
8210         0xa3, 0xc6, 0xf3, 0xf3, 0x82, 0x79, 0x5b, 0x10,
8211         0x87, 0xd7, 0x02, 0x50, 0xdb, 0x2c, 0xd3, 0xb1,
8212         0xa1, 0x62, 0xa8, 0xb6, 0xdc, 0x12, 0x60, 0x61,
8213         0xc1, 0x0a, 0x84, 0xa5, 0x85, 0x3f, 0x3a, 0x89,
8214         0xe6, 0x6c, 0xdb, 0xb7, 0x9a, 0xb4, 0x28, 0x9b,
8215         0xc3, 0xea, 0xd8, 0x10, 0xe9, 0xc0, 0xaf, 0x92
8216     };
8217 
8218 #ifdef WOLFSSL_SMALL_STACK
8219     if ((aes = (XtsAes *)XMALLOC(sizeof *aes, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
8220         ERROR_OUT(-5515, out);
8221 #endif
8222 
8223 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) \
8224     && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
8225     ret = EVP_test(EVP_aes_256_xts(), k2, i2, p2, sizeof(p2), c2, sizeof(c2));
8226     if (ret != 0) {
8227         printf("EVP_aes_256_xts failed\n");
8228         goto out;
8229     }
8230 #endif
8231 
8232     XMEMSET(buf, 0, sizeof(buf));
8233     if (wc_AesXtsSetKey(aes, k2, sizeof(k2), AES_ENCRYPTION,
8234             HEAP_HINT, devId) != 0)
8235         ERROR_OUT(-5500, out);
8236     else
8237         aes_inited = 1;
8238     ret = wc_AesXtsEncrypt(aes, buf, p2, sizeof(p2), i2, sizeof(i2));
8239 #if defined(WOLFSSL_ASYNC_CRYPT)
8240     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8241 #endif
8242     if (ret != 0)
8243         ERROR_OUT(-5501, out);
8244     if (XMEMCMP(c2, buf, sizeof(c2)))
8245         ERROR_OUT(-5502, out);
8246 
8247     XMEMSET(buf, 0, sizeof(buf));
8248     if (wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_ENCRYPTION,
8249             HEAP_HINT, devId) != 0)
8250         ERROR_OUT(-5503, out);
8251     ret = wc_AesXtsEncrypt(aes, buf, p1, sizeof(p1), i1, sizeof(i1));
8252 #if defined(WOLFSSL_ASYNC_CRYPT)
8253     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8254 #endif
8255     if (ret != 0)
8256         ERROR_OUT(-5504, out);
8257     if (XMEMCMP(c1, buf, AES_BLOCK_SIZE))
8258         ERROR_OUT(-5505, out);
8259 
8260     /* partial block encryption test */
8261     XMEMSET(cipher, 0, sizeof(cipher));
8262     ret = wc_AesXtsEncrypt(aes, cipher, pp, sizeof(pp), i1, sizeof(i1));
8263 #if defined(WOLFSSL_ASYNC_CRYPT)
8264     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8265 #endif
8266     if (ret != 0)
8267         ERROR_OUT(-5506, out);
8268     wc_AesXtsFree(aes);
8269 
8270     /* partial block decrypt test */
8271     XMEMSET(buf, 0, sizeof(buf));
8272     if (wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_DECRYPTION,
8273             HEAP_HINT, devId) != 0)
8274         ERROR_OUT(-5507, out);
8275     ret = wc_AesXtsDecrypt(aes, buf, cipher, sizeof(pp), i1, sizeof(i1));
8276 #if defined(WOLFSSL_ASYNC_CRYPT)
8277     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8278 #endif
8279     if (ret != 0)
8280         ERROR_OUT(-5508, out);
8281     if (XMEMCMP(pp, buf, sizeof(pp)))
8282         ERROR_OUT(-5509, out);
8283 
8284     /* NIST decrypt test vector */
8285     XMEMSET(buf, 0, sizeof(buf));
8286     ret = wc_AesXtsDecrypt(aes, buf, c1, sizeof(c1), i1, sizeof(i1));
8287 #if defined(WOLFSSL_ASYNC_CRYPT)
8288     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8289 #endif
8290     if (ret != 0)
8291         ERROR_OUT(-5510, out);
8292     if (XMEMCMP(p1, buf, AES_BLOCK_SIZE))
8293         ERROR_OUT(-5511, out);
8294 
8295     XMEMSET(buf, 0, sizeof(buf));
8296     if (wc_AesXtsSetKey(aes, k2, sizeof(k2), AES_DECRYPTION,
8297             HEAP_HINT, devId) != 0)
8298         ERROR_OUT(-5512, out);
8299     ret = wc_AesXtsDecrypt(aes, buf, c2, sizeof(c2), i2, sizeof(i2));
8300 #if defined(WOLFSSL_ASYNC_CRYPT)
8301     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8302 #endif
8303     if (ret != 0)
8304         ERROR_OUT(-5513, out);
8305     if (XMEMCMP(p2, buf, sizeof(p2)))
8306         ERROR_OUT(-5514, out);
8307 
8308   out:
8309 
8310     if (aes_inited)
8311         wc_AesXtsFree(aes);
8312 
8313 #ifdef WOLFSSL_SMALL_STACK
8314     if (aes)
8315         XFREE(aes, HEAP_HINT, DYNAMIC_TYPE_AES);
8316 #endif
8317 
8318     return ret;
8319 }
8320 #endif /* WOLFSSL_AES_256 */
8321 
8322 
8323 #if defined(WOLFSSL_AES_128) && defined(WOLFSSL_AES_256)
8324 /* both 128 and 256 bit key test */
aes_xts_sector_test(void)8325 static int aes_xts_sector_test(void)
8326 {
8327 #ifdef WOLFSSL_SMALL_STACK
8328     XtsAes *aes = NULL;
8329 #else
8330     XtsAes aes[1];
8331 #endif
8332     int aes_inited = 0;
8333     int ret = 0;
8334     unsigned char buf[AES_BLOCK_SIZE * 2];
8335 
8336     /* 128 key tests */
8337     WOLFSSL_SMALL_STACK_STATIC unsigned char k1[] = {
8338         0xa3, 0xe4, 0x0d, 0x5b, 0xd4, 0xb6, 0xbb, 0xed,
8339         0xb2, 0xd1, 0x8c, 0x70, 0x0a, 0xd2, 0xdb, 0x22,
8340         0x10, 0xc8, 0x11, 0x90, 0x64, 0x6d, 0x67, 0x3c,
8341         0xbc, 0xa5, 0x3f, 0x13, 0x3e, 0xab, 0x37, 0x3c
8342     };
8343 
8344     WOLFSSL_SMALL_STACK_STATIC unsigned char p1[] = {
8345         0x20, 0xe0, 0x71, 0x94, 0x05, 0x99, 0x3f, 0x09,
8346         0xa6, 0x6a, 0xe5, 0xbb, 0x50, 0x0e, 0x56, 0x2c
8347     };
8348 
8349     WOLFSSL_SMALL_STACK_STATIC unsigned char c1[] = {
8350         0x74, 0x62, 0x35, 0x51, 0x21, 0x02, 0x16, 0xac,
8351         0x92, 0x6b, 0x96, 0x50, 0xb6, 0xd3, 0xfa, 0x52
8352     };
8353     word64 s1 = 141;
8354 
8355     /* 256 key tests */
8356     WOLFSSL_SMALL_STACK_STATIC unsigned char k2[] = {
8357         0xef, 0x01, 0x0c, 0xa1, 0xa3, 0x66, 0x3e, 0x32,
8358         0x53, 0x43, 0x49, 0xbc, 0x0b, 0xae, 0x62, 0x23,
8359         0x2a, 0x15, 0x73, 0x34, 0x85, 0x68, 0xfb, 0x9e,
8360         0xf4, 0x17, 0x68, 0xa7, 0x67, 0x4f, 0x50, 0x7a,
8361         0x72, 0x7f, 0x98, 0x75, 0x53, 0x97, 0xd0, 0xe0,
8362         0xaa, 0x32, 0xf8, 0x30, 0x33, 0x8c, 0xc7, 0xa9,
8363         0x26, 0xc7, 0x73, 0xf0, 0x9e, 0x57, 0xb3, 0x57,
8364         0xcd, 0x15, 0x6a, 0xfb, 0xca, 0x46, 0xe1, 0xa0
8365     };
8366 
8367     WOLFSSL_SMALL_STACK_STATIC unsigned char p2[] = {
8368         0xed, 0x98, 0xe0, 0x17, 0x70, 0xa8, 0x53, 0xb4,
8369         0x9d, 0xb9, 0xe6, 0xaa, 0xf8, 0x8f, 0x0a, 0x41,
8370         0xb9, 0xb5, 0x6e, 0x91, 0xa5, 0xa2, 0xb1, 0x1d,
8371         0x40, 0x52, 0x92, 0x54, 0xf5, 0x52, 0x3e, 0x75
8372     };
8373 
8374     WOLFSSL_SMALL_STACK_STATIC unsigned char c2[] = {
8375         0xca, 0x20, 0xc5, 0x5e, 0x8d, 0xc1, 0x49, 0x68,
8376         0x7d, 0x25, 0x41, 0xde, 0x39, 0xc3, 0xdf, 0x63,
8377         0x00, 0xbb, 0x5a, 0x16, 0x3c, 0x10, 0xce, 0xd3,
8378         0x66, 0x6b, 0x13, 0x57, 0xdb, 0x8b, 0xd3, 0x9d
8379     };
8380     word64 s2 = 187;
8381 
8382 #ifdef WOLFSSL_SMALL_STACK
8383     if ((aes = (XtsAes *)XMALLOC(sizeof *aes, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
8384         ERROR_OUT(-5612, out);
8385 #endif
8386 
8387     XMEMSET(buf, 0, sizeof(buf));
8388     if (wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_ENCRYPTION,
8389             HEAP_HINT, devId) != 0)
8390         ERROR_OUT(-5600, out);
8391     else
8392         aes_inited = 1;
8393     ret = wc_AesXtsEncryptSector(aes, buf, p1, sizeof(p1), s1);
8394 #if defined(WOLFSSL_ASYNC_CRYPT)
8395     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8396 #endif
8397     if (ret != 0)
8398         ERROR_OUT(-5601, out);
8399     if (XMEMCMP(c1, buf, AES_BLOCK_SIZE))
8400         ERROR_OUT(-5602, out);
8401 
8402     /* decrypt test */
8403     XMEMSET(buf, 0, sizeof(buf));
8404     if (wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_DECRYPTION,
8405             HEAP_HINT, devId) != 0)
8406         ERROR_OUT(-5603, out);
8407     ret = wc_AesXtsDecryptSector(aes, buf, c1, sizeof(c1), s1);
8408 #if defined(WOLFSSL_ASYNC_CRYPT)
8409     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8410 #endif
8411     if (ret != 0)
8412         ERROR_OUT(-5604, out);
8413     if (XMEMCMP(p1, buf, AES_BLOCK_SIZE))
8414         ERROR_OUT(-5605, out);
8415     wc_AesXtsFree(aes);
8416 
8417     /* 256 bit key tests */
8418     XMEMSET(buf, 0, sizeof(buf));
8419     if (wc_AesXtsSetKey(aes, k2, sizeof(k2), AES_ENCRYPTION,
8420             HEAP_HINT, devId) != 0)
8421         ERROR_OUT(-5606, out);
8422     ret = wc_AesXtsEncryptSector(aes, buf, p2, sizeof(p2), s2);
8423 #if defined(WOLFSSL_ASYNC_CRYPT)
8424     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8425 #endif
8426     if (ret != 0)
8427         ERROR_OUT(-5607, out);
8428     if (XMEMCMP(c2, buf, sizeof(c2)))
8429         ERROR_OUT(-5608, out);
8430 
8431     /* decrypt test */
8432     XMEMSET(buf, 0, sizeof(buf));
8433     if (wc_AesXtsSetKey(aes, k2, sizeof(k2), AES_DECRYPTION,
8434             HEAP_HINT, devId) != 0)
8435         ERROR_OUT(-5609, out);
8436     ret = wc_AesXtsDecryptSector(aes, buf, c2, sizeof(c2), s2);
8437 #if defined(WOLFSSL_ASYNC_CRYPT)
8438     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8439 #endif
8440     if (ret != 0)
8441         ERROR_OUT(-5610, out);
8442     if (XMEMCMP(p2, buf, sizeof(p2)))
8443         ERROR_OUT(-5611, out);
8444 
8445   out:
8446 
8447     if (aes_inited)
8448         wc_AesXtsFree(aes);
8449 
8450 #ifdef WOLFSSL_SMALL_STACK
8451     if (aes)
8452         XFREE(aes, HEAP_HINT, DYNAMIC_TYPE_AES);
8453 #endif
8454 
8455     return ret;
8456 }
8457 #endif /* WOLFSSL_AES_128 && WOLFSSL_AES_256 */
8458 
8459 
8460 #ifdef WOLFSSL_AES_128
8461 /* testing of bad arguments */
aes_xts_args_test(void)8462 static int aes_xts_args_test(void)
8463 {
8464 #ifdef WOLFSSL_SMALL_STACK
8465     XtsAes *aes = NULL;
8466 #else
8467     XtsAes aes[1];
8468 #endif
8469     int aes_inited = 0;
8470     int ret;
8471     unsigned char buf[AES_BLOCK_SIZE * 2];
8472 
8473     /* 128 key tests */
8474     WOLFSSL_SMALL_STACK_STATIC unsigned char k1[] = {
8475         0xa3, 0xe4, 0x0d, 0x5b, 0xd4, 0xb6, 0xbb, 0xed,
8476         0xb2, 0xd1, 0x8c, 0x70, 0x0a, 0xd2, 0xdb, 0x22,
8477         0x10, 0xc8, 0x11, 0x90, 0x64, 0x6d, 0x67, 0x3c,
8478         0xbc, 0xa5, 0x3f, 0x13, 0x3e, 0xab, 0x37, 0x3c
8479     };
8480 
8481     WOLFSSL_SMALL_STACK_STATIC unsigned char p1[] = {
8482         0x20, 0xe0, 0x71, 0x94, 0x05, 0x99, 0x3f, 0x09,
8483         0xa6, 0x6a, 0xe5, 0xbb, 0x50, 0x0e, 0x56, 0x2c
8484     };
8485 
8486     WOLFSSL_SMALL_STACK_STATIC unsigned char c1[] = {
8487         0x74, 0x62, 0x35, 0x51, 0x21, 0x02, 0x16, 0xac,
8488         0x92, 0x6b, 0x96, 0x50, 0xb6, 0xd3, 0xfa, 0x52
8489     };
8490     word64 s1 = 141;
8491 
8492 #ifdef WOLFSSL_SMALL_STACK
8493     if ((aes = (XtsAes *)XMALLOC(sizeof *aes, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
8494         ERROR_OUT(-5708, out);
8495 #endif
8496 
8497     if (wc_AesXtsSetKey(NULL, k1, sizeof(k1), AES_ENCRYPTION,
8498             HEAP_HINT, devId) == 0)
8499         ERROR_OUT(-5700, out);
8500     if (wc_AesXtsSetKey(aes, NULL, sizeof(k1), AES_ENCRYPTION,
8501             HEAP_HINT, devId) == 0)
8502         ERROR_OUT(-5701, out);
8503 
8504     /* encryption operations */
8505     if (wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_ENCRYPTION,
8506             HEAP_HINT, devId) != 0)
8507         ERROR_OUT(-5702, out);
8508     else
8509         aes_inited = 1;
8510     ret = wc_AesXtsEncryptSector(NULL, buf, p1, sizeof(p1), s1);
8511 #if defined(WOLFSSL_ASYNC_CRYPT)
8512     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8513 #endif
8514     if (ret == 0)
8515         ERROR_OUT(-5703, out);
8516 
8517     ret = wc_AesXtsEncryptSector(aes, NULL, p1, sizeof(p1), s1);
8518 #if defined(WOLFSSL_ASYNC_CRYPT)
8519     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8520 #endif
8521     if (ret == 0)
8522         ERROR_OUT(-5704, out);
8523     wc_AesXtsFree(aes);
8524 
8525     /* decryption operations */
8526     if (wc_AesXtsSetKey(aes, k1, sizeof(k1), AES_DECRYPTION,
8527             HEAP_HINT, devId) != 0)
8528         ERROR_OUT(-5705, out);
8529     ret = wc_AesXtsDecryptSector(NULL, buf, c1, sizeof(c1), s1);
8530 #if defined(WOLFSSL_ASYNC_CRYPT)
8531     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8532 #endif
8533     if (ret == 0)
8534         ERROR_OUT(-5706, out);
8535 
8536     ret = wc_AesXtsDecryptSector(aes, NULL, c1, sizeof(c1), s1);
8537 #if defined(WOLFSSL_ASYNC_CRYPT)
8538     ret = wc_AsyncWait(ret, &aes->aes.asyncDev, WC_ASYNC_FLAG_NONE);
8539 #endif
8540     if (ret == 0)
8541         ERROR_OUT(-5707, out);
8542 
8543     ret = 0;
8544 
8545   out:
8546 
8547     if (aes_inited)
8548         wc_AesXtsFree(aes);
8549 
8550 #ifdef WOLFSSL_SMALL_STACK
8551     if (aes)
8552         XFREE(aes, HEAP_HINT, DYNAMIC_TYPE_AES);
8553 #endif
8554 
8555     return ret;
8556 }
8557 #endif /* WOLFSSL_AES_128 */
8558 #endif /* WOLFSSL_AES_XTS */
8559 
8560 #if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
aes_cbc_test(void)8561 static int aes_cbc_test(void)
8562 {
8563     byte cipher[AES_BLOCK_SIZE];
8564     byte plain[AES_BLOCK_SIZE];
8565     int  ret;
8566     WOLFSSL_SMALL_STACK_STATIC const byte msg[] = { /* "Now is the time for all " w/o trailing 0 */
8567         0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
8568         0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
8569         0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
8570     };
8571     byte key[] = "0123456789abcdef   ";  /* align */
8572     byte iv[]  = "1234567890abcdef   ";  /* align */
8573 
8574     XMEMSET(cipher, 0, AES_BLOCK_SIZE);
8575     XMEMSET(plain, 0, AES_BLOCK_SIZE);
8576 
8577     /* Parameter Validation testing. */
8578     ret = wc_AesCbcEncryptWithKey(cipher, msg, AES_BLOCK_SIZE, key, 17, NULL);
8579     if (ret != BAD_FUNC_ARG)
8580         return -5800;
8581 #ifdef HAVE_AES_DECRYPT
8582     ret = wc_AesCbcDecryptWithKey(plain, cipher, AES_BLOCK_SIZE, key, 17, NULL);
8583     if (ret != BAD_FUNC_ARG)
8584         return -5801;
8585 #endif
8586 
8587     ret = wc_AesCbcEncryptWithKey(cipher, msg, AES_BLOCK_SIZE, key,
8588                                   AES_BLOCK_SIZE, iv);
8589     if (ret != 0)
8590         return -5802;
8591 #ifdef HAVE_AES_DECRYPT
8592     ret = wc_AesCbcDecryptWithKey(plain, cipher, AES_BLOCK_SIZE, key,
8593                                   AES_BLOCK_SIZE, iv);
8594     if (ret != 0)
8595         return -5803;
8596     if (XMEMCMP(plain, msg, AES_BLOCK_SIZE) != 0)
8597         return -5804;
8598 #endif /* HAVE_AES_DECRYPT */
8599 
8600     (void)plain;
8601     return 0;
8602 }
8603 #endif
8604 
aes_test(void)8605 WOLFSSL_TEST_SUBROUTINE int aes_test(void)
8606 {
8607 #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_DIRECT)
8608 #ifdef WOLFSSL_SMALL_STACK
8609     Aes *enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES);
8610 #else
8611     Aes enc[1];
8612 #endif
8613     byte cipher[AES_BLOCK_SIZE * 4];
8614 #ifdef HAVE_AES_DECRYPT
8615 #ifdef WOLFSSL_SMALL_STACK
8616     Aes *dec = (Aes *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES);
8617 #else
8618     Aes dec[1];
8619 #endif
8620     byte plain [AES_BLOCK_SIZE * 4];
8621 #endif /* HAVE_AES_DECRYPT */
8622 #endif /* HAVE_AES_CBC || WOLFSSL_AES_COUNTER || WOLFSSL_AES_DIRECT */
8623     int  ret = 0;
8624 
8625 #ifdef HAVE_AES_CBC
8626 #ifdef WOLFSSL_AES_128
8627     WOLFSSL_SMALL_STACK_STATIC const byte msg[] = { /* "Now is the time for all " w/o trailing 0 */
8628         0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
8629         0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
8630         0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
8631     };
8632 
8633     WOLFSSL_SMALL_STACK_STATIC const byte verify[] =
8634     {
8635         0x95,0x94,0x92,0x57,0x5f,0x42,0x81,0x53,
8636         0x2c,0xcc,0x9d,0x46,0x77,0xa2,0x33,0xcb
8637     };
8638 
8639     WOLFSSL_SMALL_STACK_STATIC const byte key[] = "0123456789abcdef   ";  /* align */
8640     WOLFSSL_SMALL_STACK_STATIC const byte iv[]  = "1234567890abcdef   ";  /* align */
8641 
8642 #ifdef WOLFSSL_SMALL_STACK
8643 #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_DIRECT)
8644     if (enc == NULL)
8645         ERROR_OUT(-5948, out);
8646 #endif
8647 #if defined(HAVE_AES_DECRYPT) || defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_DIRECT)
8648     if (dec == NULL)
8649         ERROR_OUT(-5949, out);
8650 #endif
8651 #endif
8652 
8653     if (wc_AesInit(enc, HEAP_HINT, devId) != 0)
8654         ERROR_OUT(-5900, out); /* note this error code is used programmatically in cleanup. */
8655 #if defined(HAVE_AES_DECRYPT) || defined(WOLFSSL_AES_COUNTER)
8656     if (wc_AesInit(dec, HEAP_HINT, devId) != 0)
8657         ERROR_OUT(-5901, out); /* note this error code is used programmatically in cleanup. */
8658 #endif
8659 
8660     ret = wc_AesSetKey(enc, key, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
8661     if (ret != 0)
8662         ERROR_OUT(-5902, out);
8663 #if defined(HAVE_AES_DECRYPT) || defined(WOLFSSL_AES_COUNTER)
8664     ret = wc_AesSetKey(dec, key, AES_BLOCK_SIZE, iv, AES_DECRYPTION);
8665     if (ret != 0)
8666         ERROR_OUT(-5903, out);
8667 #endif
8668 
8669     XMEMSET(cipher, 0, AES_BLOCK_SIZE * 4);
8670     ret = wc_AesCbcEncrypt(enc, cipher, msg, AES_BLOCK_SIZE);
8671 #if defined(WOLFSSL_ASYNC_CRYPT)
8672     ret = wc_AsyncWait(ret, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
8673 #endif
8674     if (ret != 0)
8675         ERROR_OUT(-5904, out);
8676 #ifdef HAVE_AES_DECRYPT
8677     XMEMSET(plain, 0, AES_BLOCK_SIZE * 4);
8678     ret = wc_AesCbcDecrypt(dec, plain, cipher, AES_BLOCK_SIZE);
8679 #if defined(WOLFSSL_ASYNC_CRYPT)
8680     ret = wc_AsyncWait(ret, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
8681 #endif
8682     if (ret != 0)
8683         ERROR_OUT(-5905, out);
8684 
8685     if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
8686         ERROR_OUT(-5906, out);
8687 #endif /* HAVE_AES_DECRYPT */
8688     if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
8689         ERROR_OUT(-5907, out);
8690 #endif /* WOLFSSL_AES_128 */
8691 
8692 #if defined(WOLFSSL_AESNI) && defined(HAVE_AES_DECRYPT)
8693     {
8694         WOLFSSL_SMALL_STACK_STATIC const byte bigMsg[] = {
8695             /* "All work and no play makes Jack a dull boy. " */
8696             0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
8697             0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
8698             0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
8699             0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20,
8700             0x61,0x20,0x64,0x75,0x6c,0x6c,0x20,0x62,
8701             0x6f,0x79,0x2e,0x20,0x41,0x6c,0x6c,0x20,
8702             0x77,0x6f,0x72,0x6b,0x20,0x61,0x6e,0x64,
8703             0x20,0x6e,0x6f,0x20,0x70,0x6c,0x61,0x79,
8704             0x20,0x6d,0x61,0x6b,0x65,0x73,0x20,0x4a,
8705             0x61,0x63,0x6b,0x20,0x61,0x20,0x64,0x75,
8706             0x6c,0x6c,0x20,0x62,0x6f,0x79,0x2e,0x20,
8707             0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
8708             0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
8709             0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
8710             0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20,
8711             0x61,0x20,0x64,0x75,0x6c,0x6c,0x20,0x62,
8712             0x6f,0x79,0x2e,0x20,0x41,0x6c,0x6c,0x20,
8713             0x77,0x6f,0x72,0x6b,0x20,0x61,0x6e,0x64,
8714             0x20,0x6e,0x6f,0x20,0x70,0x6c,0x61,0x79,
8715             0x20,0x6d,0x61,0x6b,0x65,0x73,0x20,0x4a,
8716             0x61,0x63,0x6b,0x20,0x61,0x20,0x64,0x75,
8717             0x6c,0x6c,0x20,0x62,0x6f,0x79,0x2e,0x20,
8718             0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
8719             0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
8720             0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
8721             0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20,
8722             0x61,0x20,0x64,0x75,0x6c,0x6c,0x20,0x62,
8723             0x6f,0x79,0x2e,0x20,0x41,0x6c,0x6c,0x20,
8724             0x77,0x6f,0x72,0x6b,0x20,0x61,0x6e,0x64,
8725             0x20,0x6e,0x6f,0x20,0x70,0x6c,0x61,0x79,
8726             0x20,0x6d,0x61,0x6b,0x65,0x73,0x20,0x4a,
8727             0x61,0x63,0x6b,0x20,0x61,0x20,0x64,0x75,
8728             0x6c,0x6c,0x20,0x62,0x6f,0x79,0x2e,0x20,
8729             0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
8730             0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
8731             0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
8732             0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20,
8733             0x61,0x20,0x64,0x75,0x6c,0x6c,0x20,0x62,
8734             0x6f,0x79,0x2e,0x20,0x41,0x6c,0x6c,0x20,
8735             0x77,0x6f,0x72,0x6b,0x20,0x61,0x6e,0x64,
8736             0x20,0x6e,0x6f,0x20,0x70,0x6c,0x61,0x79,
8737             0x20,0x6d,0x61,0x6b,0x65,0x73,0x20,0x4a,
8738             0x61,0x63,0x6b,0x20,0x61,0x20,0x64,0x75,
8739             0x6c,0x6c,0x20,0x62,0x6f,0x79,0x2e,0x20,
8740             0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
8741             0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
8742             0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
8743             0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20
8744         };
8745         WOLFSSL_SMALL_STACK_STATIC const byte bigKey[] = "0123456789abcdeffedcba9876543210";
8746         word32 keySz, msgSz;
8747 #ifdef WOLFSSL_SMALL_STACK
8748         byte *bigCipher = (byte *)XMALLOC(sizeof(bigMsg), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
8749         byte *bigPlain = (byte *)XMALLOC(sizeof(bigMsg), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
8750 
8751         if ((bigCipher == NULL) ||
8752             (bigPlain == NULL)) {
8753             if (bigCipher != NULL)
8754                 XFREE(bigCipher, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
8755             ERROR_OUT(-5947, out);
8756         }
8757 #else
8758         byte bigCipher[sizeof(bigMsg)];
8759         byte bigPlain[sizeof(bigMsg)];
8760 #endif
8761 
8762         /* Iterate from one AES_BLOCK_SIZE of bigMsg through the whole
8763          * message by AES_BLOCK_SIZE for each size of AES key. */
8764         for (keySz = 16; keySz <= 32; keySz += 8) {
8765             for (msgSz = AES_BLOCK_SIZE;
8766                  msgSz <= sizeof(bigMsg);
8767                  msgSz += AES_BLOCK_SIZE) {
8768 
8769                 XMEMSET(bigCipher, 0, sizeof(bigMsg));
8770                 XMEMSET(bigPlain, 0, sizeof(bigMsg));
8771                 ret = wc_AesSetKey(enc, bigKey, keySz, iv, AES_ENCRYPTION);
8772                 if (ret != 0) {
8773                     ret = -5908;
8774                     break;
8775                 }
8776                 ret = wc_AesSetKey(dec, bigKey, keySz, iv, AES_DECRYPTION);
8777                 if (ret != 0) {
8778                     ret = -5909;
8779                     break;
8780                 }
8781 
8782                 ret = wc_AesCbcEncrypt(enc, bigCipher, bigMsg, msgSz);
8783             #if defined(WOLFSSL_ASYNC_CRYPT)
8784                 ret = wc_AsyncWait(ret, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
8785             #endif
8786                 if (ret != 0) {
8787                     ret = -5910;
8788                     break;
8789                 }
8790 
8791                 ret = wc_AesCbcDecrypt(dec, bigPlain, bigCipher, msgSz);
8792             #if defined(WOLFSSL_ASYNC_CRYPT)
8793                 ret = wc_AsyncWait(ret, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
8794             #endif
8795                 if (ret != 0) {
8796                     ret = -5911;
8797                     break;
8798                 }
8799 
8800                 if (XMEMCMP(bigPlain, bigMsg, msgSz)) {
8801                     ret = -5912;
8802                     break;
8803                 }
8804             }
8805             if (ret != 0)
8806                 break;
8807         }
8808 
8809 #ifdef WOLFSSL_SMALL_STACK
8810         XFREE(bigCipher, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
8811         XFREE(bigPlain, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
8812 #endif
8813 
8814         if (ret != 0)
8815             goto out;
8816     }
8817 #endif /* WOLFSSL_AESNI && HAVE_AES_DECRYPT */
8818 
8819     /* Test of AES IV state with encrypt/decrypt */
8820 #ifdef WOLFSSL_AES_128
8821     {
8822         /* Test Vector from "NIST Special Publication 800-38A, 2001 Edition"
8823          * https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38a.pdf
8824          */
8825         WOLFSSL_SMALL_STACK_STATIC const byte msg2[] =
8826         {
8827             0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
8828             0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
8829             0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
8830             0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51
8831         };
8832 
8833         WOLFSSL_SMALL_STACK_STATIC const byte verify2[] =
8834         {
8835             0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46,
8836             0xce, 0xe9, 0x8e, 0x9b, 0x12, 0xe9, 0x19, 0x7d,
8837             0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee,
8838             0x95, 0xdb, 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2
8839         };
8840         WOLFSSL_SMALL_STACK_STATIC const byte key2[] = {
8841             0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
8842             0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
8843         };
8844         WOLFSSL_SMALL_STACK_STATIC const byte iv2[]  = {
8845             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
8846             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
8847         };
8848 
8849 
8850         ret = wc_AesSetKey(enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
8851         if (ret != 0)
8852             ERROR_OUT(-5913, out);
8853         XMEMSET(cipher, 0, AES_BLOCK_SIZE * 2);
8854         ret = wc_AesCbcEncrypt(enc, cipher, msg2, AES_BLOCK_SIZE);
8855     #if defined(WOLFSSL_ASYNC_CRYPT)
8856         ret = wc_AsyncWait(ret, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
8857     #endif
8858         if (ret != 0)
8859             ERROR_OUT(-5914, out);
8860         if (XMEMCMP(cipher, verify2, AES_BLOCK_SIZE))
8861             ERROR_OUT(-5915, out);
8862 
8863         ret = wc_AesCbcEncrypt(enc, cipher + AES_BLOCK_SIZE,
8864                 msg2 + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
8865     #if defined(WOLFSSL_ASYNC_CRYPT)
8866         ret = wc_AsyncWait(ret, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
8867     #endif
8868         if (ret != 0)
8869             ERROR_OUT(-5916, out);
8870         if (XMEMCMP(cipher + AES_BLOCK_SIZE, verify2 + AES_BLOCK_SIZE,
8871                     AES_BLOCK_SIZE))
8872             ERROR_OUT(-5917, out);
8873 
8874         #if defined(HAVE_AES_DECRYPT)
8875         ret = wc_AesSetKey(dec, key2, sizeof(key2), iv2, AES_DECRYPTION);
8876         if (ret != 0)
8877             ERROR_OUT(-5918, out);
8878         XMEMSET(plain, 0, AES_BLOCK_SIZE * 2);
8879         ret = wc_AesCbcDecrypt(dec, plain, verify2, AES_BLOCK_SIZE);
8880     #if defined(WOLFSSL_ASYNC_CRYPT)
8881         ret = wc_AsyncWait(ret, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
8882     #endif
8883         if (ret != 0)
8884             ERROR_OUT(-5919, out);
8885         if (XMEMCMP(plain, msg2, AES_BLOCK_SIZE))
8886             ERROR_OUT(-5920, out);
8887 
8888         ret = wc_AesCbcDecrypt(dec, plain + AES_BLOCK_SIZE,
8889                 verify2 + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
8890     #if defined(WOLFSSL_ASYNC_CRYPT)
8891         ret = wc_AsyncWait(ret, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
8892     #endif
8893         if (ret != 0)
8894             ERROR_OUT(-5921, out);
8895         if (XMEMCMP(plain + AES_BLOCK_SIZE, msg2 + AES_BLOCK_SIZE,
8896                     AES_BLOCK_SIZE))
8897             ERROR_OUT(-5922, out);
8898 
8899         #endif /* HAVE_AES_DECRYPT */
8900     }
8901 #endif /* WOLFSSL_AES_128 */
8902 #endif /* HAVE_AES_CBC */
8903 
8904 #ifdef WOLFSSL_AES_COUNTER
8905     {
8906         /* test vectors from "Recommendation for Block Cipher Modes of
8907          * Operation" NIST Special Publication 800-38A */
8908 
8909         WOLFSSL_SMALL_STACK_STATIC const byte ctrIv[] =
8910         {
8911             0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
8912             0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
8913         };
8914 
8915         WOLFSSL_SMALL_STACK_STATIC const byte ctrPlain[] =
8916         {
8917             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
8918             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
8919             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
8920             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
8921             0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
8922             0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
8923             0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
8924             0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
8925         };
8926 
8927 #ifdef WOLFSSL_AES_128
8928         WOLFSSL_SMALL_STACK_STATIC const byte oddCipher[] =
8929         {
8930             0xb9,0xd7,0xcb,0x08,0xb0,0xe1,0x7b,0xa0,
8931             0xc2
8932         };
8933 
8934         WOLFSSL_SMALL_STACK_STATIC const byte ctr128Key[] =
8935         {
8936             0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
8937             0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
8938         };
8939 
8940         WOLFSSL_SMALL_STACK_STATIC const byte ctr128Cipher[] =
8941         {
8942             0x87,0x4d,0x61,0x91,0xb6,0x20,0xe3,0x26,
8943             0x1b,0xef,0x68,0x64,0x99,0x0d,0xb6,0xce,
8944             0x98,0x06,0xf6,0x6b,0x79,0x70,0xfd,0xff,
8945             0x86,0x17,0x18,0x7b,0xb9,0xff,0xfd,0xff,
8946             0x5a,0xe4,0xdf,0x3e,0xdb,0xd5,0xd3,0x5e,
8947             0x5b,0x4f,0x09,0x02,0x0d,0xb0,0x3e,0xab,
8948             0x1e,0x03,0x1d,0xda,0x2f,0xbe,0x03,0xd1,
8949             0x79,0x21,0x70,0xa0,0xf3,0x00,0x9c,0xee
8950         };
8951 #endif /* WOLFSSL_AES_128 */
8952 
8953 #ifdef WOLFSSL_AES_192
8954         WOLFSSL_SMALL_STACK_STATIC const byte ctr192Key[] =
8955         {
8956             0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
8957             0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
8958             0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
8959         };
8960 
8961         WOLFSSL_SMALL_STACK_STATIC const byte ctr192Cipher[] =
8962         {
8963             0x1a,0xbc,0x93,0x24,0x17,0x52,0x1c,0xa2,
8964             0x4f,0x2b,0x04,0x59,0xfe,0x7e,0x6e,0x0b,
8965             0x09,0x03,0x39,0xec,0x0a,0xa6,0xfa,0xef,
8966             0xd5,0xcc,0xc2,0xc6,0xf4,0xce,0x8e,0x94,
8967             0x1e,0x36,0xb2,0x6b,0xd1,0xeb,0xc6,0x70,
8968             0xd1,0xbd,0x1d,0x66,0x56,0x20,0xab,0xf7,
8969             0x4f,0x78,0xa7,0xf6,0xd2,0x98,0x09,0x58,
8970             0x5a,0x97,0xda,0xec,0x58,0xc6,0xb0,0x50
8971         };
8972 #endif
8973 #ifdef WOLFSSL_AES_256
8974         WOLFSSL_SMALL_STACK_STATIC const byte ctr256Key[] =
8975         {
8976             0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
8977             0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
8978             0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
8979             0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
8980         };
8981 
8982         WOLFSSL_SMALL_STACK_STATIC const byte ctr256Cipher[] =
8983         {
8984             0x60,0x1e,0xc3,0x13,0x77,0x57,0x89,0xa5,
8985             0xb7,0xa7,0xf5,0x04,0xbb,0xf3,0xd2,0x28,
8986             0xf4,0x43,0xe3,0xca,0x4d,0x62,0xb5,0x9a,
8987             0xca,0x84,0xe9,0x90,0xca,0xca,0xf5,0xc5,
8988             0x2b,0x09,0x30,0xda,0xa2,0x3d,0xe9,0x4c,
8989             0xe8,0x70,0x17,0xba,0x2d,0x84,0x98,0x8d,
8990             0xdf,0xc9,0xc5,0x8d,0xb6,0x7a,0xad,0xa6,
8991             0x13,0xc2,0xdd,0x08,0x45,0x79,0x41,0xa6
8992         };
8993 #endif
8994 
8995 #ifdef WOLFSSL_AES_128
8996         wc_AesSetKeyDirect(enc, ctr128Key, sizeof(ctr128Key),
8997                            ctrIv, AES_ENCRYPTION);
8998         /* Ctr only uses encrypt, even on key setup */
8999         wc_AesSetKeyDirect(dec, ctr128Key, sizeof(ctr128Key),
9000                            ctrIv, AES_ENCRYPTION);
9001 
9002         ret = wc_AesCtrEncrypt(enc, cipher, ctrPlain, sizeof(ctrPlain));
9003         if (ret != 0) {
9004             ERROR_OUT(-5923, out);
9005         }
9006         ret = wc_AesCtrEncrypt(dec, plain, cipher, sizeof(ctrPlain));
9007         if (ret != 0) {
9008             ERROR_OUT(-5924, out);
9009         }
9010         if (XMEMCMP(plain, ctrPlain, sizeof(ctrPlain)))
9011             ERROR_OUT(-5925, out);
9012 
9013         if (XMEMCMP(cipher, ctr128Cipher, sizeof(ctr128Cipher)))
9014             ERROR_OUT(-5926, out);
9015 
9016         /* let's try with just 9 bytes, non block size test */
9017         wc_AesSetKeyDirect(enc, ctr128Key, AES_BLOCK_SIZE,
9018                            ctrIv, AES_ENCRYPTION);
9019         /* Ctr only uses encrypt, even on key setup */
9020         wc_AesSetKeyDirect(dec, ctr128Key, AES_BLOCK_SIZE,
9021                            ctrIv, AES_ENCRYPTION);
9022 
9023         ret = wc_AesCtrEncrypt(enc, cipher, ctrPlain, sizeof(oddCipher));
9024         if (ret != 0) {
9025             ERROR_OUT(-5927, out);
9026         }
9027         ret = wc_AesCtrEncrypt(dec, plain, cipher, sizeof(oddCipher));
9028         if (ret != 0) {
9029             ERROR_OUT(-5928, out);
9030         }
9031 
9032         if (XMEMCMP(plain, ctrPlain, sizeof(oddCipher)))
9033             ERROR_OUT(-5929, out);
9034 
9035         if (XMEMCMP(cipher, ctr128Cipher, sizeof(oddCipher)))
9036             ERROR_OUT(-5930, out);
9037 
9038         /* and an additional 9 bytes to reuse tmp left buffer */
9039         ret = wc_AesCtrEncrypt(enc, cipher, ctrPlain, sizeof(oddCipher));
9040         if (ret != 0) {
9041             ERROR_OUT(-5931, out);
9042         }
9043         ret = wc_AesCtrEncrypt(dec, plain, cipher, sizeof(oddCipher));
9044         if (ret != 0) {
9045             ERROR_OUT(-5932, out);
9046         }
9047 
9048         if (XMEMCMP(plain, ctrPlain, sizeof(oddCipher)))
9049             ERROR_OUT(-5933, out);
9050 
9051         if (XMEMCMP(cipher, oddCipher, sizeof(oddCipher)))
9052             ERROR_OUT(-5934, out);
9053 #endif /* WOLFSSL_AES_128 */
9054 
9055 #ifdef WOLFSSL_AES_192
9056         /* 192 bit key */
9057         wc_AesSetKeyDirect(enc, ctr192Key, sizeof(ctr192Key),
9058                            ctrIv, AES_ENCRYPTION);
9059         /* Ctr only uses encrypt, even on key setup */
9060         wc_AesSetKeyDirect(dec, ctr192Key, sizeof(ctr192Key),
9061                            ctrIv, AES_ENCRYPTION);
9062 
9063         XMEMSET(plain, 0, sizeof(plain));
9064         ret = wc_AesCtrEncrypt(enc, plain, ctr192Cipher, sizeof(ctr192Cipher));
9065         if (ret != 0) {
9066             ERROR_OUT(-5935, out);
9067         }
9068 
9069         if (XMEMCMP(plain, ctrPlain, sizeof(ctr192Cipher)))
9070             ERROR_OUT(-5936, out);
9071 
9072         ret = wc_AesCtrEncrypt(dec, cipher, ctrPlain, sizeof(ctrPlain));
9073         if (ret != 0) {
9074             ERROR_OUT(-5937, out);
9075         }
9076         if (XMEMCMP(ctr192Cipher, cipher, sizeof(ctr192Cipher)))
9077             ERROR_OUT(-5938, out);
9078 #endif /* WOLFSSL_AES_192 */
9079 
9080 #ifdef WOLFSSL_AES_256
9081         /* 256 bit key */
9082         wc_AesSetKeyDirect(enc, ctr256Key, sizeof(ctr256Key),
9083                            ctrIv, AES_ENCRYPTION);
9084         /* Ctr only uses encrypt, even on key setup */
9085         wc_AesSetKeyDirect(dec, ctr256Key, sizeof(ctr256Key),
9086                            ctrIv, AES_ENCRYPTION);
9087 
9088         XMEMSET(plain, 0, sizeof(plain));
9089         ret = wc_AesCtrEncrypt(enc, plain, ctr256Cipher, sizeof(ctr256Cipher));
9090         if (ret != 0) {
9091             ERROR_OUT(-5939, out);
9092         }
9093 
9094         if (XMEMCMP(plain, ctrPlain, sizeof(ctrPlain)))
9095             ERROR_OUT(-5940, out);
9096 
9097         ret = wc_AesCtrEncrypt(dec, cipher, ctrPlain, sizeof(ctrPlain));
9098         if (ret != 0) {
9099             ERROR_OUT(-5941, out);
9100         }
9101         if (XMEMCMP(ctr256Cipher, cipher, sizeof(ctr256Cipher)))
9102             ERROR_OUT(-5942, out);
9103 #endif /* WOLFSSL_AES_256 */
9104     }
9105 #endif /* WOLFSSL_AES_COUNTER */
9106 
9107 #if defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_256)
9108     {
9109         WOLFSSL_SMALL_STACK_STATIC const byte niPlain[] =
9110         {
9111             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
9112             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
9113         };
9114 
9115         WOLFSSL_SMALL_STACK_STATIC const byte niCipher[] =
9116         {
9117             0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c,
9118             0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8
9119         };
9120 
9121         WOLFSSL_SMALL_STACK_STATIC const byte niKey[] =
9122         {
9123             0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
9124             0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
9125             0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
9126             0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
9127         };
9128 
9129         XMEMSET(cipher, 0, AES_BLOCK_SIZE);
9130         ret = wc_AesSetKey(enc, niKey, sizeof(niKey), cipher, AES_ENCRYPTION);
9131         if (ret != 0)
9132             ERROR_OUT(-5943, out);
9133 #ifdef WOLFSSL_LINUXKM
9134         if (wc_AesEncryptDirect(enc, cipher, niPlain) != 0)
9135             ERROR_OUT(-5950, out);
9136 #else
9137         wc_AesEncryptDirect(enc, cipher, niPlain);
9138 #endif
9139         if (XMEMCMP(cipher, niCipher, AES_BLOCK_SIZE) != 0)
9140             ERROR_OUT(-5944, out);
9141 
9142         XMEMSET(plain, 0, AES_BLOCK_SIZE);
9143         ret = wc_AesSetKey(dec, niKey, sizeof(niKey), plain, AES_DECRYPTION);
9144         if (ret != 0)
9145             ERROR_OUT(-5945, out);
9146 #ifdef WOLFSSL_LINUXKM
9147         if (wc_AesDecryptDirect(dec, plain, niCipher) != 0)
9148             ERROR_OUT(-5951, out);
9149 #else
9150         wc_AesDecryptDirect(dec, plain, niCipher);
9151 #endif
9152         if (XMEMCMP(plain, niPlain, AES_BLOCK_SIZE) != 0)
9153             ERROR_OUT(-5946, out);
9154     }
9155 #endif /* WOLFSSL_AES_DIRECT && WOLFSSL_AES_256 */
9156 
9157     ret = aes_key_size_test();
9158     if (ret != 0)
9159         goto out;
9160 
9161 #if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
9162     ret = aes_cbc_test();
9163     if (ret != 0)
9164         goto out;
9165 #endif
9166 
9167 #if defined(WOLFSSL_AES_XTS)
9168     #ifdef WOLFSSL_AES_128
9169     ret = aes_xts_128_test();
9170     if (ret != 0)
9171         goto out;
9172     #endif
9173     #ifdef WOLFSSL_AES_256
9174     ret = aes_xts_256_test();
9175     if (ret != 0)
9176         goto out;
9177     #endif
9178     #if defined(WOLFSSL_AES_128) && defined(WOLFSSL_AES_256)
9179     ret = aes_xts_sector_test();
9180     if (ret != 0)
9181         goto out;
9182     #endif
9183     #ifdef WOLFSSL_AES_128
9184     ret = aes_xts_args_test();
9185     if (ret != 0)
9186         goto out;
9187     #endif
9188 #endif
9189 
9190 #if defined(WOLFSSL_AES_CFB)
9191     ret = aescfb_test();
9192     if (ret != 0)
9193         goto out;
9194 #if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
9195     ret = aescfb1_test();
9196     if (ret != 0)
9197         goto out;
9198 
9199     ret = aescfb8_test();
9200     if (ret != 0)
9201         goto out;
9202 #endif
9203 #endif
9204 
9205   out:
9206 
9207 #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_DIRECT)
9208 #ifdef WOLFSSL_SMALL_STACK
9209     if (enc) {
9210         if (ret != -5900) /* note this must match ERRROR_OUT() code
9211                            * for wc_AesInit(enc, ...) failure above.
9212                            */
9213             wc_AesFree(enc);
9214         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
9215     }
9216 #else
9217     if (ret != -5900)
9218         wc_AesFree(enc);
9219 #endif
9220     (void)cipher;
9221 #ifdef HAVE_AES_DECRYPT
9222 #ifdef WOLFSSL_SMALL_STACK
9223     if (dec) {
9224         if ((ret != -5900) && (ret != -5901))
9225             /* note these codes must match the ERRROR_OUT() codes for
9226              * wc_AesInit() failures above.
9227              */
9228             wc_AesFree(dec);
9229         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
9230     }
9231 #else
9232     if ((ret != -5900) && (ret != -5901))
9233         wc_AesFree(dec);
9234 #endif
9235     (void)plain;
9236 #endif /* HAVE_AES_DECRYPT */
9237 #endif /* HAVE_AES_CBC || WOLFSSL_AES_COUNTER || WOLFSSL_AES_DIRECT */
9238 
9239     return ret;
9240 }
9241 
9242 #ifdef WOLFSSL_AES_192
aes192_test(void)9243 WOLFSSL_TEST_SUBROUTINE int aes192_test(void)
9244 {
9245 #ifdef HAVE_AES_CBC
9246 #ifdef WOLFSSL_SMALL_STACK
9247     Aes *enc = NULL;
9248 #else
9249     Aes enc[1];
9250 #endif
9251     byte cipher[AES_BLOCK_SIZE];
9252 #ifdef HAVE_AES_DECRYPT
9253 #ifdef WOLFSSL_SMALL_STACK
9254     Aes *dec = NULL;
9255 #else
9256     Aes dec[1];
9257 #endif
9258     byte plain[AES_BLOCK_SIZE];
9259 #endif
9260 #endif /* HAVE_AES_CBC */
9261     int  ret = 0;
9262 
9263 #ifdef HAVE_AES_CBC
9264     /* Test vectors from NIST Special Publication 800-38A, 2001 Edition
9265      * Appendix F.2.3  */
9266 
9267     WOLFSSL_SMALL_STACK_STATIC const byte msg[] = {
9268         0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
9269         0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
9270     };
9271 
9272     WOLFSSL_SMALL_STACK_STATIC const byte verify[] =
9273     {
9274         0x4f,0x02,0x1d,0xb2,0x43,0xbc,0x63,0x3d,
9275         0x71,0x78,0x18,0x3a,0x9f,0xa0,0x71,0xe8
9276     };
9277 
9278     WOLFSSL_SMALL_STACK_STATIC byte key[] = {
9279         0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
9280         0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
9281         0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
9282     };
9283     WOLFSSL_SMALL_STACK_STATIC byte iv[]  = {
9284         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
9285         0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F
9286     };
9287 
9288 #ifdef WOLFSSL_SMALL_STACK
9289     if ((enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
9290         ERROR_OUT(-6008, out);
9291 #ifdef HAVE_AES_DECRYPT
9292     if ((dec = (Aes *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
9293         ERROR_OUT(-6009, out);
9294 #endif
9295 #endif
9296 
9297     if (wc_AesInit(enc, HEAP_HINT, devId) != 0)
9298         ERROR_OUT(-6000, out);
9299 #ifdef HAVE_AES_DECRYPT
9300     if (wc_AesInit(dec, HEAP_HINT, devId) != 0)
9301         ERROR_OUT(-6001, out);
9302 #endif
9303 
9304     ret = wc_AesSetKey(enc, key, (int) sizeof(key), iv, AES_ENCRYPTION);
9305     if (ret != 0)
9306         ERROR_OUT(-6002, out);
9307 #ifdef HAVE_AES_DECRYPT
9308     ret = wc_AesSetKey(dec, key, (int) sizeof(key), iv, AES_DECRYPTION);
9309     if (ret != 0)
9310         ERROR_OUT(-6003, out);
9311 #endif
9312 
9313     XMEMSET(cipher, 0, AES_BLOCK_SIZE);
9314     ret = wc_AesCbcEncrypt(enc, cipher, msg, (int) sizeof(msg));
9315 #if defined(WOLFSSL_ASYNC_CRYPT)
9316     ret = wc_AsyncWait(ret, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
9317 #endif
9318     if (ret != 0)
9319         ERROR_OUT(-6004, out);
9320 #ifdef HAVE_AES_DECRYPT
9321     XMEMSET(plain, 0, AES_BLOCK_SIZE);
9322     ret = wc_AesCbcDecrypt(dec, plain, cipher, (int) sizeof(cipher));
9323 #if defined(WOLFSSL_ASYNC_CRYPT)
9324     ret = wc_AsyncWait(ret, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
9325 #endif
9326     if (ret != 0)
9327         ERROR_OUT(-6005, out);
9328     if (XMEMCMP(plain, msg, (int) sizeof(plain))) {
9329         ERROR_OUT(-6006, out);
9330     }
9331 #endif
9332 
9333     if (XMEMCMP(cipher, verify, (int) sizeof(cipher)))
9334         ERROR_OUT(-6007, out);
9335 
9336     wc_AesFree(enc);
9337 #ifdef HAVE_AES_DECRYPT
9338     wc_AesFree(dec);
9339 #endif
9340 
9341   out:
9342 #ifdef WOLFSSL_SMALL_STACK
9343     if (enc)
9344         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
9345 #ifdef HAVE_AES_DECRYPT
9346     if (dec)
9347         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
9348 #endif
9349 #endif
9350 #endif /* HAVE_AES_CBC */
9351 
9352     return ret;
9353 }
9354 #endif /* WOLFSSL_AES_192 */
9355 
9356 #ifdef WOLFSSL_AES_256
aes256_test(void)9357 WOLFSSL_TEST_SUBROUTINE int aes256_test(void)
9358 {
9359 #ifdef HAVE_AES_CBC
9360 #ifdef WOLFSSL_SMALL_STACK
9361     Aes *enc = NULL;
9362 #else
9363     Aes enc[1];
9364 #endif
9365     byte cipher[AES_BLOCK_SIZE];
9366 #ifdef HAVE_AES_DECRYPT
9367 #ifdef WOLFSSL_SMALL_STACK
9368     Aes *dec = NULL;
9369 #else
9370     Aes dec[1];
9371 #endif
9372     byte plain[AES_BLOCK_SIZE];
9373 #endif
9374 #endif /* HAVE_AES_CBC */
9375     int  ret = 0;
9376 
9377 #ifdef HAVE_AES_CBC
9378     /* Test vectors from NIST Special Publication 800-38A, 2001 Edition,
9379      * Appendix F.2.5  */
9380     WOLFSSL_SMALL_STACK_STATIC const byte msg[] = {
9381         0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
9382         0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
9383     };
9384 
9385     WOLFSSL_SMALL_STACK_STATIC const byte verify[] =
9386     {
9387         0xf5,0x8c,0x4c,0x04,0xd6,0xe5,0xf1,0xba,
9388         0x77,0x9e,0xab,0xfb,0x5f,0x7b,0xfb,0xd6
9389     };
9390 
9391     WOLFSSL_SMALL_STACK_STATIC byte key[] = {
9392         0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
9393         0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
9394         0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
9395         0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
9396     };
9397     WOLFSSL_SMALL_STACK_STATIC byte iv[]  = {
9398         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
9399         0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F
9400     };
9401 
9402 #ifdef WOLFSSL_SMALL_STACK
9403     if ((enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
9404         ERROR_OUT(-6108, out);
9405 #ifdef HAVE_AES_DECRYPT
9406     if ((dec = (Aes *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
9407         ERROR_OUT(-6109, out);
9408 #endif
9409 #endif
9410 
9411     if (wc_AesInit(enc, HEAP_HINT, devId) != 0)
9412         ERROR_OUT(-6100, out);
9413 #ifdef HAVE_AES_DECRYPT
9414     if (wc_AesInit(dec, HEAP_HINT, devId) != 0)
9415         ERROR_OUT(-6101, out);
9416 #endif
9417 
9418     ret = wc_AesSetKey(enc, key, (int) sizeof(key), iv, AES_ENCRYPTION);
9419     if (ret != 0)
9420         ERROR_OUT(-6102, out);
9421 #ifdef HAVE_AES_DECRYPT
9422     ret = wc_AesSetKey(dec, key, (int) sizeof(key), iv, AES_DECRYPTION);
9423     if (ret != 0)
9424         ERROR_OUT(-6103, out);
9425 #endif
9426 
9427     XMEMSET(cipher, 0, AES_BLOCK_SIZE);
9428     ret = wc_AesCbcEncrypt(enc, cipher, msg, (int) sizeof(msg));
9429 #if defined(WOLFSSL_ASYNC_CRYPT)
9430     ret = wc_AsyncWait(ret, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
9431 #endif
9432     if (ret != 0)
9433         ERROR_OUT(-6104, out);
9434 #ifdef HAVE_AES_DECRYPT
9435     XMEMSET(plain, 0, AES_BLOCK_SIZE);
9436     ret = wc_AesCbcDecrypt(dec, plain, cipher, (int) sizeof(cipher));
9437 #if defined(WOLFSSL_ASYNC_CRYPT)
9438     ret = wc_AsyncWait(ret, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
9439 #endif
9440     if (ret != 0)
9441         ERROR_OUT(-6105, out);
9442     if (XMEMCMP(plain, msg, (int) sizeof(plain))) {
9443         ERROR_OUT(-6106, out);
9444     }
9445 #endif
9446 
9447     if (XMEMCMP(cipher, verify, (int) sizeof(cipher)))
9448         ERROR_OUT(-6107, out);
9449 
9450     wc_AesFree(enc);
9451 #ifdef HAVE_AES_DECRYPT
9452     wc_AesFree(dec);
9453 #endif
9454 
9455   out:
9456 #ifdef WOLFSSL_SMALL_STACK
9457     if (enc)
9458         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
9459 #ifdef HAVE_AES_DECRYPT
9460     if (dec)
9461         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
9462 #endif
9463 #endif
9464 #endif /* HAVE_AES_CBC */
9465 
9466     return ret;
9467 }
9468 #endif /* WOLFSSL_AES_256 */
9469 
9470 
9471 #ifdef HAVE_AESGCM
9472 
aesgcm_default_test_helper(byte * key,int keySz,byte * iv,int ivSz,byte * plain,int plainSz,byte * cipher,int cipherSz,byte * aad,int aadSz,byte * tag,int tagSz)9473 static int aesgcm_default_test_helper(byte* key, int keySz, byte* iv, int ivSz,
9474                 byte* plain, int plainSz, byte* cipher, int cipherSz,
9475                 byte* aad, int aadSz, byte* tag, int tagSz)
9476 {
9477     int ret, enc_inited = 0, dec_inited = 0;
9478 #ifdef WOLFSSL_SMALL_STACK
9479     Aes *enc = NULL;
9480     Aes *dec = NULL;
9481 #else
9482     Aes enc[1];
9483     Aes dec[1];
9484 #endif
9485 
9486     byte resultT[AES_BLOCK_SIZE];
9487     byte resultP[AES_BLOCK_SIZE * 3];
9488     byte resultC[AES_BLOCK_SIZE * 3];
9489     int  result;
9490 
9491 #ifdef WOLFSSL_SMALL_STACK
9492     if ((enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
9493         ERROR_OUT(-6118, out);
9494     if ((dec = (Aes *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
9495         ERROR_OUT(-6119, out);
9496 #endif
9497 
9498     XMEMSET(resultT, 0, sizeof(resultT));
9499     XMEMSET(resultC, 0, sizeof(resultC));
9500     XMEMSET(resultP, 0, sizeof(resultP));
9501 
9502     if (wc_AesInit(enc, HEAP_HINT, devId) != 0)
9503         ERROR_OUT(-6110, out);
9504     else
9505         enc_inited = 1;
9506     if (wc_AesInit(dec, HEAP_HINT, devId) != 0)
9507         ERROR_OUT(-6111, out);
9508     else
9509         dec_inited = 1;
9510 
9511     result = wc_AesGcmSetKey(enc, key, keySz);
9512     if (result != 0)
9513         ERROR_OUT(-6112, out);
9514 
9515     /* AES-GCM encrypt and decrypt both use AES encrypt internally */
9516     result = wc_AesGcmEncrypt(enc, resultC, plain, plainSz, iv, ivSz,
9517                                         resultT, tagSz, aad, aadSz);
9518 
9519 #if defined(WOLFSSL_ASYNC_CRYPT)
9520     result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
9521 #endif
9522     if (result != 0)
9523         ERROR_OUT(-6113, out);
9524     if (cipher != NULL) {
9525         if (XMEMCMP(cipher, resultC, cipherSz))
9526             ERROR_OUT(-6114, out);
9527     }
9528     if (XMEMCMP(tag, resultT, tagSz))
9529         ERROR_OUT(-6115, out);
9530 
9531 
9532 #ifdef HAVE_AES_DECRYPT
9533     result = wc_AesGcmSetKey(dec, key, keySz);
9534     if (result != 0)
9535         ERROR_OUT(-6116, out);
9536 
9537     result = wc_AesGcmDecrypt(dec, resultP, resultC, cipherSz,
9538                       iv, ivSz, resultT, tagSz, aad, aadSz);
9539 #if defined(WOLFSSL_ASYNC_CRYPT)
9540     result = wc_AsyncWait(result, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
9541 #endif
9542     if (result != 0)
9543         ERROR_OUT(-6117, out);
9544     if (plain != NULL) {
9545         if (XMEMCMP(plain, resultP, plainSz))
9546             ERROR_OUT(-6118, out);
9547     }
9548 
9549 #endif /* HAVE_AES_DECRYPT */
9550 
9551     ret = 0;
9552 
9553   out:
9554 
9555     if (enc_inited)
9556         wc_AesFree(enc);
9557     if (dec_inited)
9558         wc_AesFree(dec);
9559 
9560 #ifdef WOLFSSL_SMALL_STACK
9561     if (enc)
9562         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
9563     if (dec)
9564         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
9565 #endif
9566 
9567     return ret;
9568 }
9569 
9570 
9571 /* tests that only use 12 byte IV and 16 or less byte AAD
9572  * test vectors are from NIST SP 800-38D
9573  * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES*/
aesgcm_default_test(void)9574 WOLFSSL_TEST_SUBROUTINE int aesgcm_default_test(void)
9575 {
9576     byte key1[] = {
9577         0x29, 0x8e, 0xfa, 0x1c, 0xcf, 0x29, 0xcf, 0x62,
9578         0xae, 0x68, 0x24, 0xbf, 0xc1, 0x95, 0x57, 0xfc
9579     };
9580 
9581     byte iv1[] = {
9582         0x6f, 0x58, 0xa9, 0x3f, 0xe1, 0xd2, 0x07, 0xfa,
9583         0xe4, 0xed, 0x2f, 0x6d
9584     };
9585 
9586     ALIGN64 byte plain1[] = {
9587         0xcc, 0x38, 0xbc, 0xcd, 0x6b, 0xc5, 0x36, 0xad,
9588         0x91, 0x9b, 0x13, 0x95, 0xf5, 0xd6, 0x38, 0x01,
9589         0xf9, 0x9f, 0x80, 0x68, 0xd6, 0x5c, 0xa5, 0xac,
9590         0x63, 0x87, 0x2d, 0xaf, 0x16, 0xb9, 0x39, 0x01
9591     };
9592 
9593     byte aad1[] = {
9594         0x02, 0x1f, 0xaf, 0xd2, 0x38, 0x46, 0x39, 0x73,
9595         0xff, 0xe8, 0x02, 0x56, 0xe5, 0xb1, 0xc6, 0xb1
9596     };
9597 
9598     ALIGN64 byte cipher1[] = {
9599         0xdf, 0xce, 0x4e, 0x9c, 0xd2, 0x91, 0x10, 0x3d,
9600         0x7f, 0xe4, 0xe6, 0x33, 0x51, 0xd9, 0xe7, 0x9d,
9601         0x3d, 0xfd, 0x39, 0x1e, 0x32, 0x67, 0x10, 0x46,
9602         0x58, 0x21, 0x2d, 0xa9, 0x65, 0x21, 0xb7, 0xdb
9603     };
9604 
9605     byte tag1[] = {
9606         0x54, 0x24, 0x65, 0xef, 0x59, 0x93, 0x16, 0xf7,
9607         0x3a, 0x7a, 0x56, 0x05, 0x09, 0xa2, 0xd9, 0xf2
9608     };
9609 
9610     byte key2[] = {
9611         0x01, 0x6d, 0xbb, 0x38, 0xda, 0xa7, 0x6d, 0xfe,
9612         0x7d, 0xa3, 0x84, 0xeb, 0xf1, 0x24, 0x03, 0x64
9613     };
9614 
9615     byte iv2[] = {
9616         0x07, 0x93, 0xef, 0x3a, 0xda, 0x78, 0x2f, 0x78,
9617         0xc9, 0x8a, 0xff, 0xe3
9618     };
9619 
9620     ALIGN64 byte plain2[] = {
9621         0x4b, 0x34, 0xa9, 0xec, 0x57, 0x63, 0x52, 0x4b,
9622         0x19, 0x1d, 0x56, 0x16, 0xc5, 0x47, 0xf6, 0xb7
9623     };
9624 
9625     ALIGN64 byte cipher2[] = {
9626         0x60, 0x9a, 0xa3, 0xf4, 0x54, 0x1b, 0xc0, 0xfe,
9627         0x99, 0x31, 0xda, 0xad, 0x2e, 0xe1, 0x5d, 0x0c
9628     };
9629 
9630     byte tag2[] = {
9631         0x33, 0xaf, 0xec, 0x59, 0xc4, 0x5b, 0xaf, 0x68,
9632         0x9a, 0x5e, 0x1b, 0x13, 0xae, 0x42, 0x36, 0x19
9633     };
9634 
9635     byte key3[] = {
9636         0xb0, 0x1e, 0x45, 0xcc, 0x30, 0x88, 0xaa, 0xba,
9637         0x9f, 0xa4, 0x3d, 0x81, 0xd4, 0x81, 0x82, 0x3f
9638     };
9639 
9640     byte iv3[] = {
9641         0x5a, 0x2c, 0x4a, 0x66, 0x46, 0x87, 0x13, 0x45,
9642         0x6a, 0x4b, 0xd5, 0xe1
9643     };
9644 
9645     byte tag3[] = {
9646         0x01, 0x42, 0x80, 0xf9, 0x44, 0xf5, 0x3c, 0x68,
9647         0x11, 0x64, 0xb2, 0xff
9648     };
9649 
9650     int ret;
9651     ret = aesgcm_default_test_helper(key1, sizeof(key1), iv1, sizeof(iv1),
9652             plain1, sizeof(plain1), cipher1, sizeof(cipher1),
9653             aad1, sizeof(aad1), tag1, sizeof(tag1));
9654     if (ret != 0) {
9655         return ret;
9656     }
9657     ret = aesgcm_default_test_helper(key2, sizeof(key2), iv2, sizeof(iv2),
9658             plain2, sizeof(plain2), cipher2, sizeof(cipher2),
9659             NULL, 0, tag2, sizeof(tag2));
9660     if (ret != 0) {
9661         return ret;
9662     }
9663     ret = aesgcm_default_test_helper(key3, sizeof(key3), iv3, sizeof(iv3),
9664             NULL, 0, NULL, 0,
9665             NULL, 0, tag3, sizeof(tag3));
9666     if (ret != 0) {
9667         return ret;
9668     }
9669 
9670     return 0;
9671 }
9672 
aesgcm_test(void)9673 WOLFSSL_TEST_SUBROUTINE int aesgcm_test(void)
9674 {
9675 #ifdef WOLFSSL_SMALL_STACK
9676     Aes *enc = NULL;
9677     Aes *dec = NULL;
9678 #else
9679     Aes enc[1];
9680     Aes dec[1];
9681 #endif
9682 
9683     /*
9684      * This is Test Case 16 from the document Galois/
9685      * Counter Mode of Operation (GCM) by McGrew and
9686      * Viega.
9687      */
9688     WOLFSSL_SMALL_STACK_STATIC const byte p[] =
9689     {
9690         0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
9691         0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
9692         0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
9693         0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
9694         0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
9695         0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
9696         0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
9697         0xba, 0x63, 0x7b, 0x39
9698     };
9699 
9700 #if defined(WOLFSSL_AES_256)
9701     WOLFSSL_SMALL_STACK_STATIC const byte a[] =
9702     {
9703         0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
9704         0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
9705         0xab, 0xad, 0xda, 0xd2
9706     };
9707 #endif
9708 
9709 #ifdef WOLFSSL_AES_256
9710     WOLFSSL_SMALL_STACK_STATIC const byte k1[] =
9711     {
9712         0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
9713         0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
9714         0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
9715         0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
9716     };
9717 
9718     WOLFSSL_SMALL_STACK_STATIC const byte iv1[] =
9719     {
9720         0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
9721         0xde, 0xca, 0xf8, 0x88
9722     };
9723 
9724     WOLFSSL_SMALL_STACK_STATIC const byte c1[] =
9725     {
9726         0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
9727         0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
9728         0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
9729         0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
9730         0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
9731         0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
9732         0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
9733         0xbc, 0xc9, 0xf6, 0x62
9734     };
9735 #endif /* WOLFSSL_AES_256 */
9736 
9737     WOLFSSL_SMALL_STACK_STATIC const byte t1[] =
9738     {
9739         0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
9740         0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b
9741     };
9742 
9743     /* FIPS, QAT and PIC32MZ HW Crypto only support 12-byte IV */
9744 #if !defined(HAVE_FIPS) && \
9745         !defined(WOLFSSL_PIC32MZ_CRYPT) && \
9746         !defined(FREESCALE_LTC) && !defined(FREESCALE_MMCAU) && \
9747         !defined(WOLFSSL_XILINX_CRYPT) && !defined(WOLFSSL_AFALG_XILINX_AES) && \
9748         !defined(WOLFSSL_SILABS_SE_ACCEL) && !defined(WOLFSSL_KCAPI_AES) && \
9749         !(defined(WOLF_CRYPTO_CB) && \
9750             (defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)))
9751 
9752     #define ENABLE_NON_12BYTE_IV_TEST
9753 #ifdef WOLFSSL_AES_192
9754     /* Test Case 12, uses same plaintext and AAD data. */
9755     WOLFSSL_SMALL_STACK_STATIC const byte k2[] =
9756     {
9757         0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
9758         0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
9759         0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
9760     };
9761 
9762     WOLFSSL_SMALL_STACK_STATIC const byte iv2[] =
9763     {
9764         0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
9765         0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
9766         0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
9767         0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
9768         0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
9769         0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
9770         0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
9771         0xa6, 0x37, 0xb3, 0x9b
9772     };
9773 
9774     WOLFSSL_SMALL_STACK_STATIC const byte c2[] =
9775     {
9776         0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
9777         0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
9778         0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
9779         0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
9780         0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
9781         0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
9782         0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
9783         0xe9, 0xb7, 0x37, 0x3b
9784     };
9785 
9786     WOLFSSL_SMALL_STACK_STATIC const byte t2[] =
9787     {
9788         0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
9789         0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9
9790     };
9791 #endif /* WOLFSSL_AES_192 */
9792 #ifdef WOLFSSL_AES_128
9793     /* The following is an interesting test case from the example
9794      * FIPS test vectors for AES-GCM. IVlen = 1 byte */
9795     WOLFSSL_SMALL_STACK_STATIC const byte p3[] =
9796     {
9797         0x57, 0xce, 0x45, 0x1f, 0xa5, 0xe2, 0x35, 0xa5,
9798         0x8e, 0x1a, 0xa2, 0x3b, 0x77, 0xcb, 0xaf, 0xe2
9799     };
9800 
9801     WOLFSSL_SMALL_STACK_STATIC const byte k3[] =
9802     {
9803         0xbb, 0x01, 0xd7, 0x03, 0x81, 0x1c, 0x10, 0x1a,
9804         0x35, 0xe0, 0xff, 0xd2, 0x91, 0xba, 0xf2, 0x4b
9805     };
9806 
9807     WOLFSSL_SMALL_STACK_STATIC const byte iv3[] =
9808     {
9809         0xca
9810     };
9811 
9812     WOLFSSL_SMALL_STACK_STATIC const byte c3[] =
9813     {
9814         0x6b, 0x5f, 0xb3, 0x9d, 0xc1, 0xc5, 0x7a, 0x4f,
9815         0xf3, 0x51, 0x4d, 0xc2, 0xd5, 0xf0, 0xd0, 0x07
9816     };
9817 
9818     WOLFSSL_SMALL_STACK_STATIC const byte a3[] =
9819     {
9820         0x40, 0xfc, 0xdc, 0xd7, 0x4a, 0xd7, 0x8b, 0xf1,
9821         0x3e, 0x7c, 0x60, 0x55, 0x50, 0x51, 0xdd, 0x54
9822     };
9823 
9824     WOLFSSL_SMALL_STACK_STATIC const byte t3[] =
9825     {
9826         0x06, 0x90, 0xed, 0x01, 0x34, 0xdd, 0xc6, 0x95,
9827         0x31, 0x2e, 0x2a, 0xf9, 0x57, 0x7a, 0x1e, 0xa6
9828     };
9829 #endif /* WOLFSSL_AES_128 */
9830 #ifdef WOLFSSL_AES_256
9831     int ivlen;
9832 #endif
9833 #endif
9834 
9835     byte resultT[sizeof(t1)];
9836     byte resultP[sizeof(p) + AES_BLOCK_SIZE];
9837     byte resultC[sizeof(p) + AES_BLOCK_SIZE];
9838     int  result = 0;
9839     int ret;
9840 #ifdef WOLFSSL_AES_256
9841     int  alen;
9842     #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT)
9843     int  plen;
9844     #endif
9845 #endif
9846 
9847 #if !defined(BENCH_EMBEDDED) && !defined(HAVE_CAVIUM)
9848     #if !defined(BENCH_AESGCM_LARGE)
9849         #define BENCH_AESGCM_LARGE 1024
9850     #endif
9851     byte *large_input = (byte *)XMALLOC(BENCH_AESGCM_LARGE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
9852     byte *large_output = (byte *)XMALLOC(BENCH_AESGCM_LARGE + AES_BLOCK_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
9853     byte *large_outdec = (byte *)XMALLOC(BENCH_AESGCM_LARGE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
9854 
9855     if ((! large_input) || (! large_output) || (! large_outdec))
9856         ERROR_OUT(MEMORY_E, out);
9857 
9858     XMEMSET(large_input, 0, BENCH_AESGCM_LARGE);
9859     XMEMSET(large_output, 0, BENCH_AESGCM_LARGE + AES_BLOCK_SIZE);
9860     XMEMSET(large_outdec, 0, BENCH_AESGCM_LARGE);
9861 #endif
9862 
9863 #ifdef WOLFSSL_SMALL_STACK
9864     if ((enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
9865         ERROR_OUT(-6342, out);
9866     if ((dec = (Aes *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
9867         ERROR_OUT(-6343, out);
9868 #endif
9869 
9870     (void)result;
9871 
9872     XMEMSET(resultT, 0, sizeof(resultT));
9873     XMEMSET(resultC, 0, sizeof(resultC));
9874     XMEMSET(resultP, 0, sizeof(resultP));
9875 
9876     if (wc_AesInit(enc, HEAP_HINT, devId) != 0) {
9877         ERROR_OUT(-6300, out);
9878     }
9879     if (wc_AesInit(dec, HEAP_HINT, devId) != 0) {
9880         ERROR_OUT(-6301, out);
9881     }
9882 
9883 #ifdef WOLFSSL_AES_256
9884     result = wc_AesGcmSetKey(enc, k1, sizeof(k1));
9885     if (result != 0)
9886         ERROR_OUT(-6302, out);
9887 
9888     /* AES-GCM encrypt and decrypt both use AES encrypt internally */
9889     result = wc_AesGcmEncrypt(enc, resultC, p, sizeof(p), iv1, sizeof(iv1),
9890                                         resultT, sizeof(resultT), a, sizeof(a));
9891 #if defined(WOLFSSL_ASYNC_CRYPT)
9892     result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
9893 #endif
9894     if (result != 0)
9895         ERROR_OUT(-6303, out);
9896     if (XMEMCMP(c1, resultC, sizeof(c1)))
9897         ERROR_OUT(-6304, out);
9898     if (XMEMCMP(t1, resultT, sizeof(resultT)))
9899         ERROR_OUT(-6305, out);
9900 
9901 #ifdef HAVE_AES_DECRYPT
9902     result = wc_AesGcmSetKey(dec, k1, sizeof(k1));
9903     if (result != 0)
9904         ERROR_OUT(-6306, out);
9905 
9906     result = wc_AesGcmDecrypt(dec, resultP, resultC, sizeof(c1),
9907                       iv1, sizeof(iv1), resultT, sizeof(resultT), a, sizeof(a));
9908 #if defined(WOLFSSL_ASYNC_CRYPT)
9909     result = wc_AsyncWait(result, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
9910 #endif
9911     if (result != 0)
9912         ERROR_OUT(-6307, out);
9913     if (XMEMCMP(p, resultP, sizeof(p)))
9914         ERROR_OUT(-6308, out);
9915 #endif /* HAVE_AES_DECRYPT */
9916 
9917     /* Large buffer test */
9918 #ifdef BENCH_AESGCM_LARGE
9919     /* setup test buffer */
9920     for (alen=0; alen<BENCH_AESGCM_LARGE; alen++)
9921         large_input[alen] = (byte)alen;
9922 
9923     /* AES-GCM encrypt and decrypt both use AES encrypt internally */
9924     result = wc_AesGcmEncrypt(enc, large_output, large_input,
9925                               BENCH_AESGCM_LARGE, iv1, sizeof(iv1),
9926                               resultT, sizeof(resultT), a, sizeof(a));
9927 #if defined(WOLFSSL_ASYNC_CRYPT)
9928     result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
9929 #endif
9930     if (result != 0)
9931         ERROR_OUT(-6309, out);
9932 
9933 #ifdef HAVE_AES_DECRYPT
9934     result = wc_AesGcmDecrypt(dec, large_outdec, large_output,
9935                               BENCH_AESGCM_LARGE, iv1, sizeof(iv1), resultT,
9936                               sizeof(resultT), a, sizeof(a));
9937 #if defined(WOLFSSL_ASYNC_CRYPT)
9938     result = wc_AsyncWait(result, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
9939 #endif
9940     if (result != 0)
9941         ERROR_OUT(-6310, out);
9942     if (XMEMCMP(large_input, large_outdec, BENCH_AESGCM_LARGE))
9943         ERROR_OUT(-6311, out);
9944 #endif /* HAVE_AES_DECRYPT */
9945 #endif /* BENCH_AESGCM_LARGE */
9946 #if defined(ENABLE_NON_12BYTE_IV_TEST) && defined(WOLFSSL_AES_256)
9947     /* Variable IV length test */
9948     for (ivlen=1; ivlen<(int)sizeof(k1); ivlen++) {
9949          /* AES-GCM encrypt and decrypt both use AES encrypt internally */
9950          result = wc_AesGcmEncrypt(enc, resultC, p, sizeof(p), k1,
9951                          (word32)ivlen, resultT, sizeof(resultT), a, sizeof(a));
9952 #if defined(WOLFSSL_ASYNC_CRYPT)
9953         result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
9954 #endif
9955         if (result != 0)
9956             ERROR_OUT(-6312, out);
9957 #ifdef HAVE_AES_DECRYPT
9958         result = wc_AesGcmDecrypt(dec, resultP, resultC, sizeof(c1), k1,
9959                          (word32)ivlen, resultT, sizeof(resultT), a, sizeof(a));
9960 #if defined(WOLFSSL_ASYNC_CRYPT)
9961         result = wc_AsyncWait(result, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
9962 #endif
9963         if (result != 0)
9964             ERROR_OUT(-6313, out);
9965 #endif /* HAVE_AES_DECRYPT */
9966     }
9967 #endif
9968 
9969 #if !(defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC))
9970     /* Variable authenticated data length test */
9971     for (alen=0; alen<(int)sizeof(p); alen++) {
9972          /* AES-GCM encrypt and decrypt both use AES encrypt internally */
9973          result = wc_AesGcmEncrypt(enc, resultC, p, sizeof(p), iv1,
9974                         sizeof(iv1), resultT, sizeof(resultT), p, (word32)alen);
9975 #if defined(WOLFSSL_ASYNC_CRYPT)
9976         result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
9977 #endif
9978         if (result != 0)
9979             ERROR_OUT(-6314, out);
9980 #ifdef HAVE_AES_DECRYPT
9981         result = wc_AesGcmDecrypt(dec, resultP, resultC, sizeof(c1), iv1,
9982                         sizeof(iv1), resultT, sizeof(resultT), p, (word32)alen);
9983 #if defined(WOLFSSL_ASYNC_CRYPT)
9984         result = wc_AsyncWait(result, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
9985 #endif
9986         if (result != 0)
9987             ERROR_OUT(-6315, out);
9988 #endif /* HAVE_AES_DECRYPT */
9989     }
9990 #endif
9991 
9992 #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT)
9993 #ifdef BENCH_AESGCM_LARGE
9994     /* Variable plain text length test */
9995     for (plen=1; plen<BENCH_AESGCM_LARGE; plen++) {
9996         /* AES-GCM encrypt and decrypt both use AES encrypt internally */
9997         result = wc_AesGcmEncrypt(enc, large_output, large_input,
9998                                   plen, iv1, sizeof(iv1), resultT,
9999                                   sizeof(resultT), a, sizeof(a));
10000 #if defined(WOLFSSL_ASYNC_CRYPT)
10001         result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
10002 #endif
10003         if (result != 0)
10004             ERROR_OUT(-6316, out);
10005 
10006 #ifdef HAVE_AES_DECRYPT
10007         result = wc_AesGcmDecrypt(dec, large_outdec, large_output,
10008                                   plen, iv1, sizeof(iv1), resultT,
10009                                   sizeof(resultT), a, sizeof(a));
10010 #if defined(WOLFSSL_ASYNC_CRYPT)
10011         result = wc_AsyncWait(result, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
10012 #endif
10013         if (result != 0)
10014             ERROR_OUT(-6317, out);
10015 #endif /* HAVE_AES_DECRYPT */
10016     }
10017 #else /* BENCH_AESGCM_LARGE */
10018     /* Variable plain text length test */
10019     for (plen=1; plen<(int)sizeof(p); plen++) {
10020          /* AES-GCM encrypt and decrypt both use AES encrypt internally */
10021          result = wc_AesGcmEncrypt(enc, resultC, p, (word32)plen, iv1,
10022                            sizeof(iv1), resultT, sizeof(resultT), a, sizeof(a));
10023 #if defined(WOLFSSL_ASYNC_CRYPT)
10024         result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
10025 #endif
10026         if (result != 0)
10027             ERROR_OUT(-6318, out);
10028 #ifdef HAVE_AES_DECRYPT
10029         result = wc_AesGcmDecrypt(dec, resultP, resultC, (word32)plen, iv1,
10030                            sizeof(iv1), resultT, sizeof(resultT), a, sizeof(a));
10031 #if defined(WOLFSSL_ASYNC_CRYPT)
10032         result = wc_AsyncWait(result, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
10033 #endif
10034         if (result != 0)
10035             ERROR_OUT(-6319, out);
10036 #endif /* HAVE_AES_DECRYPT */
10037     }
10038 #endif /* BENCH_AESGCM_LARGE */
10039 #endif
10040 #endif /* WOLFSSL_AES_256 */
10041 
10042     /* test with IV != 12 bytes */
10043 #ifdef ENABLE_NON_12BYTE_IV_TEST
10044     XMEMSET(resultT, 0, sizeof(resultT));
10045     XMEMSET(resultC, 0, sizeof(resultC));
10046     XMEMSET(resultP, 0, sizeof(resultP));
10047 
10048 #ifdef WOLFSSL_AES_192
10049     wc_AesGcmSetKey(enc, k2, sizeof(k2));
10050     /* AES-GCM encrypt and decrypt both use AES encrypt internally */
10051     result = wc_AesGcmEncrypt(enc, resultC, p, sizeof(p), iv2, sizeof(iv2),
10052                                         resultT, sizeof(resultT), a, sizeof(a));
10053 #if defined(WOLFSSL_ASYNC_CRYPT)
10054     result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
10055 #endif
10056     if (result != 0)
10057         ERROR_OUT(-6320, out);
10058     if (XMEMCMP(c2, resultC, sizeof(c2)))
10059         ERROR_OUT(-6321, out);
10060     if (XMEMCMP(t2, resultT, sizeof(resultT)))
10061         ERROR_OUT(-6322, out);
10062 
10063 #ifdef HAVE_AES_DECRYPT
10064     result = wc_AesGcmDecrypt(enc, resultP, resultC, sizeof(c1),
10065                       iv2, sizeof(iv2), resultT, sizeof(resultT), a, sizeof(a));
10066 #if defined(WOLFSSL_ASYNC_CRYPT)
10067     result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
10068 #endif
10069     if (result != 0)
10070         ERROR_OUT(-6323, out);
10071     if (XMEMCMP(p, resultP, sizeof(p)))
10072         ERROR_OUT(-6324, out);
10073 #endif /* HAVE_AES_DECRYPT */
10074 
10075     XMEMSET(resultT, 0, sizeof(resultT));
10076     XMEMSET(resultC, 0, sizeof(resultC));
10077     XMEMSET(resultP, 0, sizeof(resultP));
10078 #endif /* WOLFSSL_AES_192 */
10079 #ifdef WOLFSSL_AES_128
10080     wc_AesGcmSetKey(enc, k3, sizeof(k3));
10081     /* AES-GCM encrypt and decrypt both use AES encrypt internally */
10082     result = wc_AesGcmEncrypt(enc, resultC, p3, sizeof(p3), iv3, sizeof(iv3),
10083                                         resultT, sizeof(t3), a3, sizeof(a3));
10084 #if defined(WOLFSSL_ASYNC_CRYPT)
10085     result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
10086 #endif
10087     if (result != 0)
10088         ERROR_OUT(-6325, out);
10089     if (XMEMCMP(c3, resultC, sizeof(c3)))
10090         ERROR_OUT(-6326, out);
10091     if (XMEMCMP(t3, resultT, sizeof(t3)))
10092         ERROR_OUT(-6327, out);
10093 
10094 #ifdef HAVE_AES_DECRYPT
10095     result = wc_AesGcmDecrypt(enc, resultP, resultC, sizeof(c3),
10096                       iv3, sizeof(iv3), resultT, sizeof(t3), a3, sizeof(a3));
10097 #if defined(WOLFSSL_ASYNC_CRYPT)
10098     result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
10099 #endif
10100     if (result != 0)
10101         ERROR_OUT(-6328, out);
10102     if (XMEMCMP(p3, resultP, sizeof(p3)))
10103         ERROR_OUT(-6329, out);
10104 #endif /* HAVE_AES_DECRYPT */
10105 #endif /* WOLFSSL_AES_128 */
10106 #endif /* ENABLE_NON_12BYTE_IV_TEST */
10107 
10108 #if defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG_XILINX_AES) && \
10109     !defined(WOLFSSL_XILINX_CRYPT) && \
10110     !(defined(WOLF_CRYPTO_CB) && \
10111         defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC))
10112     XMEMSET(resultT, 0, sizeof(resultT));
10113     XMEMSET(resultC, 0, sizeof(resultC));
10114     XMEMSET(resultP, 0, sizeof(resultP));
10115 
10116     wc_AesGcmSetKey(enc, k1, sizeof(k1));
10117     /* AES-GCM encrypt and decrypt both use AES encrypt internally */
10118     result = wc_AesGcmEncrypt(enc, resultC, p, sizeof(p), iv1, sizeof(iv1),
10119                                 resultT + 1, sizeof(resultT) - 1, a, sizeof(a));
10120 #if defined(WOLFSSL_ASYNC_CRYPT)
10121     result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
10122 #endif
10123     if (result != 0)
10124         ERROR_OUT(-6330, out);
10125     if (XMEMCMP(c1, resultC, sizeof(c1)))
10126         ERROR_OUT(-6331, out);
10127     if (XMEMCMP(t1, resultT + 1, sizeof(resultT) - 1))
10128         ERROR_OUT(-6332, out);
10129 
10130 #ifdef HAVE_AES_DECRYPT
10131     result = wc_AesGcmDecrypt(enc, resultP, resultC, sizeof(p),
10132               iv1, sizeof(iv1), resultT + 1, sizeof(resultT) - 1, a, sizeof(a));
10133 #if defined(WOLFSSL_ASYNC_CRYPT)
10134     result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
10135 #endif
10136     if (result != 0)
10137         ERROR_OUT(-6333, out);
10138     if (XMEMCMP(p, resultP, sizeof(p)))
10139         ERROR_OUT(-6334, out);
10140 #endif /* HAVE_AES_DECRYPT */
10141 #endif /* WOLFSSL_AES_256 */
10142 
10143 #if !defined(HAVE_FIPS) || \
10144     (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
10145     /* Test encrypt with internally generated IV */
10146 #if defined(WOLFSSL_AES_256) && !(defined(WC_NO_RNG) || defined(HAVE_SELFTEST)) \
10147     && !(defined(WOLF_CRYPTO_CB) && defined(HAVE_CAVIUM_OCTEON_SYNC))
10148     {
10149         WC_RNG rng;
10150         byte randIV[12];
10151 
10152         result = wc_InitRng_ex(&rng, HEAP_HINT, devId);
10153         if (result != 0)
10154             ERROR_OUT(-6335, out);
10155 
10156         XMEMSET(randIV, 0, sizeof(randIV));
10157         XMEMSET(resultT, 0, sizeof(resultT));
10158         XMEMSET(resultC, 0, sizeof(resultC));
10159         XMEMSET(resultP, 0, sizeof(resultP));
10160 
10161         wc_AesGcmSetKey(enc, k1, sizeof(k1));
10162         result = wc_AesGcmSetIV(enc, sizeof(randIV), NULL, 0, &rng);
10163         if (result != 0)
10164             ERROR_OUT(-6336, out);
10165 
10166         result = wc_AesGcmEncrypt_ex(enc,
10167                         resultC, p, sizeof(p),
10168                         randIV, sizeof(randIV),
10169                         resultT, sizeof(resultT),
10170                         a, sizeof(a));
10171     #if defined(WOLFSSL_ASYNC_CRYPT)
10172         result = wc_AsyncWait(result, &enc->asyncDev, WC_ASYNC_FLAG_NONE);
10173     #endif
10174         if (result != 0)
10175             ERROR_OUT(-6337, out);
10176 
10177         /* Check the IV has been set. */
10178         {
10179             word32 i, ivSum = 0;
10180 
10181             for (i = 0; i < sizeof(randIV); i++)
10182                 ivSum += randIV[i];
10183             if (ivSum == 0)
10184                 ERROR_OUT(-6338, out);
10185         }
10186 
10187 #ifdef HAVE_AES_DECRYPT
10188         wc_AesGcmSetKey(dec, k1, sizeof(k1));
10189         result = wc_AesGcmSetIV(dec, sizeof(randIV), NULL, 0, &rng);
10190         if (result != 0)
10191             ERROR_OUT(-6339, out);
10192 
10193         result = wc_AesGcmDecrypt(dec,
10194                           resultP, resultC, sizeof(c1),
10195                           randIV, sizeof(randIV),
10196                           resultT, sizeof(resultT),
10197                           a, sizeof(a));
10198 #if defined(WOLFSSL_ASYNC_CRYPT)
10199         result = wc_AsyncWait(result, &dec->asyncDev, WC_ASYNC_FLAG_NONE);
10200 #endif
10201         if (result != 0)
10202             ERROR_OUT(-6340, out);
10203         if (XMEMCMP(p, resultP, sizeof(p)))
10204             ERROR_OUT(-6341, out);
10205 #endif /* HAVE_AES_DECRYPT */
10206 
10207         wc_FreeRng(&rng);
10208     }
10209 #endif /* WOLFSSL_AES_256 && !(WC_NO_RNG || HAVE_SELFTEST) */
10210 #endif /* HAVE_FIPS_VERSION >= 2 */
10211 
10212 #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT)
10213 #ifdef WOLFSSL_AES_256
10214 #ifdef WOLFSSL_AESGCM_STREAM
10215     result = wc_AesGcmEncryptInit(enc, k1, sizeof(k1), iv1, sizeof(iv1));
10216     if (result != 0)
10217         ERROR_OUT(-6360, out);
10218     result = wc_AesGcmEncryptUpdate(enc, resultC, p, sizeof(p), a, sizeof(a));
10219     if (result != 0)
10220         ERROR_OUT(-6361, out);
10221     result = wc_AesGcmEncryptFinal(enc, resultT, sizeof(resultT));
10222     if (result != 0)
10223         ERROR_OUT(-6362, out);
10224     if (XMEMCMP(resultC, c1, sizeof(c1)) != 0)
10225         ERROR_OUT(-6363, out);
10226     if (XMEMCMP(resultT, t1, sizeof(t1)) != 0)
10227         ERROR_OUT(-6364, out);
10228 
10229 #ifdef HAVE_AES_DECRYPT
10230     result = wc_AesGcmDecryptInit(enc, k1, sizeof(k1), iv1, sizeof(iv1));
10231     if (result != 0)
10232         ERROR_OUT(-6370, out);
10233     result = wc_AesGcmDecryptUpdate(enc, resultP, c1, sizeof(c1), a, sizeof(a));
10234     if (result != 0)
10235         ERROR_OUT(-6371, out);
10236     result = wc_AesGcmDecryptFinal(enc, t1, sizeof(t1));
10237     if (result != 0)
10238         ERROR_OUT(-6372, out);
10239     if (XMEMCMP(resultP, p, sizeof(p)) != 0)
10240         ERROR_OUT(-6373, out);
10241 #endif
10242 
10243     /* alen is the size to pass in with each update. */
10244     for (alen = 1; alen < AES_BLOCK_SIZE + 1; alen++) {
10245         result = wc_AesGcmEncryptInit(enc, k1, sizeof(k1), iv1, sizeof(iv1));
10246         if (result != 0)
10247             ERROR_OUT(-6380, out);
10248 
10249         /* plen is the offset into AAD to update with. */
10250         for (plen = 0; plen < (int)sizeof(a); plen += alen)  {
10251             int len = sizeof(a) - plen;
10252             if (len > alen) len = alen;
10253             result = wc_AesGcmEncryptUpdate(enc, NULL, NULL, 0, a + plen, len);
10254             if (result != 0)
10255                 ERROR_OUT(-6381, out);
10256         }
10257         /* plen is the offset into plaintext to update with. */
10258         for (plen = 0; plen < (int)sizeof(p); plen += alen)  {
10259             int len = sizeof(p) - plen;
10260             if (len > alen) len = alen;
10261             result = wc_AesGcmEncryptUpdate(enc, resultC + plen, p + plen, len,
10262                 NULL, 0);
10263             if (result != 0)
10264                 ERROR_OUT(-6382, out);
10265         }
10266         result = wc_AesGcmEncryptFinal(enc, resultT, sizeof(resultT));
10267         if (result != 0)
10268             ERROR_OUT(-6383, out);
10269         if (XMEMCMP(resultC, c1, sizeof(c1)) != 0)
10270             ERROR_OUT(-6384, out);
10271         if (XMEMCMP(resultT, t1, sizeof(t1)) != 0)
10272             ERROR_OUT(-6385, out);
10273     }
10274 
10275 #ifdef HAVE_AES_DECRYPT
10276     for (alen = 1; alen < AES_BLOCK_SIZE + 1; alen++) {
10277         result = wc_AesGcmDecryptInit(enc, k1, sizeof(k1), iv1, sizeof(iv1));
10278         if (result != 0)
10279             ERROR_OUT(-6390, out);
10280 
10281         /* plen is the offset into AAD to update with. */
10282         for (plen = 0; plen < (int)sizeof(a); plen += alen)  {
10283             int len = sizeof(a) - plen;
10284             if (len > alen) len = alen;
10285             result = wc_AesGcmDecryptUpdate(enc, NULL, NULL, 0, a + plen, len);
10286             if (result != 0)
10287                 ERROR_OUT(-6391, out);
10288         }
10289         /* plen is the offset into cipher text to update with. */
10290         for (plen = 0; plen < (int)sizeof(c1); plen += alen)  {
10291             int len = sizeof(c1) - plen;
10292             if (len > alen) len = alen;
10293             result = wc_AesGcmDecryptUpdate(enc, resultP + plen, c1 + plen, len,
10294                 NULL, 0);
10295             if (result != 0)
10296                 ERROR_OUT(-6392, out);
10297         }
10298         result = wc_AesGcmDecryptFinal(enc, t1, sizeof(t1));
10299         if (result != 0)
10300             ERROR_OUT(-6393, out);
10301         if (XMEMCMP(resultP, p, sizeof(p)) != 0)
10302             ERROR_OUT(-6394, out);
10303     }
10304 #endif /* HAVE_AES_DECRYPT */
10305 #endif /* WOLFSSL_AESGCM_STREAM */
10306 #endif /* WOLFSSL_AES_256 */
10307 #endif /* !WOLFSSL_AFALG_XILINX_AES && !WOLFSSL_XILINX_CRYPT */
10308 
10309     wc_AesFree(enc);
10310     wc_AesFree(dec);
10311 
10312     ret = 0;
10313 
10314   out:
10315 
10316 #if !defined(BENCH_EMBEDDED) && !defined(HAVE_CAVIUM)
10317     if (large_input)
10318         XFREE(large_input, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
10319     if (large_output)
10320         XFREE(large_output, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
10321     if (large_outdec)
10322         XFREE(large_outdec, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
10323 #endif
10324 
10325 
10326 #ifdef WOLFSSL_SMALL_STACK
10327     if (enc)
10328         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
10329     if (dec)
10330         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
10331 #endif
10332 
10333     return ret;
10334 }
10335 
10336 #ifdef WOLFSSL_AES_128
gmac_test(void)10337 WOLFSSL_TEST_SUBROUTINE int gmac_test(void)
10338 {
10339     int ret;
10340 #ifdef WOLFSSL_SMALL_STACK
10341     Gmac *gmac;
10342 #else
10343     Gmac gmac[1];
10344 #endif
10345 
10346     WOLFSSL_SMALL_STACK_STATIC const byte k1[] =
10347     {
10348         0x89, 0xc9, 0x49, 0xe9, 0xc8, 0x04, 0xaf, 0x01,
10349         0x4d, 0x56, 0x04, 0xb3, 0x94, 0x59, 0xf2, 0xc8
10350     };
10351     WOLFSSL_SMALL_STACK_STATIC const byte iv1[] =
10352     {
10353         0xd1, 0xb1, 0x04, 0xc8, 0x15, 0xbf, 0x1e, 0x94,
10354         0xe2, 0x8c, 0x8f, 0x16
10355     };
10356     WOLFSSL_SMALL_STACK_STATIC const byte a1[] =
10357     {
10358        0x82, 0xad, 0xcd, 0x63, 0x8d, 0x3f, 0xa9, 0xd9,
10359        0xf3, 0xe8, 0x41, 0x00, 0xd6, 0x1e, 0x07, 0x77
10360     };
10361     WOLFSSL_SMALL_STACK_STATIC const byte t1[] =
10362     {
10363         0x88, 0xdb, 0x9d, 0x62, 0x17, 0x2e, 0xd0, 0x43,
10364         0xaa, 0x10, 0xf1, 0x6d, 0x22, 0x7d, 0xc4, 0x1b
10365     };
10366 
10367 #if (!defined(HAVE_FIPS) ||                                             \
10368      (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
10369 
10370     /* FIPS builds only allow 16-byte auth tags. */
10371     /* This sample uses a 15-byte auth tag. */
10372     WOLFSSL_SMALL_STACK_STATIC const byte k2[] =
10373     {
10374         0x40, 0xf7, 0xec, 0xb2, 0x52, 0x6d, 0xaa, 0xd4,
10375         0x74, 0x25, 0x1d, 0xf4, 0x88, 0x9e, 0xf6, 0x5b
10376     };
10377     WOLFSSL_SMALL_STACK_STATIC const byte iv2[] =
10378     {
10379         0xee, 0x9c, 0x6e, 0x06, 0x15, 0x45, 0x45, 0x03,
10380         0x1a, 0x60, 0x24, 0xa7
10381     };
10382     WOLFSSL_SMALL_STACK_STATIC const byte a2[] =
10383     {
10384         0x94, 0x81, 0x2c, 0x87, 0x07, 0x4e, 0x15, 0x18,
10385         0x34, 0xb8, 0x35, 0xaf, 0x1c, 0xa5, 0x7e, 0x56
10386     };
10387     WOLFSSL_SMALL_STACK_STATIC const byte t2[] =
10388     {
10389         0xc6, 0x81, 0x79, 0x8e, 0x3d, 0xda, 0xb0, 0x9f,
10390         0x8d, 0x83, 0xb0, 0xbb, 0x14, 0xb6, 0x91
10391     };
10392 #endif
10393 
10394     byte tag[16];
10395 
10396 #ifdef WOLFSSL_SMALL_STACK
10397     if ((gmac = (Gmac *)XMALLOC(sizeof *gmac, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
10398         return -6409;
10399 #endif
10400 
10401     XMEMSET(gmac, 0, sizeof *gmac); /* clear context */
10402     (void)wc_AesInit((Aes*)gmac, HEAP_HINT, INVALID_DEVID); /* Make sure devId updated */
10403     XMEMSET(tag, 0, sizeof(tag));
10404     wc_GmacSetKey(gmac, k1, sizeof(k1));
10405     wc_GmacUpdate(gmac, iv1, sizeof(iv1), a1, sizeof(a1), tag, sizeof(t1));
10406     if (XMEMCMP(t1, tag, sizeof(t1)) != 0)
10407         ERROR_OUT(-6400, out);
10408 
10409 #if (!defined(HAVE_FIPS) ||                                  \
10410      (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) )
10411 
10412     XMEMSET(tag, 0, sizeof(tag));
10413     wc_GmacSetKey(gmac, k2, sizeof(k2));
10414     wc_GmacUpdate(gmac, iv2, sizeof(iv2), a2, sizeof(a2), tag, sizeof(t2));
10415     if (XMEMCMP(t2, tag, sizeof(t2)) != 0)
10416         ERROR_OUT(-6401, out);
10417 
10418 #if !defined(WC_NO_RNG) && !defined(HAVE_SELFTEST) && !defined(NO_AES_DECRYPT)
10419     {
10420         WOLFSSL_SMALL_STACK_STATIC const byte badT[] =
10421         {
10422             0xde, 0xad, 0xbe, 0xef, 0x17, 0x2e, 0xd0, 0x43,
10423             0xaa, 0x10, 0xf1, 0x6d, 0x22, 0x7d, 0xc4, 0x1b
10424         };
10425 
10426         WC_RNG rng;
10427         byte iv[12];
10428 
10429         #ifndef HAVE_FIPS
10430             if (wc_InitRng_ex(&rng, HEAP_HINT, devId) != 0)
10431                 ERROR_OUT(-6402, out);
10432         #else
10433             if (wc_InitRng(&rng) != 0)
10434                 ERROR_OUT(-6403, out);
10435         #endif
10436 
10437         if (wc_GmacVerify(k1, sizeof(k1), iv1, sizeof(iv1), a1, sizeof(a1),
10438                     t1, sizeof(t1)) != 0)
10439             ERROR_OUT(-6404, out);
10440         if (wc_GmacVerify(k1, sizeof(k1), iv1, sizeof(iv1), a1, sizeof(a1),
10441                     badT, sizeof(badT)) != AES_GCM_AUTH_E)
10442             ERROR_OUT(-6405, out);
10443         if (wc_GmacVerify(k2, sizeof(k2), iv2, sizeof(iv2), a2, sizeof(a2),
10444                     t2, sizeof(t2)) != 0)
10445             ERROR_OUT(-6406, out);
10446 
10447         XMEMSET(tag, 0, sizeof(tag));
10448         XMEMSET(iv, 0, sizeof(iv));
10449         if (wc_Gmac(k1, sizeof(k1), iv, sizeof(iv), a1, sizeof(a1),
10450                     tag, sizeof(tag), &rng) != 0)
10451             ERROR_OUT(-6407, out);
10452         if (wc_GmacVerify(k1, sizeof(k1), iv, sizeof(iv), a1, sizeof(a1),
10453                     tag, sizeof(tag)) != 0)
10454             ERROR_OUT(-6408, out);
10455         wc_FreeRng(&rng);
10456     }
10457 #endif /* !WC_NO_RNG && !HAVE_SELFTEST && !NO_AES_DECRYPT */
10458 #endif /* HAVE_FIPS */
10459 
10460     ret = 0;
10461 
10462   out:
10463 #ifdef WOLFSSL_SMALL_STACK
10464     XFREE(gmac, HEAP_HINT, DYNAMIC_TYPE_AES);
10465 #endif
10466 
10467     return ret;
10468 }
10469 #endif /* WOLFSSL_AES_128 */
10470 #endif /* HAVE_AESGCM */
10471 
10472 #if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
aesccm_test(void)10473 WOLFSSL_TEST_SUBROUTINE int aesccm_test(void)
10474 {
10475     int ret;
10476 #ifdef WOLFSSL_SMALL_STACK
10477     Aes *enc;
10478 #else
10479     Aes enc[1];
10480 #endif
10481 
10482     /* key */
10483     WOLFSSL_SMALL_STACK_STATIC const byte k[] =
10484     {
10485         0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
10486         0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf
10487     };
10488 
10489     /* nonce */
10490     WOLFSSL_SMALL_STACK_STATIC const byte iv[] =
10491     {
10492         0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xa0,
10493         0xa1, 0xa2, 0xa3, 0xa4, 0xa5
10494     };
10495 
10496     /* plaintext */
10497     WOLFSSL_SMALL_STACK_STATIC const byte p[] =
10498     {
10499         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
10500         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
10501         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
10502     };
10503     /* plaintext - long */
10504     WOLFSSL_SMALL_STACK_STATIC const byte pl[] =
10505     {
10506         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
10507         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
10508         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
10509         0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
10510         0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
10511         0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
10512         0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
10513         0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
10514         0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
10515         0x50
10516     };
10517 
10518 
10519     WOLFSSL_SMALL_STACK_STATIC const byte a[] =
10520     {
10521         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
10522     };
10523 
10524     /* ciphertext */
10525     WOLFSSL_SMALL_STACK_STATIC const byte c[] =
10526     {
10527         0x58, 0x8c, 0x97, 0x9a, 0x61, 0xc6, 0x63, 0xd2,
10528         0xf0, 0x66, 0xd0, 0xc2, 0xc0, 0xf9, 0x89, 0x80,
10529         0x6d, 0x5f, 0x6b, 0x61, 0xda, 0xc3, 0x84
10530     };
10531     /* tag - authentication */
10532     WOLFSSL_SMALL_STACK_STATIC const byte t[] =
10533     {
10534         0x17, 0xe8, 0xd1, 0x2c, 0xfd, 0xf9, 0x26, 0xe0
10535     };
10536     /* ciphertext - long */
10537     WOLFSSL_SMALL_STACK_STATIC const byte cl[] =
10538     {
10539         0x58, 0x8c, 0x97, 0x9a, 0x61, 0xc6, 0x63, 0xd2,
10540         0xf0, 0x66, 0xd0, 0xc2, 0xc0, 0xf9, 0x89, 0x80,
10541         0x6d, 0x5f, 0x6b, 0x61, 0xda, 0xc3, 0x84, 0xe0,
10542         0x44, 0x2d, 0xbe, 0x25, 0xfa, 0x48, 0x2b, 0xa8,
10543         0x36, 0x0b, 0xbf, 0x01, 0xc0, 0x12, 0x45, 0xa4,
10544         0x82, 0x9f, 0x20, 0x6c, 0xc3, 0xd6, 0xae, 0x5b,
10545         0x54, 0x8d, 0xd0, 0xb1, 0x69, 0x2c, 0xec, 0x5e,
10546         0x95, 0xa5, 0x6b, 0x48, 0xc3, 0xc6, 0xc8, 0x9e,
10547         0xc7, 0x92, 0x98, 0x9d, 0x26, 0x7d, 0x2a, 0x10,
10548         0x0b
10549     };
10550     /* tag - authentication - long */
10551     WOLFSSL_SMALL_STACK_STATIC const byte tl[] =
10552     {
10553         0x89, 0xd8, 0xd2, 0x02, 0xc5, 0xcf, 0xae, 0xf4
10554     };
10555 
10556     /* tag - authentication - empty plaintext */
10557     WOLFSSL_SMALL_STACK_STATIC const byte t_empty[] =
10558     {
10559         0xe4, 0x28, 0x8a, 0xc3, 0x78, 0x00, 0x0f, 0xf5
10560     };
10561 
10562     byte t2[sizeof(t)];
10563     byte p2[sizeof(p)];
10564     byte c2[sizeof(c)];
10565     byte iv2[sizeof(iv)];
10566     byte pl2[sizeof(pl)];
10567     byte cl2[sizeof(cl)];
10568     byte tl2[sizeof(tl)];
10569     byte t_empty2[sizeof(t_empty)];
10570 
10571     int result;
10572 
10573 #ifdef WOLFSSL_SMALL_STACK
10574     if ((enc = (Aes *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES)) == NULL)
10575         return -6521;
10576 #endif
10577 
10578     XMEMSET(enc, 0, sizeof *enc); /* clear context */
10579     XMEMSET(t2, 0, sizeof(t2));
10580     XMEMSET(c2, 0, sizeof(c2));
10581     XMEMSET(p2, 0, sizeof(p2));
10582 
10583     result = wc_AesCcmSetKey(enc, k, sizeof(k));
10584     if (result != 0)
10585         ERROR_OUT(-6500, out);
10586 
10587     /* AES-CCM encrypt and decrypt both use AES encrypt internally */
10588     result = wc_AesCcmEncrypt(enc, c2, p, sizeof(c2), iv, sizeof(iv),
10589                                                  t2, sizeof(t2), a, sizeof(a));
10590     if (result != 0)
10591         ERROR_OUT(-6501, out);
10592     if (XMEMCMP(c, c2, sizeof(c2)))
10593         ERROR_OUT(-6502, out);
10594     if (XMEMCMP(t, t2, sizeof(t2)))
10595         ERROR_OUT(-6503, out);
10596 
10597     result = wc_AesCcmDecrypt(enc, p2, c2, sizeof(p2), iv, sizeof(iv),
10598                                                  t2, sizeof(t2), a, sizeof(a));
10599     if (result != 0)
10600         ERROR_OUT(-6504, out);
10601     if (XMEMCMP(p, p2, sizeof(p2)))
10602         ERROR_OUT(-6505, out);
10603 
10604     /* Test the authentication failure */
10605     t2[0]++; /* Corrupt the authentication tag. */
10606     result = wc_AesCcmDecrypt(enc, p2, c, sizeof(p2), iv, sizeof(iv),
10607                                                  t2, sizeof(t2), a, sizeof(a));
10608     if (result == 0)
10609         ERROR_OUT(-6506, out);
10610 
10611     /* Clear c2 to compare against p2. p2 should be set to zero in case of
10612      * authentication fail. */
10613     XMEMSET(c2, 0, sizeof(c2));
10614     if (XMEMCMP(p2, c2, sizeof(p2)))
10615         ERROR_OUT(-6507, out);
10616 
10617     XMEMSET(enc, 0, sizeof(Aes)); /* clear context */
10618     XMEMSET(t2, 0, sizeof(t2));
10619     XMEMSET(c2, 0, sizeof(c2));
10620     XMEMSET(p2, 0, sizeof(p2));
10621     XMEMSET(iv2, 0, sizeof(iv2));
10622 
10623 #ifndef HAVE_SELFTEST
10624     /* selftest build does not have wc_AesCcmSetNonce() or
10625      * wc_AesCcmEncrypt_ex() */
10626     if (wc_AesCcmSetKey(enc, k, sizeof(k)) != 0)
10627         ERROR_OUT(-6508, out);
10628 
10629     if (wc_AesCcmSetNonce(enc, iv, sizeof(iv)) != 0)
10630         ERROR_OUT(-6509, out);
10631     if (wc_AesCcmEncrypt_ex(enc, c2, p, sizeof(c2), iv2, sizeof(iv2),
10632                             t2, sizeof(t2), a, sizeof(a)) != 0)
10633         ERROR_OUT(-6510, out);
10634     if (XMEMCMP(iv, iv2, sizeof(iv2)))
10635         ERROR_OUT(-6511, out);
10636     if (XMEMCMP(c, c2, sizeof(c2)))
10637         ERROR_OUT(-6512, out);
10638     if (XMEMCMP(t, t2, sizeof(t2)))
10639         ERROR_OUT(-6513, out);
10640 #endif
10641 
10642 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
10643     /* test fail on invalid IV sizes */
10644     result = wc_AesCcmSetKey(enc, k, sizeof(k));
10645     if (result != 0)
10646         ERROR_OUT(-6514, out);
10647 
10648     /* AES-CCM encrypt and decrypt both use AES encrypt internally */
10649     result = wc_AesCcmEncrypt(enc, c2, p, sizeof(c2), iv, sizeof(iv),
10650             t2, 1, a, sizeof(a));
10651     if (result == 0) {
10652         ERROR_OUT(-6515, out);
10653     }
10654 #endif
10655 
10656     /* AES-CCM encrypt and decrypt both use AES encrypt internally */
10657     result = wc_AesCcmEncrypt(enc, cl2, pl, sizeof(cl2), iv, sizeof(iv),
10658                                                 tl2, sizeof(tl2), a, sizeof(a));
10659     if (result != 0)
10660         ERROR_OUT(-6516, out);
10661     if (XMEMCMP(cl, cl2, sizeof(cl2)))
10662         ERROR_OUT(-6517, out);
10663     if (XMEMCMP(tl, tl2, sizeof(tl2)))
10664         ERROR_OUT(-6518, out);
10665 
10666     result = wc_AesCcmDecrypt(enc, pl2, cl2, sizeof(pl2), iv, sizeof(iv),
10667                                                 tl2, sizeof(tl2), a, sizeof(a));
10668     if (result != 0)
10669         ERROR_OUT(-6519, out);
10670     if (XMEMCMP(pl, pl2, sizeof(pl2)))
10671         ERROR_OUT(-6520, out);
10672 
10673     /* test empty message as null input or output with nonzero inSz. */
10674     result = wc_AesCcmEncrypt(enc, pl2 /* out */, NULL /* in */, 1 /* inSz */,
10675                               iv, sizeof(iv), t_empty2, sizeof(t_empty2),
10676                               a, sizeof(a));
10677     if (result != BAD_FUNC_ARG)
10678         ERROR_OUT(-6527, out);
10679     result = wc_AesCcmEncrypt(enc, NULL /* out */, (const byte *)"" /* in */, 1 /* inSz */,
10680                               iv, sizeof(iv), t_empty2, sizeof(t_empty2),
10681                               a, sizeof(a));
10682     if (result != BAD_FUNC_ARG)
10683         ERROR_OUT(-6528, out);
10684     result = wc_AesCcmDecrypt(enc, pl2, NULL /* in */, 1 /* inSz */,
10685                               iv, sizeof(iv), t_empty2, sizeof(t_empty2), a,
10686                               sizeof(a));
10687     if (result != BAD_FUNC_ARG)
10688         ERROR_OUT(-6529, out);
10689     result = wc_AesCcmDecrypt(enc, NULL /* out */, (const byte *)"" /* in */, 1 /* inSz */,
10690                               iv, sizeof(iv), t_empty2, sizeof(t_empty2), a,
10691                               sizeof(a));
10692     if (result != BAD_FUNC_ARG)
10693         ERROR_OUT(-6530, out);
10694 
10695     /* test empty message as null input and output with zero inSz --
10696      * must either succeed, or fail early with BAD_FUNC_ARG.
10697      */
10698     result = wc_AesCcmEncrypt(enc, NULL /* out */, NULL /* in */, 0 /* inSz */,
10699                               iv, sizeof(iv), t_empty2, sizeof(t_empty2),
10700                               a, sizeof(a));
10701     if (result != BAD_FUNC_ARG) {
10702         if (result != 0)
10703             ERROR_OUT(-6521, out);
10704         if (XMEMCMP(t_empty, t_empty2, sizeof(t_empty2)))
10705             ERROR_OUT(-6522, out);
10706 
10707         result = wc_AesCcmDecrypt(enc, NULL /* out */, NULL /* in */,
10708                                   0 /* inSz */, iv, sizeof(iv), t_empty2,
10709                                   sizeof(t_empty2), a, sizeof(a));
10710         if (result != 0)
10711             ERROR_OUT(-6523, out);
10712     }
10713 
10714     /* test empty message as zero-length string -- must work. */
10715     result = wc_AesCcmEncrypt(enc, pl2, (const byte *)"", 0 /* inSz */, iv,
10716                               sizeof(iv), t_empty2, sizeof(t_empty2), a,
10717                               sizeof(a));
10718     if (result != 0)
10719         ERROR_OUT(-6524, out);
10720     if (XMEMCMP(t_empty, t_empty2, sizeof(t_empty2)))
10721         ERROR_OUT(-6525, out);
10722 
10723     result = wc_AesCcmDecrypt(enc, pl2, (const byte *)"", 0 /* inSz */,
10724                               iv, sizeof(iv), t_empty2, sizeof(t_empty2), a,
10725                               sizeof(a));
10726     if (result != 0)
10727         ERROR_OUT(-6526, out);
10728 
10729     ret = 0;
10730 
10731   out:
10732 #ifdef WOLFSSL_SMALL_STACK
10733     XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
10734 #endif
10735 
10736     return ret;
10737 }
10738 #endif /* HAVE_AESCCM WOLFSSL_AES_128 */
10739 
10740 
10741 #ifdef HAVE_AES_KEYWRAP
10742 
10743 #define MAX_KEYWRAP_TEST_OUTLEN 40
10744 #define MAX_KEYWRAP_TEST_PLAINLEN 32
10745 
10746 typedef struct keywrapVector {
10747     const byte* kek;
10748     const byte* data;
10749     const byte* verify;
10750     word32 kekLen;
10751     word32 dataLen;
10752     word32 verifyLen;
10753 } keywrapVector;
10754 
aeskeywrap_test(void)10755 WOLFSSL_TEST_SUBROUTINE int aeskeywrap_test(void)
10756 {
10757     int wrapSz, plainSz, testSz, i;
10758 
10759     /* test vectors from RFC 3394 (kek, data, verify) */
10760 
10761 #ifdef WOLFSSL_AES_128
10762     /* Wrap 128 bits of Key Data with a 128-bit KEK */
10763     WOLFSSL_SMALL_STACK_STATIC const byte k1[] = {
10764         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
10765         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
10766     };
10767 
10768     WOLFSSL_SMALL_STACK_STATIC const byte d1[] = {
10769         0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
10770         0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF
10771     };
10772 
10773     WOLFSSL_SMALL_STACK_STATIC const byte v1[] = {
10774         0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47,
10775         0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82,
10776         0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5
10777     };
10778 #endif /* WOLFSSL_AES_128 */
10779 
10780 #ifdef WOLFSSL_AES_192
10781     /* Wrap 128 bits of Key Data with a 192-bit KEK */
10782     WOLFSSL_SMALL_STACK_STATIC const byte k2[] = {
10783         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
10784         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
10785         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
10786     };
10787 
10788     WOLFSSL_SMALL_STACK_STATIC const byte d2[] = {
10789         0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
10790         0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF
10791     };
10792 
10793     WOLFSSL_SMALL_STACK_STATIC const byte v2[] = {
10794         0x96, 0x77, 0x8B, 0x25, 0xAE, 0x6C, 0xA4, 0x35,
10795         0xF9, 0x2B, 0x5B, 0x97, 0xC0, 0x50, 0xAE, 0xD2,
10796         0x46, 0x8A, 0xB8, 0xA1, 0x7A, 0xD8, 0x4E, 0x5D
10797     };
10798 #endif
10799 
10800 #ifdef WOLFSSL_AES_256
10801     /* Wrap 128 bits of Key Data with a 256-bit KEK */
10802     WOLFSSL_SMALL_STACK_STATIC const byte k3[] = {
10803         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
10804         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
10805         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
10806         0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
10807     };
10808 
10809     WOLFSSL_SMALL_STACK_STATIC const byte d3[] = {
10810         0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
10811         0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF
10812     };
10813 
10814     WOLFSSL_SMALL_STACK_STATIC const byte v3[] = {
10815         0x64, 0xE8, 0xC3, 0xF9, 0xCE, 0x0F, 0x5B, 0xA2,
10816         0x63, 0xE9, 0x77, 0x79, 0x05, 0x81, 0x8A, 0x2A,
10817         0x93, 0xC8, 0x19, 0x1E, 0x7D, 0x6E, 0x8A, 0xE7
10818     };
10819 #endif
10820 
10821 #ifdef WOLFSSL_AES_192
10822     /* Wrap 192 bits of Key Data with a 192-bit KEK */
10823     WOLFSSL_SMALL_STACK_STATIC const byte k4[] = {
10824         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
10825         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
10826         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
10827     };
10828 
10829     WOLFSSL_SMALL_STACK_STATIC const byte d4[] = {
10830         0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
10831         0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
10832         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
10833     };
10834 
10835     WOLFSSL_SMALL_STACK_STATIC const byte v4[] = {
10836         0x03, 0x1D, 0x33, 0x26, 0x4E, 0x15, 0xD3, 0x32,
10837         0x68, 0xF2, 0x4E, 0xC2, 0x60, 0x74, 0x3E, 0xDC,
10838         0xE1, 0xC6, 0xC7, 0xDD, 0xEE, 0x72, 0x5A, 0x93,
10839         0x6B, 0xA8, 0x14, 0x91, 0x5C, 0x67, 0x62, 0xD2
10840     };
10841 #endif
10842 
10843 #ifdef WOLFSSL_AES_256
10844     /* Wrap 192 bits of Key Data with a 256-bit KEK */
10845     WOLFSSL_SMALL_STACK_STATIC const byte k5[] = {
10846         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
10847         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
10848         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
10849         0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
10850     };
10851 
10852     WOLFSSL_SMALL_STACK_STATIC const byte d5[] = {
10853         0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
10854         0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
10855         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
10856     };
10857 
10858     WOLFSSL_SMALL_STACK_STATIC const byte v5[] = {
10859         0xA8, 0xF9, 0xBC, 0x16, 0x12, 0xC6, 0x8B, 0x3F,
10860         0xF6, 0xE6, 0xF4, 0xFB, 0xE3, 0x0E, 0x71, 0xE4,
10861         0x76, 0x9C, 0x8B, 0x80, 0xA3, 0x2C, 0xB8, 0x95,
10862         0x8C, 0xD5, 0xD1, 0x7D, 0x6B, 0x25, 0x4D, 0xA1
10863     };
10864 
10865     /* Wrap 256 bits of Key Data with a 256-bit KEK */
10866     WOLFSSL_SMALL_STACK_STATIC const byte k6[] = {
10867         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
10868         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
10869         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
10870         0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
10871     };
10872 
10873     WOLFSSL_SMALL_STACK_STATIC const byte d6[] = {
10874         0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
10875         0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
10876         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
10877         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
10878     };
10879 
10880     WOLFSSL_SMALL_STACK_STATIC const byte v6[] = {
10881         0x28, 0xC9, 0xF4, 0x04, 0xC4, 0xB8, 0x10, 0xF4,
10882         0xCB, 0xCC, 0xB3, 0x5C, 0xFB, 0x87, 0xF8, 0x26,
10883         0x3F, 0x57, 0x86, 0xE2, 0xD8, 0x0E, 0xD3, 0x26,
10884         0xCB, 0xC7, 0xF0, 0xE7, 0x1A, 0x99, 0xF4, 0x3B,
10885         0xFB, 0x98, 0x8B, 0x9B, 0x7A, 0x02, 0xDD, 0x21
10886     };
10887 #endif /* WOLFSSL_AES_256 */
10888 
10889     byte output[MAX_KEYWRAP_TEST_OUTLEN];
10890     byte plain [MAX_KEYWRAP_TEST_PLAINLEN];
10891 
10892     const keywrapVector test_wrap[] =
10893     {
10894     #ifdef WOLFSSL_AES_128
10895         {k1, d1, v1, sizeof(k1), sizeof(d1), sizeof(v1)},
10896     #endif
10897     #ifdef WOLFSSL_AES_192
10898         {k2, d2, v2, sizeof(k2), sizeof(d2), sizeof(v2)},
10899     #endif
10900     #ifdef WOLFSSL_AES_256
10901         {k3, d3, v3, sizeof(k3), sizeof(d3), sizeof(v3)},
10902     #endif
10903     #ifdef WOLFSSL_AES_192
10904         {k4, d4, v4, sizeof(k4), sizeof(d4), sizeof(v4)},
10905     #endif
10906     #ifdef WOLFSSL_AES_256
10907         {k5, d5, v5, sizeof(k5), sizeof(d5), sizeof(v5)},
10908         {k6, d6, v6, sizeof(k6), sizeof(d6), sizeof(v6)}
10909     #endif
10910     };
10911     testSz = sizeof(test_wrap) / sizeof(keywrapVector);
10912 
10913     XMEMSET(output, 0, sizeof(output));
10914     XMEMSET(plain,  0, sizeof(plain));
10915 
10916     for (i = 0; i < testSz; i++) {
10917 
10918         wrapSz = wc_AesKeyWrap(test_wrap[i].kek, test_wrap[i].kekLen,
10919                                test_wrap[i].data, test_wrap[i].dataLen,
10920                                output, sizeof(output), NULL);
10921 
10922         if ( (wrapSz < 0) || (wrapSz != (int)test_wrap[i].verifyLen) )
10923             return -6600;
10924 
10925         if (XMEMCMP(output, test_wrap[i].verify, test_wrap[i].verifyLen) != 0)
10926             return -6601;
10927 
10928         plainSz = wc_AesKeyUnWrap((byte*)test_wrap[i].kek, test_wrap[i].kekLen,
10929                                   output, wrapSz,
10930                                   plain, sizeof(plain), NULL);
10931 
10932         if ( (plainSz < 0) || (plainSz != (int)test_wrap[i].dataLen) )
10933             return -6602;
10934 
10935         if (XMEMCMP(plain, test_wrap[i].data, test_wrap[i].dataLen) != 0)
10936             return -6603 - i;
10937     }
10938 
10939     return 0;
10940 }
10941 #endif /* HAVE_AES_KEYWRAP */
10942 
10943 
10944 #endif /* NO_AES */
10945 
10946 
10947 #ifdef HAVE_CAMELLIA
10948 
10949 enum {
10950     CAM_ECB_ENC, CAM_ECB_DEC, CAM_CBC_ENC, CAM_CBC_DEC
10951 };
10952 
10953 typedef struct {
10954     int type;
10955     const byte* plaintext;
10956     const byte* iv;
10957     const byte* ciphertext;
10958     const byte* key;
10959     word32 keySz;
10960     int errorCode;
10961 } test_vector_t;
10962 
camellia_test(void)10963 WOLFSSL_TEST_SUBROUTINE int camellia_test(void)
10964 {
10965     /* Camellia ECB Test Plaintext */
10966     WOLFSSL_SMALL_STACK_STATIC const byte pte[] =
10967     {
10968         0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
10969         0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10
10970     };
10971 
10972     /* Camellia ECB Test Initialization Vector */
10973     WOLFSSL_SMALL_STACK_STATIC const byte ive[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
10974 
10975     /* Test 1: Camellia ECB 128-bit key */
10976     WOLFSSL_SMALL_STACK_STATIC const byte k1[] =
10977     {
10978         0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
10979         0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10
10980     };
10981     WOLFSSL_SMALL_STACK_STATIC const byte c1[] =
10982     {
10983         0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
10984         0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43
10985     };
10986 
10987     /* Test 2: Camellia ECB 192-bit key */
10988     WOLFSSL_SMALL_STACK_STATIC const byte k2[] =
10989     {
10990         0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
10991         0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
10992         0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
10993     };
10994     WOLFSSL_SMALL_STACK_STATIC const byte c2[] =
10995     {
10996         0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
10997         0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9
10998     };
10999 
11000     /* Test 3: Camellia ECB 256-bit key */
11001     WOLFSSL_SMALL_STACK_STATIC const byte k3[] =
11002     {
11003         0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
11004         0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
11005         0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
11006         0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
11007     };
11008     WOLFSSL_SMALL_STACK_STATIC const byte c3[] =
11009     {
11010         0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
11011         0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09
11012     };
11013 
11014     /* Camellia CBC Test Plaintext */
11015     WOLFSSL_SMALL_STACK_STATIC const byte ptc[] =
11016     {
11017         0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
11018         0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A
11019     };
11020 
11021     /* Camellia CBC Test Initialization Vector */
11022     WOLFSSL_SMALL_STACK_STATIC const byte ivc[] =
11023     {
11024         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
11025         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
11026     };
11027 
11028     /* Test 4: Camellia-CBC 128-bit key */
11029     WOLFSSL_SMALL_STACK_STATIC const byte k4[] =
11030     {
11031         0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
11032         0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C
11033     };
11034     WOLFSSL_SMALL_STACK_STATIC const byte c4[] =
11035     {
11036         0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
11037         0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB
11038     };
11039 
11040     /* Test 5: Camellia-CBC 192-bit key */
11041     WOLFSSL_SMALL_STACK_STATIC const byte k5[] =
11042     {
11043         0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
11044         0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
11045         0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B
11046     };
11047     WOLFSSL_SMALL_STACK_STATIC const byte c5[] =
11048     {
11049         0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
11050         0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93
11051     };
11052 
11053     /* Test 6: CBC 256-bit key */
11054     WOLFSSL_SMALL_STACK_STATIC const byte k6[] =
11055     {
11056         0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
11057         0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
11058         0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
11059         0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4
11060     };
11061     WOLFSSL_SMALL_STACK_STATIC const byte c6[] =
11062     {
11063         0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
11064         0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA
11065     };
11066 
11067     byte out[CAMELLIA_BLOCK_SIZE];
11068     Camellia cam;
11069     int i, testsSz, ret;
11070     WOLFSSL_SMALL_STACK_STATIC const test_vector_t testVectors[] =
11071     {
11072         {CAM_ECB_ENC, pte, ive, c1, k1, sizeof(k1), -114},
11073         {CAM_ECB_ENC, pte, ive, c2, k2, sizeof(k2), -115},
11074         {CAM_ECB_ENC, pte, ive, c3, k3, sizeof(k3), -116},
11075         {CAM_ECB_DEC, pte, ive, c1, k1, sizeof(k1), -117},
11076         {CAM_ECB_DEC, pte, ive, c2, k2, sizeof(k2), -118},
11077         {CAM_ECB_DEC, pte, ive, c3, k3, sizeof(k3), -119},
11078         {CAM_CBC_ENC, ptc, ivc, c4, k4, sizeof(k4), -120},
11079         {CAM_CBC_ENC, ptc, ivc, c5, k5, sizeof(k5), -121},
11080         {CAM_CBC_ENC, ptc, ivc, c6, k6, sizeof(k6), -122},
11081         {CAM_CBC_DEC, ptc, ivc, c4, k4, sizeof(k4), -123},
11082         {CAM_CBC_DEC, ptc, ivc, c5, k5, sizeof(k5), -124},
11083         {CAM_CBC_DEC, ptc, ivc, c6, k6, sizeof(k6), -125}
11084     };
11085 
11086     testsSz = sizeof(testVectors)/sizeof(test_vector_t);
11087     for (i = 0; i < testsSz; i++) {
11088         if (wc_CamelliaSetKey(&cam, testVectors[i].key, testVectors[i].keySz,
11089                                                         testVectors[i].iv) != 0)
11090             return testVectors[i].errorCode;
11091 
11092         switch (testVectors[i].type) {
11093             case CAM_ECB_ENC:
11094                 ret = wc_CamelliaEncryptDirect(&cam, out,
11095                                                 testVectors[i].plaintext);
11096                 if (ret != 0 || XMEMCMP(out, testVectors[i].ciphertext,
11097                                                         CAMELLIA_BLOCK_SIZE))
11098                     return testVectors[i].errorCode;
11099                 break;
11100             case CAM_ECB_DEC:
11101                 ret = wc_CamelliaDecryptDirect(&cam, out,
11102                                                     testVectors[i].ciphertext);
11103                 if (ret != 0 || XMEMCMP(out, testVectors[i].plaintext,
11104                                                         CAMELLIA_BLOCK_SIZE))
11105                     return testVectors[i].errorCode;
11106                 break;
11107             case CAM_CBC_ENC:
11108                 ret = wc_CamelliaCbcEncrypt(&cam, out, testVectors[i].plaintext,
11109                                                            CAMELLIA_BLOCK_SIZE);
11110                 if (ret != 0 || XMEMCMP(out, testVectors[i].ciphertext,
11111                                                         CAMELLIA_BLOCK_SIZE))
11112                     return testVectors[i].errorCode;
11113                 break;
11114             case CAM_CBC_DEC:
11115                 ret = wc_CamelliaCbcDecrypt(&cam, out,
11116                                 testVectors[i].ciphertext, CAMELLIA_BLOCK_SIZE);
11117                 if (ret != 0 || XMEMCMP(out, testVectors[i].plaintext,
11118                                                            CAMELLIA_BLOCK_SIZE))
11119                     return testVectors[i].errorCode;
11120                 break;
11121             default:
11122                 break;
11123         }
11124     }
11125 
11126     /* Setting the IV and checking it was actually set. */
11127     ret = wc_CamelliaSetIV(&cam, ivc);
11128     if (ret != 0 || XMEMCMP(cam.reg, ivc, CAMELLIA_BLOCK_SIZE))
11129         return -6700;
11130 
11131     /* Setting the IV to NULL should be same as all zeros IV */
11132     if (wc_CamelliaSetIV(&cam, NULL) != 0 ||
11133                                     XMEMCMP(cam.reg, ive, CAMELLIA_BLOCK_SIZE))
11134         return -6701;
11135 
11136     /* First parameter should never be null */
11137     if (wc_CamelliaSetIV(NULL, NULL) == 0)
11138         return -6702;
11139 
11140     /* First parameter should never be null, check it fails */
11141     if (wc_CamelliaSetKey(NULL, k1, sizeof(k1), NULL) == 0)
11142         return -6703;
11143 
11144     /* Key should have a size of 16, 24, or 32 */
11145     if (wc_CamelliaSetKey(&cam, k1, 0, NULL) == 0)
11146         return -6704;
11147 
11148     return 0;
11149 }
11150 #endif /* HAVE_CAMELLIA */
11151 
11152 #ifdef HAVE_IDEA
idea_test(void)11153 WOLFSSL_TEST_SUBROUTINE int idea_test(void)
11154 {
11155     int ret;
11156     word16 i, j;
11157 
11158     Idea idea;
11159     byte data[IDEA_BLOCK_SIZE];
11160 
11161     /* Project NESSIE test vectors */
11162 #define IDEA_NB_TESTS   6
11163 #define IDEA_NB_TESTS_EXTRA 4
11164 
11165     WOLFSSL_SMALL_STACK_STATIC const byte v_key[IDEA_NB_TESTS][IDEA_KEY_SIZE] = {
11166         { 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37,
11167             0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37 },
11168         { 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57,
11169             0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 },
11170         { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
11171             0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F },
11172         { 0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xB3, 0x00,
11173             0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48 },
11174         { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
11175             0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F },
11176         { 0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xB3, 0x00,
11177             0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48 },
11178     };
11179 
11180     WOLFSSL_SMALL_STACK_STATIC const byte v1_plain[IDEA_NB_TESTS][IDEA_BLOCK_SIZE] = {
11181         { 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37 },
11182         { 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 },
11183         { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
11184         { 0xEA, 0x02, 0x47, 0x14, 0xAD, 0x5C, 0x4D, 0x84 },
11185         { 0xDB, 0x2D, 0x4A, 0x92, 0xAA, 0x68, 0x27, 0x3F },
11186         { 0xF1, 0x29, 0xA6, 0x60, 0x1E, 0xF6, 0x2A, 0x47 },
11187     };
11188 
11189     WOLFSSL_SMALL_STACK_STATIC const byte v1_cipher[IDEA_NB_TESTS][IDEA_BLOCK_SIZE] = {
11190         { 0x54, 0xCF, 0x21, 0xE3, 0x89, 0xD8, 0x73, 0xEC },
11191         { 0x85, 0x52, 0x4D, 0x41, 0x0E, 0xB4, 0x28, 0xAE },
11192         { 0xF5, 0x26, 0xAB, 0x9A, 0x62, 0xC0, 0xD2, 0x58 },
11193         { 0xC8, 0xFB, 0x51, 0xD3, 0x51, 0x66, 0x27, 0xA8 },
11194         { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
11195         { 0xEA, 0x02, 0x47, 0x14, 0xAD, 0x5C, 0x4D, 0x84 },
11196     };
11197 
11198     WOLFSSL_SMALL_STACK_STATIC const byte v1_cipher_100[IDEA_NB_TESTS_EXTRA][IDEA_BLOCK_SIZE]  = {
11199         { 0x12, 0x46, 0x2F, 0xD0, 0xFB, 0x3A, 0x63, 0x39 },
11200         { 0x15, 0x61, 0xE8, 0xC9, 0x04, 0x54, 0x8B, 0xE9 },
11201         { 0x42, 0x12, 0x2A, 0x94, 0xB0, 0xF6, 0xD2, 0x43 },
11202         { 0x53, 0x4D, 0xCD, 0x48, 0xDD, 0xD5, 0xF5, 0x9C },
11203     };
11204 
11205     WOLFSSL_SMALL_STACK_STATIC const byte v1_cipher_1000[IDEA_NB_TESTS_EXTRA][IDEA_BLOCK_SIZE] = {
11206         { 0x44, 0x1B, 0x38, 0x5C, 0x77, 0x29, 0x75, 0x34 },
11207         { 0xF0, 0x4E, 0x58, 0x88, 0x44, 0x99, 0x22, 0x2D },
11208         { 0xB3, 0x5F, 0x93, 0x7F, 0x6A, 0xA0, 0xCD, 0x1F },
11209         { 0x9A, 0xEA, 0x46, 0x8F, 0x42, 0x9B, 0xBA, 0x15 },
11210     };
11211 
11212     /* CBC test */
11213     const char *message = "International Data Encryption Algorithm";
11214     byte msg_enc[40], msg_dec[40];
11215 
11216     for (i = 0; i < IDEA_NB_TESTS; i++) {
11217         /* Set encryption key */
11218         XMEMSET(&idea, 0, sizeof(Idea));
11219         ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
11220                             NULL, IDEA_ENCRYPTION);
11221         if (ret != 0) {
11222             printf("wc_IdeaSetKey (enc) failed\n");
11223             return -6800;
11224         }
11225 
11226         /* Data encryption */
11227         ret = wc_IdeaCipher(&idea, data, v1_plain[i]);
11228         if (ret != 0 || XMEMCMP(&v1_cipher[i], data, IDEA_BLOCK_SIZE)) {
11229             printf("Bad encryption\n");
11230             return -6801;
11231         }
11232 
11233         /* Set decryption key */
11234         XMEMSET(&idea, 0, sizeof(Idea));
11235         ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
11236                             NULL, IDEA_DECRYPTION);
11237         if (ret != 0) {
11238             printf("wc_IdeaSetKey (dec) failed\n");
11239             return -6802;
11240         }
11241 
11242         /* Data decryption */
11243         ret = wc_IdeaCipher(&idea, data, data);
11244         if (ret != 0 || XMEMCMP(v1_plain[i], data, IDEA_BLOCK_SIZE)) {
11245             printf("Bad decryption\n");
11246             return -6803;
11247         }
11248 
11249         /* Set encryption key */
11250         XMEMSET(&idea, 0, sizeof(Idea));
11251         ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
11252                             v_key[i], IDEA_ENCRYPTION);
11253         if (ret != 0) {
11254             printf("wc_IdeaSetKey (enc) failed\n");
11255             return -6804;
11256         }
11257 
11258         XMEMSET(msg_enc, 0, sizeof(msg_enc));
11259         ret = wc_IdeaCbcEncrypt(&idea, msg_enc, (byte *)message,
11260                                 (word32)XSTRLEN(message)+1);
11261         if (ret != 0) {
11262             printf("wc_IdeaCbcEncrypt failed\n");
11263             return -6805;
11264         }
11265 
11266         /* Set decryption key */
11267         XMEMSET(&idea, 0, sizeof(Idea));
11268         ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
11269                             v_key[i], IDEA_DECRYPTION);
11270         if (ret != 0) {
11271             printf("wc_IdeaSetKey (dec) failed\n");
11272             return -6806;
11273         }
11274 
11275         XMEMSET(msg_dec, 0, sizeof(msg_dec));
11276         ret = wc_IdeaCbcDecrypt(&idea, msg_dec, msg_enc,
11277                                 (word32)XSTRLEN(message)+1);
11278         if (ret != 0) {
11279             printf("wc_IdeaCbcDecrypt failed\n");
11280             return -6807;
11281         }
11282 
11283         if (XMEMCMP(message, msg_dec, (word32)XSTRLEN(message))) {
11284             printf("Bad CBC decryption\n");
11285             return -6808;
11286         }
11287     }
11288 
11289     for (i = 0; i < IDEA_NB_TESTS_EXTRA; i++) {
11290         /* Set encryption key */
11291         XMEMSET(&idea, 0, sizeof(Idea));
11292         ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
11293                             NULL, IDEA_ENCRYPTION);
11294         if (ret != 0) {
11295             printf("wc_IdeaSetKey (enc) failed\n");
11296             return -6809;
11297         }
11298 
11299         /* 100 times data encryption */
11300         XMEMCPY(data, v1_plain[i], IDEA_BLOCK_SIZE);
11301         for (j = 0; j < 100; j++) {
11302             ret = wc_IdeaCipher(&idea, data, data);
11303             if (ret != 0) {
11304                 return -6810;
11305             }
11306         }
11307 
11308         if (XMEMCMP(v1_cipher_100[i], data, IDEA_BLOCK_SIZE)) {
11309             printf("Bad encryption (100 times)\n");
11310             return -6811;
11311         }
11312 
11313         /* 1000 times data encryption */
11314         XMEMCPY(data, v1_plain[i], IDEA_BLOCK_SIZE);
11315         for (j = 0; j < 1000; j++) {
11316             ret = wc_IdeaCipher(&idea, data, data);
11317             if (ret != 0) {
11318                 return -6812;
11319             }
11320         }
11321 
11322         if (XMEMCMP(v1_cipher_1000[i], data, IDEA_BLOCK_SIZE)) {
11323             printf("Bad encryption (100 times)\n");
11324             return -6813;
11325         }
11326     }
11327 
11328 #ifndef WC_NO_RNG
11329     /* random test for CBC */
11330     {
11331         WC_RNG rng;
11332         byte key[IDEA_KEY_SIZE], iv[IDEA_BLOCK_SIZE],
11333         *rnd, *enc, *dec;
11334 
11335 #define IDEA_SCRATCH_BUFFER_SIZE 1000
11336         rnd = (byte *)XMALLOC(IDEA_SCRATCH_BUFFER_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11337         enc = (byte *)XMALLOC(IDEA_SCRATCH_BUFFER_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11338         dec = (byte *)XMALLOC(IDEA_SCRATCH_BUFFER_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11339 
11340         if ((rnd == NULL) || (enc == NULL) || (dec == NULL)) {
11341             if (rnd)
11342                 XFREE(rnd, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11343             if (enc)
11344                 XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11345             if (dec)
11346                 XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11347             return -6823;
11348         }
11349 
11350         /* random values */
11351     #ifndef HAVE_FIPS
11352         ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
11353     #else
11354         ret = wc_InitRng(&rng);
11355     #endif
11356         if (ret != 0)
11357             return -6814;
11358 
11359         for (i = 0; i < 1000; i++) {
11360             /* random key */
11361             ret = wc_RNG_GenerateBlock(&rng, key, sizeof(key));
11362             if (ret != 0)
11363                 return -6815;
11364 
11365             /* random iv */
11366             ret = wc_RNG_GenerateBlock(&rng, iv, sizeof(iv));
11367             if (ret != 0)
11368                 return -6816;
11369 
11370             /* random data */
11371             ret = wc_RNG_GenerateBlock(&rng, rnd, IDEA_SCRATCH_BUFFER_SIZE);
11372             if (ret != 0)
11373                 return -6817;
11374 
11375             /* Set encryption key */
11376             XMEMSET(&idea, 0, sizeof(Idea));
11377             ret = wc_IdeaSetKey(&idea, key, IDEA_KEY_SIZE, iv, IDEA_ENCRYPTION);
11378             if (ret != 0) {
11379                 printf("wc_IdeaSetKey (enc) failed\n");
11380                 return -6818;
11381             }
11382 
11383             /* Data encryption */
11384             XMEMSET(enc, 0, IDEA_SCRATCH_BUFFER_SIZE);
11385             ret = wc_IdeaCbcEncrypt(&idea, enc, rnd, IDEA_SCRATCH_BUFFER_SIZE);
11386             if (ret != 0) {
11387                 printf("wc_IdeaCbcEncrypt failed\n");
11388                 return -6819;
11389             }
11390 
11391             /* Set decryption key */
11392             XMEMSET(&idea, 0, sizeof(Idea));
11393             ret = wc_IdeaSetKey(&idea, key, IDEA_KEY_SIZE, iv, IDEA_DECRYPTION);
11394             if (ret != 0) {
11395                 printf("wc_IdeaSetKey (enc) failed\n");
11396                 return -6820;
11397             }
11398 
11399             /* Data decryption */
11400             XMEMSET(dec, 0, IDEA_SCRATCH_BUFFER_SIZE);
11401             ret = wc_IdeaCbcDecrypt(&idea, dec, enc, IDEA_SCRATCH_BUFFER_SIZE);
11402             if (ret != 0) {
11403                 printf("wc_IdeaCbcDecrypt failed\n");
11404                 return -6821;
11405             }
11406 
11407             if (XMEMCMP(rnd, dec, IDEA_SCRATCH_BUFFER_SIZE)) {
11408                 printf("Bad CBC decryption\n");
11409                 return -6822;
11410             }
11411         }
11412 
11413         XFREE(rnd, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11414         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11415         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11416 #undef IDEA_SCRATCH_BUFFER_SIZE
11417 
11418         wc_FreeRng(&rng);
11419     }
11420 #endif /* WC_NO_RNG */
11421 
11422     return 0;
11423 }
11424 #endif /* HAVE_IDEA */
11425 
11426 #ifdef HAVE_XCHACHA
XChaCha_test(void)11427 WOLFSSL_TEST_SUBROUTINE int XChaCha_test(void) {
11428     int ret = -6830;
11429 
11430     WOLFSSL_SMALL_STACK_STATIC const byte Plaintext[] = {
11431         0x54, 0x68, 0x65, 0x20, 0x64, 0x68, 0x6f, 0x6c, 0x65, 0x20, 0x28, 0x70, 0x72, 0x6f, 0x6e, 0x6f, /* The dhole (prono */
11432         0x75, 0x6e, 0x63, 0x65, 0x64, 0x20, 0x22, 0x64, 0x6f, 0x6c, 0x65, 0x22, 0x29, 0x20, 0x69, 0x73, /* unced "dole") is */
11433         0x20, 0x61, 0x6c, 0x73, 0x6f, 0x20, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x20, 0x61, 0x73, 0x20, 0x74, /*  also known as t */
11434         0x68, 0x65, 0x20, 0x41, 0x73, 0x69, 0x61, 0x74, 0x69, 0x63, 0x20, 0x77, 0x69, 0x6c, 0x64, 0x20, /* he Asiatic wild  */
11435         0x64, 0x6f, 0x67, 0x2c, 0x20, 0x72, 0x65, 0x64, 0x20, 0x64, 0x6f, 0x67, 0x2c, 0x20, 0x61, 0x6e, /* dog, red dog, an */
11436         0x64, 0x20, 0x77, 0x68, 0x69, 0x73, 0x74, 0x6c, 0x69, 0x6e, 0x67, 0x20, 0x64, 0x6f, 0x67, 0x2e, /* d whistling dog. */
11437         0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x61, 0x62, 0x6f, 0x75, 0x74, 0x20, 0x74, 0x68, 0x65, /*  It is about the */
11438         0x20, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x61, 0x20, 0x47, 0x65, 0x72, 0x6d, 0x61, /*  size of a Germa */
11439         0x6e, 0x20, 0x73, 0x68, 0x65, 0x70, 0x68, 0x65, 0x72, 0x64, 0x20, 0x62, 0x75, 0x74, 0x20, 0x6c, /* n shepherd but l */
11440         0x6f, 0x6f, 0x6b, 0x73, 0x20, 0x6d, 0x6f, 0x72, 0x65, 0x20, 0x6c, 0x69, 0x6b, 0x65, 0x20, 0x61, /* ooks more like a */
11441         0x20, 0x6c, 0x6f, 0x6e, 0x67, 0x2d, 0x6c, 0x65, 0x67, 0x67, 0x65, 0x64, 0x20, 0x66, 0x6f, 0x78, /*  long-legged fox */
11442         0x2e, 0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x68, 0x69, 0x67, 0x68, 0x6c, 0x79, 0x20, 0x65, 0x6c, /* . This highly el */
11443         0x75, 0x73, 0x69, 0x76, 0x65, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6b, 0x69, 0x6c, 0x6c, 0x65, /* usive and skille */
11444         0x64, 0x20, 0x6a, 0x75, 0x6d, 0x70, 0x65, 0x72, 0x20, 0x69, 0x73, 0x20, 0x63, 0x6c, 0x61, 0x73, /* d jumper is clas */
11445         0x73, 0x69, 0x66, 0x69, 0x65, 0x64, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x77, 0x6f, 0x6c, 0x76, /* sified with wolv */
11446         0x65, 0x73, 0x2c, 0x20, 0x63, 0x6f, 0x79, 0x6f, 0x74, 0x65, 0x73, 0x2c, 0x20, 0x6a, 0x61, 0x63, /* es, coyotes, jac */
11447         0x6b, 0x61, 0x6c, 0x73, 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x66, 0x6f, 0x78, 0x65, 0x73, 0x20, /* kals, and foxes  */
11448         0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74, 0x61, 0x78, 0x6f, 0x6e, 0x6f, 0x6d, 0x69, 0x63, /* in the taxonomic */
11449         0x20, 0x66, 0x61, 0x6d, 0x69, 0x6c, 0x79, 0x20, 0x43, 0x61, 0x6e, 0x69, 0x64, 0x61, 0x65, 0x2e  /*  family Canidae. */
11450     };
11451 
11452     WOLFSSL_SMALL_STACK_STATIC const byte Key[] = {
11453         0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
11454         0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
11455     };
11456 
11457     WOLFSSL_SMALL_STACK_STATIC const byte IV[] = {
11458         0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, /* @ABCDEFGHIJKLMNO */
11459         0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x58 };                                               /* PQRSTUVW */
11460 
11461     WOLFSSL_SMALL_STACK_STATIC const byte Ciphertext[] = {
11462         0x45, 0x59, 0xab, 0xba, 0x4e, 0x48, 0xc1, 0x61, 0x02, 0xe8, 0xbb, 0x2c, 0x05, 0xe6, 0x94, 0x7f,
11463         0x50, 0xa7, 0x86, 0xde, 0x16, 0x2f, 0x9b, 0x0b, 0x7e, 0x59, 0x2a, 0x9b, 0x53, 0xd0, 0xd4, 0xe9,
11464         0x8d, 0x8d, 0x64, 0x10, 0xd5, 0x40, 0xa1, 0xa6, 0x37, 0x5b, 0x26, 0xd8, 0x0d, 0xac, 0xe4, 0xfa,
11465         0xb5, 0x23, 0x84, 0xc7, 0x31, 0xac, 0xbf, 0x16, 0xa5, 0x92, 0x3c, 0x0c, 0x48, 0xd3, 0x57, 0x5d,
11466         0x4d, 0x0d, 0x2c, 0x67, 0x3b, 0x66, 0x6f, 0xaa, 0x73, 0x10, 0x61, 0x27, 0x77, 0x01, 0x09, 0x3a,
11467         0x6b, 0xf7, 0xa1, 0x58, 0xa8, 0x86, 0x42, 0x92, 0xa4, 0x1c, 0x48, 0xe3, 0xa9, 0xb4, 0xc0, 0xda,
11468         0xec, 0xe0, 0xf8, 0xd9, 0x8d, 0x0d, 0x7e, 0x05, 0xb3, 0x7a, 0x30, 0x7b, 0xbb, 0x66, 0x33, 0x31,
11469         0x64, 0xec, 0x9e, 0x1b, 0x24, 0xea, 0x0d, 0x6c, 0x3f, 0xfd, 0xdc, 0xec, 0x4f, 0x68, 0xe7, 0x44,
11470         0x30, 0x56, 0x19, 0x3a, 0x03, 0xc8, 0x10, 0xe1, 0x13, 0x44, 0xca, 0x06, 0xd8, 0xed, 0x8a, 0x2b,
11471         0xfb, 0x1e, 0x8d, 0x48, 0xcf, 0xa6, 0xbc, 0x0e, 0xb4, 0xe2, 0x46, 0x4b, 0x74, 0x81, 0x42, 0x40,
11472         0x7c, 0x9f, 0x43, 0x1a, 0xee, 0x76, 0x99, 0x60, 0xe1, 0x5b, 0xa8, 0xb9, 0x68, 0x90, 0x46, 0x6e,
11473         0xf2, 0x45, 0x75, 0x99, 0x85, 0x23, 0x85, 0xc6, 0x61, 0xf7, 0x52, 0xce, 0x20, 0xf9, 0xda, 0x0c,
11474         0x09, 0xab, 0x6b, 0x19, 0xdf, 0x74, 0xe7, 0x6a, 0x95, 0x96, 0x74, 0x46, 0xf8, 0xd0, 0xfd, 0x41,
11475         0x5e, 0x7b, 0xee, 0x2a, 0x12, 0xa1, 0x14, 0xc2, 0x0e, 0xb5, 0x29, 0x2a, 0xe7, 0xa3, 0x49, 0xae,
11476         0x57, 0x78, 0x20, 0xd5, 0x52, 0x0a, 0x1f, 0x3f, 0xb6, 0x2a, 0x17, 0xce, 0x6a, 0x7e, 0x68, 0xfa,
11477         0x7c, 0x79, 0x11, 0x1d, 0x88, 0x60, 0x92, 0x0b, 0xc0, 0x48, 0xef, 0x43, 0xfe, 0x84, 0x48, 0x6c,
11478         0xcb, 0x87, 0xc2, 0x5f, 0x0a, 0xe0, 0x45, 0xf0, 0xcc, 0xe1, 0xe7, 0x98, 0x9a, 0x9a, 0xa2, 0x20,
11479         0xa2, 0x8b, 0xdd, 0x48, 0x27, 0xe7, 0x51, 0xa2, 0x4a, 0x6d, 0x5c, 0x62, 0xd7, 0x90, 0xa6, 0x63,
11480         0x93, 0xb9, 0x31, 0x11, 0xc1, 0xa5, 0x5d, 0xd7, 0x42, 0x1a, 0x10, 0x18, 0x49, 0x74, 0xc7, 0xc5
11481     };
11482 
11483 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
11484     struct ChaCha *chacha = (struct ChaCha *)XMALLOC(sizeof *chacha, HEAP_HINT, DYNAMIC_TYPE_CIPHER);
11485     byte *buf1 = (byte *)XMALLOC(sizeof Plaintext, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11486     byte *buf2 = (byte *)XMALLOC(sizeof Plaintext, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11487 
11488     if ((chacha == NULL) || (buf1 == NULL) || (buf2 == NULL))
11489         ERROR_OUT(MEMORY_E, out);
11490 #else
11491     struct ChaCha chacha[1];
11492     byte buf1[sizeof Plaintext];
11493     byte buf2[sizeof Plaintext];
11494 #endif
11495 
11496     ret = wc_XChacha_SetKey(chacha, Key, sizeof Key, IV, sizeof IV, 0);
11497     if (ret < 0)
11498         ERROR_OUT(-6831, out);
11499 
11500     ret = wc_Chacha_Process(chacha, buf1, Plaintext, sizeof Plaintext);
11501     if (ret < 0)
11502         ERROR_OUT(-6832, out);
11503 
11504     if (XMEMCMP(buf1, Ciphertext, sizeof Plaintext))
11505         ERROR_OUT(-6833, out);
11506 
11507     ret = wc_XChacha_SetKey(chacha, Key, sizeof Key, IV, sizeof IV, 0);
11508     if (ret < 0)
11509         ERROR_OUT(-6834, out);
11510 
11511     ret = wc_Chacha_Process(chacha, buf2, buf1, sizeof Plaintext);
11512     if (ret < 0)
11513         ERROR_OUT(-6835, out);
11514 
11515     if (XMEMCMP(buf2, Plaintext, sizeof Plaintext))
11516         ERROR_OUT(-6836, out);
11517 
11518   out:
11519 
11520 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
11521     if (chacha)
11522         XFREE(chacha, HEAP_HINT, DYNAMIC_TYPE_CIPHER);
11523     if (buf1)
11524         XFREE(buf1, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11525     if (buf2)
11526         XFREE(buf2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11527 #endif
11528 
11529     return ret;
11530 }
11531 #endif /* HAVE_XCHACHA */
11532 
11533 #if defined(HAVE_XCHACHA) && defined(HAVE_POLY1305)
XChaCha20Poly1305_test(void)11534 WOLFSSL_TEST_SUBROUTINE int XChaCha20Poly1305_test(void) {
11535     int ret;
11536 
11537     WOLFSSL_SMALL_STACK_STATIC const byte Plaintext[] = {
11538         0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c, /* Ladies and Gentl */
11539         0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, /* emen of the clas */
11540         0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39, 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63, /* s of '99: If I c */
11541         0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66, 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f, /* ould offer you o */
11542         0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20, 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20, /* nly one tip for */
11543         0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73, /* the future, suns */
11544         0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, /* creen would be i */
11545         0x74, 0x2e };                                                                                   /* t. */
11546 
11547     WOLFSSL_SMALL_STACK_STATIC const byte AAD[] = { 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7 }; /* PQRS........ */
11548 
11549     WOLFSSL_SMALL_STACK_STATIC const byte Key[] = {
11550         0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
11551         0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
11552     };
11553 
11554     WOLFSSL_SMALL_STACK_STATIC const byte IV[] = {
11555         0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, /* @ABCDEFGHIJKLMNO */
11556         0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57 };                                               /* PQRSTUVW */
11557 
11558     WOLFSSL_SMALL_STACK_STATIC const byte Ciphertext[] = {
11559       0xbd, 0x6d, 0x17, 0x9d, 0x3e, 0x83, 0xd4, 0x3b, 0x95, 0x76, 0x57, 0x94, 0x93, 0xc0, 0xe9, 0x39,
11560       0x57, 0x2a, 0x17, 0x00, 0x25, 0x2b, 0xfa, 0xcc, 0xbe, 0xd2, 0x90, 0x2c, 0x21, 0x39, 0x6c, 0xbb,
11561       0x73, 0x1c, 0x7f, 0x1b, 0x0b, 0x4a, 0xa6, 0x44, 0x0b, 0xf3, 0xa8, 0x2f, 0x4e, 0xda, 0x7e, 0x39,
11562       0xae, 0x64, 0xc6, 0x70, 0x8c, 0x54, 0xc2, 0x16, 0xcb, 0x96, 0xb7, 0x2e, 0x12, 0x13, 0xb4, 0x52,
11563       0x2f, 0x8c, 0x9b, 0xa4, 0x0d, 0xb5, 0xd9, 0x45, 0xb1, 0x1b, 0x69, 0xb9, 0x82, 0xc1, 0xbb, 0x9e,
11564       0x3f, 0x3f, 0xac, 0x2b, 0xc3, 0x69, 0x48, 0x8f, 0x76, 0xb2, 0x38, 0x35, 0x65, 0xd3, 0xff, 0xf9,
11565       0x21, 0xf9, 0x66, 0x4c, 0x97, 0x63, 0x7d, 0xa9, 0x76, 0x88, 0x12, 0xf6, 0x15, 0xc6, 0x8b, 0x13,
11566       0xb5, 0x2e };
11567 
11568     WOLFSSL_SMALL_STACK_STATIC const byte Tag[] = {
11569       0xc0, 0x87, 0x59, 0x24, 0xc1, 0xc7, 0x98, 0x79, 0x47, 0xde, 0xaf, 0xd8, 0x78, 0x0a, 0xcf, 0x49
11570     };
11571 
11572 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
11573     byte *buf1 = (byte *)XMALLOC(sizeof Ciphertext + sizeof Tag, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11574     byte *buf2 = (byte *)XMALLOC(sizeof Plaintext, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11575 
11576     if ((buf1 == NULL) || (buf2 == NULL))
11577         ERROR_OUT(-6480, out);
11578 #else
11579     byte buf1[sizeof Ciphertext + sizeof Tag];
11580     byte buf2[sizeof Plaintext];
11581 #endif
11582 
11583     ret = wc_XChaCha20Poly1305_Encrypt(buf1, sizeof Ciphertext + sizeof Tag,
11584                                        Plaintext, sizeof Plaintext,
11585                                        AAD, sizeof AAD,
11586                                        IV, sizeof IV,
11587                                        Key, sizeof Key);
11588 
11589     if (ret < 0)
11590         ERROR_OUT(-6841, out);
11591 
11592     if (XMEMCMP(buf1, Ciphertext, sizeof Ciphertext))
11593         ERROR_OUT(-6842, out);
11594 
11595     if (XMEMCMP(buf1 + sizeof Ciphertext, Tag, CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE))
11596         ERROR_OUT(-6843, out);
11597 
11598     ret = wc_XChaCha20Poly1305_Decrypt(buf2, sizeof Plaintext,
11599                                  buf1, sizeof Ciphertext + sizeof Tag,
11600                                        AAD, sizeof AAD,
11601                                        IV, sizeof IV,
11602                                        Key, sizeof Key);
11603 
11604     if (ret < 0)
11605         ERROR_OUT(-6844, out);
11606 
11607     if (XMEMCMP(buf2, Plaintext, sizeof Plaintext))
11608         ERROR_OUT(-6845, out);
11609 
11610   out:
11611 
11612 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
11613     if (buf1 != NULL)
11614         XFREE(buf1, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11615     if (buf2 != NULL)
11616         XFREE(buf2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11617 #endif
11618 
11619     return ret;
11620 }
11621 #endif /* defined(HAVE_XCHACHA) && defined(HAVE_POLY1305) */
11622 
11623 #ifndef WC_NO_RNG
_rng_test(WC_RNG * rng,int errorOffset)11624 static int _rng_test(WC_RNG* rng, int errorOffset)
11625 {
11626     byte block[32];
11627     int ret, i;
11628 
11629     XMEMSET(block, 0, sizeof(block));
11630 
11631     ret = wc_RNG_GenerateBlock(rng, block, sizeof(block));
11632     if (ret != 0) {
11633         ret = -6850;
11634         goto exit;
11635     }
11636 
11637     /* Check for 0's */
11638     for (i=0; i<(int)sizeof(block); i++) {
11639         if (block[i] == 0) {
11640             ret++;
11641         }
11642     }
11643     /* All zeros count check */
11644     if (ret >= (int)sizeof(block)) {
11645         ret = -6851;
11646         goto exit;
11647     }
11648 
11649     ret = wc_RNG_GenerateByte(rng, block);
11650     if (ret != 0) {
11651         ret = -6852;
11652         goto exit;
11653     }
11654 
11655     /* Parameter validation testing. */
11656     ret = wc_RNG_GenerateBlock(NULL, block, sizeof(block));
11657     if (ret != BAD_FUNC_ARG) {
11658         ret = -6853;
11659         goto exit;
11660     }
11661     ret = wc_RNG_GenerateBlock(rng, NULL, sizeof(block));
11662     if (ret != BAD_FUNC_ARG) {
11663         ret = -6854;
11664         goto exit;
11665     }
11666 
11667     ret = wc_RNG_GenerateByte(NULL, block);
11668     if (ret != BAD_FUNC_ARG) {
11669         ret = -6855;
11670         goto exit;
11671     }
11672     ret = wc_RNG_GenerateByte(rng, NULL);
11673     if (ret != BAD_FUNC_ARG) {
11674         ret = -6856;
11675         goto exit;
11676     }
11677 
11678     ret = 0;
11679 
11680 exit:
11681     if (ret != 0)
11682         ret += errorOffset;
11683 
11684     return ret;
11685 }
11686 
11687 
random_rng_test(void)11688 static int random_rng_test(void)
11689 {
11690     WC_RNG localRng;
11691     WC_RNG* rng;
11692     int ret;
11693 
11694     rng = &localRng;
11695     /* Test stack based RNG. */
11696 #ifndef HAVE_FIPS
11697     ret = wc_InitRng_ex(rng, HEAP_HINT, devId);
11698 #else
11699     ret = wc_InitRng(rng);
11700 #endif
11701     if (ret != 0) return -6900;
11702 
11703     ret = _rng_test(rng, -6300);
11704 
11705     /* Make sure and free RNG */
11706     wc_FreeRng(rng);
11707 
11708     if (ret != 0) return ret;
11709 
11710 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && !defined(WOLFSSL_NO_MALLOC)
11711     {
11712         byte nonce[8] = { 0 };
11713         /* Test dynamic RNG. */
11714         rng = wc_rng_new(nonce, (word32)sizeof(nonce), HEAP_HINT);
11715         if (rng == NULL) return -6901;
11716 
11717         ret = _rng_test(rng, -6310);
11718 
11719         wc_rng_free(rng);
11720     }
11721 #endif
11722 
11723     return ret;
11724 }
11725 
11726 #if defined(HAVE_HASHDRBG) && !defined(CUSTOM_RAND_GENERATE_BLOCK)
11727 
11728 #ifdef WC_RNG_SEED_CB
seed_cb(OS_Seed * os,byte * output,word32 sz)11729 static int seed_cb(OS_Seed* os, byte* output, word32 sz)
11730 {
11731     word32 i;
11732     (void)os;
11733     /* Known answer test. Set the seed to the same value every time. */
11734     for (i = 0; i < sz; i++)
11735         output[i] = (byte)i;
11736     return 0;
11737 }
11738 
rng_seed_test(void)11739 static int rng_seed_test(void)
11740 {
11741 #ifndef HAVE_FIPS
11742     WOLFSSL_SMALL_STACK_STATIC const byte check[] =
11743     {
11744         0x83, 0x46, 0x65, 0x2f, 0x5c, 0x44, 0x16, 0x5f,
11745         0xb3, 0x89, 0x26, 0xde, 0x0b, 0x6b, 0xa2, 0x06,
11746         0x7e, 0xa7, 0x9a, 0x55, 0x22, 0x01, 0xb0, 0x22,
11747         0xf4, 0x7e, 0xa2, 0x66, 0xc4, 0x08, 0x6f, 0xba
11748     };
11749 #else
11750     /* FIPS uses a longer seed, so different check value. */
11751     WOLFSSL_SMALL_STACK_STATIC const byte check[] =
11752     {
11753         0xaf, 0x31, 0xcc, 0xef, 0xa9, 0x29, 0x4c, 0x24,
11754         0xbd, 0xa5, 0xa3, 0x52, 0x69, 0xf3, 0xb9, 0xb2,
11755         0x1e, 0xd4, 0x52, 0x3b, 0x9a, 0x96, 0x06, 0x20,
11756         0xc0, 0x5f, 0x44, 0x06, 0x1f, 0x80, 0xdf, 0xe0
11757     };
11758 #endif
11759     byte output[WC_SHA256_DIGEST_SIZE];
11760     WC_RNG rng;
11761     int ret;
11762 
11763     ret = wc_SetSeed_Cb(seed_cb);
11764     if (ret != 0) {
11765         ret = -7007;
11766         goto exit;
11767     }
11768     ret = wc_InitRng(&rng);
11769     if (ret != 0) {
11770         ret = -7008;
11771         goto exit;
11772     }
11773     ret = wc_RNG_GenerateBlock(&rng, output, sizeof(output));
11774     if (ret != 0) {
11775         ret = -7009;
11776         goto exit;
11777     }
11778     ret = XMEMCMP(output, check, sizeof(output));
11779     if (ret != 0) {
11780         ret = -7010;
11781         goto exit;
11782     }
11783     ret = wc_FreeRng(&rng);
11784     if (ret != 0) {
11785         ret = -7011;
11786         goto exit;
11787     }
11788     ret = wc_SetSeed_Cb(wc_GenerateSeed);
11789     if (ret != 0) {
11790         ret = -7012;
11791     }
11792 
11793 exit:
11794     return ret;
11795 }
11796 #endif
11797 
11798 
random_test(void)11799 WOLFSSL_TEST_SUBROUTINE int random_test(void)
11800 {
11801     WOLFSSL_SMALL_STACK_STATIC const byte test1Entropy[] =
11802     {
11803         0xa6, 0x5a, 0xd0, 0xf3, 0x45, 0xdb, 0x4e, 0x0e, 0xff, 0xe8, 0x75, 0xc3,
11804         0xa2, 0xe7, 0x1f, 0x42, 0xc7, 0x12, 0x9d, 0x62, 0x0f, 0xf5, 0xc1, 0x19,
11805         0xa9, 0xef, 0x55, 0xf0, 0x51, 0x85, 0xe0, 0xfb, 0x85, 0x81, 0xf9, 0x31,
11806         0x75, 0x17, 0x27, 0x6e, 0x06, 0xe9, 0x60, 0x7d, 0xdb, 0xcb, 0xcc, 0x2e
11807     };
11808     WOLFSSL_SMALL_STACK_STATIC const byte test1Output[] =
11809     {
11810         0xd3, 0xe1, 0x60, 0xc3, 0x5b, 0x99, 0xf3, 0x40, 0xb2, 0x62, 0x82, 0x64,
11811         0xd1, 0x75, 0x10, 0x60, 0xe0, 0x04, 0x5d, 0xa3, 0x83, 0xff, 0x57, 0xa5,
11812         0x7d, 0x73, 0xa6, 0x73, 0xd2, 0xb8, 0xd8, 0x0d, 0xaa, 0xf6, 0xa6, 0xc3,
11813         0x5a, 0x91, 0xbb, 0x45, 0x79, 0xd7, 0x3f, 0xd0, 0xc8, 0xfe, 0xd1, 0x11,
11814         0xb0, 0x39, 0x13, 0x06, 0x82, 0x8a, 0xdf, 0xed, 0x52, 0x8f, 0x01, 0x81,
11815         0x21, 0xb3, 0xfe, 0xbd, 0xc3, 0x43, 0xe7, 0x97, 0xb8, 0x7d, 0xbb, 0x63,
11816         0xdb, 0x13, 0x33, 0xde, 0xd9, 0xd1, 0xec, 0xe1, 0x77, 0xcf, 0xa6, 0xb7,
11817         0x1f, 0xe8, 0xab, 0x1d, 0xa4, 0x66, 0x24, 0xed, 0x64, 0x15, 0xe5, 0x1c,
11818         0xcd, 0xe2, 0xc7, 0xca, 0x86, 0xe2, 0x83, 0x99, 0x0e, 0xea, 0xeb, 0x91,
11819         0x12, 0x04, 0x15, 0x52, 0x8b, 0x22, 0x95, 0x91, 0x02, 0x81, 0xb0, 0x2d,
11820         0xd4, 0x31, 0xf4, 0xc9, 0xf7, 0x04, 0x27, 0xdf
11821     };
11822     WOLFSSL_SMALL_STACK_STATIC const byte test2EntropyA[] =
11823     {
11824         0x63, 0x36, 0x33, 0x77, 0xe4, 0x1e, 0x86, 0x46, 0x8d, 0xeb, 0x0a, 0xb4,
11825         0xa8, 0xed, 0x68, 0x3f, 0x6a, 0x13, 0x4e, 0x47, 0xe0, 0x14, 0xc7, 0x00,
11826         0x45, 0x4e, 0x81, 0xe9, 0x53, 0x58, 0xa5, 0x69, 0x80, 0x8a, 0xa3, 0x8f,
11827         0x2a, 0x72, 0xa6, 0x23, 0x59, 0x91, 0x5a, 0x9f, 0x8a, 0x04, 0xca, 0x68
11828     };
11829     WOLFSSL_SMALL_STACK_STATIC const byte test2EntropyB[] =
11830     {
11831         0xe6, 0x2b, 0x8a, 0x8e, 0xe8, 0xf1, 0x41, 0xb6, 0x98, 0x05, 0x66, 0xe3,
11832         0xbf, 0xe3, 0xc0, 0x49, 0x03, 0xda, 0xd4, 0xac, 0x2c, 0xdf, 0x9f, 0x22,
11833         0x80, 0x01, 0x0a, 0x67, 0x39, 0xbc, 0x83, 0xd3
11834     };
11835     WOLFSSL_SMALL_STACK_STATIC const byte test2Output[] =
11836     {
11837         0x04, 0xee, 0xc6, 0x3b, 0xb2, 0x31, 0xdf, 0x2c, 0x63, 0x0a, 0x1a, 0xfb,
11838         0xe7, 0x24, 0x94, 0x9d, 0x00, 0x5a, 0x58, 0x78, 0x51, 0xe1, 0xaa, 0x79,
11839         0x5e, 0x47, 0x73, 0x47, 0xc8, 0xb0, 0x56, 0x62, 0x1c, 0x18, 0xbd, 0xdc,
11840         0xdd, 0x8d, 0x99, 0xfc, 0x5f, 0xc2, 0xb9, 0x20, 0x53, 0xd8, 0xcf, 0xac,
11841         0xfb, 0x0b, 0xb8, 0x83, 0x12, 0x05, 0xfa, 0xd1, 0xdd, 0xd6, 0xc0, 0x71,
11842         0x31, 0x8a, 0x60, 0x18, 0xf0, 0x3b, 0x73, 0xf5, 0xed, 0xe4, 0xd4, 0xd0,
11843         0x71, 0xf9, 0xde, 0x03, 0xfd, 0x7a, 0xea, 0x10, 0x5d, 0x92, 0x99, 0xb8,
11844         0xaf, 0x99, 0xaa, 0x07, 0x5b, 0xdb, 0x4d, 0xb9, 0xaa, 0x28, 0xc1, 0x8d,
11845         0x17, 0x4b, 0x56, 0xee, 0x2a, 0x01, 0x4d, 0x09, 0x88, 0x96, 0xff, 0x22,
11846         0x82, 0xc9, 0x55, 0xa8, 0x19, 0x69, 0xe0, 0x69, 0xfa, 0x8c, 0xe0, 0x07,
11847         0xa1, 0x80, 0x18, 0x3a, 0x07, 0xdf, 0xae, 0x17
11848     };
11849 
11850     byte output[WC_SHA256_DIGEST_SIZE * 4];
11851     int ret;
11852 
11853     ret = wc_RNG_HealthTest(0, test1Entropy, sizeof(test1Entropy), NULL, 0,
11854                             output, sizeof(output));
11855     if (ret != 0)
11856         return -7000;
11857 
11858     if (XMEMCMP(test1Output, output, sizeof(output)) != 0)
11859         return -7001;
11860 
11861     ret = wc_RNG_HealthTest(1, test2EntropyA, sizeof(test2EntropyA),
11862                             test2EntropyB, sizeof(test2EntropyB),
11863                             output, sizeof(output));
11864     if (ret != 0)
11865         return -7002;
11866 
11867     if (XMEMCMP(test2Output, output, sizeof(output)) != 0)
11868         return -7003;
11869 
11870     /* Basic RNG generate block test */
11871     if ((ret = random_rng_test()) != 0)
11872         return ret;
11873 
11874     /* Test the seed check function. */
11875 #if !(defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) || \
11876     (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
11877     {
11878         word32 i, outputSz;
11879 
11880         /* Repeat the same byte over and over. Should fail. */
11881         outputSz = sizeof(output);
11882         XMEMSET(output, 1, outputSz);
11883         ret = wc_RNG_TestSeed(output, outputSz);
11884         if (ret == 0)
11885             return -7004;
11886 
11887         /* Every byte of the entropy scratch is different,
11888          * entropy is a single byte that shouldn't match. */
11889         outputSz = (sizeof(word32) * 2) + 1;
11890         for (i = 0; i < outputSz; i++)
11891             output[i] = (byte)i;
11892         ret = wc_RNG_TestSeed(output, outputSz);
11893         if (ret != 0)
11894             return -7005;
11895 
11896         outputSz = sizeof(output);
11897         for (i = 0; i < outputSz; i++)
11898             output[i] = (byte)i;
11899         ret = wc_RNG_TestSeed(output, outputSz);
11900         if (ret != 0)
11901             return -7006;
11902     }
11903 #endif
11904 
11905     /* Test the seed callback. */
11906 #ifdef WC_RNG_SEED_CB
11907     if ((ret = rng_seed_test()) != 0)
11908         return ret;
11909 #endif
11910 
11911     return 0;
11912 }
11913 
11914 #else
11915 
random_test(void)11916 WOLFSSL_TEST_SUBROUTINE int random_test(void)
11917 {
11918     /* Basic RNG generate block test */
11919     return random_rng_test();
11920 }
11921 
11922 #endif /* HAVE_HASHDRBG && !CUSTOM_RAND_GENERATE_BLOCK */
11923 #endif /* WC_NO_RNG */
11924 
11925 #ifndef MEM_TEST_SZ
11926     #define MEM_TEST_SZ 1024
11927 #endif
11928 
11929 #if defined(WOLFSSL_STATIC_MEMORY) || !defined(WOLFSSL_NO_MALLOC)
simple_mem_test(int sz)11930 static int simple_mem_test(int sz)
11931 {
11932     int ret = 0;
11933     byte* b;
11934     int i;
11935 
11936     b = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11937     if (b == NULL) {
11938         return -7110;
11939     }
11940     /* utilize memory */
11941     for (i = 0; i < sz; i++) {
11942         b[i] = (byte)i;
11943     }
11944     /* read back and verify */
11945     for (i = 0; i < sz; i++) {
11946         if (b[i] != (byte)i) {
11947             ret = -7111;
11948             break;
11949         }
11950     }
11951     XFREE(b, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
11952     return ret;
11953 }
11954 #endif
11955 
memory_test(void)11956 WOLFSSL_TEST_SUBROUTINE int memory_test(void)
11957 {
11958     int ret = 0;
11959 #if !defined(USE_FAST_MATH) && !defined(WOLFSSL_NO_MALLOC)
11960     byte* b = NULL;
11961 #endif
11962 #if defined(COMPLEX_MEM_TEST) || defined(WOLFSSL_STATIC_MEMORY)
11963     int i;
11964 #endif
11965 #ifdef WOLFSSL_STATIC_MEMORY
11966     word32 size[] = { WOLFMEM_BUCKETS };
11967     word32 dist[] = { WOLFMEM_DIST };
11968     byte buffer[30000]; /* make large enough to involve many bucket sizes */
11969     int pad = -(int)((wc_ptr_t)buffer) & (WOLFSSL_STATIC_ALIGN - 1);
11970               /* pad to account for if head of buffer is not at set memory
11971                * alignment when tests are ran */
11972 #endif
11973 
11974 #ifdef WOLFSSL_STATIC_MEMORY
11975     /* check macro settings */
11976     if (sizeof(size)/sizeof(word32) != WOLFMEM_MAX_BUCKETS) {
11977         return -7200;
11978     }
11979 
11980     if (sizeof(dist)/sizeof(word32) != WOLFMEM_MAX_BUCKETS) {
11981         return -7201;
11982     }
11983 
11984     for (i = 0; i < WOLFMEM_MAX_BUCKETS; i++) {
11985         if ((size[i] % WOLFSSL_STATIC_ALIGN) != 0) {
11986             /* each element in array should be divisible by alignment size */
11987             return -7202;
11988         }
11989     }
11990 
11991     for (i = 1; i < WOLFMEM_MAX_BUCKETS; i++) {
11992         if (size[i - 1] >= size[i]) {
11993             return -7203; /* sizes should be in increasing order  */
11994         }
11995     }
11996 
11997     /* check that padding size returned is possible */
11998     if (wolfSSL_MemoryPaddingSz() < WOLFSSL_STATIC_ALIGN) {
11999         return -7204; /* no room for wc_Memory struct */
12000     }
12001 
12002     if (wolfSSL_MemoryPaddingSz() < 0) {
12003         return -7205;
12004     }
12005 
12006     if (wolfSSL_MemoryPaddingSz() % WOLFSSL_STATIC_ALIGN != 0) {
12007         return -7206; /* not aligned! */
12008     }
12009 
12010     /* check function to return optimum buffer size (rounded down) */
12011     ret = wolfSSL_StaticBufferSz(buffer, sizeof(buffer), WOLFMEM_GENERAL);
12012     if ((ret - pad) % WOLFSSL_STATIC_ALIGN != 0) {
12013         return -7207; /* not aligned! */
12014     }
12015 
12016     if (ret < 0) {
12017         return -7208;
12018     }
12019 
12020     if ((unsigned int)ret > sizeof(buffer)) {
12021         return -7209; /* did not round down as expected */
12022     }
12023 
12024     if (ret != wolfSSL_StaticBufferSz(buffer, ret, WOLFMEM_GENERAL)) {
12025         return -7210; /* return value changed when using suggested value */
12026     }
12027 
12028     ret = wolfSSL_MemoryPaddingSz();
12029     ret += pad; /* add space that is going to be needed if buffer not aligned */
12030     if (wolfSSL_StaticBufferSz(buffer, size[0] + ret + 1, WOLFMEM_GENERAL) !=
12031             (ret + (int)size[0])) {
12032         return -7211; /* did not round down to nearest bucket value */
12033     }
12034 
12035     ret = wolfSSL_StaticBufferSz(buffer, sizeof(buffer), WOLFMEM_IO_POOL);
12036     if ((ret - pad) < 0) {
12037         return -7212;
12038     }
12039 
12040     if (((ret - pad) % (WOLFMEM_IO_SZ + wolfSSL_MemoryPaddingSz())) != 0) {
12041         return -7213; /* not even chunks of memory for IO size */
12042     }
12043 
12044     if (((ret - pad) % WOLFSSL_STATIC_ALIGN) != 0) {
12045         return -7214; /* memory not aligned */
12046     }
12047 
12048     /* check for passing bad or unknown arguments to functions */
12049     if (wolfSSL_StaticBufferSz(NULL, 1, WOLFMEM_GENERAL) > 0) {
12050         return -7215;
12051     }
12052 
12053     if (wolfSSL_StaticBufferSz(buffer, 1, WOLFMEM_GENERAL) != 0) {
12054         return -7216; /* should round to 0 since struct + bucket will not fit */
12055     }
12056 
12057     (void)dist; /* avoid static analysis warning of variable not used */
12058 #endif
12059 
12060 #if defined(WOLFSSL_STATIC_MEMORY) || !defined(WOLFSSL_NO_MALLOC)
12061     /* simple test */
12062     ret = simple_mem_test(MEM_TEST_SZ);
12063     if (ret != 0)
12064         return ret;
12065 #endif
12066 
12067 #ifdef COMPLEX_MEM_TEST
12068     /* test various size blocks */
12069     for (i = 1; i < MEM_TEST_SZ; i*=2) {
12070         ret = simple_mem_test(i);
12071         if (ret != 0)
12072             return ret;
12073     }
12074 #endif
12075 
12076 #if !defined(USE_FAST_MATH) && !defined(WOLFSSL_NO_MALLOC)
12077     /* realloc test */
12078     b = (byte*)XMALLOC(MEM_TEST_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12079     if (b) {
12080         b = (byte*)XREALLOC(b, MEM_TEST_SZ+sizeof(word32), HEAP_HINT,
12081             DYNAMIC_TYPE_TMP_BUFFER);
12082     }
12083     if (b == NULL) {
12084         return -7217;
12085     }
12086     XFREE(b, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12087 #endif
12088 
12089     return ret;
12090 }
12091 
12092 #ifndef NO_FILESYSTEM
12093 
12094 /* Cert Paths */
12095 #ifdef FREESCALE_MQX
12096     #define CERT_PREFIX "a:\\"
12097     #define CERT_PATH_SEP "\\"
12098 #elif defined(WOLFSSL_uTKERNEL2)
12099     #define CERT_PREFIX "/uda/"
12100     #define CERT_PATH_SEP "/"
12101 #elif defined(_WIN32_WCE)
12102     #define CERT_PREFIX "\\windows\\"
12103     #define CERT_PATH_SEP "\\"
12104 #endif
12105 
12106 #ifndef CERT_PREFIX
12107     #define CERT_PREFIX "./"
12108 #endif
12109 #ifndef CERT_PATH_SEP
12110     #define CERT_PATH_SEP "/"
12111 #endif
12112 #ifndef CERT_WRITE_TEMP_DIR
12113     #define CERT_WRITE_TEMP_DIR CERT_PREFIX
12114 #endif
12115 
12116 #define CERT_ROOT CERT_PREFIX "certs" CERT_PATH_SEP
12117 
12118 /* Generated Test Certs */
12119 #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
12120     !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
12121     #if !defined(NO_RSA) && !defined(NO_ASN)
12122         static const char* clientKey  = CERT_ROOT "client-key.der";
12123         static const char* clientCert = CERT_ROOT "client-cert.der";
12124         #ifdef WOLFSSL_CERT_EXT
12125             static const char* clientKeyPub  = CERT_ROOT "client-keyPub.der";
12126         #endif
12127     #endif /* !NO_RSA && !NO_ASN */
12128 #endif
12129 #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
12130     #if !defined(NO_RSA) && !defined(NO_ASN)
12131         #if defined(WOLFSSL_CERT_GEN) || defined(HAVE_PKCS7)
12132             static const char* rsaCaKeyFile  = CERT_ROOT "ca-key.der";
12133             #ifdef WOLFSSL_CERT_GEN
12134             static const char* rsaCaCertFile = CERT_ROOT "ca-cert.pem";
12135             #endif
12136             #if defined(WOLFSSL_ALT_NAMES) || defined(HAVE_PKCS7)
12137             static const char* rsaCaCertDerFile = CERT_ROOT "ca-cert.der";
12138             #endif
12139             #ifdef HAVE_PKCS7
12140                 static const char* rsaServerCertDerFile =
12141                                                CERT_ROOT "server-cert.der";
12142                 static const char* rsaServerKeyDerFile =
12143                                                CERT_ROOT "server-key.der";
12144             #endif
12145         #endif
12146     #endif /* !NO_RSA && !NO_ASN */
12147 #endif /* !USE_CERT_BUFFER_* */
12148 #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
12149     !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
12150     #if !defined(NO_ASN) && !defined(NO_DH)
12151         static const char* dhParamsFile = CERT_ROOT "dh2048.der";
12152     #endif
12153 #endif
12154 #if !defined(NO_ASN) && !defined(NO_DH)
12155     #if defined(WOLFSSL_DH_EXTRA) && (!defined(HAVE_FIPS) ||                \
12156         (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)))
12157         static const char* dhKeyFile = CERT_ROOT "statickeys/dh-ffdhe2048.der";
12158         static const char* dhKeyPubFile = CERT_ROOT "statickeys/dh-ffdhe2048-pub.der";
12159     #endif
12160 #endif
12161 #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
12162     #ifndef NO_DSA
12163         static const char* dsaKey = CERT_ROOT "dsa2048.der";
12164     #endif
12165 #endif /* !USE_CERT_BUFFER_* */
12166 #if !defined(USE_CERT_BUFFERS_256) && !defined(NO_ECC256)
12167     #ifdef HAVE_ECC
12168         /* cert files to be used in rsa cert gen test, check if RSA enabled */
12169         #ifdef HAVE_ECC_KEY_IMPORT
12170             static const char* eccKeyDerFile = CERT_ROOT "ecc-key.der";
12171         #endif
12172 #endif
12173 #if !defined(USE_CERT_BUFFERS_256) && !defined(NO_ASN)
12174         #if defined(HAVE_ECC) && defined(WOLFSSL_CERT_GEN)
12175             #ifndef NO_RSA
12176                 static const char* eccKeyPubFileDer = CERT_ROOT "ecc-keyPub.der";
12177             #endif
12178             static const char* eccCaKeyFile  = CERT_ROOT "ca-ecc-key.der";
12179             static const char* eccCaCertFile = CERT_ROOT "ca-ecc-cert.pem";
12180             #ifdef ENABLE_ECC384_CERT_GEN_TEST
12181                 static const char* eccCaKey384File =
12182                                                CERT_ROOT "ca-ecc384-key.der";
12183                 static const char* eccCaCert384File =
12184                                                CERT_ROOT "ca-ecc384-cert.pem";
12185             #endif
12186         #endif
12187         #if defined(HAVE_PKCS7) && defined(HAVE_ECC)
12188             static const char* eccClientKey  = CERT_ROOT "ecc-client-key.der";
12189             static const char* eccClientCert = CERT_ROOT "client-ecc-cert.der";
12190         #endif
12191     #endif /* HAVE_ECC */
12192     #ifdef HAVE_ED25519
12193         #ifdef WOLFSSL_TEST_CERT
12194             static const char* serverEd25519Cert =
12195                                          CERT_ROOT "ed25519/server-ed25519.der";
12196             static const char* caEd25519Cert     =
12197                                              CERT_ROOT "ed25519/ca-ed25519.der";
12198         #endif
12199     #endif
12200     #ifdef HAVE_ED448
12201         #ifdef WOLFSSL_TEST_CERT
12202             static const char* serverEd448Cert =
12203                                              CERT_ROOT "ed448/server-ed448.der";
12204             static const char* caEd448Cert     = CERT_ROOT "ed448/ca-ed448.der";
12205         #endif
12206     #endif
12207 #endif /* !USE_CERT_BUFFER_* */
12208 
12209 #ifndef NO_WRITE_TEMP_FILES
12210 #ifdef HAVE_ECC
12211     #ifdef WOLFSSL_CERT_GEN
12212          static const char* certEccPemFile =   CERT_WRITE_TEMP_DIR "certecc.pem";
12213     #endif
12214     #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
12215         static const char* certEccRsaPemFile = CERT_WRITE_TEMP_DIR "certeccrsa.pem";
12216         static const char* certEccRsaDerFile = CERT_WRITE_TEMP_DIR "certeccrsa.der";
12217     #endif
12218     #if defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG)
12219         static const char* eccCaKeyPemFile  = CERT_WRITE_TEMP_DIR "ecc-key.pem";
12220         static const char* eccPubKeyDerFile = CERT_WRITE_TEMP_DIR "ecc-public-key.der";
12221         static const char* eccCaKeyTempFile = CERT_WRITE_TEMP_DIR "ecc-key.der";
12222     #if defined(HAVE_PKCS8) && !defined(WC_NO_RNG)
12223         static const char* eccPkcs8KeyDerFile = CERT_WRITE_TEMP_DIR "ecc-key-pkcs8.der";
12224     #endif
12225     #endif /* HAVE_ECC_KEY_EXPORT */
12226     #if defined(WOLFSSL_CERT_GEN) || \
12227             (defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT))
12228         static const char* certEccDerFile = CERT_WRITE_TEMP_DIR "certecc.der";
12229     #endif
12230 #endif /* HAVE_ECC */
12231 
12232 #ifndef NO_RSA
12233     #if defined(WOLFSSL_CERT_GEN) || \
12234         (defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT))
12235         static const char* otherCertDerFile = CERT_WRITE_TEMP_DIR "othercert.der";
12236         static const char* certDerFile = CERT_WRITE_TEMP_DIR "cert.der";
12237     #endif
12238     #ifdef WOLFSSL_CERT_GEN
12239         static const char* otherCertPemFile = CERT_WRITE_TEMP_DIR "othercert.pem";
12240         static const char* certPemFile = CERT_WRITE_TEMP_DIR "cert.pem";
12241         #ifdef WOLFSSL_CERT_REQ
12242             static const char* certReqDerFile = CERT_WRITE_TEMP_DIR "certreq.der";
12243             static const char* certReqPemFile = CERT_WRITE_TEMP_DIR "certreq.pem";
12244         #endif
12245     #endif
12246 #endif /* !NO_RSA */
12247 
12248 #if !defined(NO_RSA) || !defined(NO_DSA)
12249     #ifdef WOLFSSL_KEY_GEN
12250         static const char* keyDerFile = CERT_WRITE_TEMP_DIR "key.der";
12251         static const char* keyPemFile = CERT_WRITE_TEMP_DIR "key.pem";
12252     #endif
12253 #endif
12254 
12255 #endif /* !NO_WRITE_TEMP_FILES */
12256 #endif /* !NO_FILESYSTEM */
12257 
12258 
12259 #if defined(WOLFSSL_CERT_GEN) && (!defined(NO_RSA) || defined(HAVE_ECC)) || \
12260   (defined(WOLFSSL_TEST_CERT) && (defined(HAVE_ED25519) || defined(HAVE_ED448)))
12261 static CertName certDefaultName;
initDefaultName(void)12262 static void initDefaultName(void)
12263 {
12264 #if defined(WOLFSSL_MULTI_ATTRIB) && defined(WOLFSSL_TEST_CERT)
12265     NameAttrib* n;
12266 #endif
12267 
12268     XMEMCPY(certDefaultName.country, "US", sizeof("US"));
12269     certDefaultName.countryEnc = CTC_PRINTABLE;
12270     XMEMCPY(certDefaultName.state, "Oregon", sizeof("Oregon"));
12271     certDefaultName.stateEnc = CTC_UTF8;
12272     XMEMCPY(certDefaultName.street, "Main St", sizeof("Main St"));
12273     certDefaultName.streetEnc = CTC_UTF8;
12274     XMEMCPY(certDefaultName.locality, "Portland", sizeof("Portland"));
12275     certDefaultName.localityEnc = CTC_UTF8;
12276     XMEMCPY(certDefaultName.sur, "Test", sizeof("Test"));
12277     certDefaultName.surEnc = CTC_UTF8;
12278     XMEMCPY(certDefaultName.org, "wolfSSL", sizeof("wolfSSL"));
12279     certDefaultName.orgEnc = CTC_UTF8;
12280     XMEMCPY(certDefaultName.unit, "Development", sizeof("Development"));
12281     certDefaultName.unitEnc = CTC_UTF8;
12282     XMEMCPY(certDefaultName.commonName, "www.wolfssl.com", sizeof("www.wolfssl.com"));
12283     certDefaultName.commonNameEnc = CTC_UTF8;
12284     XMEMCPY(certDefaultName.serialDev, "wolfSSL12345", sizeof("wolfSSL12345"));
12285     certDefaultName.serialDevEnc = CTC_PRINTABLE;
12286     XMEMCPY(certDefaultName.postalCode, "12-456", sizeof("12-456"));
12287     certDefaultName.postalCodeEnc = CTC_PRINTABLE;
12288 #ifdef WOLFSSL_CERT_EXT
12289     XMEMCPY(certDefaultName.busCat, "Private Organization", sizeof("Private Organization"));
12290     certDefaultName.busCatEnc = CTC_UTF8;
12291     XMEMCPY(certDefaultName.joiSt, "US", sizeof("US"));
12292     certDefaultName.joiStEnc = CTC_PRINTABLE;
12293     XMEMCPY(certDefaultName.joiC, "Oregon", sizeof("Oregon"));
12294     certDefaultName.joiCEnc = CTC_PRINTABLE;
12295 #endif
12296     XMEMCPY(certDefaultName.email, "info@wolfssl.com", sizeof("info@wolfssl.com"));
12297 
12298 #if defined(WOLFSSL_MULTI_ATTRIB) && defined(WOLFSSL_TEST_CERT)
12299     /* test having additional OUs and setting DC */
12300     n = &certDefaultName.name[0];
12301     n->id   = ASN_ORGUNIT_NAME;
12302     n->type = CTC_UTF8;
12303     n->sz   = sizeof("Development-2");
12304     XMEMCPY(n->value, "Development-2", sizeof("Development-2"));
12305 
12306     #if CTC_MAX_ATTRIB > 3
12307     n = &certDefaultName.name[1];
12308     n->id   = ASN_DOMAIN_COMPONENT;
12309     n->type = CTC_UTF8;
12310     n->sz   = sizeof("com");
12311     XMEMCPY(n->value, "com", sizeof("com"));
12312 
12313     n = &certDefaultName.name[2];
12314     n->id   = ASN_DOMAIN_COMPONENT;
12315     n->type = CTC_UTF8;
12316     n->sz   = sizeof("wolfssl");
12317     XMEMCPY(n->value, "wolfssl", sizeof("wolfssl"));
12318     #endif
12319 #endif /* WOLFSSL_MULTI_ATTRIB && WOLFSSL_TEST_CERT */
12320 
12321 #ifdef WOLFSSL_CUSTOM_OID
12322     /* TODO: Add test case for custom OID's */
12323 #endif
12324 }
12325 
12326 #ifdef WOLFSSL_CERT_EXT
12327     #if ((defined(HAVE_ED25519) || defined(HAVE_ED448)) && \
12328                                 defined(WOLFSSL_TEST_CERT)) || defined(HAVE_ECC)
12329     WOLFSSL_SMALL_STACK_STATIC const char certKeyUsage[] =
12330         "digitalSignature,nonRepudiation";
12331     #endif
12332     #if defined(WOLFSSL_CERT_REQ) && !defined(NO_RSA)
12333         WOLFSSL_SMALL_STACK_STATIC const char certKeyUsage2[] =
12334         "digitalSignature,nonRepudiation,keyEncipherment,keyAgreement";
12335     #endif
12336 #endif /* WOLFSSL_CERT_EXT */
12337 #endif /* WOLFSSL_CERT_GEN */
12338 
12339 #ifndef NO_RSA
12340 
12341 #if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) && \
12342     !defined(NO_FILESYSTEM)
12343 static byte minSerial[] = { 0x02, 0x01, 0x01 };
12344 static byte minName[] = { 0x30, 0x00 };
12345 static byte nameBad[] = {
12346     0x30, 0x08,
12347           0x31, 0x06,
12348                 0x30, 0x04,
12349                       0x06, 0x02,
12350                             0x55, 0x04,
12351 };
12352 static byte minDates[] = {
12353     0x30, 0x1e,
12354           0x17, 0x0d,
12355                 0x31, 0x38, 0x30, 0x34, 0x31, 0x33, 0x31, 0x35,
12356                 0x32, 0x33, 0x31, 0x30, 0x5a,
12357           0x17, 0x0d,
12358                 0x32, 0x31, 0x30, 0x31, 0x30, 0x37, 0x31, 0x35,
12359                 0x32, 0x33, 0x31, 0x30, 0x5a
12360 };
12361 static byte minPubKey[] = {
12362     0x30, 0x1c,
12363           0x30, 0x0d,
12364                 0x06, 0x09,
12365                       0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
12366                       0x01,
12367                 0x05, 0x00,
12368           0x03, 0x0b,
12369                 0x00, 0x30, 0x08,
12370                             0x02, 0x01,
12371                                   0x03,
12372                             0x02, 0x03,
12373                                   0x01, 0x00, 0x01
12374 };
12375 static byte minSigAlg[] = {
12376     0x30, 0x0d,
12377           0x06, 0x09,
12378                 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
12379                 0x0b,
12380           0x05, 0x00
12381 };
12382 static byte minSig[] = {
12383     0x03, 0x01,
12384           0x00
12385 };
12386 
add_seq(byte * certData,int offset,byte * data,byte length)12387 static int add_seq(byte* certData, int offset, byte* data, byte length)
12388 {
12389     XMEMMOVE(certData + offset + 2, data, length);
12390     certData[offset++] = 0x30;
12391     certData[offset++] = length;
12392     return offset + length;
12393 }
add_data(byte * certData,int offset,byte * data,byte length)12394 static int add_data(byte* certData, int offset, byte* data, byte length)
12395 {
12396     XMEMCPY(certData + offset, data, length);
12397     return offset + length;
12398 }
12399 
cert_asn1_test(void)12400 static int cert_asn1_test(void)
12401 {
12402     int ret;
12403     int len[3];
12404     DecodedCert cert;
12405     byte certData[106];
12406     byte* badCert = NULL;
12407 
12408     len[2] = add_data(certData, 0, minSerial, (byte)sizeof(minSerial));
12409     len[2] = add_data(certData, len[2], minSigAlg, (byte)sizeof(minSigAlg));
12410     len[2] = add_data(certData, len[2], minName, (byte)sizeof(minName));
12411     len[2] = add_data(certData, len[2], minDates, (byte)sizeof(minDates));
12412     len[2] = add_data(certData, len[2], minName, (byte)sizeof(minName));
12413     len[2] = add_data(certData, len[2], minPubKey, (byte)sizeof(minPubKey));
12414     len[1] = add_seq(certData, 0, certData, len[2]);
12415     len[1] = add_data(certData, len[1], minSigAlg, (byte)sizeof(minSigAlg));
12416     len[1] = add_data(certData, len[1], minSig, (byte)sizeof(minSig));
12417     len[0] = add_seq(certData, 0, certData, len[1]);
12418 
12419     /* Minimal good certificate */
12420     InitDecodedCert(&cert, certData, len[0], 0);
12421     ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
12422     FreeDecodedCert(&cert);
12423     if (ret != 0) {
12424         ERROR_OUT(-7300, done);
12425     }
12426 
12427     /* Bad issuer name */
12428     len[2] = add_data(certData, 0, minSerial, (byte)sizeof(minSerial));
12429     len[2] = add_data(certData, len[2], minSigAlg, (byte)sizeof(minSigAlg));
12430     len[2] = add_data(certData, len[2], nameBad, (byte)sizeof(nameBad));
12431     len[1] = add_seq(certData, 0, certData, len[2]);
12432     len[0] = add_seq(certData, 0, certData, len[1]);
12433     /* Put data into allocated buffer to allow access error checking. */
12434     badCert = (byte*)XMALLOC(len[0], HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12435     XMEMCPY(badCert, certData, len[0]);
12436     InitDecodedCert(&cert, badCert, len[0], 0);
12437     ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
12438     FreeDecodedCert(&cert);
12439     if (ret != ASN_PARSE_E) {
12440         ERROR_OUT(-7301, done);
12441     }
12442     XFREE(badCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12443     badCert = NULL;
12444     ret = 0;
12445 
12446 done:
12447     if (badCert != NULL)
12448         XFREE(badCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12449     return ret;
12450 }
12451 
cert_test(void)12452 WOLFSSL_TEST_SUBROUTINE int cert_test(void)
12453 {
12454 #if !defined(NO_FILESYSTEM)
12455     DecodedCert cert;
12456     byte*       tmp;
12457     size_t      bytes;
12458     XFILE       file;
12459     int         ret;
12460 
12461     tmp = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12462     if (tmp == NULL)
12463         return -7400;
12464 
12465     /* Certificate with Name Constraints extension. */
12466 #ifdef FREESCALE_MQX
12467     file = XFOPEN(".\\certs\\test\\cert-ext-nc.der", "rb");
12468 #else
12469     file = XFOPEN("./certs/test/cert-ext-nc.der", "rb");
12470 #endif
12471     if (!file) {
12472         ERROR_OUT(-7401, done);
12473     }
12474     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
12475     XFCLOSE(file);
12476     InitDecodedCert(&cert, tmp, (word32)bytes, 0);
12477     ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
12478     if (ret != 0) {
12479         ERROR_OUT(-7402, done);
12480     }
12481     FreeDecodedCert(&cert);
12482 
12483     /* Certificate with Inhibit Any Policy extension. */
12484 #ifdef FREESCALE_MQX
12485     file = XFOPEN(".\\certs\\test\\cert-ext-ia.der", "rb");
12486 #else
12487     file = XFOPEN("./certs/test/cert-ext-ia.der", "rb");
12488 #endif
12489     if (!file) {
12490         ERROR_OUT(-7403, done);
12491     }
12492     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
12493     XFCLOSE(file);
12494     InitDecodedCert(&cert, tmp, (word32)bytes, 0);
12495     ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
12496     if (ret != 0) {
12497         ERROR_OUT(-7404, done);
12498     }
12499     FreeDecodedCert(&cert);
12500 
12501     /* Certificate with Netscape Certificate Type extension. */
12502 #ifdef FREESCALE_MQX
12503     file = XFOPEN(".\\certs\\test\\cert-ext-nct.der", "rb");
12504 #else
12505     file = XFOPEN("./certs/test/cert-ext-nct.der", "rb");
12506 #endif
12507     if (!file) {
12508         ERROR_OUT(-7405, done);
12509     }
12510     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
12511     XFCLOSE(file);
12512     InitDecodedCert(&cert, tmp, (word32)bytes, 0);
12513     ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
12514 #ifndef IGNORE_NETSCAPE_CERT_TYPE
12515     if (ret != 0) {
12516         ERROR_OUT(-7406, done);
12517     }
12518 #else
12519     if (ret != ASN_CRIT_EXT_E) {
12520         ERROR_OUT(-7407, done);
12521     }
12522     ret = 0;
12523 #endif
12524 
12525 done:
12526     FreeDecodedCert(&cert);
12527     XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12528 #endif /* !NO_FILESYSTEM */
12529 
12530     if (ret == 0)
12531         ret = cert_asn1_test();
12532 
12533     return ret;
12534 }
12535 #endif /* WOLFSSL_TEST_CERT */
12536 
12537 #if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) && \
12538    !defined(NO_FILESYSTEM)
certext_test(void)12539 WOLFSSL_TEST_SUBROUTINE int certext_test(void)
12540 {
12541     DecodedCert cert;
12542     byte*       tmp;
12543     size_t      bytes;
12544     XFILE       file;
12545     int         ret;
12546 
12547     /* created from rsa_test : othercert.der */
12548     byte skid_rsa[]   = "\x33\xD8\x45\x66\xD7\x68\x87\x18\x7E\x54"
12549                         "\x0D\x70\x27\x91\xC7\x26\xD7\x85\x65\xC0";
12550 
12551     /* created from rsa_test : othercert.der */
12552     byte akid_rsa[] = "\x27\x8E\x67\x11\x74\xC3\x26\x1D\x3F\xED"
12553                       "\x33\x63\xB3\xA4\xD8\x1D\x30\xE5\xE8\xD5";
12554 
12555 #ifdef HAVE_ECC
12556    /* created from ecc_test_cert_gen : certecc.der */
12557 #ifdef ENABLE_ECC384_CERT_GEN_TEST
12558     /* Authority key id from ./certs/ca-ecc384-cert.pem */
12559     byte akid_ecc[] = "\xAB\xE0\xC3\x26\x4C\x18\xD4\x72\xBB\xD2"
12560                       "\x84\x8C\x9C\x0A\x05\x92\x80\x12\x53\x52";
12561 #else
12562     /* Authority key id from ./certs/ca-ecc-cert.pem */
12563     byte akid_ecc[] = "\x56\x8E\x9A\xC3\xF0\x42\xDE\x18\xB9\x45"
12564                       "\x55\x6E\xF9\x93\xCF\xEA\xC3\xF3\xA5\x21";
12565 #endif
12566 #endif /* HAVE_ECC */
12567 
12568     /* created from rsa_test : cert.der */
12569     byte kid_ca[] = "\x33\xD8\x45\x66\xD7\x68\x87\x18\x7E\x54"
12570                     "\x0D\x70\x27\x91\xC7\x26\xD7\x85\x65\xC0";
12571 
12572     tmp = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12573     if (tmp == NULL)
12574         return -7500;
12575 
12576     /* load othercert.der (Cert signed by an authority) */
12577     file = XFOPEN(otherCertDerFile, "rb");
12578     if (!file) {
12579         XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
12580         return -7501;
12581     }
12582 
12583     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
12584     XFCLOSE(file);
12585 
12586     InitDecodedCert(&cert, tmp, (word32)bytes, 0);
12587 
12588     ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0);
12589     if (ret != 0)
12590         return -7502;
12591 
12592     /* check the SKID from a RSA certificate */
12593     if (XMEMCMP(skid_rsa, cert.extSubjKeyId, sizeof(cert.extSubjKeyId)))
12594         return -7503;
12595 
12596     /* check the AKID from an RSA certificate */
12597     if (XMEMCMP(akid_rsa, cert.extAuthKeyId, sizeof(cert.extAuthKeyId)))
12598         return -7504;
12599 
12600     /* check the Key Usage from an RSA certificate */
12601     if (!cert.extKeyUsageSet)
12602         return -7505;
12603 
12604     if (cert.extKeyUsage != (KEYUSE_KEY_ENCIPHER|KEYUSE_KEY_AGREE))
12605         return -7506;
12606 
12607     /* check the CA Basic Constraints from an RSA certificate */
12608     if (cert.isCA)
12609         return -7507;
12610 
12611 #ifndef WOLFSSL_SEP /* test only if not using SEP policies */
12612     /* check the Certificate Policies Id */
12613     if (cert.extCertPoliciesNb != 1)
12614         return -7508;
12615 
12616     if (strncmp(cert.extCertPolicies[0], "2.16.840.1.101.3.4.1.42", 23))
12617         return -7509;
12618 #endif
12619 
12620     FreeDecodedCert(&cert);
12621 
12622 #ifdef HAVE_ECC
12623     /* load certecc.der (Cert signed by our ECC CA test in ecc_test_cert_gen) */
12624     file = XFOPEN(certEccDerFile, "rb");
12625     if (!file) {
12626         XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
12627         return -7510;
12628     }
12629 
12630     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
12631     XFCLOSE(file);
12632 
12633     InitDecodedCert(&cert, tmp, (word32)bytes, 0);
12634 
12635     ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0);
12636     if (ret != 0)
12637         return -7511;
12638 
12639     /* check the SKID from a ECC certificate - generated dynamically */
12640 
12641     /* check the AKID from an ECC certificate */
12642     if (XMEMCMP(akid_ecc, cert.extAuthKeyId, sizeof(cert.extAuthKeyId)))
12643         return -7512;
12644 
12645     /* check the Key Usage from an ECC certificate */
12646     if (!cert.extKeyUsageSet)
12647         return -7513;
12648 
12649     if (cert.extKeyUsage != (KEYUSE_DIGITAL_SIG|KEYUSE_CONTENT_COMMIT))
12650         return -7514;
12651 
12652     /* check the CA Basic Constraints from an ECC certificate */
12653     if (cert.isCA)
12654         return -7515;
12655 
12656 #ifndef WOLFSSL_SEP /* test only if not using SEP policies */
12657     /* check the Certificate Policies Id */
12658     if (cert.extCertPoliciesNb != 2)
12659         return -7516;
12660 
12661     if (strncmp(cert.extCertPolicies[0], "2.4.589440.587.101.2.1.9632587.1", 32))
12662         return -7517;
12663 
12664     if (strncmp(cert.extCertPolicies[1], "1.2.13025.489.1.113549", 22))
12665         return -7518;
12666 #endif
12667 
12668     FreeDecodedCert(&cert);
12669 #endif /* HAVE_ECC */
12670 
12671     /* load cert.der (self signed certificate) */
12672     file = XFOPEN(certDerFile, "rb");
12673     if (!file) {
12674         XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
12675         return -7519;
12676     }
12677 
12678     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
12679     XFCLOSE(file);
12680 
12681     InitDecodedCert(&cert, tmp, (word32)bytes, 0);
12682 
12683     ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0);
12684     if (ret != 0)
12685         return -7520;
12686 
12687     /* check the SKID from a CA certificate */
12688     if (XMEMCMP(kid_ca, cert.extSubjKeyId, sizeof(cert.extSubjKeyId)))
12689         return -7521;
12690 
12691     /* check the AKID from an CA certificate */
12692     if (XMEMCMP(kid_ca, cert.extAuthKeyId, sizeof(cert.extAuthKeyId)))
12693         return -7522;
12694 
12695     /* check the Key Usage from CA certificate */
12696     if (!cert.extKeyUsageSet)
12697         return -7523;
12698 
12699     if (cert.extKeyUsage != (KEYUSE_KEY_CERT_SIGN|KEYUSE_CRL_SIGN))
12700         return -7524;
12701 
12702     /* check the CA Basic Constraints CA certificate */
12703     if (!cert.isCA)
12704         return -7525;
12705 
12706 #ifndef WOLFSSL_SEP /* test only if not using SEP policies */
12707     /* check the Certificate Policies Id */
12708     if (cert.extCertPoliciesNb != 2)
12709         return -7526;
12710 
12711     if (strncmp(cert.extCertPolicies[0], "2.16.840.1.101.3.4.1.42", 23))
12712         return -7527;
12713 
12714     if (strncmp(cert.extCertPolicies[1], "1.2.840.113549.1.9.16.6.5", 25))
12715         return -7528;
12716 #endif
12717 
12718     FreeDecodedCert(&cert);
12719     XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
12720 
12721     return 0;
12722 }
12723 #endif /* WOLFSSL_CERT_EXT && WOLFSSL_TEST_CERT && !NO_FILESYSTEM */
12724 
12725 #if defined(WOLFSSL_CERT_GEN_CACHE) && defined(WOLFSSL_TEST_CERT) && \
12726     defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)
decodedCertCache_test(void)12727 WOLFSSL_TEST_SUBROUTINE int decodedCertCache_test(void)
12728 {
12729     int ret = 0;
12730     Cert cert;
12731     FILE* file;
12732     byte* der;
12733     word32 derSz;
12734 
12735     derSz = FOURK_BUF;
12736     der = (byte *)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
12737     if (der == NULL)
12738         ret = -7600;
12739 
12740     if (ret == 0) {
12741         /* load cert.der */
12742         file = XFOPEN(certDerFile, "rb");
12743         if (file != NULL) {
12744             derSz = (word32)XFREAD(der, 1, FOURK_BUF, file);
12745             XFCLOSE(file);
12746         }
12747         else
12748             ret = -7601;
12749     }
12750 
12751     if (ret == 0) {
12752         if (wc_InitCert_ex(&cert, HEAP_HINT, devId)) {
12753             ret = -7602;
12754         }
12755     }
12756 
12757     if (ret == 0) {
12758         ret = wc_SetSubjectBuffer(&cert, der, derSz);
12759     }
12760 
12761     if (ret == 0) {
12762         if(wc_SetSubjectBuffer(NULL, der, derSz) != BAD_FUNC_ARG)
12763             ret = -7603;
12764     }
12765 
12766     if (ret == 0) {
12767         if (wc_SetSubjectRaw(&cert, der, derSz) != 0)
12768             ret = -7604;
12769     }
12770 
12771     if (ret == 0) {
12772         if(wc_SetSubjectRaw(NULL, der, derSz) != BAD_FUNC_ARG)
12773             ret = -7605;
12774     }
12775 
12776     if (ret == 0) {
12777         if(wc_SetIssuerBuffer(&cert, der, derSz) != 0)
12778             ret = -7606;
12779     }
12780 
12781     if (ret == 0) {
12782         if(wc_SetIssuerBuffer(NULL, der, derSz) != BAD_FUNC_ARG)
12783             ret = -7607;
12784     }
12785 
12786     if (ret == 0) {
12787         if(wc_SetIssuerRaw(&cert, der, derSz) != 0)
12788             ret = -7608;
12789     }
12790 
12791     if (ret == 0) {
12792         if(wc_SetIssuerRaw(NULL, der, derSz) != BAD_FUNC_ARG)
12793             ret = -7609;
12794     }
12795 
12796 #ifdef WOLFSSL_ALT_NAMES
12797     if (ret == 0) {
12798         if(wc_SetAltNamesBuffer(&cert, der, derSz) != 0)
12799             ret = -7610;
12800     }
12801 
12802     if (ret == 0) {
12803         if(wc_SetAltNamesBuffer(NULL, der, derSz) != BAD_FUNC_ARG)
12804             ret = -7611;
12805     }
12806 
12807     if (ret == 0) {
12808         if(wc_SetDatesBuffer(&cert, der, derSz) != 0)
12809             ret = -7612;
12810     }
12811 
12812     if (ret == 0) {
12813         if(wc_SetDatesBuffer(NULL, der, derSz) != BAD_FUNC_ARG)
12814             ret = -7613;
12815     }
12816 #endif
12817 
12818     if (ret == 0) {
12819         if(wc_SetAuthKeyIdFromCert(&cert, der, derSz) != 0)
12820             ret = -7614;
12821     }
12822 
12823     if (ret == 0) {
12824         if(wc_SetAuthKeyIdFromCert(NULL, der, derSz) != BAD_FUNC_ARG)
12825             ret = -7615;
12826     }
12827 
12828     wc_SetCert_Free(&cert);
12829     if (ret == 0) {
12830         if(cert.decodedCert != NULL)
12831             ret = -7616;
12832     }
12833 
12834     XFREE(der, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
12835 
12836     return ret;
12837 }
12838 #endif /* defined(WOLFSSL_CERT_GEN_CACHE) && defined(WOLFSSL_TEST_CERT) &&
12839           defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) */
12840 
12841 #define RSA_TEST_BYTES 512 /* up to 4096-bit key */
12842 
12843 #if !defined(NO_ASN) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
12844                                                !defined(WOLFSSL_RSA_VERIFY_ONLY)
rsa_flatten_test(RsaKey * key)12845 static int rsa_flatten_test(RsaKey* key)
12846 {
12847     int    ret;
12848     byte   e[RSA_TEST_BYTES];
12849     byte   n[RSA_TEST_BYTES];
12850     word32 eSz = sizeof(e);
12851     word32 nSz = sizeof(n);
12852 
12853     /* Parameter Validation testing. */
12854     ret = wc_RsaFlattenPublicKey(NULL, e, &eSz, n, &nSz);
12855 #ifdef HAVE_USER_RSA
12856     /* Implementation using IPP Libraries returns:
12857      *     -101 = USER_CRYPTO_ERROR
12858      */
12859     if (ret == 0)
12860 #else
12861     if (ret != BAD_FUNC_ARG)
12862 #endif
12863         return -7620;
12864     ret = wc_RsaFlattenPublicKey(key, NULL, &eSz, n, &nSz);
12865 #ifdef HAVE_USER_RSA
12866     /* Implementation using IPP Libraries returns:
12867      *     -101 = USER_CRYPTO_ERROR
12868      */
12869     if (ret == 0)
12870 #else
12871     if (ret != BAD_FUNC_ARG)
12872 #endif
12873         return -7621;
12874     ret = wc_RsaFlattenPublicKey(key, e, NULL, n, &nSz);
12875 #ifdef HAVE_USER_RSA
12876     /* Implementation using IPP Libraries returns:
12877      *     -101 = USER_CRYPTO_ERROR
12878      */
12879     if (ret == 0)
12880 #else
12881     if (ret != BAD_FUNC_ARG)
12882 #endif
12883         return -7622;
12884     ret = wc_RsaFlattenPublicKey(key, e, &eSz, NULL, &nSz);
12885 #ifdef HAVE_USER_RSA
12886     /* Implementation using IPP Libraries returns:
12887      *     -101 = USER_CRYPTO_ERROR
12888      */
12889     if (ret == 0)
12890 #else
12891     if (ret != BAD_FUNC_ARG)
12892 #endif
12893         return -7623;
12894     ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, NULL);
12895 #ifdef HAVE_USER_RSA
12896     /* Implementation using IPP Libraries returns:
12897      *     -101 = USER_CRYPTO_ERROR
12898      */
12899     if (ret == 0)
12900 #else
12901     if (ret != BAD_FUNC_ARG)
12902 #endif
12903         return -7624;
12904     ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, &nSz);
12905     if (ret != 0)
12906         return -7625;
12907     eSz = 0;
12908     ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, &nSz);
12909 #ifdef HAVE_USER_RSA
12910     /* Implementation using IPP Libraries returns:
12911      *     -101 = USER_CRYPTO_ERROR
12912      */
12913     if (ret == 0)
12914 #elif defined(HAVE_FIPS) && \
12915       (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
12916     if (ret != 0)
12917 #else
12918     if (ret != RSA_BUFFER_E)
12919 #endif
12920         return -7626;
12921     eSz = sizeof(e);
12922     nSz = 0;
12923     ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, &nSz);
12924 #ifdef HAVE_USER_RSA
12925     /* Implementation using IPP Libraries returns:
12926      *     -101 = USER_CRYPTO_ERROR
12927      */
12928     if (ret == 0)
12929 #else
12930     if (ret != RSA_BUFFER_E)
12931 #endif
12932         return -7627;
12933 
12934     return 0;
12935 }
12936 #endif /* NO_ASN */
12937 
12938 #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(NO_ASN) \
12939     && !defined(WOLFSSL_RSA_VERIFY_ONLY)
rsa_export_key_test(RsaKey * key)12940 static int rsa_export_key_test(RsaKey* key)
12941 {
12942     int ret;
12943     byte e[3];
12944     word32 eSz = sizeof(e);
12945     byte n[RSA_TEST_BYTES];
12946     word32 nSz = sizeof(n);
12947     byte d[RSA_TEST_BYTES];
12948     word32 dSz = sizeof(d);
12949     byte p[RSA_TEST_BYTES/2];
12950     word32 pSz = sizeof(p);
12951     byte q[RSA_TEST_BYTES/2];
12952     word32 qSz = sizeof(q);
12953     word32 zero = 0;
12954 
12955     ret = wc_RsaExportKey(NULL, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
12956     if (ret != BAD_FUNC_ARG)
12957         return -7630;
12958     ret = wc_RsaExportKey(key, NULL, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
12959     if (ret != BAD_FUNC_ARG)
12960         return -7631;
12961     ret = wc_RsaExportKey(key, e, NULL, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
12962     if (ret != BAD_FUNC_ARG)
12963         return -7632;
12964     ret = wc_RsaExportKey(key, e, &eSz, NULL, &nSz, d, &dSz, p, &pSz, q, &qSz);
12965     if (ret != BAD_FUNC_ARG)
12966         return -7633;
12967     ret = wc_RsaExportKey(key, e, &eSz, n, NULL, d, &dSz, p, &pSz, q, &qSz);
12968     if (ret != BAD_FUNC_ARG)
12969         return -7634;
12970     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, NULL, &dSz, p, &pSz, q, &qSz);
12971     if (ret != BAD_FUNC_ARG)
12972         return -7635;
12973     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, NULL, p, &pSz, q, &qSz);
12974     if (ret != BAD_FUNC_ARG)
12975         return -7636;
12976     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, NULL, &pSz, q, &qSz);
12977     if (ret != BAD_FUNC_ARG)
12978         return -7637;
12979     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, NULL, q, &qSz);
12980     if (ret != BAD_FUNC_ARG)
12981         return -7638;
12982     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, NULL, &qSz);
12983     if (ret != BAD_FUNC_ARG)
12984         return -7639;
12985     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, NULL);
12986     if (ret != BAD_FUNC_ARG)
12987         return -7640;
12988 
12989     ret = wc_RsaExportKey(key, e, &zero, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
12990     if (ret != RSA_BUFFER_E)
12991         return -7641;
12992     ret = wc_RsaExportKey(key, e, &eSz, n, &zero, d, &dSz, p, &pSz, q, &qSz);
12993     if (ret != RSA_BUFFER_E)
12994         return -7642;
12995 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
12996     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &zero, p, &pSz, q, &qSz);
12997     if (ret != RSA_BUFFER_E)
12998         return -7643;
12999     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &zero, q, &qSz);
13000     if (ret != RSA_BUFFER_E)
13001         return -7644;
13002     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &zero);
13003     if (ret != RSA_BUFFER_E)
13004         return -7645;
13005 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */
13006 
13007     ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
13008     if (ret != 0)
13009         return -7646;
13010 
13011     return 0;
13012 }
13013 #endif /* !HAVE_FIPS && !USER_RSA && !NO_ASN */
13014 
13015 #ifndef NO_SIG_WRAPPER
rsa_sig_test(RsaKey * key,word32 keyLen,int modLen,WC_RNG * rng)13016 static int rsa_sig_test(RsaKey* key, word32 keyLen, int modLen, WC_RNG* rng)
13017 {
13018     int ret;
13019     word32 sigSz;
13020     WOLFSSL_SMALL_STACK_STATIC const byte in[] = TEST_STRING;
13021     WOLFSSL_SMALL_STACK_STATIC const byte hash[] = {
13022         0xf2, 0x02, 0x95, 0x65, 0xcb, 0xf6, 0x2a, 0x59,
13023         0x39, 0x2c, 0x05, 0xff, 0x0e, 0x29, 0xaf, 0xfe,
13024         0x47, 0x33, 0x8c, 0x99, 0x8d, 0x58, 0x64, 0x83,
13025         0xa6, 0x58, 0x0a, 0x33, 0x0b, 0x84, 0x5f, 0x5f
13026     };
13027     WOLFSSL_SMALL_STACK_STATIC const byte hashEnc[] = {
13028         0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
13029         0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
13030         0x00, 0x04, 0x20,
13031 
13032         0xf2, 0x02, 0x95, 0x65, 0xcb, 0xf6, 0x2a, 0x59,
13033         0x39, 0x2c, 0x05, 0xff, 0x0e, 0x29, 0xaf, 0xfe,
13034         0x47, 0x33, 0x8c, 0x99, 0x8d, 0x58, 0x64, 0x83,
13035         0xa6, 0x58, 0x0a, 0x33, 0x0b, 0x84, 0x5f, 0x5f
13036     };
13037     word32 inLen = (word32)XSTRLEN((char*)in);
13038     byte   out[RSA_TEST_BYTES];
13039 
13040     /* Parameter Validation testing. */
13041     ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_NONE, key, keyLen);
13042     if (ret != BAD_FUNC_ARG)
13043         return -7650;
13044     ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_RSA, key, 0);
13045     if (ret != BAD_FUNC_ARG)
13046         return -7651;
13047 
13048     sigSz = (word32)modLen;
13049     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, NULL,
13050                                inLen, out, &sigSz, key, keyLen, rng);
13051     if (ret != BAD_FUNC_ARG)
13052         return -7652;
13053     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13054                                0, out, &sigSz, key, keyLen, rng);
13055     if (ret != BAD_FUNC_ARG)
13056         return -7653;
13057     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13058                                inLen, NULL, &sigSz, key, keyLen, rng);
13059     if (ret != BAD_FUNC_ARG)
13060         return -7654;
13061     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13062                                inLen, out, NULL, key, keyLen, rng);
13063     if (ret != BAD_FUNC_ARG)
13064         return -7655;
13065     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13066                                inLen, out, &sigSz, NULL, keyLen, rng);
13067     if (ret != BAD_FUNC_ARG)
13068         return -7656;
13069     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13070                                inLen, out, &sigSz, key, 0, rng);
13071     if (ret != BAD_FUNC_ARG)
13072         return -7657;
13073     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13074                                inLen, out, &sigSz, key, keyLen, NULL);
13075 #ifdef HAVE_USER_RSA
13076     /* Implementation using IPP Libraries returns:
13077      *     -101 = USER_CRYPTO_ERROR
13078      */
13079     if (ret == 0)
13080 #elif defined(WOLFSSL_AFALG_XILINX_RSA) || defined(WOLFSSL_XILINX_CRYPT)
13081     /* blinding / rng handled with hardware acceleration */
13082     if (ret != 0)
13083 #elif defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
13084     /* async may not require RNG */
13085     if (ret != 0 && ret != MISSING_RNG_E)
13086 #elif defined(HAVE_FIPS) || !defined(WC_RSA_BLINDING)
13087     /* FIPS140 implementation does not do blinding */
13088     if (ret != 0)
13089 #elif defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_RSA_VERIFY_ONLY)
13090     if (ret != SIG_TYPE_E)
13091 #elif defined(WOLFSSL_CRYPTOCELL)
13092     /* RNG is handled with the cryptocell */
13093     if (ret != 0)
13094 #else
13095     if (ret != MISSING_RNG_E)
13096 #endif
13097         return -7658;
13098     sigSz = 0;
13099     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13100                                inLen, out, &sigSz, key, keyLen, rng);
13101     if (ret != BAD_FUNC_ARG)
13102         return -7659;
13103 
13104     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, NULL,
13105                              inLen, out, (word32)modLen, key, keyLen);
13106     if (ret != BAD_FUNC_ARG)
13107         return -7660;
13108     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13109                              0, out, (word32)modLen, key, keyLen);
13110     if (ret != BAD_FUNC_ARG)
13111         return -7661;
13112     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13113                              inLen, NULL, (word32)modLen, key, keyLen);
13114     if (ret != BAD_FUNC_ARG)
13115         return -7662;
13116     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13117                              inLen, out, 0, key, keyLen);
13118     if (ret != BAD_FUNC_ARG)
13119         return -7663;
13120     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13121                              inLen, out, (word32)modLen, NULL, keyLen);
13122     if (ret != BAD_FUNC_ARG)
13123         return -7664;
13124     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13125                              inLen, out, (word32)modLen, key, 0);
13126     if (ret != BAD_FUNC_ARG)
13127         return -7665;
13128 
13129 #ifndef HAVE_ECC
13130     ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_ECC, key, keyLen);
13131     if (ret != SIG_TYPE_E)
13132         return -7666;
13133 #endif
13134 
13135     /* Use APIs. */
13136     ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_RSA, key, keyLen);
13137     if (ret != modLen)
13138         return -7667;
13139     ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_RSA_W_ENC, key, keyLen);
13140     if (ret != modLen)
13141         return -7668;
13142 
13143     sigSz = (word32)ret;
13144 #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
13145     XMEMSET(out, 0, sizeof(out));
13146     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13147                                inLen, out, &sigSz, key, keyLen, rng);
13148     if (ret != 0)
13149         return -7669;
13150 
13151     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13152                              inLen, out, (word32)modLen, key, keyLen);
13153     if (ret != 0)
13154         return -7670;
13155 
13156     sigSz = (word32)sizeof(out);
13157     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC,
13158                                in, inLen, out, &sigSz, key, keyLen, rng);
13159     if (ret != 0)
13160         return -7671;
13161 
13162     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC,
13163                              in, inLen, out, (word32)modLen, key, keyLen);
13164     if (ret != 0)
13165         return -7672;
13166 
13167     /* Wrong signature type. */
13168     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
13169                              inLen, out, (word32)modLen, key, keyLen);
13170     if (ret == 0)
13171         return -7673;
13172 
13173     /* check hash functions */
13174     sigSz = (word32)sizeof(out);
13175     ret = wc_SignatureGenerateHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA,
13176         hash, (int)sizeof(hash), out, &sigSz, key, keyLen, rng);
13177     if (ret != 0)
13178         return -7674;
13179 
13180     ret = wc_SignatureVerifyHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA,
13181         hash, (int)sizeof(hash), out, (word32)modLen, key, keyLen);
13182     if (ret != 0)
13183         return -7675;
13184 
13185     sigSz = (word32)sizeof(out);
13186     ret = wc_SignatureGenerateHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC,
13187         hashEnc, (int)sizeof(hashEnc), out, &sigSz, key, keyLen, rng);
13188     if (ret != 0)
13189         return -7676;
13190 
13191     ret = wc_SignatureVerifyHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC,
13192         hashEnc, (int)sizeof(hashEnc), out, (word32)modLen, key, keyLen);
13193     if (ret != 0)
13194         return -7677;
13195 #else
13196     (void)hash;
13197     (void)hashEnc;
13198 #endif /* !WOLFSSL_RSA_PUBLIC_ONLY && !WOLFSSL_RSA_VERIFY_ONLY */
13199 
13200     return 0;
13201 }
13202 #endif /* !NO_SIG_WRAPPER */
13203 
13204 #ifdef WC_RSA_NONBLOCK
rsa_nb_test(RsaKey * key,const byte * in,word32 inLen,byte * out,word32 outSz,byte * plain,word32 plainSz,WC_RNG * rng)13205 static int rsa_nb_test(RsaKey* key, const byte* in, word32 inLen, byte* out,
13206     word32 outSz, byte* plain, word32 plainSz, WC_RNG* rng)
13207 {
13208     int ret = 0, count;
13209     int signSz = 0;
13210     RsaNb nb;
13211     byte* inlinePlain = NULL;
13212 
13213     /* Enable non-blocking RSA mode - provide context */
13214     ret = wc_RsaSetNonBlock(key, &nb);
13215     if (ret != 0)
13216         return ret;
13217 
13218 #ifdef WC_RSA_NONBLOCK_TIME
13219     /* Enable time based RSA blocking. 8 microseconds max (3.1GHz) */
13220     ret = wc_RsaSetNonBlockTime(key, 8, 3100);
13221     if (ret != 0)
13222         return ret;
13223 #endif
13224 
13225     count = 0;
13226     do {
13227         ret = wc_RsaSSL_Sign(in, inLen, out, outSz, key, rng);
13228         count++; /* track number of would blocks */
13229         if (ret == FP_WOULDBLOCK) {
13230             /* do "other" work here */
13231         }
13232     } while (ret == FP_WOULDBLOCK);
13233     if (ret < 0) {
13234         return ret;
13235     }
13236 #ifdef DEBUG_WOLFSSL
13237     printf("RSA non-block sign: %d times\n", count);
13238 #endif
13239     signSz = ret;
13240 
13241     /* Test non-blocking verify */
13242     XMEMSET(plain, 0, plainSz);
13243     count = 0;
13244     do {
13245         ret = wc_RsaSSL_Verify(out, (word32)signSz, plain, plainSz, key);
13246         count++; /* track number of would blocks */
13247         if (ret == FP_WOULDBLOCK) {
13248             /* do "other" work here */
13249         }
13250     } while (ret == FP_WOULDBLOCK);
13251     if (ret < 0) {
13252         return ret;
13253     }
13254 #ifdef DEBUG_WOLFSSL
13255     printf("RSA non-block verify: %d times\n", count);
13256 #endif
13257 
13258     if (signSz == ret && XMEMCMP(plain, in, (size_t)ret)) {
13259         return SIG_VERIFY_E;
13260     }
13261 
13262     /* Test inline non-blocking verify */
13263     count = 0;
13264     do {
13265         ret = wc_RsaSSL_VerifyInline(out, (word32)signSz, &inlinePlain, key);
13266         count++; /* track number of would blocks */
13267         if (ret == FP_WOULDBLOCK) {
13268             /* do "other" work here */
13269         }
13270     } while (ret == FP_WOULDBLOCK);
13271     if (ret < 0) {
13272         return ret;
13273     }
13274 #ifdef DEBUG_WOLFSSL
13275     printf("RSA non-block inline verify: %d times\n", count);
13276 #endif
13277 
13278     if (signSz == ret && XMEMCMP(inlinePlain, in, (size_t)ret)) {
13279         return SIG_VERIFY_E;
13280     }
13281 
13282     /* Disabling non-block RSA mode */
13283     ret = wc_RsaSetNonBlock(key, NULL);
13284 
13285     (void)count;
13286 
13287     return 0;
13288 }
13289 #endif
13290 
13291 #if !defined(HAVE_USER_RSA) && !defined(NO_ASN)
rsa_decode_test(RsaKey * keyPub)13292 static int rsa_decode_test(RsaKey* keyPub)
13293 {
13294     int        ret;
13295     word32     inSz;
13296     word32     inOutIdx;
13297     WOLFSSL_SMALL_STACK_STATIC const byte n[2] = { 0x00, 0x23 };
13298     WOLFSSL_SMALL_STACK_STATIC const byte e[2] = { 0x00, 0x03 };
13299     WOLFSSL_SMALL_STACK_STATIC const byte good[] = { 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1,
13300            0x03 };
13301     WOLFSSL_SMALL_STACK_STATIC const byte goodAlgId[] = {
13302             0x30, 0x18, 0x30, 0x16,
13303             0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
13304             0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
13305     WOLFSSL_SMALL_STACK_STATIC const byte goodAlgIdNull[] = {
13306             0x30, 0x1a, 0x30, 0x18,
13307             0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
13308             0x05, 0x00, 0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23,
13309             0x02, 0x1, 0x03 };
13310     WOLFSSL_SMALL_STACK_STATIC const byte badAlgIdNull[] = {
13311             0x30, 0x1b, 0x30, 0x19,
13312             0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
13313             0x05, 0x01, 0x00, 0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23,
13314             0x02, 0x1, 0x03 };
13315     WOLFSSL_SMALL_STACK_STATIC const byte badNotBitString[] = {
13316             0x30, 0x18, 0x30, 0x16,
13317             0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
13318             0x04, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
13319     WOLFSSL_SMALL_STACK_STATIC const byte badBitStringLen[] = {
13320             0x30, 0x18, 0x30, 0x16,
13321             0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
13322             0x03, 0x0a, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
13323     WOLFSSL_SMALL_STACK_STATIC const byte badNoSeq[] = {
13324             0x30, 0x16, 0x30, 0x14,
13325             0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
13326             0x07, 0x00, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
13327     WOLFSSL_SMALL_STACK_STATIC const byte badNoObj[] = {
13328             0x30, 0x0f, 0x30, 0x0d, 0x05, 0x00, 0x03, 0x09, 0x00, 0x30, 0x06,
13329             0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
13330     WOLFSSL_SMALL_STACK_STATIC const byte badIntN[] = {
13331             0x30, 0x06, 0x02, 0x05, 0x23, 0x02, 0x1, 0x03 };
13332     WOLFSSL_SMALL_STACK_STATIC const byte badNotIntE[] = {
13333             0x30, 0x06, 0x02, 0x01, 0x23, 0x04, 0x1, 0x03 };
13334     WOLFSSL_SMALL_STACK_STATIC const byte badLength[] = {
13335             0x30, 0x04, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
13336     WOLFSSL_SMALL_STACK_STATIC const byte badBitStrNoZero[] = {
13337             0x30, 0x17, 0x30, 0x15,
13338             0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
13339             0x03, 0x08, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
13340 
13341     ret = wc_InitRsaKey(keyPub, NULL);
13342     if (ret != 0)
13343         return -7690;
13344 
13345     /* Parameter Validation testing. */
13346     ret = wc_RsaPublicKeyDecodeRaw(NULL, sizeof(n), e, sizeof(e), keyPub);
13347     if (ret != BAD_FUNC_ARG) {
13348         ret = -7691;
13349         goto done;
13350     }
13351     ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), NULL, sizeof(e), keyPub);
13352     if (ret != BAD_FUNC_ARG) {
13353         ret = -7692;
13354         goto done;
13355     }
13356     ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, sizeof(e), NULL);
13357     if (ret != BAD_FUNC_ARG) {
13358         ret = -7693;
13359         goto done;
13360     }
13361     ret = wc_RsaPublicKeyDecodeRaw(n, (word32)-1, e, sizeof(e), keyPub);
13362 #if !defined(WOLFSSL_SP_MATH) & !defined(WOLFSSL_SP_MATH_ALL)
13363     if (ret != 0) {
13364 #else
13365     if (ret != ASN_GETINT_E) {
13366 #endif
13367         ret = -7694;
13368         goto done;
13369     }
13370     wc_FreeRsaKey(keyPub);
13371     ret = wc_InitRsaKey(keyPub, NULL);
13372     if (ret != 0)
13373         return -7695;
13374     ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, (word32)-1, keyPub);
13375 #if !defined(WOLFSSL_SP_MATH) & !defined(WOLFSSL_SP_MATH_ALL)
13376     if (ret != 0) {
13377 #else
13378     if (ret != ASN_GETINT_E) {
13379 #endif
13380         ret = -7696;
13381         goto done;
13382     }
13383     wc_FreeRsaKey(keyPub);
13384     ret = wc_InitRsaKey(keyPub, NULL);
13385     if (ret != 0)
13386         return -7697;
13387 
13388     /* Use API. */
13389     ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, sizeof(e), keyPub);
13390     if (ret != 0) {
13391         ret = -7698;
13392         goto done;
13393     }
13394     wc_FreeRsaKey(keyPub);
13395     ret = wc_InitRsaKey(keyPub, NULL);
13396     if (ret != 0)
13397         return -7699;
13398 
13399     /* Parameter Validation testing. */
13400     inSz = sizeof(good);
13401     ret = wc_RsaPublicKeyDecode(NULL, &inOutIdx, keyPub, inSz);
13402     if (ret != BAD_FUNC_ARG) {
13403         ret = -7700;
13404         goto done;
13405     }
13406     ret = wc_RsaPublicKeyDecode(good, NULL, keyPub, inSz);
13407     if (ret != BAD_FUNC_ARG) {
13408         ret = -7701;
13409         goto done;
13410     }
13411     ret = wc_RsaPublicKeyDecode(good, &inOutIdx, NULL, inSz);
13412     if (ret != BAD_FUNC_ARG) {
13413         ret = -7702;
13414         goto done;
13415     }
13416 
13417     /* Use good data and offset to bad data. */
13418     inOutIdx = 2;
13419     inSz = sizeof(good) - inOutIdx;
13420     ret = wc_RsaPublicKeyDecode(good, &inOutIdx, keyPub, inSz);
13421     if (ret != ASN_PARSE_E) {
13422         ret = -7703;
13423         goto done;
13424     }
13425     inOutIdx = 2;
13426     inSz = sizeof(goodAlgId) - inOutIdx;
13427     ret = wc_RsaPublicKeyDecode(goodAlgId, &inOutIdx, keyPub, inSz);
13428     if (ret != ASN_PARSE_E) {
13429         ret = -7704;
13430         goto done;
13431     }
13432     inOutIdx = 2;
13433     inSz = sizeof(goodAlgId);
13434     ret = wc_RsaPublicKeyDecode(goodAlgId, &inOutIdx, keyPub, inSz);
13435 #ifndef WOLFSSL_NO_DECODE_EXTRA
13436     if (ret != ASN_PARSE_E)
13437 #else
13438     if (ret != ASN_RSA_KEY_E)
13439 #endif
13440     {
13441         ret = -7705;
13442         goto done;
13443     }
13444     /* Try different bad data. */
13445     inSz = sizeof(badAlgIdNull);
13446     inOutIdx = 0;
13447     ret = wc_RsaPublicKeyDecode(badAlgIdNull, &inOutIdx, keyPub, inSz);
13448     if (ret != ASN_EXPECT_0_E) {
13449         ret = -7706;
13450         goto done;
13451     }
13452     inSz = sizeof(badNotBitString);
13453     inOutIdx = 0;
13454     ret = wc_RsaPublicKeyDecode(badNotBitString, &inOutIdx, keyPub, inSz);
13455     if (ret != ASN_BITSTR_E) {
13456         ret = -7707;
13457         goto done;
13458     }
13459     inSz = sizeof(badBitStringLen);
13460     inOutIdx = 0;
13461     ret = wc_RsaPublicKeyDecode(badBitStringLen, &inOutIdx, keyPub, inSz);
13462     if (ret != ASN_PARSE_E) {
13463         ret = -7708;
13464         goto done;
13465     }
13466     inSz = sizeof(badNoSeq);
13467     inOutIdx = 0;
13468     ret = wc_RsaPublicKeyDecode(badNoSeq, &inOutIdx, keyPub, inSz);
13469     if (ret != ASN_PARSE_E) {
13470         ret = -7709;
13471         goto done;
13472     }
13473     inSz = sizeof(badNoObj);
13474     inOutIdx = 0;
13475     ret = wc_RsaPublicKeyDecode(badNoObj, &inOutIdx, keyPub, inSz);
13476     if (ret != ASN_PARSE_E && ret != ASN_OBJECT_ID_E) {
13477         ret = -7710;
13478         goto done;
13479     }
13480     inSz = sizeof(badIntN);
13481     inOutIdx = 0;
13482     ret = wc_RsaPublicKeyDecode(badIntN, &inOutIdx, keyPub, inSz);
13483     if (ret != ASN_RSA_KEY_E && ret != ASN_PARSE_E) {
13484         ret = -7711;
13485         goto done;
13486     }
13487     inSz = sizeof(badNotIntE);
13488     inOutIdx = 0;
13489     ret = wc_RsaPublicKeyDecode(badNotIntE, &inOutIdx, keyPub, inSz);
13490     if (ret != ASN_RSA_KEY_E && ret != ASN_PARSE_E) {
13491         ret = -7712;
13492         goto done;
13493     }
13494     /* TODO: Shouldn't pass as the sequence length is too small. */
13495     inSz = sizeof(badLength);
13496     inOutIdx = 0;
13497     ret = wc_RsaPublicKeyDecode(badLength, &inOutIdx, keyPub, inSz);
13498 #ifndef WOLFSSL_ASN_TEMPLATE
13499     if (ret != 0)
13500 #else
13501     if (ret != ASN_PARSE_E)
13502 #endif
13503     {
13504         ret = -7713;
13505         goto done;
13506     }
13507     /* TODO: Shouldn't ignore object id's data. */
13508     wc_FreeRsaKey(keyPub);
13509     ret = wc_InitRsaKey(keyPub, NULL);
13510     if (ret != 0)
13511         return -7714;
13512 
13513     inSz = sizeof(badBitStrNoZero);
13514     inOutIdx = 0;
13515     ret = wc_RsaPublicKeyDecode(badBitStrNoZero, &inOutIdx, keyPub, inSz);
13516     if (ret != ASN_EXPECT_0_E && ret != ASN_PARSE_E) {
13517         ret = -7715;
13518         goto done;
13519     }
13520     wc_FreeRsaKey(keyPub);
13521     ret = wc_InitRsaKey(keyPub, NULL);
13522     if (ret != 0)
13523         return -7716;
13524 
13525     /* Valid data cases. */
13526     inSz = sizeof(good);
13527     inOutIdx = 0;
13528     ret = wc_RsaPublicKeyDecode(good, &inOutIdx, keyPub, inSz);
13529     if (ret != 0) {
13530         ret = -7717;
13531         goto done;
13532     }
13533     if (inOutIdx != inSz) {
13534         ret = -7718;
13535         goto done;
13536     }
13537     wc_FreeRsaKey(keyPub);
13538     ret = wc_InitRsaKey(keyPub, NULL);
13539     if (ret != 0)
13540         return -7719;
13541 
13542     inSz = sizeof(goodAlgId);
13543     inOutIdx = 0;
13544     ret = wc_RsaPublicKeyDecode(goodAlgId, &inOutIdx, keyPub, inSz);
13545     if (ret != 0) {
13546         ret = -7720;
13547         goto done;
13548     }
13549     if (inOutIdx != inSz) {
13550         ret = -7721;
13551         goto done;
13552     }
13553     wc_FreeRsaKey(keyPub);
13554     ret = wc_InitRsaKey(keyPub, NULL);
13555     if (ret != 0)
13556         return -7722;
13557 
13558     inSz = sizeof(goodAlgIdNull);
13559     inOutIdx = 0;
13560     ret = wc_RsaPublicKeyDecode(goodAlgIdNull, &inOutIdx, keyPub, inSz);
13561     if (ret != 0) {
13562         ret = -7723;
13563         goto done;
13564     }
13565     if (inOutIdx != inSz) {
13566         ret = -7724;
13567         goto done;
13568     }
13569 
13570 done:
13571     wc_FreeRsaKey(keyPub);
13572     return ret;
13573 }
13574 #endif
13575 
13576 #if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
13577 /* Need to create known good signatures to test with this. */
13578 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
13579 static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
13580 {
13581     byte             digest[WC_MAX_DIGEST_SIZE];
13582     int              ret     = 0;
13583     const char       inStr[] = TEST_STRING;
13584     word32           inLen   = (word32)TEST_STRING_SZ;
13585     word32           outSz;
13586     word32           plainSz;
13587     word32           digestSz;
13588     int              i, j;
13589 #ifdef RSA_PSS_TEST_WRONG_PARAMS
13590     int              k, l;
13591 #endif
13592     int              len;
13593     byte*            plain;
13594     int              mgf[]   = {
13595 #ifndef NO_SHA
13596                                  WC_MGF1SHA1,
13597 #endif
13598 #ifdef WOLFSSL_SHA224
13599                                  WC_MGF1SHA224,
13600 #endif
13601                                  WC_MGF1SHA256,
13602 #ifdef WOLFSSL_SHA384
13603                                  WC_MGF1SHA384,
13604 #endif
13605 #ifdef WOLFSSL_SHA512
13606                                  WC_MGF1SHA512
13607 #endif
13608                                };
13609     enum wc_HashType hash[]  = {
13610 #ifndef NO_SHA
13611                                  WC_HASH_TYPE_SHA,
13612 #endif
13613 #ifdef WOLFSSL_SHA224
13614                                  WC_HASH_TYPE_SHA224,
13615 #endif
13616                                  WC_HASH_TYPE_SHA256,
13617 #ifdef WOLFSSL_SHA384
13618                                  WC_HASH_TYPE_SHA384,
13619 #endif
13620 #ifdef WOLFSSL_SHA512
13621                                  WC_HASH_TYPE_SHA512,
13622 #endif
13623                                };
13624 
13625     WC_DECLARE_VAR(in, byte, RSA_TEST_BYTES, HEAP_HINT);
13626     WC_DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
13627     WC_DECLARE_VAR(sig, byte, RSA_TEST_BYTES, HEAP_HINT);
13628 
13629 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
13630     if (in == NULL || out == NULL || sig == NULL)
13631         ERROR_OUT(MEMORY_E, exit_rsa_pss);
13632 #endif
13633     XMEMCPY(in, inStr, inLen);
13634 
13635     /* Test all combinations of hash and MGF. */
13636     for (j = 0; j < (int)(sizeof(hash)/sizeof(*hash)); j++) {
13637         /* Calculate hash of message. */
13638         ret = wc_Hash(hash[j], in, inLen, digest, sizeof(digest));
13639         if (ret != 0)
13640             ERROR_OUT(-7730, exit_rsa_pss);
13641         digestSz = wc_HashGetDigestSize(hash[j]);
13642 
13643         for (i = 0; i < (int)(sizeof(mgf)/sizeof(*mgf)); i++) {
13644             outSz = RSA_TEST_BYTES;
13645             do {
13646             #if defined(WOLFSSL_ASYNC_CRYPT)
13647                 ret = wc_AsyncWait(ret, &key->asyncDev,
13648                     WC_ASYNC_FLAG_CALL_AGAIN);
13649             #endif
13650                 if (ret >= 0) {
13651                     ret = wc_RsaPSS_Sign_ex(digest, digestSz, out, outSz,
13652                         hash[j], mgf[i], -1, key, rng);
13653                 }
13654             } while (ret == WC_PENDING_E);
13655             if (ret <= 0)
13656                 ERROR_OUT(-7731, exit_rsa_pss);
13657             outSz = ret;
13658 
13659             XMEMCPY(sig, out, outSz);
13660             plain = NULL;
13661             TEST_SLEEP();
13662 
13663             do {
13664             #if defined(WOLFSSL_ASYNC_CRYPT)
13665                 ret = wc_AsyncWait(ret, &key->asyncDev,
13666                     WC_ASYNC_FLAG_CALL_AGAIN);
13667             #endif
13668                 if (ret >= 0) {
13669                     ret = wc_RsaPSS_VerifyInline_ex(sig, outSz, &plain, hash[j],
13670                         mgf[i], -1, key);
13671                 }
13672             } while (ret == WC_PENDING_E);
13673             if (ret <= 0)
13674                 ERROR_OUT(-7732, exit_rsa_pss);
13675             plainSz = ret;
13676             TEST_SLEEP();
13677 
13678 #if defined(HAVE_SELFTEST) && \
13679     (!defined(HAVE_SELFTEST_VERSION) || (HAVE_SELFTEST_VERSION < 2))
13680             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
13681                                          hash[j], -1);
13682 #elif defined(HAVE_SELFTEST) && (HAVE_SELFTEST_VERSION == 2)
13683             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
13684                                          hash[j], -1, 0);
13685 #else
13686             ret = wc_RsaPSS_CheckPadding_ex2(digest, digestSz, plain, plainSz,
13687                               hash[j], -1, wc_RsaEncryptSize(key)*8, HEAP_HINT);
13688 #endif
13689             if (ret != 0)
13690                 ERROR_OUT(-7733, exit_rsa_pss);
13691 
13692 #ifdef RSA_PSS_TEST_WRONG_PARAMS
13693             for (k = 0; k < (int)(sizeof(mgf)/sizeof(*mgf)); k++) {
13694                 for (l = 0; l < (int)(sizeof(hash)/sizeof(*hash)); l++) {
13695                     if (i == k && j == l)
13696                         continue;
13697 
13698                     XMEMCPY(sig, out, outSz);
13699 
13700                     do {
13701                     #if defined(WOLFSSL_ASYNC_CRYPT)
13702                         ret = wc_AsyncWait(ret, &key->asyncDev,
13703                             WC_ASYNC_FLAG_CALL_AGAIN);
13704                     #endif
13705                         if (ret >= 0) {
13706                             ret = wc_RsaPSS_VerifyInline_ex(sig, outSz,
13707                                 (byte**)&plain, hash[l], mgf[k], -1, key);
13708                         }
13709                     } while (ret == WC_PENDING_E);
13710                     if (ret >= 0)
13711                         ERROR_OUT(-7734, exit_rsa_pss);
13712                 }
13713             }
13714 #endif
13715         }
13716     }
13717 
13718     /* Test that a salt length of zero works. */
13719     digestSz = wc_HashGetDigestSize(hash[0]);
13720     outSz = RSA_TEST_BYTES;
13721     do {
13722     #if defined(WOLFSSL_ASYNC_CRYPT)
13723         ret = wc_AsyncWait(ret, &key->asyncDev,
13724             WC_ASYNC_FLAG_CALL_AGAIN);
13725     #endif
13726         if (ret >= 0) {
13727             ret = wc_RsaPSS_Sign_ex(digest, digestSz, out, outSz, hash[0],
13728                 mgf[0], 0, key, rng);
13729         }
13730     } while (ret == WC_PENDING_E);
13731     if (ret <= 0)
13732         ERROR_OUT(-7735, exit_rsa_pss);
13733     outSz = ret;
13734     TEST_SLEEP();
13735 
13736     do {
13737     #if defined(WOLFSSL_ASYNC_CRYPT)
13738         ret = wc_AsyncWait(ret, &key->asyncDev,
13739             WC_ASYNC_FLAG_CALL_AGAIN);
13740     #endif
13741         if (ret >= 0) {
13742             ret = wc_RsaPSS_Verify_ex(out, outSz, sig, outSz, hash[0], mgf[0],
13743                 0, key);
13744         }
13745     } while (ret == WC_PENDING_E);
13746     if (ret <= 0)
13747         ERROR_OUT(-7736, exit_rsa_pss);
13748     plainSz = ret;
13749     TEST_SLEEP();
13750 
13751     do {
13752     #if defined(WOLFSSL_ASYNC_CRYPT)
13753         ret = wc_AsyncWait(ret, &key->asyncDev,
13754             WC_ASYNC_FLAG_CALL_AGAIN);
13755     #endif
13756         if (ret >= 0) {
13757 #if defined(HAVE_SELFTEST) && \
13758     (!defined(HAVE_SELFTEST_VERSION) || (HAVE_SELFTEST_VERSION < 2))
13759             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, sig, plainSz,
13760                                          hash[0], 0);
13761 #elif defined(HAVE_SELFTEST) && (HAVE_SELFTEST_VERSION == 2)
13762             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, sig, plainSz,
13763                                          hash[0], 0, 0);
13764 #else
13765             ret = wc_RsaPSS_CheckPadding_ex2(digest, digestSz, sig, plainSz,
13766                 hash[0], 0, 0, HEAP_HINT);
13767 #endif
13768         }
13769     } while (ret == WC_PENDING_E);
13770     if (ret != 0)
13771         ERROR_OUT(-7737, exit_rsa_pss);
13772 
13773     XMEMCPY(sig, out, outSz);
13774     plain = NULL;
13775     do {
13776     #if defined(WOLFSSL_ASYNC_CRYPT)
13777         ret = wc_AsyncWait(ret, &key->asyncDev,
13778             WC_ASYNC_FLAG_CALL_AGAIN);
13779     #endif
13780         if (ret >= 0) {
13781             ret = wc_RsaPSS_VerifyInline_ex(sig, outSz, &plain, hash[0], mgf[0],
13782                 0, key);
13783         }
13784     } while (ret == WC_PENDING_E);
13785     if (ret <= 0)
13786         ERROR_OUT(-7738, exit_rsa_pss);
13787     plainSz = ret;
13788     TEST_SLEEP();
13789 
13790 #if defined(HAVE_SELFTEST) && \
13791     (!defined(HAVE_SELFTEST_VERSION) || (HAVE_SELFTEST_VERSION < 2))
13792             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
13793                                          hash[0], 0);
13794 #elif defined(HAVE_SELFTEST) && (HAVE_SELFTEST_VERSION == 2)
13795             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
13796                                          hash[0], 0, 0);
13797 #else
13798     ret = wc_RsaPSS_CheckPadding_ex2(digest, digestSz, plain, plainSz, hash[0],
13799                                     0, 0, HEAP_HINT);
13800 #endif
13801     if (ret != 0)
13802         ERROR_OUT(-7739, exit_rsa_pss);
13803 
13804     /* Test bad salt lengths in various APIs. */
13805     digestSz = wc_HashGetDigestSize(hash[0]);
13806     outSz = RSA_TEST_BYTES;
13807 #ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
13808     len = -2;
13809 #else
13810     len = -3;
13811 #endif
13812     do {
13813     #if defined(WOLFSSL_ASYNC_CRYPT)
13814         ret = wc_AsyncWait(ret, &key->asyncDev,
13815             WC_ASYNC_FLAG_CALL_AGAIN);
13816     #endif
13817         if (ret >= 0) {
13818             ret = wc_RsaPSS_Sign_ex(digest, digestSz, out, outSz, hash[0],
13819                 mgf[0], len, key, rng);
13820         }
13821     } while (ret == WC_PENDING_E);
13822     if (ret != PSS_SALTLEN_E)
13823         ERROR_OUT(-7740, exit_rsa_pss);
13824 
13825     do {
13826     #if defined(WOLFSSL_ASYNC_CRYPT)
13827         ret = wc_AsyncWait(ret, &key->asyncDev,
13828             WC_ASYNC_FLAG_CALL_AGAIN);
13829     #endif
13830         if (ret >= 0) {
13831             ret = wc_RsaPSS_Sign_ex(digest, digestSz, out, outSz, hash[0],
13832                 mgf[0], digestSz + 1, key, rng);
13833         }
13834     } while (ret == WC_PENDING_E);
13835     if (ret != PSS_SALTLEN_E)
13836         ERROR_OUT(-7741, exit_rsa_pss);
13837     TEST_SLEEP();
13838 
13839     do {
13840     #if defined(WOLFSSL_ASYNC_CRYPT)
13841         ret = wc_AsyncWait(ret, &key->asyncDev,
13842             WC_ASYNC_FLAG_CALL_AGAIN);
13843     #endif
13844         if (ret >= 0) {
13845             ret = wc_RsaPSS_VerifyInline_ex(sig, outSz, &plain, hash[0],
13846                 mgf[0], -2, key);
13847         }
13848     } while (ret == WC_PENDING_E);
13849     if (ret != PSS_SALTLEN_E)
13850         ERROR_OUT(-7742, exit_rsa_pss);
13851     TEST_SLEEP();
13852 
13853     do {
13854     #if defined(WOLFSSL_ASYNC_CRYPT)
13855         ret = wc_AsyncWait(ret, &key->asyncDev,
13856             WC_ASYNC_FLAG_CALL_AGAIN);
13857     #endif
13858         if (ret >= 0) {
13859             ret = wc_RsaPSS_VerifyInline_ex(sig, outSz, &plain, hash[0], mgf[0],
13860                 digestSz + 1, key);
13861         }
13862     } while (ret == WC_PENDING_E);
13863     if (ret != PSS_SALTLEN_E)
13864         ERROR_OUT(-7743, exit_rsa_pss);
13865     TEST_SLEEP();
13866 
13867 #ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
13868     len = -2;
13869 #else
13870     len = -3;
13871 #endif
13872 #if defined(HAVE_SELFTEST) && \
13873     (!defined(HAVE_SELFTEST_VERSION) || (HAVE_SELFTEST_VERSION < 2))
13874             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
13875                                          hash[0], len);
13876 #elif defined(HAVE_SELFTEST) && (HAVE_SELFTEST_VERSION == 2)
13877             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
13878                                          hash[0], len, 0);
13879 #else
13880     ret = wc_RsaPSS_CheckPadding_ex2(digest, digestSz, plain, plainSz, hash[0],
13881                                     len, 0, HEAP_HINT);
13882 #endif
13883     if (ret != PSS_SALTLEN_E)
13884         ERROR_OUT(-7744, exit_rsa_pss);
13885 #ifndef WOLFSSL_PSS_LONG_SALT
13886     len = digestSz + 1;
13887 #else
13888     len = plainSz - digestSz - 1;
13889 #endif
13890 #if defined(HAVE_SELFTEST) && \
13891     (!defined(HAVE_SELFTEST_VERSION) || (HAVE_SELFTEST_VERSION < 2))
13892             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
13893                                          hash[0], len);
13894 #elif defined(HAVE_SELFTEST) && (HAVE_SELFTEST_VERSION == 2)
13895             ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
13896                                          hash[0], len, 0);
13897 #else
13898     ret = wc_RsaPSS_CheckPadding_ex2(digest, digestSz, plain, plainSz, hash[0],
13899                                     len, 0, HEAP_HINT);
13900 #endif
13901     if (ret != PSS_SALTLEN_E)
13902         ERROR_OUT(-7745, exit_rsa_pss);
13903 
13904     ret = 0;
13905 exit_rsa_pss:
13906     WC_FREE_VAR(sig, HEAP_HINT);
13907     WC_FREE_VAR(in, HEAP_HINT);
13908     WC_FREE_VAR(out, HEAP_HINT);
13909 
13910     return ret;
13911 }
13912 #endif /* !WOLFSSL_RSA_VERIFY_ONLY && !WOLFSSL_RSA_PUBLIC_ONLY */
13913 #endif
13914 
13915 #ifdef WC_RSA_NO_PADDING
13916 WOLFSSL_TEST_SUBROUTINE int rsa_no_pad_test(void)
13917 {
13918     WC_RNG rng;
13919     byte*  tmp = NULL;
13920     size_t bytes;
13921     int    ret;
13922     word32 inLen   = 0;
13923     word32 idx     = 0;
13924     word32 outSz   = RSA_TEST_BYTES;
13925     word32 plainSz = RSA_TEST_BYTES;
13926 #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
13927     !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096) && \
13928     !defined(NO_FILESYSTEM)
13929     XFILE  file;
13930 #endif
13931     WC_DECLARE_VAR(key, RsaKey, 1, HEAP_HINT);
13932     WC_DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
13933     WC_DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
13934 
13935 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
13936     if (key == NULL || out == NULL || plain == NULL)
13937         ERROR_OUT(MEMORY_E, exit_rsa_nopadding);
13938 #endif
13939 
13940     /* initialize stack structures */
13941     XMEMSET(&rng, 0, sizeof(rng));
13942     XMEMSET(key, 0, sizeof(RsaKey));
13943 #ifdef USE_CERT_BUFFERS_1024
13944     bytes = (size_t)sizeof_client_key_der_1024;
13945     if (bytes < (size_t)sizeof_client_cert_der_1024)
13946         bytes = (size_t)sizeof_client_cert_der_1024;
13947 #elif defined(USE_CERT_BUFFERS_2048)
13948     bytes = (size_t)sizeof_client_key_der_2048;
13949     if (bytes < (size_t)sizeof_client_cert_der_2048)
13950         bytes = (size_t)sizeof_client_cert_der_2048;
13951 #else
13952     bytes = FOURK_BUF;
13953 #endif
13954 
13955     tmp = (byte*)XMALLOC(bytes, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
13956     if (tmp == NULL
13957     #ifdef WOLFSSL_ASYNC_CRYPT
13958         || out == NULL || plain == NULL
13959     #endif
13960     ) {
13961         ERROR_OUT(-7800, exit_rsa_nopadding);
13962     }
13963 
13964 #ifdef USE_CERT_BUFFERS_1024
13965     XMEMCPY(tmp, client_key_der_1024, (size_t)sizeof_client_key_der_1024);
13966 #elif defined(USE_CERT_BUFFERS_2048)
13967     XMEMCPY(tmp, client_key_der_2048, (size_t)sizeof_client_key_der_2048);
13968 #elif defined(USE_CERT_BUFFERS_3072)
13969     XMEMCPY(tmp, client_key_der_3072, (size_t)sizeof_client_key_der_3072);
13970 #elif defined(USE_CERT_BUFFERS_4096)
13971     XMEMCPY(tmp, client_key_der_4096, (size_t)sizeof_client_key_der_4096);
13972 #elif !defined(NO_FILESYSTEM)
13973     file = XFOPEN(clientKey, "rb");
13974     if (!file) {
13975         err_sys("can't open clientKey, Please run from wolfSSL home dir", -40);
13976         ERROR_OUT(-7801, exit_rsa_nopadding);
13977     }
13978 
13979     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
13980     XFCLOSE(file);
13981 #else
13982     /* No key to use. */
13983     ERROR_OUT(-7802, exit_rsa_nopadding);
13984 #endif /* USE_CERT_BUFFERS */
13985 
13986     ret = wc_InitRsaKey_ex(key, HEAP_HINT, devId);
13987     if (ret != 0) {
13988         ERROR_OUT(-7803, exit_rsa_nopadding);
13989     }
13990     ret = wc_RsaPrivateKeyDecode(tmp, &idx, key, (word32)bytes);
13991     if (ret != 0) {
13992         ERROR_OUT(-7804, exit_rsa_nopadding);
13993     }
13994 
13995     /* after loading in key use tmp as the test buffer */
13996 
13997 #ifndef HAVE_FIPS
13998     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
13999 #else
14000     ret = wc_InitRng(&rng);
14001 #endif
14002     if (ret != 0) {
14003         ERROR_OUT(-7805, exit_rsa_nopadding);
14004     }
14005 
14006 #ifndef WOLFSSL_RSA_VERIFY_ONLY
14007     inLen = wc_RsaEncryptSize(key);
14008     outSz   = inLen;
14009     plainSz = inLen;
14010     XMEMSET(tmp, 7, inLen);
14011     do {
14012     #if defined(WOLFSSL_ASYNC_CRYPT)
14013         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
14014     #endif
14015         if (ret >= 0) {
14016             ret = wc_RsaDirect(tmp, inLen, out, &outSz, key,
14017                     RSA_PRIVATE_ENCRYPT, &rng);
14018         }
14019     } while (ret == WC_PENDING_E);
14020     if (ret <= 0) {
14021         ERROR_OUT(-7806, exit_rsa_nopadding);
14022     }
14023 
14024     /* encrypted result should not be the same as input */
14025     if (XMEMCMP(out, tmp, inLen) == 0) {
14026         ERROR_OUT(-7807, exit_rsa_nopadding);
14027     }
14028     TEST_SLEEP();
14029 
14030     /* decrypt with public key and compare result */
14031     do {
14032     #if defined(WOLFSSL_ASYNC_CRYPT)
14033         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
14034     #endif
14035         if (ret >= 0) {
14036             ret = wc_RsaDirect(out, outSz, plain, &plainSz, key,
14037                     RSA_PUBLIC_DECRYPT, &rng);
14038         }
14039     } while (ret == WC_PENDING_E);
14040     if (ret <= 0) {
14041         ERROR_OUT(-7808, exit_rsa_nopadding);
14042     }
14043 
14044     if (XMEMCMP(plain, tmp, inLen) != 0) {
14045         ERROR_OUT(-7809, exit_rsa_nopadding);
14046     }
14047     TEST_SLEEP();
14048 #endif
14049 
14050 #ifdef WC_RSA_BLINDING
14051     ret = wc_RsaSetRNG(NULL, &rng);
14052     if (ret != BAD_FUNC_ARG) {
14053         ERROR_OUT(-7810, exit_rsa_nopadding);
14054     }
14055 
14056     ret = wc_RsaSetRNG(key, &rng);
14057     if (ret < 0) {
14058         ERROR_OUT(-7811, exit_rsa_nopadding);
14059     }
14060 #endif
14061 
14062     /* test encrypt and decrypt using WC_RSA_NO_PAD */
14063 #ifndef WOLFSSL_RSA_VERIFY_ONLY
14064     do {
14065     #if defined(WOLFSSL_ASYNC_CRYPT)
14066         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
14067     #endif
14068         if (ret >= 0) {
14069             ret = wc_RsaPublicEncrypt_ex(tmp, inLen, out, (int)outSz, key, &rng,
14070                 WC_RSA_NO_PAD, WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0);
14071         }
14072     } while (ret == WC_PENDING_E);
14073     if (ret < 0) {
14074         ERROR_OUT(-7812, exit_rsa_nopadding);
14075     }
14076     TEST_SLEEP();
14077 #endif /* WOLFSSL_RSA_VERIFY_ONLY */
14078 
14079 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
14080     do {
14081     #if defined(WOLFSSL_ASYNC_CRYPT)
14082         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
14083     #endif
14084         if (ret >= 0) {
14085             ret = wc_RsaPrivateDecrypt_ex(out, outSz, plain, (int)plainSz, key,
14086                 WC_RSA_NO_PAD, WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0);
14087         }
14088     } while (ret == WC_PENDING_E);
14089     if (ret < 0) {
14090         ERROR_OUT(-7813, exit_rsa_nopadding);
14091     }
14092 
14093     if (XMEMCMP(plain, tmp, inLen) != 0) {
14094         ERROR_OUT(-7814, exit_rsa_nopadding);
14095     }
14096     TEST_SLEEP();
14097 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */
14098 
14099     /* test some bad arguments */
14100     ret = wc_RsaDirect(out, outSz, plain, &plainSz, key, -1,
14101             &rng);
14102     if (ret != BAD_FUNC_ARG) {
14103         ERROR_OUT(-7815, exit_rsa_nopadding);
14104     }
14105 
14106     ret = wc_RsaDirect(out, outSz, plain, &plainSz, NULL, RSA_PUBLIC_DECRYPT,
14107             &rng);
14108     if (ret != BAD_FUNC_ARG) {
14109         ERROR_OUT(-7816, exit_rsa_nopadding);
14110     }
14111 
14112     ret = wc_RsaDirect(out, outSz, NULL, &plainSz, key, RSA_PUBLIC_DECRYPT,
14113             &rng);
14114     if (ret != LENGTH_ONLY_E || plainSz != inLen) {
14115         ERROR_OUT(-7817, exit_rsa_nopadding);
14116     }
14117 
14118     ret = wc_RsaDirect(out, outSz - 10, plain, &plainSz, key,
14119             RSA_PUBLIC_DECRYPT, &rng);
14120     if (ret != BAD_FUNC_ARG) {
14121         ERROR_OUT(-7818, exit_rsa_nopadding);
14122     }
14123 
14124     /* if making it to this point of code without hitting an ERROR_OUT then
14125      * all tests have passed */
14126     ret = 0;
14127 
14128 exit_rsa_nopadding:
14129     wc_FreeRsaKey(key);
14130     XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14131     WC_FREE_VAR(key, HEAP_HINT);
14132     WC_FREE_VAR(out, HEAP_HINT);
14133     WC_FREE_VAR(plain, HEAP_HINT);
14134     wc_FreeRng(&rng);
14135 
14136     return ret;
14137 }
14138 #endif /* WC_RSA_NO_PADDING */
14139 
14140 #if defined(WOLFSSL_HAVE_SP_RSA) && defined(USE_FAST_MATH)
14141 static int rsa_even_mod_test(WC_RNG* rng, RsaKey* key)
14142 {
14143     byte*  tmp = NULL;
14144     size_t bytes;
14145     int    ret;
14146     word32 inLen   = 0;
14147 #ifndef NO_ASN
14148     word32 idx     = 0;
14149 #endif
14150     word32 outSz   = RSA_TEST_BYTES;
14151 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
14152     word32 plainSz = RSA_TEST_BYTES;
14153 #endif
14154 #if !defined(USE_CERT_BUFFERS_2048) && !defined(USE_CERT_BUFFERS_3072) && \
14155     !defined(USE_CERT_BUFFERS_4096) && !defined(NO_FILESYSTEM)
14156     XFILE  file;
14157 #endif
14158     WC_DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
14159 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
14160     WC_DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
14161 #endif
14162 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
14163     if (out == NULL
14164     #ifndef WOLFSSL_RSA_PUBLIC_ONLY
14165         || plain == NULL
14166     #endif
14167     ) {
14168         ERROR_OUT(MEMORY_E, exit_rsa_even_mod);
14169     }
14170 #endif
14171 
14172 #if defined(USE_CERT_BUFFERS_2048)
14173     bytes = (size_t)sizeof_client_key_der_2048;
14174     if (bytes < (size_t)sizeof_client_cert_der_2048)
14175         bytes = (size_t)sizeof_client_cert_der_2048;
14176 #else
14177     bytes = FOURK_BUF;
14178 #endif
14179 
14180     tmp = (byte*)XMALLOC(bytes, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14181     if (tmp == NULL
14182     #ifdef WOLFSSL_ASYNC_CRYPT
14183         || out == NULL || plain == NULL
14184     #endif
14185     ) {
14186         ERROR_OUT(-7800, exit_rsa_even_mod);
14187     }
14188 
14189 #if defined(USE_CERT_BUFFERS_2048)
14190     XMEMCPY(tmp, client_key_der_2048, (size_t)sizeof_client_key_der_2048);
14191 #elif defined(USE_CERT_BUFFERS_3072)
14192     XMEMCPY(tmp, client_key_der_3072, (size_t)sizeof_client_key_der_3072);
14193 #elif defined(USE_CERT_BUFFERS_4096)
14194     XMEMCPY(tmp, client_key_der_4096, (size_t)sizeof_client_key_der_4096);
14195 #elif !defined(NO_FILESYSTEM)
14196     file = XFOPEN(clientKey, "rb");
14197     if (!file) {
14198         err_sys("can't open ./certs/client-key.der, "
14199                 "Please run from wolfSSL home dir", -40);
14200         ERROR_OUT(-7801, exit_rsa_even_mod);
14201     }
14202 
14203     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
14204     XFCLOSE(file);
14205 #else
14206     /* No key to use. */
14207     ERROR_OUT(-7802, exit_rsa_even_mod);
14208 #endif /* USE_CERT_BUFFERS */
14209 
14210 #ifndef NO_ASN
14211     ret = wc_RsaPrivateKeyDecode(tmp, &idx, key, (word32)bytes);
14212     if (ret != 0) {
14213         ERROR_OUT(-7804, exit_rsa_even_mod);
14214     }
14215 #else
14216     #ifdef USE_CERT_BUFFERS_2048
14217         ret = mp_read_unsigned_bin(&key->n, &tmp[12], 256);
14218         if (ret != 0) {
14219             ERROR_OUT(-7804, exit_rsa_even_mod);
14220         }
14221         ret = mp_set_int(&key->e, WC_RSA_EXPONENT);
14222         if (ret != 0) {
14223             ERROR_OUT(-7804, exit_rsa_even_mod);
14224         }
14225 #ifndef NO_SIG_WRAPPER
14226         modLen = 2048;
14227 #endif
14228     #else
14229         #error Not supported yet!
14230     #endif
14231 #endif
14232 
14233     key->n.dp[0] &= (mp_digit)-2;
14234     if (ret != 0) {
14235         ERROR_OUT(-7804, exit_rsa_even_mod);
14236     }
14237 
14238     /* after loading in key use tmp as the test buffer */
14239 #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2) && \
14240     !defined(WOLFSSL_SP_ARM64_ASM)
14241     /* The ARM64_ASM code that was FIPS validated did not return these expected
14242      * failure codes. These tests cases were added after the assembly was
14243      * in-lined in the module and validated, these tests will be available in
14244      * the 140-3 module */
14245 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
14246     inLen = 32;
14247     outSz   = wc_RsaEncryptSize(key);
14248     XMEMSET(tmp, 7, plainSz);
14249     ret = wc_RsaSSL_Sign(tmp, inLen, out, outSz, key, rng);
14250     if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != MP_INVMOD_E) {
14251         ERROR_OUT(-7806, exit_rsa_even_mod);
14252     }
14253 
14254     ret = wc_RsaSSL_Verify(out, outSz, tmp, inLen, key);
14255     if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
14256         ERROR_OUT(-7808, exit_rsa_even_mod);
14257     }
14258 #endif
14259 
14260 #ifdef WC_RSA_BLINDING
14261     ret = wc_RsaSetRNG(key, rng);
14262     if (ret < 0) {
14263         ERROR_OUT(-7811, exit_rsa_even_mod);
14264     }
14265 #endif
14266 
14267     /* test encrypt and decrypt using WC_RSA_NO_PAD */
14268 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
14269     ret = wc_RsaPublicEncrypt(tmp, inLen, out, (int)outSz, key, rng);
14270     if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
14271         ERROR_OUT(-7812, exit_rsa_even_mod);
14272     }
14273 #endif /* WOLFSSL_RSA_VERIFY_ONLY */
14274 
14275 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
14276     ret = wc_RsaPrivateDecrypt(out, outSz, plain, (int)plainSz, key);
14277     if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != MP_INVMOD_E) {
14278         ERROR_OUT(-7813, exit_rsa_even_mod);
14279     }
14280 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */
14281 #endif /* HAVE_FIPS_VERSION == 2 && !WOLFSSL_SP_ARM64_ASM */
14282     /* if making it to this point of code without hitting an ERROR_OUT then
14283      * all tests have passed */
14284     ret = 0;
14285 
14286 exit_rsa_even_mod:
14287     XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14288     WC_FREE_VAR(out, HEAP_HINT);
14289 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
14290     WC_FREE_VAR(plain, HEAP_HINT);
14291 #endif
14292 
14293     (void)out;
14294     (void)outSz;
14295 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
14296     (void)plain;
14297     (void)plainSz;
14298 #endif
14299     (void)inLen;
14300     (void)rng;
14301 
14302     return ret;
14303 }
14304 #endif /* WOLFSSL_HAVE_SP_RSA */
14305 
14306 #ifdef WOLFSSL_CERT_GEN
14307 static int rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng, byte* tmp)
14308 {
14309 #ifdef WOLFSSL_SMALL_STACK
14310     RsaKey      *caKey = (RsaKey *)XMALLOC(sizeof *caKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14311 #ifdef WOLFSSL_TEST_CERT
14312     DecodedCert *decode = (DecodedCert *)XMALLOC(sizeof *decode, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14313 #endif
14314 #else
14315     RsaKey      caKey[1];
14316 #ifdef WOLFSSL_TEST_CERT
14317     DecodedCert decode[1];
14318 #endif
14319 #endif
14320     byte*       der = NULL;
14321     int         ret;
14322     Cert*       myCert = NULL;
14323     int         certSz;
14324     size_t      bytes3;
14325     word32      idx3 = 0;
14326 #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
14327     XFILE       file3;
14328 #endif
14329 #if defined(WOLFSSL_ALT_NAMES) && !defined(NO_ASN_TIME)
14330     struct tm beforeTime;
14331     struct tm afterTime;
14332 #endif
14333     const byte  mySerial[8] = {1,2,3,4,5,6,7,8};
14334 
14335     (void)keypub;
14336 
14337 #ifdef WOLFSSL_SMALL_STACK
14338     if (caKey == NULL)
14339         ERROR_OUT(MEMORY_E, exit_rsa);
14340 #ifdef WOLFSSL_TEST_CERT
14341     if (decode == NULL)
14342         ERROR_OUT(MEMORY_E, exit_rsa);
14343 #endif
14344 
14345 #endif
14346 
14347     XMEMSET(caKey, 0, sizeof *caKey);
14348 
14349     der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14350     if (der == NULL) {
14351         ERROR_OUT(-7820, exit_rsa);
14352     }
14353     myCert = (Cert*)XMALLOC(sizeof(Cert), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14354     if (myCert == NULL) {
14355         ERROR_OUT(-7821, exit_rsa);
14356     }
14357 
14358     /* self signed */
14359     if (wc_InitCert_ex(myCert, HEAP_HINT, devId)) {
14360         ERROR_OUT(-7822, exit_rsa);
14361     }
14362 
14363     XMEMCPY(&myCert->subject, &certDefaultName, sizeof(CertName));
14364     XMEMCPY(myCert->serial, mySerial, sizeof(mySerial));
14365     myCert->serialSz = (int)sizeof(mySerial);
14366     myCert->isCA    = 1;
14367 #ifndef NO_SHA256
14368     myCert->sigType = CTC_SHA256wRSA;
14369 #else
14370     myCert->sigType = CTC_SHAwRSA;
14371 #endif
14372 
14373 #ifdef WOLFSSL_CERT_EXT
14374     /* add Policies */
14375     XSTRNCPY(myCert->certPolicies[0], "2.16.840.1.101.3.4.1.42",
14376             CTC_MAX_CERTPOL_SZ);
14377     XSTRNCPY(myCert->certPolicies[1], "1.2.840.113549.1.9.16.6.5",
14378             CTC_MAX_CERTPOL_SZ);
14379     myCert->certPoliciesNb = 2;
14380 
14381     /* add SKID from the Public Key */
14382     if (wc_SetSubjectKeyIdFromPublicKey(myCert, keypub, NULL) != 0) {
14383         ERROR_OUT(-7823, exit_rsa);
14384     }
14385 
14386      /* add AKID from the Public Key */
14387      if (wc_SetAuthKeyIdFromPublicKey(myCert, keypub, NULL) != 0) {
14388         ERROR_OUT(-7824, exit_rsa);
14389     }
14390 
14391     /* add Key Usage */
14392     if (wc_SetKeyUsage(myCert,"cRLSign,keyCertSign") != 0) {
14393         ERROR_OUT(-7825, exit_rsa);
14394     }
14395 #ifdef WOLFSSL_EKU_OID
14396     {
14397         const char unique[] = "2.16.840.1.111111.100.1.10.1";
14398         if (wc_SetExtKeyUsageOID(myCert, unique, sizeof(unique), 0,
14399                     HEAP_HINT) != 0) {
14400             ERROR_OUT(-7826, exit_rsa);
14401         }
14402     }
14403 #endif /* WOLFSSL_EKU_OID */
14404 #endif /* WOLFSSL_CERT_EXT */
14405 
14406     ret = 0;
14407     do {
14408 #if defined(WOLFSSL_ASYNC_CRYPT)
14409         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
14410 #endif
14411         if (ret >= 0) {
14412             ret = wc_MakeSelfCert(myCert, der, FOURK_BUF, key, rng);
14413         }
14414     } while (ret == WC_PENDING_E);
14415     if (ret < 0) {
14416         ERROR_OUT(-7827, exit_rsa);
14417     }
14418     certSz = ret;
14419 
14420 #ifdef WOLFSSL_TEST_CERT
14421     InitDecodedCert(decode, der, certSz, HEAP_HINT);
14422     ret = ParseCert(decode, CERT_TYPE, NO_VERIFY, 0);
14423     if (ret != 0) {
14424         FreeDecodedCert(decode);
14425         ERROR_OUT(-7828, exit_rsa);
14426     }
14427     FreeDecodedCert(decode);
14428 #endif
14429 
14430     ret = SaveDerAndPem(der, certSz, certDerFile, certPemFile,
14431         CERT_TYPE, -5578);
14432     if (ret != 0) {
14433         goto exit_rsa;
14434     }
14435 
14436     /* Setup Certificate */
14437     if (wc_InitCert_ex(myCert, HEAP_HINT, devId)) {
14438         ERROR_OUT(-7829, exit_rsa);
14439     }
14440 
14441 #ifdef WOLFSSL_ALT_NAMES
14442         /* Get CA Cert for testing */
14443     #ifdef USE_CERT_BUFFERS_1024
14444         XMEMCPY(tmp, ca_cert_der_1024, sizeof_ca_cert_der_1024);
14445         bytes3 = sizeof_ca_cert_der_1024;
14446     #elif defined(USE_CERT_BUFFERS_2048)
14447         XMEMCPY(tmp, ca_cert_der_2048, sizeof_ca_cert_der_2048);
14448         bytes3 = sizeof_ca_cert_der_2048;
14449     #else
14450         file3 = XFOPEN(rsaCaCertDerFile, "rb");
14451         if (!file3) {
14452             ERROR_OUT(-7830, exit_rsa);
14453         }
14454         bytes3 = XFREAD(tmp, 1, FOURK_BUF, file3);
14455         XFCLOSE(file3);
14456     #endif /* USE_CERT_BUFFERS */
14457 
14458     #if !defined(NO_FILESYSTEM) && !defined(USE_CERT_BUFFERS_1024) && \
14459         !defined(USE_CERT_BUFFERS_2048) && !defined(NO_ASN)
14460         ret = wc_SetAltNames(myCert, rsaCaCertFile);
14461         if (ret != 0) {
14462             ERROR_OUT(-7831, exit_rsa);
14463         }
14464     #endif
14465         /* get alt names from der */
14466         ret = wc_SetAltNamesBuffer(myCert, tmp, (int)bytes3);
14467         if (ret != 0) {
14468             ERROR_OUT(-7832, exit_rsa);
14469         }
14470 
14471         /* get dates from der */
14472         ret = wc_SetDatesBuffer(myCert, tmp, (int)bytes3);
14473         if (ret != 0) {
14474             ERROR_OUT(-7833, exit_rsa);
14475         }
14476 
14477     #ifndef NO_ASN_TIME
14478         ret = wc_GetCertDates(myCert, &beforeTime, &afterTime);
14479         if (ret < 0) {
14480             ERROR_OUT(-7834, exit_rsa);
14481         }
14482     #endif
14483 #endif /* WOLFSSL_ALT_NAMES */
14484 
14485     /* Get CA Key */
14486 #ifdef USE_CERT_BUFFERS_1024
14487     XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024);
14488     bytes3 = sizeof_ca_key_der_1024;
14489 #elif defined(USE_CERT_BUFFERS_2048)
14490     XMEMCPY(tmp, ca_key_der_2048, sizeof_ca_key_der_2048);
14491     bytes3 = sizeof_ca_key_der_2048;
14492 #else
14493     file3 = XFOPEN(rsaCaKeyFile, "rb");
14494     if (!file3) {
14495         ERROR_OUT(-7835, exit_rsa);
14496     }
14497 
14498     bytes3 = XFREAD(tmp, 1, FOURK_BUF, file3);
14499     XFCLOSE(file3);
14500 #endif /* USE_CERT_BUFFERS */
14501 
14502     ret = wc_InitRsaKey(caKey, HEAP_HINT);
14503     if (ret != 0) {
14504         ERROR_OUT(-7836, exit_rsa);
14505     }
14506     ret = wc_RsaPrivateKeyDecode(tmp, &idx3, caKey, (word32)bytes3);
14507     if (ret != 0) {
14508         ERROR_OUT(-7837, exit_rsa);
14509     }
14510 
14511 #ifndef NO_SHA256
14512     myCert->sigType = CTC_SHA256wRSA;
14513 #else
14514     myCert->sigType = CTC_SHAwRSA;
14515 #endif
14516 
14517     XMEMCPY(&myCert->subject, &certDefaultName, sizeof(CertName));
14518 
14519 #ifdef WOLFSSL_CERT_EXT
14520     /* add Policies */
14521     XSTRNCPY(myCert->certPolicies[0], "2.16.840.1.101.3.4.1.42",
14522             CTC_MAX_CERTPOL_SZ);
14523     myCert->certPoliciesNb =1;
14524 
14525     /* add SKID from the Public Key */
14526     if (wc_SetSubjectKeyIdFromPublicKey(myCert, key, NULL) != 0) {
14527         ERROR_OUT(-7838, exit_rsa);
14528     }
14529 
14530     /* add AKID from the CA certificate */
14531 #if defined(USE_CERT_BUFFERS_2048)
14532     ret = wc_SetAuthKeyIdFromCert(myCert, ca_cert_der_2048,
14533                                         sizeof_ca_cert_der_2048);
14534 #elif defined(USE_CERT_BUFFERS_1024)
14535     ret = wc_SetAuthKeyIdFromCert(myCert, ca_cert_der_1024,
14536                                         sizeof_ca_cert_der_1024);
14537 #else
14538     ret = wc_SetAuthKeyId(myCert, rsaCaCertFile);
14539 #endif
14540     if (ret != 0) {
14541         ERROR_OUT(-7839, exit_rsa);
14542     }
14543 
14544     /* add Key Usage */
14545     if (wc_SetKeyUsage(myCert,"keyEncipherment,keyAgreement") != 0) {
14546         ERROR_OUT(-7840, exit_rsa);
14547     }
14548 #endif /* WOLFSSL_CERT_EXT */
14549 
14550 #if defined(USE_CERT_BUFFERS_2048)
14551     ret = wc_SetIssuerBuffer(myCert, ca_cert_der_2048,
14552                                       sizeof_ca_cert_der_2048);
14553 #elif defined(USE_CERT_BUFFERS_1024)
14554     ret = wc_SetIssuerBuffer(myCert, ca_cert_der_1024,
14555                                       sizeof_ca_cert_der_1024);
14556 #else
14557     ret = wc_SetIssuer(myCert, rsaCaCertFile);
14558 #endif
14559     if (ret < 0) {
14560         ERROR_OUT(-7841, exit_rsa);
14561     }
14562 
14563     certSz = wc_MakeCert(myCert, der, FOURK_BUF, key, NULL, rng);
14564     if (certSz < 0) {
14565         ERROR_OUT(-7842, exit_rsa);
14566     }
14567 
14568     ret = 0;
14569     do {
14570     #if defined(WOLFSSL_ASYNC_CRYPT)
14571         ret = wc_AsyncWait(ret, &caKey->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
14572     #endif
14573         if (ret >= 0) {
14574             ret = wc_SignCert(myCert->bodySz, myCert->sigType, der, FOURK_BUF,
14575                       caKey, NULL, rng);
14576         }
14577     } while (ret == WC_PENDING_E);
14578     if (ret < 0) {
14579         ERROR_OUT(-7843, exit_rsa);
14580     }
14581     certSz = ret;
14582 
14583 #ifdef WOLFSSL_TEST_CERT
14584     InitDecodedCert(decode, der, certSz, HEAP_HINT);
14585     ret = ParseCert(decode, CERT_TYPE, NO_VERIFY, 0);
14586     if (ret != 0) {
14587         FreeDecodedCert(decode);
14588         ERROR_OUT(-7844, exit_rsa);
14589     }
14590     FreeDecodedCert(decode);
14591 #endif
14592 
14593     ret = SaveDerAndPem(der, certSz, otherCertDerFile, otherCertPemFile,
14594         CERT_TYPE, -5598);
14595     if (ret != 0) {
14596         goto exit_rsa;
14597     }
14598 
14599 exit_rsa:
14600 
14601 #ifdef WOLFSSL_SMALL_STACK
14602     if (caKey != NULL) {
14603         wc_FreeRsaKey(caKey);
14604         XFREE(caKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14605     }
14606 #ifdef WOLFSSL_TEST_CERT
14607     if (decode != NULL)
14608         XFREE(decode, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14609 #endif
14610 #else
14611     wc_FreeRsaKey(caKey);
14612 #endif
14613 
14614     XFREE(myCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14615     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14616 
14617     return ret;
14618 }
14619 #endif
14620 
14621 #if !defined(NO_RSA) && defined(HAVE_ECC) && defined(WOLFSSL_CERT_GEN)
14622 /* Make Cert / Sign example for ECC cert and RSA CA */
14623 static int rsa_ecc_certgen_test(WC_RNG* rng, byte* tmp)
14624 {
14625 #ifdef WOLFSSL_SMALL_STACK
14626     RsaKey      *caKey = (RsaKey *)XMALLOC(sizeof *caKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14627     ecc_key     *caEccKey = (ecc_key *)XMALLOC(sizeof *caEccKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14628     ecc_key     *caEccKeyPub = (ecc_key *)XMALLOC(sizeof *caEccKeyPub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14629 #ifdef WOLFSSL_TEST_CERT
14630     DecodedCert *decode = (DecodedCert *)XMALLOC(sizeof *decode, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14631 #endif
14632 #else
14633     RsaKey      caKey[1];
14634     ecc_key     caEccKey[1];
14635     ecc_key     caEccKeyPub[1];
14636 #ifdef WOLFSSL_TEST_CERT
14637     DecodedCert decode[1];
14638 #endif
14639 #endif
14640     byte*       der = NULL;
14641     Cert*       myCert = NULL;
14642     int         certSz;
14643     size_t      bytes3;
14644     word32      idx3 = 0;
14645 #if (!defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)) \
14646     || !defined(USE_CERT_BUFFERS_256)
14647     XFILE       file3;
14648 #endif
14649     int ret;
14650 
14651 #ifdef WOLFSSL_SMALL_STACK
14652     if ((caKey == NULL) || (caEccKey == NULL) || (caEccKeyPub == NULL)
14653 #ifdef WOLFSSL_TEST_CERT
14654         || (decode == NULL)
14655 #endif
14656         )
14657         ERROR_OUT(MEMORY_E, exit_rsa);
14658 #endif
14659 
14660     XMEMSET(caKey, 0, sizeof *caKey);
14661     XMEMSET(caEccKey, 0, sizeof *caEccKey);
14662     XMEMSET(caEccKeyPub, 0, sizeof *caEccKeyPub);
14663 
14664     der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14665     if (der == NULL) {
14666         ERROR_OUT(-7850, exit_rsa);
14667     }
14668     myCert = (Cert*)XMALLOC(sizeof(Cert), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14669     if (myCert == NULL) {
14670         ERROR_OUT(-7851, exit_rsa);
14671     }
14672 
14673     /* Get CA Key */
14674 #ifdef USE_CERT_BUFFERS_1024
14675     XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024);
14676     bytes3 = sizeof_ca_key_der_1024;
14677 #elif defined(USE_CERT_BUFFERS_2048)
14678     XMEMCPY(tmp, ca_key_der_2048, sizeof_ca_key_der_2048);
14679     bytes3 = sizeof_ca_key_der_2048;
14680 #else
14681     file3 = XFOPEN(rsaCaKeyFile, "rb");
14682     if (!file3) {
14683         ERROR_OUT(-7852, exit_rsa);
14684     }
14685 
14686     bytes3 = XFREAD(tmp, 1, FOURK_BUF, file3);
14687     XFCLOSE(file3);
14688 #endif /* USE_CERT_BUFFERS */
14689 
14690     ret = wc_InitRsaKey(caKey, HEAP_HINT);
14691     if (ret != 0) {
14692         ERROR_OUT(-7853, exit_rsa);
14693     }
14694     ret = wc_RsaPrivateKeyDecode(tmp, &idx3, caKey, (word32)bytes3);
14695     if (ret != 0) {
14696         ERROR_OUT(-7854, exit_rsa);
14697     }
14698 
14699     /* Get Cert Key */
14700 #ifdef USE_CERT_BUFFERS_256
14701     XMEMCPY(tmp, ecc_key_pub_der_256, sizeof_ecc_key_pub_der_256);
14702     bytes3 = sizeof_ecc_key_pub_der_256;
14703 #else
14704     file3 = XFOPEN(eccKeyPubFileDer, "rb");
14705     if (!file3) {
14706         ERROR_OUT(-7855, exit_rsa);
14707     }
14708 
14709     bytes3 = XFREAD(tmp, 1, FOURK_BUF, file3);
14710     XFCLOSE(file3);
14711 #endif
14712 
14713     ret = wc_ecc_init_ex(caEccKeyPub, HEAP_HINT, devId);
14714     if (ret != 0) {
14715         ERROR_OUT(-7856, exit_rsa);
14716     }
14717 
14718     idx3 = 0;
14719     ret = wc_EccPublicKeyDecode(tmp, &idx3, caEccKeyPub, (word32)bytes3);
14720     if (ret != 0) {
14721         ERROR_OUT(-7857, exit_rsa);
14722     }
14723 
14724     /* Setup Certificate */
14725     if (wc_InitCert_ex(myCert, HEAP_HINT, devId)) {
14726         ERROR_OUT(-7858, exit_rsa);
14727     }
14728 
14729 #ifndef NO_SHA256
14730     myCert->sigType = CTC_SHA256wRSA;
14731 #else
14732     myCert->sigType = CTC_SHAwRSA;
14733 #endif
14734 
14735     XMEMCPY(&myCert->subject, &certDefaultName, sizeof(CertName));
14736 
14737 #ifdef WOLFSSL_CERT_EXT
14738     /* add Policies */
14739     XSTRNCPY(myCert->certPolicies[0], "2.4.589440.587.101.2.1.9632587.1",
14740             CTC_MAX_CERTPOL_SZ);
14741     XSTRNCPY(myCert->certPolicies[1], "1.2.13025.489.1.113549",
14742             CTC_MAX_CERTPOL_SZ);
14743     myCert->certPoliciesNb = 2;
14744 
14745     /* add SKID from the Public Key */
14746     if (wc_SetSubjectKeyIdFromPublicKey(myCert, NULL, caEccKeyPub) != 0) {
14747         ERROR_OUT(-7859, exit_rsa);
14748     }
14749 
14750     /* add AKID from the CA certificate */
14751 #if defined(USE_CERT_BUFFERS_2048)
14752     ret = wc_SetAuthKeyIdFromCert(myCert, ca_cert_der_2048,
14753                                            sizeof_ca_cert_der_2048);
14754 #elif defined(USE_CERT_BUFFERS_1024)
14755     ret = wc_SetAuthKeyIdFromCert(myCert, ca_cert_der_1024,
14756                                            sizeof_ca_cert_der_1024);
14757 #else
14758     ret = wc_SetAuthKeyId(myCert, rsaCaCertFile);
14759 #endif
14760     if (ret != 0) {
14761         ERROR_OUT(-7860, exit_rsa);
14762     }
14763 
14764     /* add Key Usage */
14765     if (wc_SetKeyUsage(myCert, certKeyUsage) != 0) {
14766         ERROR_OUT(-7861, exit_rsa);
14767     }
14768 #endif /* WOLFSSL_CERT_EXT */
14769 
14770 #if defined(USE_CERT_BUFFERS_2048)
14771     ret = wc_SetIssuerBuffer(myCert, ca_cert_der_2048,
14772                                       sizeof_ca_cert_der_2048);
14773 #elif defined(USE_CERT_BUFFERS_1024)
14774     ret = wc_SetIssuerBuffer(myCert, ca_cert_der_1024,
14775                                       sizeof_ca_cert_der_1024);
14776 #else
14777     ret = wc_SetIssuer(myCert, rsaCaCertFile);
14778 #endif
14779     if (ret < 0) {
14780         ERROR_OUT(-7862, exit_rsa);
14781     }
14782 
14783     certSz = wc_MakeCert(myCert, der, FOURK_BUF, NULL, caEccKeyPub, rng);
14784     if (certSz < 0) {
14785         ERROR_OUT(-7863, exit_rsa);
14786     }
14787 
14788     ret = 0;
14789     do {
14790     #if defined(WOLFSSL_ASYNC_CRYPT)
14791         ret = wc_AsyncWait(ret, &caEccKey->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
14792     #endif
14793         if (ret >= 0) {
14794             ret = wc_SignCert(myCert->bodySz, myCert->sigType, der,
14795                               FOURK_BUF, caKey, NULL, rng);
14796         }
14797     } while (ret == WC_PENDING_E);
14798     if (ret < 0) {
14799         ERROR_OUT(-7864, exit_rsa);
14800     }
14801     certSz = ret;
14802 
14803 #ifdef WOLFSSL_TEST_CERT
14804     InitDecodedCert(decode, der, certSz, 0);
14805     ret = ParseCert(decode, CERT_TYPE, NO_VERIFY, 0);
14806     if (ret != 0) {
14807         FreeDecodedCert(decode);
14808         ERROR_OUT(-7865, exit_rsa);
14809 
14810     }
14811     FreeDecodedCert(decode);
14812 #endif
14813 
14814     ret = SaveDerAndPem(der, certSz, certEccRsaDerFile, certEccRsaPemFile,
14815         CERT_TYPE, -5616);
14816     if (ret != 0) {
14817         goto exit_rsa;
14818     }
14819 
14820 exit_rsa:
14821 
14822 #ifdef WOLFSSL_SMALL_STACK
14823     if (caKey != NULL) {
14824         wc_FreeRsaKey(caKey);
14825         XFREE(caKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14826     }
14827     if (caEccKey != NULL) {
14828         wc_ecc_free(caEccKey);
14829         XFREE(caEccKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14830     }
14831     if (caEccKeyPub != NULL) {
14832         wc_ecc_free(caEccKeyPub);
14833         XFREE(caEccKeyPub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14834     }
14835 #ifdef WOLFSSL_TEST_CERT
14836     if (decode != NULL)
14837         XFREE(decode, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14838 #endif
14839 #else
14840     wc_FreeRsaKey(caKey);
14841     wc_ecc_free(caEccKey);
14842     wc_ecc_free(caEccKeyPub);
14843 #endif
14844 
14845     XFREE(myCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14846     myCert = NULL;
14847     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14848     der = NULL;
14849 
14850     if (ret >= 0)
14851         ret = 0;
14852     return ret;
14853 }
14854 #endif /* !NO_RSA && HAVE_ECC && WOLFSSL_CERT_GEN */
14855 
14856 #ifdef WOLFSSL_KEY_GEN
14857 static int rsa_keygen_test(WC_RNG* rng)
14858 {
14859 #ifdef WOLFSSL_SMALL_STACK
14860     RsaKey *genKey = (RsaKey *)XMALLOC(sizeof *genKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14861 #else
14862     RsaKey genKey[1];
14863 #endif
14864     int    ret;
14865     byte*  der = NULL;
14866 #ifndef WOLFSSL_CRYPTOCELL
14867     word32 idx = 0;
14868 #endif
14869     int    derSz = 0;
14870 #if !defined(WOLFSSL_SP_MATH) && !defined(HAVE_FIPS)
14871     int    keySz = 1024;
14872 #else
14873     int    keySz = 2048;
14874 #endif
14875 
14876 #ifdef WOLFSSL_SMALL_STACK
14877     if (! genKey)
14878         ERROR_OUT(MEMORY_E, exit_rsa);
14879 #endif
14880 
14881     XMEMSET(genKey, 0, sizeof *genKey);
14882 
14883     ret = wc_InitRsaKey_ex(genKey, HEAP_HINT, devId);
14884     if (ret != 0) {
14885         ERROR_OUT(-7870, exit_rsa);
14886     }
14887 
14888 #ifdef HAVE_FIPS
14889     for (;;) {
14890 #endif
14891         ret = wc_MakeRsaKey(genKey, keySz, WC_RSA_EXPONENT, rng);
14892 #if defined(WOLFSSL_ASYNC_CRYPT)
14893         ret = wc_AsyncWait(ret, &genKey->asyncDev, WC_ASYNC_FLAG_NONE);
14894 #endif
14895 #ifdef HAVE_FIPS
14896         if (ret == PRIME_GEN_E)
14897             continue;
14898         break;
14899     }
14900 #endif
14901 
14902     if (ret != 0) {
14903         ERROR_OUT(-7871, exit_rsa);
14904     }
14905     TEST_SLEEP();
14906 
14907     /* If not using old FIPS, or not using FAST or USER RSA... */
14908     #if !defined(HAVE_FAST_RSA) && !defined(HAVE_USER_RSA) && \
14909         (!defined(HAVE_FIPS) || \
14910          (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \
14911         !defined(HAVE_SELFTEST) && !defined(HAVE_INTEL_QA) \
14912         && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
14913     ret = wc_CheckRsaKey(genKey);
14914     if (ret != 0) {
14915         ERROR_OUT(-7872, exit_rsa);
14916     }
14917     #endif
14918     der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14919     if (der == NULL) {
14920         ERROR_OUT(-7873, exit_rsa);
14921     }
14922 
14923     derSz = wc_RsaKeyToDer(genKey, der, FOURK_BUF);
14924     if (derSz < 0) {
14925         ERROR_OUT(-7874, exit_rsa);
14926     }
14927 
14928     ret = SaveDerAndPem(der, derSz, keyDerFile, keyPemFile,
14929         PRIVATEKEY_TYPE, -5555);
14930     if (ret != 0) {
14931         goto exit_rsa;
14932     }
14933 
14934     wc_FreeRsaKey(genKey);
14935     ret = wc_InitRsaKey(genKey, HEAP_HINT);
14936     if (ret != 0) {
14937         ERROR_OUT(-7875, exit_rsa);
14938     }
14939 
14940 #ifndef WOLFSSL_CRYPTOCELL
14941     idx = 0;
14942     /* The private key part of the key gen pairs from cryptocell can't be exported */
14943     ret = wc_RsaPrivateKeyDecode(der, &idx, genKey, derSz);
14944     if (ret != 0) {
14945         ERROR_OUT(-7876, exit_rsa);
14946     }
14947 #endif /* WOLFSSL_CRYPTOCELL */
14948 
14949 exit_rsa:
14950 
14951 #ifdef WOLFSSL_SMALL_STACK
14952     if (genKey) {
14953         wc_FreeRsaKey(genKey);
14954         XFREE(genKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14955     }
14956 #else
14957     wc_FreeRsaKey(genKey);
14958 #endif
14959 
14960     if (der != NULL) {
14961         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
14962         der = NULL;
14963     }
14964 
14965     return ret;
14966 }
14967 #endif
14968 
14969 #ifndef WOLFSSL_RSA_VERIFY_ONLY
14970 #if !defined(WC_NO_RSA_OAEP) && !defined(WC_NO_RNG) && \
14971     !defined(HAVE_FAST_RSA) && !defined(HAVE_USER_RSA) && \
14972      (!defined(HAVE_FIPS) || \
14973       (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
14974 static int rsa_oaep_padding_test(RsaKey* key, WC_RNG* rng)
14975 {
14976     int ret = 0;
14977     word32 idx = 0;
14978     const char inStr[] = TEST_STRING;
14979     const word32 inLen = (word32)TEST_STRING_SZ;
14980     const word32 outSz   = RSA_TEST_BYTES;
14981     const word32 plainSz = RSA_TEST_BYTES;
14982     byte*  res = NULL;
14983 
14984     WC_DECLARE_VAR(in, byte, TEST_STRING_SZ, HEAP_HINT);
14985     WC_DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
14986     WC_DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
14987 
14988 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
14989     if (in == NULL || out == NULL || plain == NULL)
14990         ERROR_OUT(MEMORY_E, exit_rsa);
14991 #endif
14992 
14993     XMEMCPY(in, inStr, inLen);
14994 
14995 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
14996     if (in == NULL || out == NULL || plain == NULL)
14997         ERROR_OUT(MEMORY_E, exit_rsa);
14998 #endif
14999 
15000 #ifndef NO_SHA
15001     do {
15002 #if defined(WOLFSSL_ASYNC_CRYPT)
15003         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15004 #endif
15005 
15006         if (ret >= 0) {
15007             ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, key, rng,
15008                        WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA, WC_MGF1SHA1, NULL, 0);
15009         }
15010     } while (ret == WC_PENDING_E);
15011     if (ret < 0) {
15012         ERROR_OUT(-7918, exit_rsa);
15013     }
15014     TEST_SLEEP();
15015 
15016 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
15017     idx = (word32)ret;
15018     do {
15019 #if defined(WOLFSSL_ASYNC_CRYPT)
15020         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15021 #endif
15022         if (ret >= 0) {
15023             ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, key,
15024                        WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA, WC_MGF1SHA1, NULL, 0);
15025         }
15026     } while (ret == WC_PENDING_E);
15027     if (ret < 0) {
15028         ERROR_OUT(-7919, exit_rsa);
15029     }
15030 
15031     if (XMEMCMP(plain, in, inLen)) {
15032         ERROR_OUT(-7920, exit_rsa);
15033     }
15034     TEST_SLEEP();
15035     #endif /* NO_SHA */
15036 #endif
15037 
15038     #ifndef NO_SHA256
15039     XMEMSET(plain, 0, plainSz);
15040 #ifndef WOLFSSL_RSA_VERIFY_ONLY
15041     do {
15042 #if defined(WOLFSSL_ASYNC_CRYPT)
15043         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15044 #endif
15045         if (ret >= 0) {
15046             ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, key, rng,
15047                   WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0);
15048         }
15049     } while (ret == WC_PENDING_E);
15050     if (ret < 0) {
15051         ERROR_OUT(-7921, exit_rsa);
15052     }
15053     TEST_SLEEP();
15054 #endif /* WOLFSSL_RSA_VERIFY_ONLY */
15055 
15056     idx = (word32)ret;
15057 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
15058     do {
15059 #if defined(WOLFSSL_ASYNC_CRYPT)
15060         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15061 #endif
15062         if (ret >= 0) {
15063             ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, key,
15064                   WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0);
15065         }
15066     } while (ret == WC_PENDING_E);
15067     if (ret < 0) {
15068         ERROR_OUT(-7922, exit_rsa);
15069     }
15070 
15071     if (XMEMCMP(plain, in, inLen)) {
15072         ERROR_OUT(-7923, exit_rsa);
15073     }
15074     TEST_SLEEP();
15075 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */
15076 
15077 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
15078     do {
15079 #if defined(WOLFSSL_ASYNC_CRYPT)
15080         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15081 #endif
15082         if (ret >= 0) {
15083             ret = wc_RsaPrivateDecryptInline_ex(out, idx, &res, key,
15084                 WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0);
15085         }
15086     } while (ret == WC_PENDING_E);
15087     if (ret < 0) {
15088         ERROR_OUT(-7924, exit_rsa);
15089     }
15090     if (ret != (int)inLen) {
15091         ERROR_OUT(-7925, exit_rsa);
15092     }
15093     if (XMEMCMP(res, in, inLen)) {
15094         ERROR_OUT(-7926, exit_rsa);
15095     }
15096     TEST_SLEEP();
15097 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */
15098 
15099     /* check fails if not using the same optional label */
15100     XMEMSET(plain, 0, plainSz);
15101 #ifndef WOLFSSL_RSA_VERIFY_ONLY
15102     do {
15103 #if defined(WOLFSSL_ASYNC_CRYPT)
15104         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15105 #endif
15106         if (ret >= 0) {
15107             ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, key, rng,
15108                   WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0);
15109         }
15110     } while (ret == WC_PENDING_E);
15111     if (ret < 0) {
15112         ERROR_OUT(-7927, exit_rsa);
15113     }
15114     TEST_SLEEP();
15115 #endif /* WOLFSSL_RSA_VERIFY_ONLY */
15116 
15117 /* TODO: investigate why Cavium Nitrox doesn't detect decrypt error here */
15118 #if !defined(HAVE_CAVIUM) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
15119     !defined(WOLFSSL_CRYPTOCELL)
15120 /* label is unused in cryptocell so it won't detect decrypt error due to label */
15121     idx = (word32)ret;
15122     do {
15123 #if defined(WOLFSSL_ASYNC_CRYPT)
15124         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15125 #endif
15126         if (ret >= 0) {
15127             ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, key,
15128                WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, in, inLen);
15129         }
15130     } while (ret == WC_PENDING_E);
15131     if (ret > 0) { /* in this case decrypt should fail */
15132         ERROR_OUT(-7928, exit_rsa);
15133     }
15134     ret = 0;
15135     TEST_SLEEP();
15136 #endif /* !HAVE_CAVIUM */
15137 
15138     /* check using optional label with encrypt/decrypt */
15139     XMEMSET(plain, 0, plainSz);
15140 #ifndef WOLFSSL_RSA_VERIFY_ONLY
15141     do {
15142 #if defined(WOLFSSL_ASYNC_CRYPT)
15143         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15144 #endif
15145         if (ret >= 0) {
15146             ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, key, rng,
15147                WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, in, inLen);
15148         }
15149     } while (ret == WC_PENDING_E);
15150     if (ret < 0) {
15151         ERROR_OUT(-7929, exit_rsa);
15152     }
15153     TEST_SLEEP();
15154 #endif /* WOLFSSL_RSA_VERIFY_ONLY */
15155 
15156     idx = (word32)ret;
15157 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
15158     do {
15159 #if defined(WOLFSSL_ASYNC_CRYPT)
15160         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15161 #endif
15162         if (ret >= 0) {
15163             ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, key,
15164                WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, in, inLen);
15165         }
15166     } while (ret == WC_PENDING_E);
15167     if (ret < 0) {
15168         ERROR_OUT(-7930, exit_rsa);
15169     }
15170 
15171     if (XMEMCMP(plain, in, inLen)) {
15172         ERROR_OUT(-7931, exit_rsa);
15173     }
15174     TEST_SLEEP();
15175 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */
15176 
15177 #ifndef WOLFSSL_RSA_VERIFY_ONLY
15178     #ifndef NO_SHA
15179         /* check fail using mismatch hash algorithms */
15180         XMEMSET(plain, 0, plainSz);
15181         do {
15182     #if defined(WOLFSSL_ASYNC_CRYPT)
15183             ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15184     #endif
15185             if (ret >= 0) {
15186                 ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, key, rng,
15187                     WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA, WC_MGF1SHA1, in, inLen);
15188             }
15189         } while (ret == WC_PENDING_E);
15190         if (ret < 0) {
15191             ERROR_OUT(-7932, exit_rsa);
15192         }
15193         TEST_SLEEP();
15194 
15195 /* TODO: investigate why Cavium Nitrox doesn't detect decrypt error here */
15196 #if !defined(HAVE_CAVIUM) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
15197     !defined(WOLFSSL_CRYPTOCELL)
15198         idx = (word32)ret;
15199         do {
15200     #if defined(WOLFSSL_ASYNC_CRYPT)
15201             ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15202     #endif
15203             if (ret >= 0) {
15204                 ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, key,
15205                     WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256,
15206                     in, inLen);
15207             }
15208         } while (ret == WC_PENDING_E);
15209         if (ret > 0) { /* should fail */
15210             ERROR_OUT(-7933, exit_rsa);
15211         }
15212         ret = 0;
15213         TEST_SLEEP();
15214     #endif /* !HAVE_CAVIUM */
15215     #endif /* NO_SHA */
15216 #endif /* WOLFSSL_RSA_VERIFY_ONLY */
15217 #endif /* NO_SHA256 */
15218 
15219 #ifdef WOLFSSL_SHA512
15220     /* Check valid RSA key size is used while using hash length of SHA512
15221        If key size is less than (hash length * 2) + 2 then is invalid use
15222        and test, since OAEP padding requires this.
15223        BAD_FUNC_ARG is returned when this case is not met */
15224     if (wc_RsaEncryptSize(key) > ((int)WC_SHA512_DIGEST_SIZE * 2) + 2) {
15225         XMEMSET(plain, 0, plainSz);
15226         do {
15227     #if defined(WOLFSSL_ASYNC_CRYPT)
15228             ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15229     #endif
15230             if (ret >= 0) {
15231                 ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, key, rng,
15232                   WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA512, WC_MGF1SHA512, NULL, 0);
15233             }
15234         } while (ret == WC_PENDING_E);
15235         if (ret < 0) {
15236             ERROR_OUT(-7934, exit_rsa);
15237         }
15238         TEST_SLEEP();
15239 
15240         idx = ret;
15241 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
15242         do {
15243     #if defined(WOLFSSL_ASYNC_CRYPT)
15244             ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15245     #endif
15246             if (ret >= 0) {
15247                 ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, key,
15248                   WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA512, WC_MGF1SHA512, NULL, 0);
15249             }
15250         } while (ret == WC_PENDING_E);
15251         if (ret < 0) {
15252             ERROR_OUT(-7935, exit_rsa);
15253         }
15254 
15255         if (XMEMCMP(plain, in, inLen)) {
15256             ERROR_OUT(-7936, exit_rsa);
15257         }
15258         TEST_SLEEP();
15259 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */
15260     }
15261 #endif /* WOLFSSL_SHA512 */
15262 
15263     /* check using pkcsv15 padding with _ex API */
15264     XMEMSET(plain, 0, plainSz);
15265     do {
15266 #if defined(WOLFSSL_ASYNC_CRYPT)
15267         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15268 #endif
15269         if (ret >= 0) {
15270             ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, key, rng,
15271                   WC_RSA_PKCSV15_PAD, WC_HASH_TYPE_NONE, 0, NULL, 0);
15272         }
15273     } while (ret == WC_PENDING_E);
15274     if (ret < 0) {
15275         ERROR_OUT(-7937, exit_rsa);
15276     }
15277     TEST_SLEEP();
15278 
15279     idx = (word32)ret;
15280 #ifndef WOLFSSL_RSA_PUBLIC_ONLY
15281     do {
15282 #if defined(WOLFSSL_ASYNC_CRYPT)
15283         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15284 #endif
15285         if (ret >= 0) {
15286             ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, key,
15287                   WC_RSA_PKCSV15_PAD, WC_HASH_TYPE_NONE, 0, NULL, 0);
15288         }
15289     } while (ret == WC_PENDING_E);
15290     if (ret < 0) {
15291         ERROR_OUT(-7938, exit_rsa);
15292     }
15293 
15294     if (XMEMCMP(plain, in, inLen)) {
15295         ERROR_OUT(-7939, exit_rsa);
15296     }
15297     TEST_SLEEP();
15298 #endif /* WOLFSSL_RSA_PUBLIC_ONLY */
15299 
15300 exit_rsa:
15301     WC_FREE_VAR(in, HEAP_HINT);
15302     WC_FREE_VAR(out, HEAP_HINT);
15303     WC_FREE_VAR(plain, HEAP_HINT);
15304 
15305     (void)idx;
15306     (void)inStr;
15307     (void)res;
15308 
15309     if (ret >= 0)
15310         ret = 0;
15311 
15312     return ret;
15313 
15314 }
15315 #endif
15316 #endif
15317 
15318 WOLFSSL_TEST_SUBROUTINE int rsa_test(void)
15319 {
15320     int    ret;
15321     byte*  tmp = NULL;
15322     byte*  der = NULL;
15323     size_t bytes;
15324     WC_RNG rng;
15325 #ifdef WOLFSSL_SMALL_STACK
15326     RsaKey *key = (RsaKey *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15327 #else
15328     RsaKey key[1];
15329 #endif
15330 #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN)
15331 #ifdef WOLFSSL_SMALL_STACK
15332     RsaKey *keypub = (RsaKey *)XMALLOC(sizeof *keypub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15333 #else
15334     RsaKey keypub[1];
15335 #endif
15336 #endif
15337     word32 idx = 0;
15338     const char inStr[] = TEST_STRING;
15339     const word32 inLen = (word32)TEST_STRING_SZ;
15340     const word32 outSz   = RSA_TEST_BYTES;
15341     const word32 plainSz = RSA_TEST_BYTES;
15342     byte*  res = NULL;
15343 #ifndef NO_SIG_WRAPPER
15344     int modLen;
15345 #endif
15346 #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
15347     !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096) && \
15348     !defined(NO_FILESYSTEM)
15349     XFILE   file;
15350 #ifdef WOLFSSL_TEST_CERT
15351     XFILE   file2;
15352 #endif
15353 #endif
15354 #ifdef WOLFSSL_TEST_CERT
15355 #ifdef WOLFSSL_SMALL_STACK
15356     DecodedCert *cert = (DecodedCert *)XMALLOC(sizeof *cert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15357 #else
15358     DecodedCert cert[1];
15359 #endif
15360 #ifndef NO_ASN_TIME
15361     struct tm   timearg;
15362     const byte* date;
15363     byte        dateFormat;
15364     int         dateLength;
15365 #endif
15366 #endif
15367 
15368     WC_DECLARE_VAR(in, byte, TEST_STRING_SZ, HEAP_HINT);
15369     WC_DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
15370     WC_DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
15371 
15372 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
15373     if (in == NULL || out == NULL || plain == NULL)
15374         ERROR_OUT(MEMORY_E, exit_rsa);
15375 #endif
15376 
15377     XMEMCPY(in, inStr, inLen);
15378 
15379 #ifdef WOLFSSL_SMALL_STACK
15380     if (key == NULL)
15381         ERROR_OUT(MEMORY_E, exit_rsa);
15382 #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN)
15383     if (keypub == NULL)
15384         ERROR_OUT(MEMORY_E, exit_rsa);
15385 #endif
15386 #ifdef WOLFSSL_TEST_CERT
15387     if (cert == NULL)
15388         ERROR_OUT(MEMORY_E, exit_rsa);
15389 #endif
15390 #endif /* WOLFSSL_SMALL_STACK */
15391 
15392     /* initialize stack structures */
15393     XMEMSET(&rng, 0, sizeof(rng));
15394     XMEMSET(key, 0, sizeof *key);
15395 #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN)
15396     XMEMSET(keypub, 0, sizeof *keypub);
15397 #endif
15398 
15399 #if !defined(HAVE_USER_RSA) && !defined(NO_ASN)
15400     ret = rsa_decode_test(key);
15401     if (ret != 0)
15402         ERROR_OUT(ret, exit_rsa);
15403 #endif
15404 
15405 #ifdef USE_CERT_BUFFERS_1024
15406     bytes = (size_t)sizeof_client_key_der_1024;
15407     if (bytes < (size_t)sizeof_client_cert_der_1024)
15408         bytes = (size_t)sizeof_client_cert_der_1024;
15409 #elif defined(USE_CERT_BUFFERS_2048)
15410     bytes = (size_t)sizeof_client_key_der_2048;
15411     if (bytes < (size_t)sizeof_client_cert_der_2048)
15412         bytes = (size_t)sizeof_client_cert_der_2048;
15413 #elif defined(USE_CERT_BUFFERS_3072)
15414     bytes = (size_t)sizeof_client_key_der_3072;
15415     if (bytes < (size_t)sizeof_client_cert_der_3072)
15416         bytes = (size_t)sizeof_client_cert_der_3072;
15417 #elif defined(USE_CERT_BUFFERS_4096)
15418     bytes = (size_t)sizeof_client_key_der_4096;
15419     if (bytes < (size_t)sizeof_client_cert_der_4096)
15420         bytes = (size_t)sizeof_client_cert_der_4096;
15421 #else
15422     bytes = FOURK_BUF;
15423 #endif
15424 
15425     tmp = (byte*)XMALLOC(bytes, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15426     if (tmp == NULL)
15427         ERROR_OUT(-7900, exit_rsa);
15428 
15429 #ifdef USE_CERT_BUFFERS_1024
15430     XMEMCPY(tmp, client_key_der_1024, (size_t)sizeof_client_key_der_1024);
15431 #elif defined(USE_CERT_BUFFERS_2048)
15432     XMEMCPY(tmp, client_key_der_2048, (size_t)sizeof_client_key_der_2048);
15433 #elif defined(USE_CERT_BUFFERS_3072)
15434     XMEMCPY(tmp, client_key_der_3072, (size_t)sizeof_client_key_der_3072);
15435 #elif defined(USE_CERT_BUFFERS_4096)
15436     XMEMCPY(tmp, client_key_der_4096, (size_t)sizeof_client_key_der_4096);
15437 #elif !defined(NO_FILESYSTEM)
15438     file = XFOPEN(clientKey, "rb");
15439     if (!file) {
15440         err_sys("can't open ./certs/client-key.der, "
15441                 "Please run from wolfSSL home dir", -40);
15442         ERROR_OUT(-7901, exit_rsa);
15443     }
15444 
15445     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
15446     XFCLOSE(file);
15447 #else
15448     /* No key to use. */
15449     ERROR_OUT(-7902, exit_rsa);
15450 #endif /* USE_CERT_BUFFERS */
15451 
15452     ret = wc_InitRsaKey_ex(key, HEAP_HINT, devId);
15453     if (ret != 0) {
15454         ERROR_OUT(-7903, exit_rsa);
15455     }
15456 #ifndef NO_ASN
15457     ret = wc_RsaPrivateKeyDecode(tmp, &idx, key, (word32)bytes);
15458     if (ret != 0) {
15459         ERROR_OUT(-7904, exit_rsa);
15460     }
15461 #ifndef NO_SIG_WRAPPER
15462     modLen = wc_RsaEncryptSize(key);
15463 #endif
15464 #else
15465     #ifdef USE_CERT_BUFFERS_2048
15466         ret = mp_read_unsigned_bin(&key->n, &tmp[12], 256);
15467         if (ret != 0) {
15468             ERROR_OUT(-7905, exit_rsa);
15469         }
15470         ret = mp_set_int(&key->e, WC_RSA_EXPONENT);
15471         if (ret != 0) {
15472             ERROR_OUT(-7906, exit_rsa);
15473         }
15474 #ifndef NO_SIG_WRAPPER
15475         modLen = 2048;
15476 #endif
15477     #else
15478         #error Not supported yet!
15479     #endif
15480 #endif
15481 
15482 #ifndef WC_NO_RNG
15483 #ifndef HAVE_FIPS
15484     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
15485 #else
15486     ret = wc_InitRng(&rng);
15487 #endif
15488     if (ret != 0) {
15489         ERROR_OUT(-7907, exit_rsa);
15490     }
15491 #endif
15492 
15493 #ifndef NO_SIG_WRAPPER
15494     ret = rsa_sig_test(key, sizeof *key, modLen, &rng);
15495     if (ret != 0)
15496         goto exit_rsa;
15497 #endif
15498 
15499 #ifdef WC_RSA_NONBLOCK
15500     ret = rsa_nb_test(key, in, inLen, out, outSz, plain, plainSz, &rng);
15501     if (ret != 0)
15502         goto exit_rsa;
15503 #endif
15504 
15505 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
15506     !defined(WC_NO_RNG)
15507     do {
15508 #if defined(WOLFSSL_ASYNC_CRYPT)
15509         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15510 #endif
15511         if (ret >= 0) {
15512             ret = wc_RsaPublicEncrypt(in, inLen, out, outSz, key, &rng);
15513         }
15514     } while (ret == WC_PENDING_E);
15515     if (ret < 0) {
15516         ERROR_OUT(-7908, exit_rsa);
15517     }
15518     TEST_SLEEP();
15519 
15520 #ifdef WC_RSA_BLINDING
15521     {
15522         int tmpret = ret;
15523         ret = wc_RsaSetRNG(key, &rng);
15524         if (ret < 0) {
15525             ERROR_OUT(-7909, exit_rsa);
15526         }
15527         ret = tmpret;
15528     }
15529 #endif
15530 
15531     idx = (word32)ret; /* save off encrypted length */
15532     do {
15533 #if defined(WOLFSSL_ASYNC_CRYPT)
15534         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15535 #endif
15536         if (ret >= 0) {
15537             ret = wc_RsaPrivateDecrypt(out, idx, plain, plainSz, key);
15538         }
15539     } while (ret == WC_PENDING_E);
15540     if (ret < 0) {
15541         ERROR_OUT(-7910, exit_rsa);
15542     }
15543 
15544     if (XMEMCMP(plain, in, inLen)) {
15545         ERROR_OUT(-7911, exit_rsa);
15546     }
15547     TEST_SLEEP();
15548 
15549     do {
15550 #if defined(WOLFSSL_ASYNC_CRYPT)
15551         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15552 #endif
15553         if (ret >= 0) {
15554             ret = wc_RsaPrivateDecryptInline(out, idx, &res, key);
15555         }
15556     } while (ret == WC_PENDING_E);
15557     if (ret < 0) {
15558         ERROR_OUT(-7912, exit_rsa);
15559     }
15560     if (ret != (int)inLen) {
15561         ERROR_OUT(-7913, exit_rsa);
15562     }
15563     if (XMEMCMP(res, in, inLen)) {
15564         ERROR_OUT(-7914, exit_rsa);
15565     }
15566     TEST_SLEEP();
15567 
15568     do {
15569 #if defined(WOLFSSL_ASYNC_CRYPT)
15570         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15571 #endif
15572         if (ret >= 0) {
15573             ret = wc_RsaSSL_Sign(in, inLen, out, outSz, key, &rng);
15574         }
15575     } while (ret == WC_PENDING_E);
15576     if (ret < 0) {
15577         ERROR_OUT(-7915, exit_rsa);
15578     }
15579     TEST_SLEEP();
15580 
15581 #elif defined(WOLFSSL_PUBLIC_MP)
15582     {
15583         static byte signature_2048[] = {
15584             0x07, 0x6f, 0xc9, 0x85, 0x73, 0x9e, 0x21, 0x79,
15585             0x47, 0xf1, 0xa3, 0xd7, 0xf4, 0x27, 0x29, 0xbe,
15586             0x99, 0x5d, 0xac, 0xb2, 0x10, 0x3f, 0x95, 0xda,
15587             0x89, 0x23, 0xb8, 0x96, 0x13, 0x57, 0x72, 0x30,
15588             0xa1, 0xfe, 0x5a, 0x68, 0x9c, 0x99, 0x9d, 0x1e,
15589             0x05, 0xa4, 0x80, 0xb0, 0xbb, 0xd9, 0xd9, 0xa1,
15590             0x69, 0x97, 0x74, 0xb3, 0x41, 0x21, 0x3b, 0x47,
15591             0xf5, 0x51, 0xb1, 0xfb, 0xc7, 0xaa, 0xcc, 0xdc,
15592             0xcd, 0x76, 0xa0, 0x28, 0x4d, 0x27, 0x14, 0xa4,
15593             0xb9, 0x41, 0x68, 0x7c, 0xb3, 0x66, 0xe6, 0x6f,
15594             0x40, 0x76, 0xe4, 0x12, 0xfd, 0xae, 0x29, 0xb5,
15595             0x63, 0x60, 0x87, 0xce, 0x49, 0x6b, 0xf3, 0x05,
15596             0x9a, 0x14, 0xb5, 0xcc, 0xcd, 0xf7, 0x30, 0x95,
15597             0xd2, 0x72, 0x52, 0x1d, 0x5b, 0x7e, 0xef, 0x4a,
15598             0x02, 0x96, 0x21, 0x6c, 0x55, 0xa5, 0x15, 0xb1,
15599             0x57, 0x63, 0x2c, 0xa3, 0x8e, 0x9d, 0x3d, 0x45,
15600             0xcc, 0xb8, 0xe6, 0xa1, 0xc8, 0x59, 0xcd, 0xf5,
15601             0xdc, 0x0a, 0x51, 0xb6, 0x9d, 0xfb, 0xf4, 0x6b,
15602             0xfd, 0x32, 0x71, 0x6e, 0xcf, 0xcb, 0xb3, 0xd9,
15603             0xe0, 0x4a, 0x77, 0x34, 0xd6, 0x61, 0xf5, 0x7c,
15604             0xf9, 0xa9, 0xa4, 0xb0, 0x8e, 0x3b, 0xd6, 0x04,
15605             0xe0, 0xde, 0x2b, 0x5b, 0x5a, 0xbf, 0xd9, 0xef,
15606             0x8d, 0xa3, 0xf5, 0xb1, 0x67, 0xf3, 0xb9, 0x72,
15607             0x0a, 0x37, 0x12, 0x35, 0x6c, 0x8e, 0x10, 0x8b,
15608             0x38, 0x06, 0x16, 0x4b, 0x20, 0x20, 0x13, 0x00,
15609             0x2e, 0x6d, 0xc2, 0x59, 0x23, 0x67, 0x4a, 0x6d,
15610             0xa1, 0x46, 0x8b, 0xee, 0xcf, 0x44, 0xb4, 0x3e,
15611             0x56, 0x75, 0x00, 0x68, 0xb5, 0x7d, 0x0f, 0x20,
15612             0x79, 0x5d, 0x7f, 0x12, 0x15, 0x32, 0x89, 0x61,
15613             0x6b, 0x29, 0xb7, 0x52, 0xf5, 0x25, 0xd8, 0x98,
15614             0xe8, 0x6f, 0xf9, 0x22, 0xb4, 0xbb, 0xe5, 0xff,
15615             0xd0, 0x92, 0x86, 0x9a, 0x88, 0xa2, 0xaf, 0x6b
15616         };
15617         ret = sizeof(signature_2048);
15618         XMEMCPY(out, signature_2048, ret);
15619     }
15620 #endif
15621 
15622 #if !defined(WC_NO_RNG) && !defined(WC_NO_RSA_OAEP) && \
15623     ((!defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
15624     defined(WOLFSSL_PUBLIC_MP))
15625     idx = (word32)ret;
15626     XMEMSET(plain, 0, plainSz);
15627     do {
15628 #if defined(WOLFSSL_ASYNC_CRYPT)
15629         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15630 #endif
15631         if (ret >= 0) {
15632 #ifndef WOLFSSL_RSA_VERIFY_INLINE
15633 
15634 #if defined(WOLFSSL_CRYPTOCELL)
15635         /*
15636         Cryptocell requires the input data and signature byte array to verify.
15637 
15638         first argument must be the input data
15639         second argument must be the length of input data
15640         third argument must be the signature byte array or the output from
15641                                                                 wc_RsaSSL_Sign()
15642         fourth argument must be the length of the signature byte array
15643         */
15644 
15645         ret = wc_RsaSSL_Verify(in, inLen, out, outSz, key);
15646 #else
15647         ret = wc_RsaSSL_Verify(out, idx, plain, plainSz, key);
15648 #endif /* WOLFSSL_CRYPTOCELL */
15649 #else
15650             byte* dec = NULL;
15651             ret = wc_RsaSSL_VerifyInline(out, idx, &dec, key);
15652             if (ret > 0) {
15653                 XMEMCPY(plain, dec, ret);
15654             }
15655 #endif
15656         }
15657     } while (ret == WC_PENDING_E);
15658     if (ret < 0) {
15659         ERROR_OUT(-7916, exit_rsa);
15660     }
15661 
15662     if (XMEMCMP(plain, in, (size_t)ret)) {
15663         ERROR_OUT(-7917, exit_rsa);
15664     }
15665     TEST_SLEEP();
15666 #endif
15667 
15668 #ifndef WOLFSSL_RSA_VERIFY_ONLY
15669     #if !defined(WC_NO_RSA_OAEP) && !defined(WC_NO_RNG)
15670     #if !defined(HAVE_FAST_RSA) && !defined(HAVE_USER_RSA) && \
15671         (!defined(HAVE_FIPS) || \
15672          (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
15673     ret = rsa_oaep_padding_test(key, &rng);
15674     if (ret != 0)
15675         return ret;
15676 
15677     #endif /* !HAVE_FAST_RSA && !HAVE_FIPS */
15678     #endif /* WC_NO_RSA_OAEP && !WC_NO_RNG */
15679 #endif /* WOLFSSL_RSA_VERIFY_ONLY */
15680 
15681 #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(NO_ASN) \
15682     && !defined(WOLFSSL_RSA_VERIFY_ONLY)
15683     ret = rsa_export_key_test(key);
15684     if (ret != 0)
15685         return ret;
15686 #endif
15687 
15688 #if !defined(NO_ASN) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
15689                                                !defined(WOLFSSL_RSA_VERIFY_ONLY)
15690     ret = rsa_flatten_test(key);
15691     if (ret != 0)
15692         return ret;
15693 #endif
15694 
15695 #if !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_ASN) && \
15696     !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
15697     !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
15698     (void)clientCert;
15699 #endif
15700 
15701 #ifdef WOLFSSL_TEST_CERT
15702 #if defined(WOLFSSL_MDK_ARM)
15703     #define sizeof(s) XSTRLEN((char *)(s))
15704 #endif
15705 
15706 #ifdef USE_CERT_BUFFERS_1024
15707     XMEMCPY(tmp, client_cert_der_1024, (size_t)sizeof_client_cert_der_1024);
15708     bytes = (size_t)sizeof_client_cert_der_1024;
15709 #elif defined(USE_CERT_BUFFERS_2048)
15710     XMEMCPY(tmp, client_cert_der_2048, (size_t)sizeof_client_cert_der_2048);
15711     bytes = (size_t)sizeof_client_cert_der_2048;
15712 #elif defined(USE_CERT_BUFFERS_3072)
15713     XMEMCPY(tmp, client_cert_der_3072, (size_t)sizeof_client_cert_der_3072);
15714     bytes = (size_t)sizeof_client_cert_der_3072;
15715 #elif defined(USE_CERT_BUFFERS_4096)
15716     XMEMCPY(tmp, client_cert_der_4096, (size_t)sizeof_client_cert_der_4096);
15717     bytes = (size_t)sizeof_client_cert_der_4096;
15718 #elif !defined(NO_FILESYSTEM)
15719     file2 = XFOPEN(clientCert, "rb");
15720     if (!file2) {
15721         ERROR_OUT(-7940, exit_rsa);
15722     }
15723 
15724     bytes = XFREAD(tmp, 1, FOURK_BUF, file2);
15725     XFCLOSE(file2);
15726 #else
15727     /* No certificate to use. */
15728     ERROR_OUT(-7941, exit_rsa);
15729 #endif
15730 
15731 #ifdef sizeof
15732     #undef sizeof
15733 #endif
15734     InitDecodedCert(cert, tmp, (word32)bytes, NULL);
15735 
15736     ret = ParseCert(cert, CERT_TYPE, NO_VERIFY, NULL);
15737     if (ret != 0) {
15738         FreeDecodedCert(cert);
15739         ERROR_OUT(-7942, exit_rsa);
15740     }
15741 
15742 #ifndef NO_ASN_TIME
15743     ret = wc_GetDateInfo(cert->afterDate, cert->afterDateLen, &date,
15744                          &dateFormat, &dateLength);
15745     if (ret != 0) {
15746         FreeDecodedCert(cert);
15747         ERROR_OUT(-7943, exit_rsa);
15748     }
15749     ret = wc_GetDateAsCalendarTime(date, dateLength, dateFormat, &timearg);
15750     if (ret != 0) {
15751         FreeDecodedCert(cert);
15752         ERROR_OUT(-7944, exit_rsa);
15753     }
15754 #endif
15755 
15756     FreeDecodedCert(cert);
15757 #endif /* WOLFSSL_TEST_CERT */
15758 
15759 #ifdef WOLFSSL_CERT_EXT
15760 
15761 #ifdef USE_CERT_BUFFERS_1024
15762     XMEMCPY(tmp, client_keypub_der_1024, sizeof_client_keypub_der_1024);
15763     bytes = sizeof_client_keypub_der_1024;
15764 #elif defined(USE_CERT_BUFFERS_2048)
15765     XMEMCPY(tmp, client_keypub_der_2048, sizeof_client_keypub_der_2048);
15766     bytes = sizeof_client_keypub_der_2048;
15767 #elif defined(USE_CERT_BUFFERS_3072)
15768     XMEMCPY(tmp, client_keypub_der_3072, sizeof_client_keypub_der_3072);
15769     bytes = sizeof_client_keypub_der_3072;
15770 #elif defined(USE_CERT_BUFFERS_4096)
15771     XMEMCPY(tmp, client_keypub_der_4096, sizeof_client_keypub_der_4096);
15772     bytes = sizeof_client_keypub_der_4096;
15773 #else
15774     file = XFOPEN(clientKeyPub, "rb");
15775     if (!file) {
15776         err_sys("can't open ./certs/client-keyPub.der, "
15777                 "Please run from wolfSSL home dir", -40);
15778         ERROR_OUT(-7945, exit_rsa);
15779     }
15780 
15781     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
15782     XFCLOSE(file);
15783 #endif /* USE_CERT_BUFFERS */
15784 
15785     ret = wc_InitRsaKey(keypub, HEAP_HINT);
15786     if (ret != 0) {
15787         ERROR_OUT(-7946, exit_rsa);
15788     }
15789     idx = 0;
15790 
15791     ret = wc_RsaPublicKeyDecode(tmp, &idx, keypub, (word32)bytes);
15792     if (ret != 0) {
15793         ERROR_OUT(-7947, exit_rsa);
15794     }
15795 #endif /* WOLFSSL_CERT_EXT */
15796 
15797 #ifdef WOLFSSL_KEY_GEN
15798     ret = rsa_keygen_test(&rng);
15799     if (ret != 0)
15800         goto exit_rsa;
15801 #endif
15802 
15803 #ifdef WOLFSSL_CERT_GEN
15804     /* Make Cert / Sign example for RSA cert and RSA CA */
15805     ret = rsa_certgen_test(key, keypub, &rng, tmp);
15806     if (ret != 0)
15807         goto exit_rsa;
15808 
15809 #if !defined(NO_RSA) && defined(HAVE_ECC)
15810     ret = rsa_ecc_certgen_test(&rng, tmp);
15811     if (ret != 0)
15812         goto exit_rsa;
15813 #endif
15814 
15815 #ifdef WOLFSSL_CERT_REQ
15816     {
15817         Cert        *req;
15818         int         derSz;
15819 
15820         req = (Cert *)XMALLOC(sizeof *req, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15821         if (! req)
15822             ERROR_OUT(MEMORY_E, exit_rsa);
15823         der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER);
15824         if (der == NULL) {
15825             ERROR_OUT(-7964, exit_rsa);
15826         }
15827 
15828         if (wc_InitCert_ex(req, HEAP_HINT, devId)) {
15829             ERROR_OUT(-7965, exit_rsa);
15830         }
15831 
15832         req->version = 0;
15833         req->isCA    = 1;
15834         XSTRNCPY(req->challengePw, "wolf123", CTC_NAME_SIZE);
15835         XMEMCPY(&req->subject, &certDefaultName, sizeof(CertName));
15836 
15837     #ifndef NO_SHA256
15838         req->sigType = CTC_SHA256wRSA;
15839     #else
15840         req->sigType = CTC_SHAwRSA;
15841     #endif
15842 
15843     #ifdef WOLFSSL_CERT_EXT
15844         /* add SKID from the Public Key */
15845         if (wc_SetSubjectKeyIdFromPublicKey(req, keypub, NULL) != 0) {
15846             ERROR_OUT(-7966, exit_rsa);
15847         }
15848 
15849         /* add Key Usage */
15850         if (wc_SetKeyUsage(req, certKeyUsage2) != 0) {
15851             ERROR_OUT(-7967, exit_rsa);
15852         }
15853 
15854         /* add Extended Key Usage */
15855         if (wc_SetExtKeyUsage(req, "serverAuth,clientAuth,codeSigning,"
15856                             "emailProtection,timeStamping,OCSPSigning") != 0) {
15857             ERROR_OUT(-7968, exit_rsa);
15858         }
15859     #ifdef WOLFSSL_EKU_OID
15860         {
15861             WOLFSSL_SMALL_STACK_STATIC const char unique[] = "2.16.840.1.111111.100.1.10.1";
15862             if (wc_SetExtKeyUsageOID(req, unique, sizeof(unique), 0,
15863                         HEAP_HINT) != 0) {
15864                 ERROR_OUT(-7969, exit_rsa);
15865             }
15866         }
15867     #endif /* WOLFSSL_EKU_OID */
15868     #endif /* WOLFSSL_CERT_EXT */
15869 
15870         derSz = wc_MakeCertReq(req, der, FOURK_BUF, key, NULL);
15871         if (derSz < 0) {
15872             ERROR_OUT(-7970, exit_rsa);
15873         }
15874 
15875     #ifdef WOLFSSL_CERT_EXT
15876         /* Try again with "any" flag set, will override all others */
15877         if (wc_SetExtKeyUsage(req, "any") != 0) {
15878             ERROR_OUT(-7971, exit_rsa);
15879         }
15880         derSz = wc_MakeCertReq(req, der, FOURK_BUF, key, NULL);
15881         if (derSz < 0) {
15882             ERROR_OUT(-7972, exit_rsa);
15883         }
15884     #endif /* WOLFSSL_CERT_EXT */
15885 
15886         ret = 0;
15887         do {
15888         #if defined(WOLFSSL_ASYNC_CRYPT)
15889             ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
15890         #endif
15891             if (ret >= 0) {
15892                 ret = wc_SignCert(req->bodySz, req->sigType, der, FOURK_BUF,
15893                           key, NULL, &rng);
15894             }
15895         } while (ret == WC_PENDING_E);
15896         if (ret < 0) {
15897             ERROR_OUT(-7973, exit_rsa);
15898         }
15899         derSz = ret;
15900 
15901         ret = SaveDerAndPem(der, derSz, certReqDerFile, certReqPemFile,
15902             CERTREQ_TYPE, -5650);
15903         if (ret != 0) {
15904             goto exit_rsa;
15905         }
15906 
15907         derSz = wc_MakeCertReq_ex(req, der, FOURK_BUF, RSA_TYPE, key);
15908         if (derSz < 0) {
15909             ERROR_OUT(-7974, exit_rsa);
15910         }
15911 
15912         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15913         XFREE(req, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15914         der = NULL;
15915     }
15916 #endif /* WOLFSSL_CERT_REQ */
15917 #endif /* WOLFSSL_CERT_GEN */
15918 
15919 #if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
15920 /* Need to create known good signatures to test with this. */
15921 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
15922     ret = rsa_pss_test(&rng, key);
15923     if (ret != 0)
15924         goto exit_rsa;
15925 #endif
15926 #endif
15927 
15928 #if defined(WOLFSSL_HAVE_SP_RSA) && defined(USE_FAST_MATH)
15929 #ifdef WOLFSSL_SMALL_STACK
15930     /* New key to be loaded in rsa_even_mod_test(). */
15931     if (key != NULL)
15932 #endif
15933         wc_FreeRsaKey(key);
15934     /* New key to be loaded in rsa_even_mod_test(). */
15935     ret = rsa_even_mod_test(&rng, key);
15936 #endif
15937 
15938 exit_rsa:
15939 
15940 #ifdef WOLFSSL_SMALL_STACK
15941     if (key != NULL) {
15942         wc_FreeRsaKey(key);
15943         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15944     }
15945     #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN)
15946     if (keypub != NULL) {
15947         wc_FreeRsaKey(keypub);
15948         XFREE(keypub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15949     }
15950     #endif
15951     #ifdef WOLFSSL_TEST_CERT
15952     if (cert != NULL)
15953         XFREE(cert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15954     #endif
15955 #else
15956     wc_FreeRsaKey(key);
15957     #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN)
15958     wc_FreeRsaKey(keypub);
15959     #endif
15960 #endif /* WOLFSSL_SMALL_STACK */
15961 
15962     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15963     XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
15964     wc_FreeRng(&rng);
15965 
15966     WC_FREE_VAR(in, HEAP_HINT);
15967     WC_FREE_VAR(out, HEAP_HINT);
15968     WC_FREE_VAR(plain, HEAP_HINT);
15969 
15970     (void)res;
15971     (void)bytes;
15972     (void)idx;
15973     (void)in;
15974     (void)out;
15975     (void)plain;
15976     (void)idx;
15977     (void)inStr;
15978     (void)inLen;
15979     (void)outSz;
15980     (void)plainSz;
15981 
15982     /* ret can be greater then 0 with certgen but all negative values should
15983      * be returned and treated as an error */
15984     if (ret >= 0) {
15985         return 0;
15986     }
15987     else {
15988         return ret;
15989     }
15990 }
15991 
15992 #endif /* !NO_RSA */
15993 
15994 
15995 #ifndef NO_DH
15996 
15997 static int dh_fips_generate_test(WC_RNG *rng)
15998 {
15999     int    ret = 0;
16000 #ifdef WOLFSSL_SMALL_STACK
16001     DhKey  *key = (DhKey *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);;
16002 #else
16003     DhKey  key[1];
16004 #endif
16005     WOLFSSL_SMALL_STACK_STATIC const byte p[] = {
16006         0xc5, 0x7c, 0xa2, 0x4f, 0x4b, 0xd6, 0x8c, 0x3c,
16007         0xda, 0xc7, 0xba, 0xaa, 0xea, 0x2e, 0x5c, 0x1e,
16008         0x18, 0xb2, 0x7b, 0x8c, 0x55, 0x65, 0x9f, 0xea,
16009         0xe0, 0xa1, 0x36, 0x53, 0x2b, 0x36, 0xe0, 0x4e,
16010         0x3e, 0x64, 0xa9, 0xe4, 0xfc, 0x8f, 0x32, 0x62,
16011         0x97, 0xe4, 0xbe, 0xf7, 0xc1, 0xde, 0x07, 0x5a,
16012         0x89, 0x28, 0xf3, 0xfe, 0x4f, 0xfe, 0x68, 0xbc,
16013         0xfb, 0x0a, 0x7c, 0xa4, 0xb3, 0x14, 0x48, 0x89,
16014         0x9f, 0xaf, 0xb8, 0x43, 0xe2, 0xa0, 0x62, 0x5c,
16015         0xb4, 0x88, 0x3f, 0x06, 0x50, 0x11, 0xfe, 0x65,
16016         0x8d, 0x49, 0xd2, 0xf5, 0x4b, 0x74, 0x79, 0xdb,
16017         0x06, 0x62, 0x92, 0x89, 0xed, 0xda, 0xcb, 0x87,
16018         0x37, 0x16, 0xd2, 0xa1, 0x7a, 0xe8, 0xde, 0x92,
16019         0xee, 0x3e, 0x41, 0x4a, 0x91, 0x5e, 0xed, 0xf3,
16020         0x6c, 0x6b, 0x7e, 0xfd, 0x15, 0x92, 0x18, 0xfc,
16021         0xa7, 0xac, 0x42, 0x85, 0x57, 0xe9, 0xdc, 0xda,
16022         0x55, 0xc9, 0x8b, 0x28, 0x9e, 0xc1, 0xc4, 0x46,
16023         0x4d, 0x88, 0xed, 0x62, 0x8e, 0xdb, 0x3f, 0xb9,
16024         0xd7, 0xc8, 0xe3, 0xcf, 0xb8, 0x34, 0x2c, 0xd2,
16025         0x6f, 0x28, 0x06, 0x41, 0xe3, 0x66, 0x8c, 0xfc,
16026         0x72, 0xff, 0x26, 0x3b, 0x6b, 0x6c, 0x6f, 0x73,
16027         0xde, 0xf2, 0x90, 0x29, 0xe0, 0x61, 0x32, 0xc4,
16028         0x12, 0x74, 0x09, 0x52, 0xec, 0xf3, 0x1b, 0xa6,
16029         0x45, 0x98, 0xac, 0xf9, 0x1c, 0x65, 0x8e, 0x3a,
16030         0x91, 0x84, 0x4b, 0x23, 0x8a, 0xb2, 0x3c, 0xc9,
16031         0xfa, 0xea, 0xf1, 0x38, 0xce, 0xd8, 0x05, 0xe0,
16032         0xfa, 0x44, 0x68, 0x1f, 0xeb, 0xd9, 0x57, 0xb8,
16033         0x4a, 0x97, 0x5b, 0x88, 0xc5, 0xf1, 0xbb, 0xb0,
16034         0x49, 0xc3, 0x91, 0x7c, 0xd3, 0x13, 0xb9, 0x47,
16035         0xbb, 0x91, 0x8f, 0xe5, 0x26, 0x07, 0xab, 0xa9,
16036         0xc5, 0xd0, 0x3d, 0x95, 0x41, 0x26, 0x92, 0x9d,
16037         0x13, 0x67, 0xf2, 0x7e, 0x11, 0x88, 0xdc, 0x2d
16038     };
16039     WOLFSSL_SMALL_STACK_STATIC const byte g[] = {
16040         0x4a, 0x1a, 0xf3, 0xa4, 0x92, 0xe9, 0xee, 0x74,
16041         0x6e, 0x57, 0xd5, 0x8c, 0x2c, 0x5b, 0x41, 0x41,
16042         0x5e, 0xd4, 0x55, 0x19, 0xdc, 0xd9, 0x32, 0x91,
16043         0xf7, 0xfd, 0xc2, 0x57, 0xff, 0x03, 0x14, 0xdb,
16044         0xf1, 0xb7, 0x60, 0x0c, 0x43, 0x59, 0x3f, 0xff,
16045         0xac, 0xf1, 0x80, 0x9a, 0x15, 0x6f, 0xd8, 0x6e,
16046         0xb7, 0x85, 0x18, 0xc8, 0xec, 0x4e, 0x59, 0x4a,
16047         0xe2, 0x91, 0x43, 0x4c, 0xeb, 0x95, 0xb6, 0x2e,
16048         0x9a, 0xea, 0x53, 0x68, 0x80, 0x64, 0x69, 0x40,
16049         0xf9, 0xec, 0xbd, 0x85, 0x89, 0x26, 0x97, 0x67,
16050         0xaf, 0xb0, 0xad, 0x00, 0x1b, 0xd4, 0xfd, 0x94,
16051         0xd3, 0xe9, 0x92, 0xb1, 0xb4, 0xbc, 0x5a, 0xaa,
16052         0x92, 0x80, 0x89, 0x3b, 0x39, 0x05, 0x6c, 0x22,
16053         0x26, 0xfe, 0x5a, 0x28, 0x6c, 0x37, 0x50, 0x5a,
16054         0x38, 0x99, 0xcf, 0xf3, 0xc1, 0x96, 0x45, 0xdc,
16055         0x01, 0xcb, 0x20, 0x87, 0xa5, 0x00, 0x8c, 0xf5,
16056         0x4d, 0xc2, 0xef, 0xb8, 0x9b, 0xd1, 0x87, 0xbe,
16057         0xed, 0xd5, 0x0a, 0x29, 0x15, 0x34, 0x59, 0x4c,
16058         0x3a, 0x05, 0x22, 0x05, 0x44, 0x4f, 0x9f, 0xc8,
16059         0x47, 0x12, 0x24, 0x8e, 0xa8, 0x79, 0xe4, 0x67,
16060         0xba, 0x4d, 0x5b, 0x75, 0x56, 0x95, 0xeb, 0xe8,
16061         0x8a, 0xfa, 0x8e, 0x01, 0x8c, 0x1b, 0x74, 0x63,
16062         0xd9, 0x2f, 0xf7, 0xd3, 0x44, 0x8f, 0xa8, 0xf5,
16063         0xaf, 0x6c, 0x4f, 0xdb, 0xe7, 0xc9, 0x6c, 0x71,
16064         0x22, 0xa3, 0x1d, 0xf1, 0x40, 0xb2, 0xe0, 0x9a,
16065         0xb6, 0x72, 0xc9, 0xc0, 0x13, 0x16, 0xa2, 0x4a,
16066         0xe1, 0x92, 0xc7, 0x54, 0x23, 0xab, 0x9d, 0xa1,
16067         0xa1, 0xe5, 0x0b, 0xed, 0xba, 0xe8, 0x84, 0x37,
16068         0xb2, 0xe7, 0xfe, 0x32, 0x8d, 0xfa, 0x1c, 0x53,
16069         0x77, 0x97, 0xc7, 0xf3, 0x48, 0xc9, 0xdb, 0x2d,
16070         0x75, 0x52, 0x9d, 0x42, 0x51, 0x78, 0x62, 0x68,
16071         0x05, 0x45, 0x15, 0xf8, 0xa2, 0x4e, 0xf3, 0x0b
16072     };
16073     WOLFSSL_SMALL_STACK_STATIC const byte q[] = {
16074         0xe0, 0x35, 0x37, 0xaf, 0xb2, 0x50, 0x91, 0x8e,
16075         0xf2, 0x62, 0x2b, 0xd9, 0x9f, 0x6c, 0x11, 0x75,
16076         0xec, 0x24, 0x5d, 0x78, 0x59, 0xe7, 0x8d, 0xb5,
16077         0x40, 0x52, 0xed, 0x41
16078     };
16079     WOLFSSL_SMALL_STACK_STATIC const byte q0[] = {
16080                                                   0x00,
16081         0xe0, 0x35, 0x37, 0xaf, 0xb2, 0x50, 0x91, 0x8e,
16082         0xf2, 0x62, 0x2b, 0xd9, 0x9f, 0x6c, 0x11, 0x75,
16083         0xec, 0x24, 0x5d, 0x78, 0x59, 0xe7, 0x8d, 0xb5,
16084         0x40, 0x52, 0xed, 0x41
16085     };
16086     byte   priv[256];
16087     byte   pub[256];
16088     word32 privSz = sizeof(priv);
16089     word32 pubSz = sizeof(pub);
16090 
16091 #ifdef WOLFSSL_SMALL_STACK
16092     if (key == NULL)
16093         ERROR_OUT(MEMORY_E, exit_gen_test);
16094 #endif
16095 
16096     /* Parameter Validation testing. */
16097     ret = wc_DhGenerateKeyPair(NULL, rng, priv, &privSz, pub, &pubSz);
16098     if (ret != BAD_FUNC_ARG)
16099         ERROR_OUT(-7980, exit_gen_test);
16100     ret = wc_DhGenerateKeyPair(key, NULL, priv, &privSz, pub, &pubSz);
16101     if (ret != BAD_FUNC_ARG)
16102         ERROR_OUT(-7981, exit_gen_test);
16103     ret = wc_DhGenerateKeyPair(key, rng, NULL, &privSz, pub, &pubSz);
16104     if (ret != BAD_FUNC_ARG)
16105         ERROR_OUT(-7982, exit_gen_test);
16106     ret = wc_DhGenerateKeyPair(key, rng, priv, NULL, pub, &pubSz);
16107     if (ret != BAD_FUNC_ARG)
16108         ERROR_OUT(-7983, exit_gen_test);
16109     ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, NULL, &pubSz);
16110     if (ret != BAD_FUNC_ARG)
16111         ERROR_OUT(-7984, exit_gen_test);
16112     ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, NULL);
16113     if (ret != BAD_FUNC_ARG)
16114         ERROR_OUT(-7985, exit_gen_test);
16115 
16116     ret = wc_InitDhKey_ex(key, HEAP_HINT, devId);
16117     if (ret != 0)
16118         ERROR_OUT(-7986, exit_gen_test);
16119 
16120     ret = wc_DhSetKey_ex(key, p, sizeof(p), g, sizeof(g), q0, sizeof(q0));
16121     if (ret != 0) {
16122         ERROR_OUT(-7987, exit_gen_test);
16123     }
16124 
16125     wc_FreeDhKey(key);
16126 
16127     ret = wc_InitDhKey_ex(key, HEAP_HINT, devId);
16128     if (ret != 0)
16129         ERROR_OUT(-7988, exit_gen_test);
16130 
16131     ret = wc_DhSetKey_ex(key, p, sizeof(p), g, sizeof(g), q, sizeof(q));
16132     if (ret != 0) {
16133         ERROR_OUT(-7989, exit_gen_test);
16134     }
16135 
16136     /* Use API. */
16137     ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz);
16138 #if defined(WOLFSSL_ASYNC_CRYPT)
16139     ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
16140 #endif
16141     if (ret != 0) {
16142         ERROR_OUT(-7990, exit_gen_test);
16143     }
16144 
16145     ret = wc_DhCheckPubKey_ex(key, pub, pubSz, q0, sizeof(q0));
16146     if (ret != 0) {
16147         ERROR_OUT(-7991, exit_gen_test);
16148     }
16149 
16150     wc_FreeDhKey(key);
16151     ret = wc_InitDhKey_ex(key, HEAP_HINT, devId);
16152     if (ret != 0)
16153         ERROR_OUT(-7992, exit_gen_test);
16154 
16155     ret = wc_DhSetKey(key, p, sizeof(p), g, sizeof(g));
16156     if (ret != 0) {
16157         ERROR_OUT(-7993, exit_gen_test);
16158     }
16159 
16160     ret = wc_DhCheckPubKey_ex(key, pub, pubSz, q, sizeof(q));
16161     if (ret != 0) {
16162         ERROR_OUT(-7994, exit_gen_test);
16163     }
16164 
16165 #ifndef HAVE_SELFTEST
16166     ret = wc_DhCheckKeyPair(key, pub, pubSz, priv, privSz);
16167     if (ret != 0) {
16168         ERROR_OUT(-7995, exit_gen_test);
16169     }
16170 
16171     /* Taint the public key so the check fails. */
16172     pub[0]++;
16173     ret = wc_DhCheckKeyPair(key, pub, pubSz, priv, privSz);
16174     if (ret != MP_CMP_E) {
16175         ERROR_OUT(-7996, exit_gen_test);
16176     }
16177 
16178 #ifdef WOLFSSL_KEY_GEN
16179     wc_FreeDhKey(key);
16180     ret = wc_InitDhKey_ex(key, HEAP_HINT, devId);
16181     if (ret != 0)
16182         ERROR_OUT(-7997, exit_gen_test);
16183 
16184     ret = wc_DhGenerateParams(rng, 2048, key);
16185     if (ret != 0) {
16186         ERROR_OUT(-7998, exit_gen_test);
16187     }
16188 
16189     privSz = sizeof(priv);
16190     pubSz = sizeof(pub);
16191 
16192     ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz);
16193 #if defined(WOLFSSL_ASYNC_CRYPT)
16194     ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
16195 #endif
16196     if (ret != 0) {
16197         ERROR_OUT(-7999, exit_gen_test);
16198     }
16199 #endif /* WOLFSSL_KEY_GEN */
16200 #endif /* HAVE_SELFTEST */
16201 
16202     ret = 0;
16203 
16204 exit_gen_test:
16205 
16206 #ifdef WOLFSSL_SMALL_STACK
16207     if (key) {
16208         wc_FreeDhKey(key);
16209         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16210     }
16211 #else
16212     wc_FreeDhKey(key);
16213 #endif
16214 
16215     return ret;
16216 }
16217 
16218 static int dh_generate_test(WC_RNG *rng)
16219 {
16220     int    ret = 0;
16221 #ifdef WOLFSSL_SMALL_STACK
16222     DhKey  *smallKey = NULL;
16223 #else
16224     DhKey  smallKey[1];
16225 #endif
16226     byte   p[2] = { 1, 7 }; /* 263 in decimal */
16227     byte   g[2] = { 0, 2 };
16228 #if !defined(WOLFSSL_SP_MATH) && !defined(HAVE_FFDHE)
16229 #ifdef WOLFSSL_DH_CONST
16230     /* the table for constant DH lookup will round to the lowest byte size 21 */
16231     byte   priv[21];
16232     byte   pub[21];
16233 #else
16234     byte   priv[2];
16235     byte   pub[2];
16236 #endif
16237     word32 privSz = sizeof(priv);
16238     word32 pubSz = sizeof(pub);
16239 #endif
16240     int smallKey_inited = 0;
16241 
16242 #ifdef WOLFSSL_SMALL_STACK
16243     if ((smallKey = (DhKey *)XMALLOC(sizeof(*smallKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
16244         return -8019;
16245 #endif
16246 
16247     ret = wc_InitDhKey_ex(smallKey, HEAP_HINT, devId);
16248     if (ret != 0)
16249         ERROR_OUT(-8010, exit_gen_test);
16250     smallKey_inited = 1;
16251 
16252     /* Parameter Validation testing. */
16253     ret = wc_InitDhKey_ex(NULL, HEAP_HINT, devId);
16254     if (ret != BAD_FUNC_ARG)
16255         return -8011;
16256     wc_FreeDhKey(NULL);
16257 
16258     ret = wc_DhSetKey(NULL, p, sizeof(p), g, sizeof(g));
16259     if (ret != BAD_FUNC_ARG) {
16260         ERROR_OUT(-8012, exit_gen_test);
16261     }
16262     ret = wc_DhSetKey(smallKey, NULL, sizeof(p), g, sizeof(g));
16263     if (ret != BAD_FUNC_ARG) {
16264         ERROR_OUT(-8013, exit_gen_test);
16265     }
16266     ret = wc_DhSetKey(smallKey, p, 0, g, sizeof(g));
16267     if (ret != BAD_FUNC_ARG) {
16268         ERROR_OUT(-8014, exit_gen_test);
16269     }
16270     ret = wc_DhSetKey(smallKey, p, sizeof(p), NULL, sizeof(g));
16271     if (ret != BAD_FUNC_ARG) {
16272         ERROR_OUT(-8015, exit_gen_test);
16273     }
16274     ret = wc_DhSetKey(smallKey, p, sizeof(p), g, 0);
16275     if (ret != BAD_FUNC_ARG) {
16276         ERROR_OUT(-8016, exit_gen_test);
16277     }
16278     ret = wc_DhSetKey(smallKey, p, sizeof(p), g, sizeof(g));
16279     if (ret != 0) {
16280         ERROR_OUT(-8017, exit_gen_test);
16281     }
16282 
16283 #if !defined(WOLFSSL_SP_MATH) && !defined(HAVE_FFDHE)
16284     /* Use API. */
16285     ret = wc_DhGenerateKeyPair(smallKey, rng, priv, &privSz, pub, &pubSz);
16286 #if defined(WOLFSSL_ASYNC_CRYPT)
16287     ret = wc_AsyncWait(ret, &smallKey->asyncDev, WC_ASYNC_FLAG_NONE);
16288 #endif
16289     if (ret != 0) {
16290         ret = -8018;
16291     }
16292 #else
16293     (void)rng;
16294     ret = 0;
16295 #endif
16296 
16297 exit_gen_test:
16298     if (smallKey_inited)
16299         wc_FreeDhKey(smallKey);
16300 
16301 #ifdef WOLFSSL_SMALL_STACK
16302     if (smallKey != NULL)
16303         XFREE(smallKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16304 #endif
16305 
16306     return ret;
16307 }
16308 
16309 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
16310 typedef struct dh_pubvalue_test {
16311     const byte* data;
16312     word32 len;
16313 } dh_pubvalue_test;
16314 
16315 static int dh_test_check_pubvalue(void)
16316 {
16317     int ret;
16318     word32 i;
16319     WOLFSSL_SMALL_STACK_STATIC const byte prime[] = {0x01, 0x00, 0x01};
16320     WOLFSSL_SMALL_STACK_STATIC const byte pubValZero[] = { 0x00 };
16321     WOLFSSL_SMALL_STACK_STATIC const byte pubValZeroLong[] = { 0x00, 0x00, 0x00 };
16322     WOLFSSL_SMALL_STACK_STATIC const byte pubValOne[] = { 0x01 };
16323     WOLFSSL_SMALL_STACK_STATIC const byte pubValOneLong[] = { 0x00, 0x00, 0x01 };
16324     WOLFSSL_SMALL_STACK_STATIC const byte pubValPrimeMinusOne[] = { 0x01, 0x00, 0x00 };
16325     WOLFSSL_SMALL_STACK_STATIC const byte pubValPrimeLong[] = {0x00, 0x01, 0x00, 0x01};
16326     WOLFSSL_SMALL_STACK_STATIC const byte pubValPrimePlusOne[] = { 0x01, 0x00, 0x02 };
16327     WOLFSSL_SMALL_STACK_STATIC const byte pubValTooBig0[] = { 0x02, 0x00, 0x01 };
16328     WOLFSSL_SMALL_STACK_STATIC const byte pubValTooBig1[] = { 0x01, 0x01, 0x01 };
16329     WOLFSSL_SMALL_STACK_STATIC const byte pubValTooLong[] = { 0x01, 0x00, 0x00, 0x01 };
16330     const dh_pubvalue_test dh_pubval_fail[] = {
16331         { prime, sizeof(prime) },
16332         { pubValZero, sizeof(pubValZero) },
16333         { pubValZeroLong, sizeof(pubValZeroLong) },
16334         { pubValOne, sizeof(pubValOne) },
16335         { pubValOneLong, sizeof(pubValOneLong) },
16336         { pubValPrimeMinusOne, sizeof(pubValPrimeMinusOne) },
16337         { pubValPrimeLong, sizeof(pubValPrimeLong) },
16338         { pubValPrimePlusOne, sizeof(pubValPrimePlusOne) },
16339         { pubValTooBig0, sizeof(pubValTooBig0) },
16340         { pubValTooBig1, sizeof(pubValTooBig1) },
16341         { pubValTooLong, sizeof(pubValTooLong) },
16342     };
16343     WOLFSSL_SMALL_STACK_STATIC const byte pubValTwo[] = { 0x02 };
16344     WOLFSSL_SMALL_STACK_STATIC const byte pubValTwoLong[] = { 0x00, 0x00, 0x02 };
16345     WOLFSSL_SMALL_STACK_STATIC const byte pubValGood[] = { 0x12, 0x34 };
16346     WOLFSSL_SMALL_STACK_STATIC const byte pubValGoodLen[] = { 0x00, 0x12, 0x34 };
16347     WOLFSSL_SMALL_STACK_STATIC const byte pubValGoodLong[] = { 0x00, 0x00, 0x12, 0x34 };
16348     const dh_pubvalue_test dh_pubval_pass[] = {
16349         { pubValTwo, sizeof(pubValTwo) },
16350         { pubValTwoLong, sizeof(pubValTwoLong) },
16351         { pubValGood, sizeof(pubValGood) },
16352         { pubValGoodLen, sizeof(pubValGoodLen) },
16353         { pubValGoodLong, sizeof(pubValGoodLong) },
16354     };
16355 
16356     for (i = 0; i < sizeof(dh_pubval_fail) / sizeof(*dh_pubval_fail); i++) {
16357         ret = wc_DhCheckPubValue(prime, sizeof(prime), dh_pubval_fail[i].data,
16358                                                          dh_pubval_fail[i].len);
16359         if (ret != MP_VAL)
16360             return -8020 - (int)i;
16361     }
16362 
16363     for (i = 0; i < sizeof(dh_pubval_pass) / sizeof(*dh_pubval_pass); i++) {
16364         ret = wc_DhCheckPubValue(prime, sizeof(prime), dh_pubval_pass[i].data,
16365                                                          dh_pubval_pass[i].len);
16366         if (ret != 0)
16367             return -8030 - (int)i;
16368     }
16369 
16370     return 0;
16371 }
16372 #endif
16373 
16374 #if defined(HAVE_FFDHE)
16375 
16376 #if defined(HAVE_FFDHE_4096)
16377     #define MAX_DH_PRIV_SZ 39
16378     #define MAX_DH_KEY_SZ  512
16379 #elif defined(HAVE_FFDHE_3072)
16380     #define MAX_DH_PRIV_SZ 34
16381     #define MAX_DH_KEY_SZ  384
16382 #else
16383     #define MAX_DH_PRIV_SZ 29
16384     #define MAX_DH_KEY_SZ  256
16385 #endif
16386 
16387 #ifndef WC_NO_RNG
16388 #ifdef HAVE_PUBLIC_FFDHE
16389 static int dh_ffdhe_test(WC_RNG *rng, const DhParams* params)
16390 #else
16391 static int dh_ffdhe_test(WC_RNG *rng, int name)
16392 #endif
16393 {
16394     int    ret;
16395     word32 privSz, pubSz, privSz2, pubSz2;
16396 #ifdef WOLFSSL_SMALL_STACK
16397     byte   *priv = (byte*)XMALLOC(MAX_DH_PRIV_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16398     byte   *pub = (byte*)XMALLOC(MAX_DH_KEY_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16399     byte   *priv2 = (byte*)XMALLOC(MAX_DH_PRIV_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16400     byte   *pub2 = (byte*)XMALLOC(MAX_DH_KEY_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16401     byte   *agree = (byte*)XMALLOC(MAX_DH_KEY_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16402     byte   *agree2 = (byte*)XMALLOC(MAX_DH_KEY_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16403     DhKey  *key = (DhKey*)XMALLOC(sizeof(*key), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16404     DhKey  *key2 = (DhKey*)XMALLOC(sizeof(*key2), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16405 #else
16406     byte   priv[MAX_DH_PRIV_SZ];
16407     byte   pub[MAX_DH_KEY_SZ];
16408     byte   priv2[MAX_DH_PRIV_SZ];
16409     byte   pub2[MAX_DH_KEY_SZ];
16410     byte   agree[MAX_DH_KEY_SZ];
16411     byte   agree2[MAX_DH_KEY_SZ];
16412     DhKey  key[1];
16413     DhKey  key2[1];
16414 #endif
16415     word32 agreeSz = MAX_DH_KEY_SZ;
16416     word32 agreeSz2 = MAX_DH_KEY_SZ;
16417 
16418 #ifdef WOLFSSL_SMALL_STACK
16419     if ((priv == NULL) ||
16420         (pub == NULL) ||
16421         (priv2 == NULL) ||
16422         (pub2 == NULL) ||
16423         (agree == NULL) ||
16424         (agree2 == NULL) ||
16425         (key == NULL) ||
16426         (key2 == NULL))
16427         ERROR_OUT(-8050, done);
16428 #endif
16429 
16430     pubSz = MAX_DH_KEY_SZ;
16431     pubSz2 = MAX_DH_KEY_SZ;
16432     #ifdef HAVE_PUBLIC_FFDHE
16433     privSz = MAX_DH_PRIV_SZ;
16434     privSz2 = MAX_DH_PRIV_SZ;
16435     #else
16436     privSz = wc_DhGetNamedKeyMinSize(name);
16437     privSz2 = privSz;
16438     #endif
16439 
16440     XMEMSET(key, 0, sizeof(*key));
16441     XMEMSET(key2, 0, sizeof(*key2));
16442 
16443     ret = wc_InitDhKey_ex(key, HEAP_HINT, devId);
16444     if (ret != 0) {
16445         ERROR_OUT(-8051, done);
16446     }
16447     ret = wc_InitDhKey_ex(key2, HEAP_HINT, devId);
16448     if (ret != 0) {
16449         ERROR_OUT(-8052, done);
16450     }
16451 
16452 #ifdef HAVE_PUBLIC_FFDHE
16453     ret = wc_DhSetKey(key, params->p, params->p_len, params->g, params->g_len);
16454 #else
16455     ret = wc_DhSetNamedKey(key, name);
16456 #endif
16457     if (ret != 0) {
16458         ERROR_OUT(-8053, done);
16459     }
16460 
16461 #ifdef HAVE_PUBLIC_FFDHE
16462     ret = wc_DhSetKey(key2, params->p, params->p_len, params->g,
16463                                                                  params->g_len);
16464 #else
16465     ret = wc_DhSetNamedKey(key2, name);
16466 #endif
16467     if (ret != 0) {
16468         ERROR_OUT(-8054, done);
16469     }
16470 
16471     ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz);
16472 #if defined(WOLFSSL_ASYNC_CRYPT)
16473     ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
16474 #endif
16475     if (ret != 0) {
16476         ERROR_OUT(-8055, done);
16477     }
16478 
16479     ret = wc_DhGenerateKeyPair(key2, rng, priv2, &privSz2, pub2, &pubSz2);
16480 #if defined(WOLFSSL_ASYNC_CRYPT)
16481     ret = wc_AsyncWait(ret, &key2->asyncDev, WC_ASYNC_FLAG_NONE);
16482 #endif
16483     if (ret != 0) {
16484         ERROR_OUT(-8056, done);
16485     }
16486 
16487     ret = wc_DhAgree(key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
16488 #if defined(WOLFSSL_ASYNC_CRYPT)
16489     ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
16490 #endif
16491     if (ret != 0) {
16492         ERROR_OUT(-8057, done);
16493     }
16494 
16495     ret = wc_DhAgree(key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz);
16496 #if defined(WOLFSSL_ASYNC_CRYPT)
16497     ret = wc_AsyncWait(ret, &key2->asyncDev, WC_ASYNC_FLAG_NONE);
16498 #endif
16499     if (ret != 0) {
16500         ERROR_OUT(-8058, done);
16501     }
16502 
16503     if (agreeSz != agreeSz2 || XMEMCMP(agree, agree2, agreeSz)) {
16504         ERROR_OUT(-8059, done);
16505     }
16506 
16507 #if defined(WOLFSSL_HAVE_SP_DH) && defined(USE_FAST_MATH)
16508     /* Make p even */
16509     key->p.dp[0] &= (mp_digit)-2;
16510     if (ret != 0) {
16511         ERROR_OUT(-8058, done);
16512     }
16513 
16514     ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz);
16515     if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
16516         ERROR_OUT(-8058, done);
16517     }
16518 
16519     ret = wc_DhAgree(key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
16520     if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
16521         ERROR_OUT(-8057, done);
16522     }
16523 
16524     ret = wc_DhCheckKeyPair(key, pub, pubSz, priv, privSz);
16525     if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
16526         ERROR_OUT(-8057, done);
16527     }
16528 
16529     /* Getting here means success - set ret to 0. */
16530     ret = 0;
16531 #endif
16532 
16533 done:
16534 
16535 #if defined(WOLFSSL_SMALL_STACK) && !defined(WC_NO_RNG)
16536     if (priv)
16537         XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16538     if (pub)
16539         XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16540     if (priv2)
16541         XFREE(priv2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16542     if (pub2)
16543         XFREE(pub2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16544     if (agree)
16545         XFREE(agree, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16546     if (agree2)
16547         XFREE(agree2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16548     if (key) {
16549         wc_FreeDhKey(key);
16550         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16551     }
16552     if (key2) {
16553         wc_FreeDhKey(key2);
16554         XFREE(key2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16555     }
16556 #else
16557     wc_FreeDhKey(key);
16558     wc_FreeDhKey(key2);
16559 #endif
16560 
16561     return ret;
16562 }
16563 #endif /* !WC_NO_RNG */
16564 #endif /* HAVE_FFDHE */
16565 
16566 WOLFSSL_TEST_SUBROUTINE int dh_test(void)
16567 {
16568     int    ret;
16569     word32 bytes;
16570     word32 idx = 0, privSz, pubSz, privSz2, pubSz2;
16571 #ifndef WC_NO_RNG
16572     WC_RNG rng;
16573 #endif
16574     int keyInit = 0;
16575 
16576 #define DH_TEST_TMP_SIZE 1024
16577 #if !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
16578     #define DH_TEST_BUF_SIZE 256
16579 #else
16580     #define DH_TEST_BUF_SIZE 512
16581 #endif
16582 #ifndef WC_NO_RNG
16583     word32 agreeSz = DH_TEST_BUF_SIZE;
16584     word32 agreeSz2 = DH_TEST_BUF_SIZE;
16585 #endif
16586 
16587 #ifdef WOLFSSL_SMALL_STACK
16588     DhKey *key = (DhKey *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16589     DhKey *key2 = (DhKey *)XMALLOC(sizeof *key2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16590     byte  *tmp = (byte *)XMALLOC(DH_TEST_TMP_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16591 #else
16592     DhKey key[1];
16593     DhKey key2[1];
16594     byte  tmp[DH_TEST_TMP_SIZE];
16595 #endif
16596 
16597 #ifndef WC_NO_RNG
16598 #ifdef WOLFSSL_SMALL_STACK
16599     byte *priv = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16600     byte *pub = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16601     byte *priv2 = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16602     byte *pub2 = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16603     byte *agree = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16604     byte *agree2 = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16605     if (priv == NULL || pub == NULL || priv2 == NULL || pub2 == NULL ||
16606             agree == NULL || agree2 == NULL) {
16607         ERROR_OUT(-8100, done);
16608     }
16609 #else
16610     byte priv[DH_TEST_BUF_SIZE];
16611     byte pub[DH_TEST_BUF_SIZE];
16612     byte priv2[DH_TEST_BUF_SIZE];
16613     byte pub2[DH_TEST_BUF_SIZE];
16614     byte agree[DH_TEST_BUF_SIZE];
16615     byte agree2[DH_TEST_BUF_SIZE];
16616 #endif
16617 #endif /* !WC_NO_RNG */
16618 
16619 #ifdef WOLFSSL_SMALL_STACK
16620     if (key == NULL || key2 == NULL || tmp == NULL) {
16621         ERROR_OUT(-8100, done);
16622     }
16623 #endif
16624 
16625 #ifdef USE_CERT_BUFFERS_1024
16626     XMEMCPY(tmp, dh_key_der_1024, (size_t)sizeof_dh_key_der_1024);
16627     bytes = (size_t)sizeof_dh_key_der_1024;
16628 #elif defined(USE_CERT_BUFFERS_2048)
16629     XMEMCPY(tmp, dh_key_der_2048, (size_t)sizeof_dh_key_der_2048);
16630     bytes = (size_t)sizeof_dh_key_der_2048;
16631 #elif defined(USE_CERT_BUFFERS_3072)
16632     XMEMCPY(tmp, dh_key_der_3072, (size_t)sizeof_dh_key_der_3072);
16633     bytes = (size_t)sizeof_dh_key_der_3072;
16634 #elif defined(USE_CERT_BUFFERS_4096)
16635     XMEMCPY(tmp, dh_key_der_4096, (size_t)sizeof_dh_key_der_4096);
16636     bytes = (size_t)sizeof_dh_key_der_4096;
16637 #elif defined(NO_ASN)
16638     /* don't use file, no DER parsing */
16639 #elif !defined(NO_FILESYSTEM)
16640     {
16641         XFILE file = XFOPEN(dhParamsFile, "rb");
16642         if (! file)
16643             ERROR_OUT(-8101, done);
16644 
16645         bytes = (word32) XFREAD(tmp, 1, DH_TEST_TMP_SIZE, file);
16646         XFCLOSE(file);
16647     }
16648 #else
16649     /* No DH key to use. */
16650     ERROR_OUT(-8102, done);
16651 #endif /* USE_CERT_BUFFERS */
16652 
16653     (void)idx;
16654     (void)tmp;
16655     (void)bytes;
16656 
16657     pubSz = DH_TEST_BUF_SIZE;
16658     pubSz2 = DH_TEST_BUF_SIZE;
16659     privSz = DH_TEST_BUF_SIZE;
16660     privSz2 = DH_TEST_BUF_SIZE;
16661 
16662 #ifndef WC_NO_RNG
16663     XMEMSET(&rng, 0, sizeof(rng));
16664 #endif
16665 
16666     /* Use API for coverage. */
16667     ret = wc_InitDhKey(key);
16668     if (ret != 0) {
16669         ERROR_OUT(-8103, done);
16670     }
16671     wc_FreeDhKey(key);
16672 
16673     ret = wc_InitDhKey_ex(key, HEAP_HINT, devId);
16674     if (ret != 0) {
16675         ERROR_OUT(-8104, done);
16676     }
16677     keyInit = 1;
16678     ret = wc_InitDhKey_ex(key2, HEAP_HINT, devId);
16679     if (ret != 0) {
16680         ERROR_OUT(-8105, done);
16681     }
16682 
16683 #ifdef NO_ASN
16684 #ifndef WOLFSSL_SP_MATH
16685     ret = wc_DhSetKey(key, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g));
16686     if (ret != 0) {
16687         ERROR_OUT(-8106, done);
16688     }
16689 
16690     ret = wc_DhSetKey(key2, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g));
16691     if (ret != 0) {
16692         ERROR_OUT(-8107, done);
16693     }
16694 #else
16695     ret = wc_DhSetKey(key, dh2048_p, sizeof(dh2048_p), dh2048_g,
16696         sizeof(dh2048_g));
16697     if (ret != 0) {
16698         ERROR_OUT(-8106, done);
16699     }
16700 
16701     ret = wc_DhSetKey(key2, dh2048_p, sizeof(dh2048_p), dh2048_g,
16702         sizeof(dh2048_g));
16703     if (ret != 0) {
16704         ERROR_OUT(-8107, done);
16705     }
16706 #endif
16707 #else
16708     ret = wc_DhKeyDecode(tmp, &idx, key, bytes);
16709     if (ret != 0) {
16710         ERROR_OUT(-8108, done);
16711     }
16712 
16713     idx = 0;
16714     ret = wc_DhKeyDecode(tmp, &idx, key2, bytes);
16715     if (ret != 0) {
16716         ERROR_OUT(-8109, done);
16717     }
16718 #endif
16719 
16720 #ifndef WC_NO_RNG
16721 #ifndef HAVE_FIPS
16722     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
16723 #else
16724     ret = wc_InitRng(&rng);
16725 #endif
16726     if (ret != 0) {
16727         ERROR_OUT(-8110, done);
16728     }
16729 
16730     ret = wc_DhGenerateKeyPair(key, &rng, priv, &privSz, pub, &pubSz);
16731 #if defined(WOLFSSL_ASYNC_CRYPT)
16732     ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
16733 #endif
16734     if (ret != 0) {
16735         ERROR_OUT(-8111, done);
16736     }
16737 
16738     ret = wc_DhGenerateKeyPair(key2, &rng, priv2, &privSz2, pub2, &pubSz2);
16739 #if defined(WOLFSSL_ASYNC_CRYPT)
16740     ret = wc_AsyncWait(ret, &key2->asyncDev, WC_ASYNC_FLAG_NONE);
16741 #endif
16742     if (ret != 0) {
16743         ERROR_OUT(-8112, done);
16744     }
16745 
16746     ret = wc_DhAgree(key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
16747 #if defined(WOLFSSL_ASYNC_CRYPT)
16748     ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
16749 #endif
16750     if (ret != 0) {
16751         ERROR_OUT(-8113, done);
16752     }
16753 
16754     ret = wc_DhAgree(key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz);
16755 #if defined(WOLFSSL_ASYNC_CRYPT)
16756     ret = wc_AsyncWait(ret, &key2->asyncDev, WC_ASYNC_FLAG_NONE);
16757 #endif
16758     if (ret != 0) {
16759         ERROR_OUT(-8114, done);
16760     }
16761 
16762     if (agreeSz != agreeSz2 || XMEMCMP(agree, agree2, agreeSz)) {
16763         ERROR_OUT(-8115, done);
16764     }
16765 #endif /* !WC_NO_RNG */
16766 
16767 #if defined(WOLFSSL_KEY_GEN) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
16768     if (wc_DhCheckPrivKey(NULL, NULL, 0) != BAD_FUNC_ARG)
16769         ERROR_OUT(-8116, done);
16770 
16771     if (wc_DhCheckPrivKey(key, priv, privSz) != 0)
16772         ERROR_OUT(-8117, done);
16773 
16774     if (wc_DhExportParamsRaw(NULL, NULL, NULL, NULL, NULL, NULL, NULL) != BAD_FUNC_ARG)
16775         ERROR_OUT(-8118, done);
16776     {
16777         word32 pSz, qSz, gSz;
16778         if (wc_DhExportParamsRaw(key, NULL, &pSz, NULL, &qSz, NULL, &gSz) != LENGTH_ONLY_E)
16779             ERROR_OUT(-8119, done);
16780     }
16781 #endif
16782 
16783     /* Test DH key import / export */
16784 #if defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) && \
16785         (!defined(HAVE_FIPS) || \
16786         (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)))
16787     wc_FreeDhKey(key);
16788     ret = wc_InitDhKey_ex(key, HEAP_HINT, devId);
16789     if (ret != 0) {
16790         ERROR_OUT(-8120, done);
16791     }
16792 
16793 #ifndef NO_ASN
16794     {
16795         /* DH Private - Key Export / Import */
16796     #ifdef WOLFSSL_SMALL_STACK
16797         byte *tmp2;
16798     #else
16799         byte  tmp2[DH_TEST_TMP_SIZE];
16800     #endif
16801         XFILE file = XFOPEN(dhKeyFile, "rb");
16802         if (!file)
16803             ERROR_OUT(-8130, done);
16804         bytes = (word32)XFREAD(tmp, 1, DH_TEST_TMP_SIZE, file);
16805         XFCLOSE(file);
16806 
16807     #ifdef WOLFSSL_SMALL_STACK
16808         tmp2 = (byte*)XMALLOC(DH_TEST_TMP_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16809         if (tmp2 == NULL)
16810             ERROR_OUT(-8131, done);
16811     #endif
16812         idx = 0;
16813         XMEMSET(tmp2, 0, DH_TEST_TMP_SIZE);
16814 
16815         /* Import DH Private key as DER */
16816         ret = wc_DhKeyDecode(tmp, &idx, key, bytes);
16817         if (ret == 0) {
16818             /* Export as DER */
16819             idx = DH_TEST_TMP_SIZE;
16820             ret = wc_DhPrivKeyToDer(key, tmp2, &idx);
16821         }
16822 
16823         /* Verify export matches original */
16824         if (ret <= 0 || bytes != idx || XMEMCMP(tmp, tmp2, bytes) != 0) {
16825             ERROR_OUT(-8132, done);
16826         }
16827 
16828 
16829         /* DH Public Key - Export / Import */
16830         file = XFOPEN(dhKeyPubFile, "rb");
16831         if (!file)
16832             ERROR_OUT(-8133, done);
16833         bytes = (word32)XFREAD(tmp, 1, DH_TEST_TMP_SIZE, file);
16834         XFCLOSE(file);
16835 
16836         /* for HAVE_WOLF_BIGINT prevent leak */
16837         wc_FreeDhKey(key);
16838         (void)wc_InitDhKey_ex(key, HEAP_HINT, devId);
16839 
16840         idx = 0;
16841         XMEMSET(tmp2, 0, DH_TEST_TMP_SIZE);
16842 
16843         /* Import DH Public key as DER */
16844         ret = wc_DhKeyDecode(tmp, &idx, key, bytes);
16845         if (ret == 0) {
16846             /* Export as DER */
16847             idx = DH_TEST_TMP_SIZE;
16848             ret = wc_DhPubKeyToDer(key, tmp2, &idx);
16849         }
16850 
16851         /* Verify export matches original */
16852         if (ret <= 0 || bytes != idx || XMEMCMP(tmp, tmp2, bytes) != 0) {
16853             ERROR_OUT(-8134, done);
16854         }
16855 
16856     #ifdef WOLFSSL_SMALL_STACK
16857         XFREE(tmp2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16858     #endif
16859     }
16860 #else
16861     ret = wc_DhSetKey(key, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g));
16862     if (ret != 0) {
16863         ERROR_OUT(-8121, done);
16864     }
16865 #endif /* !NO_ASN */
16866 
16867     privSz = DH_TEST_BUF_SIZE;
16868     pubSz = DH_TEST_BUF_SIZE;
16869     ret = wc_DhExportKeyPair(key, priv, &privSz, pub, &pubSz);
16870     if (ret != 0) {
16871         ERROR_OUT(-8122, done);
16872     }
16873     ret = wc_DhImportKeyPair(key2, priv, privSz, pub, pubSz);
16874     if (ret != 0) {
16875         ERROR_OUT(-8125, done);
16876     }
16877 #endif /* WOLFSSL_DH_EXTRA && !NO_FILESYSTEM && !FIPS <= 2 */
16878 
16879 #ifndef WC_NO_RNG
16880     ret = dh_generate_test(&rng);
16881     if (ret != 0)
16882         ERROR_OUT(-8123, done);
16883 
16884     ret = dh_fips_generate_test(&rng);
16885     if (ret != 0)
16886         ERROR_OUT(-8124, done);
16887 #endif /* !WC_NO_RNG */
16888 
16889 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
16890     ret = dh_test_check_pubvalue();
16891     if (ret != 0)
16892         ERROR_OUT(-8125, done);
16893 #endif
16894 
16895 #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2) && \
16896     !defined(WOLFSSL_SP_ARM64_ASM)
16897 /* RNG with DH and SP_ASM code not supported in the in-lined FIPS ASM code,
16898  * this will be available for testing in the 140-3 module */
16899 #ifndef WC_NO_RNG
16900     /* Specialized code for key gen when using FFDHE-2048, FFDHE-3072 and FFDHE-4096 */
16901     #ifdef HAVE_FFDHE_2048
16902     #ifdef HAVE_PUBLIC_FFDHE
16903     ret = dh_ffdhe_test(&rng, wc_Dh_ffdhe2048_Get());
16904     #else
16905     ret = dh_ffdhe_test(&rng, WC_FFDHE_2048);
16906     #endif
16907     if (ret != 0)
16908         ERROR_OUT(-8126, done);
16909     #endif
16910     #ifdef HAVE_FFDHE_3072
16911     #ifdef HAVE_PUBLIC_FFDHE
16912     ret = dh_ffdhe_test(&rng, wc_Dh_ffdhe3072_Get());
16913     #else
16914     ret = dh_ffdhe_test(&rng, WC_FFDHE_3072);
16915     #endif
16916     if (ret != 0)
16917         ERROR_OUT(-8127, done);
16918     #endif
16919     #ifdef HAVE_FFDHE_4096
16920     #ifdef HAVE_PUBLIC_FFDHE
16921     ret = dh_ffdhe_test(&rng, wc_Dh_ffdhe4096_Get());
16922     if (ret != 0)
16923         ERROR_OUT(-8128, done);
16924     #else
16925     ret = dh_ffdhe_test(&rng, WC_FFDHE_4096);
16926     #endif
16927     #endif
16928 #endif /* !WC_NO_RNG */
16929 #endif /* HAVE_FIPS_VERSION == 2 && !WOLFSSL_SP_ARM64_ASM */
16930 
16931     wc_FreeDhKey(key);
16932     keyInit = 0;
16933 
16934 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
16935     !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(WC_NO_RNG)
16936     /* Test Check Key */
16937     ret = wc_DhSetCheckKey(key, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g),
16938                            NULL, 0, 0, &rng);
16939     if (ret != 0)
16940         ERROR_OUT(-8129, done);
16941     keyInit = 1; /* DhSetCheckKey also initializes the key, free it */
16942 #endif
16943 
16944 done:
16945 
16946 #ifndef WC_NO_RNG
16947     wc_FreeRng(&rng);
16948 #endif
16949 
16950 #ifdef WOLFSSL_SMALL_STACK
16951     if (key) {
16952         if (keyInit)
16953             wc_FreeDhKey(key);
16954         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16955     }
16956     if (key2) {
16957         wc_FreeDhKey(key2);
16958         XFREE(key2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16959     }
16960     if (tmp)
16961         XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16962     if (priv)
16963         XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16964     if (pub)
16965         XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16966     if (priv2)
16967         XFREE(priv2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16968     if (pub2)
16969         XFREE(pub2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16970     if (agree)
16971         XFREE(agree, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16972     if (agree2)
16973         XFREE(agree2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
16974 #else
16975     if (keyInit)
16976         wc_FreeDhKey(key);
16977     wc_FreeDhKey(key2);
16978 #endif
16979 
16980     (void)privSz;
16981     (void)pubSz;
16982     (void)pubSz2;
16983     (void)privSz2;
16984 
16985     return ret;
16986 #undef DH_TEST_BUF_SIZE
16987 #undef DH_TEST_TMP_SIZE
16988 }
16989 
16990 #endif /* NO_DH */
16991 
16992 
16993 #ifndef NO_DSA
16994 
16995 WOLFSSL_TEST_SUBROUTINE int dsa_test(void)
16996 {
16997     int    ret = 0, answer;
16998     word32 bytes;
16999     word32 idx = 0;
17000     WC_RNG rng;
17001     wc_Sha sha;
17002     byte   hash[WC_SHA_DIGEST_SIZE];
17003     byte   signature[40];
17004 #ifdef WOLFSSL_KEY_GEN
17005     byte*  der = 0;
17006 #endif
17007 #define DSA_TEST_TMP_SIZE 1024
17008 #ifdef WOLFSSL_SMALL_STACK
17009     byte   *tmp = (byte *)XMALLOC(DSA_TEST_TMP_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17010     DsaKey *key = (DsaKey *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17011 #ifdef WOLFSSL_KEY_GEN
17012     DsaKey *derIn = (DsaKey *)XMALLOC(sizeof *derIn, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17013     DsaKey *genKey = (DsaKey *)XMALLOC(sizeof *genKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17014 #endif
17015     if ((tmp == NULL) ||
17016         (key == NULL)
17017 #ifdef WOLFSSL_KEY_GEN
17018         || (derIn == NULL)
17019         || (genKey == NULL)
17020 #endif
17021         ) {
17022         ret = -8216;
17023         goto out;
17024     }
17025 #else
17026     byte   tmp[1024];
17027     DsaKey key[1];
17028 #ifdef WOLFSSL_KEY_GEN
17029     DsaKey derIn[1];
17030     DsaKey genKey[1];
17031 #endif
17032 #endif
17033 
17034 #ifdef USE_CERT_BUFFERS_1024
17035     XMEMCPY(tmp, dsa_key_der_1024, sizeof_dsa_key_der_1024);
17036     bytes = sizeof_dsa_key_der_1024;
17037 #elif defined(USE_CERT_BUFFERS_2048)
17038     XMEMCPY(tmp, dsa_key_der_2048, sizeof_dsa_key_der_2048);
17039     bytes = sizeof_dsa_key_der_2048;
17040 #else
17041     {
17042         XFILE  file = XFOPEN(dsaKey, "rb");
17043         if (!file)
17044             ERROR_OUT(-8200, out);
17045 
17046         bytes = (word32) XFREAD(tmp, 1, DSA_TEST_TMP_SIZE, file);
17047         XFCLOSE(file);
17048     }
17049 #endif /* USE_CERT_BUFFERS */
17050 
17051     ret = wc_InitSha_ex(&sha, HEAP_HINT, devId);
17052     if (ret != 0)
17053         ERROR_OUT(-8201, out);
17054     wc_ShaUpdate(&sha, tmp, bytes);
17055     wc_ShaFinal(&sha, hash);
17056     wc_ShaFree(&sha);
17057 
17058     ret = wc_InitDsaKey(key);
17059     if (ret != 0)
17060         ERROR_OUT(-8202, out);
17061 
17062     ret = wc_DsaPrivateKeyDecode(tmp, &idx, key, bytes);
17063     if (ret != 0)
17064         ERROR_OUT(-8203, out);
17065 
17066 #ifndef HAVE_FIPS
17067     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
17068 #else
17069     ret = wc_InitRng(&rng);
17070 #endif
17071     if (ret != 0)
17072         ERROR_OUT(-8204, out);
17073 
17074     ret = wc_DsaSign(hash, signature, key, &rng);
17075     if (ret != 0)
17076         ERROR_OUT(-8205, out);
17077 
17078     ret = wc_DsaVerify(hash, signature, key, &answer);
17079     if (ret != 0)
17080         ERROR_OUT(-8206, out);
17081     if (answer != 1)
17082         ERROR_OUT(-8207, out);
17083 
17084     wc_FreeDsaKey(key);
17085 
17086 #ifdef WOLFSSL_KEY_GEN
17087     {
17088     int    derSz = 0;
17089 
17090     ret = wc_InitDsaKey(genKey);
17091     if (ret != 0)
17092         ERROR_OUT(-8208, out);
17093 
17094     ret = wc_MakeDsaParameters(&rng, 1024, genKey);
17095     if (ret != 0) {
17096         wc_FreeDsaKey(genKey);
17097         ERROR_OUT(-8209, out);
17098     }
17099 
17100     ret = wc_MakeDsaKey(&rng, genKey);
17101     if (ret != 0) {
17102         wc_FreeDsaKey(genKey);
17103         ERROR_OUT(-8210, out);
17104     }
17105 
17106     der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17107     if (der == NULL) {
17108         wc_FreeDsaKey(genKey);
17109         ERROR_OUT(-8211, out);
17110     }
17111 
17112     derSz = wc_DsaKeyToDer(genKey, der, FOURK_BUF);
17113     if (derSz < 0) {
17114         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17115         ERROR_OUT(-8212, out);
17116     }
17117 
17118     ret = SaveDerAndPem(der, derSz, keyDerFile, keyPemFile,
17119         DSA_PRIVATEKEY_TYPE, -5814);
17120     if (ret != 0) {
17121         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17122         wc_FreeDsaKey(genKey);
17123         goto out;
17124     }
17125 
17126     ret = wc_InitDsaKey(derIn);
17127     if (ret != 0) {
17128         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17129         wc_FreeDsaKey(genKey);
17130         ERROR_OUT(-8213, out);
17131     }
17132 
17133     idx = 0;
17134     ret = wc_DsaPrivateKeyDecode(der, &idx, derIn, derSz);
17135     if (ret != 0) {
17136         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17137         wc_FreeDsaKey(derIn);
17138         wc_FreeDsaKey(genKey);
17139         ERROR_OUT(-8214, out);
17140     }
17141 
17142     }
17143 #endif /* WOLFSSL_KEY_GEN */
17144 
17145   out:
17146 
17147 #ifdef WOLFSSL_SMALL_STACK
17148     if (key) {
17149 #endif
17150         if (wc_InitDsaKey_h(key, NULL) != 0)
17151             ret = -8215;
17152 #ifdef WOLFSSL_SMALL_STACK
17153     }
17154 #endif
17155 
17156 #ifdef WOLFSSL_KEY_GEN
17157     if (der)
17158         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17159 #endif
17160 
17161 #ifdef WOLFSSL_SMALL_STACK
17162     if (tmp)
17163         XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17164     if (key)
17165         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17166 #ifdef WOLFSSL_KEY_GEN
17167     if (derIn) {
17168         wc_FreeDsaKey(derIn);
17169         XFREE(derIn, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17170     }
17171     if (genKey) {
17172         wc_FreeDsaKey(genKey);
17173         XFREE(genKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17174     }
17175 #endif
17176 
17177 #else /* !WOLFSSL_SMALL_STACK */
17178 
17179 #ifdef WOLFSSL_KEY_GEN
17180     wc_FreeDsaKey(derIn);
17181     wc_FreeDsaKey(genKey);
17182 #endif
17183 
17184 #endif
17185 
17186     wc_FreeRng(&rng);
17187 
17188     return ret;
17189 }
17190 
17191 #endif /* NO_DSA */
17192 
17193 #ifdef WOLFCRYPT_HAVE_SRP
17194 
17195 static int generate_random_salt(byte *buf, word32 size)
17196 {
17197     int ret = -8220;
17198     WC_RNG rng;
17199 
17200     if(NULL == buf || !size)
17201         return -8221;
17202 
17203     if (buf && size && wc_InitRng_ex(&rng, HEAP_HINT, devId) == 0) {
17204         ret = wc_RNG_GenerateBlock(&rng, (byte *)buf, size);
17205 
17206         wc_FreeRng(&rng);
17207     }
17208 
17209     return ret;
17210 }
17211 
17212 static int srp_test_digest(SrpType dgstType)
17213 {
17214     int r;
17215 
17216     byte clientPubKey[192]; /* A */
17217     byte serverPubKey[192]; /* B */
17218     word32 clientPubKeySz = 192;
17219     word32 serverPubKeySz = 192;
17220 
17221     byte username[] = "user";
17222     word32 usernameSz = 4;
17223 
17224     byte password[] = "password";
17225     word32 passwordSz = 8;
17226 
17227     WOLFSSL_SMALL_STACK_STATIC const byte N[] = {
17228         0xfc, 0x58, 0x7a, 0x8a, 0x70, 0xfb, 0x5a, 0x9a,
17229         0x5d, 0x39, 0x48, 0xbf, 0x1c, 0x46, 0xd8, 0x3b,
17230         0x7a, 0xe9, 0x1f, 0x85, 0x36, 0x18, 0xc4, 0x35,
17231         0x3f, 0xf8, 0x8a, 0x8f, 0x8c, 0x10, 0x2e, 0x01,
17232         0x58, 0x1d, 0x41, 0xcb, 0xc4, 0x47, 0xa8, 0xaf,
17233         0x9a, 0x6f, 0x58, 0x14, 0xa4, 0x68, 0xf0, 0x9c,
17234         0xa6, 0xe7, 0xbf, 0x0d, 0xe9, 0x62, 0x0b, 0xd7,
17235         0x26, 0x46, 0x5b, 0x27, 0xcb, 0x4c, 0xf9, 0x7e,
17236         0x1e, 0x8b, 0xe6, 0xdd, 0x29, 0xb7, 0xb7, 0x15,
17237         0x2e, 0xcf, 0x23, 0xa6, 0x4b, 0x97, 0x9f, 0x89,
17238         0xd4, 0x86, 0xc4, 0x90, 0x63, 0x92, 0xf4, 0x30,
17239         0x26, 0x69, 0x48, 0x9d, 0x7a, 0x4f, 0xad, 0xb5,
17240         0x6a, 0x51, 0xad, 0xeb, 0xf9, 0x90, 0x31, 0x77,
17241         0x53, 0x30, 0x2a, 0x85, 0xf7, 0x11, 0x21, 0x0c,
17242         0xb8, 0x4b, 0x56, 0x03, 0x5e, 0xbb, 0x25, 0x33,
17243         0x7c, 0xd9, 0x5a, 0xd1, 0x5c, 0xb2, 0xd4, 0x53,
17244         0xc5, 0x16, 0x68, 0xf0, 0xdf, 0x48, 0x55, 0x3e,
17245         0xd4, 0x59, 0x87, 0x64, 0x59, 0xaa, 0x39, 0x01,
17246         0x45, 0x89, 0x9c, 0x72, 0xff, 0xdd, 0x8f, 0x6d,
17247         0xa0, 0x42, 0xbc, 0x6f, 0x6e, 0x62, 0x18, 0x2d,
17248         0x50, 0xe8, 0x18, 0x97, 0x87, 0xfc, 0xef, 0x1f,
17249         0xf5, 0x53, 0x68, 0xe8, 0x49, 0xd1, 0xa2, 0xe8,
17250         0xb9, 0x26, 0x03, 0xba, 0xb5, 0x58, 0x6f, 0x6c,
17251         0x8b, 0x08, 0xa1, 0x7b, 0x6f, 0x42, 0xc9, 0x53
17252     };
17253 
17254     WOLFSSL_SMALL_STACK_STATIC const byte g[] = {
17255         0x02
17256     };
17257 
17258     byte salt[10];
17259 
17260     byte verifier[192];
17261     word32 v_size = sizeof(verifier);
17262 
17263     word32 clientProofSz = SRP_MAX_DIGEST_SIZE;
17264     word32 serverProofSz = SRP_MAX_DIGEST_SIZE;
17265 #ifdef WOLFSSL_SMALL_STACK
17266     Srp *cli = (Srp *)XMALLOC(sizeof *cli, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17267     Srp *srv = (Srp *)XMALLOC(sizeof *srv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17268     byte *clientProof = (byte *)XMALLOC(SRP_MAX_DIGEST_SIZE, HEAP_HINT,
17269                                         DYNAMIC_TYPE_TMP_BUFFER); /* M1 */
17270     byte *serverProof = (byte *)XMALLOC(SRP_MAX_DIGEST_SIZE, HEAP_HINT,
17271                                         DYNAMIC_TYPE_TMP_BUFFER); /* M2 */
17272 
17273     if ((cli == NULL) ||
17274         (srv == NULL) ||
17275         (clientProof == NULL) ||
17276         (serverProof == NULL)) {
17277         r = -8222;
17278         goto out;
17279     }
17280 #else
17281     Srp cli[1], srv[1];
17282     byte clientProof[SRP_MAX_DIGEST_SIZE]; /* M1 */
17283     byte serverProof[SRP_MAX_DIGEST_SIZE]; /* M2 */
17284 #endif
17285 
17286 
17287     /* set as 0's so if second init on srv not called SrpTerm is not on
17288      * garbage values */
17289     XMEMSET(srv, 0, sizeof *srv);
17290     XMEMSET(cli, 0, sizeof *cli);
17291 
17292     /* generating random salt */
17293 
17294     r = generate_random_salt(salt, sizeof(salt));
17295 
17296     /* client knows username and password.   */
17297     /* server knows N, g, salt and verifier. */
17298 
17299     if (!r) r = wc_SrpInit_ex(cli, dgstType, SRP_CLIENT_SIDE, HEAP_HINT, devId);
17300     if (!r) r = wc_SrpSetUsername(cli, username, usernameSz);
17301 
17302     /* loading N, g and salt in advance to generate the verifier. */
17303 
17304     if (!r) r = wc_SrpSetParams(cli, N,    sizeof(N),
17305                                       g,    sizeof(g),
17306                                       salt, sizeof(salt));
17307     if (!r) r = wc_SrpSetPassword(cli, password, passwordSz);
17308     if (!r) r = wc_SrpGetVerifier(cli, verifier, &v_size);
17309 
17310     /* client sends username to server */
17311 
17312     if (!r) r = wc_SrpInit_ex(srv, dgstType, SRP_SERVER_SIDE, HEAP_HINT, devId);
17313     if (!r) r = wc_SrpSetUsername(srv, username, usernameSz);
17314     if (!r) r = wc_SrpSetParams(srv, N,    sizeof(N),
17315                                       g,    sizeof(g),
17316                                       salt, sizeof(salt));
17317     if (!r) r = wc_SrpSetVerifier(srv, verifier, v_size);
17318     if (!r) r = wc_SrpGetPublic(srv, serverPubKey, &serverPubKeySz);
17319 
17320     /* server sends N, g, salt and B to client */
17321 
17322     if (!r) r = wc_SrpGetPublic(cli, clientPubKey, &clientPubKeySz);
17323     if (!r) r = wc_SrpComputeKey(cli, clientPubKey, clientPubKeySz,
17324                                        serverPubKey, serverPubKeySz);
17325     if (!r) r = wc_SrpGetProof(cli, clientProof, &clientProofSz);
17326 
17327     /* client sends A and M1 to server */
17328 
17329     if (!r) r = wc_SrpComputeKey(srv, clientPubKey, clientPubKeySz,
17330                                        serverPubKey, serverPubKeySz);
17331     if (!r) r = wc_SrpVerifyPeersProof(srv, clientProof, clientProofSz);
17332     if (!r) r = wc_SrpGetProof(srv, serverProof, &serverProofSz);
17333 
17334     /* server sends M2 to client */
17335 
17336     if (!r) r = wc_SrpVerifyPeersProof(cli, serverProof, serverProofSz);
17337 
17338     wc_SrpTerm(cli);
17339     wc_SrpTerm(srv);
17340 
17341 #ifdef WOLFSSL_SMALL_STACK
17342   out:
17343 
17344     if (cli)
17345         XFREE(cli, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17346     if (srv)
17347         XFREE(srv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17348     if (clientProof)
17349         XFREE(clientProof, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17350     if (serverProof)
17351         XFREE(serverProof, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
17352 #endif
17353 
17354     return r;
17355 }
17356 
17357 WOLFSSL_TEST_SUBROUTINE int srp_test(void)
17358 {
17359     int ret;
17360 
17361 #ifndef NO_SHA
17362     ret = srp_test_digest(SRP_TYPE_SHA);
17363     if (ret != 0)
17364         return ret;
17365 #endif
17366 #ifndef NO_SHA256
17367     ret = srp_test_digest(SRP_TYPE_SHA256);
17368     if (ret != 0)
17369         return ret;
17370 #endif
17371 #ifdef WOLFSSL_SHA384
17372     ret = srp_test_digest(SRP_TYPE_SHA384);
17373     if (ret != 0)
17374         return ret;
17375 #endif
17376 #ifdef WOLFSSL_SHA512
17377     ret = srp_test_digest(SRP_TYPE_SHA512);
17378     if (ret != 0)
17379         return ret;
17380 #endif
17381 
17382     return ret;
17383 }
17384 
17385 #endif /* WOLFCRYPT_HAVE_SRP */
17386 
17387 #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
17388 
17389 #if !defined(NO_AES) && !defined(WOLFCRYPT_ONLY)
17390 static int openssl_aes_test(void)
17391 {
17392 #ifdef HAVE_AES_CBC
17393 #ifdef WOLFSSL_AES_128
17394     {
17395         /* EVP_CipherUpdate test */
17396         WOLFSSL_SMALL_STACK_STATIC const byte cbcPlain[] =
17397         {
17398             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
17399             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
17400             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
17401             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
17402             0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
17403             0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
17404             0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
17405             0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
17406         };
17407 
17408         WOLFSSL_SMALL_STACK_STATIC const byte key[] =
17409             "0123456789abcdef   ";  /* align */
17410         WOLFSSL_SMALL_STACK_STATIC const byte iv[]  =
17411             "1234567890abcdef   ";  /* align */
17412 
17413         byte cipher[AES_BLOCK_SIZE * 4];
17414         byte plain [AES_BLOCK_SIZE * 4];
17415 #ifdef WOLFSSL_SMALL_STACK
17416         EVP_CIPHER_CTX *en = wolfSSL_EVP_CIPHER_CTX_new();
17417         EVP_CIPHER_CTX *de = wolfSSL_EVP_CIPHER_CTX_new();
17418 #else
17419         EVP_CIPHER_CTX en[1];
17420         EVP_CIPHER_CTX de[1];
17421 #endif
17422         int outlen ;
17423         int total = 0;
17424         int i;
17425 
17426 #ifdef WOLFSSL_SMALL_STACK
17427         if ((en == NULL) || (de == NULL))
17428             return MEMORY_E;
17429 #endif
17430 
17431         EVP_CIPHER_CTX_init(en);
17432         if (EVP_CipherInit(en, EVP_aes_128_cbc(),
17433             (unsigned char*)key, (unsigned char*)iv, 1) == 0)
17434             return -8400;
17435         if (EVP_CipherUpdate(en, (byte*)cipher, &outlen,
17436                     (byte*)cbcPlain, 9) == 0)
17437             return -8401;
17438         if (outlen != 0)
17439             return -8402;
17440         total += outlen;
17441 
17442         if (EVP_CipherUpdate(en, (byte*)&cipher[total], &outlen,
17443                     (byte*)&cbcPlain[9]  , 9) == 0)
17444             return -8403;
17445         if (outlen != 16)
17446             return -8404;
17447         total += outlen;
17448 
17449         if (EVP_CipherFinal(en, (byte*)&cipher[total], &outlen) == 0)
17450             return -8405;
17451         if (outlen != 16)
17452             return -8406;
17453         total += outlen;
17454         if (total != 32)
17455             return 3408;
17456 
17457         total = 0;
17458         EVP_CIPHER_CTX_init(de);
17459         if (EVP_CipherInit(de, EVP_aes_128_cbc(),
17460             (unsigned char*)key, (unsigned char*)iv, 0) == 0)
17461             return -8407;
17462 
17463         if (EVP_CipherUpdate(de, (byte*)plain, &outlen, (byte*)cipher, 6) == 0)
17464             return -8408;
17465         if (outlen != 0)
17466             return -8409;
17467         total += outlen;
17468 
17469         if (EVP_CipherUpdate(de, (byte*)&plain[total], &outlen,
17470                     (byte*)&cipher[6], 12) == 0)
17471             return -8410;
17472         if (outlen != 0)
17473         total += outlen;
17474 
17475         if (EVP_CipherUpdate(de, (byte*)&plain[total], &outlen,
17476                     (byte*)&cipher[6+12], 14) == 0)
17477             return -8411;
17478         if (outlen != 16)
17479             return -8412;
17480         total += outlen;
17481 
17482         if (EVP_CipherFinal(de, (byte*)&plain[total], &outlen) == 0)
17483             return -8413;
17484         if (outlen != 2)
17485             return -8414;
17486         total += outlen;
17487 
17488         if (total != 18)
17489             return 3427;
17490 
17491         if (XMEMCMP(plain, cbcPlain, 18))
17492             return -8415;
17493 
17494         /* test with encrypting/decrypting more than 16 bytes at once */
17495         total = 0;
17496         EVP_CIPHER_CTX_init(en);
17497         if (EVP_CipherInit(en, EVP_aes_128_cbc(),
17498             (unsigned char*)key, (unsigned char*)iv, 1) == 0)
17499             return -8416;
17500         if (EVP_CipherUpdate(en, (byte*)cipher, &outlen,
17501                     (byte*)cbcPlain, 17) == 0)
17502             return -8417;
17503         if (outlen != 16)
17504             return -8418;
17505         total += outlen;
17506 
17507         if (EVP_CipherUpdate(en, (byte*)&cipher[total], &outlen,
17508                     (byte*)&cbcPlain[17]  , 1) == 0)
17509             return -8419;
17510         if (outlen != 0)
17511             return -8420;
17512         total += outlen;
17513 
17514         if (EVP_CipherFinal(en, (byte*)&cipher[total], &outlen) == 0)
17515             return -8421;
17516         if (outlen != 16)
17517             return -8422;
17518         total += outlen;
17519         if (total != 32)
17520             return -8423;
17521 
17522         total = 0;
17523         EVP_CIPHER_CTX_init(de);
17524         if (EVP_CipherInit(de, EVP_aes_128_cbc(),
17525             (unsigned char*)key, (unsigned char*)iv, 0) == 0)
17526             return -8424;
17527 
17528         if (EVP_CipherUpdate(de, (byte*)plain, &outlen, (byte*)cipher, 17) == 0)
17529             return -8425;
17530         if (outlen != 16)
17531             return -8426;
17532         total += outlen;
17533 
17534         /* final call on non block size should fail */
17535         if (EVP_CipherFinal(de, (byte*)&plain[total], &outlen) != 0)
17536             return -8427;
17537 
17538         if (EVP_CipherUpdate(de, (byte*)&plain[total], &outlen,
17539                     (byte*)&cipher[17], 1) == 0)
17540             return -8428;
17541         if (outlen != 0)
17542         total += outlen;
17543 
17544         if (EVP_CipherUpdate(de, (byte*)&plain[total], &outlen,
17545                     (byte*)&cipher[17+1], 14) == 0)
17546             return -8429;
17547         if (outlen != 0)
17548             return -8430;
17549         total += outlen;
17550 
17551         if (EVP_CipherFinal(de, (byte*)&plain[total], &outlen) == 0)
17552             return -8431;
17553         if (outlen != 2)
17554             return -8432;
17555         total += outlen;
17556 
17557         if (total != 18)
17558             return -8433;
17559 
17560         if (XMEMCMP(plain, cbcPlain, 18))
17561             return -8434;
17562 
17563         /* test byte by byte decrypt */
17564         for (i = 0; i < AES_BLOCK_SIZE * 3; i++) {
17565             plain[i] = i;
17566         }
17567 
17568         total = 0;
17569         EVP_CIPHER_CTX_init(en);
17570         if (EVP_CipherInit(en, EVP_aes_128_cbc(),
17571             (unsigned char*)key, (unsigned char*)iv, 1) == 0)
17572             return -8435;
17573         if (EVP_CipherUpdate(en, (byte*)cipher, &outlen,
17574                     (byte*)plain, AES_BLOCK_SIZE * 3) == 0)
17575             return -8436;
17576         if (outlen != AES_BLOCK_SIZE * 3)
17577             return -8437;
17578         total += outlen;
17579 
17580         if (EVP_CipherFinal(en, (byte*)&cipher[total], &outlen) == 0)
17581             return -8438;
17582         if (outlen != AES_BLOCK_SIZE)
17583             return -8439;
17584         total += outlen;
17585         if (total != sizeof(plain))
17586             return -8440;
17587 
17588         total = 0;
17589         EVP_CIPHER_CTX_init(de);
17590         if (EVP_CipherInit(de, EVP_aes_128_cbc(),
17591             (unsigned char*)key, (unsigned char*)iv, 0) == 0)
17592             return -8441;
17593 
17594         for (i = 0; i < AES_BLOCK_SIZE * 4; i++) {
17595             if (EVP_CipherUpdate(de, (byte*)plain + total, &outlen,
17596                         (byte*)cipher + i, 1) == 0)
17597                 return -8442;
17598 
17599             if (outlen > 0) {
17600                 int j;
17601 
17602                 total += outlen;
17603                 for (j = 0; j < total; j++) {
17604                     if (plain[j] != j) {
17605                         return -8443;
17606                     }
17607                 }
17608             }
17609         }
17610 
17611         if (EVP_CipherFinal(de, (byte*)&plain[total], &outlen) == 0)
17612             return -8444;
17613         total += outlen;
17614         if (total != AES_BLOCK_SIZE * 3) {
17615             return -8445;
17616         }
17617         for (i = 0; i < AES_BLOCK_SIZE * 3; i++) {
17618             if (plain[i] != i) {
17619                 return -8446;
17620             }
17621         }
17622 
17623 #ifdef WOLFSSL_SMALL_STACK
17624         wolfSSL_EVP_CIPHER_CTX_free(en);
17625         wolfSSL_EVP_CIPHER_CTX_free(de);
17626 #endif
17627     }
17628 
17629     /* set buffers to be exact size to catch potential over read/write */
17630     {
17631         /* EVP_CipherUpdate test */
17632         WOLFSSL_SMALL_STACK_STATIC const byte cbcPlain[] =
17633         {
17634             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
17635             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
17636             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
17637             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
17638             0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
17639             0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
17640             0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
17641             0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
17642         };
17643 
17644         WOLFSSL_SMALL_STACK_STATIC const byte key[] =
17645             "0123456789abcdef   ";  /* align */
17646         WOLFSSL_SMALL_STACK_STATIC const byte iv[]  =
17647             "1234567890abcdef   ";  /* align */
17648 
17649         #define EVP_TEST_BUF_SZ 18
17650         #define EVP_TEST_BUF_PAD 32
17651         byte cipher[EVP_TEST_BUF_SZ];
17652         byte plain [EVP_TEST_BUF_SZ];
17653         byte padded[EVP_TEST_BUF_PAD];
17654 #ifdef WOLFSSL_SMALL_STACK
17655         EVP_CIPHER_CTX *en = wolfSSL_EVP_CIPHER_CTX_new();
17656         EVP_CIPHER_CTX *de = wolfSSL_EVP_CIPHER_CTX_new();
17657 #else
17658         EVP_CIPHER_CTX en[1];
17659         EVP_CIPHER_CTX de[1];
17660 #endif
17661         int outlen ;
17662         int total = 0;
17663 
17664 #ifdef WOLFSSL_SMALL_STACK
17665         if ((en == NULL) || (de == NULL))
17666             return MEMORY_E;
17667 #endif
17668 
17669         EVP_CIPHER_CTX_init(en);
17670         if (EVP_CipherInit(en, EVP_aes_128_cbc(),
17671             (unsigned char*)key, (unsigned char*)iv, 1) == 0)
17672             return -8447;
17673         if (EVP_CIPHER_CTX_set_padding(en, 0) != 1)
17674             return -8448;
17675         if (EVP_CipherUpdate(en, (byte*)cipher, &outlen,
17676                     (byte*)cbcPlain, EVP_TEST_BUF_SZ) == 0)
17677             return -8449;
17678         if (outlen != 16)
17679             return -8450;
17680         total += outlen;
17681 
17682         /* should fail here */
17683         if (EVP_CipherFinal(en, (byte*)&cipher[total], &outlen) != 0)
17684             return -8451;
17685 
17686         /* turn padding back on and do successful encrypt */
17687         total = 0;
17688         EVP_CIPHER_CTX_init(en);
17689         if (EVP_CipherInit(en, EVP_aes_128_cbc(),
17690             (unsigned char*)key, (unsigned char*)iv, 1) == 0)
17691             return -8452;
17692         if (EVP_CIPHER_CTX_set_padding(en, 1) != 1)
17693             return -8453;
17694         if (EVP_CipherUpdate(en, (byte*)padded, &outlen,
17695                     (byte*)cbcPlain, EVP_TEST_BUF_SZ) == 0)
17696             return -8454;
17697         if (outlen != 16)
17698             return -8455;
17699         total += outlen;
17700 
17701         if (EVP_CipherFinal(en, (byte*)&padded[total], &outlen) == 0)
17702             return -8456;
17703         total += outlen;
17704         if (total != 32)
17705             return -8457;
17706         XMEMCPY(cipher, padded, EVP_TEST_BUF_SZ);
17707 
17708         /* test out of bounds read on buffers w/o padding during decryption */
17709         total = 0;
17710         EVP_CIPHER_CTX_init(de);
17711         if (EVP_CipherInit(de, EVP_aes_128_cbc(),
17712             (unsigned char*)key, (unsigned char*)iv, 0) == 0)
17713             return -8458;
17714 
17715         if (EVP_CIPHER_CTX_set_padding(de, 0) != 1)
17716             return -8459;
17717         if (EVP_CipherUpdate(de, (byte*)plain, &outlen, (byte*)cipher,
17718                     EVP_TEST_BUF_SZ) == 0)
17719             return -8460;
17720         if (outlen != 16)
17721             return -8461;
17722         total += outlen;
17723 
17724         /* should fail since not using padding */
17725         if (EVP_CipherFinal(de, (byte*)&plain[total], &outlen) != 0)
17726             return -8462;
17727 
17728         total = 0;
17729         EVP_CIPHER_CTX_init(de);
17730         if (EVP_CipherInit(de, EVP_aes_128_cbc(),
17731             (unsigned char*)key, (unsigned char*)iv, 0) == 0)
17732             return -8463;
17733         if (EVP_CIPHER_CTX_set_padding(de, 1) != 1)
17734             return -8464;
17735         if (EVP_CipherUpdate(de, (byte*)padded, &outlen, (byte*)padded,
17736                     EVP_TEST_BUF_PAD) == 0)
17737             return -8465;
17738         if (outlen != 16)
17739             return -8466;
17740         total += outlen;
17741 
17742         if (EVP_CipherFinal(de, (byte*)&padded[total], &outlen) == 0)
17743             return -8467;
17744         if (XMEMCMP(padded, cbcPlain, EVP_TEST_BUF_SZ))
17745             return -8468;
17746 
17747 #ifdef WOLFSSL_SMALL_STACK
17748         wolfSSL_EVP_CIPHER_CTX_free(en);
17749         wolfSSL_EVP_CIPHER_CTX_free(de);
17750 #endif
17751     }
17752 
17753     {  /* evp_cipher test: EVP_aes_128_cbc */
17754 #ifdef WOLFSSL_SMALL_STACK
17755         EVP_CIPHER_CTX *ctx = wolfSSL_EVP_CIPHER_CTX_new();
17756 #else
17757         EVP_CIPHER_CTX ctx[1];
17758 #endif
17759 
17760         WOLFSSL_SMALL_STACK_STATIC const byte msg[] = { /* "Now is the time for all " w/o trailing 0 */
17761             0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
17762             0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
17763             0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
17764         };
17765 
17766         WOLFSSL_SMALL_STACK_STATIC const byte verify[] =
17767         {
17768             0x95,0x94,0x92,0x57,0x5f,0x42,0x81,0x53,
17769             0x2c,0xcc,0x9d,0x46,0x77,0xa2,0x33,0xcb
17770         };
17771 
17772         WOLFSSL_SMALL_STACK_STATIC const byte key[] =
17773             "0123456789abcdef   ";  /* align */
17774         WOLFSSL_SMALL_STACK_STATIC const byte iv[]  =
17775             "1234567890abcdef   ";  /* align */
17776 
17777         byte cipher[AES_BLOCK_SIZE * 4];
17778         byte plain [AES_BLOCK_SIZE * 4];
17779 
17780 #ifdef WOLFSSL_SMALL_STACK
17781         if (ctx == NULL)
17782             return MEMORY_E;
17783 #endif
17784 
17785         EVP_CIPHER_CTX_init(ctx);
17786         if (EVP_CipherInit(ctx, EVP_aes_128_cbc(), key, iv, 1) == 0)
17787             return -8469;
17788 
17789         if (EVP_Cipher(ctx, cipher, (byte*)msg, 16) != 16)
17790             return -8470;
17791 
17792         if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
17793             return -8471;
17794 
17795         EVP_CIPHER_CTX_init(ctx);
17796         if (EVP_CipherInit(ctx, EVP_aes_128_cbc(), key, iv, 0) == 0)
17797             return -8472;
17798 
17799         if (EVP_Cipher(ctx, plain, cipher, 16) != 16)
17800             return -8473;
17801 
17802         if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
17803             return -8474;
17804 
17805 #ifdef WOLFSSL_SMALL_STACK
17806         wolfSSL_EVP_CIPHER_CTX_free(ctx);
17807 #endif
17808     }  /* end evp_cipher test: EVP_aes_128_cbc*/
17809 #endif /* WOLFSSL_AES_128 */
17810 #endif /* HAVE_AES_CBC */
17811 
17812 #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_256)
17813     {  /* evp_cipher test: EVP_aes_256_ecb*/
17814 #ifdef WOLFSSL_SMALL_STACK
17815         EVP_CIPHER_CTX *ctx = wolfSSL_EVP_CIPHER_CTX_new();
17816 #else
17817         EVP_CIPHER_CTX ctx[1];
17818 #endif
17819         WOLFSSL_SMALL_STACK_STATIC const byte msg[] =
17820         {
17821           0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
17822           0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
17823         };
17824 
17825         WOLFSSL_SMALL_STACK_STATIC const byte verify[] =
17826         {
17827             0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c,
17828             0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8
17829         };
17830 
17831         WOLFSSL_SMALL_STACK_STATIC const byte key[] =
17832         {
17833           0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
17834           0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
17835           0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
17836           0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
17837         };
17838 
17839 
17840         byte cipher[AES_BLOCK_SIZE * 4];
17841         byte plain [AES_BLOCK_SIZE * 4];
17842 
17843 #ifdef WOLFSSL_SMALL_STACK
17844         if (ctx == NULL)
17845             return MEMORY_E;
17846 #endif
17847 
17848         EVP_CIPHER_CTX_init(ctx);
17849         if (EVP_CipherInit(ctx, EVP_aes_256_ecb(), (unsigned char*)key, NULL, 1) == 0)
17850             return -8475;
17851 
17852         if (EVP_Cipher(ctx, cipher, (byte*)msg, 16) != 16)
17853             return -8476;
17854 
17855         if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
17856             return -8477;
17857 
17858         EVP_CIPHER_CTX_init(ctx);
17859         if (EVP_CipherInit(ctx, EVP_aes_256_ecb(), (unsigned char*)key, NULL, 0) == 0)
17860             return -8478;
17861 
17862         if (EVP_Cipher(ctx, plain, cipher, 16) != 16)
17863             return -8479;
17864 
17865         if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
17866             return -8480;
17867 
17868 #ifdef WOLFSSL_SMALL_STACK
17869         wolfSSL_EVP_CIPHER_CTX_free(ctx);
17870 #endif
17871     }  /* end evp_cipher test */
17872 #endif /* HAVE_AES_ECB && WOLFSSL_AES_256 */
17873 
17874 #if defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_256)
17875     /* enable HAVE_AES_DECRYPT for AES_encrypt/decrypt */
17876     {
17877         /* Test: AES_encrypt/decrypt/set Key */
17878 #ifdef WOLFSSL_SMALL_STACK
17879         AES_KEY *enc = (AES_KEY *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES);
17880         #ifdef HAVE_AES_DECRYPT
17881         AES_KEY *dec = (AES_KEY *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES);
17882         #endif
17883 #else
17884         AES_KEY enc[1];
17885         #ifdef HAVE_AES_DECRYPT
17886         AES_KEY dec[1];
17887         #endif
17888 #endif
17889 
17890         WOLFSSL_SMALL_STACK_STATIC const byte msg[] =
17891         {
17892             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
17893             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
17894         };
17895 
17896         WOLFSSL_SMALL_STACK_STATIC const byte verify[] =
17897         {
17898             0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c,
17899             0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8
17900         };
17901 
17902         WOLFSSL_SMALL_STACK_STATIC const byte key[] =
17903         {
17904             0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
17905             0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
17906             0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
17907             0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
17908         };
17909 
17910         byte plain[sizeof(msg)];
17911         byte cipher[sizeof(msg)];
17912 
17913 #ifdef WOLFSSL_SMALL_STACK
17914         if (enc == NULL)
17915             return MEMORY_E;
17916         #ifdef HAVE_AES_DECRYPT
17917         if (dec == NULL)
17918             return MEMORY_E;
17919         #endif
17920 #endif
17921 
17922         AES_set_encrypt_key(key, sizeof(key)*8, enc);
17923         AES_set_decrypt_key(key,  sizeof(key)*8, dec);
17924 
17925         AES_encrypt(msg, cipher, enc);
17926 
17927         #ifdef HAVE_AES_DECRYPT
17928         AES_decrypt(cipher, plain, dec);
17929         if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
17930             return -8481;
17931         #endif /* HAVE_AES_DECRYPT */
17932 
17933         if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
17934             return -8482;
17935 
17936 #ifdef WOLFSSL_SMALL_STACK
17937         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
17938         #ifdef HAVE_AES_DECRYPT
17939         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
17940         #endif
17941 #endif
17942     }
17943 #endif /* WOLFSSL_AES_DIRECT && WOLFSSL_AES_256 */
17944 
17945 /* EVP_Cipher with EVP_aes_xxx_ctr() */
17946 #ifdef WOLFSSL_AES_COUNTER
17947     {
17948         byte plainBuff [64];
17949         byte cipherBuff[64];
17950 
17951 #ifdef WOLFSSL_AES_128
17952         WOLFSSL_SMALL_STACK_STATIC const byte ctrKey[] =
17953         {
17954             0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
17955             0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
17956         };
17957 
17958         WOLFSSL_SMALL_STACK_STATIC const byte ctrIv[] =
17959         {
17960             0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
17961             0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
17962         };
17963 
17964 
17965         WOLFSSL_SMALL_STACK_STATIC const byte ctrPlain[] =
17966         {
17967             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
17968             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
17969             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
17970             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
17971             0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
17972             0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
17973             0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
17974             0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
17975         };
17976 
17977         WOLFSSL_SMALL_STACK_STATIC const byte ctrCipher[] =
17978         {
17979             0x87,0x4d,0x61,0x91,0xb6,0x20,0xe3,0x26,
17980             0x1b,0xef,0x68,0x64,0x99,0x0d,0xb6,0xce,
17981             0x98,0x06,0xf6,0x6b,0x79,0x70,0xfd,0xff,
17982             0x86,0x17,0x18,0x7b,0xb9,0xff,0xfd,0xff,
17983             0x5a,0xe4,0xdf,0x3e,0xdb,0xd5,0xd3,0x5e,
17984             0x5b,0x4f,0x09,0x02,0x0d,0xb0,0x3e,0xab,
17985             0x1e,0x03,0x1d,0xda,0x2f,0xbe,0x03,0xd1,
17986             0x79,0x21,0x70,0xa0,0xf3,0x00,0x9c,0xee
17987         };
17988 
17989         WOLFSSL_SMALL_STACK_STATIC const byte oddCipher[] =
17990         {
17991             0xb9,0xd7,0xcb,0x08,0xb0,0xe1,0x7b,0xa0,
17992             0xc2
17993         };
17994 #endif
17995 
17996         /* test vector from "Recommendation for Block Cipher Modes of Operation"
17997          * NIST Special Publication 800-38A */
17998 #ifdef WOLFSSL_AES_192
17999         WOLFSSL_SMALL_STACK_STATIC const byte ctr192Key[] =
18000         {
18001             0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
18002             0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
18003             0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
18004         };
18005 
18006         WOLFSSL_SMALL_STACK_STATIC const byte ctr192Iv[] =
18007         {
18008             0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
18009             0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
18010         };
18011 
18012 
18013         WOLFSSL_SMALL_STACK_STATIC const byte ctr192Plain[] =
18014         {
18015             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
18016             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
18017         };
18018 
18019         WOLFSSL_SMALL_STACK_STATIC const byte ctr192Cipher[] =
18020         {
18021             0x1a,0xbc,0x93,0x24,0x17,0x52,0x1c,0xa2,
18022             0x4f,0x2b,0x04,0x59,0xfe,0x7e,0x6e,0x0b
18023         };
18024 #endif /* WOLFSSL_AES_192 */
18025 
18026 #ifdef WOLFSSL_AES_256
18027         /* test vector from "Recommendation for Block Cipher Modes of Operation"
18028          * NIST Special Publication 800-38A */
18029         WOLFSSL_SMALL_STACK_STATIC const byte ctr256Key[] =
18030         {
18031             0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
18032             0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
18033             0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
18034             0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
18035         };
18036 
18037         WOLFSSL_SMALL_STACK_STATIC const byte ctr256Iv[] =
18038         {
18039             0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
18040             0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
18041         };
18042 
18043 
18044         WOLFSSL_SMALL_STACK_STATIC const byte ctr256Plain[] =
18045         {
18046             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
18047             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
18048         };
18049 
18050         WOLFSSL_SMALL_STACK_STATIC const byte ctr256Cipher[] =
18051         {
18052             0x60,0x1e,0xc3,0x13,0x77,0x57,0x89,0xa5,
18053             0xb7,0xa7,0xf5,0x04,0xbb,0xf3,0xd2,0x28
18054         };
18055 #endif /* WOLFSSL_AES_256 */
18056 
18057 #ifdef WOLFSSL_SMALL_STACK
18058         EVP_CIPHER_CTX *en = wolfSSL_EVP_CIPHER_CTX_new();
18059         EVP_CIPHER_CTX *de = wolfSSL_EVP_CIPHER_CTX_new();
18060 #else
18061         EVP_CIPHER_CTX en[1];
18062         EVP_CIPHER_CTX de[1];
18063 #endif
18064 #ifdef WOLFSSL_AES_128
18065 
18066 #ifndef WOLFSSL_SMALL_STACK
18067         EVP_CIPHER_CTX *p_en;
18068         EVP_CIPHER_CTX *p_de;
18069 #endif
18070 
18071 #ifdef WOLFSSL_SMALL_STACK
18072         if ((en == NULL) || (de == NULL))
18073             return MEMORY_E;
18074 #endif
18075 
18076         EVP_CIPHER_CTX_init(en);
18077         if (EVP_CipherInit(en, EVP_aes_128_ctr(),
18078                 (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
18079             return -8483;
18080         if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctrPlain,
18081                 AES_BLOCK_SIZE*4) != AES_BLOCK_SIZE*4)
18082             return -8484;
18083         EVP_CIPHER_CTX_init(de);
18084         if (EVP_CipherInit(de, EVP_aes_128_ctr(),
18085                 (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
18086             return -8485;
18087 
18088         if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff,
18089                 AES_BLOCK_SIZE*4) != AES_BLOCK_SIZE*4)
18090             return -8486;
18091 
18092         if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4))
18093             return -8487;
18094         if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4))
18095             return -8488;
18096 
18097 #ifndef WOLFSSL_SMALL_STACK
18098         p_en = wolfSSL_EVP_CIPHER_CTX_new();
18099         if (p_en == NULL)
18100             return -8489;
18101         p_de = wolfSSL_EVP_CIPHER_CTX_new();
18102         if (p_de == NULL)
18103             return -8490;
18104 
18105         if (EVP_CipherInit(p_en, EVP_aes_128_ctr(),
18106                 (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
18107             return -8491;
18108         if (EVP_Cipher(p_en, (byte*)cipherBuff, (byte*)ctrPlain,
18109                 AES_BLOCK_SIZE*4) != AES_BLOCK_SIZE*4)
18110             return -8492;
18111         if (EVP_CipherInit(p_de, EVP_aes_128_ctr(),
18112                 (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
18113             return -8493;
18114 
18115         if (EVP_Cipher(p_de, (byte*)plainBuff, (byte*)cipherBuff,
18116                 AES_BLOCK_SIZE*4) != AES_BLOCK_SIZE*4)
18117             return -8494;
18118 
18119         wolfSSL_EVP_CIPHER_CTX_free(p_en);
18120         wolfSSL_EVP_CIPHER_CTX_free(p_de);
18121 #endif /* !WOLFSSL_SMALL_STACK */
18122 
18123         if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4))
18124             return -8495;
18125         if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4))
18126             return -8496;
18127 
18128         EVP_CIPHER_CTX_init(en);
18129         if (EVP_CipherInit(en, EVP_aes_128_ctr(),
18130             (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
18131             return -8497;
18132         if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctrPlain, 9) != 9)
18133             return -8498;
18134 
18135         EVP_CIPHER_CTX_init(de);
18136         if (EVP_CipherInit(de, EVP_aes_128_ctr(),
18137             (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
18138             return -8499;
18139 
18140         if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff, 9) != 9)
18141             return -8500;
18142 
18143         if (XMEMCMP(plainBuff, ctrPlain, 9))
18144             return -8501;
18145         if (XMEMCMP(cipherBuff, ctrCipher, 9))
18146             return -8502;
18147 
18148         if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctrPlain, 9) != 9)
18149             return -8503;
18150         if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff, 9) != 9)
18151             return -8504;
18152 
18153         if (XMEMCMP(plainBuff, ctrPlain, 9))
18154             return -8505;
18155         if (XMEMCMP(cipherBuff, oddCipher, 9))
18156             return -8506;
18157 #endif /* WOLFSSL_AES_128 */
18158 
18159 #ifdef WOLFSSL_AES_192
18160         EVP_CIPHER_CTX_init(en);
18161         if (EVP_CipherInit(en, EVP_aes_192_ctr(),
18162                 (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0)
18163             return -8507;
18164         if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctr192Plain,
18165                 AES_BLOCK_SIZE) != AES_BLOCK_SIZE)
18166             return -8508;
18167         EVP_CIPHER_CTX_init(de);
18168         if (EVP_CipherInit(de, EVP_aes_192_ctr(),
18169             (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0)
18170             return -8509;
18171 
18172         XMEMSET(plainBuff, 0, sizeof(plainBuff));
18173         if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff,
18174                 AES_BLOCK_SIZE) != AES_BLOCK_SIZE)
18175             return -8510;
18176 
18177         if (XMEMCMP(plainBuff, ctr192Plain, sizeof(ctr192Plain)))
18178             return -8511;
18179         if (XMEMCMP(ctr192Cipher, cipherBuff, sizeof(ctr192Cipher)))
18180             return -8512;
18181 #endif /* WOLFSSL_AES_192 */
18182 
18183 #ifdef WOLFSSL_AES_256
18184         EVP_CIPHER_CTX_init(en);
18185         if (EVP_CipherInit(en, EVP_aes_256_ctr(),
18186             (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0)
18187             return -8513;
18188         if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctr256Plain,
18189                 AES_BLOCK_SIZE) != AES_BLOCK_SIZE)
18190             return -8514;
18191         EVP_CIPHER_CTX_init(de);
18192         if (EVP_CipherInit(de, EVP_aes_256_ctr(),
18193             (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0)
18194             return -8515;
18195 
18196         XMEMSET(plainBuff, 0, sizeof(plainBuff));
18197         if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff,
18198                 AES_BLOCK_SIZE) != AES_BLOCK_SIZE)
18199             return -8516;
18200 
18201         if (XMEMCMP(plainBuff, ctr256Plain, sizeof(ctr256Plain)))
18202             return -8517;
18203         if (XMEMCMP(ctr256Cipher, cipherBuff, sizeof(ctr256Cipher)))
18204             return -8518;
18205 
18206 #ifdef WOLFSSL_SMALL_STACK
18207         wolfSSL_EVP_CIPHER_CTX_free(en);
18208         wolfSSL_EVP_CIPHER_CTX_free(de);
18209 #endif
18210 
18211 #endif /* WOLFSSL_AES_256 */
18212     }
18213 #endif /* HAVE_AES_COUNTER */
18214 
18215 #if defined(WOLFSSL_AES_CFB) && defined(WOLFSSL_AES_128)
18216     {
18217 #ifdef WOLFSSL_SMALL_STACK
18218         AES_KEY *enc = (AES_KEY *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES);
18219         AES_KEY *dec = (AES_KEY *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES);
18220 #else
18221         AES_KEY enc[1];
18222         AES_KEY dec[1];
18223 #endif
18224 
18225         WOLFSSL_SMALL_STACK_STATIC const byte setIv[] = {
18226             0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
18227             0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
18228         };
18229 
18230         WOLFSSL_SMALL_STACK_STATIC const byte key[] =
18231         {
18232             0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
18233             0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
18234         };
18235 
18236         WOLFSSL_SMALL_STACK_STATIC const byte cipher1[] =
18237         {
18238             0x3b,0x3f,0xd9,0x2e,0xb7,0x2d,0xad,0x20,
18239             0x33,0x34,0x49,0xf8,0xe8,0x3c,0xfb,0x4a,
18240             0xc8,0xa6,0x45,0x37,0xa0,0xb3,0xa9,0x3f,
18241             0xcd,0xe3,0xcd,0xad,0x9f,0x1c,0xe5,0x8b
18242         };
18243 
18244         WOLFSSL_SMALL_STACK_STATIC const byte msg[] =
18245         {
18246             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
18247             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
18248             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
18249             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51
18250         };
18251 
18252         byte cipher[AES_BLOCK_SIZE * 2];
18253         byte iv[AES_BLOCK_SIZE]; /* iv buffer is updeated by API */
18254         int  num = 0;
18255 
18256 #ifdef WOLFSSL_SMALL_STACK
18257         if ((enc == NULL) || (dec == NULL))
18258             return MEMORY_E;
18259 #endif
18260 
18261         XMEMCPY(iv, setIv, sizeof(setIv));
18262         wolfSSL_AES_set_encrypt_key(key, sizeof(key) * 8, enc);
18263         wolfSSL_AES_set_encrypt_key(key, sizeof(key) * 8, dec);
18264 
18265         wolfSSL_AES_cfb128_encrypt(msg, cipher, AES_BLOCK_SIZE - 1, enc, iv,
18266                 &num, AES_ENCRYPT);
18267 
18268         if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE - 1))
18269             return -8519;
18270 
18271         if (num != 15) /* should have used 15 of the 16 bytes */
18272             return -8520;
18273 
18274         wolfSSL_AES_cfb128_encrypt(msg + AES_BLOCK_SIZE - 1,
18275                 cipher + AES_BLOCK_SIZE - 1, AES_BLOCK_SIZE + 1, enc, iv,
18276                 &num, AES_ENCRYPT);
18277 
18278         if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE * 2))
18279             return -8521;
18280 
18281         if (num != 0)
18282             return -8522;
18283 
18284 #ifdef WOLFSSL_SMALL_STACK
18285         XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
18286         XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
18287 #endif
18288     }
18289 #endif /* WOLFSSL_AES_CFB && WOLFSSL_AES_128 */
18290     return 0;
18291 }
18292 
18293 
18294 #endif /* !defined(NO_AES) && !defined(WOLFCRYPT_ONLY) */
18295 
18296 WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
18297 {
18298     int ret;
18299     EVP_MD_CTX md_ctx;
18300     testVector a, b, c, d, e, f;
18301     byte       hash[WC_SHA256_DIGEST_SIZE*2];  /* max size */
18302 
18303     a.inLen = 0;
18304     b.inLen = c.inLen = d.inLen = e.inLen = f.inLen = a.inLen;
18305 
18306     (void)a;
18307     (void)b;
18308     (void)c;
18309     (void)d;
18310     (void)e;
18311     (void)f;
18312 
18313     /* test malloc / free , 10 is an arbitrary amount of memory chosen */
18314     {
18315         byte* p;
18316 
18317         p = (byte*)CRYPTO_malloc(10, "", 0);
18318 
18319         if (p == NULL) {
18320             return -8600;
18321         }
18322         XMEMSET(p, 0, 10);
18323         CRYPTO_free(p, "", 0);
18324     }
18325 
18326 #ifndef NO_MD5
18327     a.input  = "1234567890123456789012345678901234567890123456789012345678"
18328                "9012345678901234567890";
18329     a.output = "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55\xac\x49\xda\x2e\x21\x07\xb6"
18330                "\x7a";
18331     a.inLen  = XSTRLEN(a.input);
18332     a.outLen = WC_MD5_DIGEST_SIZE;
18333 
18334     EVP_MD_CTX_init(&md_ctx);
18335     ret = EVP_DigestInit(&md_ctx, EVP_md5());
18336     if (ret == WOLFSSL_SUCCESS) {
18337         ret = EVP_DigestUpdate(&md_ctx, a.input, (unsigned long)a.inLen);
18338     }
18339     if (ret == WOLFSSL_SUCCESS) {
18340         ret = EVP_DigestFinal(&md_ctx, hash, 0);
18341     }
18342     EVP_MD_CTX_cleanup(&md_ctx);
18343     if (ret != WOLFSSL_SUCCESS ||
18344             XMEMCMP(hash, a.output, WC_MD5_DIGEST_SIZE) != 0) {
18345         return -8601;
18346     }
18347 #endif /* NO_MD5 */
18348 
18349 #ifndef NO_SHA
18350     b.input  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
18351                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
18352                "aaaaaaaaaa";
18353     b.output = "\xAD\x5B\x3F\xDB\xCB\x52\x67\x78\xC2\x83\x9D\x2F\x15\x1E\xA7"
18354                "\x53\x99\x5E\x26\xA0";
18355     b.inLen  = XSTRLEN(b.input);
18356     b.outLen = WC_SHA_DIGEST_SIZE;
18357 
18358     EVP_MD_CTX_init(&md_ctx);
18359     ret = EVP_DigestInit(&md_ctx, EVP_sha1());
18360     if (ret == WOLFSSL_SUCCESS) {
18361         ret = EVP_DigestUpdate(&md_ctx, b.input, (unsigned long)b.inLen);
18362         if (ret == WOLFSSL_SUCCESS)
18363             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18364     }
18365     EVP_MD_CTX_cleanup(&md_ctx);
18366     if (ret != WOLFSSL_SUCCESS ||
18367             XMEMCMP(hash, b.output, WC_SHA_DIGEST_SIZE) != 0) {
18368         return -8602;
18369     }
18370 #endif /* NO_SHA */
18371 
18372 #ifdef WOLFSSL_SHA224
18373     e.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
18374                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
18375     e.output = "\xc9\x7c\xa9\xa5\x59\x85\x0c\xe9\x7a\x04\xa9\x6d\xef\x6d\x99"
18376                "\xa9\xe0\xe0\xe2\xab\x14\xe6\xb8\xdf\x26\x5f\xc0\xb3";
18377     e.inLen  = XSTRLEN(e.input);
18378     e.outLen = WC_SHA224_DIGEST_SIZE;
18379 
18380     EVP_MD_CTX_init(&md_ctx);
18381     ret = EVP_DigestInit(&md_ctx, EVP_sha224());
18382     if (ret == WOLFSSL_SUCCESS) {
18383         ret = EVP_DigestUpdate(&md_ctx, e.input, (unsigned long)e.inLen);
18384         if (ret == WOLFSSL_SUCCESS)
18385             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18386     }
18387     EVP_MD_CTX_cleanup(&md_ctx);
18388     if (ret != WOLFSSL_SUCCESS ||
18389             XMEMCMP(hash, e.output, WC_SHA224_DIGEST_SIZE) != 0) {
18390         return -8603;
18391     }
18392 #endif /* WOLFSSL_SHA224 */
18393 
18394 #ifndef NO_SHA256
18395     d.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
18396     d.output = "\x24\x8D\x6A\x61\xD2\x06\x38\xB8\xE5\xC0\x26\x93\x0C\x3E\x60"
18397                "\x39\xA3\x3C\xE4\x59\x64\xFF\x21\x67\xF6\xEC\xED\xD4\x19\xDB"
18398                "\x06\xC1";
18399     d.inLen  = XSTRLEN(d.input);
18400     d.outLen = WC_SHA256_DIGEST_SIZE;
18401 
18402     EVP_MD_CTX_init(&md_ctx);
18403     ret = EVP_DigestInit(&md_ctx, EVP_sha256());
18404     if (ret == WOLFSSL_SUCCESS) {
18405         ret = EVP_DigestUpdate(&md_ctx, d.input, (unsigned long)d.inLen);
18406         if (ret == WOLFSSL_SUCCESS)
18407             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18408     }
18409     EVP_MD_CTX_cleanup(&md_ctx);
18410     if (ret != WOLFSSL_SUCCESS ||
18411             XMEMCMP(hash, d.output, WC_SHA256_DIGEST_SIZE) != 0) {
18412         return -8604;
18413     }
18414 #endif /* !NO_SHA256 */
18415 
18416 #ifdef WOLFSSL_SHA384
18417     e.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
18418                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
18419     e.output = "\x09\x33\x0c\x33\xf7\x11\x47\xe8\x3d\x19\x2f\xc7\x82\xcd\x1b"
18420                "\x47\x53\x11\x1b\x17\x3b\x3b\x05\xd2\x2f\xa0\x80\x86\xe3\xb0"
18421                "\xf7\x12\xfc\xc7\xc7\x1a\x55\x7e\x2d\xb9\x66\xc3\xe9\xfa\x91"
18422                "\x74\x60\x39";
18423     e.inLen  = XSTRLEN(e.input);
18424     e.outLen = WC_SHA384_DIGEST_SIZE;
18425 
18426     EVP_MD_CTX_init(&md_ctx);
18427     ret = EVP_DigestInit(&md_ctx, EVP_sha384());
18428     if (ret == WOLFSSL_SUCCESS) {
18429         ret = EVP_DigestUpdate(&md_ctx, e.input, (unsigned long)e.inLen);
18430         if (ret == WOLFSSL_SUCCESS)
18431             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18432     }
18433     EVP_MD_CTX_cleanup(&md_ctx);
18434     if (ret != WOLFSSL_SUCCESS ||
18435             XMEMCMP(hash, e.output, WC_SHA384_DIGEST_SIZE) != 0) {
18436         return -8605;
18437     }
18438 #endif /* WOLFSSL_SHA384 */
18439 
18440 #ifdef WOLFSSL_SHA512
18441     f.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
18442                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
18443     f.output = "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14"
18444                "\x3f\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88"
18445                "\x90\x18\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4"
18446                "\xb5\x43\x3a\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b"
18447                "\x87\x4b\xe9\x09";
18448     f.inLen  = XSTRLEN(f.input);
18449     f.outLen = WC_SHA512_DIGEST_SIZE;
18450 
18451     EVP_MD_CTX_init(&md_ctx);
18452     ret = EVP_DigestInit(&md_ctx, EVP_sha512());
18453     if (ret == WOLFSSL_SUCCESS) {
18454         ret = EVP_DigestUpdate(&md_ctx, f.input, (unsigned long)f.inLen);
18455         if (ret == WOLFSSL_SUCCESS)
18456             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18457     }
18458     EVP_MD_CTX_cleanup(&md_ctx);
18459     if (ret != WOLFSSL_SUCCESS ||
18460             XMEMCMP(hash, f.output, WC_SHA512_DIGEST_SIZE) != 0) {
18461         return -8606;
18462     }
18463 #endif /* WOLFSSL_SHA512 */
18464 
18465 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
18466 #if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
18467     f.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
18468                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
18469     f.output = "\x23\xfe\xc5\xbb\x94\xd6\x0b\x23\x30\x81\x92\x64\x0b\x0c\x45"
18470                "\x33\x35\xd6\x64\x73\x4f\xe4\x0e\x72\x68\x67\x4a\xf9";
18471     f.inLen  = XSTRLEN(f.input);
18472     f.outLen = WC_SHA512_224_DIGEST_SIZE;
18473 
18474     EVP_MD_CTX_init(&md_ctx);
18475     ret = EVP_DigestInit(&md_ctx, EVP_sha512_224());
18476     if (ret == WOLFSSL_SUCCESS) {
18477         ret = EVP_DigestUpdate(&md_ctx, f.input, (unsigned long)f.inLen);
18478         if (ret == WOLFSSL_SUCCESS)
18479             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18480     }
18481     EVP_MD_CTX_cleanup(&md_ctx);
18482     if (ret != WOLFSSL_SUCCESS ||
18483             XMEMCMP(hash, f.output, WC_SHA512_224_DIGEST_SIZE) != 0) {
18484         return -8722;
18485     }
18486 #endif /* WOLFSSL_SHA512 && !WOLFSSL_NOSHA512_224 */
18487 #endif /* !HAVE_FIPS && !HAVE_SELFTEST */
18488 
18489 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
18490 #if defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
18491     f.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
18492                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
18493     f.output = "\x39\x28\xe1\x84\xfb\x86\x90\xf8\x40\xda\x39\x88\x12\x1d\x31"
18494                "\xbe\x65\xcb\x9d\x3e\xf8\x3e\xe6\x14\x6f\xea\xc8\x61\xe1\x9b"
18495                "\x56\x3a";
18496     f.inLen  = XSTRLEN(f.input);
18497     f.outLen = WC_SHA512_256_DIGEST_SIZE;
18498 
18499     EVP_MD_CTX_init(&md_ctx);
18500     ret = EVP_DigestInit(&md_ctx, EVP_sha512_256());
18501     if (ret == WOLFSSL_SUCCESS) {
18502         ret = EVP_DigestUpdate(&md_ctx, f.input, (unsigned long)f.inLen);
18503         if (ret == WOLFSSL_SUCCESS)
18504             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18505     }
18506     EVP_MD_CTX_cleanup(&md_ctx);
18507     if (ret != WOLFSSL_SUCCESS ||
18508             XMEMCMP(hash, f.output, WC_SHA512_256_DIGEST_SIZE) != 0) {
18509         return -8723;
18510     }
18511 #endif /* WOLFSSL_SHA512 && !WOLFSSL_NOSHA512_224 */
18512 #endif /* !HAVE_FIPS && !HAVE_SELFTEST */
18513 
18514 #ifdef WOLFSSL_SHA3
18515 #ifndef WOLFSSL_NOSHA3_224
18516     e.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
18517                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
18518     e.output = "\x54\x3e\x68\x68\xe1\x66\x6c\x1a\x64\x36\x30\xdf\x77\x36\x7a"
18519                "\xe5\xa6\x2a\x85\x07\x0a\x51\xc1\x4c\xbf\x66\x5c\xbc";
18520     e.inLen  = XSTRLEN(e.input);
18521     e.outLen = WC_SHA3_224_DIGEST_SIZE;
18522 
18523     EVP_MD_CTX_init(&md_ctx);
18524     ret = EVP_DigestInit(&md_ctx, EVP_sha3_224());
18525     if (ret == WOLFSSL_SUCCESS) {
18526         ret = EVP_DigestUpdate(&md_ctx, e.input, (unsigned long)e.inLen);
18527         if (ret == WOLFSSL_SUCCESS)
18528             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18529     }
18530     EVP_MD_CTX_cleanup(&md_ctx);
18531     if (ret != WOLFSSL_SUCCESS ||
18532             XMEMCMP(hash, e.output, WC_SHA3_224_DIGEST_SIZE) != 0) {
18533         return -8607;
18534     }
18535 #endif /* WOLFSSL_NOSHA3_224 */
18536 
18537 #ifndef WOLFSSL_NOSHA3_256
18538     d.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
18539                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
18540     d.output = "\x91\x6f\x60\x61\xfe\x87\x97\x41\xca\x64\x69\xb4\x39\x71\xdf"
18541                "\xdb\x28\xb1\xa3\x2d\xc3\x6c\xb3\x25\x4e\x81\x2b\xe2\x7a\xad"
18542                "\x1d\x18";
18543     d.inLen  = XSTRLEN(d.input);
18544     d.outLen = WC_SHA3_256_DIGEST_SIZE;
18545 
18546     EVP_MD_CTX_init(&md_ctx);
18547     ret = EVP_DigestInit(&md_ctx, EVP_sha3_256());
18548     if (ret == WOLFSSL_SUCCESS) {
18549         ret = EVP_DigestUpdate(&md_ctx, d.input, (unsigned long)d.inLen);
18550         if (ret == WOLFSSL_SUCCESS)
18551             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18552     }
18553     EVP_MD_CTX_cleanup(&md_ctx);
18554     if (ret != WOLFSSL_SUCCESS ||
18555             XMEMCMP(hash, d.output, WC_SHA3_256_DIGEST_SIZE) != 0) {
18556         return -8608;
18557     }
18558 #endif /* WOLFSSL_NOSHA3_256 */
18559 
18560     e.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
18561                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
18562     e.output = "\x79\x40\x7d\x3b\x59\x16\xb5\x9c\x3e\x30\xb0\x98\x22\x97\x47"
18563                "\x91\xc3\x13\xfb\x9e\xcc\x84\x9e\x40\x6f\x23\x59\x2d\x04\xf6"
18564                "\x25\xdc\x8c\x70\x9b\x98\xb4\x3b\x38\x52\xb3\x37\x21\x61\x79"
18565                "\xaa\x7f\xc7";
18566     e.inLen  = XSTRLEN(e.input);
18567     e.outLen = WC_SHA3_384_DIGEST_SIZE;
18568 
18569     EVP_MD_CTX_init(&md_ctx);
18570     ret = EVP_DigestInit(&md_ctx, EVP_sha3_384());
18571     if (ret == WOLFSSL_SUCCESS) {
18572         ret = EVP_DigestUpdate(&md_ctx, e.input, (unsigned long)e.inLen);
18573         if (ret == WOLFSSL_SUCCESS)
18574             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18575     }
18576     EVP_MD_CTX_cleanup(&md_ctx);
18577     if (ret != WOLFSSL_SUCCESS ||
18578             XMEMCMP(hash, e.output, WC_SHA3_384_DIGEST_SIZE) != 0) {
18579         return -8609;
18580     }
18581 
18582 #ifndef WOLFSSL_NOSHA3_512
18583     f.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
18584                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
18585     f.output = "\xaf\xeb\xb2\xef\x54\x2e\x65\x79\xc5\x0c\xad\x06\xd2\xe5\x78"
18586                "\xf9\xf8\xdd\x68\x81\xd7\xdc\x82\x4d\x26\x36\x0f\xee\xbf\x18"
18587                "\xa4\xfa\x73\xe3\x26\x11\x22\x94\x8e\xfc\xfd\x49\x2e\x74\xe8"
18588                "\x2e\x21\x89\xed\x0f\xb4\x40\xd1\x87\xf3\x82\x27\x0c\xb4\x55"
18589                "\xf2\x1d\xd1\x85";
18590     f.inLen  = XSTRLEN(f.input);
18591     f.outLen = WC_SHA3_512_DIGEST_SIZE;
18592 
18593     EVP_MD_CTX_init(&md_ctx);
18594     ret = EVP_DigestInit(&md_ctx, EVP_sha3_512());
18595     if (ret == WOLFSSL_SUCCESS) {
18596         ret = EVP_DigestUpdate(&md_ctx, f.input, (unsigned long)f.inLen);
18597         if (ret == WOLFSSL_SUCCESS)
18598             ret = EVP_DigestFinal(&md_ctx, hash, 0);
18599     }
18600     EVP_MD_CTX_cleanup(&md_ctx);
18601     if (ret != WOLFSSL_SUCCESS ||
18602             XMEMCMP(hash, f.output, WC_SHA3_512_DIGEST_SIZE) != 0) {
18603         return -8610;
18604     }
18605 #endif /* WOLFSSL_NOSHA3_512 */
18606 #endif /* WOLFSSL_SHA3 */
18607 
18608 #ifndef WC_NO_RNG
18609     if (RAND_bytes(hash, sizeof(hash)) != WOLFSSL_SUCCESS)
18610         return -8611;
18611 #endif
18612 
18613 #ifndef NO_MD5
18614     c.input  = "what do ya want for nothing?";
18615     c.output = "\x55\x78\xe8\x48\x4b\xcc\x93\x80\x93\xec\x53\xaf\x22\xd6\x14"
18616                "\x76";
18617     c.inLen  = XSTRLEN(c.input);
18618     c.outLen = WC_MD5_DIGEST_SIZE;
18619 
18620     if (HMAC(EVP_md5(), "JefeJefeJefeJefe", 16, (byte*)c.input, (int)c.inLen,
18621             hash, 0) == NULL ||
18622         XMEMCMP(hash, c.output, WC_MD5_DIGEST_SIZE) != 0)
18623     {
18624         return -8612;
18625     }
18626 #endif /* NO_MD5 */
18627 
18628 #ifndef NO_DES3
18629     { /* des test */
18630     WOLFSSL_SMALL_STACK_STATIC const byte vector[] = { /* "now is the time for all " w/o trailing 0 */
18631         0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
18632         0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
18633         0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
18634     };
18635     byte plain[24];
18636     byte cipher[24];
18637     const_DES_cblock key = {
18638         0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
18639     };
18640     DES_cblock iv = {
18641         0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef
18642     };
18643     DES_key_schedule sched;
18644     WOLFSSL_SMALL_STACK_STATIC const byte verify[] = {
18645         0x8b,0x7c,0x52,0xb0,0x01,0x2b,0x6c,0xb8,
18646         0x4f,0x0f,0xeb,0xf3,0xfb,0x5f,0x86,0x73,
18647         0x15,0x85,0xb3,0x22,0x4b,0x86,0x2b,0x4b
18648     };
18649 
18650     DES_key_sched(&key, &sched);
18651 
18652     DES_cbc_encrypt(vector, cipher, sizeof(vector), &sched, &iv, DES_ENCRYPT);
18653     DES_cbc_encrypt(cipher, plain, sizeof(vector), &sched, &iv, DES_DECRYPT);
18654 
18655     if (XMEMCMP(plain, vector, sizeof(vector)) != 0)
18656         return -8613;
18657 
18658     if (XMEMCMP(cipher, verify, sizeof(verify)) != 0)
18659         return -8614;
18660 
18661         /* test changing iv */
18662     DES_ncbc_encrypt(vector, cipher, 8, &sched, &iv, DES_ENCRYPT);
18663     DES_ncbc_encrypt(vector + 8, cipher + 8, 16, &sched, &iv, DES_ENCRYPT);
18664 
18665     if (XMEMCMP(cipher, verify, sizeof(verify)) != 0)
18666         return -8615;
18667 
18668     }  /* end des test */
18669 #endif /* NO_DES3 */
18670 
18671 #if !defined(NO_AES) && !defined(WOLFCRYPT_ONLY)
18672     if (openssl_aes_test() != 0) {
18673         return -8616;
18674     }
18675 #if defined(WOLFSSL_AES_128) && defined(HAVE_AES_CBC)
18676     {   /* evp_cipher test: EVP_aes_128_cbc */
18677 #ifdef WOLFSSL_SMALL_STACK
18678         EVP_CIPHER_CTX *ctx = wolfSSL_EVP_CIPHER_CTX_new();
18679 #else
18680         EVP_CIPHER_CTX ctx[1];
18681 #endif
18682         int idx, cipherSz, plainSz;
18683         WOLFSSL_SMALL_STACK_STATIC const byte msg[] = { /* "Now is the time for all " w/o trailing 0 */
18684             0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
18685             0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
18686             0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
18687         };
18688         WOLFSSL_SMALL_STACK_STATIC const byte verify[] = {
18689             0x95,0x94,0x92,0x57,0x5f,0x42,0x81,0x53,
18690             0x2c,0xcc,0x9d,0x46,0x77,0xa2,0x33,0xcb,
18691             0x3b,0x5d,0x41,0x97,0x94,0x25,0xa4,0xb4,
18692             0xae,0x7b,0x34,0xd0,0x3f,0x0c,0xbc,0x06
18693         };
18694         WOLFSSL_SMALL_STACK_STATIC const byte verify2[] = {
18695             0x95,0x94,0x92,0x57,0x5f,0x42,0x81,0x53,
18696             0x2c,0xcc,0x9d,0x46,0x77,0xa2,0x33,0xcb,
18697             0x7d,0x37,0x7b,0x0b,0x44,0xaa,0xb5,0xf0,
18698             0x5f,0x34,0xb4,0xde,0xb5,0xbd,0x2a,0xbb
18699         };
18700         WOLFSSL_SMALL_STACK_STATIC const byte key[] =
18701             "0123456789abcdef   ";  /* align */
18702         WOLFSSL_SMALL_STACK_STATIC const byte iv[]  =
18703             "1234567890abcdef   ";  /* align */
18704         byte cipher[AES_BLOCK_SIZE * 4];
18705         byte plain [AES_BLOCK_SIZE * 4];
18706 
18707 #ifdef WOLFSSL_SMALL_STACK
18708         if (ctx == NULL)
18709             return MEMORY_E;
18710 #endif
18711 
18712         cipherSz = 0;
18713         EVP_CIPHER_CTX_init(ctx);
18714         ret = EVP_CipherInit(ctx, EVP_aes_128_cbc(), key, iv, 1);
18715         if (ret == WOLFSSL_SUCCESS) {
18716             ret = EVP_CipherUpdate(ctx, cipher, &idx, (byte*)msg, sizeof(msg));
18717             if (ret == WOLFSSL_SUCCESS)
18718                 cipherSz += idx;
18719         }
18720         if (ret == WOLFSSL_SUCCESS) {
18721             ret = EVP_CipherFinal(ctx, cipher + cipherSz, &idx);
18722             if (ret == WOLFSSL_SUCCESS)
18723                 cipherSz += idx;
18724         }
18725         EVP_CIPHER_CTX_cleanup(ctx);
18726         if (ret != WOLFSSL_SUCCESS)
18727             return -8617;
18728         if (cipherSz != (int)sizeof(verify) || XMEMCMP(cipher, verify, cipherSz))
18729             return -8618;
18730 
18731         /* check partial decrypt (not enough padding for full block) */
18732         plainSz = 0;
18733         EVP_CIPHER_CTX_init(ctx);
18734         ret = EVP_CipherInit(ctx, EVP_aes_128_cbc(), key, iv, 0);
18735         if (ret == WOLFSSL_SUCCESS) {
18736             ret = EVP_CipherUpdate(ctx, plain, &idx, cipher, 1);
18737             if (ret == WOLFSSL_SUCCESS)
18738                 plainSz += idx;
18739         }
18740         if (ret == WOLFSSL_SUCCESS) {
18741             /* this test should fail... not enough padding for full block */
18742             ret = EVP_CipherFinal(ctx, plain + plainSz, &idx);
18743             if (plainSz == 0 && ret != WOLFSSL_SUCCESS)
18744                 ret = WOLFSSL_SUCCESS;
18745             else
18746                 ret = -8619;
18747         }
18748         else
18749             ret = -8620;
18750         EVP_CIPHER_CTX_cleanup(ctx);
18751         if (ret != WOLFSSL_SUCCESS)
18752             return ret;
18753 
18754         plainSz = 0;
18755         EVP_CIPHER_CTX_init(ctx);
18756         ret = EVP_CipherInit(ctx, EVP_aes_128_cbc(), key, iv, 0);
18757         if (ret == WOLFSSL_SUCCESS) {
18758             ret = EVP_CipherUpdate(ctx, plain, &idx, cipher, cipherSz);
18759             if (ret == WOLFSSL_SUCCESS)
18760                 plainSz += idx;
18761         }
18762         if (ret == WOLFSSL_SUCCESS) {
18763             ret = EVP_CipherFinal(ctx, plain + plainSz, &idx);
18764             if (ret == WOLFSSL_SUCCESS)
18765                 plainSz += idx;
18766         }
18767         EVP_CIPHER_CTX_cleanup(ctx);
18768         if (ret != WOLFSSL_SUCCESS)
18769             return -8621;
18770         if (plainSz != (int)sizeof(msg) || XMEMCMP(plain, msg, sizeof(msg)))
18771             return -8622;
18772 
18773         cipherSz = 0;
18774         EVP_CIPHER_CTX_init(ctx);
18775         ret = EVP_CipherInit(ctx, EVP_aes_128_cbc(), key, iv, 1);
18776         if (ret == WOLFSSL_SUCCESS) {
18777             ret = EVP_CipherUpdate(ctx, cipher, &idx, msg, AES_BLOCK_SIZE);
18778             if (ret == WOLFSSL_SUCCESS)
18779                 cipherSz += idx;
18780         }
18781         if (ret == WOLFSSL_SUCCESS) {
18782             ret = EVP_CipherFinal(ctx, cipher + cipherSz, &idx);
18783             if (ret == WOLFSSL_SUCCESS)
18784                 cipherSz += idx;
18785         }
18786         EVP_CIPHER_CTX_cleanup(ctx);
18787         if (ret != WOLFSSL_SUCCESS)
18788             return -8623;
18789         if (cipherSz != (int)sizeof(verify2) || XMEMCMP(cipher, verify2, cipherSz))
18790             return -8624;
18791 
18792 #ifdef WOLFSSL_SMALL_STACK
18793         wolfSSL_EVP_CIPHER_CTX_free(ctx);
18794 #endif
18795     }  /* end evp_cipher test: EVP_aes_128_cbc*/
18796 #endif /* WOLFSSL_AES_128 && HAVE_AES_CBC */
18797 
18798 #if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_256)
18799     {   /* evp_cipher test: EVP_aes_256_ecb*/
18800 #ifdef WOLFSSL_SMALL_STACK
18801         EVP_CIPHER_CTX *ctx = wolfSSL_EVP_CIPHER_CTX_new();
18802 #else
18803         EVP_CIPHER_CTX ctx[1];
18804 #endif
18805         WOLFSSL_SMALL_STACK_STATIC const byte msg[] = {
18806           0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
18807           0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
18808         };
18809         WOLFSSL_SMALL_STACK_STATIC const byte verify[] = {
18810             0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c,
18811             0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8
18812         };
18813         WOLFSSL_SMALL_STACK_STATIC const byte key[] = {
18814           0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
18815           0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
18816           0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
18817           0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
18818         };
18819         byte cipher[AES_BLOCK_SIZE * 4];
18820         byte plain [AES_BLOCK_SIZE * 4];
18821 
18822 #ifdef WOLFSSL_SMALL_STACK
18823         if (ctx == NULL)
18824             return MEMORY_E;
18825 #endif
18826 
18827         EVP_CIPHER_CTX_init(ctx);
18828         ret = EVP_CipherInit(ctx, EVP_aes_256_ecb(), (unsigned char*)key, NULL, 1);
18829         if (ret == WOLFSSL_SUCCESS)
18830             ret = EVP_Cipher(ctx, cipher, (byte*)msg, 16);
18831         EVP_CIPHER_CTX_cleanup(ctx);
18832         if (ret != 16)
18833             return -8625;
18834         if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
18835             return -8626;
18836 
18837         EVP_CIPHER_CTX_init(ctx);
18838         ret = EVP_CipherInit(ctx, EVP_aes_256_ecb(), (unsigned char*)key, NULL, 0);
18839         if (ret == WOLFSSL_SUCCESS)
18840             ret = EVP_Cipher(ctx, plain, cipher, 16);
18841         EVP_CIPHER_CTX_cleanup(ctx);
18842         if (ret != 16)
18843             return -8627;
18844         if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
18845             return -8628;
18846 
18847 #ifdef WOLFSSL_SMALL_STACK
18848         wolfSSL_EVP_CIPHER_CTX_free(ctx);
18849 #endif
18850     }  /* end evp_cipher test */
18851 #endif /* HAVE_AES_ECB && WOLFSSL_AES_128 */
18852 
18853 #define OPENSSL_TEST_ERROR (-10000)
18854 
18855 
18856 #if defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_256)
18857   /* enable HAVE_AES_DECRYPT for AES_encrypt/decrypt */
18858 {
18859 
18860   /* Test: AES_encrypt/decrypt/set Key */
18861 #ifdef WOLFSSL_SMALL_STACK
18862   AES_KEY *enc = (AES_KEY *)XMALLOC(sizeof *enc, HEAP_HINT, DYNAMIC_TYPE_AES);
18863   #ifdef HAVE_AES_DECRYPT
18864   AES_KEY *dec = (AES_KEY *)XMALLOC(sizeof *dec, HEAP_HINT, DYNAMIC_TYPE_AES);
18865   #endif
18866 #else
18867   AES_KEY enc[1];
18868   #ifdef HAVE_AES_DECRYPT
18869   AES_KEY dec[1];
18870   #endif
18871 #endif
18872 
18873   WOLFSSL_SMALL_STACK_STATIC const byte msg[] =
18874   {
18875       0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
18876       0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
18877   };
18878 
18879   WOLFSSL_SMALL_STACK_STATIC const byte verify[] =
18880   {
18881       0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c,
18882       0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8
18883   };
18884 
18885   WOLFSSL_SMALL_STACK_STATIC const byte key[] =
18886   {
18887       0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
18888       0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
18889       0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
18890       0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
18891   };
18892 
18893   byte plain[sizeof(msg)];
18894   byte cipher[sizeof(msg)];
18895 
18896   printf("openSSL extra test\n") ;
18897 
18898 #ifdef WOLFSSL_SMALL_STACK
18899   if (enc == NULL)
18900       return MEMORY_E;
18901   #ifdef HAVE_AES_DECRYPT
18902   if (dec == NULL)
18903       return MEMORY_E;
18904   #endif
18905 #endif
18906 
18907   AES_set_encrypt_key(key, sizeof(key)*8, enc);
18908   AES_set_decrypt_key(key,  sizeof(key)*8, dec);
18909 
18910   AES_encrypt(msg, cipher, enc);
18911 
18912 #ifdef HAVE_AES_DECRYPT
18913   AES_decrypt(cipher, plain, dec);
18914   if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
18915       return OPENSSL_TEST_ERROR-60;
18916 #endif /* HAVE_AES_DECRYPT */
18917 
18918   if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
18919       return OPENSSL_TEST_ERROR-61;
18920 
18921 #ifdef WOLFSSL_SMALL_STACK
18922   XFREE(enc, HEAP_HINT, DYNAMIC_TYPE_AES);
18923   #ifdef HAVE_AES_DECRYPT
18924   XFREE(dec, HEAP_HINT, DYNAMIC_TYPE_AES);
18925   #endif
18926 #endif
18927 }
18928 
18929 #endif /* WOLFSSL_AES_DIRECT && WOLFSSL_AES_256 */
18930 
18931 /* EVP_Cipher with EVP_aes_xxx_ctr() */
18932 #ifdef WOLFSSL_AES_COUNTER
18933 {
18934     byte plainBuff [64];
18935     byte cipherBuff[64];
18936 
18937 #ifdef WOLFSSL_AES_128
18938     WOLFSSL_SMALL_STACK_STATIC const byte ctrKey[] =
18939     {
18940         0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
18941         0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
18942     };
18943 
18944     WOLFSSL_SMALL_STACK_STATIC const byte ctrIv[] =
18945     {
18946         0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
18947         0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
18948     };
18949 
18950     WOLFSSL_SMALL_STACK_STATIC const byte ctrPlain[] =
18951     {
18952         0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
18953         0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
18954         0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
18955         0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
18956         0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
18957         0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
18958         0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
18959         0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
18960     };
18961 
18962     WOLFSSL_SMALL_STACK_STATIC const byte ctrCipher[] =
18963     {
18964         0x87,0x4d,0x61,0x91,0xb6,0x20,0xe3,0x26,
18965         0x1b,0xef,0x68,0x64,0x99,0x0d,0xb6,0xce,
18966         0x98,0x06,0xf6,0x6b,0x79,0x70,0xfd,0xff,
18967         0x86,0x17,0x18,0x7b,0xb9,0xff,0xfd,0xff,
18968         0x5a,0xe4,0xdf,0x3e,0xdb,0xd5,0xd3,0x5e,
18969         0x5b,0x4f,0x09,0x02,0x0d,0xb0,0x3e,0xab,
18970         0x1e,0x03,0x1d,0xda,0x2f,0xbe,0x03,0xd1,
18971         0x79,0x21,0x70,0xa0,0xf3,0x00,0x9c,0xee
18972     };
18973 
18974     WOLFSSL_SMALL_STACK_STATIC const byte oddCipher[] =
18975     {
18976         0xb9,0xd7,0xcb,0x08,0xb0,0xe1,0x7b,0xa0,
18977         0xc2
18978     };
18979 #endif /* WOLFSSL_AES_128 */
18980 
18981 #ifdef WOLFSSL_AES_192
18982     /* test vector from "Recommendation for Block Cipher Modes of Operation"
18983      * NIST Special Publication 800-38A */
18984     WOLFSSL_SMALL_STACK_STATIC const byte ctr192Key[] =
18985     {
18986         0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
18987         0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
18988         0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
18989     };
18990 
18991     WOLFSSL_SMALL_STACK_STATIC const byte ctr192Iv[] =
18992     {
18993         0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
18994         0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
18995     };
18996 
18997 
18998     WOLFSSL_SMALL_STACK_STATIC const byte ctr192Plain[] =
18999     {
19000         0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
19001         0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
19002     };
19003 
19004     WOLFSSL_SMALL_STACK_STATIC const byte ctr192Cipher[] =
19005     {
19006         0x1a,0xbc,0x93,0x24,0x17,0x52,0x1c,0xa2,
19007         0x4f,0x2b,0x04,0x59,0xfe,0x7e,0x6e,0x0b
19008     };
19009 #endif /* WOLFSSL_AES_192 */
19010 
19011 #ifdef WOLFSSL_AES_256
19012     /* test vector from "Recommendation for Block Cipher Modes of Operation"
19013      * NIST Special Publication 800-38A */
19014     WOLFSSL_SMALL_STACK_STATIC const byte ctr256Key[] =
19015     {
19016         0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
19017         0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
19018         0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
19019         0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
19020     };
19021 
19022     WOLFSSL_SMALL_STACK_STATIC const byte ctr256Iv[] =
19023     {
19024         0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
19025         0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
19026     };
19027 
19028 
19029     WOLFSSL_SMALL_STACK_STATIC const byte ctr256Plain[] =
19030     {
19031         0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
19032         0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
19033     };
19034 
19035     WOLFSSL_SMALL_STACK_STATIC const byte ctr256Cipher[] =
19036     {
19037         0x60,0x1e,0xc3,0x13,0x77,0x57,0x89,0xa5,
19038         0xb7,0xa7,0xf5,0x04,0xbb,0xf3,0xd2,0x28
19039     };
19040 #endif /* WOLFSSL_AES_256 */
19041 
19042 #ifdef WOLFSSL_SMALL_STACK
19043     EVP_CIPHER_CTX *en = wolfSSL_EVP_CIPHER_CTX_new();
19044     EVP_CIPHER_CTX *de = wolfSSL_EVP_CIPHER_CTX_new();
19045     if ((en == NULL) || (de == NULL))
19046         return MEMORY_E;
19047 #else
19048     EVP_CIPHER_CTX en[1];
19049     EVP_CIPHER_CTX de[1];
19050 #endif
19051 
19052 #ifdef WOLFSSL_AES_128
19053 
19054 #ifndef WOLFSSL_SMALL_STACK
19055     EVP_CIPHER_CTX *p_en;
19056     EVP_CIPHER_CTX *p_de;
19057 #endif
19058 
19059     EVP_CIPHER_CTX_init(en);
19060     if (EVP_CipherInit(en, EVP_aes_128_ctr(),
19061             (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
19062         return -8629;
19063     if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctrPlain,
19064             AES_BLOCK_SIZE*4) != AES_BLOCK_SIZE*4)
19065         return -8630;
19066     EVP_CIPHER_CTX_init(de);
19067     if (EVP_CipherInit(de, EVP_aes_128_ctr(),
19068             (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
19069         return -8631;
19070 
19071     if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff,
19072             AES_BLOCK_SIZE*4) != AES_BLOCK_SIZE*4)
19073         return -8632;
19074 
19075     if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4))
19076         return -8633;
19077     if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4))
19078         return -8634;
19079 
19080 #ifndef WOLFSSL_SMALL_STACK
19081     p_en = wolfSSL_EVP_CIPHER_CTX_new();
19082     if(p_en == NULL)return -8635;
19083     p_de = wolfSSL_EVP_CIPHER_CTX_new();
19084     if(p_de == NULL)return -8636;
19085 
19086     if (EVP_CipherInit(p_en, EVP_aes_128_ctr(),
19087             (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
19088         return -8637;
19089     if (EVP_Cipher(p_en, (byte*)cipherBuff, (byte*)ctrPlain,
19090             AES_BLOCK_SIZE*4) != AES_BLOCK_SIZE*4)
19091         return -8638;
19092     if (EVP_CipherInit(p_de, EVP_aes_128_ctr(),
19093             (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
19094         return -8639;
19095 
19096     if (EVP_Cipher(p_de, (byte*)plainBuff, (byte*)cipherBuff,
19097             AES_BLOCK_SIZE*4) != AES_BLOCK_SIZE*4)
19098         return -8640;
19099 
19100     wolfSSL_EVP_CIPHER_CTX_free(p_en);
19101     wolfSSL_EVP_CIPHER_CTX_free(p_de);
19102 #endif /* !WOLFSSL_SMALL_STACK */
19103 
19104     if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4))
19105         return -8641;
19106     if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4))
19107         return -8642;
19108 
19109     EVP_CIPHER_CTX_init(en);
19110     if (EVP_CipherInit(en, EVP_aes_128_ctr(),
19111         (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
19112         return -8643;
19113     if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctrPlain, 9) != 9)
19114         return -8644;
19115 
19116     EVP_CIPHER_CTX_init(de);
19117     if (EVP_CipherInit(de, EVP_aes_128_ctr(),
19118         (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
19119         return -8645;
19120 
19121     if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff, 9) != 9)
19122         return -8646;
19123 
19124     if (XMEMCMP(plainBuff, ctrPlain, 9))
19125         return -8647;
19126     if (XMEMCMP(cipherBuff, ctrCipher, 9))
19127         return -8648;
19128 
19129     if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctrPlain, 9) != 9)
19130         return -8649;
19131     if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff, 9) != 9)
19132         return -8650;
19133 
19134     if (XMEMCMP(plainBuff, ctrPlain, 9))
19135         return -8651;
19136     if (XMEMCMP(cipherBuff, oddCipher, 9))
19137         return -8652;
19138 #endif /* WOLFSSL_AES_128 */
19139 
19140 #ifdef WOLFSSL_AES_192
19141     EVP_CIPHER_CTX_init(en);
19142     if (EVP_CipherInit(en, EVP_aes_192_ctr(),
19143             (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0)
19144         return -8653;
19145     if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctr192Plain,
19146             AES_BLOCK_SIZE) != AES_BLOCK_SIZE)
19147         return -8654;
19148     EVP_CIPHER_CTX_init(de);
19149     if (EVP_CipherInit(de, EVP_aes_192_ctr(),
19150         (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0)
19151         return -8655;
19152 
19153     XMEMSET(plainBuff, 0, sizeof(plainBuff));
19154     if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff,
19155             AES_BLOCK_SIZE) != AES_BLOCK_SIZE)
19156         return -8656;
19157 
19158     if (XMEMCMP(plainBuff, ctr192Plain, sizeof(ctr192Plain)))
19159         return -8657;
19160     if (XMEMCMP(ctr192Cipher, cipherBuff, sizeof(ctr192Cipher)))
19161         return -8658;
19162 #endif /* WOLFSSL_AES_192 */
19163 
19164 #ifdef WOLFSSL_AES_256
19165     EVP_CIPHER_CTX_init(en);
19166     if (EVP_CipherInit(en, EVP_aes_256_ctr(),
19167         (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0)
19168         return -8659;
19169     if (EVP_Cipher(en, (byte*)cipherBuff, (byte*)ctr256Plain,
19170             AES_BLOCK_SIZE) != AES_BLOCK_SIZE)
19171         return -8660;
19172     EVP_CIPHER_CTX_init(de);
19173     if (EVP_CipherInit(de, EVP_aes_256_ctr(),
19174         (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0)
19175         return -8661;
19176 
19177     XMEMSET(plainBuff, 0, sizeof(plainBuff));
19178     if (EVP_Cipher(de, (byte*)plainBuff, (byte*)cipherBuff,
19179             AES_BLOCK_SIZE) != AES_BLOCK_SIZE)
19180         return -8662;
19181 
19182     if (XMEMCMP(plainBuff, ctr256Plain, sizeof(ctr256Plain)))
19183         return -8663;
19184     if (XMEMCMP(ctr256Cipher, cipherBuff, sizeof(ctr256Cipher)))
19185         return -8664;
19186 #endif /* WOLFSSL_AES_256 */
19187 
19188 #ifdef WOLFSSL_SMALL_STACK
19189     wolfSSL_EVP_CIPHER_CTX_free(en);
19190     wolfSSL_EVP_CIPHER_CTX_free(de);
19191 #endif
19192 }
19193 #endif /* HAVE_AES_COUNTER */
19194 
19195 #if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
19196 {
19197       /* EVP_CipherUpdate test */
19198 
19199 
19200         WOLFSSL_SMALL_STACK_STATIC const byte cbcPlain[] =
19201         {
19202             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
19203             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
19204             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
19205             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
19206             0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
19207             0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
19208             0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
19209             0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
19210         };
19211 
19212         byte key[] = "0123456789abcdef   ";  /* align */
19213         byte iv[]  = "1234567890abcdef   ";  /* align */
19214 
19215         byte cipher[AES_BLOCK_SIZE * 4];
19216         byte plain [AES_BLOCK_SIZE * 4];
19217 #ifdef WOLFSSL_SMALL_STACK
19218         EVP_CIPHER_CTX *en = wolfSSL_EVP_CIPHER_CTX_new();
19219         EVP_CIPHER_CTX *de = wolfSSL_EVP_CIPHER_CTX_new();
19220 #else
19221         EVP_CIPHER_CTX en[1];
19222         EVP_CIPHER_CTX de[1];
19223 #endif
19224         int outlen ;
19225         int total = 0;
19226 
19227 #ifdef WOLFSSL_SMALL_STACK
19228         if ((en == NULL) || (de == NULL))
19229             return MEMORY_E;
19230 #endif
19231 
19232         EVP_CIPHER_CTX_init(en);
19233         if (EVP_CipherInit(en, EVP_aes_128_cbc(),
19234             (unsigned char*)key, (unsigned char*)iv, 1) == 0)
19235             return -8665;
19236         /* openSSL compatibility, if(inlen == 0)return 1; */
19237         if (EVP_CipherUpdate(en, (byte*)cipher, &outlen,
19238                                                     (byte*)cbcPlain, 0) != 1)
19239             return -8666;
19240 
19241         EVP_CIPHER_CTX_init(en);
19242         if (EVP_CipherInit(en, EVP_aes_128_cbc(),
19243             (unsigned char*)key, (unsigned char*)iv, 1) == 0)
19244             return -8667;
19245         if (EVP_CipherUpdate(en, (byte*)cipher, &outlen,
19246                                                     (byte*)cbcPlain, 9) == 0)
19247             return -8668;
19248         if(outlen != 0)
19249             return -8669;
19250         total += outlen;
19251 
19252         if (EVP_CipherUpdate(en, (byte*)&cipher[total], &outlen,
19253                                                 (byte*)&cbcPlain[9]  , 9) == 0)
19254             return -8670;
19255         if(outlen != 16)
19256             return -8671;
19257         total += outlen;
19258 
19259         if (EVP_CipherFinal(en, (byte*)&cipher[total], &outlen) == 0)
19260             return -8672;
19261         if(outlen != 16)
19262             return -8673;
19263         total += outlen;
19264         if(total != 32)
19265             return -8674;
19266 
19267         total = 0;
19268         EVP_CIPHER_CTX_init(de);
19269         if (EVP_CipherInit(de, EVP_aes_128_cbc(),
19270             (unsigned char*)key, (unsigned char*)iv, 0) == 0)
19271             return -8675;
19272 
19273         if (EVP_CipherUpdate(de, (byte*)plain, &outlen, (byte*)cipher, 6) == 0)
19274             return -8676;
19275         if(outlen != 0)
19276             return -8677;
19277         total += outlen;
19278 
19279         if (EVP_CipherUpdate(de, (byte*)&plain[total], &outlen,
19280                                                     (byte*)&cipher[6], 12) == 0)
19281             return -8678;
19282         if(outlen != 0)
19283         total += outlen;
19284 
19285         if (EVP_CipherUpdate(de, (byte*)&plain[total], &outlen,
19286                                                 (byte*)&cipher[6+12], 14) == 0)
19287             return -8679;
19288         if(outlen != 16)
19289             return -8680;
19290         total += outlen;
19291 
19292         if (EVP_CipherFinal(de, (byte*)&plain[total], &outlen) == 0)
19293             return -8681;
19294         if(outlen != 2)
19295             return -8682;
19296         total += outlen;
19297 
19298         if(total != 18)
19299             return -8683;
19300 
19301         if (XMEMCMP(plain, cbcPlain, 18))
19302             return -8684;
19303 
19304         total = 0;
19305         EVP_CIPHER_CTX_init(en);
19306         if (EVP_EncryptInit(en, EVP_aes_128_cbc(),
19307             (unsigned char*)key, (unsigned char*)iv) == 0)
19308             return -8685;
19309         if (EVP_CipherUpdate(en, (byte*)cipher, &outlen, (byte*)cbcPlain, 9) == 0)
19310             return -8686;
19311         if(outlen != 0)
19312             return -8687;
19313         total += outlen;
19314 
19315         if (EVP_CipherUpdate(en, (byte*)&cipher[total], &outlen, (byte*)&cbcPlain[9]  , 9) == 0)
19316             return -8688;
19317         if(outlen != 16)
19318             return -8689;
19319         total += outlen;
19320 
19321         if (EVP_EncryptFinal(en, (byte*)&cipher[total], &outlen) == 0)
19322             return -8690;
19323         if(outlen != 16)
19324             return -8691;
19325         total += outlen;
19326         if(total != 32)
19327             return 3438;
19328 
19329         total = 0;
19330         EVP_CIPHER_CTX_init(de);
19331         if (EVP_DecryptInit(de, EVP_aes_128_cbc(),
19332             (unsigned char*)key, (unsigned char*)iv) == 0)
19333             return -8692;
19334 
19335         if (EVP_CipherUpdate(de, (byte*)plain, &outlen, (byte*)cipher, 6) == 0)
19336             return -8693;
19337         if(outlen != 0)
19338             return -8694;
19339         total += outlen;
19340 
19341         if (EVP_CipherUpdate(de, (byte*)&plain[total], &outlen, (byte*)&cipher[6], 12) == 0)
19342             return -8695;
19343         if(outlen != 0)
19344         total += outlen;
19345 
19346         if (EVP_CipherUpdate(de, (byte*)&plain[total], &outlen, (byte*)&cipher[6+12], 14) == 0)
19347             return -8696;
19348         if(outlen != 16)
19349             return -8697;
19350         total += outlen;
19351 
19352         if (EVP_DecryptFinal(de, (byte*)&plain[total], &outlen) == 0)
19353             return -8698;
19354         if(outlen != 2)
19355             return -8699;
19356         total += outlen;
19357 
19358         if(total != 18)
19359             return 3447;
19360 
19361         if (XMEMCMP(plain, cbcPlain, 18))
19362             return -8700;
19363 
19364         if (EVP_CIPHER_key_length(NULL) != 0)
19365             return -8701;
19366 
19367         if (EVP_CIPHER_key_length(EVP_aes_128_cbc()) != 16)
19368             return -8702;
19369 
19370         if (EVP_CIPHER_CTX_mode(NULL) != 0)
19371             return -8703;
19372 
19373         if (EVP_CIPHER_CTX_mode(en) != (en->flags & WOLFSSL_EVP_CIPH_MODE))
19374             return -8704;
19375 
19376         EVP_CIPHER_CTX_init(en);
19377         if (EVP_CipherInit_ex(en, EVP_aes_128_cbc(), NULL,
19378             (unsigned char*)key, (unsigned char*)iv, 0) == 0)
19379             return -8705;
19380 
19381         EVP_CIPHER_CTX_init(en);
19382         if (EVP_EncryptInit_ex(en, EVP_aes_128_cbc(), NULL,
19383                 (unsigned char*)key, (unsigned char*)iv) == 0)
19384             return -8706;
19385 
19386         if (wolfSSL_EVP_EncryptFinal_ex(NULL, NULL, NULL) != WOLFSSL_FAILURE)
19387             return -8707;
19388 
19389         if (wolfSSL_EVP_EncryptFinal(NULL, NULL, NULL) != WOLFSSL_FAILURE)
19390             return -8708;
19391 
19392         EVP_CIPHER_CTX_init(de);
19393         if (EVP_DecryptInit_ex(de, EVP_aes_128_cbc(), NULL,
19394                 (unsigned char*)key, (unsigned char*)iv) == 0)
19395             return -8709;
19396 
19397         if (wolfSSL_EVP_DecryptFinal(NULL, NULL, NULL) != WOLFSSL_FAILURE)
19398             return -8710;
19399 
19400         if (wolfSSL_EVP_DecryptFinal_ex(NULL, NULL, NULL) != WOLFSSL_FAILURE)
19401             return -8711;
19402 
19403         if (EVP_CIPHER_CTX_block_size(NULL) != BAD_FUNC_ARG)
19404             return -8712;
19405 
19406         EVP_CIPHER_CTX_init(en);
19407         EVP_EncryptInit_ex(en, EVP_aes_128_cbc(), NULL,
19408                 (unsigned char*)key, (unsigned char*)iv);
19409         if (EVP_CIPHER_CTX_block_size(en) != en->block_size)
19410             return -8713;
19411 
19412         if (EVP_CIPHER_block_size(NULL) != BAD_FUNC_ARG)
19413             return -8714;
19414 
19415         if (EVP_CIPHER_block_size(EVP_aes_128_cbc()) != AES_BLOCK_SIZE)
19416             return -8715;
19417 
19418         if (WOLFSSL_EVP_CIPHER_mode(NULL) != 0)
19419             return -8716;
19420 
19421         if (EVP_CIPHER_flags(EVP_aes_128_cbc()) != WOLFSSL_EVP_CIPH_CBC_MODE)
19422             return -8717;
19423 
19424         EVP_CIPHER_CTX_clear_flags(en, 0xFFFFFFFF);
19425         EVP_CIPHER_CTX_set_flags(en, 42);
19426         if (en->flags != 42)
19427             return -8718;
19428 
19429         if (EVP_CIPHER_CTX_set_padding(NULL, 0) != BAD_FUNC_ARG)
19430             return -8719;
19431         if (EVP_CIPHER_CTX_set_padding(en, 0) != WOLFSSL_SUCCESS)
19432             return -8720;
19433         if (EVP_CIPHER_CTX_set_padding(en, 1) != WOLFSSL_SUCCESS)
19434             return -8721;
19435 
19436 #ifdef WOLFSSL_SMALL_STACK
19437         wolfSSL_EVP_CIPHER_CTX_free(en);
19438         wolfSSL_EVP_CIPHER_CTX_free(de);
19439 #endif
19440     }
19441 #endif /* WOLFSSL_AES_128 && HAVE_AES_CBC */
19442 #endif /* ifndef NO_AES */
19443     return 0;
19444 }
19445 
19446 WOLFSSL_TEST_SUBROUTINE int openSSL_evpMD_test(void)
19447 {
19448     int ret = 0;
19449 #if !defined(NO_SHA256) && !defined(NO_SHA)
19450     WOLFSSL_EVP_MD_CTX* ctx;
19451     WOLFSSL_EVP_MD_CTX* ctx2;
19452 
19453     ctx = EVP_MD_CTX_create();
19454     ctx2 = EVP_MD_CTX_create();
19455 
19456     ret = EVP_DigestInit(ctx, EVP_sha256());
19457     if (ret != SSL_SUCCESS) {
19458         ret = -8800;
19459         goto openSSL_evpMD_test_done;
19460     }
19461 
19462     ret = EVP_MD_CTX_copy(ctx2, ctx);
19463     if (ret != SSL_SUCCESS) {
19464         ret = -8801;
19465         goto openSSL_evpMD_test_done;
19466     }
19467 
19468     if (EVP_MD_type(EVP_sha256()) != EVP_MD_CTX_type(ctx2)) {
19469         ret = -8802;
19470         goto openSSL_evpMD_test_done;
19471     }
19472 
19473     ret = EVP_DigestInit(ctx, EVP_sha1());
19474     if (ret != SSL_SUCCESS) {
19475         ret = -8803;
19476         goto openSSL_evpMD_test_done;
19477     }
19478 
19479     if (EVP_MD_type(EVP_sha256()) != EVP_MD_CTX_type(ctx2)) {
19480         ret = -8804;
19481         goto openSSL_evpMD_test_done;
19482     }
19483 
19484     ret = EVP_MD_CTX_copy_ex(ctx2, ctx);
19485     if (ret != SSL_SUCCESS) {
19486         ret = -8805;
19487         goto openSSL_evpMD_test_done;
19488     }
19489 
19490     if (EVP_MD_type(EVP_sha256()) == EVP_MD_CTX_type(ctx2)) {
19491         ret = -8806;
19492         goto openSSL_evpMD_test_done;
19493     }
19494 
19495     if (EVP_MD_type(EVP_sha1()) != EVP_MD_CTX_type(ctx2)) {
19496         ret = -8807;
19497         goto openSSL_evpMD_test_done;
19498     }
19499 
19500     if (EVP_DigestInit_ex(ctx, EVP_sha1(), NULL) != SSL_SUCCESS) {
19501         ret = -8808;
19502         goto openSSL_evpMD_test_done;
19503     }
19504 
19505     if (EVP_add_digest(NULL) != 0) {
19506         ret = -8809;
19507         goto openSSL_evpMD_test_done;
19508     }
19509 
19510     if (wolfSSL_EVP_add_cipher(NULL) != 0) {
19511         ret = -8810;
19512         goto openSSL_evpMD_test_done;
19513     }
19514 
19515     ret = 0; /* got to success state without jumping to end with a fail */
19516 
19517 openSSL_evpMD_test_done:
19518     EVP_MD_CTX_destroy(ctx);
19519     EVP_MD_CTX_destroy(ctx2);
19520 #endif /* NO_SHA256 */
19521 
19522     return ret;
19523 }
19524 
19525 #ifdef DEBUG_SIGN
19526 static void show(const char *title, const char *p, unsigned int s) {
19527     char* i;
19528     printf("%s: ", title);
19529     for (i = p;
19530             i < p + s;
19531             printf("%c", *i), i++);
19532     printf("\n");
19533 }
19534 #else
19535 #define show(a,b,c)
19536 #endif
19537 
19538 #define FOURK_BUFF 4096
19539 
19540 #define ERR_BASE_PKEY -5000
19541 WOLFSSL_TEST_SUBROUTINE int openssl_pkey0_test(void)
19542 {
19543     int ret = 0;
19544 #if !defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(NO_SHA)
19545     byte*   prvTmp;
19546     byte*   pubTmp;
19547     int prvBytes;
19548     int pubBytes;
19549     RSA *prvRsa = NULL;
19550     RSA *pubRsa = NULL;
19551     EVP_PKEY *prvPkey = NULL;
19552     EVP_PKEY *pubPkey = NULL;
19553     EVP_PKEY_CTX *enc = NULL;
19554     EVP_PKEY_CTX *dec = NULL;
19555 
19556     byte   in[] = TEST_STRING;
19557     byte   out[256];
19558     size_t outlen;
19559     size_t keySz;
19560     byte   plain[256];
19561 #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
19562     XFILE  keyFile;
19563     XFILE  keypubFile;
19564     char cliKey[]    = "./certs/client-key.der";
19565     char cliKeypub[] = "./certs/client-keyPub.der";
19566 
19567 #endif
19568 
19569     prvTmp = (byte*)XMALLOC(FOURK_BUFF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19570     if (prvTmp == NULL)
19571         return ERR_BASE_PKEY-1;
19572     pubTmp = (byte*)XMALLOC(FOURK_BUFF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19573     if (pubTmp == NULL) {
19574         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
19575         return ERR_BASE_PKEY-2;
19576     }
19577 
19578 #ifdef USE_CERT_BUFFERS_1024
19579     XMEMCPY(prvTmp, client_key_der_1024, sizeof_client_key_der_1024);
19580     prvBytes = sizeof_client_key_der_1024;
19581     XMEMCPY(pubTmp, client_keypub_der_1024, sizeof_client_keypub_der_1024);
19582     pubBytes = sizeof_client_keypub_der_1024;
19583 #elif defined(USE_CERT_BUFFERS_2048)
19584     XMEMCPY(prvTmp, client_key_der_2048, sizeof_client_key_der_2048);
19585     prvBytes = sizeof_client_key_der_2048;
19586     XMEMCPY(pubTmp, client_keypub_der_2048, sizeof_client_keypub_der_2048);
19587     pubBytes = sizeof_client_keypub_der_2048;
19588 #else
19589     keyFile = XFOPEN(cliKey, "rb");
19590     if (!keyFile) {
19591         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
19592         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
19593         err_sys("can't open ./certs/client-key.der, "
19594                 "Please run from wolfSSL home dir", ERR_BASE_PKEY-3);
19595         return ERR_BASE_PKEY-3;
19596     }
19597     prvBytes = (int)XFREAD(prvTmp, 1, (int)FOURK_BUFF, keyFile);
19598     XFCLOSE(keyFile);
19599     keypubFile = XFOPEN(cliKeypub, "rb");
19600     if (!keypubFile) {
19601         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
19602         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
19603         err_sys("can't open ./certs/client-cert.der, "
19604                 "Please run from wolfSSL home dir", -4);
19605         return ERR_BASE_PKEY-4;
19606     }
19607     pubBytes = (int)XFREAD(pubTmp, 1, (int)FOURK_BUFF, keypubFile);
19608     XFCLOSE(keypubFile);
19609 #endif /* USE_CERT_BUFFERS */
19610 
19611         prvRsa = wolfSSL_RSA_new();
19612         pubRsa = wolfSSL_RSA_new();
19613         if((prvRsa == NULL) || (pubRsa == NULL)){
19614             printf("error with RSA_new\n");
19615             ret = ERR_BASE_PKEY-10;
19616             goto openssl_pkey0_test_done;
19617         }
19618 
19619         ret = wolfSSL_RSA_LoadDer_ex(prvRsa, prvTmp, prvBytes, WOLFSSL_RSA_LOAD_PRIVATE);
19620         if(ret != SSL_SUCCESS){
19621             printf("error with RSA_LoadDer_ex\n");
19622             ret = ERR_BASE_PKEY-11;
19623             goto openssl_pkey0_test_done;
19624         }
19625 
19626         ret = wolfSSL_RSA_LoadDer_ex(pubRsa, pubTmp, pubBytes, WOLFSSL_RSA_LOAD_PUBLIC);
19627         if(ret != SSL_SUCCESS){
19628             printf("error with RSA_LoadDer_ex\n");
19629             ret = ERR_BASE_PKEY-12;
19630             goto openssl_pkey0_test_done;
19631         }
19632         keySz = (size_t)RSA_size(pubRsa);
19633 
19634         prvPkey = wolfSSL_EVP_PKEY_new();
19635         pubPkey = wolfSSL_EVP_PKEY_new();
19636         if((prvPkey == NULL) || (pubPkey == NULL)){
19637             printf("error with PKEY_new\n");
19638             ret = ERR_BASE_PKEY-13;
19639             goto openssl_pkey0_test_done;
19640         }
19641         ret  = wolfSSL_EVP_PKEY_set1_RSA(prvPkey, prvRsa);
19642         ret += wolfSSL_EVP_PKEY_set1_RSA(pubPkey, pubRsa);
19643         if(ret != 2){
19644             printf("error with PKEY_set1_RSA\n");
19645             ret = ERR_BASE_PKEY-14;
19646             goto openssl_pkey0_test_done;
19647         }
19648 
19649         dec = EVP_PKEY_CTX_new(prvPkey, NULL);
19650         enc = EVP_PKEY_CTX_new(pubPkey, NULL);
19651         if((dec == NULL)||(enc==NULL)){
19652             printf("error with EVP_PKEY_CTX_new\n");
19653             ret = ERR_BASE_PKEY-15;
19654             goto openssl_pkey0_test_done;
19655         }
19656 
19657         ret = EVP_PKEY_decrypt_init(dec);
19658         if (ret != 1) {
19659             printf("error with decrypt init\n");
19660             ret = ERR_BASE_PKEY-16;
19661             goto openssl_pkey0_test_done;
19662         }
19663         ret = EVP_PKEY_encrypt_init(enc);
19664         if (ret != 1) {
19665             printf("error with encrypt init\n");
19666             ret = ERR_BASE_PKEY-17;
19667             goto openssl_pkey0_test_done;
19668         }
19669         XMEMSET(out, 0, sizeof(out));
19670         ret = EVP_PKEY_encrypt(enc, out, &outlen, in, sizeof(in));
19671         if (ret != 1) {
19672             printf("error encrypting msg\n");
19673             ret = ERR_BASE_PKEY-18;
19674             goto openssl_pkey0_test_done;
19675         }
19676 
19677         show("encrypted msg", out, outlen);
19678 
19679         XMEMSET(plain, 0, sizeof(plain));
19680         ret = EVP_PKEY_decrypt(dec, plain, &outlen, out, keySz);
19681         if (ret != 1) {
19682             printf("error decrypting msg\n");
19683             ret = ERR_BASE_PKEY-19;
19684             goto openssl_pkey0_test_done;
19685         }
19686         show("decrypted msg", plain, outlen);
19687 
19688         /* RSA_PKCS1_OAEP_PADDING test */
19689         ret = EVP_PKEY_decrypt_init(dec);
19690         if (ret != 1) {
19691             printf("error with decrypt init\n");
19692             ret = ERR_BASE_PKEY-30;
19693             goto openssl_pkey0_test_done;
19694         }
19695         ret = EVP_PKEY_encrypt_init(enc);
19696         if (ret != 1) {
19697             printf("error with encrypt init\n");
19698             ret = ERR_BASE_PKEY-31;
19699             goto openssl_pkey0_test_done;
19700         }
19701 
19702         if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_PADDING) <= 0) {
19703             printf("first set rsa padding error\n");
19704             ret = ERR_BASE_PKEY-32;
19705             goto openssl_pkey0_test_done;
19706         }
19707 
19708 #ifndef HAVE_FIPS
19709         if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_OAEP_PADDING) <= 0){
19710             printf("second set rsa padding error\n");
19711             ret = ERR_BASE_PKEY-33;
19712             goto openssl_pkey0_test_done;
19713         }
19714 
19715         if (EVP_PKEY_CTX_set_rsa_padding(enc, RSA_PKCS1_OAEP_PADDING) <= 0) {
19716             printf("third set rsa padding error\n");
19717             ret = ERR_BASE_PKEY-34;
19718             goto openssl_pkey0_test_done;
19719         }
19720 #endif
19721 
19722         XMEMSET(out, 0, sizeof(out));
19723         ret = EVP_PKEY_encrypt(enc, out, &outlen, in, sizeof(in));
19724         if (ret != 1) {
19725             printf("error encrypting msg\n");
19726             ret = ERR_BASE_PKEY-35;
19727             goto openssl_pkey0_test_done;
19728         }
19729 
19730         show("encrypted msg", out, outlen);
19731 
19732         XMEMSET(plain, 0, sizeof(plain));
19733         ret = EVP_PKEY_decrypt(dec, plain, &outlen, out, keySz);
19734         if (ret != 1) {
19735             printf("error decrypting msg\n");
19736             ret = ERR_BASE_PKEY-36;
19737             goto openssl_pkey0_test_done;
19738         }
19739 
19740         show("decrypted msg", plain, outlen);
19741 
19742         ret = 0; /* made it to this point without error then set success */
19743 openssl_pkey0_test_done:
19744 
19745         wolfSSL_RSA_free(prvRsa);
19746         wolfSSL_RSA_free(pubRsa);
19747         EVP_PKEY_free(pubPkey);
19748         EVP_PKEY_free(prvPkey);
19749         EVP_PKEY_CTX_free(dec);
19750         EVP_PKEY_CTX_free(enc);
19751         XFREE(prvTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19752         XFREE(pubTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19753 #endif /* NO_RSA */
19754 
19755         return ret;
19756 }
19757 
19758 
19759 WOLFSSL_TEST_SUBROUTINE int openssl_pkey1_test(void)
19760 {
19761     int ret = 0;
19762 #if !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) && \
19763     !defined(NO_SHA)
19764     EVP_PKEY_CTX* dec = NULL;
19765     EVP_PKEY_CTX* enc = NULL;
19766     EVP_PKEY* pubKey  = NULL;
19767     EVP_PKEY* prvKey  = NULL;
19768     X509* x509 = NULL;
19769 
19770     WOLFSSL_SMALL_STACK_STATIC const unsigned char msg[] = "sugar slapped";
19771     const unsigned char* clikey;
19772     long cliKeySz;
19773     size_t outlen;
19774     int keyLenBits = 2048;
19775 #ifdef WOLFSSL_SMALL_STACK
19776     unsigned char *tmp = (unsigned char *)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19777     unsigned char *cipher = (unsigned char *)XMALLOC(RSA_TEST_BYTES, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19778     unsigned char *plain = (unsigned char *)XMALLOC(RSA_TEST_BYTES, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19779 
19780     if ((tmp == NULL) ||
19781         (cipher == NULL) ||
19782         (plain == NULL)) {
19783         ret = -9015;
19784         goto openssl_pkey1_test_done;
19785     }
19786 #else
19787     unsigned char tmp[FOURK_BUF];
19788     unsigned char cipher[RSA_TEST_BYTES];
19789     unsigned char plain[RSA_TEST_BYTES];
19790 #endif
19791 
19792 #if defined(USE_CERT_BUFFERS_1024)
19793     XMEMCPY(tmp, client_key_der_1024, sizeof_client_key_der_1024);
19794     cliKeySz = (long)sizeof_client_key_der_1024;
19795 
19796     x509 = wolfSSL_X509_load_certificate_buffer(client_cert_der_1024,
19797             sizeof_client_cert_der_1024, SSL_FILETYPE_ASN1);
19798     keyLenBits = 1024;
19799 #elif defined(USE_CERT_BUFFERS_2048)
19800     XMEMCPY(tmp, client_key_der_2048, sizeof_client_key_der_2048);
19801     cliKeySz = (long)sizeof_client_key_der_2048;
19802 
19803     x509 = wolfSSL_X509_load_certificate_buffer(client_cert_der_2048,
19804             sizeof_client_cert_der_2048, SSL_FILETYPE_ASN1);
19805 #elif defined(USE_CERT_BUFFERS_3072)
19806     XMEMCPY(tmp, client_key_der_3072, sizeof_client_key_der_3072);
19807     cliKeySz = (long)sizeof_client_key_der_3072;
19808 
19809     x509 = wolfSSL_X509_load_certificate_buffer(client_cert_der_3072,
19810             sizeof_client_cert_der_3072, SSL_FILETYPE_ASN1);
19811     keyLenBits = 3072;
19812 #elif defined(USE_CERT_BUFFERS_4096)
19813     XMEMCPY(tmp, client_key_der_4096, sizeof_client_key_der_4096);
19814     cliKeySz = (long)sizeof_client_key_der_4096;
19815 
19816     x509 = wolfSSL_X509_load_certificate_buffer(client_cert_der_4096,
19817             sizeof_client_cert_der_4096, SSL_FILETYPE_ASN1);
19818     keyLenBits = 4096;
19819 #else
19820     XFILE f;
19821 
19822     f = XFOPEN(clientKey, "rb");
19823 
19824     if (!f) {
19825         err_sys("can't open ./certs/client-key.der, "
19826                 "Please run from wolfSSL home dir", -41);
19827         ret = -9000;
19828         goto openssl_pkey1_test_done;
19829     }
19830 
19831     cliKeySz = (long)XFREAD(tmp, 1, FOURK_BUF, f);
19832     XFCLOSE(f);
19833 
19834     /* using existing wolfSSL api to get public and private key */
19835     x509 = wolfSSL_X509_load_certificate_file(clientCert, SSL_FILETYPE_ASN1);
19836 #endif /* USE_CERT_BUFFERS */
19837     clikey = tmp;
19838 
19839     if ((prvKey = EVP_PKEY_new()) == NULL) {
19840         ret = -9001;
19841         goto openssl_pkey1_test_done;
19842     }
19843     EVP_PKEY_free(prvKey);
19844     prvKey = NULL;
19845 
19846     if (x509 == NULL) {
19847         ret = -9002;
19848         goto openssl_pkey1_test_done;
19849     }
19850 
19851     pubKey = X509_get_pubkey(x509);
19852     if (pubKey == NULL) {
19853         ret = -9003;
19854         goto openssl_pkey1_test_done;
19855     }
19856 
19857     prvKey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &clikey, cliKeySz);
19858     if (prvKey == NULL) {
19859         ret = -9004;
19860         goto openssl_pkey1_test_done;
19861     }
19862 
19863     /* phase 2 API to create EVP_PKEY_CTX and encrypt/decrypt */
19864     if (EVP_PKEY_bits(prvKey) != keyLenBits) {
19865         ret = -9005;
19866         goto openssl_pkey1_test_done;
19867     }
19868 
19869     if (EVP_PKEY_size(prvKey) != keyLenBits/8) {
19870         ret = -9006;
19871         goto openssl_pkey1_test_done;
19872     }
19873 
19874     dec = EVP_PKEY_CTX_new(prvKey, NULL);
19875     enc = EVP_PKEY_CTX_new(pubKey, NULL);
19876     if (dec == NULL || enc == NULL) {
19877         ret = -9007;
19878         goto openssl_pkey1_test_done;
19879     }
19880 
19881     if (EVP_PKEY_decrypt_init(dec) != 1) {
19882         ret = -9008;
19883         goto openssl_pkey1_test_done;
19884     }
19885 
19886     if (EVP_PKEY_encrypt_init(enc) != 1) {
19887         ret = -9009;
19888         goto openssl_pkey1_test_done;
19889     }
19890 
19891     if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_PADDING) <= 0) {
19892         ret = -9010;
19893         goto openssl_pkey1_test_done;
19894     }
19895 
19896 #ifndef HAVE_FIPS
19897     if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_OAEP_PADDING) <= 0){
19898         ret = -9011;
19899         goto openssl_pkey1_test_done;
19900     }
19901 
19902     if (EVP_PKEY_CTX_set_rsa_padding(enc, RSA_PKCS1_OAEP_PADDING) <= 0) {
19903         ret = -9012;
19904         goto openssl_pkey1_test_done;
19905     }
19906 #endif
19907 
19908     XMEMSET(cipher, 0, RSA_TEST_BYTES);
19909     outlen = keyLenBits/8;
19910     if (EVP_PKEY_encrypt(enc, cipher, &outlen, msg, sizeof(msg)) < 0) {
19911         ret = -9013;
19912         goto openssl_pkey1_test_done;
19913     }
19914 
19915     XMEMSET(plain, 0, RSA_TEST_BYTES);
19916     if (EVP_PKEY_decrypt(dec, plain, &outlen, cipher, outlen) != 1) {
19917         ret = -9014;
19918         goto openssl_pkey1_test_done;
19919     }
19920 
19921 openssl_pkey1_test_done:
19922     if (pubKey != NULL) {
19923         EVP_PKEY_free(pubKey);
19924     }
19925     if (prvKey != NULL) {
19926         EVP_PKEY_free(prvKey);
19927     }
19928     if (dec != NULL) {
19929         EVP_PKEY_CTX_free(dec);
19930     }
19931     if (enc != NULL) {
19932         EVP_PKEY_CTX_free(enc);
19933     }
19934     if (x509 != NULL) {
19935         X509_free(x509);
19936     }
19937 
19938 #ifdef WOLFSSL_SMALL_STACK
19939     if (tmp != NULL)
19940         XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19941     if (cipher != NULL)
19942         XFREE(cipher, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19943     if (plain != NULL)
19944         XFREE(plain, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19945 #endif
19946 #endif
19947 
19948     return ret;
19949 }
19950 
19951 
19952 #define ERR_BASE_EVPSIG -5100
19953 
19954 WOLFSSL_TEST_SUBROUTINE int openssl_evpSig_test(void)
19955 {
19956 #if !defined(NO_RSA) && !defined(NO_SHA) && !defined(HAVE_USER_RSA)
19957     byte*   prvTmp;
19958     byte*   pubTmp;
19959     int prvBytes;
19960     int pubBytes;
19961     RSA *prvRsa;
19962     RSA *pubRsa;
19963     EVP_PKEY *prvPkey;
19964     EVP_PKEY *pubPkey;
19965 
19966     EVP_MD_CTX* sign;
19967     EVP_MD_CTX* verf;
19968     char msg[] = "see spot run";
19969     unsigned char sig[256];
19970     unsigned int sigSz;
19971     const void* pt;
19972     unsigned int count;
19973     int ret, ret1, ret2;
19974 
19975     #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
19976     XFILE   keyFile;
19977     XFILE   keypubFile;
19978     char cliKey[]    = "./certs/client-key.der";
19979     char cliKeypub[] = "./certs/client-keyPub.der";
19980     #endif
19981 
19982     prvTmp = (byte*)XMALLOC(FOURK_BUFF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19983     if (prvTmp == NULL)
19984         return ERR_BASE_EVPSIG-1;
19985     pubTmp = (byte*)XMALLOC(FOURK_BUFF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19986     if (pubTmp == NULL) {
19987         XFREE(prvTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
19988         return ERR_BASE_EVPSIG-2;
19989     }
19990 
19991 #ifdef USE_CERT_BUFFERS_1024
19992     XMEMCPY(prvTmp, client_key_der_1024, sizeof_client_key_der_1024);
19993     prvBytes = sizeof_client_key_der_1024;
19994     XMEMCPY(pubTmp, client_keypub_der_1024, sizeof_client_keypub_der_1024);
19995     pubBytes = sizeof_client_keypub_der_1024;
19996 #elif defined(USE_CERT_BUFFERS_2048)
19997     XMEMCPY(prvTmp, client_key_der_2048, sizeof_client_key_der_2048);
19998     prvBytes = sizeof_client_key_der_2048;
19999     XMEMCPY(pubTmp, client_keypub_der_2048, sizeof_client_keypub_der_2048);
20000     pubBytes = sizeof_client_keypub_der_2048;
20001 #else
20002     keyFile = XFOPEN(cliKey, "rb");
20003     if (!keyFile) {
20004         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20005         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20006         err_sys("can't open ./certs/client-key.der, "
20007                 "Please run from wolfSSL home dir", -40);
20008         return ERR_BASE_EVPSIG-3;
20009     }
20010     prvBytes = (int)XFREAD(prvTmp, 1, (int)FOURK_BUFF, keyFile);
20011     XFCLOSE(keyFile);
20012     keypubFile = XFOPEN(cliKeypub, "rb");
20013     if (!keypubFile) {
20014         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20015         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20016         err_sys("can't open ./certs/client-cert.der, "
20017                 "Please run from wolfSSL home dir", -41);
20018         return ERR_BASE_EVPSIG-4;
20019     }
20020     pubBytes = (int)XFREAD(pubTmp, 1, (int)FOURK_BUFF, keypubFile);
20021     XFCLOSE(keypubFile);
20022     #endif /* USE_CERT_BUFFERS */
20023 
20024     prvRsa = wolfSSL_RSA_new();
20025     pubRsa = wolfSSL_RSA_new();
20026     if((prvRsa == NULL) || (pubRsa == NULL)){
20027         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20028         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20029         err_sys("ERROR with RSA_new", -9100);
20030         return ERR_BASE_EVPSIG-5;
20031     }
20032 
20033     ret1 = wolfSSL_RSA_LoadDer_ex(prvRsa, prvTmp, prvBytes, WOLFSSL_RSA_LOAD_PRIVATE);
20034     ret2 = wolfSSL_RSA_LoadDer_ex(pubRsa, pubTmp, pubBytes, WOLFSSL_RSA_LOAD_PUBLIC);
20035     if((ret1 != SSL_SUCCESS) || (ret2 != SSL_SUCCESS)){
20036       printf("error with RSA_LoadDer_ex\n");
20037       return ERR_BASE_EVPSIG-6;
20038     }
20039 
20040     prvPkey = wolfSSL_EVP_PKEY_new();
20041     pubPkey = wolfSSL_EVP_PKEY_new();
20042     if((prvPkey == NULL) || (pubPkey == NULL)){
20043         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20044         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20045         printf("error with KEY_new\n");
20046         return ERR_BASE_EVPSIG-7;
20047     }
20048     ret1  = wolfSSL_EVP_PKEY_set1_RSA(prvPkey, prvRsa);
20049     ret2  = wolfSSL_EVP_PKEY_set1_RSA(pubPkey, pubRsa);
20050     if((ret1 != 1) || (ret2 != 1)){
20051         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20052         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20053         printf("error with EVP_PKEY_set1_RSA\n");
20054         return ERR_BASE_EVPSIG-8;
20055     }
20056 
20057     /****************** sign and verify *******************/
20058     sign = EVP_MD_CTX_create();
20059     verf = EVP_MD_CTX_create();
20060     if((sign == NULL)||(verf == NULL)){
20061         printf("error with EVP_MD_CTX_create\n");
20062         EVP_MD_CTX_destroy(sign);
20063         EVP_MD_CTX_destroy(verf);
20064         return ERR_BASE_EVPSIG-10;
20065     }
20066 
20067     ret = EVP_SignInit(sign, EVP_sha1());
20068     if (ret != SSL_SUCCESS){
20069         printf("error with EVP_SignInit\n");
20070         EVP_MD_CTX_destroy(sign);
20071         EVP_MD_CTX_destroy(verf);
20072         return ERR_BASE_EVPSIG-11;
20073     }
20074 
20075     count = sizeof(msg);
20076     show("message = ", (char *)msg, count);
20077 
20078     /* sign */
20079     XMEMSET(sig, 0, sizeof(sig));
20080     pt = (const void*)msg;
20081     ret1 = EVP_SignUpdate(sign, pt, count);
20082     ret2 = EVP_SignFinal(sign, sig, &sigSz, prvPkey);
20083     if((ret1 != SSL_SUCCESS) || (ret2 != SSL_SUCCESS)){
20084         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20085         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20086         EVP_MD_CTX_destroy(sign);
20087         EVP_MD_CTX_destroy(verf);
20088         printf("error with EVP_MD_CTX_create\n");
20089         return ERR_BASE_EVPSIG-12;
20090     }
20091     show("signature = ", (char *)sig, sigSz);
20092 
20093     /* verify */
20094     pt = (const void*)msg;
20095     ret1 = EVP_VerifyInit(verf, EVP_sha1());
20096     ret2 = EVP_VerifyUpdate(verf, pt, count);
20097     if((ret1 != SSL_SUCCESS) || (ret2 != SSL_SUCCESS)){
20098         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20099         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20100         EVP_MD_CTX_destroy(sign);
20101         EVP_MD_CTX_destroy(verf);
20102         printf("error with EVP_Verify\n");
20103         return ERR_BASE_EVPSIG-13;
20104     }
20105     if (EVP_VerifyFinal(verf, sig, sigSz, pubPkey) != 1) {
20106         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20107         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20108         EVP_MD_CTX_destroy(sign);
20109         EVP_MD_CTX_destroy(verf);
20110         printf("error with EVP_VerifyFinal\n");
20111         return ERR_BASE_EVPSIG-14;
20112     }
20113 
20114     /* expect fail without update */
20115     EVP_VerifyInit(verf, EVP_sha1());
20116     if (EVP_VerifyFinal(verf, sig, sigSz, pubPkey) == 1) {
20117         XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20118         XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20119         EVP_MD_CTX_destroy(sign);
20120         EVP_MD_CTX_destroy(verf);
20121         printf("EVP_VerifyInit without update not detected\n");
20122         return ERR_BASE_EVPSIG-15;
20123     }
20124 
20125     XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20126     XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
20127     EVP_MD_CTX_destroy(sign);
20128     EVP_MD_CTX_destroy(verf);
20129 
20130     wolfSSL_RSA_free(prvRsa);
20131     wolfSSL_RSA_free(pubRsa);
20132     EVP_PKEY_free(pubPkey);
20133     EVP_PKEY_free(prvPkey);
20134 
20135 #endif /* NO_RSA */
20136     return 0;
20137 }
20138 #endif /* OPENSSL_EXTRA */
20139 
20140 
20141 #ifndef NO_PWDBASED
20142 #ifdef HAVE_SCRYPT
20143 /* Test vectors taken from RFC 7914: scrypt PBKDF - Section 12. */
20144 WOLFSSL_TEST_SUBROUTINE int scrypt_test(void)
20145 {
20146 #ifdef HAVE_FIPS
20147     /* RFC 7914 test vector keys are too short for FIPS. */
20148 #else
20149     int   ret;
20150     byte  derived[64];
20151 
20152     WOLFSSL_SMALL_STACK_STATIC const byte verify1[] = {
20153         0x77, 0xd6, 0x57, 0x62, 0x38, 0x65, 0x7b, 0x20,
20154         0x3b, 0x19, 0xca, 0x42, 0xc1, 0x8a, 0x04, 0x97,
20155         0xf1, 0x6b, 0x48, 0x44, 0xe3, 0x07, 0x4a, 0xe8,
20156         0xdf, 0xdf, 0xfa, 0x3f, 0xed, 0xe2, 0x14, 0x42,
20157         0xfc, 0xd0, 0x06, 0x9d, 0xed, 0x09, 0x48, 0xf8,
20158         0x32, 0x6a, 0x75, 0x3a, 0x0f, 0xc8, 0x1f, 0x17,
20159         0xe8, 0xd3, 0xe0, 0xfb, 0x2e, 0x0d, 0x36, 0x28,
20160         0xcf, 0x35, 0xe2, 0x0c, 0x38, 0xd1, 0x89, 0x06
20161     };
20162     WOLFSSL_SMALL_STACK_STATIC const byte verify2[] = {
20163         0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
20164         0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
20165         0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
20166         0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
20167         0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
20168         0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
20169         0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
20170         0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
20171     };
20172 #if !defined(BENCH_EMBEDDED) && !defined(WOLFSSL_LINUXKM) && !defined(HAVE_INTEL_QA)
20173     WOLFSSL_SMALL_STACK_STATIC const byte verify3[] = {
20174         0x70, 0x23, 0xbd, 0xcb, 0x3a, 0xfd, 0x73, 0x48,
20175         0x46, 0x1c, 0x06, 0xcd, 0x81, 0xfd, 0x38, 0xeb,
20176         0xfd, 0xa8, 0xfb, 0xba, 0x90, 0x4f, 0x8e, 0x3e,
20177         0xa9, 0xb5, 0x43, 0xf6, 0x54, 0x5d, 0xa1, 0xf2,
20178         0xd5, 0x43, 0x29, 0x55, 0x61, 0x3f, 0x0f, 0xcf,
20179         0x62, 0xd4, 0x97, 0x05, 0x24, 0x2a, 0x9a, 0xf9,
20180         0xe6, 0x1e, 0x85, 0xdc, 0x0d, 0x65, 0x1e, 0x40,
20181         0xdf, 0xcf, 0x01, 0x7b, 0x45, 0x57, 0x58, 0x87
20182     };
20183 #endif
20184 #ifdef SCRYPT_TEST_ALL
20185     /* Test case is very slow.
20186      * Use for confirmation after code change or new platform.
20187      */
20188     WOLFSSL_SMALL_STACK_STATIC const byte verify4[] = {
20189         0x21, 0x01, 0xcb, 0x9b, 0x6a, 0x51, 0x1a, 0xae,
20190         0xad, 0xdb, 0xbe, 0x09, 0xcf, 0x70, 0xf8, 0x81,
20191         0xec, 0x56, 0x8d, 0x57, 0x4a, 0x2f, 0xfd, 0x4d,
20192         0xab, 0xe5, 0xee, 0x98, 0x20, 0xad, 0xaa, 0x47,
20193         0x8e, 0x56, 0xfd, 0x8f, 0x4b, 0xa5, 0xd0, 0x9f,
20194         0xfa, 0x1c, 0x6d, 0x92, 0x7c, 0x40, 0xf4, 0xc3,
20195         0x37, 0x30, 0x40, 0x49, 0xe8, 0xa9, 0x52, 0xfb,
20196         0xcb, 0xf4, 0x5c, 0x6f, 0xa7, 0x7a, 0x41, 0xa4
20197     };
20198 #endif
20199 
20200     ret = wc_scrypt(derived, NULL, 0, NULL, 0, 4, 1, 1, sizeof(verify1));
20201     if (ret != 0)
20202         return -9200;
20203     if (XMEMCMP(derived, verify1, sizeof(verify1)) != 0)
20204         return -9201;
20205 
20206     ret = wc_scrypt(derived, (byte*)"password", 8, (byte*)"NaCl", 4, 10, 8, 16,
20207                     sizeof(verify2));
20208     if (ret != 0)
20209         return -9202;
20210     if (XMEMCMP(derived, verify2, sizeof(verify2)) != 0)
20211         return -9203;
20212 
20213     /* Test case with parallel overflowing */
20214     ret = wc_scrypt(derived, (byte*)"password", 16, (byte*)"NaCl", 16, 2, 4, 8388608,
20215                     sizeof(verify2));
20216     if (ret != BAD_FUNC_ARG)
20217         return -9210;
20218 
20219     /* Don't run these test on embedded, since they use large mallocs */
20220 #if !defined(BENCH_EMBEDDED) && !defined(WOLFSSL_LINUXKM) && !defined(HAVE_INTEL_QA)
20221     ret = wc_scrypt(derived, (byte*)"pleaseletmein", 13,
20222                     (byte*)"SodiumChloride", 14, 14, 8, 1, sizeof(verify3));
20223     if (ret != 0)
20224         return -9204;
20225     if (XMEMCMP(derived, verify3, sizeof(verify3)) != 0)
20226         return -9205;
20227 
20228 #ifdef SCRYPT_TEST_ALL
20229     ret = wc_scrypt(derived, (byte*)"pleaseletmein", 13,
20230                     (byte*)"SodiumChloride", 14, 20, 8, 1, sizeof(verify4));
20231     if (ret != 0)
20232         return -9206;
20233     if (XMEMCMP(derived, verify4, sizeof(verify4)) != 0)
20234         return -9207;
20235 #endif
20236 #endif /* !BENCH_EMBEDDED && !defined(WOLFSSL_LINUXKM) && !HAVE_INTEL_QA */
20237 
20238     ret = wc_scrypt_ex(derived, (byte*)"password", 8, (byte*)"NaCl", 4, 1<<10,
20239                        8, 16, sizeof(verify2));
20240     if (ret != 0)
20241         return -9208;
20242     if (XMEMCMP(derived, verify2, sizeof(verify2)) != 0)
20243         return -9209;
20244 
20245 #endif /* !HAVE_FIPS */
20246 
20247     return 0;
20248 }
20249 #endif
20250 
20251 #ifdef HAVE_PKCS12
20252 WOLFSSL_TEST_SUBROUTINE int pkcs12_test(void)
20253 {
20254     WOLFSSL_SMALL_STACK_STATIC const byte passwd[] = { 0x00, 0x73, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x67,
20255                             0x00, 0x00 };
20256     WOLFSSL_SMALL_STACK_STATIC const byte salt[] =   { 0x0a, 0x58, 0xCF, 0x64, 0x53, 0x0d, 0x82, 0x3f };
20257 
20258     WOLFSSL_SMALL_STACK_STATIC const byte passwd2[] = { 0x00, 0x71, 0x00, 0x75, 0x00, 0x65, 0x00, 0x65,
20259                              0x00, 0x67, 0x00, 0x00 };
20260     WOLFSSL_SMALL_STACK_STATIC const byte salt2[] =   { 0x16, 0x82, 0xC0, 0xfC, 0x5b, 0x3f, 0x7e, 0xc5 };
20261     byte  derived[64];
20262 
20263     WOLFSSL_SMALL_STACK_STATIC const byte verify[] = {
20264         0x27, 0xE9, 0x0D, 0x7E, 0xD5, 0xA1, 0xC4, 0x11,
20265         0xBA, 0x87, 0x8B, 0xC0, 0x90, 0xF5, 0xCE, 0xBE,
20266         0x5E, 0x9D, 0x5F, 0xE3, 0xD6, 0x2B, 0x73, 0xAA
20267     };
20268 
20269     WOLFSSL_SMALL_STACK_STATIC const byte verify2[] = {
20270         0x90, 0x1B, 0x49, 0x70, 0xF0, 0x94, 0xF0, 0xF8,
20271         0x45, 0xC0, 0xF3, 0xF3, 0x13, 0x59, 0x18, 0x6A,
20272         0x35, 0xE3, 0x67, 0xFE, 0xD3, 0x21, 0xFD, 0x7C
20273     };
20274 
20275     int id         =  1;
20276     int kLen       = 24;
20277     int iterations =  1;
20278     int ret = wc_PKCS12_PBKDF(derived, passwd, sizeof(passwd), salt, 8,
20279                                                   iterations, kLen, WC_SHA256, id);
20280 
20281     if (ret < 0)
20282         return -9300;
20283 
20284     if (XMEMCMP(derived, verify, kLen) != 0)
20285         return -9301;
20286 
20287     iterations = 1000;
20288     ret = wc_PKCS12_PBKDF(derived, passwd2, sizeof(passwd2), salt2, 8,
20289                                                   iterations, kLen, WC_SHA256, id);
20290     if (ret < 0)
20291         return -9302;
20292 
20293     ret = wc_PKCS12_PBKDF_ex(derived, passwd2, sizeof(passwd2), salt2, 8,
20294                                        iterations, kLen, WC_SHA256, id, HEAP_HINT);
20295     if (ret < 0)
20296         return -9303;
20297 
20298     if (XMEMCMP(derived, verify2, 24) != 0)
20299         return -9304;
20300 
20301     return 0;
20302 }
20303 #endif /* HAVE_PKCS12 */
20304 
20305 #if defined(HAVE_PBKDF2) && !defined(NO_SHA256)
20306 WOLFSSL_TEST_SUBROUTINE int pbkdf2_test(void)
20307 {
20308     char passwd[] = "passwordpassword";
20309     WOLFSSL_SMALL_STACK_STATIC const byte salt[] = { 0x78, 0x57, 0x8E, 0x5a, 0x5d, 0x63, 0xcb, 0x06 };
20310     int   iterations = 2048;
20311     int   kLen = 24;
20312     byte  derived[64];
20313 
20314     WOLFSSL_SMALL_STACK_STATIC const byte verify[] = {
20315         0x43, 0x6d, 0xb5, 0xe8, 0xd0, 0xfb, 0x3f, 0x35, 0x42, 0x48, 0x39, 0xbc,
20316         0x2d, 0xd4, 0xf9, 0x37, 0xd4, 0x95, 0x16, 0xa7, 0x2a, 0x9a, 0x21, 0xd1
20317     };
20318 
20319     int ret = wc_PBKDF2_ex(derived, (byte*)passwd, (int)XSTRLEN(passwd), salt,
20320               (int)sizeof(salt), iterations, kLen, WC_SHA256, HEAP_HINT, devId);
20321     if (ret != 0)
20322         return ret;
20323 
20324     if (XMEMCMP(derived, verify, sizeof(verify)) != 0)
20325         return -9400;
20326 
20327     return 0;
20328 
20329 }
20330 #endif /* HAVE_PBKDF2 && !NO_SHA256 */
20331 
20332 #if defined(HAVE_PBKDF1) && !defined(NO_SHA)
20333 WOLFSSL_TEST_SUBROUTINE int pbkdf1_test(void)
20334 {
20335     char passwd[] = "password";
20336     WOLFSSL_SMALL_STACK_STATIC const byte salt[] = { 0x78, 0x57, 0x8E, 0x5a, 0x5d, 0x63, 0xcb, 0x06 };
20337     int   iterations = 1000;
20338     int   kLen = 16;
20339     byte  derived[16];
20340 
20341     WOLFSSL_SMALL_STACK_STATIC const byte verify[] = {
20342         0xDC, 0x19, 0x84, 0x7E, 0x05, 0xC6, 0x4D, 0x2F,
20343         0xAF, 0x10, 0xEB, 0xFB, 0x4A, 0x3D, 0x2A, 0x20
20344     };
20345 
20346     int ret = wc_PBKDF1_ex(derived, kLen, NULL, 0, (byte*)passwd,
20347         (int)XSTRLEN(passwd), salt, (int)sizeof(salt), iterations, WC_SHA,
20348         HEAP_HINT);
20349     if (ret != 0)
20350         return ret;
20351 
20352     if (XMEMCMP(derived, verify, sizeof(verify)) != 0)
20353         return -9500;
20354 
20355     return 0;
20356 }
20357 #endif /* HAVE_PBKDF2 && !NO_SHA */
20358 
20359 WOLFSSL_TEST_SUBROUTINE int pwdbased_test(void)
20360 {
20361    int ret = 0;
20362 
20363 #if defined(HAVE_PBKDF1) && !defined(NO_SHA)
20364    ret = pbkdf1_test();
20365    if (ret != 0)
20366       return ret;
20367 #endif
20368 #if defined(HAVE_PBKDF2) && !defined(NO_SHA256)
20369    ret = pbkdf2_test();
20370    if (ret != 0)
20371       return ret;
20372 #endif
20373 #ifdef HAVE_PKCS12
20374    ret = pkcs12_test();
20375    if (ret != 0)
20376       return ret;
20377 #endif
20378 #ifdef HAVE_SCRYPT
20379    ret = scrypt_test();
20380    if (ret != 0)
20381       return ret;
20382 #endif
20383    return ret;
20384 }
20385 
20386 #endif /* NO_PWDBASED */
20387 
20388 #if defined(HAVE_HKDF) && !defined(NO_HMAC)
20389 
20390 /* WOLFSSL_TEST_SUBROUTINE */ static int hkdf_test(void)
20391 {
20392     int ret = 0;
20393 
20394 #if !defined(NO_SHA) || !defined(NO_SHA256)
20395     int L = 42;
20396     byte okm1[42];
20397     byte ikm1[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
20398                       0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
20399                       0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
20400 #ifndef HAVE_FIPS
20401     byte salt1[13] ={ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
20402                       0x08, 0x09, 0x0a, 0x0b, 0x0c };
20403     byte info1[10] ={ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
20404                       0xf8, 0xf9 };
20405 #endif
20406 #ifndef NO_SHA
20407     byte res1[42] = { 0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61,
20408                       0xd1, 0xe5, 0x52, 0x98, 0xda, 0x9d, 0x05, 0x06,
20409                       0xb9, 0xae, 0x52, 0x05, 0x72, 0x20, 0xa3, 0x06,
20410                       0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0,
20411                       0xea, 0x00, 0x03, 0x3d, 0xe0, 0x39, 0x84, 0xd3,
20412                       0x49, 0x18 };
20413 #ifndef HAVE_FIPS
20414     byte res2[42] = { 0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69,
20415                       0x33, 0x06, 0x8b, 0x56, 0xef, 0xa5, 0xad, 0x81,
20416                       0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b, 0x09, 0x15,
20417                       0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2,
20418                       0xc2, 0x2e, 0x42, 0x24, 0x78, 0xd3, 0x05, 0xf3,
20419                       0xf8, 0x96 };
20420 #endif
20421 #endif /* !NO_SHA */
20422 #ifndef NO_SHA256
20423     byte res3[42] = { 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f,
20424                       0x71, 0x5f, 0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31,
20425                       0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e,
20426                       0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d,
20427                       0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a,
20428                       0x96, 0xc8 };
20429 #ifndef HAVE_FIPS
20430     byte res4[42] = { 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
20431                       0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
20432                       0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
20433                       0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
20434                       0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
20435                       0x58, 0x65 };
20436 #endif
20437 #endif /* !NO_SHA256 */
20438 
20439 #ifndef NO_SHA
20440     ret = wc_HKDF(WC_SHA, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
20441     if (ret != 0)
20442         return -9700;
20443 
20444     if (XMEMCMP(okm1, res1, L) != 0)
20445         return -9701;
20446 
20447 #ifndef HAVE_FIPS
20448     /* fips can't have key size under 14 bytes, salt is key too */
20449     ret = wc_HKDF(WC_SHA, ikm1, 11, salt1, 13, info1, 10, okm1, L);
20450     if (ret != 0)
20451         return -9702;
20452 
20453     if (XMEMCMP(okm1, res2, L) != 0)
20454         return -9703;
20455 #endif /* HAVE_FIPS */
20456 #endif /* !NO_SHA */
20457 
20458 #ifndef NO_SHA256
20459     ret = wc_HKDF(WC_SHA256, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
20460     if (ret != 0)
20461         return -9704;
20462 
20463     if (XMEMCMP(okm1, res3, L) != 0)
20464         return -9705;
20465 
20466 #ifndef HAVE_FIPS
20467     /* fips can't have key size under 14 bytes, salt is key too */
20468     ret = wc_HKDF(WC_SHA256, ikm1, 22, salt1, 13, info1, 10, okm1, L);
20469     if (ret != 0)
20470         return -9706;
20471 
20472     if (XMEMCMP(okm1, res4, L) != 0)
20473         return -9707;
20474 #endif /* HAVE_FIPS */
20475 #endif /* !NO_SHA256 */
20476 #endif /* !NO_SHA || !NO_SHA256 */
20477 
20478     return ret;
20479 }
20480 
20481 #endif /* HAVE_HKDF */
20482 
20483 
20484 #ifdef WOLFSSL_WOLFSSH
20485 
20486 typedef struct {
20487     byte hashId;
20488     byte keyId;
20489     const byte* k;
20490     word32 kSz;
20491     const byte* h;
20492     word32 hSz;
20493     const byte* sessionId;
20494     word32 sessionIdSz;
20495     const byte* expectedKey;
20496     word32 expectedKeySz;
20497 } SshKdfTestVector;
20498 
20499 
20500 /** Test Vector Set #3: SHA-256 **/
20501 static const byte sshKdfTvSet3k[] = {
20502     0x6A, 0xC3, 0x82, 0xEA, 0xAC, 0xA0, 0x93, 0xE1,
20503     0x25, 0xE2, 0x5C, 0x24, 0xBE, 0xBC, 0x84, 0x64,
20504     0x0C, 0x11, 0x98, 0x75, 0x07, 0x34, 0x4B, 0x5C,
20505     0x73, 0x9C, 0xEB, 0x84, 0xA9, 0xE0, 0xB2, 0x22,
20506     0xB9, 0xA8, 0xB5, 0x1C, 0x83, 0x9E, 0x5E, 0xBE,
20507     0x49, 0xCF, 0xAD, 0xBF, 0xB3, 0x95, 0x99, 0x76,
20508     0x4E, 0xD5, 0x22, 0x09, 0x9D, 0xC9, 0x12, 0x75,
20509     0x19, 0x50, 0xDC, 0x7D, 0xC9, 0x7F, 0xBD, 0xC0,
20510     0x63, 0x28, 0xB6, 0x8F, 0x22, 0x78, 0x1F, 0xD3,
20511     0x15, 0xAF, 0x56, 0x80, 0x09, 0xA5, 0x50, 0x9E,
20512     0x5B, 0x87, 0xA1, 0x1B, 0xF5, 0x27, 0xC0, 0x56,
20513     0xDA, 0xFF, 0xD8, 0x2A, 0xB6, 0xCB, 0xC2, 0x5C,
20514     0xCA, 0x37, 0x14, 0x34, 0x59, 0xE7, 0xBC, 0x63,
20515     0xBC, 0xDE, 0x52, 0x75, 0x7A, 0xDE, 0xB7, 0xDF,
20516     0x01, 0xCF, 0x12, 0x17, 0x3F, 0x1F, 0xEF, 0x81,
20517     0x02, 0xEC, 0x5A, 0xB1, 0x42, 0xC2, 0x13, 0xDD,
20518     0x9D, 0x30, 0x69, 0x62, 0x78, 0xA8, 0xD8, 0xBC,
20519     0x32, 0xDD, 0xE9, 0x59, 0x2D, 0x28, 0xC0, 0x78,
20520     0xC6, 0xD9, 0x2B, 0x94, 0x7D, 0x82, 0x5A, 0xCA,
20521     0xAB, 0x64, 0x94, 0x84, 0x6A, 0x49, 0xDE, 0x24,
20522     0xB9, 0x62, 0x3F, 0x48, 0x89, 0xE8, 0xAD, 0xC3,
20523     0x8E, 0x8C, 0x66, 0x9E, 0xFF, 0xEF, 0x17, 0x60,
20524     0x40, 0xAD, 0x94, 0x5E, 0x90, 0xA7, 0xD3, 0xEE,
20525     0xC1, 0x5E, 0xFE, 0xEE, 0x78, 0xAE, 0x71, 0x04,
20526     0x3C, 0x96, 0x51, 0x11, 0x03, 0xA1, 0x6B, 0xA7,
20527     0xCA, 0xF0, 0xAC, 0xD0, 0x64, 0x2E, 0xFD, 0xBE,
20528     0x80, 0x99, 0x34, 0xFA, 0xA1, 0xA5, 0xF1, 0xBD,
20529     0x11, 0x04, 0x36, 0x49, 0xB2, 0x5C, 0xCD, 0x1F,
20530     0xEE, 0x2E, 0x38, 0x81, 0x5D, 0x4D, 0x5F, 0x5F,
20531     0xC6, 0xB4, 0x10, 0x29, 0x69, 0xF2, 0x1C, 0x22,
20532     0xAE, 0x1B, 0x0E, 0x7D, 0x36, 0x03, 0xA5, 0x56,
20533     0xA1, 0x32, 0x62, 0xFF, 0x62, 0x8D, 0xE2, 0x22
20534 };
20535 static const byte sshKdfTvSet3h[] = {
20536     0x7B, 0x70, 0x01, 0x18, 0x5E, 0x25, 0x6D, 0x44,
20537     0x93, 0x44, 0x5F, 0x39, 0xA5, 0x5F, 0xB9, 0x05,
20538     0xE6, 0x32, 0x1F, 0x4B, 0x5D, 0xD8, 0xBB, 0xF3,
20539     0x10, 0x0D, 0x51, 0xBA, 0x0B, 0xDA, 0x3D, 0x2D
20540 };
20541 static const byte sshKdfTvSet3sid[] = {
20542     0x7B, 0x70, 0x01, 0x18, 0x5E, 0x25, 0x6D, 0x44,
20543     0x93, 0x44, 0x5F, 0x39, 0xA5, 0x5F, 0xB9, 0x05,
20544     0xE6, 0x32, 0x1F, 0x4B, 0x5D, 0xD8, 0xBB, 0xF3,
20545     0x10, 0x0D, 0x51, 0xBA, 0x0B, 0xDA, 0x3D, 0x2D
20546 };
20547 static const byte sshKdfTvSet3a[] = {
20548     0x81, 0xF0, 0x33, 0x0E, 0xF6, 0xF0, 0x53, 0x61,
20549     0xB3, 0x82, 0x3B, 0xFD, 0xED, 0x6E, 0x1D, 0xE9
20550 };
20551 static const byte sshKdfTvSet3b[] = {
20552     0x3F, 0x6F, 0xD2, 0x06, 0x5E, 0xEB, 0x2B, 0x0B,
20553     0x1D, 0x93, 0x19, 0x5A, 0x1F, 0xED, 0x48, 0xA5
20554 };
20555 static const byte sshKdfTvSet3c[] = {
20556     0xC3, 0x54, 0x71, 0x03, 0x4E, 0x6F, 0xD6, 0x54,
20557     0x76, 0x13, 0x17, 0x8E, 0x23, 0x43, 0x5F, 0x21
20558 };
20559 static const byte sshKdfTvSet3d[] = {
20560     0x7E, 0x9D, 0x79, 0x03, 0x20, 0x90, 0xD9, 0x9F,
20561     0x98, 0xB0, 0x15, 0x63, 0x4D, 0xD9, 0xF4, 0x62
20562 };
20563 static const byte sshKdfTvSet3e[] = {
20564     0x24, 0xEE, 0x55, 0x9A, 0xD7, 0xCE, 0x71, 0x2B,
20565     0x68, 0x5D, 0x0B, 0x22, 0x71, 0xE4, 0x43, 0xC1,
20566     0x7A, 0xB1, 0xD1, 0xDC, 0xEB, 0x5A, 0x36, 0x05,
20567     0x69, 0xD2, 0x5D, 0x5D, 0xC2, 0x43, 0x00, 0x2F
20568 };
20569 static const byte sshKdfTvSet3f[] = {
20570     0xC3, 0x41, 0x9C, 0x2B, 0x96, 0x62, 0x35, 0x86,
20571     0x9D, 0x71, 0x4B, 0xA5, 0xAC, 0x48, 0xDD, 0xB7,
20572     0xD9, 0xE3, 0x5C, 0x8C, 0x19, 0xAA, 0xC7, 0x34,
20573     0x22, 0x33, 0x7A, 0x37, 0x34, 0x53, 0x60, 0x7E
20574 };
20575 
20576 static const SshKdfTestVector sshKdfTestVectors[] = {
20577     {WC_HASH_TYPE_SHA256, 'A',
20578         sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
20579         sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
20580         sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
20581         sshKdfTvSet3a, sizeof(sshKdfTvSet3a)},
20582     {WC_HASH_TYPE_SHA256, 'B',
20583         sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
20584         sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
20585         sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
20586         sshKdfTvSet3b, sizeof(sshKdfTvSet3b)},
20587     {WC_HASH_TYPE_SHA256, 'C',
20588         sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
20589         sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
20590         sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
20591         sshKdfTvSet3c, sizeof(sshKdfTvSet3c)},
20592     {WC_HASH_TYPE_SHA256, 'D',
20593         sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
20594         sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
20595         sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
20596         sshKdfTvSet3d, sizeof(sshKdfTvSet3d)},
20597     {WC_HASH_TYPE_SHA256, 'E',
20598         sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
20599         sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
20600         sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
20601         sshKdfTvSet3e, sizeof(sshKdfTvSet3e)},
20602     {WC_HASH_TYPE_SHA256, 'F',
20603         sshKdfTvSet3k, sizeof(sshKdfTvSet3k),
20604         sshKdfTvSet3h, sizeof(sshKdfTvSet3h),
20605         sshKdfTvSet3sid, sizeof(sshKdfTvSet3sid),
20606         sshKdfTvSet3f, sizeof(sshKdfTvSet3f)},
20607 };
20608 
20609 
20610 int sshkdf_test(void)
20611 {
20612     int result = 0;
20613     word32 i;
20614     word32 tc = sizeof(sshKdfTestVectors)/sizeof(SshKdfTestVector);
20615     const SshKdfTestVector* tv = NULL;
20616     byte cKey[32]; /* Greater of SHA256_DIGEST_SIZE and AES_BLOCK_SIZE */
20617     /* sId - Session ID, eKey - Expected Key, cKey - Calculated Key */
20618 
20619     for (i = 0, tv = sshKdfTestVectors; i < tc; i++, tv++) {
20620         result = wc_SSH_KDF(tv->hashId, tv->keyId,
20621                 cKey, tv->expectedKeySz,
20622                 tv->k, tv->kSz, tv->h, tv->hSz,
20623                 tv->sessionId, tv->sessionIdSz);
20624 
20625         if (result != 0) {
20626             printf("KDF: Could not derive key.\n");
20627             result = -101;
20628         }
20629         else {
20630             if (memcmp(cKey, tv->expectedKey, tv->expectedKeySz) != 0) {
20631                 printf("KDF: Calculated Key does not match Expected Key.\n");
20632                 result = -102;
20633             }
20634         }
20635 
20636         if (result != 0) break;
20637     }
20638 
20639     return result;
20640 }
20641 
20642 #endif /* WOLFSSL_WOLFSSH */
20643 
20644 
20645 #if defined(HAVE_ECC) && defined(HAVE_X963_KDF)
20646 
20647 WOLFSSL_TEST_SUBROUTINE int x963kdf_test(void)
20648 {
20649     int ret;
20650     byte kek[128];
20651 
20652 #ifndef NO_SHA
20653     /* SHA-1, COUNT = 0
20654      * shared secret length: 192
20655      * SharedInfo length: 0
20656      * key data length: 128
20657      */
20658     WOLFSSL_SMALL_STACK_STATIC const byte Z[] = {
20659         0x1c, 0x7d, 0x7b, 0x5f, 0x05, 0x97, 0xb0, 0x3d,
20660         0x06, 0xa0, 0x18, 0x46, 0x6e, 0xd1, 0xa9, 0x3e,
20661         0x30, 0xed, 0x4b, 0x04, 0xdc, 0x64, 0xcc, 0xdd
20662     };
20663 
20664     WOLFSSL_SMALL_STACK_STATIC const byte verify[] = {
20665         0xbf, 0x71, 0xdf, 0xfd, 0x8f, 0x4d, 0x99, 0x22,
20666         0x39, 0x36, 0xbe, 0xb4, 0x6f, 0xee, 0x8c, 0xcc
20667     };
20668 #endif
20669 
20670 #ifndef NO_SHA256
20671     /* SHA-256, COUNT = 3
20672      * shared secret length: 192
20673      * SharedInfo length: 0
20674      * key data length: 128
20675      */
20676     WOLFSSL_SMALL_STACK_STATIC const byte Z2[] = {
20677         0xd3, 0x8b, 0xdb, 0xe5, 0xc4, 0xfc, 0x16, 0x4c,
20678         0xdd, 0x96, 0x7f, 0x63, 0xc0, 0x4f, 0xe0, 0x7b,
20679         0x60, 0xcd, 0xe8, 0x81, 0xc2, 0x46, 0x43, 0x8c
20680     };
20681 
20682     WOLFSSL_SMALL_STACK_STATIC const byte verify2[] = {
20683         0x5e, 0x67, 0x4d, 0xb9, 0x71, 0xba, 0xc2, 0x0a,
20684         0x80, 0xba, 0xd0, 0xd4, 0x51, 0x4d, 0xc4, 0x84
20685     };
20686 #endif
20687 
20688 #ifdef WOLFSSL_SHA512
20689     /* SHA-512, COUNT = 0
20690      * shared secret length: 192
20691      * SharedInfo length: 0
20692      * key data length: 128
20693      */
20694     WOLFSSL_SMALL_STACK_STATIC const byte Z3[] = {
20695         0x87, 0xfc, 0x0d, 0x8c, 0x44, 0x77, 0x48, 0x5b,
20696         0xb5, 0x74, 0xf5, 0xfc, 0xea, 0x26, 0x4b, 0x30,
20697         0x88, 0x5d, 0xc8, 0xd9, 0x0a, 0xd8, 0x27, 0x82
20698     };
20699 
20700     WOLFSSL_SMALL_STACK_STATIC const byte verify3[] = {
20701         0x94, 0x76, 0x65, 0xfb, 0xb9, 0x15, 0x21, 0x53,
20702         0xef, 0x46, 0x02, 0x38, 0x50, 0x6a, 0x02, 0x45
20703     };
20704 
20705     /* SHA-512, COUNT = 0
20706      * shared secret length: 521
20707      * SharedInfo length: 128
20708      * key data length: 1024
20709      */
20710     WOLFSSL_SMALL_STACK_STATIC const byte Z4[] = {
20711         0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89,
20712         0xfa, 0x58, 0xce, 0xad, 0xc0, 0x47, 0x19, 0x7f,
20713         0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
20714         0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8,
20715         0x15, 0x07, 0x39, 0x2f, 0x1a, 0x86, 0xdd, 0xfd,
20716         0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
20717         0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47,
20718         0x47, 0xa9, 0xe2, 0xe7, 0x53, 0xf5, 0x5e, 0xf0,
20719         0x5a, 0x2d
20720     };
20721 
20722     WOLFSSL_SMALL_STACK_STATIC const byte info4[] = {
20723         0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d,
20724         0x2b, 0x3a, 0x2f, 0x99, 0x37, 0x89, 0x5d, 0x31
20725     };
20726 
20727     WOLFSSL_SMALL_STACK_STATIC const byte verify4[] = {
20728         0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76,
20729         0x9b, 0x52, 0x26, 0x4b, 0x01, 0x12, 0xb5, 0x85,
20730         0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
20731         0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d,
20732         0x6e, 0x4d, 0xd2, 0xa5, 0x99, 0xac, 0xce, 0xb3,
20733         0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
20734         0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50,
20735         0xa5, 0xa8, 0xee, 0xee, 0x20, 0x80, 0x02, 0x26,
20736         0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
20737         0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d,
20738         0xea, 0x9c, 0x4f, 0xf7, 0x45, 0xa2, 0x5a, 0xc2,
20739         0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
20740         0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc,
20741         0x0a, 0xb2, 0xaa, 0x8e, 0x2e, 0xfa, 0x7b, 0x17,
20742         0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
20743         0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
20744     };
20745 #endif
20746 
20747 #ifndef NO_SHA
20748     ret = wc_X963_KDF(WC_HASH_TYPE_SHA, Z, sizeof(Z), NULL, 0,
20749                       kek, sizeof(verify));
20750     if (ret != 0)
20751         return -9800;
20752 
20753     if (XMEMCMP(verify, kek, sizeof(verify)) != 0)
20754         return -9801;
20755 #endif
20756 
20757 #ifndef NO_SHA256
20758     ret = wc_X963_KDF(WC_HASH_TYPE_SHA256, Z2, sizeof(Z2), NULL, 0,
20759                       kek, sizeof(verify2));
20760     if (ret != 0)
20761         return -9802;
20762 
20763     if (XMEMCMP(verify2, kek, sizeof(verify2)) != 0)
20764         return -9803;
20765 #endif
20766 
20767 #ifdef WOLFSSL_SHA512
20768     ret = wc_X963_KDF(WC_HASH_TYPE_SHA512, Z3, sizeof(Z3), NULL, 0,
20769                       kek, sizeof(verify3));
20770     if (ret != 0)
20771         return -9804;
20772 
20773     if (XMEMCMP(verify3, kek, sizeof(verify3)) != 0)
20774         return -9805;
20775 
20776     ret = wc_X963_KDF(WC_HASH_TYPE_SHA512, Z4, sizeof(Z4), info4,
20777                       sizeof(info4), kek, sizeof(verify4));
20778     if (ret != 0)
20779         return -9806;
20780 
20781     if (XMEMCMP(verify4, kek, sizeof(verify4)) != 0)
20782         return -9807;
20783 #endif
20784 
20785     return 0;
20786 }
20787 
20788 #endif /* HAVE_X963_KDF */
20789 
20790 
20791 #ifdef HAVE_ECC
20792 
20793 /* size to use for ECC key gen tests */
20794 #ifndef ECC_KEYGEN_SIZE
20795     #ifndef NO_ECC256
20796         #define ECC_KEYGEN_SIZE 32
20797     #elif defined(HAVE_ECC384)
20798         #define ECC_KEYGEN_SIZE 48
20799     #elif defined(HAVE_ECC224)
20800         #define ECC_KEYGEN_SIZE 28
20801     #elif defined(HAVE_ECC521)
20802         #define ECC_KEYGEN_SIZE 66
20803     #else
20804         #error No ECC keygen size defined for test
20805     #endif
20806 #endif
20807 #ifdef BENCH_EMBEDDED
20808     #define ECC_SHARED_SIZE 128
20809 #else
20810     #define ECC_SHARED_SIZE MAX_ECC_BYTES
20811 #endif
20812 #define ECC_DIGEST_SIZE     MAX_ECC_BYTES
20813 #define ECC_SIG_SIZE        ECC_MAX_SIG_SIZE
20814 
20815 #ifndef NO_ECC_VECTOR_TEST
20816     #if (defined(HAVE_ECC192) || defined(HAVE_ECC224) ||\
20817          !defined(NO_ECC256) || defined(HAVE_ECC384) ||\
20818          defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES))
20819         #define HAVE_ECC_VECTOR_TEST
20820     #endif
20821 #endif
20822 
20823 #ifdef HAVE_ECC_VECTOR_TEST
20824 typedef struct eccVector {
20825     const char* msg; /* SHA-1 Encoded Message */
20826     const char* Qx;
20827     const char* Qy;
20828     const char* d; /* Private Key */
20829     const char* R;
20830     const char* S;
20831     const char* curveName;
20832     word32 msgLen;
20833     word32 keySize;
20834 #ifndef NO_ASN
20835     const byte* r;
20836     word32      rSz;
20837     const byte* s;
20838     word32      sSz;
20839 #endif
20840 } eccVector;
20841 
20842 static int ecc_test_vector_item(const eccVector* vector)
20843 {
20844     int ret = 0, verify = 0;
20845     word32  sigSz;
20846 #ifdef WOLFSSL_SMALL_STACK
20847     ecc_key *userA = (ecc_key *)XMALLOC(sizeof *userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
20848 #else
20849     ecc_key userA[1];
20850 #endif
20851     WC_DECLARE_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
20852 #if !defined(NO_ASN) && !defined(HAVE_SELFTEST)
20853     word32  sigRawSz, rSz = MAX_ECC_BYTES, sSz = MAX_ECC_BYTES;
20854     WC_DECLARE_VAR(sigRaw, byte, ECC_SIG_SIZE, HEAP_HINT);
20855     WC_DECLARE_VAR(r, byte, MAX_ECC_BYTES, HEAP_HINT);
20856     WC_DECLARE_VAR(s, byte, MAX_ECC_BYTES, HEAP_HINT);
20857 #endif
20858 
20859 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
20860     if (sig == NULL)
20861         ERROR_OUT(MEMORY_E, done);
20862 #if !defined(NO_ASN) && !defined(HAVE_SELFTEST)
20863     if (sigRaw == NULL || r == NULL || s == NULL)
20864         ERROR_OUT(MEMORY_E, done);
20865 #endif
20866 #endif
20867 
20868 #ifdef WOLFSSL_SMALL_STACK
20869     if (userA == NULL)
20870         ERROR_OUT(MEMORY_E, done);
20871 #endif
20872 
20873     ret = wc_ecc_init_ex(userA, HEAP_HINT, devId);
20874     if (ret != 0)
20875         goto done;
20876 
20877     ret = wc_ecc_import_raw(userA, vector->Qx, vector->Qy,
20878                                                   vector->d, vector->curveName);
20879     if (ret != 0)
20880         goto done;
20881 
20882     XMEMSET(sig, 0, ECC_SIG_SIZE);
20883     sigSz = ECC_SIG_SIZE;
20884     ret = wc_ecc_rs_to_sig(vector->R, vector->S, sig, &sigSz);
20885     if (ret != 0)
20886         goto done;
20887 
20888 #if !defined(NO_ASN) && !defined(HAVE_SELFTEST)
20889     XMEMSET(sigRaw, 0, ECC_SIG_SIZE);
20890     sigRawSz = ECC_SIG_SIZE;
20891     ret = wc_ecc_rs_raw_to_sig(vector->r, vector->rSz, vector->s, vector->sSz,
20892                                                              sigRaw, &sigRawSz);
20893     if (ret != 0)
20894         goto done;
20895     if (sigSz != sigRawSz || XMEMCMP(sig, sigRaw, sigSz) != 0) {
20896         ret = -9810;
20897         goto done;
20898     }
20899 
20900     ret = wc_ecc_sig_to_rs(sig, sigSz, r, &rSz, s, &sSz);
20901     if (ret != 0)
20902         goto done;
20903     if (rSz != vector->rSz || XMEMCMP(r, vector->r, rSz) != 0 ||
20904         sSz != vector->sSz || XMEMCMP(s, vector->s, sSz) != 0) {
20905         ret = -9811;
20906         goto done;
20907     }
20908 #endif
20909 
20910     do {
20911     #if defined(WOLFSSL_ASYNC_CRYPT)
20912         ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
20913     #endif
20914         if (ret == 0)
20915             ret = wc_ecc_verify_hash(sig, sigSz, (byte*)vector->msg,
20916                                                vector->msgLen, &verify, userA);
20917     } while (ret == WC_PENDING_E);
20918     if (ret != 0)
20919         goto done;
20920     TEST_SLEEP();
20921 
20922     if (verify != 1)
20923         ret = -9812;
20924 
20925 done:
20926 
20927 #ifdef WOLFSSL_SMALL_STACK
20928     if (userA != NULL) {
20929         wc_ecc_free(userA);
20930         XFREE(userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
20931     }
20932 #else
20933     wc_ecc_free(userA);
20934 #endif
20935 
20936 #if !defined(NO_ASN) && !defined(HAVE_SELFTEST)
20937     WC_FREE_VAR(sigRaw, HEAP_HINT);
20938     WC_FREE_VAR(r, HEAP_HINT);
20939     WC_FREE_VAR(s, HEAP_HINT);
20940 #endif
20941     WC_FREE_VAR(sig, HEAP_HINT);
20942 
20943     return ret;
20944 }
20945 
20946 static int ecc_test_vector(int keySize)
20947 {
20948     int     ret;
20949     eccVector vec;
20950 
20951     XMEMSET(&vec, 0, sizeof(vec));
20952     vec.keySize = (word32)keySize;
20953 
20954     switch(keySize) {
20955 
20956 #if defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)
20957     case 14:
20958         return 0;
20959 #endif /* HAVE_ECC112 */
20960 #if defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)
20961     case 16:
20962         return 0;
20963 #endif /* HAVE_ECC128 */
20964 #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
20965     case 20:
20966         return 0;
20967 #endif /* HAVE_ECC160 */
20968 
20969 #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
20970     case 24:
20971         /* first [P-192,SHA-1] vector from FIPS 186-3 NIST vectors */
20972         #if 1
20973             vec.msg = "\x60\x80\x79\x42\x3f\x12\x42\x1d\xe6\x16\xb7\x49\x3e\xbe\x55\x1c\xf4\xd6\x5b\x92";
20974             vec.msgLen = 20;
20975         #else
20976             /* This is the raw message prior to SHA-1 */
20977             vec.msg =
20978                 "\xeb\xf7\x48\xd7\x48\xeb\xbc\xa7\xd2\x9f\xb4\x73\x69\x8a\x6e\x6b"
20979                 "\x4f\xb1\x0c\x86\x5d\x4a\xf0\x24\xcc\x39\xae\x3d\xf3\x46\x4b\xa4"
20980                 "\xf1\xd6\xd4\x0f\x32\xbf\x96\x18\xa9\x1b\xb5\x98\x6f\xa1\xa2\xaf"
20981                 "\x04\x8a\x0e\x14\xdc\x51\xe5\x26\x7e\xb0\x5e\x12\x7d\x68\x9d\x0a"
20982                 "\xc6\xf1\xa7\xf1\x56\xce\x06\x63\x16\xb9\x71\xcc\x7a\x11\xd0\xfd"
20983                 "\x7a\x20\x93\xe2\x7c\xf2\xd0\x87\x27\xa4\xe6\x74\x8c\xc3\x2f\xd5"
20984                 "\x9c\x78\x10\xc5\xb9\x01\x9d\xf2\x1c\xdc\xc0\xbc\xa4\x32\xc0\xa3"
20985                 "\xee\xd0\x78\x53\x87\x50\x88\x77\x11\x43\x59\xce\xe4\xa0\x71\xcf";
20986             vec.msgLen = 128;
20987         #endif
20988         vec.Qx  = "07008ea40b08dbe76432096e80a2494c94982d2d5bcf98e6";
20989         vec.Qy  = "76fab681d00b414ea636ba215de26d98c41bd7f2e4d65477";
20990         vec.d   = "e14f37b3d1374ff8b03f41b9b3fdd2f0ebccf275d660d7f3";
20991         vec.R   = "6994d962bdd0d793ffddf855ec5bf2f91a9698b46258a63e";
20992         vec.S   = "02ba6465a234903744ab02bc8521405b73cf5fc00e1a9f41";
20993         vec.curveName = "SECP192R1";
20994     #ifndef NO_ASN
20995         vec.r   = (byte*)"\x69\x94\xd9\x62\xbd\xd0\xd7\x93\xff\xdd\xf8\x55"
20996                          "\xec\x5b\xf2\xf9\x1a\x96\x98\xb4\x62\x58\xa6\x3e";
20997         vec.rSz = 24;
20998         vec.s   = (byte*)"\x02\xba\x64\x65\xa2\x34\x90\x37\x44\xab\x02\xbc"
20999                          "\x85\x21\x40\x5b\x73\xcf\x5f\xc0\x0e\x1a\x9f\x41";
21000         vec.sSz = 24;
21001     #endif
21002         break;
21003 #endif /* HAVE_ECC192 */
21004 
21005 #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
21006     case 28:
21007         /* first [P-224,SHA-1] vector from FIPS 186-3 NIST vectors */
21008         #if 1
21009             vec.msg = "\xb9\xa3\xb8\x6d\xb0\xba\x99\xfd\xc6\xd2\x94\x6b\xfe\xbe\x9c\xe8\x3f\x10\x74\xfc";
21010             vec.msgLen = 20;
21011         #else
21012             /* This is the raw message prior to SHA-1 */
21013             vec.msg =
21014                 "\x36\xc8\xb2\x29\x86\x48\x7f\x67\x7c\x18\xd0\x97\x2a\x9e\x20\x47"
21015                 "\xb3\xaf\xa5\x9e\xc1\x62\x76\x4e\xc3\x0b\x5b\x69\xe0\x63\x0f\x99"
21016                 "\x0d\x4e\x05\xc2\x73\xb0\xe5\xa9\xd4\x28\x27\xb6\x95\xfc\x2d\x64"
21017                 "\xd9\x13\x8b\x1c\xf4\xc1\x21\x55\x89\x4c\x42\x13\x21\xa7\xbb\x97"
21018                 "\x0b\xdc\xe0\xfb\xf0\xd2\xae\x85\x61\xaa\xd8\x71\x7f\x2e\x46\xdf"
21019                 "\xe3\xff\x8d\xea\xb4\xd7\x93\x23\x56\x03\x2c\x15\x13\x0d\x59\x9e"
21020                 "\x26\xc1\x0f\x2f\xec\x96\x30\x31\xac\x69\x38\xa1\x8d\x66\x45\x38"
21021                 "\xb9\x4d\xac\x55\x34\xef\x7b\x59\x94\x24\xd6\x9b\xe1\xf7\x1c\x20";
21022             vec.msgLen = 128;
21023         #endif
21024         vec.Qx  = "8a4dca35136c4b70e588e23554637ae251077d1365a6ba5db9585de7";
21025         vec.Qy  = "ad3dee06de0be8279d4af435d7245f14f3b4f82eb578e519ee0057b1";
21026         vec.d   = "97c4b796e1639dd1035b708fc00dc7ba1682cec44a1002a1a820619f";
21027         vec.R   = "147b33758321e722a0360a4719738af848449e2c1d08defebc1671a7";
21028         vec.S   = "24fc7ed7f1352ca3872aa0916191289e2e04d454935d50fe6af3ad5b";
21029         vec.curveName = "SECP224R1";
21030     #ifndef NO_ASN
21031         vec.r   = (byte*)"\x14\x7b\x33\x75\x83\x21\xe7\x22\xa0\x36\x0a\x47"
21032                          "\x19\x73\x8a\xf8\x48\x44\x9e\x2c\x1d\x08\xde\xfe"
21033                          "\xbc\x16\x71\xa7";
21034         vec.rSz = 28;
21035         vec.s   = (byte*)"\x24\xfc\x7e\xd7\xf1\x35\x2c\xa3\x87\x2a\xa0\x91"
21036                          "\x61\x91\x28\x9e\x2e\x04\xd4\x54\x93\x5d\x50\xfe"
21037                          "\x6a\xf3\xad\x5b";
21038         vec.sSz = 28;
21039     #endif
21040         break;
21041 #endif /* HAVE_ECC224 */
21042 
21043 #if defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)
21044     case 30:
21045         return 0;
21046 #endif /* HAVE_ECC239 */
21047 
21048 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
21049     case 32:
21050         /* first [P-256,SHA-1] vector from FIPS 186-3 NIST vectors */
21051         #if 1
21052             vec.msg = "\xa3\xf9\x1a\xe2\x1b\xa6\xb3\x03\x98\x64\x47\x2f\x18\x41\x44\xc6\xaf\x62\xcd\x0e";
21053             vec.msgLen = 20;
21054         #else
21055             /* This is the raw message prior to SHA-1 */
21056             vec.msg =
21057                 "\xa2\x4b\x21\x76\x2e\x6e\xdb\x15\x3c\xc1\x14\x38\xdb\x0e\x92\xcd"
21058                 "\xf5\x2b\x86\xb0\x6c\xa9\x70\x16\x06\x27\x59\xc7\x0d\x36\xd1\x56"
21059                 "\x2c\xc9\x63\x0d\x7f\xc7\xc7\x74\xb2\x8b\x54\xe3\x1e\xf5\x58\x72"
21060                 "\xb2\xa6\x5d\xf1\xd7\xec\x26\xde\xbb\x33\xe7\xd9\x27\xef\xcc\xf4"
21061                 "\x6b\x63\xde\x52\xa4\xf4\x31\xea\xca\x59\xb0\x5d\x2e\xde\xc4\x84"
21062                 "\x5f\xff\xc0\xee\x15\x03\x94\xd6\x1f\x3d\xfe\xcb\xcd\xbf\x6f\x5a"
21063                 "\x73\x38\xd0\xbe\x3f\x2a\x77\x34\x51\x98\x3e\xba\xeb\x48\xf6\x73"
21064                 "\x8f\xc8\x95\xdf\x35\x7e\x1a\x48\xa6\x53\xbb\x35\x5a\x31\xa1\xb4"
21065             vec.msgLen = 128;
21066         #endif
21067         vec.Qx  = "fa2737fb93488d19caef11ae7faf6b7f4bcd67b286e3fc54e8a65c2b74aeccb0";
21068         vec.Qy  = "d4ccd6dae698208aa8c3a6f39e45510d03be09b2f124bfc067856c324f9b4d09";
21069         vec.d   = "be34baa8d040a3b991f9075b56ba292f755b90e4b6dc10dad36715c33cfdac25";
21070         vec.R   = "2b826f5d44e2d0b6de531ad96b51e8f0c56fdfead3c236892e4d84eacfc3b75c";
21071         vec.S   = "a2248b62c03db35a7cd63e8a120a3521a89d3d2f61ff99035a2148ae32e3a248";
21072     #ifndef NO_ASN
21073         vec.r   = (byte*)"\x2b\x82\x6f\x5d\x44\xe2\xd0\xb6\xde\x53\x1a\xd9"
21074                          "\x6b\x51\xe8\xf0\xc5\x6f\xdf\xea\xd3\xc2\x36\x89"
21075                          "\x2e\x4d\x84\xea\xcf\xc3\xb7\x5c";
21076         vec.rSz = 32;
21077         vec.s   = (byte*)"\xa2\x24\x8b\x62\xc0\x3d\xb3\x5a\x7c\xd6\x3e\x8a"
21078                          "\x12\x0a\x35\x21\xa8\x9d\x3d\x2f\x61\xff\x99\x03"
21079                          "\x5a\x21\x48\xae\x32\xe3\xa2\x48";
21080         vec.sSz = 32;
21081     #endif
21082         vec.curveName = "SECP256R1";
21083         break;
21084 #endif /* !NO_ECC256 */
21085 
21086 #if defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)
21087     case 40:
21088         return 0;
21089 #endif /* HAVE_ECC320 */
21090 
21091 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
21092     case 48:
21093         /* first [P-384,SHA-1] vector from FIPS 186-3 NIST vectors */
21094         #if 1
21095             vec.msg = "\x9b\x9f\x8c\x95\x35\xa5\xca\x26\x60\x5d\xb7\xf2\xfa\x57\x3b\xdf\xc3\x2e\xab\x8b";
21096             vec.msgLen = 20;
21097         #else
21098             /* This is the raw message prior to SHA-1 */
21099             vec.msg =
21100                 "\xab\xe1\x0a\xce\x13\xe7\xe1\xd9\x18\x6c\x48\xf7\x88\x9d\x51\x47"
21101                 "\x3d\x3a\x09\x61\x98\x4b\xc8\x72\xdf\x70\x8e\xcc\x3e\xd3\xb8\x16"
21102                 "\x9d\x01\xe3\xd9\x6f\xc4\xf1\xd5\xea\x00\xa0\x36\x92\xbc\xc5\xcf"
21103                 "\xfd\x53\x78\x7c\x88\xb9\x34\xaf\x40\x4c\x03\x9d\x32\x89\xb5\xba"
21104                 "\xc5\xae\x7d\xb1\x49\x68\x75\xb5\xdc\x73\xc3\x09\xf9\x25\xc1\x3d"
21105                 "\x1c\x01\xab\xda\xaf\xeb\xcd\xac\x2c\xee\x43\x39\x39\xce\x8d\x4a"
21106                 "\x0a\x5d\x57\xbb\x70\x5f\x3b\xf6\xec\x08\x47\x95\x11\xd4\xb4\xa3"
21107                 "\x21\x1f\x61\x64\x9a\xd6\x27\x43\x14\xbf\x0d\x43\x8a\x81\xe0\x60"
21108             vec.msgLen = 128;
21109         #endif
21110         vec.Qx  = "e55fee6c49d8d523f5ce7bf9c0425ce4ff650708b7de5cfb095901523979a7f042602db30854735369813b5c3f5ef868";
21111         vec.Qy  = "28f59cc5dc509892a988d38a8e2519de3d0c4fd0fbdb0993e38f18506c17606c5e24249246f1ce94983a5361c5be983e";
21112         vec.d   = "a492ce8fa90084c227e1a32f7974d39e9ff67a7e8705ec3419b35fb607582bebd461e0b1520ac76ec2dd4e9b63ebae71";
21113         vec.R   = "6820b8585204648aed63bdff47f6d9acebdea62944774a7d14f0e14aa0b9a5b99545b2daee6b3c74ebf606667a3f39b7";
21114         vec.S   = "491af1d0cccd56ddd520b233775d0bc6b40a6255cc55207d8e9356741f23c96c14714221078dbd5c17f4fdd89b32a907";
21115         vec.curveName = "SECP384R1";
21116     #ifndef NO_ASN
21117         vec.r   = (byte*)"\x68\x20\xb8\x58\x52\x04\x64\x8a\xed\x63\xbd\xff"
21118                          "\x47\xf6\xd9\xac\xeb\xde\xa6\x29\x44\x77\x4a\x7d"
21119                          "\x14\xf0\xe1\x4a\xa0\xb9\xa5\xb9\x95\x45\xb2\xda"
21120                          "\xee\x6b\x3c\x74\xeb\xf6\x06\x66\x7a\x3f\x39\xb7";
21121         vec.rSz = 48;
21122         vec.s   = (byte*)"\x49\x1a\xf1\xd0\xcc\xcd\x56\xdd\xd5\x20\xb2\x33"
21123                          "\x77\x5d\x0b\xc6\xb4\x0a\x62\x55\xcc\x55\x20\x7d"
21124                          "\x8e\x93\x56\x74\x1f\x23\xc9\x6c\x14\x71\x42\x21"
21125                          "\x07\x8d\xbd\x5c\x17\xf4\xfd\xd8\x9b\x32\xa9\x07";
21126         vec.sSz = 48;
21127     #endif
21128         break;
21129 #endif /* HAVE_ECC384 */
21130 
21131 #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
21132     case 64:
21133         return 0;
21134 #endif /* HAVE_ECC512 */
21135 
21136 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
21137     case 66:
21138         /* first [P-521,SHA-1] vector from FIPS 186-3 NIST vectors */
21139         #if 1
21140             vec.msg = "\x1b\xf7\x03\x9c\xca\x23\x94\x27\x3f\x11\xa1\xd4\x8d\xcc\xb4\x46\x6f\x31\x61\xdf";
21141             vec.msgLen = 20;
21142         #else
21143             /* This is the raw message prior to SHA-1 */
21144             vec.msg =
21145                 "\x50\x3f\x79\x39\x34\x0a\xc7\x23\xcd\x4a\x2f\x4e\x6c\xcc\x27\x33"
21146                 "\x38\x3a\xca\x2f\xba\x90\x02\x19\x9d\x9e\x1f\x94\x8b\xe0\x41\x21"
21147                 "\x07\xa3\xfd\xd5\x14\xd9\x0c\xd4\xf3\x7c\xc3\xac\x62\xef\x00\x3a"
21148                 "\x2d\xb1\xd9\x65\x7a\xb7\x7f\xe7\x55\xbf\x71\xfa\x59\xe4\xd9\x6e"
21149                 "\xa7\x2a\xe7\xbf\x9d\xe8\x7d\x79\x34\x3b\xc1\xa4\xbb\x14\x4d\x16"
21150                 "\x28\xd1\xe9\xe9\xc8\xed\x80\x8b\x96\x2c\x54\xe5\xf9\x6d\x53\xda"
21151                 "\x14\x7a\x96\x38\xf9\x4a\x91\x75\xd8\xed\x61\x05\x5f\x0b\xa5\x73"
21152                 "\xa8\x2b\xb7\xe0\x18\xee\xda\xc4\xea\x7b\x36\x2e\xc8\x9c\x38\x2b"
21153             vec.msgLen = 128;
21154         #endif
21155         vec.Qx  = "12fbcaeffa6a51f3ee4d3d2b51c5dec6d7c726ca353fc014ea2bf7cfbb9b910d32cbfa6a00fe39b6cdb8946f22775398b2e233c0cf144d78c8a7742b5c7a3bb5d23";
21156         vec.Qy  = "09cdef823dd7bf9a79e8cceacd2e4527c231d0ae5967af0958e931d7ddccf2805a3e618dc3039fec9febbd33052fe4c0fee98f033106064982d88f4e03549d4a64d";
21157         vec.d   = "1bd56bd106118eda246155bd43b42b8e13f0a6e25dd3bb376026fab4dc92b6157bc6dfec2d15dd3d0cf2a39aa68494042af48ba9601118da82c6f2108a3a203ad74";
21158         vec.R   = "0bd117b4807710898f9dd7778056485777668f0e78e6ddf5b000356121eb7a220e9493c7f9a57c077947f89ac45d5acb6661bbcd17abb3faea149ba0aa3bb1521be";
21159         vec.S   = "019cd2c5c3f9870ecdeb9b323abdf3a98cd5e231d85c6ddc5b71ab190739f7f226e6b134ba1d5889ddeb2751dabd97911dff90c34684cdbe7bb669b6c3d22f2480c";
21160         vec.curveName = "SECP521R1";
21161     #ifndef NO_ASN
21162         vec.r   = (byte*)"\xbd\x11\x7b\x48\x07\x71\x08\x98\xf9\xdd\x77\x78"
21163                          "\x05\x64\x85\x77\x76\x68\xf0\xe7\x8e\x6d\xdf\x5b"
21164                          "\x00\x03\x56\x12\x1e\xb7\xa2\x20\xe9\x49\x3c\x7f"
21165                          "\x9a\x57\xc0\x77\x94\x7f\x89\xac\x45\xd5\xac\xb6"
21166                          "\x66\x1b\xbc\xd1\x7a\xbb\x3f\xae\xa1\x49\xba\x0a"
21167                          "\xa3\xbb\x15\x21\xbe";
21168         vec.rSz = 65;
21169         vec.s   = (byte*)"\x19\xcd\x2c\x5c\x3f\x98\x70\xec\xde\xb9\xb3\x23"
21170                          "\xab\xdf\x3a\x98\xcd\x5e\x23\x1d\x85\xc6\xdd\xc5"
21171                          "\xb7\x1a\xb1\x90\x73\x9f\x7f\x22\x6e\x6b\x13\x4b"
21172                          "\xa1\xd5\x88\x9d\xde\xb2\x75\x1d\xab\xd9\x79\x11"
21173                          "\xdf\xf9\x0c\x34\x68\x4c\xdb\xe7\xbb\x66\x9b\x6c"
21174                          "\x3d\x22\xf2\x48\x0c";
21175         vec.sSz = 65;
21176     #endif
21177         break;
21178 #endif /* HAVE_ECC521 */
21179     default:
21180         return NOT_COMPILED_IN; /* Invalid key size / Not supported */
21181     }; /* Switch */
21182 
21183     ret = ecc_test_vector_item(&vec);
21184     if (ret < 0) {
21185         return ret;
21186     }
21187 
21188     return 0;
21189 }
21190 
21191 #if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_DETERMINISTIC_K)
21192 static int ecc_test_deterministic_k(WC_RNG* rng)
21193 {
21194     int ret;
21195     ecc_key key;
21196     byte sig[72];
21197     word32 sigSz;
21198     unsigned char msg[] = "sample";
21199     unsigned char hash[32];
21200     const char* dIUT =
21201         "C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721";
21202     const char* QIUTx =
21203         "60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6";
21204     const char* QIUTy =
21205         "7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299";
21206     const byte expSig[] = {
21207         0x30, 0x46, 0x02, 0x21, 0x00, 0xEF, 0xD4, 0x8B,
21208         0x2A, 0xAC, 0xB6, 0xA8, 0xFD, 0x11, 0x40, 0xDD,
21209         0x9C, 0xD4, 0x5E, 0x81, 0xD6, 0x9D, 0x2C, 0x87,
21210         0x7B, 0x56, 0xAA, 0xF9, 0x91, 0xC3, 0x4D, 0x0E,
21211         0xA8, 0x4E, 0xAF, 0x37, 0x16, 0x02, 0x21, 0x00,
21212         0xF7, 0xCB, 0x1C, 0x94, 0x2D, 0x65, 0x7C, 0x41,
21213         0xD4, 0x36, 0xC7, 0xA1, 0xB6, 0xE2, 0x9F, 0x65,
21214         0xF3, 0xE9, 0x00, 0xDB, 0xB9, 0xAF, 0xF4, 0x06,
21215         0x4D, 0xC4, 0xAB, 0x2F, 0x84, 0x3A, 0xCD, 0xA8
21216     };
21217 
21218     ret = wc_ecc_init_ex(&key, HEAP_HINT, devId);
21219     if (ret != 0) {
21220         return ret;
21221     }
21222     ret = wc_ecc_import_raw(&key, QIUTx, QIUTy, dIUT, "SECP256R1");
21223     if (ret != 0) {
21224         goto done;
21225     }
21226 
21227     ret = wc_Hash(WC_HASH_TYPE_SHA256, msg,
21228             (word32)XSTRLEN((const char*)msg), hash, sizeof(hash));
21229     if (ret != 0) {
21230         goto done;
21231     }
21232 
21233     ret = wc_ecc_set_deterministic(&key, 1);
21234     if (ret != 0) {
21235         goto done;
21236     }
21237 
21238     sigSz = sizeof(sig);
21239     do {
21240     #if defined(WOLFSSL_ASYNC_CRYPT)
21241         ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
21242     #endif
21243         if (ret == 0)
21244             ret = wc_ecc_sign_hash(hash, sizeof(hash), sig, &sigSz, rng, &key);
21245     } while (ret == WC_PENDING_E);
21246     if (ret != 0) {
21247         goto done;
21248     }
21249     TEST_SLEEP();
21250 
21251     if (sigSz != sizeof(expSig)) {
21252         ret = -9830;
21253         goto done;
21254     }
21255     if (XMEMCMP(sig, expSig, sigSz) != 0) {
21256         ret = -9831;
21257         goto done;
21258     }
21259 
21260     sigSz = sizeof(sig);
21261     do {
21262     #if defined(WOLFSSL_ASYNC_CRYPT)
21263         ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
21264     #endif
21265         if (ret == 0)
21266             ret = wc_ecc_sign_hash(hash, sizeof(hash), sig, &sigSz, rng, &key);
21267     } while (ret == WC_PENDING_E);
21268     if (ret != 0) {
21269         goto done;
21270     }
21271     TEST_SLEEP();
21272 
21273 done:
21274     wc_ecc_free(&key);
21275     return ret;
21276 }
21277 #endif
21278 
21279 
21280 #if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_SET_K)
21281 static int ecc_test_sign_vectors(WC_RNG* rng)
21282 {
21283     int ret;
21284 #ifdef WOLFSSL_SMALL_STACK
21285     ecc_key *key = NULL;
21286 #else
21287     ecc_key key[1];
21288 #endif
21289     int key_inited = 0;
21290     byte sig[72];
21291     word32 sigSz;
21292     WOLFSSL_SMALL_STACK_STATIC const unsigned char hash[32] = "test wolfSSL deterministic sign";
21293     WOLFSSL_SMALL_STACK_STATIC const char* dIUT =   "7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534";
21294     WOLFSSL_SMALL_STACK_STATIC const char* QIUTx =  "ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b230";
21295     WOLFSSL_SMALL_STACK_STATIC const char* QIUTy =  "28af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141";
21296     WOLFSSL_SMALL_STACK_STATIC const byte k[1] = { 0x02 };
21297     WOLFSSL_SMALL_STACK_STATIC const byte expSig[71] = {
21298         0x30, 0x45, 0x02, 0x20, 0x7c, 0xf2, 0x7b, 0x18,
21299         0x8d, 0x03, 0x4f, 0x7e, 0x8a, 0x52, 0x38, 0x03,
21300         0x04, 0xb5, 0x1a, 0xc3, 0xc0, 0x89, 0x69, 0xe2,
21301         0x77, 0xf2, 0x1b, 0x35, 0xa6, 0x0b, 0x48, 0xfc,
21302         0x47, 0x66, 0x99, 0x78, 0x02, 0x21, 0x00, 0xa8,
21303         0x43, 0xa0, 0xce, 0x6c, 0x5e, 0x17, 0x8a, 0x53,
21304         0x4d, 0xaf, 0xd2, 0x95, 0x78, 0x9f, 0x84, 0x4f,
21305         0x94, 0xb8, 0x75, 0xa3, 0x19, 0xa5, 0xd4, 0xdf,
21306         0xe1, 0xd4, 0x5e, 0x9d, 0x97, 0xfe, 0x81
21307     };
21308 
21309 #ifdef WOLFSSL_SMALL_STACK
21310     if ((key = (ecc_key *)XMALLOC(sizeof(*key), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
21311         return MEMORY_E;
21312 #endif
21313 
21314     ret = wc_ecc_init_ex(key, HEAP_HINT, devId);
21315     if (ret != 0) {
21316         goto done;
21317     }
21318     key_inited = 1;
21319 
21320     ret = wc_ecc_import_raw(key, QIUTx, QIUTy, dIUT, "SECP256R1");
21321     if (ret != 0) {
21322         goto done;
21323     }
21324     wc_ecc_set_flags(key, WC_ECC_FLAG_DEC_SIGN);
21325 
21326     ret = wc_ecc_sign_set_k(k, sizeof(k), key);
21327     if (ret != 0) {
21328         goto done;
21329     }
21330 
21331     sigSz = sizeof(sig);
21332     do {
21333     #if defined(WOLFSSL_ASYNC_CRYPT)
21334         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
21335     #endif
21336         if (ret == 0)
21337             ret = wc_ecc_sign_hash(hash, sizeof(hash), sig, &sigSz, rng, key);
21338     } while (ret == WC_PENDING_E);
21339     if (ret != 0) {
21340         goto done;
21341     }
21342     TEST_SLEEP();
21343 
21344     if (sigSz != sizeof(expSig)) {
21345         ret = -9830;
21346         goto done;
21347     }
21348     if (XMEMCMP(sig, expSig, sigSz) != 0) {
21349         ret = -9831;
21350         goto done;
21351     }
21352 
21353     sigSz = sizeof(sig);
21354     do {
21355     #if defined(WOLFSSL_ASYNC_CRYPT)
21356         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
21357     #endif
21358         if (ret == 0)
21359             ret = wc_ecc_sign_hash(hash, sizeof(hash), sig, &sigSz, rng, key);
21360     } while (ret == WC_PENDING_E);
21361     if (ret != 0) {
21362         goto done;
21363     }
21364     TEST_SLEEP();
21365 
21366 done:
21367     if (key_inited)
21368         wc_ecc_free(key);
21369 #ifdef WOLFSSL_SMALL_STACK
21370     XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21371 #endif
21372 
21373     return ret;
21374 }
21375 #endif
21376 
21377 #ifdef HAVE_ECC_CDH
21378 static int ecc_test_cdh_vectors(WC_RNG* rng)
21379 {
21380     int ret;
21381 #ifdef WOLFSSL_SMALL_STACK
21382     ecc_key *pub_key = (ecc_key *)XMALLOC(sizeof *pub_key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21383     ecc_key *priv_key = (ecc_key *)XMALLOC(sizeof *priv_key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21384 #else
21385     ecc_key pub_key[1], priv_key[1];
21386 #endif
21387     byte    sharedA[32] = {0}, sharedB[32] = {0};
21388     word32  x, z;
21389 
21390     WOLFSSL_SMALL_STACK_STATIC const char* QCAVSx = "700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287";
21391     WOLFSSL_SMALL_STACK_STATIC const char* QCAVSy = "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac";
21392     WOLFSSL_SMALL_STACK_STATIC const char* dIUT =   "7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534";
21393     WOLFSSL_SMALL_STACK_STATIC const char* QIUTx =  "ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b230";
21394     WOLFSSL_SMALL_STACK_STATIC const char* QIUTy =  "28af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141";
21395     WOLFSSL_SMALL_STACK_STATIC const char* ZIUT =   "46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b";
21396 
21397 #ifdef WOLFSSL_SMALL_STACK
21398     if ((pub_key == NULL) ||
21399         (priv_key == NULL)) {
21400         ret = MEMORY_E;
21401         goto done;
21402     }
21403 #endif
21404 
21405     XMEMSET(pub_key, 0, sizeof *pub_key);
21406     XMEMSET(priv_key, 0, sizeof *priv_key);
21407 
21408     /* setup private and public keys */
21409     ret = wc_ecc_init_ex(pub_key, HEAP_HINT, devId);
21410     if (ret != 0)
21411         goto done;
21412     ret = wc_ecc_init_ex(priv_key, HEAP_HINT, devId);
21413     if (ret != 0)
21414         goto done;
21415 #ifdef HAVE_ECC_CDH
21416     wc_ecc_set_flags(pub_key, WC_ECC_FLAG_COFACTOR);
21417     wc_ecc_set_flags(priv_key, WC_ECC_FLAG_COFACTOR);
21418 #endif
21419     ret = wc_ecc_import_raw(pub_key, QCAVSx, QCAVSy, NULL, "SECP256R1");
21420     if (ret != 0)
21421         goto done;
21422     ret = wc_ecc_import_raw(priv_key, QIUTx, QIUTy, dIUT, "SECP256R1");
21423     if (ret != 0)
21424         goto done;
21425 
21426 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
21427     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
21428     !defined(HAVE_SELFTEST)
21429     ret = wc_ecc_set_rng(priv_key, rng);
21430     if (ret != 0)
21431         goto done;
21432 #else
21433     (void)rng;
21434 #endif
21435 
21436     /* compute ECC Cofactor shared secret */
21437     x = sizeof(sharedA);
21438     do {
21439     #if defined(WOLFSSL_ASYNC_CRYPT)
21440         ret = wc_AsyncWait(ret, &priv_key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
21441     #endif
21442         if (ret == 0)
21443             ret = wc_ecc_shared_secret(priv_key, pub_key, sharedA, &x);
21444     } while (ret == WC_PENDING_E);
21445     if (ret != 0) {
21446         goto done;
21447     }
21448     TEST_SLEEP();
21449 
21450     /* read in expected Z */
21451     z = sizeof(sharedB);
21452     ret = Base16_Decode((const byte*)ZIUT, (word32)XSTRLEN(ZIUT), sharedB, &z);
21453     if (ret != 0)
21454         goto done;
21455 
21456     /* compare results */
21457     if (x != z || XMEMCMP(sharedA, sharedB, x)) {
21458         ERROR_OUT(-9840, done);
21459     }
21460 
21461 done:
21462 
21463 #ifdef WOLFSSL_SMALL_STACK
21464     if (priv_key) {
21465         wc_ecc_free(priv_key);
21466         XFREE(priv_key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21467     }
21468     if (pub_key) {
21469         wc_ecc_free(pub_key);
21470         XFREE(pub_key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21471     }
21472 #else
21473     wc_ecc_free(priv_key);
21474     wc_ecc_free(pub_key);
21475 #endif
21476 
21477     return ret;
21478 }
21479 #endif /* HAVE_ECC_CDH */
21480 #endif /* HAVE_ECC_VECTOR_TEST */
21481 
21482 #ifdef HAVE_ECC_KEY_IMPORT
21483 /* returns 0 on success */
21484 static int ecc_test_make_pub(WC_RNG* rng)
21485 {
21486 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
21487     ecc_key *key = (ecc_key *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21488 #if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT)
21489     ecc_key *pub = (ecc_key *)XMALLOC(sizeof *pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21490 #endif
21491     byte *exportBuf = (byte *)XMALLOC(ECC_BUFSIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21492     byte *tmp = (byte *)XMALLOC(ECC_BUFSIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21493 #else
21494     ecc_key key[1];
21495 #if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG)
21496     ecc_key pub[1];
21497 #endif
21498     byte exportBuf[ECC_BUFSIZE];
21499     byte tmp[ECC_BUFSIZE];
21500 #endif
21501     const byte* msg = (const byte*)"test wolfSSL ECC public gen";
21502     word32 x;
21503     word32 tmpSz;
21504     int ret = 0;
21505     ecc_point* pubPoint = NULL;
21506 #ifdef HAVE_ECC_VERIFY
21507     int verify = 0;
21508 #endif
21509 
21510 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
21511     if ((key == NULL) ||
21512 #if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT)
21513         (pub == NULL) ||
21514 #endif
21515         (exportBuf == NULL) ||
21516         (tmp == NULL))
21517         ERROR_OUT(MEMORY_E, done);
21518 #endif
21519 
21520     (void)msg;
21521     (void)verify;
21522     (void)exportBuf;
21523     (void)rng;
21524 
21525     wc_ecc_init_ex(key, HEAP_HINT, devId);
21526 
21527 #ifndef NO_ECC256
21528 #ifdef USE_CERT_BUFFERS_256
21529     XMEMCPY(tmp, ecc_key_der_256, (size_t)sizeof_ecc_key_der_256);
21530     tmpSz = (size_t)sizeof_ecc_key_der_256;
21531 #else
21532     {
21533         XFILE file = XFOPEN(eccKeyDerFile, "rb");
21534         if (!file) {
21535             ERROR_OUT(-9850, done);
21536         }
21537 
21538         tmpSz = (word32)XFREAD(tmp, 1, ECC_BUFSIZE, file);
21539         XFCLOSE(file);
21540     }
21541 #endif /* USE_CERT_BUFFERS_256 */
21542 
21543     /* import private only then test with */
21544     ret = wc_ecc_import_private_key(tmp, tmpSz, NULL, 0, NULL);
21545     if (ret == 0) {
21546         ERROR_OUT(-9851, done);
21547     }
21548 
21549     ret = wc_ecc_import_private_key(NULL, tmpSz, NULL, 0, key);
21550     if (ret == 0) {
21551         ERROR_OUT(-9852, done);
21552     }
21553 
21554     x = 0;
21555     ret = wc_EccPrivateKeyDecode(tmp, &x, key, tmpSz);
21556     if (ret != 0) {
21557         ERROR_OUT(-9853, done);
21558     }
21559 
21560 #ifdef HAVE_ECC_KEY_EXPORT
21561     x = ECC_BUFSIZE;
21562     ret = wc_ecc_export_private_only(key, exportBuf, &x);
21563     if (ret != 0) {
21564         ERROR_OUT(-9854, done);
21565     }
21566 
21567     /* make private only key */
21568     wc_ecc_free(key);
21569     wc_ecc_init_ex(key, HEAP_HINT, devId);
21570     ret = wc_ecc_import_private_key(exportBuf, x, NULL, 0, key);
21571     if (ret != 0) {
21572         ERROR_OUT(-9855, done);
21573     }
21574 
21575     x = ECC_BUFSIZE;
21576     ret = wc_ecc_export_x963_ex(key, exportBuf, &x, 0);
21577     if (ret == 0) {
21578         ERROR_OUT(-9856, done);
21579     }
21580 
21581 #endif /* HAVE_ECC_KEY_EXPORT */
21582 
21583     ret = wc_ecc_make_pub(NULL, NULL);
21584     if (ret == 0) {
21585         ERROR_OUT(-9857, done);
21586     }
21587     TEST_SLEEP();
21588 
21589 #ifndef WOLFSSL_NO_MALLOC
21590     pubPoint = wc_ecc_new_point_h(HEAP_HINT);
21591     if (pubPoint == NULL) {
21592         ERROR_OUT(-9858, done);
21593     }
21594 #if !defined(WOLFSSL_CRYPTOCELL)
21595     ret = wc_ecc_make_pub(key, pubPoint);
21596     if (ret != 0) {
21597        ERROR_OUT(-9859, done);
21598     }
21599 #endif
21600     TEST_SLEEP();
21601 
21602 #ifdef HAVE_ECC_KEY_EXPORT
21603     /* export should still fail, is private only key */
21604     x = ECC_BUFSIZE;
21605     ret = wc_ecc_export_x963_ex(key, exportBuf, &x, 0);
21606     if (ret == 0) {
21607         ERROR_OUT(-9860, done);
21608     }
21609 #endif /* HAVE_ECC_KEY_EXPORT */
21610 #endif /* !WOLFSSL_NO_MALLOC */
21611 #endif /* !NO_ECC256 */
21612 
21613     /* create a new key since above test for loading key is not supported */
21614 #if defined(WOLFSSL_CRYPTOCELL) || defined(NO_ECC256) || \
21615     defined(WOLFSSL_QNX_CAAM) || defined(WOLFSSL_SE050)
21616     ret  = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, key);
21617     if (ret != 0) {
21618         ERROR_OUT(-9861, done);
21619     }
21620 #endif
21621 
21622 #if defined(HAVE_ECC_SIGN) && (!defined(ECC_TIMING_RESISTANT) || \
21623     (defined(ECC_TIMING_RESISTANT) && !defined(WC_NO_RNG)))
21624     tmpSz = ECC_BUFSIZE;
21625     ret = 0;
21626     do {
21627     #if defined(WOLFSSL_ASYNC_CRYPT)
21628         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
21629     #endif
21630         if (ret == 0) {
21631             ret = wc_ecc_sign_hash(msg, (word32)XSTRLEN((const char* )msg), tmp,
21632                 &tmpSz, rng, key);
21633         }
21634     } while (ret == WC_PENDING_E);
21635     if (ret != 0) {
21636         ERROR_OUT(-9862, done);
21637     }
21638     TEST_SLEEP();
21639 
21640 #ifdef HAVE_ECC_VERIFY
21641     /* try verify with private only key */
21642     ret = 0;
21643     do {
21644     #if defined(WOLFSSL_ASYNC_CRYPT)
21645         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
21646     #endif
21647         if (ret == 0) {
21648             ret = wc_ecc_verify_hash(tmp, tmpSz, msg,
21649                 (word32)XSTRLEN((const char*)msg), &verify, key);
21650         }
21651     } while (ret == WC_PENDING_E);
21652     if (ret != 0) {
21653         ERROR_OUT(-9863, done);
21654     }
21655 
21656     if (verify != 1) {
21657         ERROR_OUT(-9864, done);
21658     }
21659     TEST_SLEEP();
21660 #ifdef HAVE_ECC_KEY_EXPORT
21661     /* exporting the public part should now work */
21662     x = ECC_BUFSIZE;
21663     ret = wc_ecc_export_x963_ex(key, exportBuf, &x, 0);
21664     if (ret != 0) {
21665         ERROR_OUT(-9865, done);
21666     }
21667 #endif /* HAVE_ECC_KEY_EXPORT */
21668 #endif /* HAVE_ECC_VERIFY */
21669 
21670 #endif /* HAVE_ECC_SIGN */
21671 
21672 #if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG)
21673     /* now test private only key with creating a shared secret */
21674     x = ECC_BUFSIZE;
21675     ret = wc_ecc_export_private_only(key, exportBuf, &x);
21676     if (ret != 0) {
21677         ERROR_OUT(-9866, done);
21678     }
21679 
21680 #if !defined(WOLFSSL_QNX_CAAM) && !defined(WOLFSSL_SE050)
21681     /* make private only key */
21682     wc_ecc_free(key);
21683     wc_ecc_init_ex(key, HEAP_HINT, devId);
21684     ret = wc_ecc_import_private_key(exportBuf, x, NULL, 0, key);
21685     if (ret != 0) {
21686         ERROR_OUT(-9867, done);
21687     }
21688 
21689     /* check that public export fails with private only key */
21690     x = ECC_BUFSIZE;
21691     ret = wc_ecc_export_x963_ex(key, exportBuf, &x, 0);
21692     if (ret == 0) {
21693         ERROR_OUT(-9868, done);
21694     }
21695 #endif /* WOLFSSL_QNX_CAAM */
21696 
21697     /* make public key for shared secret */
21698     wc_ecc_init_ex(pub, HEAP_HINT, devId);
21699     ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, pub);
21700 #ifdef HAVE_ECC_CDH
21701     wc_ecc_set_flags(key, WC_ECC_FLAG_COFACTOR);
21702 #endif
21703 #if defined(WOLFSSL_ASYNC_CRYPT)
21704     ret = wc_AsyncWait(ret, &pub->asyncDev, WC_ASYNC_FLAG_NONE);
21705 #endif
21706     if (ret != 0) {
21707         ERROR_OUT(-9869, done);
21708     }
21709     TEST_SLEEP();
21710 
21711 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
21712     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
21713     !defined(HAVE_SELFTEST)
21714     ret = wc_ecc_set_rng(key, rng);
21715     if (ret != 0)
21716         goto done;
21717 #endif
21718 
21719     x = ECC_BUFSIZE;
21720     do {
21721     #if defined(WOLFSSL_ASYNC_CRYPT)
21722         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
21723     #endif
21724         if (ret == 0) {
21725             ret = wc_ecc_shared_secret(key, pub, exportBuf, &x);
21726         }
21727     } while (ret == WC_PENDING_E);
21728     wc_ecc_free(pub);
21729     if (ret != 0) {
21730         ERROR_OUT(-9870, done);
21731     }
21732     TEST_SLEEP();
21733 #endif /* HAVE_ECC_DHE && HAVE_ECC_KEY_EXPORT && !WC_NO_RNG */
21734 
21735     ret = 0;
21736 
21737 done:
21738 
21739     wc_ecc_del_point_h(pubPoint, HEAP_HINT);
21740 
21741 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
21742     if (key != NULL) {
21743         wc_ecc_free(key);
21744         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21745     }
21746 #if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT)
21747     if (pub != NULL)
21748         XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21749 #endif
21750     if (exportBuf != NULL)
21751         XFREE(exportBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21752     if (tmp != NULL)
21753         XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21754 #else
21755     wc_ecc_free(key);
21756 #endif
21757 
21758     return ret;
21759 }
21760 
21761 #if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG)
21762 static int ecc_test_key_decode(WC_RNG* rng, int keySize)
21763 {
21764     int ret;
21765 #ifdef WOLFSSL_SMALL_STACK
21766     ecc_key *eccKey = (ecc_key *)XMALLOC(sizeof *eccKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21767     byte *tmpBuf = (byte *)XMALLOC(ECC_BUFSIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21768 #else
21769     ecc_key eccKey[1];
21770     byte tmpBuf[ECC_BUFSIZE];
21771 #endif
21772     word32 tmpSz;
21773     word32 idx;
21774 
21775 #ifdef WOLFSSL_SMALL_STACK
21776     if ((eccKey == NULL) || (tmpBuf == NULL))
21777         ERROR_OUT(MEMORY_E, done);
21778 #endif
21779 
21780     ret = wc_ecc_init(eccKey);
21781     if (ret != 0) {
21782         goto done;
21783     }
21784     ret = wc_ecc_make_key(rng, keySize, eccKey);
21785 #if defined(WOLFSSL_ASYNC_CRYPT)
21786     ret = wc_AsyncWait(ret, &eccKey->asyncDev, WC_ASYNC_FLAG_NONE);
21787 #endif
21788     if (ret != 0) {
21789         goto done;
21790     }
21791 
21792     tmpSz = ECC_BUFSIZE;
21793     ret = wc_EccKeyToDer(eccKey, tmpBuf, tmpSz);
21794     wc_ecc_free(eccKey);
21795     if (ret < 0) {
21796         goto done;
21797     }
21798     tmpSz = ret;
21799 
21800     ret = wc_ecc_init(eccKey);
21801     if (ret != 0) {
21802         goto done;
21803     }
21804     idx = 0;
21805     ret = wc_EccPrivateKeyDecode(tmpBuf, &idx, eccKey, tmpSz);
21806     if (ret != 0) {
21807         goto done;
21808     }
21809     wc_ecc_free(eccKey);
21810 
21811     ret = wc_ecc_init(eccKey);
21812     if (ret != 0) {
21813         goto done;
21814     }
21815 
21816     idx = 0;
21817     ret = wc_EccPublicKeyDecode(tmpBuf, &idx, eccKey, tmpSz);
21818     if (ret != 0) {
21819         goto done;
21820     }
21821 
21822     ret = 0;
21823 
21824   done:
21825 
21826 #ifdef WOLFSSL_SMALL_STACK
21827     if (eccKey != NULL) {
21828         wc_ecc_free(eccKey);
21829         XFREE(eccKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21830     }
21831     if (tmpBuf != NULL)
21832         XFREE(tmpBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21833 #else
21834     wc_ecc_free(eccKey);
21835 #endif
21836 
21837     return ret;
21838 }
21839 #endif /* HAVE_ECC_KEY_EXPORT && !NO_ASN_CRYPT */
21840 #endif /* HAVE_ECC_KEY_IMPORT */
21841 
21842 #if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG)
21843 static int ecc_test_key_gen(WC_RNG* rng, int keySize)
21844 {
21845     int    ret = 0;
21846     int    derSz;
21847 #ifdef HAVE_PKCS8
21848     word32 pkcs8Sz;
21849 #endif
21850 #ifdef WOLFSSL_SMALL_STACK
21851     byte *der = (byte *)XMALLOC(ECC_BUFSIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21852     ecc_key *userA = (ecc_key *)XMALLOC(sizeof *userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21853 #else
21854     byte der[ECC_BUFSIZE];
21855     ecc_key userA[1];
21856 #endif
21857 
21858 #ifdef WOLFSSL_SMALL_STACK
21859     if ((der == NULL) || (userA == NULL))
21860         ERROR_OUT(MEMORY_E, done);
21861 #endif
21862 
21863     ret = wc_ecc_init_ex(userA, HEAP_HINT, devId);
21864     if (ret != 0)
21865         goto done;
21866 
21867     ret = wc_ecc_make_key(rng, keySize, userA);
21868 #if defined(WOLFSSL_ASYNC_CRYPT)
21869     ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_NONE);
21870 #endif
21871     if (ret != 0)
21872         goto done;
21873     TEST_SLEEP();
21874 
21875     ret = wc_ecc_check_key(userA);
21876     if (ret != 0)
21877         goto done;
21878     TEST_SLEEP();
21879 
21880     derSz = wc_EccKeyToDer(userA, der, ECC_BUFSIZE);
21881     if (derSz < 0) {
21882         ERROR_OUT(derSz, done);
21883     }
21884 
21885     ret = SaveDerAndPem(der, derSz, eccCaKeyTempFile, eccCaKeyPemFile,
21886         ECC_PRIVATEKEY_TYPE, -8347);
21887     if (ret != 0) {
21888         goto done;
21889     }
21890 
21891     /* test export of public key */
21892     derSz = wc_EccPublicKeyToDer(userA, der, ECC_BUFSIZE, 1);
21893     if (derSz < 0) {
21894         ERROR_OUT(derSz, done);
21895     }
21896     if (derSz == 0) {
21897         ERROR_OUT(-9890, done);
21898     }
21899 
21900     ret = SaveDerAndPem(der, derSz, eccPubKeyDerFile, NULL, 0, -8348);
21901     if (ret != 0) {
21902         goto done;
21903     }
21904 
21905 #ifdef HAVE_PKCS8
21906     /* test export of PKCS#8 unencrypted private key */
21907     pkcs8Sz = FOURK_BUF;
21908     derSz = wc_EccPrivateKeyToPKCS8(userA, der, &pkcs8Sz);
21909     if (derSz < 0) {
21910         ERROR_OUT(derSz, done);
21911     }
21912 
21913     if (derSz == 0) {
21914         ERROR_OUT(-9891, done);
21915     }
21916 
21917     ret = SaveDerAndPem(der, derSz, eccPkcs8KeyDerFile, NULL, 0, -8349);
21918     if (ret != 0) {
21919         goto done;
21920     }
21921 #endif /* HAVE_PKCS8 */
21922 
21923 done:
21924 
21925 #ifdef WOLFSSL_SMALL_STACK
21926     if (der != NULL)
21927         XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21928     if (userA != NULL) {
21929         wc_ecc_free(userA);
21930         XFREE(userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21931     }
21932 #else
21933     wc_ecc_free(userA);
21934 #endif
21935 
21936     return ret;
21937 }
21938 #endif /* HAVE_ECC_KEY_EXPORT && !NO_ASN_CRYPT */
21939 
21940 static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount,
21941     int curve_id, const ecc_set_type* dp)
21942 {
21943 #if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \
21944     !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
21945     WC_DECLARE_VAR(sharedA, byte, ECC_SHARED_SIZE, HEAP_HINT);
21946     WC_DECLARE_VAR(sharedB, byte, ECC_SHARED_SIZE, HEAP_HINT);
21947 #endif
21948 #ifdef HAVE_ECC_KEY_EXPORT
21949     #define ECC_KEY_EXPORT_BUF_SIZE (MAX_ECC_BYTES * 2 + 32)
21950     WC_DECLARE_VAR(exportBuf, byte, ECC_KEY_EXPORT_BUF_SIZE, HEAP_HINT);
21951 #endif
21952     word32  x = 0;
21953 #if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \
21954     !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
21955     word32  y;
21956 #endif
21957 #ifdef HAVE_ECC_SIGN
21958     WC_DECLARE_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
21959     WC_DECLARE_VAR(digest, byte, ECC_DIGEST_SIZE, HEAP_HINT);
21960     int     i;
21961 #ifdef HAVE_ECC_VERIFY
21962     int     verify;
21963 #endif /* HAVE_ECC_VERIFY */
21964 #endif /* HAVE_ECC_SIGN */
21965     int     ret;
21966 #ifdef WOLFSSL_SMALL_STACK
21967     ecc_key *userA = (ecc_key *)XMALLOC(sizeof *userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21968     ecc_key *userB = (ecc_key *)XMALLOC(sizeof *userB, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21969     ecc_key *pubKey = (ecc_key *)XMALLOC(sizeof *pubKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
21970 #else
21971     ecc_key userA[1];
21972     ecc_key userB[1];
21973     ecc_key pubKey[1];
21974 #endif
21975 #ifndef WC_NO_RNG
21976     int     curveSize;
21977 #endif
21978 
21979 #ifdef WC_DECLARE_VAR_IS_HEAP_ALLOC
21980 #if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \
21981     !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
21982     if (sharedA == NULL || sharedB == NULL)
21983         ERROR_OUT(-9900, done);
21984 #endif
21985 
21986 #ifdef HAVE_ECC_KEY_EXPORT
21987     if (exportBuf == NULL)
21988         ERROR_OUT(-9901, done);
21989 #endif
21990 
21991 #ifdef HAVE_ECC_SIGN
21992     if (sig == NULL || digest == NULL)
21993         ERROR_OUT(-9902, done);
21994 #endif
21995 #endif /* WOLFSSL_SMALL_STACK */
21996 
21997     (void)testVerifyCount;
21998     (void)dp;
21999     (void)x;
22000 
22001 #ifdef WOLFSSL_SMALL_STACK
22002     if ((userA == NULL) ||
22003         (userB == NULL) ||
22004         (pubKey == NULL))
22005         ERROR_OUT(-9903, done);
22006 #endif
22007 
22008     XMEMSET(userA, 0, sizeof *userA);
22009     XMEMSET(userB, 0, sizeof *userB);
22010     XMEMSET(pubKey, 0, sizeof *pubKey);
22011 
22012     ret = wc_ecc_init_ex(userA, HEAP_HINT, devId);
22013     if (ret != 0)
22014         ERROR_OUT(-9904, done);
22015     ret = wc_ecc_init_ex(userB, HEAP_HINT, devId);
22016     if (ret != 0)
22017         ERROR_OUT(-9905, done);
22018     ret = wc_ecc_init_ex(pubKey, HEAP_HINT, devId);
22019     if (ret != 0)
22020         ERROR_OUT(-9906, done);
22021 
22022 #ifdef WOLFSSL_CUSTOM_CURVES
22023     if (dp != NULL) {
22024         ret = wc_ecc_set_custom_curve(userA, dp);
22025         if (ret != 0)
22026             ERROR_OUT(-9907, done);
22027         ret = wc_ecc_set_custom_curve(userB, dp);
22028         if (ret != 0)
22029             ERROR_OUT(-9908, done);
22030     }
22031 #endif
22032 
22033 #ifndef WC_NO_RNG
22034     ret = wc_ecc_make_key_ex(rng, keySize, userA, curve_id);
22035 #if defined(WOLFSSL_ASYNC_CRYPT)
22036     ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_NONE);
22037 #endif
22038     if (ret == ECC_CURVE_OID_E)
22039         goto done; /* catch case, where curve is not supported */
22040     if (ret != 0)
22041         ERROR_OUT(-9910, done);
22042     TEST_SLEEP();
22043 
22044     if (wc_ecc_get_curve_idx(curve_id) != -1) {
22045         curveSize = wc_ecc_get_curve_size_from_id(userA->dp->id);
22046         if (curveSize != userA->dp->size)
22047             ERROR_OUT(-9911, done);
22048     }
22049 
22050     ret = wc_ecc_check_key(userA);
22051     if (ret != 0)
22052         ERROR_OUT(-9912, done);
22053     TEST_SLEEP();
22054 
22055 /* ATECC508/608 configuration may not support more than one ECDH key */
22056 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
22057 
22058     ret = wc_ecc_make_key_ex(rng, keySize, userB, curve_id);
22059 #if defined(WOLFSSL_ASYNC_CRYPT)
22060     ret = wc_AsyncWait(ret, &userB->asyncDev, WC_ASYNC_FLAG_NONE);
22061 #endif
22062     if (ret != 0)
22063         ERROR_OUT(-9914, done);
22064     TEST_SLEEP();
22065 
22066     /* only perform the below tests if the key size matches */
22067     if (dp == NULL && keySize > 0 && wc_ecc_size(userA) != keySize)
22068         ERROR_OUT(ECC_CURVE_OID_E, done);
22069 
22070 #ifdef HAVE_ECC_DHE
22071 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
22072     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
22073     !defined(HAVE_SELFTEST)
22074     ret = wc_ecc_set_rng(userA, rng);
22075     if (ret != 0)
22076         ERROR_OUT(-9915, done);
22077     ret = wc_ecc_set_rng(userB, rng);
22078     if (ret != 0)
22079         ERROR_OUT(-9916, done);
22080 #endif
22081 
22082     x = ECC_SHARED_SIZE;
22083     do {
22084     #if defined(WOLFSSL_ASYNC_CRYPT)
22085         ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22086     #endif
22087         if (ret == 0)
22088             ret = wc_ecc_shared_secret(userA, userB, sharedA, &x);
22089     } while (ret == WC_PENDING_E);
22090     if (ret != 0) {
22091         ERROR_OUT(-9917, done);
22092     }
22093     TEST_SLEEP();
22094 
22095     y = ECC_SHARED_SIZE;
22096     do {
22097     #if defined(WOLFSSL_ASYNC_CRYPT)
22098         ret = wc_AsyncWait(ret, &userB->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22099     #endif
22100         if (ret == 0)
22101             ret = wc_ecc_shared_secret(userB, userA, sharedB, &y);
22102     } while (ret == WC_PENDING_E);
22103     if (ret != 0)
22104         ERROR_OUT(-9918, done);
22105 
22106     if (y != x)
22107         ERROR_OUT(-9919, done);
22108 
22109     if (XMEMCMP(sharedA, sharedB, x))
22110         ERROR_OUT(-9920, done);
22111     TEST_SLEEP();
22112 #endif /* HAVE_ECC_DHE */
22113 
22114 #ifdef HAVE_ECC_CDH
22115     /* add cofactor flag */
22116     wc_ecc_set_flags(userA, WC_ECC_FLAG_COFACTOR);
22117     wc_ecc_set_flags(userB, WC_ECC_FLAG_COFACTOR);
22118 
22119     x = ECC_SHARED_SIZE;
22120     do {
22121     #if defined(WOLFSSL_ASYNC_CRYPT)
22122         ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22123     #endif
22124         if (ret == 0)
22125             ret = wc_ecc_shared_secret(userA, userB, sharedA, &x);
22126     } while (ret == WC_PENDING_E);
22127     if (ret != 0)
22128         ERROR_OUT(-9921, done);
22129     TEST_SLEEP();
22130 
22131     y = ECC_SHARED_SIZE;
22132     do {
22133     #if defined(WOLFSSL_ASYNC_CRYPT)
22134         ret = wc_AsyncWait(ret, &userB->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22135     #endif
22136         if (ret == 0)
22137             ret = wc_ecc_shared_secret(userB, userA, sharedB, &y);
22138     } while (ret == WC_PENDING_E);
22139     if (ret != 0)
22140         ERROR_OUT(-9922, done);
22141 
22142     if (y != x)
22143         ERROR_OUT(-9923, done);
22144 
22145     if (XMEMCMP(sharedA, sharedB, x))
22146         ERROR_OUT(-9924, done);
22147     TEST_SLEEP();
22148 
22149     /* remove cofactor flag */
22150     wc_ecc_set_flags(userA, 0);
22151     wc_ecc_set_flags(userB, 0);
22152 #endif /* HAVE_ECC_CDH */
22153 #endif /* !WOLFSSL_ATECC508A && WOLFSSL_ATECC608A */
22154 
22155 #ifdef HAVE_ECC_KEY_EXPORT
22156     x = ECC_KEY_EXPORT_BUF_SIZE;
22157     ret = wc_ecc_export_x963_ex(userA, exportBuf, &x, 0);
22158     if (ret != 0)
22159         ERROR_OUT(-9925, done);
22160 
22161 #ifdef HAVE_ECC_KEY_IMPORT
22162     #ifdef WOLFSSL_CUSTOM_CURVES
22163         if (dp != NULL) {
22164             ret = wc_ecc_set_custom_curve(pubKey, dp);
22165             if (ret != 0)
22166                 ERROR_OUT(-9926, done);
22167         }
22168     #endif
22169     ret = wc_ecc_import_x963_ex(exportBuf, x, pubKey, curve_id);
22170     if (ret != 0)
22171         ERROR_OUT(-9927, done);
22172 
22173 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
22174 #ifdef HAVE_ECC_DHE
22175     y = ECC_SHARED_SIZE;
22176     do {
22177     #if defined(WOLFSSL_ASYNC_CRYPT)
22178         ret = wc_AsyncWait(ret, &userB->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22179     #endif
22180         if (ret == 0)
22181             ret = wc_ecc_shared_secret(userB, pubKey, sharedB, &y);
22182     } while (ret == WC_PENDING_E);
22183     if (ret != 0)
22184         ERROR_OUT(-9928, done);
22185 
22186     if (XMEMCMP(sharedA, sharedB, y))
22187         ERROR_OUT(-9929, done);
22188     TEST_SLEEP();
22189 #endif /* HAVE_ECC_DHE */
22190 
22191     #ifdef HAVE_COMP_KEY
22192         /* try compressed export / import too */
22193         x = ECC_KEY_EXPORT_BUF_SIZE;
22194         ret = wc_ecc_export_x963_ex(userA, exportBuf, &x, 1);
22195         if (ret != 0)
22196             ERROR_OUT(-9930, done);
22197         wc_ecc_free(pubKey);
22198 
22199         ret = wc_ecc_init_ex(pubKey, HEAP_HINT, devId);
22200         if (ret != 0)
22201             ERROR_OUT(-9931, done);
22202     #ifdef WOLFSSL_CUSTOM_CURVES
22203         if (dp != NULL) {
22204             ret = wc_ecc_set_custom_curve(pubKey, dp);
22205             if (ret != 0)
22206                 ERROR_OUT(-9932, done);
22207         }
22208     #endif
22209         ret = wc_ecc_import_x963_ex(exportBuf, x, pubKey, curve_id);
22210         if (ret != 0)
22211             ERROR_OUT(-9933, done);
22212 
22213     #ifdef HAVE_ECC_DHE
22214         y = ECC_SHARED_SIZE;
22215         do {
22216         #if defined(WOLFSSL_ASYNC_CRYPT)
22217             ret = wc_AsyncWait(ret, &userB->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22218         #endif
22219             if (ret == 0)
22220                 ret = wc_ecc_shared_secret(userB, pubKey, sharedB, &y);
22221         } while (ret == WC_PENDING_E);
22222         if (ret != 0)
22223             ERROR_OUT(-9934, done);
22224 
22225         if (XMEMCMP(sharedA, sharedB, y))
22226             ERROR_OUT(-9935, done);
22227         TEST_SLEEP();
22228     #endif /* HAVE_ECC_DHE */
22229     #endif /* HAVE_COMP_KEY */
22230 
22231 #endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A */
22232 #endif /* !WC_NO_RNG */
22233 
22234 #endif /* HAVE_ECC_KEY_IMPORT */
22235 #endif /* HAVE_ECC_KEY_EXPORT */
22236 
22237 #if !defined(ECC_TIMING_RESISTANT) || (defined(ECC_TIMING_RESISTANT) && !defined(WC_NO_RNG))
22238 #ifdef HAVE_ECC_SIGN
22239     /* ECC w/out Shamir has issue with all 0 digest */
22240     /* WC_BIGINT doesn't have 0 len well on hardware */
22241     /* Cryptocell has issues with all 0 digest */
22242 #if defined(ECC_SHAMIR) && !defined(WOLFSSL_ASYNC_CRYPT) && \
22243     !defined(WOLFSSL_CRYPTOCELL)
22244     /* test DSA sign hash with zeros */
22245     for (i = 0; i < (int)ECC_DIGEST_SIZE; i++) {
22246         digest[i] = 0;
22247     }
22248 
22249     x = ECC_SIG_SIZE;
22250     do {
22251     #if defined(WOLFSSL_ASYNC_CRYPT)
22252         ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22253     #endif
22254         if (ret == 0)
22255             ret = wc_ecc_sign_hash(digest, ECC_DIGEST_SIZE, sig, &x, rng,
22256                                                                         userA);
22257     } while (ret == WC_PENDING_E);
22258     if (ret != 0)
22259         ERROR_OUT(-9936, done);
22260     TEST_SLEEP();
22261 
22262 #ifdef HAVE_ECC_VERIFY
22263     for (i=0; i<testVerifyCount; i++) {
22264         verify = 0;
22265         do {
22266         #if defined(WOLFSSL_ASYNC_CRYPT)
22267             ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22268         #endif
22269             if (ret == 0)
22270                 ret = wc_ecc_verify_hash(sig, x, digest, ECC_DIGEST_SIZE,
22271                                                                &verify, userA);
22272         } while (ret == WC_PENDING_E);
22273         if (ret != 0)
22274             ERROR_OUT(-9937, done);
22275         if (verify != 1)
22276             ERROR_OUT(-9938, done);
22277         TEST_SLEEP();
22278     }
22279 #endif /* HAVE_ECC_VERIFY */
22280 #endif /* ECC_SHAMIR && !WOLFSSL_ASYNC_CRYPT && !WOLFSSL_CRYPTOCELL */
22281 
22282     /* test DSA sign hash with sequence (0,1,2,3,4,...) */
22283     for (i = 0; i < (int)ECC_DIGEST_SIZE; i++) {
22284         digest[i] = (byte)i;
22285     }
22286 
22287     x = ECC_SIG_SIZE;
22288     do {
22289     #if defined(WOLFSSL_ASYNC_CRYPT)
22290         ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22291     #endif
22292         if (ret == 0)
22293             ret = wc_ecc_sign_hash(digest, ECC_DIGEST_SIZE, sig, &x, rng,
22294                                                                         userA);
22295     } while (ret == WC_PENDING_E);
22296     if (ret != 0)
22297         ERROR_OUT(-9939, done);
22298     TEST_SLEEP();
22299 
22300 #ifdef HAVE_ECC_VERIFY
22301     for (i=0; i<testVerifyCount; i++) {
22302         verify = 0;
22303         do {
22304         #if defined(WOLFSSL_ASYNC_CRYPT)
22305             ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22306         #endif
22307             if (ret == 0)
22308                 ret = wc_ecc_verify_hash(sig, x, digest, ECC_DIGEST_SIZE,
22309                                                                &verify, userA);
22310         } while (ret == WC_PENDING_E);
22311         if (ret != 0)
22312             ERROR_OUT(-9940, done);
22313         if (verify != 1)
22314             ERROR_OUT(-9941, done);
22315         TEST_SLEEP();
22316     }
22317 #endif /* HAVE_ECC_VERIFY */
22318 #endif /* HAVE_ECC_SIGN */
22319 #endif /* !ECC_TIMING_RESISTANT || (ECC_TIMING_RESISTANT && !WC_NO_RNG) */
22320 
22321 #if defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) && \
22322     !defined(WOLFSSL_ATECC508) && !defined(WOLFSSL_ATECC608A)
22323     x = ECC_KEY_EXPORT_BUF_SIZE;
22324     ret = wc_ecc_export_private_only(userA, exportBuf, &x);
22325     if (ret != 0)
22326         ERROR_OUT(-9942, done);
22327 #elif defined(HAVE_ECC_KEY_EXPORT)
22328     (void)exportBuf;
22329 #endif /* HAVE_ECC_KEY_EXPORT */
22330 
22331 done:
22332 
22333 #ifdef WOLFSSL_SMALL_STACK
22334     if (userA != NULL) {
22335         wc_ecc_free(userA);
22336         XFREE(userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
22337     }
22338     if (userB != NULL) {
22339         wc_ecc_free(userB);
22340         XFREE(userB, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
22341     }
22342     if (pubKey != NULL) {
22343         wc_ecc_free(pubKey);
22344         XFREE(pubKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
22345     }
22346 #else
22347     wc_ecc_free(pubKey);
22348     wc_ecc_free(userB);
22349     wc_ecc_free(userA);
22350 #endif
22351 
22352 #if defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)
22353     WC_FREE_VAR(sharedA, HEAP_HINT);
22354     WC_FREE_VAR(sharedB, HEAP_HINT);
22355 #endif
22356 #ifdef HAVE_ECC_KEY_EXPORT
22357     WC_FREE_VAR(exportBuf, HEAP_HINT);
22358 #endif
22359 #ifdef HAVE_ECC_SIGN
22360     WC_FREE_VAR(sig, HEAP_HINT);
22361     WC_FREE_VAR(digest, HEAP_HINT);
22362 #endif
22363 
22364     (void)keySize;
22365     (void)curve_id;
22366     (void)rng;
22367 
22368     return ret;
22369 }
22370 
22371 #undef  ECC_TEST_VERIFY_COUNT
22372 #define ECC_TEST_VERIFY_COUNT 2
22373 static int ecc_test_curve(WC_RNG* rng, int keySize)
22374 {
22375     int ret;
22376 
22377     ret = ecc_test_curve_size(rng, keySize, ECC_TEST_VERIFY_COUNT,
22378         ECC_CURVE_DEF, NULL);
22379     if (ret < 0) {
22380         if (ret == ECC_CURVE_OID_E) {
22381             /* ignore error for curves not found */
22382             /* some curve sizes are only available with:
22383                 HAVE_ECC_SECPR2, HAVE_ECC_SECPR3, HAVE_ECC_BRAINPOOL
22384                 and HAVE_ECC_KOBLITZ */
22385         }
22386         else {
22387             printf("ecc_test_curve_size %d failed!: %d\n", keySize, ret);
22388             return ret;
22389         }
22390     }
22391 
22392 #ifdef HAVE_ECC_VECTOR_TEST
22393     ret = ecc_test_vector(keySize);
22394     if (ret < 0) {
22395         printf("ecc_test_vector %d failed!: %d\n", keySize, ret);
22396         return ret;
22397     }
22398 #endif
22399 
22400 #if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \
22401     !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG)
22402     ret = ecc_test_key_decode(rng, keySize);
22403     if (ret < 0) {
22404         if (ret == ECC_CURVE_OID_E) {
22405             /* ignore error for curves not found */
22406         }
22407         else {
22408             printf("ecc_test_key_decode %d failed!: %d\n", keySize, ret);
22409             return ret;
22410         }
22411     }
22412 #endif
22413 
22414 #if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG)
22415     ret = ecc_test_key_gen(rng, keySize);
22416     if (ret < 0) {
22417         if (ret == ECC_CURVE_OID_E) {
22418             /* ignore error for curves not found */
22419         }
22420         else {
22421             printf("ecc_test_key_gen %d failed!: %d\n", keySize, ret);
22422             return ret;
22423         }
22424     }
22425 #endif
22426 
22427     return 0;
22428 }
22429 
22430 #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
22431 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
22432     defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \
22433     !defined(WOLFSSL_NO_MALLOC)
22434 static int ecc_point_test(void)
22435 {
22436     int        ret;
22437     ecc_point* point;
22438     ecc_point* point2;
22439 #ifdef HAVE_COMP_KEY
22440     ecc_point* point3;
22441     ecc_point* point4;
22442 #endif
22443     word32     outLen;
22444     byte       out[65];
22445     byte       der[] = { 0x04, /* = Uncompressed */
22446                          0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22447                          0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22448                          0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22449                          0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22450                          0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22451                          0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22452                          0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22453                          0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
22454 #if defined(HAVE_COMP_KEY) && (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) || \
22455     (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)))
22456     byte       derComp0[] = { 0x02, /* = Compressed, y even */
22457                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22458                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22459                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22460                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
22461     byte       derComp1[] = { 0x03, /* = Compressed, y odd */
22462                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22463                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22464                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
22465                               0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
22466 #endif
22467     byte       altDer[] = { 0x04, /* = Uncompressed */
22468                             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
22469                             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
22470                             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
22471                             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
22472                             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
22473                             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
22474                             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
22475                             0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
22476     int curve_idx = wc_ecc_get_curve_idx(ECC_SECP256R1);
22477 
22478     /* if curve P256 is not enabled then test should not fail */
22479     if (curve_idx == ECC_CURVE_INVALID)
22480         return 0;
22481 
22482     outLen = sizeof(out);
22483     point = wc_ecc_new_point();
22484     if (point == NULL)
22485         return -10000;
22486     point2 = wc_ecc_new_point();
22487     if (point2 == NULL) {
22488         wc_ecc_del_point(point);
22489         return -10001;
22490     }
22491 #ifdef HAVE_COMP_KEY
22492     point3 = wc_ecc_new_point();
22493     if (point3 == NULL) {
22494         wc_ecc_del_point(point2);
22495         wc_ecc_del_point(point);
22496         return -10002;
22497     }
22498     point4 = wc_ecc_new_point();
22499     if (point4 == NULL) {
22500         wc_ecc_del_point(point3);
22501         wc_ecc_del_point(point2);
22502         wc_ecc_del_point(point);
22503         return -10003;
22504     }
22505 #endif
22506 
22507     /* Parameter Validation testing. */
22508     wc_ecc_del_point(NULL);
22509     ret = wc_ecc_import_point_der(NULL, sizeof(der), curve_idx, point);
22510     if (ret != ECC_BAD_ARG_E) {
22511         ret = -10004;
22512         goto done;
22513     }
22514     ret = wc_ecc_import_point_der(der, sizeof(der), ECC_CURVE_INVALID, point);
22515     if (ret != ECC_BAD_ARG_E) {
22516         ret = -10005;
22517         goto done;
22518     }
22519     ret = wc_ecc_import_point_der(der, sizeof(der), curve_idx, NULL);
22520     if (ret != ECC_BAD_ARG_E) {
22521         ret = -10006;
22522         goto done;
22523     }
22524     ret = wc_ecc_export_point_der(-1, point, out, &outLen);
22525     if (ret != ECC_BAD_ARG_E) {
22526         ret = -10007;
22527         goto done;
22528     }
22529     ret = wc_ecc_export_point_der(curve_idx, NULL, out, &outLen);
22530     if (ret != ECC_BAD_ARG_E) {
22531         ret = -10008;
22532         goto done;
22533     }
22534     ret = wc_ecc_export_point_der(curve_idx, point, NULL, &outLen);
22535     if (ret != LENGTH_ONLY_E || outLen != sizeof(out)) {
22536         ret = -10009;
22537         goto done;
22538     }
22539     ret = wc_ecc_export_point_der(curve_idx, point, out, NULL);
22540     if (ret != ECC_BAD_ARG_E) {
22541         ret = -10010;
22542         goto done;
22543     }
22544     outLen = 0;
22545     ret = wc_ecc_export_point_der(curve_idx, point, out, &outLen);
22546     if (ret != BUFFER_E) {
22547         ret = -10011;
22548         goto done;
22549     }
22550     ret = wc_ecc_copy_point(NULL, NULL);
22551     if (ret != ECC_BAD_ARG_E) {
22552         ret = -10012;
22553         goto done;
22554     }
22555     ret = wc_ecc_copy_point(NULL, point2);
22556     if (ret != ECC_BAD_ARG_E) {
22557         ret = -10013;
22558         goto done;
22559     }
22560     ret = wc_ecc_copy_point(point, NULL);
22561     if (ret != ECC_BAD_ARG_E) {
22562         ret = -10014;
22563         goto done;
22564     }
22565     ret = wc_ecc_cmp_point(NULL, NULL);
22566     if (ret != BAD_FUNC_ARG) {
22567         ret = -10015;
22568         goto done;
22569     }
22570     ret = wc_ecc_cmp_point(NULL, point2);
22571     if (ret != BAD_FUNC_ARG) {
22572         ret = -10016;
22573         goto done;
22574     }
22575     ret = wc_ecc_cmp_point(point, NULL);
22576     if (ret != BAD_FUNC_ARG) {
22577         ret = -10017;
22578         goto done;
22579     }
22580 
22581     /* Use API. */
22582     ret = wc_ecc_import_point_der(der, sizeof(der), curve_idx, point);
22583     if (ret != 0) {
22584         ret = -10018;
22585         goto done;
22586     }
22587 
22588     outLen = sizeof(out);
22589     ret = wc_ecc_export_point_der(curve_idx, point, out, &outLen);
22590     if (ret != 0) {
22591         ret = -10019;
22592         goto done;
22593     }
22594     if (outLen != sizeof(der)) {
22595         ret = -10020;
22596         goto done;
22597     }
22598     if (XMEMCMP(out, der, outLen) != 0) {
22599         ret = -10021;
22600         goto done;
22601     }
22602 
22603     ret = wc_ecc_copy_point(point2, point);
22604     if (ret != MP_OKAY) {
22605         ret = -10022;
22606         goto done;
22607     }
22608     ret = wc_ecc_cmp_point(point2, point);
22609     if (ret != MP_EQ) {
22610         ret = -10023;
22611         goto done;
22612     }
22613 
22614     ret = wc_ecc_import_point_der(altDer, sizeof(altDer), curve_idx, point2);
22615     if (ret != 0) {
22616         ret = -10024;
22617         goto done;
22618     }
22619     ret = wc_ecc_cmp_point(point2, point);
22620     if (ret != MP_GT) {
22621         ret = -10025;
22622         goto done;
22623     }
22624 
22625 #if defined(HAVE_COMP_KEY) && (!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) || \
22626     (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)))
22627     ret = wc_ecc_import_point_der(derComp0, sizeof(derComp0)*2-1, curve_idx, point3);
22628     if (ret != 0) {
22629         ret = -10026;
22630         goto done;
22631     }
22632 
22633     ret = wc_ecc_import_point_der_ex(derComp0, sizeof(derComp0), curve_idx, point4, 0);
22634     if (ret != 0) {
22635         ret = -10027;
22636         goto done;
22637     }
22638 
22639     ret = wc_ecc_cmp_point(point3, point4);
22640     if (ret != MP_EQ) {
22641         ret = -10028;
22642         goto done;
22643     }
22644 
22645     ret = wc_ecc_import_point_der(derComp1, sizeof(derComp1)*2-1, curve_idx, point3);
22646     if (ret != 0) {
22647         ret = -10029;
22648         goto done;
22649     }
22650 
22651     ret = wc_ecc_import_point_der_ex(derComp1, sizeof(derComp1), curve_idx, point4, 0);
22652     if (ret != 0) {
22653         ret = -10030;
22654         goto done;
22655     }
22656 
22657     ret = wc_ecc_cmp_point(point3, point4);
22658     if (ret != MP_EQ) {
22659         ret = -10031;
22660         goto done;
22661     }
22662 #endif
22663 
22664 done:
22665 #ifdef HAVE_COMP_KEY
22666     wc_ecc_del_point(point4);
22667     wc_ecc_del_point(point3);
22668 #endif
22669     wc_ecc_del_point(point2);
22670     wc_ecc_del_point(point);
22671 
22672     return ret;
22673 }
22674 #endif /* !WOLFSSL_ATECC508A && HAVE_ECC_KEY_IMPORT && HAVE_ECC_KEY_EXPORT */
22675 
22676 #ifndef NO_SIG_WRAPPER
22677 static int ecc_sig_test(WC_RNG* rng, ecc_key* key)
22678 {
22679     int     ret;
22680     word32  sigSz;
22681     int     size;
22682     byte    out[ECC_MAX_SIG_SIZE];
22683     byte    in[] = TEST_STRING;
22684     WOLFSSL_SMALL_STACK_STATIC const byte hash[] = {
22685         0xf2, 0x02, 0x95, 0x65, 0xcb, 0xf6, 0x2a, 0x59,
22686         0x39, 0x2c, 0x05, 0xff, 0x0e, 0x29, 0xaf, 0xfe,
22687         0x47, 0x33, 0x8c, 0x99, 0x8d, 0x58, 0x64, 0x83,
22688         0xa6, 0x58, 0x0a, 0x33, 0x0b, 0x84, 0x5f, 0x5f
22689     };
22690     word32 inLen = (word32)XSTRLEN((char*)in);
22691 
22692     size = wc_ecc_sig_size(key);
22693 
22694     ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_ECC, key, sizeof(*key));
22695     if (ret != size)
22696         return -10040;
22697 
22698     sigSz = (word32)ret;
22699     ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC, in,
22700                                inLen, out, &sigSz, key, sizeof(*key), rng);
22701     if (ret != 0)
22702         return -10041;
22703     TEST_SLEEP();
22704 
22705     ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC, in,
22706                              inLen, out, sigSz, key, sizeof(*key));
22707     if (ret != 0)
22708         return -10042;
22709     TEST_SLEEP();
22710 
22711     sigSz = (word32)sizeof(out);
22712     ret = wc_SignatureGenerateHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC,
22713         hash, (int)sizeof(hash), out, &sigSz, key, sizeof(*key), rng);
22714     if (ret != 0)
22715         return -10043;
22716     TEST_SLEEP();
22717 
22718     ret = wc_SignatureVerifyHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC,
22719         hash, (int)sizeof(hash), out, sigSz, key, sizeof(*key));
22720     if (ret != 0)
22721         return -10044;
22722     TEST_SLEEP();
22723 
22724     return 0;
22725 }
22726 #endif
22727 
22728 #if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)
22729 
22730 static int ecc_exp_imp_test(ecc_key* key)
22731 {
22732     int        ret;
22733     int        curve_id;
22734 #ifdef WOLFSSL_SMALL_STACK
22735     ecc_key    *keyImp = (ecc_key *)XMALLOC(sizeof *keyImp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);;
22736 #else
22737     ecc_key    keyImp[1];
22738 #endif
22739     byte       priv[32];
22740     word32     privLen;
22741     byte       pub[65*2];
22742     word32     pubLen, pubLenX, pubLenY;
22743     const char qx[] = "7a4e287890a1a47ad3457e52f2f76a83"
22744                       "ce46cbc947616d0cbaa82323818a793d";
22745     const char qy[] = "eec4084f5b29ebf29c44cce3b3059610"
22746                       "922f8b30ea6e8811742ac7238fe87308";
22747     const char d[]  = "8c14b793cb19137e323a6d2e2a870bca"
22748                       "2e7a493ec1153b3a95feb8a4873f8d08";
22749 
22750 #ifdef WOLFSSL_SMALL_STACK
22751     if (keyImp == NULL)
22752         ERROR_OUT(-10050, done);
22753 #endif
22754 
22755     wc_ecc_init_ex(keyImp, HEAP_HINT, devId);
22756 
22757     privLen = sizeof(priv);
22758     ret = wc_ecc_export_private_only(key, priv, &privLen);
22759     if (ret != 0) {
22760         ret = -10051;
22761         goto done;
22762     }
22763     pubLen = sizeof(pub);
22764     ret = wc_ecc_export_point_der(key->idx, &key->pubkey, pub, &pubLen);
22765     if (ret != 0) {
22766         ret = -10052;
22767         goto done;
22768     }
22769 
22770     ret = wc_ecc_import_private_key(priv, privLen, pub, pubLen, keyImp);
22771     if (ret != 0) {
22772         ret = -10053;
22773         goto done;
22774     }
22775 
22776     wc_ecc_free(keyImp);
22777     wc_ecc_init_ex(keyImp, HEAP_HINT, devId);
22778 
22779     ret = wc_ecc_import_raw_ex(keyImp, qx, qy, d, ECC_SECP256R1);
22780     if (ret != 0) {
22781         ret = -10054;
22782         goto done;
22783     }
22784 
22785     wc_ecc_free(keyImp);
22786     wc_ecc_init_ex(keyImp, HEAP_HINT, devId);
22787 
22788     curve_id = wc_ecc_get_curve_id(key->idx);
22789     if (curve_id < 0) {
22790         ret = -10055;
22791         goto done;
22792     }
22793 
22794     /* test import private only */
22795     ret = wc_ecc_import_private_key_ex(priv, privLen, NULL, 0, keyImp,
22796                                        curve_id);
22797     if (ret != 0) {
22798         ret = -10056;
22799         goto done;
22800     }
22801 
22802     wc_ecc_free(keyImp);
22803     wc_ecc_init_ex(keyImp, HEAP_HINT, devId);
22804 
22805     /* test export public raw */
22806     pubLenX = pubLenY = 32;
22807     ret = wc_ecc_export_public_raw(key, pub, &pubLenX, &pub[32], &pubLenY);
22808     if (ret != 0) {
22809         ret = -10057;
22810         goto done;
22811     }
22812 
22813 #ifndef HAVE_SELFTEST
22814     /* test import of public */
22815     ret = wc_ecc_import_unsigned(keyImp, pub, &pub[32], NULL, ECC_SECP256R1);
22816     if (ret != 0) {
22817         ret = -10058;
22818         goto done;
22819     }
22820 #endif
22821 
22822     wc_ecc_free(keyImp);
22823     wc_ecc_init_ex(keyImp, HEAP_HINT, devId);
22824 
22825     /* test export private and public raw */
22826     pubLenX = pubLenY = privLen = 32;
22827     ret = wc_ecc_export_private_raw(key, pub, &pubLenX, &pub[32], &pubLenY,
22828         priv, &privLen);
22829     if (ret != 0) {
22830         ret = -10059;
22831         goto done;
22832     }
22833 
22834 #ifndef HAVE_SELFTEST
22835     /* test import of private and public */
22836     ret = wc_ecc_import_unsigned(keyImp, pub, &pub[32], priv, ECC_SECP256R1);
22837     if (ret != 0) {
22838         ret = -10060;
22839         goto done;
22840     }
22841 #endif
22842 
22843 done:
22844 
22845 #ifdef WOLFSSL_SMALL_STACK
22846     if (keyImp != NULL) {
22847         wc_ecc_free(keyImp);
22848         XFREE(keyImp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
22849     }
22850 #else
22851     wc_ecc_free(keyImp);
22852 #endif
22853 
22854     return ret;
22855 }
22856 #endif /* HAVE_ECC_KEY_IMPORT && HAVE_ECC_KEY_EXPORT */
22857 
22858 #if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \
22859     !defined(WOLFSSL_CRYPTOCELL)
22860 static int ecc_mulmod_test(ecc_key* key1)
22861 {
22862     int ret;
22863 #ifdef WOLFSSL_SMALL_STACK
22864     ecc_key    *key2 = (ecc_key *)XMALLOC(sizeof *key2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
22865     ecc_key    *key3 = (ecc_key *)XMALLOC(sizeof *key3, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
22866 #else
22867     ecc_key    key2[1];
22868     ecc_key    key3[1];
22869 #endif
22870 
22871 #ifdef WOLFSSL_SMALL_STACK
22872     if ((key2 == NULL) || (key3 == NULL))
22873         ERROR_OUT(MEMORY_E, done);
22874 #endif
22875 
22876     wc_ecc_init_ex(key2, HEAP_HINT, devId);
22877     wc_ecc_init_ex(key3, HEAP_HINT, devId);
22878 
22879     /* TODO: Use test data, test with WOLFSSL_VALIDATE_ECC_IMPORT. */
22880     /* Need base point (Gx,Gy) and parameter A - load them as the public and
22881      * private key in key2.
22882      */
22883     ret = wc_ecc_import_raw_ex(key2, key1->dp->Gx, key1->dp->Gy, key1->dp->Af,
22884                                ECC_SECP256R1);
22885     if (ret != 0)
22886         goto done;
22887 
22888     /* Need a point (Gx,Gy) and prime - load them as the public and private key
22889      * in key3.
22890      */
22891     ret = wc_ecc_import_raw_ex(key3, key1->dp->Gx, key1->dp->Gy,
22892                                key1->dp->prime, ECC_SECP256R1);
22893     if (ret != 0)
22894         goto done;
22895 
22896     ret = wc_ecc_mulmod(&key1->k, &key2->pubkey, &key3->pubkey, &key2->k, &key3->k,
22897                         1);
22898     if (ret != 0) {
22899         ret = -10070;
22900         goto done;
22901     }
22902 
22903 done:
22904 
22905 #ifdef WOLFSSL_SMALL_STACK
22906     if (key2 != NULL) {
22907         wc_ecc_free(key2);
22908         XFREE(key2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
22909     }
22910     if (key3 != NULL) {
22911         wc_ecc_free(key3);
22912         XFREE(key3, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
22913     }
22914 #else
22915     wc_ecc_free(key3);
22916     wc_ecc_free(key2);
22917 #endif
22918 
22919     return ret;
22920 }
22921 #endif
22922 
22923 #if defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG)
22924 static int ecc_ssh_test(ecc_key* key, WC_RNG* rng)
22925 {
22926     int    ret;
22927     byte   out[128];
22928     word32 outLen = sizeof(out);
22929 
22930     /* Parameter Validation testing. */
22931     ret = wc_ecc_shared_secret_ssh(NULL, &key->pubkey, out, &outLen);
22932     if (ret != BAD_FUNC_ARG)
22933         return -10080;
22934     ret = wc_ecc_shared_secret_ssh(key, NULL, out, &outLen);
22935     if (ret != BAD_FUNC_ARG)
22936         return -10081;
22937     ret = wc_ecc_shared_secret_ssh(key, &key->pubkey, NULL, &outLen);
22938     if (ret != BAD_FUNC_ARG)
22939         return -10082;
22940     ret = wc_ecc_shared_secret_ssh(key, &key->pubkey, out, NULL);
22941     if (ret != BAD_FUNC_ARG)
22942         return -10083;
22943 
22944 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
22945     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
22946     !defined(HAVE_SELFTEST)
22947     ret = wc_ecc_set_rng(key, rng);
22948     if (ret != 0)
22949         return -10084;
22950 #else
22951     (void)rng;
22952 #endif
22953 
22954     /* Use API. */
22955     ret = 0;
22956     do {
22957     #if defined(WOLFSSL_ASYNC_CRYPT)
22958         ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
22959     #endif
22960         if (ret == 0)
22961             ret = wc_ecc_shared_secret_ssh(key, &key->pubkey, out, &outLen);
22962     } while (ret == WC_PENDING_E);
22963     if (ret != 0)
22964         return -10085;
22965 
22966     TEST_SLEEP();
22967     return 0;
22968 }
22969 #endif /* HAVE_ECC_DHE && !WC_NO_RNG */
22970 
22971 static int ecc_def_curve_test(WC_RNG *rng)
22972 {
22973     int     ret;
22974 #ifdef WOLFSSL_SMALL_STACK
22975     ecc_key *key = (ecc_key *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
22976 #else
22977     ecc_key key[1];
22978 #endif
22979 #if (defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)) || \
22980     (defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT))
22981     word32 idx = 0;
22982 #endif
22983 
22984 #ifdef WOLFSSL_SMALL_STACK
22985     if (key == NULL)
22986         ERROR_OUT(MEMORY_E, done);
22987 #endif
22988 
22989     wc_ecc_init_ex(key, HEAP_HINT, devId);
22990 
22991     /* Use API */
22992     ret = wc_ecc_set_flags(NULL, 0);
22993     if (ret != BAD_FUNC_ARG) {
22994         ret = -10090;
22995         goto done;
22996     }
22997     ret = wc_ecc_set_flags(key, 0);
22998     if (ret != 0) {
22999         ret = -10091;
23000         goto done;
23001     }
23002 
23003 #ifndef WC_NO_RNG
23004     ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, key);
23005     #if defined(WOLFSSL_ASYNC_CRYPT)
23006     ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
23007     #endif
23008     if (ret != 0) {
23009         goto done;
23010     }
23011 
23012     #ifndef NO_SIG_WRAPPER
23013     ret = ecc_sig_test(rng, key);
23014     if (ret < 0)
23015         goto done;
23016     #endif
23017     TEST_SLEEP();
23018 
23019     #if defined(HAVE_ECC_DHE) && !defined(WOLFSSL_CRYPTOCELL)
23020     ret = ecc_ssh_test(key, rng);
23021     if (ret < 0)
23022         goto done;
23023     #endif
23024 
23025     wc_ecc_free(key);
23026 #else
23027     (void)rng;
23028 #endif /* !WC_NO_RNG */
23029 
23030 #if (defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)) || \
23031     (defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT))
23032     /* Use test ECC key - ensure real private "d" exists */
23033     #ifdef USE_CERT_BUFFERS_256
23034     ret = wc_EccPrivateKeyDecode(ecc_key_der_256, &idx, key,
23035         sizeof_ecc_key_der_256);
23036     #else
23037     {
23038         XFILE file = XFOPEN("./certs/ecc-key.der", "rb");
23039         byte der[128];
23040         word32 derSz;
23041         if (!file) {
23042             ERROR_OUT(-10093, done);
23043         }
23044         derSz = (word32)XFREAD(der, 1, sizeof(der), file);
23045         XFCLOSE(file);
23046         ret = wc_EccPrivateKeyDecode(der, &idx, key, derSz);
23047     }
23048     #endif
23049     if (ret != 0) {
23050         goto done;
23051     }
23052 
23053 #if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)
23054     ret = ecc_exp_imp_test(key);
23055     if (ret < 0)
23056         goto done;
23057 #endif
23058 #if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \
23059     !defined(WOLFSSL_CRYPTOCELL)
23060     ret = ecc_mulmod_test(key);
23061     if (ret < 0)
23062         goto done;
23063 #endif
23064 #endif
23065 
23066 done:
23067 
23068     wc_ecc_free(key);
23069 #ifdef WOLFSSL_SMALL_STACK
23070     if (key != NULL) {
23071         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23072     }
23073 #endif
23074 
23075     return ret;
23076 }
23077 #endif /* !NO_ECC256 || HAVE_ALL_CURVES */
23078 
23079 #ifdef WOLFSSL_CERT_EXT
23080 static int ecc_decode_test(void)
23081 {
23082     int        ret;
23083     word32     inSz;
23084     word32     inOutIdx;
23085 #ifdef WOLFSSL_SMALL_STACK
23086     ecc_key    *key = (ecc_key *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23087 #else
23088     ecc_key    key[1];
23089 #endif
23090 
23091     /* SECP256R1 OID: 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 */
23092 
23093     /* This is ecc_clikeypub_der_256. */
23094     WOLFSSL_SMALL_STACK_STATIC const byte good[] = {
23095             0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce,
23096             0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
23097             0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x55, 0xbf, 0xf4,
23098             0x0f, 0x44, 0x50, 0x9a, 0x3d, 0xce, 0x9b, 0xb7, 0xf0, 0xc5,
23099             0x4d, 0xf5, 0x70, 0x7b, 0xd4, 0xec, 0x24, 0x8e, 0x19, 0x80,
23100             0xec, 0x5a, 0x4c, 0xa2, 0x24, 0x03, 0x62, 0x2c, 0x9b, 0xda,
23101             0xef, 0xa2, 0x35, 0x12, 0x43, 0x84, 0x76, 0x16, 0xc6, 0x56,
23102             0x95, 0x06, 0xcc, 0x01, 0xa9, 0xbd, 0xf6, 0x75, 0x1a, 0x42,
23103             0xf7, 0xbd, 0xa9, 0xb2, 0x36, 0x22, 0x5f, 0xc7, 0x5d, 0x7f,
23104             0xb4 };
23105     WOLFSSL_SMALL_STACK_STATIC const byte badNoObjId[] = { 0x30, 0x08, 0x30, 0x06, 0x03, 0x04,
23106             0x00, 0x04, 0x01, 0x01 };
23107     WOLFSSL_SMALL_STACK_STATIC const byte badOneObjId[] = { 0x30, 0x0a, 0x30, 0x08, 0x06, 0x00,
23108             0x03, 0x04, 0x00, 0x04, 0x01, 0x01 };
23109     WOLFSSL_SMALL_STACK_STATIC const byte badObjId1Len[] = { 0x30, 0x0c, 0x30, 0x0a, 0x06, 0x09,
23110             0x06, 0x00, 0x03, 0x04, 0x00, 0x04, 0x01, 0x01 };
23111     WOLFSSL_SMALL_STACK_STATIC const byte badObj2d1Len[] = { 0x30, 0x0c, 0x30, 0x0a, 0x06, 0x00,
23112             0x06, 0x07, 0x03, 0x04, 0x00, 0x04, 0x01, 0x01 };
23113     WOLFSSL_SMALL_STACK_STATIC const byte badNotBitStr[] = { 0x30, 0x14, 0x30, 0x0b, 0x06, 0x00,
23114             0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
23115             0x04, 0x04, 0x00, 0x04, 0x01, 0x01 };
23116     WOLFSSL_SMALL_STACK_STATIC const byte badBitStrLen[] = { 0x30, 0x14, 0x30, 0x0b, 0x06, 0x00,
23117             0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
23118             0x03, 0x05, 0x00, 0x04, 0x01, 0x01 };
23119     WOLFSSL_SMALL_STACK_STATIC const byte badNoBitStrZero[] = { 0x30, 0x13, 0x30, 0x0a, 0x06, 0x00,
23120             0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
23121             0x03, 0x03, 0x04, 0x01, 0x01 };
23122     WOLFSSL_SMALL_STACK_STATIC const byte badPoint[] = { 0x30, 0x12, 0x30, 0x09, 0x06, 0x00,
23123             0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
23124             0x03, 0x03, 0x00, 0x04, 0x01 };
23125 
23126 #ifdef WOLFSSL_SMALL_STACK
23127     if (key == NULL)
23128         ERROR_OUT(MEMORY_E, done);
23129 #endif
23130 
23131     XMEMSET(key, 0, sizeof *key);
23132     wc_ecc_init_ex(key, HEAP_HINT, devId);
23133 
23134     inSz = sizeof(good);
23135     ret = wc_EccPublicKeyDecode(NULL, &inOutIdx, key, inSz);
23136     if (ret != BAD_FUNC_ARG) {
23137         ret = -10100;
23138         goto done;
23139     }
23140     ret = wc_EccPublicKeyDecode(good, NULL, key, inSz);
23141     if (ret != BAD_FUNC_ARG) {
23142         ret = -10101;
23143         goto done;
23144     }
23145     ret = wc_EccPublicKeyDecode(good, &inOutIdx, NULL, inSz);
23146     if (ret != BAD_FUNC_ARG) {
23147         ret = -10102;
23148         goto done;
23149     }
23150     ret = wc_EccPublicKeyDecode(good, &inOutIdx, key, 0);
23151     if (ret != BAD_FUNC_ARG) {
23152         ret = -10103;
23153         goto done;
23154     }
23155 
23156     /* Change offset to produce bad input data. */
23157     inOutIdx = 2;
23158     inSz = sizeof(good) - inOutIdx;
23159     ret = wc_EccPublicKeyDecode(good, &inOutIdx, key, inSz);
23160     if (ret != ASN_PARSE_E) {
23161         ret = -10104;
23162         goto done;
23163     }
23164     inOutIdx = 4;
23165     inSz = sizeof(good) - inOutIdx;
23166     ret = wc_EccPublicKeyDecode(good, &inOutIdx, key, inSz);
23167     if (ret != ASN_PARSE_E) {
23168         ret = -10105;
23169         goto done;
23170     }
23171     /* Bad data. */
23172     inSz = sizeof(badNoObjId);
23173     inOutIdx = 0;
23174     ret = wc_EccPublicKeyDecode(badNoObjId, &inOutIdx, key, inSz);
23175     if (ret != ASN_OBJECT_ID_E && ret != ASN_PARSE_E) {
23176         ret = -10106;
23177         goto done;
23178     }
23179     inSz = sizeof(badOneObjId);
23180     inOutIdx = 0;
23181     ret = wc_EccPublicKeyDecode(badOneObjId, &inOutIdx, key, inSz);
23182     if (ret != ASN_OBJECT_ID_E && ret != ASN_PARSE_E) {
23183         ret = -10107;
23184         goto done;
23185     }
23186     inSz = sizeof(badObjId1Len);
23187     inOutIdx = 0;
23188     ret = wc_EccPublicKeyDecode(badObjId1Len, &inOutIdx, key, inSz);
23189     if (ret != ASN_PARSE_E) {
23190         ret = -10108;
23191         goto done;
23192     }
23193     inSz = sizeof(badObj2d1Len);
23194     inOutIdx = 0;
23195     ret = wc_EccPublicKeyDecode(badObj2d1Len, &inOutIdx, key, inSz);
23196     if (ret != ASN_PARSE_E) {
23197         ret = -10109;
23198         goto done;
23199     }
23200     inSz = sizeof(badNotBitStr);
23201     inOutIdx = 0;
23202     ret = wc_EccPublicKeyDecode(badNotBitStr, &inOutIdx, key, inSz);
23203     if (ret != ASN_BITSTR_E && ret != ASN_PARSE_E) {
23204         ret = -10110;
23205         goto done;
23206     }
23207     inSz = sizeof(badBitStrLen);
23208     inOutIdx = 0;
23209     ret = wc_EccPublicKeyDecode(badBitStrLen, &inOutIdx, key, inSz);
23210     if (ret != ASN_PARSE_E) {
23211         ret = -10111;
23212         goto done;
23213     }
23214     inSz = sizeof(badNoBitStrZero);
23215     inOutIdx = 0;
23216     ret = wc_EccPublicKeyDecode(badNoBitStrZero, &inOutIdx, key, inSz);
23217     if (ret != ASN_EXPECT_0_E && ret != ASN_PARSE_E) {
23218         ret = -10112;
23219         goto done;
23220     }
23221     inSz = sizeof(badPoint);
23222     inOutIdx = 0;
23223     ret = wc_EccPublicKeyDecode(badPoint, &inOutIdx, key, inSz);
23224     if (ret != ASN_ECC_KEY_E && ret != ASN_PARSE_E) {
23225         ret = -10113;
23226         goto done;
23227     }
23228 
23229     inSz = sizeof(good);
23230     inOutIdx = 0;
23231     ret = wc_EccPublicKeyDecode(good, &inOutIdx, key, inSz);
23232     if (ret != 0) {
23233         ret = -10114;
23234         goto done;
23235     }
23236 
23237 done:
23238 
23239 #ifdef WOLFSSL_SMALL_STACK
23240     if (key != NULL) {
23241         wc_ecc_free(key);
23242         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23243     }
23244 #else
23245     wc_ecc_free(key);
23246 #endif
23247 
23248     return ret;
23249 }
23250 #endif /* WOLFSSL_CERT_EXT */
23251 
23252 #ifdef WOLFSSL_CUSTOM_CURVES
23253 static const byte eccKeyExplicitCurve[] = {
23254     0x30, 0x81, 0xf5, 0x30, 0x81, 0xae, 0x06, 0x07,
23255     0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x30,
23256     0x81, 0xa2, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06,
23257     0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01,
23258     0x02, 0x21, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
23259     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23260     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23261     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff,
23262     0xff, 0xfc, 0x2f, 0x30, 0x06, 0x04, 0x01, 0x00,
23263     0x04, 0x01, 0x07, 0x04, 0x41, 0x04, 0x79, 0xbe,
23264     0x66, 0x7e, 0xf9, 0xdc, 0xbb, 0xac, 0x55, 0xa0,
23265     0x62, 0x95, 0xce, 0x87, 0x0b, 0x07, 0x02, 0x9b,
23266     0xfc, 0xdb, 0x2d, 0xce, 0x28, 0xd9, 0x59, 0xf2,
23267     0x81, 0x5b, 0x16, 0xf8, 0x17, 0x98, 0x48, 0x3a,
23268     0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4,
23269     0xfb, 0xfc, 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17,
23270     0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, 0x9c, 0x47,
23271     0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8, 0x02, 0x21,
23272     0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23273     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23274     0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
23275     0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
23276     0x41, 0x02, 0x01, 0x01, 0x03, 0x42, 0x00, 0x04,
23277     0x3c, 0x4c, 0xc9, 0x5e, 0x2e, 0xa2, 0x3d, 0x49,
23278     0xcc, 0x5b, 0xff, 0x4f, 0xc9, 0x2e, 0x1d, 0x4a,
23279     0xc6, 0x21, 0xf6, 0xf3, 0xe6, 0x0b, 0x4f, 0xa9,
23280     0x9d, 0x74, 0x99, 0xdd, 0x97, 0xc7, 0x6e, 0xbe,
23281     0x14, 0x2b, 0x39, 0x9d, 0x63, 0xc7, 0x97, 0x0d,
23282     0x45, 0x25, 0x40, 0x30, 0x77, 0x05, 0x76, 0x88,
23283     0x38, 0x96, 0x29, 0x7d, 0x9c, 0xe1, 0x50, 0xbe,
23284     0xac, 0xf0, 0x1d, 0x86, 0xf4, 0x2f, 0x65, 0x0b
23285 };
23286 
23287 static int ecc_test_custom_curves(WC_RNG* rng)
23288 {
23289     int     ret;
23290     word32  inOutIdx;
23291 #ifdef WOLFSSL_SMALL_STACK
23292     ecc_key *key = (ecc_key *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23293 #else
23294     ecc_key key[1];
23295 #endif
23296 
23297     /* test use of custom curve - using BRAINPOOLP256R1 for test */
23298 #ifdef HAVE_ECC_BRAINPOOL
23299     #ifndef WOLFSSL_ECC_CURVE_STATIC
23300         WOLFSSL_SMALL_STACK_STATIC const ecc_oid_t ecc_oid_brainpoolp256r1[] = {
23301             0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07
23302         };
23303         #define ecc_oid_brainpoolp256r1_sz \
23304               (sizeof(ecc_oid_brainpoolp256r1) / sizeof(ecc_oid_t))
23305     #else
23306         #define ecc_oid_brainpoolp256r1 { \
23307             0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07 \
23308         }
23309         #define ecc_oid_brainpoolp256r1_sz 9
23310     #endif
23311     #define ecc_oid_brainpoolp256r1_sum 104
23312 
23313     WOLFSSL_SMALL_STACK_STATIC const ecc_set_type ecc_dp_brainpool256r1 = {
23314         32,                                                                 /* size/bytes */
23315         ECC_CURVE_CUSTOM,                                                   /* ID         */
23316         "BRAINPOOLP256R1",                                                  /* curve name */
23317         "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", /* prime      */
23318         "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", /* A          */
23319         "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", /* B          */
23320         "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", /* order      */
23321         "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", /* Gx         */
23322         "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", /* Gy         */
23323         ecc_oid_brainpoolp256r1,                                            /* oid/oidSz  */
23324         ecc_oid_brainpoolp256r1_sz,
23325         ecc_oid_brainpoolp256r1_sum,                                        /* oid sum    */
23326         1,                                                                  /* cofactor   */
23327     };
23328 #endif /* HAVE_ECC_BRAINPOOL */
23329 
23330 #ifdef WOLFSSL_SMALL_STACK
23331     if (! key) {
23332         ret = MEMORY_E;
23333         goto done;
23334     }
23335 #endif
23336 
23337     XMEMSET(key, 0, sizeof *key);
23338 
23339 #ifdef HAVE_ECC_BRAINPOOL
23340     ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, ECC_CURVE_DEF,
23341         &ecc_dp_brainpool256r1);
23342     if (ret != 0) {
23343         printf("ECC test for custom curve failed! %d\n", ret);
23344         goto done;
23345     }
23346 #endif
23347 
23348 #if defined(HAVE_ECC_BRAINPOOL) || defined(HAVE_ECC_KOBLITZ)
23349     {
23350         int curve_id;
23351         #ifdef HAVE_ECC_BRAINPOOL
23352             curve_id = ECC_BRAINPOOLP256R1;
23353         #else
23354             curve_id = ECC_SECP256K1;
23355         #endif
23356         /* Test and demonstrate use of non-SECP curve */
23357         ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, curve_id, NULL);
23358         if (ret < 0) {
23359             printf("ECC test for curve_id %d failed! %d\n", curve_id, ret);
23360             goto done;
23361         }
23362     }
23363 #endif
23364 
23365     ret = wc_ecc_init_ex(key, HEAP_HINT, devId);
23366     if (ret != 0) {
23367         ret = -10120;
23368         goto done;
23369     }
23370 
23371     inOutIdx = 0;
23372     ret = wc_EccPublicKeyDecode(eccKeyExplicitCurve, &inOutIdx, key,
23373                                                    sizeof(eccKeyExplicitCurve));
23374     if (ret != 0)
23375         ret = -10121;
23376 
23377   done:
23378 
23379 #ifdef WOLFSSL_SMALL_STACK
23380     if (key) {
23381         wc_ecc_free(key);
23382         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23383     }
23384 #else
23385     wc_ecc_free(key);
23386 #endif
23387 
23388     (void)rng;
23389 
23390     return ret;
23391 }
23392 #endif /* WOLFSSL_CUSTOM_CURVES */
23393 
23394 #ifdef WOLFSSL_CERT_GEN
23395 
23396 /* Make Cert / Sign example for ECC cert and ECC CA */
23397 static int ecc_test_cert_gen(WC_RNG* rng)
23398 {
23399     int ret;
23400 #ifdef WOLFSSL_SMALL_STACK
23401     Cert        *myCert = (Cert *)XMALLOC(sizeof *myCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23402     #ifdef WOLFSSL_TEST_CERT
23403     DecodedCert *decode = (DecodedCert *)XMALLOC(sizeof *decode, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23404     #endif
23405     ecc_key *caEccKey = (ecc_key *)XMALLOC(sizeof *caEccKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23406     ecc_key *certPubKey = (ecc_key *)XMALLOC(sizeof *certPubKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23407 #else
23408     Cert        myCert[1];
23409     #ifdef WOLFSSL_TEST_CERT
23410     DecodedCert decode[1];
23411     #endif
23412     ecc_key caEccKey[1];
23413     ecc_key certPubKey[1];
23414 #endif
23415     int         certSz;
23416     size_t      bytes;
23417     word32      idx = 0;
23418 #ifndef USE_CERT_BUFFERS_256
23419     XFILE       file;
23420 #endif
23421 #ifdef WOLFSSL_SMALL_STACK
23422     byte* der = NULL;
23423 #else
23424     byte der[FOURK_BUF];
23425 #endif
23426 
23427 #ifdef WOLFSSL_SMALL_STACK
23428     if ((myCert == NULL)
23429     #ifdef WOLFSSL_TEST_CERT
23430         || (decode == NULL)
23431     #endif
23432         || (caEccKey == NULL) || (certPubKey == NULL))
23433         ERROR_OUT(MEMORY_E, exit);
23434 #endif
23435 
23436     XMEMSET(caEccKey, 0, sizeof *caEccKey);
23437     XMEMSET(certPubKey, 0, sizeof *certPubKey);
23438 
23439 #ifdef WOLFSSL_SMALL_STACK
23440     der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23441     if (der == NULL) {
23442         ERROR_OUT(-10130, exit);
23443     }
23444 #endif
23445 
23446     /* Get cert private key */
23447 #ifdef ENABLE_ECC384_CERT_GEN_TEST
23448     /* Get Cert Key 384 */
23449 #ifdef USE_CERT_BUFFERS_256
23450     XMEMCPY(der, ca_ecc_key_der_384, sizeof_ca_ecc_key_der_384);
23451     bytes = sizeof_ca_ecc_key_der_384;
23452 #else
23453     file = XFOPEN(eccCaKey384File, "rb");
23454     if (!file) {
23455         ERROR_OUT(-10131, exit);
23456     }
23457 
23458     bytes = XFREAD(der, 1, FOURK_BUF, file);
23459     XFCLOSE(file);
23460     (void)eccCaKeyFile;
23461 #endif /* USE_CERT_BUFFERS_256 */
23462 #else
23463 #ifdef USE_CERT_BUFFERS_256
23464     XMEMCPY(der, ca_ecc_key_der_256, sizeof_ca_ecc_key_der_256);
23465     bytes = sizeof_ca_ecc_key_der_256;
23466 #else
23467     file = XFOPEN(eccCaKeyFile, "rb");
23468     if (!file) {
23469         ERROR_OUT(-10132, exit);
23470     }
23471     bytes = XFREAD(der, 1, FOURK_BUF, file);
23472     XFCLOSE(file);
23473 #ifdef ENABLE_ECC384_CERT_GEN_TEST
23474     (void)eccCaKey384File;
23475 #endif
23476 #endif /* USE_CERT_BUFFERS_256 */
23477 #endif /* ENABLE_ECC384_CERT_GEN_TEST */
23478 
23479     /* Get CA Key */
23480     ret = wc_ecc_init_ex(caEccKey, HEAP_HINT, devId);
23481     if (ret != 0) {
23482         ERROR_OUT(-10133, exit);
23483     }
23484     ret = wc_EccPrivateKeyDecode(der, &idx, caEccKey, (word32)bytes);
23485     if (ret != 0) {
23486         ERROR_OUT(-10134, exit);
23487     }
23488 
23489     /* Make a public key */
23490     ret = wc_ecc_init_ex(certPubKey, HEAP_HINT, devId);
23491     if (ret != 0) {
23492         ERROR_OUT(-10135, exit);
23493     }
23494 
23495     ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, certPubKey);
23496 #if defined(WOLFSSL_ASYNC_CRYPT)
23497     ret = wc_AsyncWait(ret, &certPubKey->asyncDev, WC_ASYNC_FLAG_NONE);
23498 #endif
23499     if (ret != 0) {
23500         ERROR_OUT(-10136, exit);
23501     }
23502     TEST_SLEEP();
23503 
23504     /* Setup Certificate */
23505     if (wc_InitCert_ex(myCert, HEAP_HINT, devId)) {
23506         ERROR_OUT(-10137, exit);
23507     }
23508 
23509 #ifndef NO_SHA256
23510     myCert->sigType = CTC_SHA256wECDSA;
23511 #else
23512     myCert->sigType = CTC_SHAwECDSA;
23513 #endif
23514     XMEMCPY(&myCert->subject, &certDefaultName, sizeof(CertName));
23515 
23516 #ifdef WOLFSSL_CERT_EXT
23517     /* add Policies */
23518     XSTRNCPY(myCert->certPolicies[0], "2.4.589440.587.101.2.1.9632587.1",
23519             CTC_MAX_CERTPOL_SZ);
23520     XSTRNCPY(myCert->certPolicies[1], "1.2.13025.489.1.113549",
23521             CTC_MAX_CERTPOL_SZ);
23522     myCert->certPoliciesNb = 2;
23523 
23524     /* add SKID from the Public Key */
23525     if (wc_SetSubjectKeyIdFromPublicKey(myCert, NULL, certPubKey) != 0) {
23526         ERROR_OUT(-10138, exit);
23527     }
23528 
23529     /* add AKID from the Public Key */
23530     if (wc_SetAuthKeyIdFromPublicKey(myCert, NULL, caEccKey) != 0) {
23531         ERROR_OUT(-10139, exit);
23532     }
23533 
23534     /* add Key Usage */
23535     if (wc_SetKeyUsage(myCert, certKeyUsage) != 0) {
23536         ERROR_OUT(-10140, exit);
23537     }
23538 #endif /* WOLFSSL_CERT_EXT */
23539 
23540 #ifdef ENABLE_ECC384_CERT_GEN_TEST
23541 #if defined(USE_CERT_BUFFERS_256)
23542     ret = wc_SetIssuerBuffer(myCert, ca_ecc_cert_der_384,
23543                                       sizeof_ca_ecc_cert_der_384);
23544 #else
23545     ret = wc_SetIssuer(myCert, eccCaCert384File);
23546     (void)eccCaCertFile;
23547 #endif
23548 #else
23549 #if defined(USE_CERT_BUFFERS_256)
23550     ret = wc_SetIssuerBuffer(myCert, ca_ecc_cert_der_256,
23551                                       sizeof_ca_ecc_cert_der_256);
23552 #else
23553     ret = wc_SetIssuer(myCert, eccCaCertFile);
23554     #ifdef ENABLE_ECC384_CERT_GEN_TEST
23555     (void)eccCaCert384File;
23556     #endif
23557 #endif
23558 #endif /* ENABLE_ECC384_CERT_GEN_TEST */
23559     if (ret < 0) {
23560         ERROR_OUT(-10141, exit);
23561     }
23562 
23563     certSz = wc_MakeCert(myCert, der, FOURK_BUF, NULL, certPubKey, rng);
23564     if (certSz < 0) {
23565         ERROR_OUT(-10142, exit);
23566     }
23567 
23568     ret = 0;
23569     do {
23570     #if defined(WOLFSSL_ASYNC_CRYPT)
23571         ret = wc_AsyncWait(ret, &caEccKey->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
23572     #endif
23573         if (ret >= 0) {
23574             ret = wc_SignCert(myCert->bodySz, myCert->sigType, der,
23575                               FOURK_BUF, NULL, caEccKey, rng);
23576         }
23577     } while (ret == WC_PENDING_E);
23578     if (ret < 0) {
23579         ERROR_OUT(-10143, exit);
23580     }
23581     certSz = ret;
23582     TEST_SLEEP();
23583 
23584 #ifdef WOLFSSL_TEST_CERT
23585     InitDecodedCert(decode, der, certSz, 0);
23586     ret = ParseCert(decode, CERT_TYPE, NO_VERIFY, 0);
23587     if (ret != 0) {
23588         FreeDecodedCert(decode);
23589         ERROR_OUT(-10144, exit);
23590 
23591     }
23592     FreeDecodedCert(decode);
23593 #endif
23594 
23595     ret = SaveDerAndPem(der, certSz, certEccDerFile, certEccPemFile,
23596         CERT_TYPE, -6735);
23597     if (ret != 0) {
23598         goto exit;
23599     }
23600 
23601 exit:
23602 #ifdef WOLFSSL_SMALL_STACK
23603     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23604 #endif
23605 
23606 #ifdef WOLFSSL_SMALL_STACK
23607     if (myCert != NULL)
23608         XFREE(myCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23609 #ifdef WOLFSSL_TEST_CERT
23610     if (decode != NULL)
23611         XFREE(decode, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23612 #endif
23613     if (caEccKey != NULL) {
23614         wc_ecc_free(caEccKey);
23615         XFREE(caEccKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23616     }
23617     if (certPubKey != NULL) {
23618         wc_ecc_free(certPubKey);
23619         XFREE(certPubKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
23620     }
23621 #else
23622     wc_ecc_free(certPubKey);
23623     wc_ecc_free(caEccKey);
23624 #endif
23625 
23626     return ret;
23627 }
23628 #endif /* WOLFSSL_CERT_GEN */
23629 
23630 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && !defined(WOLFSSL_NO_MALLOC)
23631 /* Test for the wc_ecc_key_new() and wc_ecc_key_free() functions. */
23632 static int ecc_test_allocator(WC_RNG* rng)
23633 {
23634     int ret = 0;
23635     ecc_key* key;
23636 #ifdef WC_NO_RNG
23637     word32 idx = 0;
23638 #endif
23639 
23640     key = wc_ecc_key_new(HEAP_HINT);
23641     if (key == NULL) {
23642         ERROR_OUT(-10150, exit);
23643     }
23644 
23645 #ifndef WC_NO_RNG
23646     ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, key);
23647     if (ret != 0) {
23648         ERROR_OUT(-10151, exit);
23649     }
23650 #else
23651     /* use test ECC key */
23652     ret = wc_EccPrivateKeyDecode(ecc_key_der_256, &idx, key,
23653         (word32)sizeof_ecc_key_der_256);
23654     (void)rng;
23655 #endif
23656 
23657 exit:
23658     wc_ecc_key_free(key);
23659     return ret;
23660 }
23661 #endif
23662 
23663 /* ECC Non-blocking tests for Sign and Verify */
23664 /* Requires SP math and supports P384 or P256 */
23665 /* ./configure --enable-ecc=nonblock --enable-sp=yes,nonblock CFLAGS="-DWOLFSSL_PUBLIC_MP" */
23666 #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_PUBLIC_MP) && \
23667     defined(HAVE_ECC_SIGN) && defined(HAVE_ECC_VERIFY)
23668 /* Test Data - Random */
23669 static const uint8_t kMsg[] = {
23670     0x69, 0xbc, 0x9f, 0xce, 0x68, 0x17, 0xc2, 0x10, 0xea, 0xfc, 0x10, 0x65, 0x67, 0x52, 0xed, 0x78,
23671     0x6e, 0xb8, 0x83, 0x9c, 0x9a, 0xb4, 0x56, 0x0d, 0xc1, 0x0d, 0x1f, 0x78, 0x6e, 0x75, 0xd7, 0xbe,
23672     0x92, 0x6b, 0x12, 0xf6, 0x76, 0x60, 0x8e, 0xb1, 0xf4, 0x19, 0x0c, 0x81, 0xe7, 0x54, 0x5e, 0xbc,
23673     0xe0, 0xae, 0xc2, 0x7d, 0x1b, 0xc4, 0x6e, 0xec, 0xb1, 0x99, 0x6c, 0xbf, 0x0e, 0x38, 0xa8, 0x01,
23674     0xa6, 0x9a, 0x48, 0x12, 0xe4, 0xc9, 0x3b, 0xf0, 0x63, 0x46, 0x15, 0xb4, 0x61, 0xa8, 0x1a, 0x60,
23675     0x71, 0x87, 0x98, 0xd7, 0x6f, 0x98, 0x7b, 0x2d, 0xb9, 0x19, 0x1b, 0x21, 0x9c, 0x70, 0x58, 0xe8,
23676     0x0d, 0x0f, 0xe9, 0x2d, 0x9a, 0x9a, 0xf1, 0x55, 0xa0, 0x4c, 0xd3, 0x07, 0xbd, 0x97, 0x48, 0xec,
23677     0x88, 0x0a, 0xaf, 0xb3, 0x80, 0x78, 0xa4, 0x59, 0x43, 0x57, 0xd3, 0xa7, 0x01, 0x66, 0x0e, 0xfc
23678 };
23679 
23680 /* ECC Private Key "d" */
23681 static const uint8_t kPrivKey[] = {
23682 #ifdef HAVE_ECC384
23683     /* SECP384R1 */
23684     /* d */
23685     0xa4, 0xe5, 0x06, 0xe8, 0x06, 0x16, 0x3e, 0xab,
23686     0x89, 0xf8, 0x60, 0x43, 0xc0, 0x60, 0x25, 0xdb,
23687     0xba, 0x7b, 0xfe, 0x19, 0x35, 0x08, 0x55, 0x65,
23688     0x76, 0xe2, 0xdc, 0xe0, 0x01, 0x8b, 0x6b, 0x68,
23689     0xdf, 0xcf, 0x6f, 0x80, 0x12, 0xce, 0x79, 0x37,
23690     0xeb, 0x2b, 0x9c, 0x7b, 0xc4, 0x68, 0x1c, 0x74
23691 #else
23692     /* SECP256R1 */
23693     /* d */
23694     0x1e, 0xe7, 0x70, 0x07, 0xd3, 0x30, 0x94, 0x39,
23695     0x28, 0x90, 0xdf, 0x23, 0x88, 0x2c, 0x4a, 0x34,
23696     0x15, 0xdb, 0x4c, 0x43, 0xcd, 0xfa, 0xe5, 0x1f,
23697     0x3d, 0x4c, 0x37, 0xfe, 0x59, 0x3b, 0x96, 0xd8
23698 #endif
23699 };
23700 
23701 /* ECC public key Qx/Qy */
23702 static const uint8_t kPubKey[] = {
23703 #ifdef HAVE_ECC384
23704     /* SECP384R1 */
23705     /* Qx */
23706     0xea, 0xcf, 0x93, 0x4f, 0x2c, 0x09, 0xbb, 0x39,
23707     0x14, 0x0f, 0x56, 0x64, 0xc3, 0x40, 0xb4, 0xdf,
23708     0x0e, 0x63, 0xae, 0xe5, 0x71, 0x4b, 0x00, 0xcc,
23709     0x04, 0x97, 0xff, 0xe1, 0xe9, 0x38, 0x96, 0xbb,
23710     0x5f, 0x91, 0xb2, 0x6a, 0xcc, 0xb5, 0x39, 0x5f,
23711     0x8f, 0x70, 0x59, 0xf1, 0x01, 0xf6, 0x5a, 0x2b,
23712     /* Qy */
23713     0x01, 0x6c, 0x68, 0x0b, 0xcf, 0x55, 0x25, 0xaf,
23714     0x6d, 0x98, 0x48, 0x0a, 0xa8, 0x74, 0xc9, 0xa9,
23715     0x17, 0xa0, 0x0c, 0xc3, 0xfb, 0xd3, 0x23, 0x68,
23716     0xfe, 0x04, 0x3c, 0x63, 0x50, 0x88, 0x3b, 0xb9,
23717     0x4f, 0x7c, 0x67, 0x34, 0xf7, 0x3b, 0xa9, 0x73,
23718     0xe7, 0x1b, 0xc3, 0x51, 0x5e, 0x22, 0x18, 0xec
23719 #else
23720     /* SECP256R1 */
23721     /* Qx */
23722     0x96, 0x93, 0x1c, 0x53, 0x0b, 0x43, 0x6c, 0x42,
23723     0x0c, 0x52, 0x90, 0xe4, 0xa7, 0xec, 0x98, 0xb1,
23724     0xaf, 0xd4, 0x14, 0x49, 0xd8, 0xc1, 0x42, 0x82,
23725     0x04, 0x78, 0xd1, 0x90, 0xae, 0xa0, 0x6c, 0x07,
23726     /* Qy */
23727     0xf2, 0x3a, 0xb5, 0x10, 0x32, 0x8d, 0xce, 0x9e,
23728     0x76, 0xa0, 0xd2, 0x8c, 0xf3, 0xfc, 0xa9, 0x94,
23729     0x43, 0x24, 0xe6, 0x82, 0x00, 0x40, 0xc6, 0xdb,
23730     0x1c, 0x2f, 0xcd, 0x38, 0x4b, 0x60, 0xdd, 0x61
23731 #endif
23732 };
23733 
23734 /* ECC Curve */
23735 #ifdef HAVE_ECC384
23736     /* SECP384R1 */
23737     #define ECC_CURVE_SZ 48
23738     #define ECC_CURVE_ID ECC_SECP384R1
23739 #else
23740     /* SECP256R1 */
23741     #define ECC_CURVE_SZ 32
23742     #define ECC_CURVE_ID ECC_SECP256R1
23743 #endif
23744 
23745 /* Hash Algorithm */
23746 #if defined(HAVE_ECC384) && defined(WOLFSSL_SHA3)
23747     #define HASH_DIGEST_SZ  WC_SHA3_384_DIGEST_SIZE
23748     #define HASH_SHA_VER    3
23749     #define CRYPTO_HASH_FN  crypto_sha3_384
23750 #elif defined(HAVE_ECC384) && defined(WOLFSSL_SHA384)
23751     #define HASH_DIGEST_SZ  WC_SHA384_DIGEST_SIZE
23752     #define HASH_SHA_VER    2
23753     #define CRYPTO_HASH_FN  crypto_sha2_384
23754 #elif !defined(NO_SHA256)
23755     #define HASH_DIGEST_SZ  WC_SHA256_DIGEST_SIZE
23756     #define HASH_SHA_VER    2
23757     #define CRYPTO_HASH_FN  crypto_sha2_256
23758 #else
23759     #error test configuration not supported
23760 #endif
23761 
23762 #if defined(HAVE_ECC384) && defined(WOLFSSL_SHA3)
23763 /* helper to perform hashing block by block */
23764 static int crypto_sha3_384(const uint8_t *buf, uint32_t len, uint8_t *hash,
23765     uint32_t hashSz, uint32_t blkSz)
23766 {
23767     int ret;
23768     uint32_t i = 0, chunk;
23769     wc_Sha3 sha3;
23770 
23771     /* validate arguments */
23772     if ((buf == NULL && len > 0) || hash == NULL ||
23773         hashSz < WC_SHA3_384_DIGEST_SIZE || blkSz == 0)
23774     {
23775         return BAD_FUNC_ARG;
23776     }
23777 
23778     /* Init Sha3_384 structure */
23779     ret = wc_InitSha3_384(&sha3, NULL, INVALID_DEVID);
23780     if (ret != 0) {
23781         return ret;
23782     }
23783     while (i < len) {
23784         chunk = blkSz;
23785         if ((chunk + i) > len)
23786             chunk = len - i;
23787         /* Perform chunked update */
23788         ret = wc_Sha3_384_Update(&sha3, (buf + i), chunk);
23789         if (ret != 0) {
23790             break;
23791         }
23792         i += chunk;
23793     }
23794     if (ret == 0) {
23795         /* Get final digest result */
23796         ret = wc_Sha3_384_Final(&sha3, hash);
23797     }
23798     return ret;
23799 }
23800 #elif defined(HAVE_ECC384) && defined(WOLFSSL_SHA384)
23801 /* helper to perform hashing block by block */
23802 static int crypto_sha2_384(const uint8_t *buf, uint32_t len, uint8_t *hash,
23803     uint32_t hashSz, uint32_t blkSz)
23804 {
23805     int ret;
23806     uint32_t i = 0, chunk;
23807     wc_Sha384 sha384;
23808 
23809     /* validate arguments */
23810     if ((buf == NULL && len > 0) || hash == NULL ||
23811         hashSz < WC_SHA384_DIGEST_SIZE || blkSz == 0)
23812     {
23813         return BAD_FUNC_ARG;
23814     }
23815 
23816     /* Init Sha384 structure */
23817     ret = wc_InitSha384(&sha384);
23818     if (ret != 0) {
23819         return ret;
23820     }
23821     while (i < len) {
23822         chunk = blkSz;
23823         if ((chunk + i) > len)
23824             chunk = len - i;
23825         /* Perform chunked update */
23826         ret = wc_Sha384Update(&sha384, (buf + i), chunk);
23827         if (ret != 0) {
23828             break;
23829         }
23830         i += chunk;
23831     }
23832     if (ret == 0) {
23833         /* Get final digest result */
23834         ret = wc_Sha384Final(&sha384, hash);
23835     }
23836     return ret;
23837 }
23838 #elif !defined(NO_SHA256)
23839 /* helper to perform hashing block by block */
23840 static int crypto_sha2_256(const uint8_t *buf, uint32_t len, uint8_t *hash,
23841     uint32_t hashSz, uint32_t blkSz)
23842 {
23843     int ret;
23844     uint32_t i = 0, chunk;
23845     wc_Sha256 sha256;
23846 
23847     /* validate arguments */
23848     if ((buf == NULL && len > 0) || hash == NULL ||
23849         hashSz < WC_SHA256_DIGEST_SIZE || blkSz == 0)
23850     {
23851         return BAD_FUNC_ARG;
23852     }
23853 
23854     /* Init Sha256 structure */
23855     ret = wc_InitSha256(&sha256);
23856     if (ret != 0) {
23857         return ret;
23858     }
23859     while (i < len) {
23860         chunk = blkSz;
23861         if ((chunk + i) > len)
23862             chunk = len - i;
23863         /* Perform chunked update */
23864         ret = wc_Sha256Update(&sha256, (buf + i), chunk);
23865         if (ret != 0) {
23866             break;
23867         }
23868         i += chunk;
23869     }
23870     if (ret == 0) {
23871         /* Get final digest result */
23872         ret = wc_Sha256Final(&sha256, hash);
23873     }
23874     return ret;
23875 }
23876 #endif
23877 
23878 /* perform verify of signature and hash using public key */
23879 /* key is public Qx + public Qy */
23880 /* sig is r + s */
23881 static int crypto_ecc_verify(const uint8_t *key, uint32_t keySz,
23882     const uint8_t *hash, uint32_t hashSz, const uint8_t *sig, uint32_t sigSz,
23883     uint32_t curveSz, int curveId)
23884 {
23885     int ret, verify_res = 0, count = 0;
23886     mp_int r, s;
23887     ecc_key ecc;
23888     ecc_nb_ctx_t nb_ctx;
23889 
23890     /* validate arguments */
23891     if (key == NULL || hash == NULL || sig == NULL || curveSz == 0 ||
23892         hashSz == 0 || keySz < (curveSz*2) || sigSz < (curveSz*2))
23893     {
23894         return BAD_FUNC_ARG;
23895     }
23896 
23897     /* Setup the ECC key */
23898     ret = wc_ecc_init(&ecc);
23899     if (ret < 0) {
23900         return ret;
23901     }
23902 
23903     ret = wc_ecc_set_nonblock(&ecc, &nb_ctx);
23904     if (ret != MP_OKAY) {
23905         wc_ecc_free(&ecc);
23906         return ret;
23907     }
23908 
23909     /* Setup the signature r/s variables */
23910     ret = mp_init(&r);
23911     if (ret != MP_OKAY) {
23912         wc_ecc_free(&ecc);
23913         return ret;
23914     }
23915     ret = mp_init(&s);
23916     if (ret != MP_OKAY) {
23917         mp_clear(&r);
23918         wc_ecc_free(&ecc);
23919         return ret;
23920     }
23921 
23922     /* Import public key x/y */
23923     ret = wc_ecc_import_unsigned(
23924         &ecc,
23925         (byte*)key,             /* Public "x" Coordinate */
23926         (byte*)(key + curveSz), /* Public "y" Coordinate */
23927         NULL,                   /* Private "d" (optional) */
23928         curveId                 /* ECC Curve Id */
23929     );
23930     /* Make sure it was a public key imported */
23931     if (ret == 0 && ecc.type != ECC_PUBLICKEY) {
23932         ret = ECC_BAD_ARG_E;
23933     }
23934 
23935     /* Import signature r/s */
23936     if (ret == 0) {
23937         ret = mp_read_unsigned_bin(&r, sig,  curveSz);
23938     }
23939     if (ret == 0) {
23940         ret = mp_read_unsigned_bin(&s, sig + curveSz, curveSz);
23941     }
23942 
23943     /* Verify ECC Signature */
23944     if (ret == 0) {
23945         do {
23946             ret = wc_ecc_verify_hash_ex(
23947                 &r, &s,       /* r/s as mp_int */
23948                 hash, hashSz, /* computed hash digest */
23949                 &verify_res,  /* verification result 1=success */
23950                 &ecc
23951             );
23952             count++;
23953 
23954             /* This is where real-time work could be called */
23955         } while (ret == FP_WOULDBLOCK);
23956     #ifdef DEBUG_WOLFSSL
23957         printf("ECC non-block verify: %d times\n", count);
23958     #endif
23959     }
23960 
23961     /* check verify result */
23962     if (ret == 0 && verify_res == 0) {
23963         ret = SIG_VERIFY_E;
23964     }
23965 
23966     mp_clear(&r);
23967     mp_clear(&s);
23968     wc_ecc_free(&ecc);
23969 
23970     (void)count;
23971 
23972     return ret;
23973 }
23974 
23975 /* perform signature operation against hash using private key */
23976 static int crypto_ecc_sign(const uint8_t *key, uint32_t keySz,
23977     const uint8_t *hash, uint32_t hashSz, uint8_t *sig, uint32_t* sigSz,
23978     uint32_t curveSz, int curveId, WC_RNG* rng)
23979 {
23980     int ret, count = 0;
23981     mp_int r, s;
23982     ecc_key ecc;
23983     ecc_nb_ctx_t nb_ctx;
23984 
23985     /* validate arguments */
23986     if (key == NULL || hash == NULL || sig == NULL || sigSz == NULL ||
23987         curveSz == 0 || hashSz == 0 || keySz < curveSz || *sigSz < (curveSz*2))
23988     {
23989         return BAD_FUNC_ARG;
23990     }
23991 
23992     /* Initialize signature result */
23993     memset(sig, 0, curveSz*2);
23994 
23995     /* Setup the ECC key */
23996     ret = wc_ecc_init(&ecc);
23997     if (ret < 0) {
23998         return ret;
23999     }
24000 
24001     ret = wc_ecc_set_nonblock(&ecc, &nb_ctx);
24002     if (ret != MP_OKAY) {
24003         wc_ecc_free(&ecc);
24004         return ret;
24005     }
24006 
24007     /* Setup the signature r/s variables */
24008     ret = mp_init(&r);
24009     if (ret != MP_OKAY) {
24010         wc_ecc_free(&ecc);
24011         return ret;
24012     }
24013     ret = mp_init(&s);
24014     if (ret != MP_OKAY) {
24015         mp_clear(&r);
24016         wc_ecc_free(&ecc);
24017         return ret;
24018     }
24019 
24020     /* Import private key "k" */
24021     ret = wc_ecc_import_private_key_ex(
24022         key, keySz, /* private key "d" */
24023         NULL, 0,    /* public (optional) */
24024         &ecc,
24025         curveId     /* ECC Curve Id */
24026     );
24027 
24028     if (ret == 0) {
24029         do {
24030             /* Verify ECC Signature */
24031             ret = wc_ecc_sign_hash_ex(
24032                 hash, hashSz, /* computed hash digest */
24033                 rng, &ecc,    /* random and key context */
24034                 &r, &s        /* r/s as mp_int */
24035             );
24036             count++;
24037 
24038             /* This is where real-time work could be called */
24039         } while (ret == FP_WOULDBLOCK);
24040 
24041     #ifdef DEBUG_WOLFSSL
24042         printf("ECC non-block sign: %d times\n", count);
24043     #endif
24044     }
24045 
24046     if (ret == 0) {
24047         /* export r/s */
24048         mp_to_unsigned_bin_len(&r, sig, curveSz);
24049         mp_to_unsigned_bin_len(&s, sig + curveSz, curveSz);
24050     }
24051 
24052     mp_clear(&r);
24053     mp_clear(&s);
24054     wc_ecc_free(&ecc);
24055 
24056     (void)count;
24057 
24058     return ret;
24059 }
24060 
24061 static int ecc_test_nonblock(WC_RNG* rng)
24062 {
24063     int ret;
24064     uint8_t hash[HASH_DIGEST_SZ];
24065     uint8_t sig[ECC_CURVE_SZ*2];
24066     uint32_t sigSz = sizeof(sig);
24067 
24068     ret = CRYPTO_HASH_FN(
24069         kMsg, sizeof(kMsg), /* input message */
24070         hash, sizeof(hash), /* hash digest result */
24071         32                  /* configurable block / chunk size */
24072     );
24073     if (ret == 0) {
24074         /* Sign hash using private key */
24075         /* Note: result of an ECC sign varies for each call even with same
24076             private key and hash. This is because a new random public key is
24077             used for each operation. */
24078         ret = crypto_ecc_sign(
24079             kPrivKey, sizeof(kPrivKey), /* private key */
24080             hash, sizeof(hash),         /* computed hash digest */
24081             sig, &sigSz,                /* signature r/s */
24082             ECC_CURVE_SZ,               /* curve size in bytes */
24083             ECC_CURVE_ID,               /* curve id */
24084             rng
24085         );
24086     }
24087 
24088     if (ret == 0) {
24089         /* Verify generated signature is valid */
24090         ret = crypto_ecc_verify(
24091             kPubKey, sizeof(kPubKey),   /* public key point x/y */
24092             hash, sizeof(hash),         /* computed hash digest */
24093             sig, sigSz,                 /* signature r/s */
24094             ECC_CURVE_SZ,               /* curve size in bytes */
24095             ECC_CURVE_ID                /* curve id */
24096         );
24097     }
24098 
24099     return ret;
24100 }
24101 #endif /* WC_ECC_NONBLOCK && WOLFSSL_PUBLIC_MP && HAVE_ECC_SIGN && HAVE_ECC_VERIFY */
24102 
24103 WOLFSSL_TEST_SUBROUTINE int ecc_test(void)
24104 {
24105     int ret;
24106     WC_RNG rng;
24107 
24108 #ifdef WOLFSSL_CERT_EXT
24109     ret = ecc_decode_test();
24110     if (ret < 0)
24111         return ret;
24112 #endif
24113 
24114 #ifndef HAVE_FIPS
24115     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
24116 #else
24117     ret = wc_InitRng(&rng);
24118 #endif
24119 #ifndef WC_NO_RNG
24120     if (ret != 0)
24121         return -10300;
24122 #else
24123     (void)ret;
24124 #endif
24125 
24126 #if (defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 112
24127     ret = ecc_test_curve(&rng, 14);
24128     if (ret < 0) {
24129         goto done;
24130     }
24131 #endif /* HAVE_ECC112 */
24132 #if (defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 128
24133     ret = ecc_test_curve(&rng, 16);
24134     if (ret < 0) {
24135         goto done;
24136     }
24137 #endif /* HAVE_ECC128 */
24138 #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
24139     ret = ecc_test_curve(&rng, 20);
24140     if (ret < 0) {
24141         goto done;
24142     }
24143 #endif /* HAVE_ECC160 */
24144 #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
24145     ret = ecc_test_curve(&rng, 24);
24146     if (ret < 0) {
24147         goto done;
24148     }
24149 #endif /* HAVE_ECC192 */
24150 #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
24151     ret = ecc_test_curve(&rng, 28);
24152     if (ret < 0) {
24153         goto done;
24154     }
24155 #endif /* HAVE_ECC224 */
24156 #if (defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 239
24157     ret = ecc_test_curve(&rng, 30);
24158     if (ret < 0) {
24159         goto done;
24160     }
24161 #endif /* HAVE_ECC239 */
24162 #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
24163     ret = ecc_test_curve(&rng, 32);
24164     if (ret < 0) {
24165         goto done;
24166     }
24167 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
24168     defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \
24169     !defined(WOLFSSL_NO_MALLOC)
24170     ret = ecc_point_test();
24171     if (ret < 0) {
24172         goto done;
24173     }
24174 #endif
24175     ret = ecc_def_curve_test(&rng);
24176     if (ret < 0) {
24177         goto done;
24178     }
24179 #endif /* !NO_ECC256 */
24180 #if (defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 320
24181     ret = ecc_test_curve(&rng, 40);
24182     if (ret < 0) {
24183         goto done;
24184     }
24185 #endif /* HAVE_ECC320 */
24186 #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
24187     ret = ecc_test_curve(&rng, 48);
24188     if (ret < 0) {
24189         goto done;
24190     }
24191 #endif /* HAVE_ECC384 */
24192 #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
24193     ret = ecc_test_curve(&rng, 64);
24194     if (ret < 0) {
24195         goto done;
24196     }
24197 #endif /* HAVE_ECC512 */
24198 #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
24199     ret = ecc_test_curve(&rng, 66);
24200     if (ret < 0) {
24201         goto done;
24202     }
24203 #endif /* HAVE_ECC521 */
24204 
24205 #if defined(WOLFSSL_CUSTOM_CURVES)
24206     ret = ecc_test_custom_curves(&rng);
24207     if (ret != 0) {
24208         goto done;
24209     }
24210 #endif
24211 
24212 #if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_DETERMINISTIC_K)
24213     ret = ecc_test_deterministic_k(&rng);
24214     if (ret != 0) {
24215         printf("ecc_test_deterministic_k failed! %d\n", ret);
24216         goto done;
24217     }
24218 #endif
24219 
24220 #if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_SET_K)
24221     ret = ecc_test_sign_vectors(&rng);
24222     if (ret != 0) {
24223         printf("ecc_test_sign_vectors failed! %d\n", ret);
24224         goto done;
24225     }
24226 #endif
24227 #ifdef HAVE_ECC_CDH
24228     ret = ecc_test_cdh_vectors(&rng);
24229     if (ret != 0) {
24230         printf("ecc_test_cdh_vectors failed! %d\n", ret);
24231         goto done;
24232     }
24233 #endif
24234 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
24235   !defined(WOLFSSL_STM32_PKA) && !defined(WOLFSSL_SILABS_SE_ACCEL)
24236     ret = ecc_test_make_pub(&rng);
24237     if (ret != 0) {
24238         printf("ecc_test_make_pub failed!: %d\n", ret);
24239         goto done;
24240     }
24241 #elif defined(HAVE_ECC_KEY_IMPORT)
24242     (void)ecc_test_make_pub; /* for compiler warning */
24243 #endif
24244 #ifdef WOLFSSL_CERT_GEN
24245     ret = ecc_test_cert_gen(&rng);
24246     if (ret != 0) {
24247         printf("ecc_test_cert_gen failed!: %d\n", ret);
24248         goto done;
24249     }
24250 #endif
24251 #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && !defined(WOLFSSL_NO_MALLOC)
24252     ret = ecc_test_allocator(&rng);
24253     if (ret != 0) {
24254         printf("ecc_test_allocator failed!: %d\n", ret);
24255         goto done;
24256     }
24257 #endif
24258 
24259 #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_PUBLIC_MP) && \
24260     defined(HAVE_ECC_SIGN) && defined(HAVE_ECC_VERIFY)
24261     ret = ecc_test_nonblock(&rng);
24262     if (ret != 0) {
24263         printf("ecc_test_nonblock failed!: %d\n", ret);
24264         goto done;
24265     }
24266 #endif
24267 
24268 done:
24269     wc_FreeRng(&rng);
24270 
24271     return ret;
24272 }
24273 
24274 #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_AES_CBC) && \
24275     defined(WOLFSSL_AES_128)
24276 
24277 #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
24278 static int ecc_encrypt_kat(WC_RNG *rng)
24279 {
24280     int ret = 0;
24281 #ifdef WOLFSSL_ECIES_OLD
24282 #ifdef WOLFSSL_SMALL_STACK
24283     ecc_key* userA = NULL;
24284 #else
24285     ecc_key  userA[1];
24286 #endif
24287     int      userAInit = 0;
24288 #endif
24289 #ifdef WOLFSSL_SMALL_STACK
24290     ecc_key* userB = NULL;
24291 #else
24292     ecc_key  userB[1];
24293 #endif
24294     int      userBInit = 0;
24295     ecc_key* tmpKey;
24296     byte     plain[48];
24297     word32   plainSz = sizeof(plain);
24298 
24299     WOLFSSL_SMALL_STACK_STATIC const byte privKey[] = {
24300         0x04, 0x80, 0xef, 0x1d, 0xbe, 0x02, 0x0c, 0x20,
24301         0x5b, 0xab, 0x80, 0x35, 0x5b, 0x2a, 0x0f, 0x6d,
24302         0xd3, 0xb0, 0x7f, 0x7e, 0x7f, 0x86, 0x8a, 0x49,
24303         0xee, 0xb4, 0xaa, 0x09, 0x2d, 0x1e, 0x1d, 0x02
24304     };
24305 #ifdef WOLFSSL_ECIES_OLD
24306     WOLFSSL_SMALL_STACK_STATIC const byte pubKey[] = {
24307         0x04,
24308         /* X */
24309         0x50, 0xf2, 0x93, 0xa2, 0x48, 0xa9, 0xc0, 0x5a,
24310         0x9a, 0xa7, 0x70, 0x34, 0xb7, 0x7f, 0x4c, 0x3a,
24311         0xad, 0xfc, 0xd8, 0xb6, 0x76, 0x0a, 0xe3, 0xc1,
24312         0x87, 0x17, 0x07, 0x2d, 0x8d, 0xa3, 0x63, 0xa0,
24313         /* X */
24314         0xc1, 0x27, 0xb2, 0x97, 0x9b, 0x84, 0xe7, 0xcd,
24315         0x20, 0x65, 0x8d, 0x2b, 0x6a, 0x93, 0x75, 0xaa,
24316         0x8b, 0xe1, 0x3a, 0x7b, 0x24, 0x1a, 0xbe, 0xe8,
24317         0x36, 0xd2, 0xe6, 0x34, 0x8a, 0x7a, 0xb3, 0x28
24318     };
24319 #endif
24320     WOLFSSL_SMALL_STACK_STATIC const byte enc_msg[] = {
24321 #ifdef WOLFSSL_ECIES_OLD
24322         0x42, 0x70, 0xbf, 0xf9, 0xf4, 0x7e, 0x4b, 0x9b,
24323         0xb5, 0x4c, 0xcc, 0xc5, 0x94, 0xa7, 0xef, 0xaa,
24324         0xc3, 0x7c, 0x85, 0xa6, 0x51, 0x6e, 0xd3, 0xfa,
24325         0x56, 0xc9, 0x10, 0x4d, 0x14, 0x32, 0x61, 0xb8,
24326         0xbb, 0x66, 0x7a, 0xb5, 0xbc, 0x95, 0xf8, 0xca,
24327         0xd1, 0x2a, 0x19, 0x51, 0x44, 0xd8, 0x0e, 0x57,
24328         0x34, 0xed, 0x45, 0x89, 0x2e, 0x57, 0xbe, 0xd5,
24329         0x06, 0x22, 0xd7, 0x13, 0x0a, 0x0e, 0x40, 0x36,
24330         0x0d, 0x05, 0x0d, 0xb6, 0xae, 0x61, 0x37, 0x18,
24331         0x83, 0x90, 0x0a, 0x27, 0x95, 0x41, 0x8c, 0x45
24332 #elif defined(WOLFSSL_ECIES_ISO18033)
24333         0x04, 0x50, 0xf2, 0x93, 0xa2, 0x48, 0xa9, 0xc0,
24334         0x5a, 0x9a, 0xa7, 0x70, 0x34, 0xb7, 0x7f, 0x4c,
24335         0x3a, 0xad, 0xfc, 0xd8, 0xb6, 0x76, 0x0a, 0xe3,
24336         0xc1, 0x87, 0x17, 0x07, 0x2d, 0x8d, 0xa3, 0x63,
24337         0xa0, 0xc1, 0x27, 0xb2, 0x97, 0x9b, 0x84, 0xe7,
24338         0xcd, 0x20, 0x65, 0x8d, 0x2b, 0x6a, 0x93, 0x75,
24339         0xaa, 0x8b, 0xe1, 0x3a, 0x7b, 0x24, 0x1a, 0xbe,
24340         0xe8, 0x36, 0xd2, 0xe6, 0x34, 0x8a, 0x7a, 0xb3,
24341         0x28, 0xbb, 0x9f, 0xa8, 0x2d, 0xe1, 0xf1, 0x67,
24342         0x45, 0x02, 0x19, 0xdc, 0xc8, 0x24, 0x8b, 0x20,
24343         0x02, 0xa0, 0x8f, 0x95, 0x12, 0x55, 0x51, 0xf8,
24344         0x03, 0xc4, 0x54, 0x13, 0x98, 0x2d, 0xf0, 0x31,
24345         0x51, 0x80, 0x45, 0x24, 0xcb, 0x8b, 0x48, 0xa6,
24346         0x8b, 0x8e, 0x97, 0x9c, 0x56, 0x4d, 0x70, 0x00,
24347         0x53, 0xd3, 0x47, 0x00, 0x5a, 0x23, 0x8c, 0xf9,
24348         0xfd, 0xd2, 0x33, 0x2c, 0x43, 0x6e, 0x9e, 0xb2,
24349         0xf4, 0x95, 0xd4, 0xcf, 0x30, 0xd6, 0xa2, 0xc5,
24350         0x35, 0x96, 0x6a, 0xd4, 0x36, 0x15, 0xa9, 0xbd,
24351         0x7f
24352 #else
24353         0x04, 0x50, 0xf2, 0x93, 0xa2, 0x48, 0xa9, 0xc0,
24354         0x5a, 0x9a, 0xa7, 0x70, 0x34, 0xb7, 0x7f, 0x4c,
24355         0x3a, 0xad, 0xfc, 0xd8, 0xb6, 0x76, 0x0a, 0xe3,
24356         0xc1, 0x87, 0x17, 0x07, 0x2d, 0x8d, 0xa3, 0x63,
24357         0xa0, 0xc1, 0x27, 0xb2, 0x97, 0x9b, 0x84, 0xe7,
24358         0xcd, 0x20, 0x65, 0x8d, 0x2b, 0x6a, 0x93, 0x75,
24359         0xaa, 0x8b, 0xe1, 0x3a, 0x7b, 0x24, 0x1a, 0xbe,
24360         0xe8, 0x36, 0xd2, 0xe6, 0x34, 0x8a, 0x7a, 0xb3,
24361         0x28, 0xe5, 0x17, 0xaf, 0x0d, 0x65, 0x4d, 0x3d,
24362         0x50, 0x96, 0x05, 0xc9, 0x63, 0x2c, 0xef, 0x1c,
24363         0x1f, 0x78, 0xc9, 0x90, 0x7a, 0x14, 0x00, 0xfc,
24364         0x44, 0x71, 0x6d, 0x57, 0x8c, 0xdf, 0x23, 0xca,
24365         0x65, 0xcf, 0x93, 0x06, 0xb6, 0x9a, 0xf4, 0x61,
24366         0xbd, 0x44, 0x1a, 0xeb, 0x52, 0x68, 0x0f, 0xd1,
24367         0xde, 0xc7, 0x3f, 0x6f, 0xce, 0xbe, 0x49, 0x61,
24368         0x48, 0x01, 0x77, 0x41, 0xd0, 0xd8, 0x5b, 0x48,
24369         0xca, 0x4e, 0x47, 0x3e, 0x47, 0xbf, 0x1d, 0x28,
24370         0x4c, 0x18, 0x1a, 0xfb, 0x96, 0x95, 0xda, 0xde,
24371         0x55
24372 #endif
24373     };
24374     WOLFSSL_SMALL_STACK_STATIC const byte msg[] = {
24375         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24376         0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
24377         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
24378         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
24379         0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
24380         0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
24381     };
24382 
24383 #ifdef WOLFSSL_SMALL_STACK
24384     userB = (ecc_key *)XMALLOC(sizeof(*userB), HEAP_HINT,
24385                                                        DYNAMIC_TYPE_TMP_BUFFER);
24386     if (userB == NULL) {
24387         ret = -10451;
24388     }
24389 #ifdef WOLFSSL_ECIES_OLD
24390     if (ret == 0) {
24391         userA = (ecc_key *)XMALLOC(sizeof(*userA), HEAP_HINT,
24392                                                        DYNAMIC_TYPE_TMP_BUFFER);
24393         if (userA == NULL) {
24394             ret = -10450;
24395         }
24396     }
24397 #endif
24398 #endif
24399 
24400     if (ret == 0) {
24401         ret = wc_ecc_init_ex(userB, HEAP_HINT, devId);
24402         if (ret != 0)
24403             ret = -10453;
24404     }
24405     if (ret == 0) {
24406         userBInit = 1;
24407 #ifdef WOLFSSL_ECIES_OLD
24408         ret = wc_ecc_init_ex(userA, HEAP_HINT, devId);
24409         if (ret != 0)
24410             ret = -10452;
24411     }
24412     if (ret == 0) {
24413         userAInit = 1;
24414         tmpKey = userA;
24415 #else
24416         tmpKey = NULL;
24417 #endif
24418     }
24419 
24420 
24421     if (ret == 0) {
24422         ret = wc_ecc_import_private_key_ex(privKey, sizeof(privKey), NULL, 0,
24423                                                           userB, ECC_SECP256R1);
24424         if (ret != 0)
24425             ret = -10454;
24426     }
24427 
24428 #ifdef WOLFSSL_ECIES_OLD
24429     if (ret == 0) {
24430         ret = wc_ecc_import_x963_ex(pubKey, sizeof(pubKey), userA,
24431                                                                  ECC_SECP256R1);
24432         if (ret != 0)
24433             ret = -10455;
24434     }
24435 #endif
24436 
24437 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
24438     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
24439     !defined(HAVE_SELFTEST)
24440     if (ret == 0) {
24441         ret = wc_ecc_set_rng(userB, rng);
24442         if (ret != 0) {
24443             ret = -10456;
24444         }
24445     }
24446 #else
24447     (void)rng;
24448 #endif
24449 
24450     if (ret == 0) {
24451         ret = wc_ecc_decrypt(userB, tmpKey, enc_msg, sizeof(enc_msg), plain,
24452                                                                 &plainSz, NULL);
24453         if (ret != 0)
24454             ret = -10457;
24455     }
24456     if (ret == 0) {
24457         if (XMEMCMP(plain, msg, sizeof(msg)) != 0) {
24458             ret = -10458;
24459         }
24460     }
24461 
24462     if (userBInit)
24463         wc_ecc_free(userB);
24464 #ifdef WOLFSSL_ECIES_OLD
24465     if (userAInit)
24466         wc_ecc_free(userA);
24467 #endif
24468 #ifdef WOLFSSL_SMALL_STACK
24469     if (userB != NULL) {
24470         XFREE(userB, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24471     }
24472 #ifdef WOLFSSL_ECIES_OLD
24473     if (userA != NULL) {
24474         XFREE(userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24475     }
24476 #endif
24477 #endif
24478 
24479     return ret;
24480 }
24481 #endif
24482 
24483 WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void)
24484 {
24485     WC_RNG  rng;
24486     int     ret = 0;
24487 #ifdef WOLFSSL_SMALL_STACK
24488     ecc_key *userA = (ecc_key *)XMALLOC(sizeof *userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER),
24489         *userB = (ecc_key *)XMALLOC(sizeof *userB, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER),
24490         *tmpKey = (ecc_key *)XMALLOC(sizeof *userB, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24491 #else
24492     ecc_key userA[1], userB[1], tmpKey[1];
24493 #endif
24494     byte    msg[48];
24495     byte    plain[48];
24496 #ifdef WOLFSSL_ECIES_OLD
24497     byte    out[80];
24498 #else
24499     byte    out[1 + ECC_KEYGEN_SIZE * 2 + 80];
24500 #endif
24501     word32  outSz   = sizeof(out);
24502     word32  plainSz = sizeof(plain);
24503     int     i;
24504     ecEncCtx* cliCtx = NULL;
24505     ecEncCtx* srvCtx = NULL;
24506     byte cliSalt[EXCHANGE_SALT_SZ];
24507     byte srvSalt[EXCHANGE_SALT_SZ];
24508     const byte* tmpSalt;
24509     byte    msg2[48];
24510     byte    plain2[48];
24511 #ifdef WOLFSSL_ECIES_OLD
24512     byte    out2[80];
24513 #else
24514     byte    out2[1 + ECC_KEYGEN_SIZE * 2 + 80];
24515 #endif
24516     word32  outSz2   = sizeof(out2);
24517     word32  plainSz2 = sizeof(plain2);
24518 
24519 #ifndef HAVE_FIPS
24520     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
24521 #else
24522     ret = wc_InitRng(&rng);
24523 #endif
24524     if (ret != 0)
24525         return -10400;
24526 
24527 #ifdef WOLFSSL_SMALL_STACK
24528     if ((userA == NULL) ||
24529         (userB == NULL))
24530         ERROR_OUT(MEMORY_E, done);
24531 #endif
24532 
24533     XMEMSET(userA, 0, sizeof *userA);
24534     XMEMSET(userB, 0, sizeof *userB);
24535 
24536     ret = wc_ecc_init_ex(userA, HEAP_HINT, devId);
24537     if (ret != 0)
24538         goto done;
24539     ret = wc_ecc_init_ex(userB, HEAP_HINT, devId);
24540     if (ret != 0)
24541         goto done;
24542     ret = wc_ecc_init_ex(tmpKey, HEAP_HINT, devId);
24543     if (ret != 0)
24544         goto done;
24545 
24546     ret  = wc_ecc_make_key(&rng, ECC_KEYGEN_SIZE, userA);
24547 #if defined(WOLFSSL_ASYNC_CRYPT)
24548     ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_NONE);
24549 #endif
24550     if (ret != 0){
24551         ret = -10401; goto done;
24552     }
24553 
24554     ret = wc_ecc_make_key(&rng, ECC_KEYGEN_SIZE, userB);
24555 #if defined(WOLFSSL_ASYNC_CRYPT)
24556     ret = wc_AsyncWait(ret, &userB->asyncDev, WC_ASYNC_FLAG_NONE);
24557 #endif
24558     if (ret != 0){
24559         ret = -10402; goto done;
24560     }
24561 
24562     /* set message to incrementing 0,1,2,etc... */
24563     for (i = 0; i < (int)sizeof(msg); i++)
24564         msg[i] = i;
24565 
24566 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
24567     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
24568     !defined(HAVE_SELFTEST)
24569     ret = wc_ecc_set_rng(userA, &rng);
24570     if (ret != 0) {
24571         ret = -10403; goto done;
24572     }
24573     ret = wc_ecc_set_rng(userB, &rng);
24574     if (ret != 0) {
24575         ret = -10404; goto done;
24576     }
24577 #endif
24578 
24579     /* encrypt msg to B */
24580     ret = wc_ecc_encrypt(userA, userB, msg, sizeof(msg), out, &outSz, NULL);
24581     if (ret != 0) {
24582         ret = -10405; goto done;
24583     }
24584 
24585 #ifdef WOLFSSL_ECIES_OLD
24586     tmpKey->dp = userA->dp;
24587     ret = wc_ecc_copy_point(&userA->pubkey, &tmpKey->pubkey);
24588     if (ret != 0) {
24589         ret = -10413; goto done;
24590     }
24591 #endif
24592 
24593     /* decrypt msg from A */
24594     ret = wc_ecc_decrypt(userB, tmpKey, out, outSz, plain, &plainSz, NULL);
24595     if (ret != 0) {
24596         ret = -10406; goto done;
24597     }
24598 
24599     if (XMEMCMP(plain, msg, sizeof(msg)) != 0) {
24600         ret = -10407; goto done;
24601     }
24602 
24603 #ifndef WOLFSSL_ECIES_OLD
24604     /* A decrypts msg (response) from B */
24605     ret = wc_ecc_decrypt(userB, NULL, out, outSz, plain2, &plainSz2, NULL);
24606     if (ret != 0)
24607         goto done;
24608 
24609     if (XMEMCMP(plain, msg, sizeof(msg)) != 0) {
24610         ret = -10415; goto done;
24611     }
24612 #endif
24613 
24614     /* let's verify message exchange works, A is client, B is server */
24615     cliCtx = wc_ecc_ctx_new(REQ_RESP_CLIENT, &rng);
24616     srvCtx = wc_ecc_ctx_new(REQ_RESP_SERVER, &rng);
24617     if (cliCtx == NULL || srvCtx == NULL) {
24618         ret = -10408; goto done;
24619     }
24620 
24621     /* get salt to send to peer */
24622     tmpSalt = wc_ecc_ctx_get_own_salt(cliCtx);
24623     if (tmpSalt == NULL) {
24624         ret = -10409; goto done;
24625     }
24626     XMEMCPY(cliSalt, tmpSalt, EXCHANGE_SALT_SZ);
24627 
24628     tmpSalt = wc_ecc_ctx_get_own_salt(srvCtx);
24629     if (tmpSalt == NULL) {
24630         ret = -10410; goto done;
24631     }
24632     XMEMCPY(srvSalt, tmpSalt, EXCHANGE_SALT_SZ);
24633 
24634     /* in actual use, we'd get the peer's salt over the transport */
24635     ret = wc_ecc_ctx_set_peer_salt(cliCtx, srvSalt);
24636     if (ret != 0)
24637         goto done;
24638     ret = wc_ecc_ctx_set_peer_salt(srvCtx, cliSalt);
24639     if (ret != 0)
24640         goto done;
24641 
24642     ret = wc_ecc_ctx_set_info(cliCtx, (byte*)"wolfSSL MSGE", 11);
24643     if (ret != 0)
24644         goto done;
24645     ret = wc_ecc_ctx_set_info(srvCtx, (byte*)"wolfSSL MSGE", 11);
24646     if (ret != 0)
24647         goto done;
24648 
24649     /* get encrypted msg (request) to send to B */
24650     outSz = sizeof(out);
24651     ret = wc_ecc_encrypt(userA, userB, msg, sizeof(msg), out, &outSz,cliCtx);
24652     if (ret != 0)
24653         goto done;
24654 
24655 #ifndef WOLFSSL_ECIES_OLD
24656     wc_ecc_free(tmpKey);
24657 #endif
24658     /* B decrypts msg (request) from A */
24659     plainSz = sizeof(plain);
24660     ret = wc_ecc_decrypt(userB, tmpKey, out, outSz, plain, &plainSz, srvCtx);
24661     if (ret != 0)
24662         goto done;
24663 
24664     if (XMEMCMP(plain, msg, sizeof(msg)) != 0) {
24665         ret = -10411; goto done;
24666     }
24667 
24668     /* msg2 (response) from B to A */
24669     for (i = 0; i < (int)sizeof(msg2); i++)
24670         msg2[i] = i + sizeof(msg2);
24671 
24672     /* get encrypted msg (response) to send to B */
24673     ret = wc_ecc_encrypt(userB, userA, msg2, sizeof(msg2), out2,
24674                       &outSz2, srvCtx);
24675     if (ret != 0)
24676         goto done;
24677 
24678 #ifdef WOLFSSL_ECIES_OLD
24679     tmpKey->dp = userB->dp;
24680     ret = wc_ecc_copy_point(&userB->pubkey, &tmpKey->pubkey);
24681     if (ret != 0) {
24682         ret = -10414; goto done;
24683     }
24684 #else
24685     wc_ecc_free(tmpKey);
24686 #endif
24687 
24688     /* A decrypts msg (response) from B */
24689     ret = wc_ecc_decrypt(userA, tmpKey, out2, outSz2, plain2, &plainSz2,
24690                      cliCtx);
24691     if (ret != 0)
24692         goto done;
24693 
24694     if (XMEMCMP(plain2, msg2, sizeof(msg2)) != 0) {
24695         ret = -10412; goto done;
24696     }
24697 
24698 #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
24699     ret = ecc_encrypt_kat(&rng);
24700 #endif
24701 
24702 done:
24703 
24704     /* cleanup */
24705     wc_ecc_ctx_free(srvCtx);
24706     wc_ecc_ctx_free(cliCtx);
24707 
24708 #ifdef WOLFSSL_SMALL_STACK
24709     if (userA != NULL) {
24710         wc_ecc_free(userA);
24711         XFREE(userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24712     }
24713     if (userB != NULL) {
24714         wc_ecc_free(userB);
24715         XFREE(userB, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24716     }
24717     if (tmpKey != NULL) {
24718         wc_ecc_free(tmpKey);
24719         XFREE(tmpKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24720     }
24721 #else
24722     wc_ecc_free(tmpKey);
24723     wc_ecc_free(userB);
24724     wc_ecc_free(userA);
24725 #endif
24726 
24727     wc_FreeRng(&rng);
24728 
24729     return ret;
24730 }
24731 
24732 #endif /* HAVE_ECC_ENCRYPT && HAVE_AES_CBC && WOLFSSL_AES_128 */
24733 
24734 #if defined(USE_CERT_BUFFERS_256) && !defined(WOLFSSL_ATECC508A) && \
24735     !defined(WOLFSSL_ATECC608A) && !defined(NO_ECC256) && \
24736     defined(HAVE_ECC_VERIFY) && defined(HAVE_ECC_SIGN)
24737 WOLFSSL_TEST_SUBROUTINE int ecc_test_buffers(void)
24738 {
24739     size_t bytes;
24740 #ifdef WOLFSSL_SMALL_STACK
24741     ecc_key *cliKey = (ecc_key *)XMALLOC(sizeof *cliKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24742     ecc_key *servKey = (ecc_key *)XMALLOC(sizeof *servKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24743     ecc_key *tmpKey = (ecc_key *)XMALLOC(sizeof *tmpKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24744 #else
24745     ecc_key cliKey[1];
24746     ecc_key servKey[1];
24747     ecc_key tmpKey[1];
24748 #endif
24749     WC_RNG rng;
24750     word32 idx = 0;
24751     int    ret;
24752     /* pad our test message to 32 bytes so evenly divisible by AES_BLOCK_SZ */
24753     byte   in[] = "Everyone gets Friday off. ecc p";
24754     word32 inLen = (word32)XSTRLEN((char*)in);
24755     byte   out[256];
24756     byte   plain[256];
24757     int verify = 0;
24758     word32 x;
24759 
24760 #ifdef WOLFSSL_SMALL_STACK
24761     if ((cliKey == NULL) || (servKey == NULL) || (tmpKey == NULL))
24762         ERROR_OUT(MEMORY_E, done);
24763 #endif
24764 
24765     ret = wc_ecc_init_ex(cliKey, HEAP_HINT, devId);
24766     if (ret != 0)
24767         ERROR_OUT(-10420, done);
24768     ret = wc_ecc_init_ex(servKey, HEAP_HINT, devId);
24769     if (ret != 0)
24770         ERROR_OUT(-10421, done);
24771     ret = wc_ecc_init_ex(tmpKey, HEAP_HINT, devId);
24772     if (ret != 0)
24773         ERROR_OUT(-10421, done);
24774 
24775     bytes = (size_t)sizeof_ecc_clikey_der_256;
24776     /* place client key into ecc_key struct cliKey */
24777     ret = wc_EccPrivateKeyDecode(ecc_clikey_der_256, &idx, cliKey,
24778                                                                 (word32)bytes);
24779     if (ret != 0)
24780         ERROR_OUT(-10422, done);
24781 
24782     idx = 0;
24783     bytes = (size_t)sizeof_ecc_key_der_256;
24784 
24785     /* place server key into ecc_key struct servKey */
24786     ret = wc_EccPrivateKeyDecode(ecc_key_der_256, &idx, servKey,
24787                                                                 (word32)bytes);
24788     if (ret != 0)
24789         ERROR_OUT(-10423, done);
24790 
24791 #ifndef WC_NO_RNG
24792 #ifndef HAVE_FIPS
24793     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
24794 #else
24795     ret = wc_InitRng(&rng);
24796 #endif
24797     if (ret != 0)
24798         ERROR_OUT(-10424, done);
24799 
24800 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
24801     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
24802     !defined(HAVE_SELFTEST)
24803     ret = wc_ecc_set_rng(cliKey, &rng);
24804     if (ret != 0) {
24805         ERROR_OUT(-10425, done);
24806     }
24807     ret = wc_ecc_set_rng(servKey, &rng);
24808     if (ret != 0) {
24809         ERROR_OUT(-10425, done);
24810     }
24811 #endif
24812 #endif /* !WC_NO_RNG */
24813 
24814 #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_HKDF) && \
24815     defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
24816     {
24817         word32 y;
24818         /* test encrypt and decrypt if they're available */
24819         x = sizeof(out);
24820         ret = wc_ecc_encrypt(cliKey, servKey, in, sizeof(in), out, &x, NULL);
24821         if (ret < 0)
24822             ERROR_OUT(-10426, done);
24823 
24824     #ifdef WOLFSSL_ECIES_OLD
24825         tmpKey->dp = cliKey->dp;
24826         ret = wc_ecc_copy_point(&cliKey->pubkey, &tmpKey->pubkey);
24827         if (ret != 0) {
24828             ret = -10414; goto done;
24829         }
24830     #endif
24831 
24832         y = sizeof(plain);
24833         ret = wc_ecc_decrypt(servKey, tmpKey, out, x, plain, &y, NULL);
24834         if (ret < 0)
24835             ERROR_OUT(-10427, done);
24836 
24837         if (XMEMCMP(plain, in, inLen))
24838             ERROR_OUT(-10428, done);
24839     }
24840 #endif
24841 
24842     x = sizeof(out);
24843     do {
24844     #if defined(WOLFSSL_ASYNC_CRYPT)
24845         ret = wc_AsyncWait(ret, cliKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
24846     #endif
24847         if (ret == 0)
24848             ret = wc_ecc_sign_hash(in, inLen, out, &x, &rng, cliKey);
24849     } while (ret == WC_PENDING_E);
24850     if (ret < 0)
24851         ERROR_OUT(-10429, done);
24852     TEST_SLEEP();
24853 
24854     XMEMSET(plain, 0, sizeof(plain));
24855 
24856     do {
24857     #if defined(WOLFSSL_ASYNC_CRYPT)
24858         ret = wc_AsyncWait(ret, cliKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
24859     #endif
24860         if (ret == 0)
24861             ret = wc_ecc_verify_hash(out, x, in, inLen, &verify,
24862                 cliKey);
24863     } while (ret == WC_PENDING_E);
24864     if (ret < 0)
24865         ERROR_OUT(-10430, done);
24866 
24867     if (verify != 1)
24868         ERROR_OUT(-10431, done);
24869     TEST_SLEEP();
24870 
24871 #ifdef WOLFSSL_CERT_EXT
24872     idx = 0;
24873 
24874     bytes = sizeof_ecc_clikeypub_der_256;
24875 
24876     ret = wc_EccPublicKeyDecode(ecc_clikeypub_der_256, &idx, cliKey,
24877                                                                (word32) bytes);
24878     if (ret != 0)
24879         ERROR_OUT(-10432, done);
24880 #endif
24881 
24882     ret = 0;
24883 
24884   done:
24885 
24886 #ifdef WOLFSSL_SMALL_STACK
24887     if (cliKey != NULL) {
24888         wc_ecc_free(cliKey);
24889         XFREE(cliKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24890     }
24891     if (servKey != NULL) {
24892         wc_ecc_free(servKey);
24893         XFREE(servKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24894     }
24895     if (tmpKey != NULL) {
24896         wc_ecc_free(tmpKey);
24897         XFREE(tmpKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
24898     }
24899 #else
24900     wc_ecc_free(cliKey);
24901     wc_ecc_free(servKey);
24902     wc_ecc_free(tmpKey);
24903 #endif
24904 
24905     wc_FreeRng(&rng);
24906 
24907     return ret;
24908 }
24909 #endif /* USE_CERT_BUFFERS_256 && !WOLFSSL_ATECCX08A && !NO_ECC256 */
24910 #endif /* HAVE_ECC */
24911 
24912 
24913 #ifdef HAVE_CURVE25519
24914 #if defined(HAVE_CURVE25519_SHARED_SECRET) && \
24915                                              defined(HAVE_CURVE25519_KEY_IMPORT)
24916 #ifdef CURVE25519_OVERFLOW_ALL_TESTS
24917 #define X25519_TEST_CNT    5
24918 #else
24919 #define X25519_TEST_CNT    1
24920 #endif
24921 static int curve25519_overflow_test(void)
24922 {
24923     /* secret key for party a */
24924     byte sa[X25519_TEST_CNT][32] = {
24925         {
24926             0x8d,0xaf,0x6e,0x7a,0xc1,0xeb,0x8d,0x30,
24927             0x99,0x86,0xd3,0x90,0x47,0x96,0x21,0x3c,
24928             0x3a,0x75,0xc0,0x7b,0x75,0x01,0x75,0xa3,
24929             0x81,0x4b,0xff,0x5a,0xbc,0x96,0x87,0x28
24930         },
24931 #ifdef CURVE25519_OVERFLOW_ALL_TESTS
24932         {
24933             0x9d,0x63,0x5f,0xce,0xe2,0xe8,0xd7,0xfb,
24934             0x68,0x77,0x0e,0x44,0xd1,0xad,0x87,0x2b,
24935             0xf4,0x65,0x06,0xb7,0xbb,0xdb,0xbe,0x6e,
24936             0x02,0x43,0x24,0xc7,0x3d,0x7b,0x88,0x60
24937         },
24938         {
24939             0x63,0xbf,0x76,0xa9,0x73,0xa0,0x09,0xb9,
24940             0xcc,0xc9,0x4d,0x47,0x2d,0x14,0x0e,0x52,
24941             0xa3,0x84,0x55,0xb8,0x7c,0xdb,0xce,0xb1,
24942             0xe4,0x5b,0x8a,0xb9,0x30,0xf1,0xa4,0xa0
24943         },
24944         {
24945             0x63,0xbf,0x76,0xa9,0x73,0xa0,0x09,0xb9,
24946             0xcc,0xc9,0x4d,0x47,0x2d,0x14,0x0e,0x52,
24947             0xa3,0x84,0x55,0xb8,0x7c,0xdb,0xce,0xb1,
24948             0xe4,0x5b,0x8a,0xb9,0x30,0xf1,0xa4,0xa0
24949         },
24950         {
24951             0x63,0xbf,0x76,0xa9,0x73,0xa0,0x09,0xb9,
24952             0xcc,0xc9,0x4d,0x47,0x2d,0x14,0x0e,0x52,
24953             0xa3,0x84,0x55,0xb8,0x7c,0xdb,0xce,0xb1,
24954             0xe4,0x5b,0x8a,0xb9,0x30,0xf1,0xa4,0xa0
24955         }
24956 #endif
24957     };
24958 
24959     /* public key for party b */
24960     byte pb[X25519_TEST_CNT][32] = {
24961         {
24962             0x7f,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
24963             0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
24964             0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
24965             0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xf0
24966         },
24967 #ifdef CURVE25519_OVERFLOW_ALL_TESTS
24968         {
24969             /* 0xff first byte in original - invalid! */
24970             0x7f,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
24971             0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
24972             0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
24973             0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xf0
24974         },
24975         {
24976             0x36,0x1a,0x74,0x87,0x28,0x59,0xe0,0xb6,
24977             0xe4,0x2b,0x17,0x9b,0x16,0xb0,0x3b,0xf8,
24978             0xb8,0x9f,0x2a,0x8f,0xc5,0x33,0x68,0x4f,
24979             0xde,0x4d,0xd8,0x80,0x63,0xe7,0xb4,0x0a
24980         },
24981         {
24982             0x00,0x80,0x38,0x59,0x19,0x3a,0x66,0x12,
24983             0xfd,0xa1,0xec,0x1c,0x40,0x84,0x40,0xbd,
24984             0x64,0x10,0x8b,0x53,0x81,0x21,0x03,0x2d,
24985             0x7d,0x33,0xb4,0x01,0x57,0x0d,0xe1,0x89
24986         },
24987         {
24988             0x1d,0xf8,0xf8,0x33,0x89,0x6c,0xb7,0xba,
24989             0x94,0x73,0xfa,0xc2,0x36,0xac,0xbe,0x49,
24990             0xaf,0x85,0x3e,0x93,0x5f,0xae,0xb2,0xc0,
24991             0xc8,0x80,0x8f,0x4a,0xaa,0xd3,0x55,0x2b
24992         }
24993 #endif
24994     };
24995 
24996     /* expected shared key */
24997     byte ss[X25519_TEST_CNT][32] = {
24998         {
24999             0x5c,0x4c,0x85,0x5f,0xfb,0x20,0x38,0xcc,
25000             0x55,0x16,0x5b,0x8a,0xa7,0xed,0x57,0x6e,
25001             0x35,0xaa,0x71,0x67,0x85,0x1f,0xb6,0x28,
25002             0x17,0x07,0x7b,0xda,0x76,0xdd,0xe0,0xb4
25003         },
25004 #ifdef CURVE25519_OVERFLOW_ALL_TESTS
25005         {
25006             0x33,0xf6,0xc1,0x34,0x62,0x92,0x06,0x02,
25007             0x95,0xdb,0x91,0x4c,0x5d,0x52,0x54,0xc7,
25008             0xd2,0x5b,0x24,0xb5,0x4f,0x33,0x59,0x79,
25009             0x9f,0x6d,0x7e,0x4a,0x4c,0x30,0xd6,0x38
25010         },
25011         {
25012             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25013             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25014             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25015             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02
25016         },
25017         {
25018             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25019             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25020             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25021             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x09
25022         },
25023         {
25024             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25025             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25026             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25027             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10
25028         }
25029 #endif
25030     };
25031 
25032     int ret = 0;
25033     int            i;
25034     word32         y;
25035     byte           shared[32];
25036     curve25519_key userA;
25037 
25038     wc_curve25519_init_ex(&userA, HEAP_HINT, devId);
25039 
25040     for (i = 0; i < X25519_TEST_CNT; i++) {
25041         if (wc_curve25519_import_private_raw(sa[i], sizeof(sa[i]), pb[i],
25042                                                   sizeof(pb[i]), &userA) != 0) {
25043             ret = -10500 - i; break;
25044         }
25045 
25046         /* test against known test vector */
25047         XMEMSET(shared, 0, sizeof(shared));
25048         y = sizeof(shared);
25049         if (wc_curve25519_shared_secret(&userA, &userA, shared, &y) != 0) {
25050             ret = -10510 - i; break;
25051         }
25052 
25053         if (XMEMCMP(ss[i], shared, y)) {
25054             ret = -10520 - i; break;
25055         }
25056     }
25057 
25058     wc_curve25519_free(&userA);
25059 
25060     return ret;
25061 }
25062 
25063 /* Test the wc_curve25519_check_public API.
25064  *
25065  * returns 0 on success and -ve on failure.
25066  */
25067 static int curve25519_check_public_test(void)
25068 {
25069     /* Little-endian values that will fail */
25070     byte fail_le[][CURVE25519_KEYSIZE] = {
25071         {
25072             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25073             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25074             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25075             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
25076         },
25077         {
25078             0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25079             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25080             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25081             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
25082         },
25083         {
25084             0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25085             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25086             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25087             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x81
25088         },
25089     };
25090     /* Big-endian values that will fail */
25091     byte fail_be[][CURVE25519_KEYSIZE] = {
25092         {
25093             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25094             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25095             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25096             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
25097         },
25098         {
25099             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25100             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25101             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25102             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
25103         },
25104         {
25105             0x81,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25106             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25107             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25108             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
25109         },
25110     };
25111     /* Good or valid public value */
25112     byte good[CURVE25519_KEYSIZE] = {
25113         0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25114         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25115         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
25116         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
25117     };
25118     int i;
25119 
25120     /* Parameter checks */
25121     /* NULL pointer */
25122     if (wc_curve25519_check_public(NULL, 0, EC25519_LITTLE_ENDIAN) !=
25123                                                                  BAD_FUNC_ARG) {
25124         return -10600;
25125     }
25126     if (wc_curve25519_check_public(NULL, 0, EC25519_BIG_ENDIAN) !=
25127                                                                  BAD_FUNC_ARG) {
25128         return -10601;
25129     }
25130     /* Length of 0 treated differently to other invalid lengths for TLS */
25131     if (wc_curve25519_check_public(good, 0, EC25519_LITTLE_ENDIAN) != BUFFER_E)
25132         return -10602;
25133     if (wc_curve25519_check_public(good, 0, EC25519_BIG_ENDIAN) != BUFFER_E)
25134         return -10603;
25135 
25136     /* Length not CURVE25519_KEYSIZE */
25137     for (i = 1; i < CURVE25519_KEYSIZE + 2; i++) {
25138         if (i == CURVE25519_KEYSIZE)
25139             continue;
25140         if (wc_curve25519_check_public(good, i, EC25519_LITTLE_ENDIAN) !=
25141                                                                 ECC_BAD_ARG_E) {
25142             return -10604 - i;
25143         }
25144         if (wc_curve25519_check_public(good, i, EC25519_BIG_ENDIAN) !=
25145                                                                 ECC_BAD_ARG_E) {
25146             return -10614 - i;
25147         }
25148     }
25149 
25150     /* Little-endian fail cases */
25151     for (i = 0; i < (int)(sizeof(fail_le) / sizeof(*fail_le)); i++) {
25152         if (wc_curve25519_check_public(fail_le[i], CURVE25519_KEYSIZE,
25153                                                   EC25519_LITTLE_ENDIAN) == 0) {
25154             return -10624 - i;
25155         }
25156     }
25157     /* Big-endian fail cases */
25158     for (i = 0; i < (int)(sizeof(fail_be) / sizeof(*fail_be)); i++) {
25159         if (wc_curve25519_check_public(fail_be[i], CURVE25519_KEYSIZE,
25160                                                      EC25519_BIG_ENDIAN) == 0) {
25161             return -10634 - i;
25162         }
25163     }
25164 
25165     /* Check a valid public value works! */
25166     if (wc_curve25519_check_public(good, CURVE25519_KEYSIZE,
25167                                                   EC25519_LITTLE_ENDIAN) != 0) {
25168         return -10644;
25169     }
25170     if (wc_curve25519_check_public(good, CURVE25519_KEYSIZE,
25171                                                      EC25519_BIG_ENDIAN) != 0) {
25172         return -10645;
25173     }
25174 
25175     return 0;
25176 }
25177 
25178 #endif /* HAVE_CURVE25519_SHARED_SECRET && HAVE_CURVE25519_KEY_IMPORT */
25179 
25180 #if !defined(NO_ASN) && defined(HAVE_CURVE25519_KEY_EXPORT) && \
25181     defined(HAVE_CURVE25519_KEY_IMPORT)
25182 static int curve255519_der_test(void)
25183 {
25184     int ret = 0;
25185     /* certs/statickeys/x25519.der */
25186     const byte kCurve25519PrivDer[] = {
25187         0x30, 0x2E, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x6E,
25188         0x04, 0x22, 0x04, 0x20, 0x78, 0x8E, 0x31, 0x5C, 0x33, 0xA9, 0x19, 0xC0,
25189         0x5E, 0x36, 0x70, 0x1B, 0xA4, 0xE8, 0xEF, 0xC1, 0x89, 0x8C, 0xB3, 0x15,
25190         0xC6, 0x79, 0xD3, 0xAC, 0x22, 0x00, 0xAE, 0xFA, 0xB3, 0xB7, 0x0F, 0x78
25191     };
25192     /* certs/statickeys/x25519-pub.der */
25193     const byte kCurve25519PubDer[] = {
25194         0x30, 0x2A, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x6E, 0x03, 0x21, 0x00,
25195         0x09, 0xBC, 0x8C, 0xC7, 0x45, 0x0D, 0xC1, 0xC2, 0x02, 0x57, 0x9A, 0x68,
25196         0x3A, 0xFD, 0x7A, 0xA8, 0xA5, 0x2F, 0xF0, 0x99, 0x39, 0x98, 0xEA, 0x26,
25197         0xA2, 0x5B, 0x38, 0xFD, 0x96, 0xDB, 0x2A, 0x26
25198     };
25199     curve25519_key key;
25200     byte output[128];
25201     word32 outputSz = 128;
25202     word32 idx;
25203 
25204     if (wc_curve25519_init_ex(&key, HEAP_HINT, devId) != 0) {
25205         return -10723;
25206     }
25207 
25208     /* Test decode / encode of Curve25519 private key only */
25209     if (ret == 0) {
25210         idx = 0;
25211         ret = wc_Curve25519PrivateKeyDecode(kCurve25519PrivDer, &idx, &key,
25212             (word32)sizeof(kCurve25519PrivDer));
25213     }
25214     if (ret == 0) {
25215         outputSz = (word32)sizeof(output);
25216         ret = wc_Curve25519PrivateKeyToDer(&key, output, outputSz);
25217         if (ret >= 0) {
25218             outputSz = ret;
25219             ret = 0;
25220         }
25221         else {
25222             ret = -10724;
25223         }
25224     }
25225     if (ret == 0 && (outputSz != (word32)sizeof(kCurve25519PrivDer) ||
25226                      XMEMCMP(output, kCurve25519PrivDer, outputSz) != 0)) {
25227         ret = -10725;
25228     }
25229 
25230     /* Test decode / encode of Curve25519 public key only */
25231     if (ret == 0) {
25232         idx = 0;
25233         ret = wc_Curve25519PublicKeyDecode(kCurve25519PubDer, &idx, &key,
25234             (word32)sizeof(kCurve25519PubDer));
25235     }
25236     if (ret == 0) {
25237         outputSz = (word32)sizeof(output);
25238         ret = wc_Curve25519PublicKeyToDer(&key, output, outputSz, 1);
25239         if (ret >= 0) {
25240             outputSz = ret;
25241             ret = 0;
25242         }
25243         else {
25244             ret = -10726;
25245         }
25246     }
25247     if (ret == 0 && (outputSz != (word32)sizeof(kCurve25519PubDer) ||
25248                      XMEMCMP(output, kCurve25519PubDer, outputSz) != 0)) {
25249         ret = -10727;
25250     }
25251 
25252     wc_curve25519_free(&key);
25253 
25254     return ret;
25255 }
25256 #endif /* !NO_ASN && HAVE_CURVE25519_KEY_EXPORT && HAVE_CURVE25519_KEY_IMPORT */
25257 
25258 WOLFSSL_TEST_SUBROUTINE int curve25519_test(void)
25259 {
25260     WC_RNG  rng;
25261     int ret;
25262 #ifdef HAVE_CURVE25519_SHARED_SECRET
25263     byte    sharedA[32];
25264     byte    sharedB[32];
25265     word32  y;
25266 #endif
25267 #ifdef HAVE_CURVE25519_KEY_EXPORT
25268     byte    exportBuf[32];
25269 #endif
25270     word32  x = 0;
25271     curve25519_key userA, userB, pubKey;
25272 
25273 #if defined(HAVE_CURVE25519_SHARED_SECRET) && \
25274                                              defined(HAVE_CURVE25519_KEY_IMPORT)
25275     /* test vectors from
25276        https://tools.ietf.org/html/draft-josefsson-tls-curve25519-03
25277      */
25278 
25279     /* secret key for party a */
25280     byte sa[] = {
25281         0x5A,0xC9,0x9F,0x33,0x63,0x2E,0x5A,0x76,
25282         0x8D,0xE7,0xE8,0x1B,0xF8,0x54,0xC2,0x7C,
25283         0x46,0xE3,0xFB,0xF2,0xAB,0xBA,0xCD,0x29,
25284         0xEC,0x4A,0xFF,0x51,0x73,0x69,0xC6,0x60
25285     };
25286 
25287     /* public key for party a */
25288     byte pa[] = {
25289         0x05,0x7E,0x23,0xEA,0x9F,0x1C,0xBE,0x8A,
25290         0x27,0x16,0x8F,0x6E,0x69,0x6A,0x79,0x1D,
25291         0xE6,0x1D,0xD3,0xAF,0x7A,0xCD,0x4E,0xEA,
25292         0xCC,0x6E,0x7B,0xA5,0x14,0xFD,0xA8,0x63
25293     };
25294 
25295     /* secret key for party b */
25296     byte sb[] = {
25297         0x47,0xDC,0x3D,0x21,0x41,0x74,0x82,0x0E,
25298         0x11,0x54,0xB4,0x9B,0xC6,0xCD,0xB2,0xAB,
25299         0xD4,0x5E,0xE9,0x58,0x17,0x05,0x5D,0x25,
25300         0x5A,0xA3,0x58,0x31,0xB7,0x0D,0x32,0x60
25301     };
25302 
25303     /* public key for party b */
25304     byte pb[] = {
25305         0x6E,0xB8,0x9D,0xA9,0x19,0x89,0xAE,0x37,
25306         0xC7,0xEA,0xC7,0x61,0x8D,0x9E,0x5C,0x49,
25307         0x51,0xDB,0xA1,0xD7,0x3C,0x28,0x5A,0xE1,
25308         0xCD,0x26,0xA8,0x55,0x02,0x0E,0xEF,0x04
25309     };
25310 
25311     /* expected shared key */
25312     byte ss[] = {
25313         0x61,0x45,0x0C,0xD9,0x8E,0x36,0x01,0x6B,
25314         0x58,0x77,0x6A,0x89,0x7A,0x9F,0x0A,0xEF,
25315         0x73,0x8B,0x99,0xF0,0x94,0x68,0xB8,0xD6,
25316         0xB8,0x51,0x11,0x84,0xD5,0x34,0x94,0xAB
25317     };
25318 #endif /* HAVE_CURVE25519_SHARED_SECRET */
25319 
25320     (void)x;
25321 
25322 #ifndef HAVE_FIPS
25323     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
25324 #else
25325     ret = wc_InitRng(&rng);
25326 #endif
25327     if (ret != 0)
25328         return -10700;
25329 
25330     wc_curve25519_init_ex(&userA, HEAP_HINT, devId);
25331     wc_curve25519_init_ex(&userB, HEAP_HINT, devId);
25332     wc_curve25519_init_ex(&pubKey, HEAP_HINT, devId);
25333 
25334     /* make curve25519 keys */
25335     if (wc_curve25519_make_key(&rng, 32, &userA) != 0)
25336         return -10701;
25337 
25338     if (wc_curve25519_make_key(&rng, 32, &userB) != 0)
25339         return -10702;
25340 
25341 #ifdef HAVE_CURVE25519_SHARED_SECRET
25342     /* find shared secret key */
25343     x = sizeof(sharedA);
25344     if ((ret = wc_curve25519_shared_secret(&userA, &userB, sharedA, &x)) != 0) {
25345         printf("wc_curve25519_shared_secret 1 %d\n", ret);
25346         return -10703;
25347     }
25348 
25349     y = sizeof(sharedB);
25350     if ((ret = wc_curve25519_shared_secret(&userB, &userA, sharedB, &y)) != 0) {
25351         printf("wc_curve25519_shared_secret 2 %d\n", ret);
25352         return -10704;
25353     }
25354 
25355     /* compare shared secret keys to test they are the same */
25356     if (y != x)
25357         return -10705;
25358 
25359     if (XMEMCMP(sharedA, sharedB, x))
25360         return -10706;
25361 #endif
25362 
25363 #ifdef HAVE_CURVE25519_KEY_EXPORT
25364     /* export a public key and import it for another user */
25365     x = sizeof(exportBuf);
25366     if (wc_curve25519_export_public(&userA, exportBuf, &x) != 0)
25367         return -10707;
25368 
25369 #ifdef HAVE_CURVE25519_KEY_IMPORT
25370     if (wc_curve25519_import_public(exportBuf, x, &pubKey) != 0)
25371         return -10708;
25372 #endif
25373 #endif
25374 
25375 #if defined(HAVE_CURVE25519_SHARED_SECRET) && \
25376                                              defined(HAVE_CURVE25519_KEY_IMPORT)
25377     /* test shared key after importing a public key */
25378     XMEMSET(sharedB, 0, sizeof(sharedB));
25379     y = sizeof(sharedB);
25380     if (wc_curve25519_shared_secret(&userB, &pubKey, sharedB, &y) != 0)
25381         return -10709;
25382 
25383     if (XMEMCMP(sharedA, sharedB, y))
25384         return -10710;
25385 
25386     /* import RFC test vectors and compare shared key */
25387     if (wc_curve25519_import_private_raw(sa, sizeof(sa), pa, sizeof(pa), &userA)
25388             != 0)
25389         return -10711;
25390 
25391     if (wc_curve25519_import_private_raw(sb, sizeof(sb), pb, sizeof(pb), &userB)
25392             != 0)
25393         return -10712;
25394 
25395     /* test against known test vector */
25396     XMEMSET(sharedB, 0, sizeof(sharedB));
25397     y = sizeof(sharedB);
25398     if (wc_curve25519_shared_secret(&userA, &userB, sharedB, &y) != 0)
25399         return -10713;
25400 
25401     if (XMEMCMP(ss, sharedB, y))
25402         return -10714;
25403 
25404     /* test swapping roles of keys and generating same shared key */
25405     XMEMSET(sharedB, 0, sizeof(sharedB));
25406     y = sizeof(sharedB);
25407     if (wc_curve25519_shared_secret(&userB, &userA, sharedB, &y) != 0)
25408         return -10715;
25409 
25410     if (XMEMCMP(ss, sharedB, y))
25411         return -10716;
25412 
25413     /* test with 1 generated key and 1 from known test vector */
25414     if (wc_curve25519_import_private_raw(sa, sizeof(sa), pa, sizeof(pa), &userA)
25415         != 0)
25416         return -10717;
25417 
25418     wc_curve25519_free(&userB);
25419     wc_curve25519_init_ex(&userB, HEAP_HINT, devId);
25420 
25421     if (wc_curve25519_make_key(&rng, 32, &userB) != 0)
25422         return -10718;
25423 
25424     x = sizeof(sharedA);
25425     if (wc_curve25519_shared_secret(&userA, &userB, sharedA, &x) != 0)
25426         return -10719;
25427 
25428     y = sizeof(sharedB);
25429     if (wc_curve25519_shared_secret(&userB, &userA, sharedB, &y) != 0)
25430         return -10720;
25431 
25432     /* compare shared secret keys to test they are the same */
25433     if (y != x)
25434         return -10721;
25435 
25436     if (XMEMCMP(sharedA, sharedB, x))
25437         return -10722;
25438 
25439     ret = curve25519_overflow_test();
25440     if (ret != 0)
25441         return ret;
25442     ret = curve25519_check_public_test();
25443     if (ret != 0)
25444         return ret;
25445 #endif /* HAVE_CURVE25519_SHARED_SECRET && HAVE_CURVE25519_KEY_IMPORT */
25446 
25447 #if !defined(NO_ASN) && defined(HAVE_CURVE25519_KEY_EXPORT) && \
25448     defined(HAVE_CURVE25519_KEY_IMPORT)
25449     ret = curve255519_der_test();
25450     if (ret != 0)
25451         return ret;
25452 #endif
25453 
25454     /* clean up keys when done */
25455     wc_curve25519_free(&pubKey);
25456     wc_curve25519_free(&userB);
25457     wc_curve25519_free(&userA);
25458 
25459     wc_FreeRng(&rng);
25460 
25461     return 0;
25462 }
25463 #endif /* HAVE_CURVE25519 */
25464 
25465 
25466 #ifdef HAVE_ED25519
25467 #ifdef WOLFSSL_TEST_CERT
25468 static int ed25519_test_cert(void)
25469 {
25470     DecodedCert  cert[2];
25471     DecodedCert* serverCert = NULL;
25472     DecodedCert* caCert = NULL;
25473 #ifdef HAVE_ED25519_VERIFY
25474     ed25519_key  key;
25475     ed25519_key* pubKey = NULL;
25476     int          verify;
25477 #endif /* HAVE_ED25519_VERIFY */
25478     int          ret;
25479     byte*        tmp;
25480     size_t       bytes;
25481     XFILE        file;
25482 
25483     tmp = (byte *)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
25484     if (tmp == NULL) {
25485         ERROR_OUT(-10730, done);
25486     }
25487 
25488 #ifdef USE_CERT_BUFFERS_256
25489     XMEMCPY(tmp, ca_ed25519_cert, sizeof_ca_ed25519_cert);
25490     bytes = sizeof_ca_ed25519_cert;
25491 #elif !defined(NO_FILESYSTEM)
25492     file = XFOPEN(caEd25519Cert, "rb");
25493     if (file == NULL) {
25494         ERROR_OUT(-10731, done);
25495     }
25496     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
25497     XFCLOSE(file);
25498 #else
25499     /* No certificate to use. */
25500     ERROR_OUT(-10732, done);
25501 #endif
25502 
25503     InitDecodedCert(&cert[0], tmp, (word32)bytes, 0);
25504     caCert = &cert[0];
25505     ret = ParseCert(caCert, CERT_TYPE, NO_VERIFY, NULL);
25506     if (ret != 0) {
25507         ERROR_OUT(-10733, done);
25508     }
25509 
25510 #ifdef USE_CERT_BUFFERS_256
25511     XMEMCPY(tmp, server_ed25519_cert, sizeof_server_ed25519_cert);
25512     bytes = sizeof_server_ed25519_cert;
25513 #elif !defined(NO_FILESYSTEM)
25514     file = XFOPEN(serverEd25519Cert, "rb");
25515     if (file == NULL) {
25516         ERROR_OUT(-10734, done);
25517     }
25518     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
25519     XFCLOSE(file);
25520 #else
25521     /* No certificate to use. */
25522     ERROR_OUT(-10735, done);
25523 #endif
25524 
25525     InitDecodedCert(&cert[1], tmp, (word32)bytes, 0);
25526     serverCert = &cert[1];
25527     ret = ParseCert(serverCert, CERT_TYPE, NO_VERIFY, NULL);
25528     if (ret != 0) {
25529         ERROR_OUT(-10736, done);
25530     }
25531 
25532 #ifdef HAVE_ED25519_VERIFY
25533     ret = wc_ed25519_init(&key);
25534     if (ret < 0) {
25535         ERROR_OUT(-10737, done);
25536     }
25537     pubKey = &key;
25538     ret = wc_ed25519_import_public(caCert->publicKey, caCert->pubKeySize,
25539                                                                         pubKey);
25540     if (ret < 0) {
25541         ERROR_OUT(-10738, done);
25542     }
25543 
25544     if (wc_ed25519_verify_msg(serverCert->signature, serverCert->sigLength,
25545                               serverCert->source + serverCert->certBegin,
25546                               serverCert->sigIndex - serverCert->certBegin,
25547                               &verify, pubKey) < 0 || verify != 1) {
25548         ERROR_OUT(-10739, done);
25549     }
25550 #endif /* HAVE_ED25519_VERIFY */
25551 
25552 done:
25553     if (tmp != NULL)
25554         XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
25555 #ifdef HAVE_ED25519_VERIFY
25556     wc_ed25519_free(pubKey);
25557 #endif /* HAVE_ED25519_VERIFY */
25558     if (caCert != NULL)
25559         FreeDecodedCert(caCert);
25560     if (serverCert != NULL)
25561         FreeDecodedCert(serverCert);
25562 
25563     return ret;
25564 }
25565 
25566 static int ed25519_test_make_cert(void)
25567 {
25568     WC_RNG       rng;
25569     Cert         cert;
25570     DecodedCert  decode;
25571     ed25519_key  key;
25572     ed25519_key* privKey = NULL;
25573     int          ret = 0;
25574     byte*        tmp = NULL;
25575 
25576     wc_InitCert_ex(&cert, HEAP_HINT, devId);
25577 
25578 #ifndef HAVE_FIPS
25579     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
25580 #else
25581     ret = wc_InitRng(&rng);
25582 #endif
25583     if (ret != 0)
25584         return -10750;
25585 
25586     wc_ed25519_init(&key);
25587     privKey = &key;
25588     wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, privKey);
25589 
25590     cert.daysValid = 365 * 2;
25591     cert.selfSigned = 1;
25592     XMEMCPY(&cert.issuer, &certDefaultName, sizeof(CertName));
25593     XMEMCPY(&cert.subject, &certDefaultName, sizeof(CertName));
25594     cert.isCA = 0;
25595 #ifdef WOLFSSL_CERT_EXT
25596     ret = wc_SetKeyUsage(&cert, certKeyUsage);
25597     if (ret < 0) {
25598         ERROR_OUT(-10751, done);
25599     }
25600     ret = wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, privKey);
25601     if (ret < 0) {
25602         ERROR_OUT(-10752, done);
25603     }
25604     ret = wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, privKey);
25605     if (ret < 0) {
25606         ERROR_OUT(-10753, done);
25607     }
25608 #endif
25609     tmp = (byte *)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
25610     if (tmp == NULL) {
25611         ERROR_OUT(-10754, done);
25612     }
25613 
25614     cert.sigType = CTC_ED25519;
25615     ret = wc_MakeCert_ex(&cert, tmp, FOURK_BUF, ED25519_TYPE, privKey, &rng);
25616     if (ret < 0) {
25617         ERROR_OUT(-10755, done);
25618     }
25619     ret = wc_SignCert_ex(cert.bodySz, cert.sigType, tmp, FOURK_BUF,
25620                                                    ED25519_TYPE, privKey, &rng);
25621     if (ret < 0) {
25622         ERROR_OUT(-10756, done);
25623     }
25624 
25625     InitDecodedCert(&decode, tmp, ret, HEAP_HINT);
25626     ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
25627     FreeDecodedCert(&decode);
25628     if (ret != 0) {
25629         ERROR_OUT(-10757, done);
25630     }
25631 
25632 done:
25633     if (tmp != NULL)
25634         XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
25635     wc_ed25519_free(privKey);
25636     wc_FreeRng(&rng);
25637     return ret;
25638 }
25639 #endif /* WOLFSSL_TEST_CERT */
25640 
25641 #if defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_KEY_EXPORT) && \
25642     defined(HAVE_ED25519_KEY_IMPORT)
25643 static int ed25519ctx_test(void)
25644 {
25645     int ret;
25646     byte   out[ED25519_SIG_SIZE];
25647     word32 outlen;
25648 #ifdef HAVE_ED25519_VERIFY
25649     int    verify = 0;
25650 #endif /* HAVE_ED25519_VERIFY */
25651     ed25519_key key;
25652 
25653     WOLFSSL_SMALL_STACK_STATIC const byte sKeyCtx[] = {
25654         0x03,0x05,0x33,0x4e,0x38,0x1a,0xf7,0x8f,
25655         0x14,0x1c,0xb6,0x66,0xf6,0x19,0x9f,0x57,
25656         0xbc,0x34,0x95,0x33,0x5a,0x25,0x6a,0x95,
25657         0xbd,0x2a,0x55,0xbf,0x54,0x66,0x63,0xf6
25658     };
25659 
25660     WOLFSSL_SMALL_STACK_STATIC const byte pKeyCtx[] = {
25661         0xdf,0xc9,0x42,0x5e,0x4f,0x96,0x8f,0x7f,
25662         0x0c,0x29,0xf0,0x25,0x9c,0xf5,0xf9,0xae,
25663         0xd6,0x85,0x1c,0x2b,0xb4,0xad,0x8b,0xfb,
25664         0x86,0x0c,0xfe,0xe0,0xab,0x24,0x82,0x92
25665     };
25666 
25667     WOLFSSL_SMALL_STACK_STATIC const byte sigCtx1[] = {
25668         0x55,0xa4,0xcc,0x2f,0x70,0xa5,0x4e,0x04,
25669         0x28,0x8c,0x5f,0x4c,0xd1,0xe4,0x5a,0x7b,
25670         0xb5,0x20,0xb3,0x62,0x92,0x91,0x18,0x76,
25671         0xca,0xda,0x73,0x23,0x19,0x8d,0xd8,0x7a,
25672         0x8b,0x36,0x95,0x0b,0x95,0x13,0x00,0x22,
25673         0x90,0x7a,0x7f,0xb7,0xc4,0xe9,0xb2,0xd5,
25674         0xf6,0xcc,0xa6,0x85,0xa5,0x87,0xb4,0xb2,
25675         0x1f,0x4b,0x88,0x8e,0x4e,0x7e,0xdb,0x0d
25676     };
25677 
25678     WOLFSSL_SMALL_STACK_STATIC const byte sigCtx2[] = {
25679         0xcc,0x5e,0x63,0xa2,0x7e,0x94,0xaf,0xd3,
25680         0x41,0x83,0x38,0xd2,0x48,0x6f,0xa9,0x2a,
25681         0xf9,0x91,0x7c,0x2d,0x98,0x9e,0x06,0xe5,
25682         0x02,0x77,0x72,0x1c,0x34,0x38,0x18,0xb4,
25683         0x21,0x96,0xbc,0x29,0x2e,0x68,0xf3,0x4d,
25684         0x85,0x9b,0xbe,0xad,0x17,0x9f,0x54,0x54,
25685         0x2d,0x4b,0x04,0xdc,0xfb,0xfa,0x4a,0x68,
25686         0x4e,0x39,0x50,0xfb,0x1c,0xcd,0x8d,0x0d
25687     };
25688 
25689     WOLFSSL_SMALL_STACK_STATIC const byte msgCtx[] = {
25690         0xf7,0x26,0x93,0x6d,0x19,0xc8,0x00,0x49,
25691         0x4e,0x3f,0xda,0xff,0x20,0xb2,0x76,0xa8
25692     };
25693 
25694     WOLFSSL_SMALL_STACK_STATIC const byte contextCtx[] = {
25695         0x66,0x6f,0x6f
25696     };
25697 
25698     outlen = sizeof(out);
25699     XMEMSET(out, 0, sizeof(out));
25700 
25701     ret = wc_ed25519_init_ex(&key, HEAP_HINT, devId);
25702     if (ret != 0)
25703         return 10800;
25704 
25705     ret = wc_ed25519_import_private_key(sKeyCtx, ED25519_KEY_SIZE, pKeyCtx,
25706                                       sizeof(pKeyCtx), &key);
25707     if (ret == 0)
25708         ret = wc_ed25519ctx_sign_msg(msgCtx, sizeof(msgCtx), out, &outlen, &key,
25709                                contextCtx, sizeof(contextCtx));
25710     if (ret == 0 && XMEMCMP(out, sigCtx1, 64) != 0)
25711         ret = -10801;
25712 
25713 #if defined(HAVE_ED25519_VERIFY)
25714     /* test verify on good msg */
25715     if (ret == 0)
25716         ret = wc_ed25519ctx_verify_msg(out, outlen, msgCtx, sizeof(msgCtx),
25717             &verify, &key, contextCtx, sizeof(contextCtx));
25718     if (ret == 0 && verify != 1)
25719         ret = -10802;
25720 #endif
25721 
25722     if (ret == 0)
25723         ret = wc_ed25519ctx_sign_msg(msgCtx, sizeof(msgCtx), out, &outlen, &key,
25724             NULL, 0);
25725 
25726     if (ret == 0 && XMEMCMP(out, sigCtx2, 64) != 0)
25727         ret = -10803;
25728 
25729 #if defined(HAVE_ED25519_VERIFY)
25730     /* test verify on good msg */
25731     if (ret == 0)
25732         ret = wc_ed25519ctx_verify_msg(out, outlen, msgCtx, sizeof(msgCtx),
25733             &verify, &key, NULL, 0);
25734     if (ret == 0 && verify != 1)
25735         ret = -10804;
25736 #endif
25737 
25738     wc_ed25519_free(&key);
25739 
25740     return ret;
25741 }
25742 
25743 static int ed25519ph_test(void)
25744 {
25745     int ret = 0;
25746     byte   out[ED25519_SIG_SIZE];
25747     word32 outlen;
25748 #ifdef HAVE_ED25519_VERIFY
25749     int    verify = 0;
25750 #endif /* HAVE_ED25519_VERIFY */
25751     ed25519_key key;
25752 
25753     WOLFSSL_SMALL_STACK_STATIC const byte sKeyPh[] = {
25754         0x83,0x3f,0xe6,0x24,0x09,0x23,0x7b,0x9d,
25755         0x62,0xec,0x77,0x58,0x75,0x20,0x91,0x1e,
25756         0x9a,0x75,0x9c,0xec,0x1d,0x19,0x75,0x5b,
25757         0x7d,0xa9,0x01,0xb9,0x6d,0xca,0x3d,0x42
25758     };
25759 
25760     WOLFSSL_SMALL_STACK_STATIC const byte pKeyPh[] = {
25761         0xec,0x17,0x2b,0x93,0xad,0x5e,0x56,0x3b,
25762         0xf4,0x93,0x2c,0x70,0xe1,0x24,0x50,0x34,
25763         0xc3,0x54,0x67,0xef,0x2e,0xfd,0x4d,0x64,
25764         0xeb,0xf8,0x19,0x68,0x34,0x67,0xe2,0xbf
25765     };
25766 
25767     WOLFSSL_SMALL_STACK_STATIC const byte sigPh1[] = {
25768         0x98,0xa7,0x02,0x22,0xf0,0xb8,0x12,0x1a,
25769         0xa9,0xd3,0x0f,0x81,0x3d,0x68,0x3f,0x80,
25770         0x9e,0x46,0x2b,0x46,0x9c,0x7f,0xf8,0x76,
25771         0x39,0x49,0x9b,0xb9,0x4e,0x6d,0xae,0x41,
25772         0x31,0xf8,0x50,0x42,0x46,0x3c,0x2a,0x35,
25773         0x5a,0x20,0x03,0xd0,0x62,0xad,0xf5,0xaa,
25774         0xa1,0x0b,0x8c,0x61,0xe6,0x36,0x06,0x2a,
25775         0xaa,0xd1,0x1c,0x2a,0x26,0x08,0x34,0x06
25776     };
25777 
25778     WOLFSSL_SMALL_STACK_STATIC const byte sigPh2[] = {
25779         0xe0,0x39,0x70,0x2b,0x4c,0x25,0x95,0xa6,
25780         0xa5,0x41,0xac,0x85,0x09,0x23,0x6e,0x29,
25781         0x90,0x47,0x47,0x95,0x33,0x0c,0x9b,0x34,
25782         0xa7,0x5f,0x58,0xa6,0x60,0x12,0x9e,0x08,
25783         0xfd,0x73,0x69,0x43,0xfb,0x19,0x43,0xa5,
25784         0x57,0x20,0xb9,0xe0,0x95,0x7b,0x1e,0xd6,
25785         0x73,0x48,0x16,0x61,0x9f,0x13,0x88,0xf4,
25786         0x3f,0x73,0xe6,0xe3,0xba,0xa8,0x1c,0x0e
25787     };
25788 
25789     WOLFSSL_SMALL_STACK_STATIC const byte msgPh[] = {
25790         0x61,0x62,0x63
25791     };
25792 
25793     /* SHA-512 hash of msgPh */
25794     WOLFSSL_SMALL_STACK_STATIC const byte hashPh[] = {
25795         0xdd,0xaf,0x35,0xa1,0x93,0x61,0x7a,0xba,
25796         0xcc,0x41,0x73,0x49,0xae,0x20,0x41,0x31,
25797         0x12,0xe6,0xfa,0x4e,0x89,0xa9,0x7e,0xa2,
25798         0x0a,0x9e,0xee,0xe6,0x4b,0x55,0xd3,0x9a,
25799         0x21,0x92,0x99,0x2a,0x27,0x4f,0xc1,0xa8,
25800         0x36,0xba,0x3c,0x23,0xa3,0xfe,0xeb,0xbd,
25801         0x45,0x4d,0x44,0x23,0x64,0x3c,0xe8,0x0e,
25802         0x2a,0x9a,0xc9,0x4f,0xa5,0x4c,0xa4,0x9f
25803     };
25804 
25805     WOLFSSL_SMALL_STACK_STATIC const byte contextPh2[] = {
25806         0x66,0x6f,0x6f
25807     };
25808 
25809     outlen = sizeof(out);
25810     XMEMSET(out, 0, sizeof(out));
25811 
25812     ret = wc_ed25519_init_ex(&key, HEAP_HINT, devId);
25813     if (ret != 0)
25814         return -10900;
25815 
25816     ret = wc_ed25519_import_private_key(sKeyPh, ED25519_KEY_SIZE, pKeyPh,
25817                                       sizeof(pKeyPh), &key);
25818     if (ret == 0)
25819         ret = wc_ed25519ph_sign_msg(msgPh, sizeof(msgPh), out, &outlen, &key,
25820             NULL, 0);
25821 
25822     if (ret == 0 && XMEMCMP(out, sigPh1, 64) != 0)
25823         ret = -10901;
25824 
25825 #if defined(HAVE_ED25519_VERIFY)
25826     /* test verify on good msg */
25827     if (ret == 0)
25828         ret = wc_ed25519ph_verify_msg(out, outlen, msgPh, sizeof(msgPh),
25829             &verify, &key, NULL, 0);
25830     if (ret == 0 && verify != 1)
25831         ret = -10902;
25832 #endif
25833 
25834     if (ret == 0)
25835         ret = wc_ed25519ph_sign_msg(msgPh, sizeof(msgPh), out, &outlen, &key,
25836                               contextPh2, sizeof(contextPh2));
25837 
25838     if (ret == 0 && XMEMCMP(out, sigPh2, 64) != 0)
25839         ret = -10903;
25840 
25841 #if defined(HAVE_ED25519_VERIFY)
25842     /* test verify on good msg */
25843     if (ret == 0)
25844         ret = wc_ed25519ph_verify_msg(out, outlen, msgPh, sizeof(msgPh), &verify,
25845                                 &key, contextPh2, sizeof(contextPh2));
25846     if (ret == 0 && verify != 1)
25847         ret = -10904;
25848 #endif
25849 
25850     if (ret == 0)
25851         ret = wc_ed25519ph_sign_hash(hashPh, sizeof(hashPh), out, &outlen, &key,
25852         NULL, 0);
25853 
25854     if (ret == 0 && XMEMCMP(out, sigPh1, 64) != 0)
25855         ret = -10905;
25856 
25857 #if defined(HAVE_ED25519_VERIFY)
25858     if (ret == 0)
25859         ret = wc_ed25519ph_verify_hash(out, outlen, hashPh, sizeof(hashPh),
25860             &verify, &key, NULL, 0);
25861     if (ret == 0 && verify != 1)
25862         ret = -10906;
25863 #endif
25864 
25865     if (ret == 0)
25866         ret = wc_ed25519ph_sign_hash(hashPh, sizeof(hashPh), out, &outlen, &key,
25867                               contextPh2, sizeof(contextPh2));
25868     if (ret == 0 && XMEMCMP(out, sigPh2, 64) != 0)
25869         ret = -10907;
25870 
25871 #if defined(HAVE_ED25519_VERIFY)
25872     if (ret == 0)
25873         ret = wc_ed25519ph_verify_hash(out, outlen, hashPh, sizeof(hashPh), &verify,
25874                                 &key, contextPh2, sizeof(contextPh2));
25875     if (ret == 0 && verify != 1)
25876         ret = -10908;
25877 #endif
25878 
25879     wc_ed25519_free(&key);
25880 
25881     return ret;
25882 }
25883 #endif /* HAVE_ED25519_SIGN && HAVE_ED25519_KEY_EXPORT && HAVE_ED25519_KEY_IMPORT */
25884 
25885 WOLFSSL_TEST_SUBROUTINE int ed25519_test(void)
25886 {
25887     int ret;
25888     WC_RNG rng;
25889 #if defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_KEY_EXPORT) &&\
25890     defined(HAVE_ED25519_KEY_IMPORT)
25891     byte   out[ED25519_SIG_SIZE];
25892     byte   exportPKey[ED25519_KEY_SIZE];
25893     byte   exportSKey[ED25519_KEY_SIZE];
25894     word32 exportPSz;
25895     word32 exportSSz;
25896     int    i;
25897     word32 outlen;
25898 #ifdef HAVE_ED25519_VERIFY
25899 #ifdef WOLFSSL_ED25519_STREAMING_VERIFY
25900     int    j;
25901 #endif
25902     int    verify;
25903 #endif /* HAVE_ED25519_VERIFY */
25904 #endif /* HAVE_ED25519_SIGN && HAVE_ED25519_KEY_EXPORT && HAVE_ED25519_KEY_IMPORT */
25905     word32 keySz, sigSz;
25906     ed25519_key key;
25907     ed25519_key key2;
25908 
25909 #if defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_KEY_EXPORT) && \
25910     defined(HAVE_ED25519_KEY_IMPORT)
25911     /* test vectors from
25912        https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-02
25913      */
25914 
25915     WOLFSSL_SMALL_STACK_STATIC const byte sKey1[] = {
25916         0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
25917         0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
25918         0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
25919         0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
25920     };
25921 
25922     WOLFSSL_SMALL_STACK_STATIC const byte sKey2[] = {
25923         0x4c,0xcd,0x08,0x9b,0x28,0xff,0x96,0xda,
25924         0x9d,0xb6,0xc3,0x46,0xec,0x11,0x4e,0x0f,
25925         0x5b,0x8a,0x31,0x9f,0x35,0xab,0xa6,0x24,
25926         0xda,0x8c,0xf6,0xed,0x4f,0xb8,0xa6,0xfb
25927     };
25928 
25929     WOLFSSL_SMALL_STACK_STATIC const byte sKey3[] = {
25930         0xc5,0xaa,0x8d,0xf4,0x3f,0x9f,0x83,0x7b,
25931         0xed,0xb7,0x44,0x2f,0x31,0xdc,0xb7,0xb1,
25932         0x66,0xd3,0x85,0x35,0x07,0x6f,0x09,0x4b,
25933         0x85,0xce,0x3a,0x2e,0x0b,0x44,0x58,0xf7
25934     };
25935 
25936     /* uncompressed test */
25937     WOLFSSL_SMALL_STACK_STATIC const byte sKey4[] = {
25938         0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
25939         0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
25940         0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
25941         0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
25942     };
25943 
25944     /* compressed prefix test */
25945     WOLFSSL_SMALL_STACK_STATIC const byte sKey5[] = {
25946         0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
25947         0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
25948         0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
25949         0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
25950     };
25951 
25952     WOLFSSL_SMALL_STACK_STATIC const byte sKey6[] = {
25953         0xf5,0xe5,0x76,0x7c,0xf1,0x53,0x31,0x95,
25954         0x17,0x63,0x0f,0x22,0x68,0x76,0xb8,0x6c,
25955         0x81,0x60,0xcc,0x58,0x3b,0xc0,0x13,0x74,
25956         0x4c,0x6b,0xf2,0x55,0xf5,0xcc,0x0e,0xe5
25957     };
25958 
25959     WOLFSSL_SMALL_STACK_STATIC const byte* sKeys[] = {sKey1, sKey2, sKey3, sKey4, sKey5, sKey6};
25960 
25961     WOLFSSL_SMALL_STACK_STATIC const byte pKey1[] = {
25962         0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
25963         0xd5,0x4b,0xfe,0xd3,0xc9,0x64,0x07,0x3a,
25964         0x0e,0xe1,0x72,0xf3,0xda,0xa6,0x23,0x25,
25965         0xaf,0x02,0x1a,0x68,0xf7,0x07,0x51,0x1a
25966     };
25967 
25968     WOLFSSL_SMALL_STACK_STATIC const byte pKey2[] = {
25969         0x3d,0x40,0x17,0xc3,0xe8,0x43,0x89,0x5a,
25970         0x92,0xb7,0x0a,0xa7,0x4d,0x1b,0x7e,0xbc,
25971         0x9c,0x98,0x2c,0xcf,0x2e,0xc4,0x96,0x8c,
25972         0xc0,0xcd,0x55,0xf1,0x2a,0xf4,0x66,0x0c
25973     };
25974 
25975     WOLFSSL_SMALL_STACK_STATIC const byte pKey3[] = {
25976         0xfc,0x51,0xcd,0x8e,0x62,0x18,0xa1,0xa3,
25977         0x8d,0xa4,0x7e,0xd0,0x02,0x30,0xf0,0x58,
25978         0x08,0x16,0xed,0x13,0xba,0x33,0x03,0xac,
25979         0x5d,0xeb,0x91,0x15,0x48,0x90,0x80,0x25
25980     };
25981 
25982     /* uncompressed test */
25983     WOLFSSL_SMALL_STACK_STATIC const byte pKey4[] = {
25984         0x04,0x55,0xd0,0xe0,0x9a,0x2b,0x9d,0x34,
25985         0x29,0x22,0x97,0xe0,0x8d,0x60,0xd0,0xf6,
25986         0x20,0xc5,0x13,0xd4,0x72,0x53,0x18,0x7c,
25987         0x24,0xb1,0x27,0x86,0xbd,0x77,0x76,0x45,
25988         0xce,0x1a,0x51,0x07,0xf7,0x68,0x1a,0x02,
25989         0xaf,0x25,0x23,0xa6,0xda,0xf3,0x72,0xe1,
25990         0x0e,0x3a,0x07,0x64,0xc9,0xd3,0xfe,0x4b,
25991         0xd5,0xb7,0x0a,0xb1,0x82,0x01,0x98,0x5a,
25992         0xd7
25993     };
25994 
25995     /* compressed prefix */
25996     WOLFSSL_SMALL_STACK_STATIC const byte pKey5[] = {
25997         0x40,0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
25998         0xd5,0x4b,0xfe,0xd3,0xc9,0x64,0x07,0x3a,
25999         0x0e,0xe1,0x72,0xf3,0xda,0xa6,0x23,0x25,
26000         0xaf,0x02,0x1a,0x68,0xf7,0x07,0x51,0x1a
26001     };
26002 
26003     WOLFSSL_SMALL_STACK_STATIC const byte pKey6[] = {
26004         0x27,0x81,0x17,0xfc,0x14,0x4c,0x72,0x34,
26005         0x0f,0x67,0xd0,0xf2,0x31,0x6e,0x83,0x86,
26006         0xce,0xff,0xbf,0x2b,0x24,0x28,0xc9,0xc5,
26007         0x1f,0xef,0x7c,0x59,0x7f,0x1d,0x42,0x6e
26008     };
26009 
26010     WOLFSSL_SMALL_STACK_STATIC const byte* pKeys[] = {pKey1, pKey2, pKey3, pKey4, pKey5, pKey6};
26011     WOLFSSL_SMALL_STACK_STATIC const byte  pKeySz[] = {sizeof(pKey1), sizeof(pKey2), sizeof(pKey3),
26012                             sizeof(pKey4), sizeof(pKey5), sizeof(pKey6)};
26013 
26014     WOLFSSL_SMALL_STACK_STATIC const byte sig1[] = {
26015         0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
26016         0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
26017         0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
26018         0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
26019         0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
26020         0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
26021         0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
26022         0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
26023     };
26024 
26025     WOLFSSL_SMALL_STACK_STATIC const byte sig2[] = {
26026         0x92,0xa0,0x09,0xa9,0xf0,0xd4,0xca,0xb8,
26027         0x72,0x0e,0x82,0x0b,0x5f,0x64,0x25,0x40,
26028         0xa2,0xb2,0x7b,0x54,0x16,0x50,0x3f,0x8f,
26029         0xb3,0x76,0x22,0x23,0xeb,0xdb,0x69,0xda,
26030         0x08,0x5a,0xc1,0xe4,0x3e,0x15,0x99,0x6e,
26031         0x45,0x8f,0x36,0x13,0xd0,0xf1,0x1d,0x8c,
26032         0x38,0x7b,0x2e,0xae,0xb4,0x30,0x2a,0xee,
26033         0xb0,0x0d,0x29,0x16,0x12,0xbb,0x0c,0x00
26034     };
26035 
26036     WOLFSSL_SMALL_STACK_STATIC const byte sig3[] = {
26037         0x62,0x91,0xd6,0x57,0xde,0xec,0x24,0x02,
26038         0x48,0x27,0xe6,0x9c,0x3a,0xbe,0x01,0xa3,
26039         0x0c,0xe5,0x48,0xa2,0x84,0x74,0x3a,0x44,
26040         0x5e,0x36,0x80,0xd7,0xdb,0x5a,0xc3,0xac,
26041         0x18,0xff,0x9b,0x53,0x8d,0x16,0xf2,0x90,
26042         0xae,0x67,0xf7,0x60,0x98,0x4d,0xc6,0x59,
26043         0x4a,0x7c,0x15,0xe9,0x71,0x6e,0xd2,0x8d,
26044         0xc0,0x27,0xbe,0xce,0xea,0x1e,0xc4,0x0a
26045     };
26046 
26047     /* uncompressed test */
26048     WOLFSSL_SMALL_STACK_STATIC const byte sig4[] = {
26049         0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
26050         0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
26051         0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
26052         0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
26053         0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
26054         0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
26055         0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
26056         0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
26057     };
26058 
26059     /* compressed prefix */
26060     WOLFSSL_SMALL_STACK_STATIC const byte sig5[] = {
26061         0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
26062         0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
26063         0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
26064         0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
26065         0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
26066         0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
26067         0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
26068         0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
26069     };
26070 
26071     WOLFSSL_SMALL_STACK_STATIC const byte sig6[] = {
26072         0x0a,0xab,0x4c,0x90,0x05,0x01,0xb3,0xe2,
26073         0x4d,0x7c,0xdf,0x46,0x63,0x32,0x6a,0x3a,
26074         0x87,0xdf,0x5e,0x48,0x43,0xb2,0xcb,0xdb,
26075         0x67,0xcb,0xf6,0xe4,0x60,0xfe,0xc3,0x50,
26076         0xaa,0x53,0x71,0xb1,0x50,0x8f,0x9f,0x45,
26077         0x28,0xec,0xea,0x23,0xc4,0x36,0xd9,0x4b,
26078         0x5e,0x8f,0xcd,0x4f,0x68,0x1e,0x30,0xa6,
26079         0xac,0x00,0xa9,0x70,0x4a,0x18,0x8a,0x03
26080     };
26081 
26082     WOLFSSL_SMALL_STACK_STATIC const byte* sigs[] = {sig1, sig2, sig3, sig4, sig5, sig6};
26083 
26084     WOLFSSL_SMALL_STACK_STATIC const byte msg1[]  = {0x0 };
26085     WOLFSSL_SMALL_STACK_STATIC const byte msg2[]  = {0x72};
26086     WOLFSSL_SMALL_STACK_STATIC const byte msg3[]  = {0xAF,0x82};
26087 
26088     /* test of a 1024 byte long message */
26089     WOLFSSL_SMALL_STACK_STATIC const byte msg4[]  = {
26090         0x08,0xb8,0xb2,0xb7,0x33,0x42,0x42,0x43,
26091         0x76,0x0f,0xe4,0x26,0xa4,0xb5,0x49,0x08,
26092         0x63,0x21,0x10,0xa6,0x6c,0x2f,0x65,0x91,
26093         0xea,0xbd,0x33,0x45,0xe3,0xe4,0xeb,0x98,
26094         0xfa,0x6e,0x26,0x4b,0xf0,0x9e,0xfe,0x12,
26095         0xee,0x50,0xf8,0xf5,0x4e,0x9f,0x77,0xb1,
26096         0xe3,0x55,0xf6,0xc5,0x05,0x44,0xe2,0x3f,
26097         0xb1,0x43,0x3d,0xdf,0x73,0xbe,0x84,0xd8,
26098         0x79,0xde,0x7c,0x00,0x46,0xdc,0x49,0x96,
26099         0xd9,0xe7,0x73,0xf4,0xbc,0x9e,0xfe,0x57,
26100         0x38,0x82,0x9a,0xdb,0x26,0xc8,0x1b,0x37,
26101         0xc9,0x3a,0x1b,0x27,0x0b,0x20,0x32,0x9d,
26102         0x65,0x86,0x75,0xfc,0x6e,0xa5,0x34,0xe0,
26103         0x81,0x0a,0x44,0x32,0x82,0x6b,0xf5,0x8c,
26104         0x94,0x1e,0xfb,0x65,0xd5,0x7a,0x33,0x8b,
26105         0xbd,0x2e,0x26,0x64,0x0f,0x89,0xff,0xbc,
26106         0x1a,0x85,0x8e,0xfc,0xb8,0x55,0x0e,0xe3,
26107         0xa5,0xe1,0x99,0x8b,0xd1,0x77,0xe9,0x3a,
26108         0x73,0x63,0xc3,0x44,0xfe,0x6b,0x19,0x9e,
26109         0xe5,0xd0,0x2e,0x82,0xd5,0x22,0xc4,0xfe,
26110         0xba,0x15,0x45,0x2f,0x80,0x28,0x8a,0x82,
26111         0x1a,0x57,0x91,0x16,0xec,0x6d,0xad,0x2b,
26112         0x3b,0x31,0x0d,0xa9,0x03,0x40,0x1a,0xa6,
26113         0x21,0x00,0xab,0x5d,0x1a,0x36,0x55,0x3e,
26114         0x06,0x20,0x3b,0x33,0x89,0x0c,0xc9,0xb8,
26115         0x32,0xf7,0x9e,0xf8,0x05,0x60,0xcc,0xb9,
26116         0xa3,0x9c,0xe7,0x67,0x96,0x7e,0xd6,0x28,
26117         0xc6,0xad,0x57,0x3c,0xb1,0x16,0xdb,0xef,
26118         0xef,0xd7,0x54,0x99,0xda,0x96,0xbd,0x68,
26119         0xa8,0xa9,0x7b,0x92,0x8a,0x8b,0xbc,0x10,
26120         0x3b,0x66,0x21,0xfc,0xde,0x2b,0xec,0xa1,
26121         0x23,0x1d,0x20,0x6b,0xe6,0xcd,0x9e,0xc7,
26122         0xaf,0xf6,0xf6,0xc9,0x4f,0xcd,0x72,0x04,
26123         0xed,0x34,0x55,0xc6,0x8c,0x83,0xf4,0xa4,
26124         0x1d,0xa4,0xaf,0x2b,0x74,0xef,0x5c,0x53,
26125         0xf1,0xd8,0xac,0x70,0xbd,0xcb,0x7e,0xd1,
26126         0x85,0xce,0x81,0xbd,0x84,0x35,0x9d,0x44,
26127         0x25,0x4d,0x95,0x62,0x9e,0x98,0x55,0xa9,
26128         0x4a,0x7c,0x19,0x58,0xd1,0xf8,0xad,0xa5,
26129         0xd0,0x53,0x2e,0xd8,0xa5,0xaa,0x3f,0xb2,
26130         0xd1,0x7b,0xa7,0x0e,0xb6,0x24,0x8e,0x59,
26131         0x4e,0x1a,0x22,0x97,0xac,0xbb,0xb3,0x9d,
26132         0x50,0x2f,0x1a,0x8c,0x6e,0xb6,0xf1,0xce,
26133         0x22,0xb3,0xde,0x1a,0x1f,0x40,0xcc,0x24,
26134         0x55,0x41,0x19,0xa8,0x31,0xa9,0xaa,0xd6,
26135         0x07,0x9c,0xad,0x88,0x42,0x5d,0xe6,0xbd,
26136         0xe1,0xa9,0x18,0x7e,0xbb,0x60,0x92,0xcf,
26137         0x67,0xbf,0x2b,0x13,0xfd,0x65,0xf2,0x70,
26138         0x88,0xd7,0x8b,0x7e,0x88,0x3c,0x87,0x59,
26139         0xd2,0xc4,0xf5,0xc6,0x5a,0xdb,0x75,0x53,
26140         0x87,0x8a,0xd5,0x75,0xf9,0xfa,0xd8,0x78,
26141         0xe8,0x0a,0x0c,0x9b,0xa6,0x3b,0xcb,0xcc,
26142         0x27,0x32,0xe6,0x94,0x85,0xbb,0xc9,0xc9,
26143         0x0b,0xfb,0xd6,0x24,0x81,0xd9,0x08,0x9b,
26144         0xec,0xcf,0x80,0xcf,0xe2,0xdf,0x16,0xa2,
26145         0xcf,0x65,0xbd,0x92,0xdd,0x59,0x7b,0x07,
26146         0x07,0xe0,0x91,0x7a,0xf4,0x8b,0xbb,0x75,
26147         0xfe,0xd4,0x13,0xd2,0x38,0xf5,0x55,0x5a,
26148         0x7a,0x56,0x9d,0x80,0xc3,0x41,0x4a,0x8d,
26149         0x08,0x59,0xdc,0x65,0xa4,0x61,0x28,0xba,
26150         0xb2,0x7a,0xf8,0x7a,0x71,0x31,0x4f,0x31,
26151         0x8c,0x78,0x2b,0x23,0xeb,0xfe,0x80,0x8b,
26152         0x82,0xb0,0xce,0x26,0x40,0x1d,0x2e,0x22,
26153         0xf0,0x4d,0x83,0xd1,0x25,0x5d,0xc5,0x1a,
26154         0xdd,0xd3,0xb7,0x5a,0x2b,0x1a,0xe0,0x78,
26155         0x45,0x04,0xdf,0x54,0x3a,0xf8,0x96,0x9b,
26156         0xe3,0xea,0x70,0x82,0xff,0x7f,0xc9,0x88,
26157         0x8c,0x14,0x4d,0xa2,0xaf,0x58,0x42,0x9e,
26158         0xc9,0x60,0x31,0xdb,0xca,0xd3,0xda,0xd9,
26159         0xaf,0x0d,0xcb,0xaa,0xaf,0x26,0x8c,0xb8,
26160         0xfc,0xff,0xea,0xd9,0x4f,0x3c,0x7c,0xa4,
26161         0x95,0xe0,0x56,0xa9,0xb4,0x7a,0xcd,0xb7,
26162         0x51,0xfb,0x73,0xe6,0x66,0xc6,0xc6,0x55,
26163         0xad,0xe8,0x29,0x72,0x97,0xd0,0x7a,0xd1,
26164         0xba,0x5e,0x43,0xf1,0xbc,0xa3,0x23,0x01,
26165         0x65,0x13,0x39,0xe2,0x29,0x04,0xcc,0x8c,
26166         0x42,0xf5,0x8c,0x30,0xc0,0x4a,0xaf,0xdb,
26167         0x03,0x8d,0xda,0x08,0x47,0xdd,0x98,0x8d,
26168         0xcd,0xa6,0xf3,0xbf,0xd1,0x5c,0x4b,0x4c,
26169         0x45,0x25,0x00,0x4a,0xa0,0x6e,0xef,0xf8,
26170         0xca,0x61,0x78,0x3a,0xac,0xec,0x57,0xfb,
26171         0x3d,0x1f,0x92,0xb0,0xfe,0x2f,0xd1,0xa8,
26172         0x5f,0x67,0x24,0x51,0x7b,0x65,0xe6,0x14,
26173         0xad,0x68,0x08,0xd6,0xf6,0xee,0x34,0xdf,
26174         0xf7,0x31,0x0f,0xdc,0x82,0xae,0xbf,0xd9,
26175         0x04,0xb0,0x1e,0x1d,0xc5,0x4b,0x29,0x27,
26176         0x09,0x4b,0x2d,0xb6,0x8d,0x6f,0x90,0x3b,
26177         0x68,0x40,0x1a,0xde,0xbf,0x5a,0x7e,0x08,
26178         0xd7,0x8f,0xf4,0xef,0x5d,0x63,0x65,0x3a,
26179         0x65,0x04,0x0c,0xf9,0xbf,0xd4,0xac,0xa7,
26180         0x98,0x4a,0x74,0xd3,0x71,0x45,0x98,0x67,
26181         0x80,0xfc,0x0b,0x16,0xac,0x45,0x16,0x49,
26182         0xde,0x61,0x88,0xa7,0xdb,0xdf,0x19,0x1f,
26183         0x64,0xb5,0xfc,0x5e,0x2a,0xb4,0x7b,0x57,
26184         0xf7,0xf7,0x27,0x6c,0xd4,0x19,0xc1,0x7a,
26185         0x3c,0xa8,0xe1,0xb9,0x39,0xae,0x49,0xe4,
26186         0x88,0xac,0xba,0x6b,0x96,0x56,0x10,0xb5,
26187         0x48,0x01,0x09,0xc8,0xb1,0x7b,0x80,0xe1,
26188         0xb7,0xb7,0x50,0xdf,0xc7,0x59,0x8d,0x5d,
26189         0x50,0x11,0xfd,0x2d,0xcc,0x56,0x00,0xa3,
26190         0x2e,0xf5,0xb5,0x2a,0x1e,0xcc,0x82,0x0e,
26191         0x30,0x8a,0xa3,0x42,0x72,0x1a,0xac,0x09,
26192         0x43,0xbf,0x66,0x86,0xb6,0x4b,0x25,0x79,
26193         0x37,0x65,0x04,0xcc,0xc4,0x93,0xd9,0x7e,
26194         0x6a,0xed,0x3f,0xb0,0xf9,0xcd,0x71,0xa4,
26195         0x3d,0xd4,0x97,0xf0,0x1f,0x17,0xc0,0xe2,
26196         0xcb,0x37,0x97,0xaa,0x2a,0x2f,0x25,0x66,
26197         0x56,0x16,0x8e,0x6c,0x49,0x6a,0xfc,0x5f,
26198         0xb9,0x32,0x46,0xf6,0xb1,0x11,0x63,0x98,
26199         0xa3,0x46,0xf1,0xa6,0x41,0xf3,0xb0,0x41,
26200         0xe9,0x89,0xf7,0x91,0x4f,0x90,0xcc,0x2c,
26201         0x7f,0xff,0x35,0x78,0x76,0xe5,0x06,0xb5,
26202         0x0d,0x33,0x4b,0xa7,0x7c,0x22,0x5b,0xc3,
26203         0x07,0xba,0x53,0x71,0x52,0xf3,0xf1,0x61,
26204         0x0e,0x4e,0xaf,0xe5,0x95,0xf6,0xd9,0xd9,
26205         0x0d,0x11,0xfa,0xa9,0x33,0xa1,0x5e,0xf1,
26206         0x36,0x95,0x46,0x86,0x8a,0x7f,0x3a,0x45,
26207         0xa9,0x67,0x68,0xd4,0x0f,0xd9,0xd0,0x34,
26208         0x12,0xc0,0x91,0xc6,0x31,0x5c,0xf4,0xfd,
26209         0xe7,0xcb,0x68,0x60,0x69,0x37,0x38,0x0d,
26210         0xb2,0xea,0xaa,0x70,0x7b,0x4c,0x41,0x85,
26211         0xc3,0x2e,0xdd,0xcd,0xd3,0x06,0x70,0x5e,
26212         0x4d,0xc1,0xff,0xc8,0x72,0xee,0xee,0x47,
26213         0x5a,0x64,0xdf,0xac,0x86,0xab,0xa4,0x1c,
26214         0x06,0x18,0x98,0x3f,0x87,0x41,0xc5,0xef,
26215         0x68,0xd3,0xa1,0x01,0xe8,0xa3,0xb8,0xca,
26216         0xc6,0x0c,0x90,0x5c,0x15,0xfc,0x91,0x08,
26217         0x40,0xb9,0x4c,0x00,0xa0,0xb9,0xd0
26218     };
26219 
26220     WOLFSSL_SMALL_STACK_STATIC const byte* msgs[] =   {msg1, msg2, msg3, msg1, msg1, msg4};
26221     WOLFSSL_SMALL_STACK_STATIC const word16 msgSz[] = {0 /*sizeof(msg1)*/,
26222                                    sizeof(msg2),
26223                                    sizeof(msg3),
26224                                    0 /*sizeof(msg1)*/,
26225                                    0 /*sizeof(msg1)*/,
26226                                    sizeof(msg4)
26227     };
26228 #ifndef NO_ASN
26229     static byte privateEd25519[] = {
26230         0x30,0x2e,0x02,0x01,0x00,0x30,0x05,0x06,
26231         0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
26232         0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
26233         0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
26234         0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
26235         0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
26236     };
26237     static byte badPrivateEd25519[] = {
26238         0x30,0x52,0x02,0x01,0x00,0x30,0x05,0x06,
26239         0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
26240         0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
26241         0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
26242         0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
26243         0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60,
26244         0xa1,0x22,0x04,0x21,0xd7,0x5a,0x98,0x01, /* octet len 0x20 -> 0x21 */
26245         0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
26246         0xc9,0x64,0x07,0x3a,0x0e,0xe1,0x72,0xf3,
26247         0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68,
26248         0xf7,0x07,0x51,0x1a,
26249         0x00  /* add additional bytes to make the pubkey bigger  */
26250     };
26251     static byte publicEd25519[] = {
26252         0x30,0x2a,0x30,0x05,0x06,0x03,0x2b,0x65,
26253         0x70,0x03,0x21,0x00,0xd7,0x5a,0x98,0x01,
26254         0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
26255         0xc9,0x64,0x07,0x3a,0x0e,0xe1,0x72,0xf3,
26256         0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68,
26257         0xf7,0x07,0x51,0x1a
26258     };
26259 
26260     /* size has been altered to catch if sanity check is done */
26261     static byte badPublicEd25519[] = {
26262         0x30,0x2a,0x30,0x05,0x06,0x03,0x2b,0x65,
26263         0x70,0x03,0x21,0x00,0xd7,0x5a,0x98,0x01,
26264         0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
26265         0xc9,0x64,0x07,0x3a,0x0e,0xe1,0x72,0xf3,
26266         0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68,
26267         0xf7,0x07,0x51,0x1a,
26268         0x00 /* add an additional byte to make the pubkey appear bigger */
26269     };
26270     static byte privPubEd25519[] = {
26271         0x30,0x52,0x02,0x01,0x00,0x30,0x05,0x06,
26272         0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
26273         0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
26274         0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
26275         0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
26276         0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60,
26277         0xa1,0x22,0x04,0x20,0xd7,0x5a,0x98,0x01,
26278         0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
26279         0xc9,0x64,0x07,0x3a,0x0e,0xe1,0x72,0xf3,
26280         0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68,
26281         0xf7,0x07,0x51,0x1a
26282     };
26283 
26284     word32 idx;
26285 #endif /* NO_ASN */
26286 #endif /* HAVE_ED25519_SIGN && HAVE_ED25519_KEY_EXPORT && HAVE_ED25519_KEY_IMPORT */
26287 #if !defined(NO_ASN) && defined(HAVE_ED25519_SIGN)
26288     ed25519_key key3;
26289 #endif
26290 
26291     /* create ed25519 keys */
26292 #ifndef HAVE_FIPS
26293     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
26294 #else
26295     ret = wc_InitRng(&rng);
26296 #endif
26297     if (ret != 0)
26298         return -11000;
26299 
26300     wc_ed25519_init_ex(&key, HEAP_HINT, devId);
26301     wc_ed25519_init_ex(&key2, HEAP_HINT, devId);
26302 #if !defined(NO_ASN) && defined(HAVE_ED25519_SIGN)
26303     wc_ed25519_init_ex(&key3, HEAP_HINT, devId);
26304 #endif
26305     wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &key);
26306     wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &key2);
26307 
26308     /* helper functions for signature and key size */
26309     keySz = wc_ed25519_size(&key);
26310     sigSz = wc_ed25519_sig_size(&key);
26311 
26312 #if defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_KEY_EXPORT) &&\
26313         defined(HAVE_ED25519_KEY_IMPORT)
26314     for (i = 0; i < 6; i++) {
26315         outlen = sizeof(out);
26316         XMEMSET(out, 0, sizeof(out));
26317 
26318         if (wc_ed25519_import_private_key(sKeys[i], ED25519_KEY_SIZE, pKeys[i],
26319                 pKeySz[i], &key) != 0)
26320             return -11001 - i;
26321 
26322         if (wc_ed25519_sign_msg(msgs[i], msgSz[i], out, &outlen, &key) != 0)
26323             return -11011 - i;
26324 
26325         if (XMEMCMP(out, sigs[i], 64))
26326             return -11021 - i;
26327 
26328 #if defined(HAVE_ED25519_VERIFY)
26329         /* test verify on good msg */
26330         if (wc_ed25519_verify_msg(out, outlen, msgs[i], msgSz[i], &verify,
26331                     &key) != 0 || verify != 1)
26332             return -11031 - i;
26333 
26334 #ifdef WOLFSSL_ED25519_STREAMING_VERIFY
26335         /* test verify on good msg using streaming interface directly */
26336         if (wc_ed25519_verify_msg_init(out, outlen,
26337                                        &key, (byte)Ed25519, NULL, 0) != 0)
26338             return -11211 - i;
26339         for (j = 0; j < msgSz[i]; j += i) {
26340             if (wc_ed25519_verify_msg_update(msgs[i] + j, MIN(i, msgSz[i] - j), &key) != 0)
26341                 return -11221 - i;
26342         }
26343         if (wc_ed25519_verify_msg_final(out, outlen, &verify,
26344                                         &key) != 0 || verify != 1)
26345             return -11231 - i;
26346 #endif /* WOLFSSL_ED25519_STREAMING_VERIFY */
26347 
26348         /* test verify on bad msg */
26349         out[outlen-1] = out[outlen-1] + 1;
26350         if (wc_ed25519_verify_msg(out, outlen, msgs[i], msgSz[i], &verify,
26351                     &key) == 0 || verify == 1)
26352             return -11041 - i;
26353 #endif /* HAVE_ED25519_VERIFY */
26354 
26355         /* test api for import/exporting keys */
26356         exportPSz = sizeof(exportPKey);
26357         exportSSz = sizeof(exportSKey);
26358         if (wc_ed25519_export_public(&key, exportPKey, &exportPSz) != 0)
26359             return -11051 - i;
26360 
26361         if (wc_ed25519_import_public(exportPKey, exportPSz, &key2) != 0)
26362             return -11061 - i;
26363 
26364         if (wc_ed25519_export_private_only(&key, exportSKey, &exportSSz) != 0)
26365             return -11071 - i;
26366 
26367         if (wc_ed25519_import_private_key(exportSKey, exportSSz,
26368                                           exportPKey, exportPSz, &key2) != 0)
26369             return -11081 - i;
26370 
26371         /* clear "out" buffer and test sign with imported keys */
26372         outlen = sizeof(out);
26373         XMEMSET(out, 0, sizeof(out));
26374         if (wc_ed25519_sign_msg(msgs[i], msgSz[i], out, &outlen, &key2) != 0)
26375             return -11091 - i;
26376 
26377 #if defined(HAVE_ED25519_VERIFY)
26378         if (wc_ed25519_verify_msg(out, outlen, msgs[i], msgSz[i], &verify,
26379                                   &key2) != 0 || verify != 1)
26380             return -11101 - i;
26381 
26382         if (XMEMCMP(out, sigs[i], 64))
26383             return -11111 - i;
26384 #endif /* HAVE_ED25519_VERIFY */
26385     }
26386 
26387     ret = ed25519ctx_test();
26388     if (ret != 0)
26389         return ret;
26390 
26391     ret = ed25519ph_test();
26392     if (ret != 0)
26393         return ret;
26394 
26395 #ifndef NO_ASN
26396     /* Try ASN.1 encoded private-only key and public key. */
26397     idx = 0;
26398     if (wc_Ed25519PrivateKeyDecode(privateEd25519, &idx, &key3,
26399                                    sizeof(privateEd25519)) != 0)
26400         return -11121;
26401 
26402     idx = 0;
26403     if (wc_Ed25519PrivateKeyDecode(badPrivateEd25519, &idx, &key3,
26404                                    sizeof(badPrivateEd25519)) == 0)
26405         return -11122;
26406 
26407     if (wc_ed25519_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3)
26408                 != BAD_FUNC_ARG)
26409         return -11131;
26410 
26411 
26412     /* try with a buffer size that is too large */
26413     idx = 0;
26414     if (wc_Ed25519PublicKeyDecode(badPublicEd25519, &idx, &key3,
26415                                   sizeof(badPublicEd25519)) == 0)
26416         return -11140;
26417 
26418     idx = 0;
26419     if (wc_Ed25519PublicKeyDecode(publicEd25519, &idx, &key3,
26420                                   sizeof(publicEd25519)) != 0)
26421         return -11141;
26422 
26423     if (wc_ed25519_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3) != 0)
26424         return -11151;
26425 
26426     if (XMEMCMP(out, sigs[0], 64))
26427         return -11161;
26428 
26429 #if defined(HAVE_ED25519_VERIFY)
26430     /* test verify on good msg */
26431     if (wc_ed25519_verify_msg(out, outlen, msgs[0], msgSz[0], &verify, &key3)
26432                 != 0 || verify != 1)
26433         return -11171;
26434 #endif /* HAVE_ED25519_VERIFY */
26435 
26436     wc_ed25519_free(&key3);
26437     wc_ed25519_init(&key3);
26438 
26439     idx = 0;
26440     if (wc_Ed25519PrivateKeyDecode(privPubEd25519, &idx, &key3,
26441                                    sizeof(privPubEd25519)) != 0)
26442         return -11181;
26443 
26444     if (wc_ed25519_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3) != 0)
26445         return -11191;
26446 
26447     if (XMEMCMP(out, sigs[0], 64))
26448         return -11201;
26449 
26450     wc_ed25519_free(&key3);
26451 #endif /* NO_ASN */
26452 #endif /* HAVE_ED25519_SIGN && HAVE_ED25519_KEY_EXPORT && HAVE_ED25519_KEY_IMPORT */
26453 
26454     /* clean up keys when done */
26455     wc_ed25519_free(&key);
26456     wc_ed25519_free(&key2);
26457 
26458 #if defined(HAVE_HASHDRBG) || defined(NO_RC4)
26459     wc_FreeRng(&rng);
26460 #endif
26461 
26462     /* hush warnings of unused keySz and sigSz */
26463     (void)keySz;
26464     (void)sigSz;
26465 
26466 #ifdef WOLFSSL_TEST_CERT
26467     ret = ed25519_test_cert();
26468     if (ret < 0)
26469         return ret;
26470 #ifdef WOLFSSL_CERT_GEN
26471     ret = ed25519_test_make_cert();
26472     if (ret < 0)
26473         return ret;
26474 #endif /* WOLFSSL_CERT_GEN */
26475 #endif /* WOLFSSL_TEST_CERT */
26476 
26477     return 0;
26478 }
26479 #endif /* HAVE_ED25519 */
26480 
26481 #ifdef HAVE_CURVE448
26482 #if defined(HAVE_CURVE448_SHARED_SECRET) && \
26483                                              defined(HAVE_CURVE448_KEY_IMPORT)
26484 /* Test the wc_curve448_check_public API.
26485  *
26486  * returns 0 on success and -ve on failure.
26487  */
26488 static int curve448_check_public_test(void)
26489 {
26490     /* Little-endian values that will fail */
26491     byte fail_le[][CURVE448_KEY_SIZE] = {
26492         {
26493             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26494             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26495             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26496             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26497             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26498             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26499             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
26500         },
26501         {
26502             0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26503             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26504             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26505             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26506             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26507             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26508             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
26509         },
26510     };
26511     /* Big-endian values that will fail */
26512     byte fail_be[][CURVE448_KEY_SIZE] = {
26513         {
26514             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26515             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26516             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26517             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26518             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26519             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26520             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
26521         },
26522         {
26523             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26524             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26525             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26526             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26527             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26528             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26529             0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
26530         },
26531     };
26532     /* Good or valid public value */
26533     byte good[CURVE448_KEY_SIZE] = {
26534         0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26535         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26536         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26537         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26538         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26539         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
26540         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
26541     };
26542     int i;
26543 
26544     /* Parameter checks */
26545     /* NULL pointer */
26546     if (wc_curve448_check_public(NULL, 0, EC448_LITTLE_ENDIAN) !=
26547                                                                  BAD_FUNC_ARG) {
26548         return -11300;
26549     }
26550     if (wc_curve448_check_public(NULL, 0, EC448_BIG_ENDIAN) != BAD_FUNC_ARG) {
26551         return -11301;
26552     }
26553     /* Length of 0 treated differently to other invalid lengths for TLS */
26554     if (wc_curve448_check_public(good, 0, EC448_LITTLE_ENDIAN) != BUFFER_E)
26555         return -11302;
26556     if (wc_curve448_check_public(good, 0, EC448_BIG_ENDIAN) != BUFFER_E)
26557         return -11303;
26558 
26559     /* Length not CURVE448_KEY_SIZE */
26560     for (i = 1; i < CURVE448_KEY_SIZE + 2; i++) {
26561         if (i == CURVE448_KEY_SIZE)
26562             continue;
26563         if (wc_curve448_check_public(good, i, EC448_LITTLE_ENDIAN) !=
26564                                                                 ECC_BAD_ARG_E) {
26565             return -11304 - i;
26566         }
26567         if (wc_curve448_check_public(good, i, EC448_BIG_ENDIAN) !=
26568                                                                 ECC_BAD_ARG_E) {
26569             return -11314 - i;
26570         }
26571     }
26572 
26573     /* Little-endian fail cases */
26574     for (i = 0; i < (int)(sizeof(fail_le) / sizeof(*fail_le)); i++) {
26575         if (wc_curve448_check_public(fail_le[i], CURVE448_KEY_SIZE,
26576                                                     EC448_LITTLE_ENDIAN) == 0) {
26577             return -11324 - i;
26578         }
26579     }
26580     /* Big-endian fail cases */
26581     for (i = 0; i < (int)(sizeof(fail_be) / sizeof(*fail_be)); i++) {
26582         if (wc_curve448_check_public(fail_be[i], CURVE448_KEY_SIZE,
26583                                                        EC448_BIG_ENDIAN) == 0) {
26584             return -11334 - i;
26585         }
26586     }
26587 
26588     /* Check a valid public value works! */
26589     if (wc_curve448_check_public(good, CURVE448_KEY_SIZE,
26590                                                     EC448_LITTLE_ENDIAN) != 0) {
26591         return -11344;
26592     }
26593     if (wc_curve448_check_public(good, CURVE448_KEY_SIZE,
26594                                                        EC448_BIG_ENDIAN) != 0) {
26595         return -11345;
26596     }
26597 
26598     return 0;
26599 }
26600 
26601 #endif /* HAVE_CURVE448_SHARED_SECRET && HAVE_CURVE448_KEY_IMPORT */
26602 
26603 WOLFSSL_TEST_SUBROUTINE int curve448_test(void)
26604 {
26605     WC_RNG  rng;
26606     int ret;
26607 #ifdef HAVE_CURVE448_SHARED_SECRET
26608     byte    sharedA[CURVE448_KEY_SIZE];
26609     byte    sharedB[CURVE448_KEY_SIZE];
26610     word32  y;
26611 #endif
26612 #ifdef HAVE_CURVE448_KEY_EXPORT
26613     byte    exportBuf[CURVE448_KEY_SIZE];
26614 #endif
26615     word32  x;
26616     curve448_key userA, userB, pubKey;
26617 
26618 #if defined(HAVE_CURVE448_SHARED_SECRET) && \
26619                                              defined(HAVE_CURVE448_KEY_IMPORT)
26620     /* test vectors from
26621        https://www.rfc-editor.org/rfc/rfc7748.html
26622      */
26623 
26624     /* secret key for party a */
26625     byte sa[] = {
26626         0x6b, 0x72, 0x98, 0xa5, 0xc0, 0xd8, 0xc2, 0x9a,
26627         0x1d, 0xab, 0x27, 0xf1, 0xa6, 0x82, 0x63, 0x00,
26628         0x91, 0x73, 0x89, 0x44, 0x97, 0x41, 0xa9, 0x74,
26629         0xf5, 0xba, 0xc9, 0xd9, 0x8d, 0xc2, 0x98, 0xd4,
26630         0x65, 0x55, 0xbc, 0xe8, 0xba, 0xe8, 0x9e, 0xee,
26631         0xd4, 0x00, 0x58, 0x4b, 0xb0, 0x46, 0xcf, 0x75,
26632         0x57, 0x9f, 0x51, 0xd1, 0x25, 0x49, 0x8f, 0x9a,
26633     };
26634 
26635     /* public key for party a */
26636     byte pa[] = {
26637         0xa0, 0x1f, 0xc4, 0x32, 0xe5, 0x80, 0x7f, 0x17,
26638         0x53, 0x0d, 0x12, 0x88, 0xda, 0x12, 0x5b, 0x0c,
26639         0xd4, 0x53, 0xd9, 0x41, 0x72, 0x64, 0x36, 0xc8,
26640         0xbb, 0xd9, 0xc5, 0x22, 0x2c, 0x3d, 0xa7, 0xfa,
26641         0x63, 0x9c, 0xe0, 0x3d, 0xb8, 0xd2, 0x3b, 0x27,
26642         0x4a, 0x07, 0x21, 0xa1, 0xae, 0xd5, 0x22, 0x7d,
26643         0xe6, 0xe3, 0xb7, 0x31, 0xcc, 0xf7, 0x08, 0x9b,
26644     };
26645 
26646     /* secret key for party b */
26647     byte sb[] = {
26648         0x2d, 0x99, 0x73, 0x51, 0xb6, 0x10, 0x6f, 0x36,
26649         0xb0, 0xd1, 0x09, 0x1b, 0x92, 0x9c, 0x4c, 0x37,
26650         0x21, 0x3e, 0x0d, 0x2b, 0x97, 0xe8, 0x5e, 0xbb,
26651         0x20, 0xc1, 0x27, 0x69, 0x1d, 0x0d, 0xad, 0x8f,
26652         0x1d, 0x81, 0x75, 0xb0, 0x72, 0x37, 0x45, 0xe6,
26653         0x39, 0xa3, 0xcb, 0x70, 0x44, 0x29, 0x0b, 0x99,
26654         0xe0, 0xe2, 0xa0, 0xc2, 0x7a, 0x6a, 0x30, 0x1c,
26655     };
26656 
26657     /* public key for party b */
26658     byte pb[] = {
26659         0x09, 0x36, 0xf3, 0x7b, 0xc6, 0xc1, 0xbd, 0x07,
26660         0xae, 0x3d, 0xec, 0x7a, 0xb5, 0xdc, 0x06, 0xa7,
26661         0x3c, 0xa1, 0x32, 0x42, 0xfb, 0x34, 0x3e, 0xfc,
26662         0x72, 0xb9, 0xd8, 0x27, 0x30, 0xb4, 0x45, 0xf3,
26663         0xd4, 0xb0, 0xbd, 0x07, 0x71, 0x62, 0xa4, 0x6d,
26664         0xcf, 0xec, 0x6f, 0x9b, 0x59, 0x0b, 0xfc, 0xbc,
26665         0xf5, 0x20, 0xcd, 0xb0, 0x29, 0xa8, 0xb7, 0x3e,
26666     };
26667 
26668     /* expected shared key */
26669     byte ss[] = {
26670         0x9d, 0x87, 0x4a, 0x51, 0x37, 0x50, 0x9a, 0x44,
26671         0x9a, 0xd5, 0x85, 0x30, 0x40, 0x24, 0x1c, 0x52,
26672         0x36, 0x39, 0x54, 0x35, 0xc3, 0x64, 0x24, 0xfd,
26673         0x56, 0x0b, 0x0c, 0xb6, 0x2b, 0x28, 0x1d, 0x28,
26674         0x52, 0x75, 0xa7, 0x40, 0xce, 0x32, 0xa2, 0x2d,
26675         0xd1, 0x74, 0x0f, 0x4a, 0xa9, 0x16, 0x1c, 0xec,
26676         0x95, 0xcc, 0xc6, 0x1a, 0x18, 0xf4, 0xff, 0x07,
26677     };
26678 #endif /* HAVE_CURVE448_SHARED_SECRET */
26679 
26680     (void)x;
26681 
26682 #ifndef HAVE_FIPS
26683     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
26684 #else
26685     ret = wc_InitRng(&rng);
26686 #endif
26687     if (ret != 0)
26688         return -11400;
26689 
26690     wc_curve448_init(&userA);
26691     wc_curve448_init(&userB);
26692     wc_curve448_init(&pubKey);
26693 
26694     /* make curve448 keys */
26695     if (wc_curve448_make_key(&rng, CURVE448_KEY_SIZE, &userA) != 0)
26696         return -11401;
26697 
26698     if (wc_curve448_make_key(&rng, CURVE448_KEY_SIZE, &userB) != 0)
26699         return -11402;
26700 
26701 #ifdef HAVE_CURVE448_SHARED_SECRET
26702     /* find shared secret key */
26703     x = sizeof(sharedA);
26704     if (wc_curve448_shared_secret(&userA, &userB, sharedA, &x) != 0)
26705         return -11403;
26706 
26707     y = sizeof(sharedB);
26708     if (wc_curve448_shared_secret(&userB, &userA, sharedB, &y) != 0)
26709         return -11404;
26710 
26711     /* compare shared secret keys to test they are the same */
26712     if (y != x)
26713         return -11405;
26714 
26715     if (XMEMCMP(sharedA, sharedB, x))
26716         return -11406;
26717 #endif
26718 
26719 #ifdef HAVE_CURVE448_KEY_EXPORT
26720     /* export a public key and import it for another user */
26721     x = sizeof(exportBuf);
26722     if (wc_curve448_export_public(&userA, exportBuf, &x) != 0)
26723         return -11407;
26724 
26725 #ifdef HAVE_CURVE448_KEY_IMPORT
26726     if (wc_curve448_import_public(exportBuf, x, &pubKey) != 0)
26727         return -11408;
26728 #endif
26729 #endif
26730 
26731 #if defined(HAVE_CURVE448_SHARED_SECRET) && \
26732                                              defined(HAVE_CURVE448_KEY_IMPORT)
26733     /* test shared key after importing a public key */
26734     XMEMSET(sharedB, 0, sizeof(sharedB));
26735     y = sizeof(sharedB);
26736     if (wc_curve448_shared_secret(&userB, &pubKey, sharedB, &y) != 0)
26737         return -11409;
26738 
26739     if (XMEMCMP(sharedA, sharedB, y))
26740         return -11410;
26741 
26742     /* import RFC test vectors and compare shared key */
26743     if (wc_curve448_import_private_raw(sa, sizeof(sa), pa, sizeof(pa), &userA)
26744             != 0)
26745         return -11411;
26746 
26747     if (wc_curve448_import_private_raw(sb, sizeof(sb), pb, sizeof(pb), &userB)
26748             != 0)
26749         return -11412;
26750 
26751     /* test against known test vector */
26752     XMEMSET(sharedB, 0, sizeof(sharedB));
26753     y = sizeof(sharedB);
26754     if (wc_curve448_shared_secret(&userA, &userB, sharedB, &y) != 0)
26755         return -11413;
26756 
26757     if (XMEMCMP(ss, sharedB, y))
26758         return -11414;
26759 
26760     /* test swapping roles of keys and generating same shared key */
26761     XMEMSET(sharedB, 0, sizeof(sharedB));
26762     y = sizeof(sharedB);
26763     if (wc_curve448_shared_secret(&userB, &userA, sharedB, &y) != 0)
26764         return -11415;
26765 
26766     if (XMEMCMP(ss, sharedB, y))
26767         return -11416;
26768 
26769     /* test with 1 generated key and 1 from known test vector */
26770     if (wc_curve448_import_private_raw(sa, sizeof(sa), pa, sizeof(pa), &userA)
26771         != 0)
26772         return -11417;
26773 
26774     if (wc_curve448_make_key(&rng, 56, &userB) != 0)
26775         return -11418;
26776 
26777     x = sizeof(sharedA);
26778     if (wc_curve448_shared_secret(&userA, &userB, sharedA, &x) != 0)
26779         return -11419;
26780 
26781     y = sizeof(sharedB);
26782     if (wc_curve448_shared_secret(&userB, &userA, sharedB, &y) != 0)
26783         return -11420;
26784 
26785     /* compare shared secret keys to test they are the same */
26786     if (y != x)
26787         return -11421;
26788 
26789     if (XMEMCMP(sharedA, sharedB, x))
26790         return -11422;
26791 
26792     ret = curve448_check_public_test();
26793     if (ret != 0)
26794         return ret;
26795 #endif /* HAVE_CURVE448_SHARED_SECRET && HAVE_CURVE448_KEY_IMPORT */
26796 
26797     /* clean up keys when done */
26798     wc_curve448_free(&pubKey);
26799     wc_curve448_free(&userB);
26800     wc_curve448_free(&userA);
26801 
26802     wc_FreeRng(&rng);
26803 
26804     return 0;
26805 }
26806 #endif /* HAVE_CURVE448 */
26807 
26808 #ifdef HAVE_ED448
26809 #ifdef WOLFSSL_TEST_CERT
26810 static int ed448_test_cert(void)
26811 {
26812     DecodedCert  cert[2];
26813     DecodedCert* serverCert = NULL;
26814     DecodedCert* caCert = NULL;
26815 #ifdef HAVE_ED448_VERIFY
26816     ed448_key  key;
26817     ed448_key* pubKey = NULL;
26818     int          verify;
26819 #endif /* HAVE_ED448_VERIFY */
26820     int          ret;
26821     byte*        tmp;
26822     size_t       bytes;
26823     XFILE        file;
26824 
26825     tmp = (byte *)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
26826     if (tmp == NULL) {
26827         ERROR_OUT(-11430, done);
26828     }
26829 
26830 #ifdef USE_CERT_BUFFERS_256
26831     XMEMCPY(tmp, ca_ed448_cert, sizeof_ca_ed448_cert);
26832     bytes = sizeof_ca_ed448_cert;
26833 #elif !defined(NO_FILESYSTEM)
26834     file = XFOPEN(caEd448Cert, "rb");
26835     if (file == NULL) {
26836         ERROR_OUT(-11431, done);
26837     }
26838     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
26839     XFCLOSE(file);
26840 #else
26841     /* No certificate to use. */
26842     ERROR_OUT(-11432, done);
26843 #endif
26844 
26845     InitDecodedCert(&cert[0], tmp, (word32)bytes, 0);
26846     caCert = &cert[0];
26847     ret = ParseCert(caCert, CERT_TYPE, NO_VERIFY, NULL);
26848     if (ret != 0) {
26849         ERROR_OUT(-11433, done);
26850     }
26851 
26852 #ifdef USE_CERT_BUFFERS_256
26853     XMEMCPY(tmp, server_ed448_cert, sizeof_server_ed448_cert);
26854     bytes = sizeof_server_ed448_cert;
26855 #elif !defined(NO_FILESYSTEM)
26856     file = XFOPEN(serverEd448Cert, "rb");
26857     if (file == NULL) {
26858         ERROR_OUT(-11434, done);
26859     }
26860     bytes = XFREAD(tmp, 1, FOURK_BUF, file);
26861     XFCLOSE(file);
26862 #else
26863     /* No certificate to use. */
26864     ERROR_OUT(-11435, done);
26865 #endif
26866 
26867     InitDecodedCert(&cert[1], tmp, (word32)bytes, 0);
26868     serverCert = &cert[1];
26869     ret = ParseCert(serverCert, CERT_TYPE, NO_VERIFY, NULL);
26870     if (ret != 0) {
26871         ERROR_OUT(-11436, done);
26872     }
26873 
26874 #ifdef HAVE_ED448_VERIFY
26875     ret = wc_ed448_init(&key);
26876     if (ret < 0) {
26877         ERROR_OUT(-11437, done);
26878     }
26879     pubKey = &key;
26880     ret = wc_ed448_import_public(caCert->publicKey, caCert->pubKeySize, pubKey);
26881     if (ret < 0) {
26882         ERROR_OUT(-11438, done);
26883     }
26884 
26885     if (wc_ed448_verify_msg(serverCert->signature, serverCert->sigLength,
26886                             serverCert->source + serverCert->certBegin,
26887                             serverCert->sigIndex - serverCert->certBegin,
26888                             &verify, pubKey, NULL, 0) < 0 || verify != 1) {
26889         ERROR_OUT(-11439, done);
26890     }
26891 #endif /* HAVE_ED448_VERIFY */
26892 
26893 done:
26894     if (tmp != NULL)
26895         XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
26896 #ifdef HAVE_ED448_VERIFY
26897     wc_ed448_free(pubKey);
26898 #endif /* HAVE_ED448_VERIFY */
26899     if (caCert != NULL)
26900         FreeDecodedCert(caCert);
26901     if (serverCert != NULL)
26902         FreeDecodedCert(serverCert);
26903 
26904     return ret;
26905 }
26906 
26907 static int ed448_test_make_cert(void)
26908 {
26909     WC_RNG       rng;
26910     Cert         cert;
26911     DecodedCert  decode;
26912     ed448_key  key;
26913     ed448_key* privKey = NULL;
26914     int          ret = 0;
26915     byte*        tmp = NULL;
26916 
26917     wc_InitCert_ex(&cert, HEAP_HINT, devId);
26918 
26919 #ifndef HAVE_FIPS
26920     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
26921 #else
26922     ret = wc_InitRng(&rng);
26923 #endif
26924     if (ret != 0)
26925         return -11450;
26926 
26927     wc_ed448_init(&key);
26928     privKey = &key;
26929     wc_ed448_make_key(&rng, ED448_KEY_SIZE, privKey);
26930 
26931     cert.daysValid = 365 * 2;
26932     cert.selfSigned = 1;
26933     XMEMCPY(&cert.issuer, &certDefaultName, sizeof(CertName));
26934     XMEMCPY(&cert.subject, &certDefaultName, sizeof(CertName));
26935     cert.isCA = 0;
26936 #ifdef WOLFSSL_CERT_EXT
26937     ret = wc_SetKeyUsage(&cert, certKeyUsage);
26938     if (ret < 0) {
26939         ERROR_OUT(-11451, done);
26940     }
26941     ret = wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED448_TYPE, privKey);
26942     if (ret < 0) {
26943         ERROR_OUT(-11452, done);
26944     }
26945     ret = wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED448_TYPE, privKey);
26946     if (ret < 0) {
26947         ERROR_OUT(-11453, done);
26948     }
26949 #endif
26950     tmp = (byte *)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
26951     if (tmp == NULL) {
26952         ERROR_OUT(-11454, done);
26953     }
26954 
26955     cert.sigType = CTC_ED448;
26956     ret = wc_MakeCert_ex(&cert, tmp, FOURK_BUF, ED448_TYPE, privKey, &rng);
26957     if (ret < 0) {
26958         ERROR_OUT(-11455, done);
26959     }
26960     ret = wc_SignCert_ex(cert.bodySz, cert.sigType, tmp, FOURK_BUF, ED448_TYPE,
26961                                                                  privKey, &rng);
26962     if (ret < 0) {
26963         ERROR_OUT(-11456, done);
26964     }
26965 
26966     InitDecodedCert(&decode, tmp, ret, HEAP_HINT);
26967     ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
26968     FreeDecodedCert(&decode);
26969     if (ret != 0) {
26970         ERROR_OUT(-11457, done);
26971     }
26972 
26973 done:
26974     if (tmp != NULL)
26975         XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
26976     wc_ed448_free(privKey);
26977     wc_FreeRng(&rng);
26978     return ret;
26979 }
26980 #endif /* WOLFSSL_TEST_CERT */
26981 
26982 #if defined(HAVE_ED448_SIGN) && defined(HAVE_ED448_KEY_EXPORT) && \
26983     defined(HAVE_ED448_KEY_IMPORT)
26984 static int ed448_ctx_test(void)
26985 {
26986     byte   out[ED448_SIG_SIZE];
26987     word32 outlen;
26988 #ifdef HAVE_ED448_VERIFY
26989     int    verify;
26990 #endif /* HAVE_ED448_VERIFY */
26991     ed448_key key;
26992 
26993     WOLFSSL_SMALL_STACK_STATIC const byte sKeyCtx[] = {
26994         0xc4, 0xea, 0xb0, 0x5d, 0x35, 0x70, 0x07, 0xc6,
26995         0x32, 0xf3, 0xdb, 0xb4, 0x84, 0x89, 0x92, 0x4d,
26996         0x55, 0x2b, 0x08, 0xfe, 0x0c, 0x35, 0x3a, 0x0d,
26997         0x4a, 0x1f, 0x00, 0xac, 0xda, 0x2c, 0x46, 0x3a,
26998         0xfb, 0xea, 0x67, 0xc5, 0xe8, 0xd2, 0x87, 0x7c,
26999         0x5e, 0x3b, 0xc3, 0x97, 0xa6, 0x59, 0x94, 0x9e,
27000         0xf8, 0x02, 0x1e, 0x95, 0x4e, 0x0a, 0x12, 0x27,
27001         0x4e
27002     };
27003 
27004     WOLFSSL_SMALL_STACK_STATIC const byte pKeyCtx[] = {
27005         0x43, 0xba, 0x28, 0xf4, 0x30, 0xcd, 0xff, 0x45,
27006         0x6a, 0xe5, 0x31, 0x54, 0x5f, 0x7e, 0xcd, 0x0a,
27007         0xc8, 0x34, 0xa5, 0x5d, 0x93, 0x58, 0xc0, 0x37,
27008         0x2b, 0xfa, 0x0c, 0x6c, 0x67, 0x98, 0xc0, 0x86,
27009         0x6a, 0xea, 0x01, 0xeb, 0x00, 0x74, 0x28, 0x02,
27010         0xb8, 0x43, 0x8e, 0xa4, 0xcb, 0x82, 0x16, 0x9c,
27011         0x23, 0x51, 0x60, 0x62, 0x7b, 0x4c, 0x3a, 0x94,
27012         0x80
27013     };
27014 
27015     WOLFSSL_SMALL_STACK_STATIC const byte sigCtx[] = {
27016         0xd4, 0xf8, 0xf6, 0x13, 0x17, 0x70, 0xdd, 0x46,
27017         0xf4, 0x08, 0x67, 0xd6, 0xfd, 0x5d, 0x50, 0x55,
27018         0xde, 0x43, 0x54, 0x1f, 0x8c, 0x5e, 0x35, 0xab,
27019         0xbc, 0xd0, 0x01, 0xb3, 0x2a, 0x89, 0xf7, 0xd2,
27020         0x15, 0x1f, 0x76, 0x47, 0xf1, 0x1d, 0x8c, 0xa2,
27021         0xae, 0x27, 0x9f, 0xb8, 0x42, 0xd6, 0x07, 0x21,
27022         0x7f, 0xce, 0x6e, 0x04, 0x2f, 0x68, 0x15, 0xea,
27023         0x00, 0x0c, 0x85, 0x74, 0x1d, 0xe5, 0xc8, 0xda,
27024         0x11, 0x44, 0xa6, 0xa1, 0xab, 0xa7, 0xf9, 0x6d,
27025         0xe4, 0x25, 0x05, 0xd7, 0xa7, 0x29, 0x85, 0x24,
27026         0xfd, 0xa5, 0x38, 0xfc, 0xcb, 0xbb, 0x75, 0x4f,
27027         0x57, 0x8c, 0x1c, 0xad, 0x10, 0xd5, 0x4d, 0x0d,
27028         0x54, 0x28, 0x40, 0x7e, 0x85, 0xdc, 0xbc, 0x98,
27029         0xa4, 0x91, 0x55, 0xc1, 0x37, 0x64, 0xe6, 0x6c,
27030         0x3c, 0x00
27031     };
27032 
27033     WOLFSSL_SMALL_STACK_STATIC const byte msgCtx[] = {
27034         0x03
27035     };
27036 
27037     WOLFSSL_SMALL_STACK_STATIC const byte contextCtx[] = {
27038         0x66,0x6f,0x6f
27039     };
27040 
27041     outlen = sizeof(out);
27042     XMEMSET(out, 0, sizeof(out));
27043 
27044     if (wc_ed448_init_ex(&key, HEAP_HINT, devId) != 0)
27045         return -11500;
27046 
27047     if (wc_ed448_import_private_key(sKeyCtx, ED448_KEY_SIZE, pKeyCtx,
27048                                     sizeof(pKeyCtx), &key) != 0)
27049         return -11501;
27050 
27051     if (wc_ed448_sign_msg(msgCtx, sizeof(msgCtx), out, &outlen, &key,
27052                           contextCtx, sizeof(contextCtx)) != 0)
27053         return -11502;
27054 
27055     if (XMEMCMP(out, sigCtx, sizeof(sigCtx)))
27056         return -11503;
27057 
27058 #if defined(HAVE_ED448_VERIFY)
27059     /* test verify on good msg */
27060     if (wc_ed448_verify_msg(out, outlen, msgCtx, sizeof(msgCtx), &verify, &key,
27061                             contextCtx, sizeof(contextCtx)) != 0 || verify != 1)
27062         return -11504;
27063 #endif
27064 
27065     wc_ed448_free(&key);
27066 
27067     return 0;
27068 }
27069 
27070 static int ed448ph_test(void)
27071 {
27072     byte   out[ED448_SIG_SIZE];
27073     word32 outlen;
27074 #ifdef HAVE_ED448_VERIFY
27075     int    verify;
27076 #endif /* HAVE_ED448_VERIFY */
27077     ed448_key key;
27078 
27079     WOLFSSL_SMALL_STACK_STATIC const byte sKeyPh[] = {
27080         0x83, 0x3f, 0xe6, 0x24, 0x09, 0x23, 0x7b, 0x9d,
27081         0x62, 0xec, 0x77, 0x58, 0x75, 0x20, 0x91, 0x1e,
27082         0x9a, 0x75, 0x9c, 0xec, 0x1d, 0x19, 0x75, 0x5b,
27083         0x7d, 0xa9, 0x01, 0xb9, 0x6d, 0xca, 0x3d, 0x42,
27084         0xef, 0x78, 0x22, 0xe0, 0xd5, 0x10, 0x41, 0x27,
27085         0xdc, 0x05, 0xd6, 0xdb, 0xef, 0xde, 0x69, 0xe3,
27086         0xab, 0x2c, 0xec, 0x7c, 0x86, 0x7c, 0x6e, 0x2c,
27087         0x49
27088     };
27089 
27090     WOLFSSL_SMALL_STACK_STATIC const byte pKeyPh[] = {
27091         0x25, 0x9b, 0x71, 0xc1, 0x9f, 0x83, 0xef, 0x77,
27092         0xa7, 0xab, 0xd2, 0x65, 0x24, 0xcb, 0xdb, 0x31,
27093         0x61, 0xb5, 0x90, 0xa4, 0x8f, 0x7d, 0x17, 0xde,
27094         0x3e, 0xe0, 0xba, 0x9c, 0x52, 0xbe, 0xb7, 0x43,
27095         0xc0, 0x94, 0x28, 0xa1, 0x31, 0xd6, 0xb1, 0xb5,
27096         0x73, 0x03, 0xd9, 0x0d, 0x81, 0x32, 0xc2, 0x76,
27097         0xd5, 0xed, 0x3d, 0x5d, 0x01, 0xc0, 0xf5, 0x38,
27098         0x80
27099     };
27100 
27101     WOLFSSL_SMALL_STACK_STATIC const byte sigPh1[] = {
27102         0x82, 0x2f, 0x69, 0x01, 0xf7, 0x48, 0x0f, 0x3d,
27103         0x5f, 0x56, 0x2c, 0x59, 0x29, 0x94, 0xd9, 0x69,
27104         0x36, 0x02, 0x87, 0x56, 0x14, 0x48, 0x32, 0x56,
27105         0x50, 0x56, 0x00, 0xbb, 0xc2, 0x81, 0xae, 0x38,
27106         0x1f, 0x54, 0xd6, 0xbc, 0xe2, 0xea, 0x91, 0x15,
27107         0x74, 0x93, 0x2f, 0x52, 0xa4, 0xe6, 0xca, 0xdd,
27108         0x78, 0x76, 0x93, 0x75, 0xec, 0x3f, 0xfd, 0x1b,
27109         0x80, 0x1a, 0x0d, 0x9b, 0x3f, 0x40, 0x30, 0xcd,
27110         0x43, 0x39, 0x64, 0xb6, 0x45, 0x7e, 0xa3, 0x94,
27111         0x76, 0x51, 0x12, 0x14, 0xf9, 0x74, 0x69, 0xb5,
27112         0x7d, 0xd3, 0x2d, 0xbc, 0x56, 0x0a, 0x9a, 0x94,
27113         0xd0, 0x0b, 0xff, 0x07, 0x62, 0x04, 0x64, 0xa3,
27114         0xad, 0x20, 0x3d, 0xf7, 0xdc, 0x7c, 0xe3, 0x60,
27115         0xc3, 0xcd, 0x36, 0x96, 0xd9, 0xd9, 0xfa, 0xb9,
27116         0x0f, 0x00
27117     };
27118 
27119     WOLFSSL_SMALL_STACK_STATIC const byte sigPh2[] = {
27120         0xc3, 0x22, 0x99, 0xd4, 0x6e, 0xc8, 0xff, 0x02,
27121         0xb5, 0x45, 0x40, 0x98, 0x28, 0x14, 0xdc, 0xe9,
27122         0xa0, 0x58, 0x12, 0xf8, 0x19, 0x62, 0xb6, 0x49,
27123         0xd5, 0x28, 0x09, 0x59, 0x16, 0xa2, 0xaa, 0x48,
27124         0x10, 0x65, 0xb1, 0x58, 0x04, 0x23, 0xef, 0x92,
27125         0x7e, 0xcf, 0x0a, 0xf5, 0x88, 0x8f, 0x90, 0xda,
27126         0x0f, 0x6a, 0x9a, 0x85, 0xad, 0x5d, 0xc3, 0xf2,
27127         0x80, 0xd9, 0x12, 0x24, 0xba, 0x99, 0x11, 0xa3,
27128         0x65, 0x3d, 0x00, 0xe4, 0x84, 0xe2, 0xce, 0x23,
27129         0x25, 0x21, 0x48, 0x1c, 0x86, 0x58, 0xdf, 0x30,
27130         0x4b, 0xb7, 0x74, 0x5a, 0x73, 0x51, 0x4c, 0xdb,
27131         0x9b, 0xf3, 0xe1, 0x57, 0x84, 0xab, 0x71, 0x28,
27132         0x4f, 0x8d, 0x07, 0x04, 0xa6, 0x08, 0xc5, 0x4a,
27133         0x6b, 0x62, 0xd9, 0x7b, 0xeb, 0x51, 0x1d, 0x13,
27134         0x21, 0x00
27135     };
27136 
27137     WOLFSSL_SMALL_STACK_STATIC const byte msgPh[] = {
27138         0x61,0x62,0x63
27139     };
27140 
27141     /* SHA-512 hash of msgPh */
27142     WOLFSSL_SMALL_STACK_STATIC const byte hashPh[] = {
27143         0x48, 0x33, 0x66, 0x60, 0x13, 0x60, 0xa8, 0x77,
27144         0x1c, 0x68, 0x63, 0x08, 0x0c, 0xc4, 0x11, 0x4d,
27145         0x8d, 0xb4, 0x45, 0x30, 0xf8, 0xf1, 0xe1, 0xee,
27146         0x4f, 0x94, 0xea, 0x37, 0xe7, 0x8b, 0x57, 0x39,
27147         0xd5, 0xa1, 0x5b, 0xef, 0x18, 0x6a, 0x53, 0x86,
27148         0xc7, 0x57, 0x44, 0xc0, 0x52, 0x7e, 0x1f, 0xaa,
27149         0x9f, 0x87, 0x26, 0xe4, 0x62, 0xa1, 0x2a, 0x4f,
27150         0xeb, 0x06, 0xbd, 0x88, 0x01, 0xe7, 0x51, 0xe4
27151     };
27152 
27153     WOLFSSL_SMALL_STACK_STATIC const byte contextPh2[] = {
27154         0x66,0x6f,0x6f
27155     };
27156 
27157     outlen = sizeof(out);
27158     XMEMSET(out, 0, sizeof(out));
27159 
27160     if (wc_ed448_init_ex(&key, HEAP_HINT, devId) != 0)
27161         return -11600;
27162 
27163     if (wc_ed448_import_private_key(sKeyPh, ED448_KEY_SIZE, pKeyPh,
27164                                     sizeof(pKeyPh), &key) != 0) {
27165         return -11601;
27166     }
27167 
27168     if (wc_ed448ph_sign_msg(msgPh, sizeof(msgPh), out, &outlen, &key, NULL,
27169                             0) != 0) {
27170         return -11602;
27171     }
27172 
27173     if (XMEMCMP(out, sigPh1, sizeof(sigPh1)))
27174         return -11603;
27175 
27176 #if defined(HAVE_ED448_VERIFY)
27177     /* test verify on good msg */
27178     if (wc_ed448ph_verify_msg(out, outlen, msgPh, sizeof(msgPh), &verify, &key,
27179                               NULL, 0) != 0 || verify != 1) {
27180         return -11604;
27181     }
27182 #endif
27183 
27184     if (wc_ed448ph_sign_msg(msgPh, sizeof(msgPh), out, &outlen, &key,
27185                             contextPh2, sizeof(contextPh2)) != 0) {
27186         return -11605;
27187     }
27188 
27189     if (XMEMCMP(out, sigPh2, sizeof(sigPh2)))
27190         return -11606;
27191 
27192 #if defined(HAVE_ED448_VERIFY)
27193     /* test verify on good msg */
27194     if (wc_ed448ph_verify_msg(out, outlen, msgPh, sizeof(msgPh), &verify, &key,
27195                               contextPh2, sizeof(contextPh2)) != 0 ||
27196             verify != 1) {
27197         return -11607;
27198     }
27199 #endif
27200 
27201     if (wc_ed448ph_sign_hash(hashPh, sizeof(hashPh), out, &outlen, &key, NULL,
27202                              0) != 0) {
27203         return -11608;
27204     }
27205 
27206     if (XMEMCMP(out, sigPh1, sizeof(sigPh1)))
27207         return -11609;
27208 
27209 #if defined(HAVE_ED448_VERIFY)
27210     if (wc_ed448ph_verify_hash(out, outlen, hashPh, sizeof(hashPh), &verify,
27211                                &key, NULL, 0) != 0 || verify != 1) {
27212         return -11610;
27213     }
27214 #endif
27215 
27216     if (wc_ed448ph_sign_hash(hashPh, sizeof(hashPh), out, &outlen, &key,
27217                              contextPh2, sizeof(contextPh2)) != 0) {
27218         return -11611;
27219     }
27220 
27221     if (XMEMCMP(out, sigPh2, sizeof(sigPh2)))
27222         return -11612;
27223 
27224 #if defined(HAVE_ED448_VERIFY)
27225     if (wc_ed448ph_verify_hash(out, outlen, hashPh, sizeof(hashPh), &verify,
27226                                &key, contextPh2, sizeof(contextPh2)) != 0 ||
27227             verify != 1) {
27228         return -11613;
27229     }
27230 #endif
27231 
27232     wc_ed448_free(&key);
27233 
27234     return 0;
27235 }
27236 #endif /* HAVE_ED448_SIGN && HAVE_ED448_KEY_EXPORT && HAVE_ED448_KEY_IMPORT */
27237 
27238 WOLFSSL_TEST_SUBROUTINE int ed448_test(void)
27239 {
27240     int ret;
27241     WC_RNG rng;
27242 #if defined(HAVE_ED448_SIGN) && defined(HAVE_ED448_KEY_EXPORT) &&\
27243     defined(HAVE_ED448_KEY_IMPORT)
27244     byte   out[ED448_SIG_SIZE];
27245     int    i;
27246     word32 outlen;
27247 #ifdef HAVE_ED448_VERIFY
27248 #ifdef WOLFSSL_ED448_STREAMING_VERIFY
27249     int    j;
27250 #endif /* WOLFSSL_ED448_STREAMING_VERIFY */
27251     int    verify;
27252 #endif /* HAVE_ED448_VERIFY */
27253 #endif /* HAVE_ED448_SIGN && HAVE_ED448_KEY_EXPORT && HAVE_ED448_KEY_IMPORT */
27254     word32 keySz, sigSz;
27255 #ifdef WOLFSSL_SMALL_STACK
27256     ed448_key *key = NULL;
27257     ed448_key *key2 = NULL;
27258 #else
27259     ed448_key key[1];
27260     ed448_key key2[1];
27261 #endif
27262 
27263 #if defined(HAVE_ED448_SIGN) && defined(HAVE_ED448_KEY_EXPORT) && \
27264     defined(HAVE_ED448_KEY_IMPORT)
27265     /* test vectors from
27266        https://tools.ietf.org/html/rfc8032
27267      */
27268 
27269     WOLFSSL_SMALL_STACK_STATIC const byte sKey1[] = {
27270         0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d, 0x10,
27271         0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e, 0xbf,
27272         0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c, 0x9f,
27273         0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48, 0xa3,
27274         0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04, 0x4e,
27275         0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f, 0x8f,
27276         0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98, 0xf9,
27277         0x5b
27278     };
27279 
27280     WOLFSSL_SMALL_STACK_STATIC const byte sKey2[] = {
27281         0xc4, 0xea, 0xb0, 0x5d, 0x35, 0x70, 0x07, 0xc6,
27282         0x32, 0xf3, 0xdb, 0xb4, 0x84, 0x89, 0x92, 0x4d,
27283         0x55, 0x2b, 0x08, 0xfe, 0x0c, 0x35, 0x3a, 0x0d,
27284         0x4a, 0x1f, 0x00, 0xac, 0xda, 0x2c, 0x46, 0x3a,
27285         0xfb, 0xea, 0x67, 0xc5, 0xe8, 0xd2, 0x87, 0x7c,
27286         0x5e, 0x3b, 0xc3, 0x97, 0xa6, 0x59, 0x94, 0x9e,
27287         0xf8, 0x02, 0x1e, 0x95, 0x4e, 0x0a, 0x12, 0x27,
27288         0x4e
27289     };
27290 
27291     WOLFSSL_SMALL_STACK_STATIC const byte sKey3[] = {
27292         0x25, 0x8c, 0xdd, 0x4a, 0xda, 0x32, 0xed, 0x9c,
27293         0x9f, 0xf5, 0x4e, 0x63, 0x75, 0x6a, 0xe5, 0x82,
27294         0xfb, 0x8f, 0xab, 0x2a, 0xc7, 0x21, 0xf2, 0xc8,
27295         0xe6, 0x76, 0xa7, 0x27, 0x68, 0x51, 0x3d, 0x93,
27296         0x9f, 0x63, 0xdd, 0xdb, 0x55, 0x60, 0x91, 0x33,
27297         0xf2, 0x9a, 0xdf, 0x86, 0xec, 0x99, 0x29, 0xdc,
27298         0xcb, 0x52, 0xc1, 0xc5, 0xfd, 0x2f, 0xf7, 0xe2,
27299         0x1b
27300     };
27301 
27302     /* uncompressed test */
27303     WOLFSSL_SMALL_STACK_STATIC const byte sKey4[] = {
27304         0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d, 0x10,
27305         0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e, 0xbf,
27306         0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c, 0x9f,
27307         0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48, 0xa3,
27308         0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04, 0x4e,
27309         0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f, 0x8f,
27310         0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98, 0xf9,
27311         0x5b
27312     };
27313 
27314     /* compressed prefix test */
27315     WOLFSSL_SMALL_STACK_STATIC const byte sKey5[] = {
27316         0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d, 0x10,
27317         0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e, 0xbf,
27318         0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c, 0x9f,
27319         0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48, 0xa3,
27320         0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04, 0x4e,
27321         0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f, 0x8f,
27322         0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98, 0xf9,
27323         0x5b
27324     };
27325 
27326     WOLFSSL_SMALL_STACK_STATIC const byte sKey6[] = {
27327         0x87, 0x2d, 0x09, 0x37, 0x80, 0xf5, 0xd3, 0x73,
27328         0x0d, 0xf7, 0xc2, 0x12, 0x66, 0x4b, 0x37, 0xb8,
27329         0xa0, 0xf2, 0x4f, 0x56, 0x81, 0x0d, 0xaa, 0x83,
27330         0x82, 0xcd, 0x4f, 0xa3, 0xf7, 0x76, 0x34, 0xec,
27331         0x44, 0xdc, 0x54, 0xf1, 0xc2, 0xed, 0x9b, 0xea,
27332         0x86, 0xfa, 0xfb, 0x76, 0x32, 0xd8, 0xbe, 0x19,
27333         0x9e, 0xa1, 0x65, 0xf5, 0xad, 0x55, 0xdd, 0x9c,
27334         0xe8
27335     };
27336 
27337     WOLFSSL_SMALL_STACK_STATIC const byte* sKeys[] = {sKey1, sKey2, sKey3, sKey4, sKey5, sKey6};
27338 
27339     WOLFSSL_SMALL_STACK_STATIC const byte pKey1[] = {
27340         0x5f, 0xd7, 0x44, 0x9b, 0x59, 0xb4, 0x61, 0xfd,
27341         0x2c, 0xe7, 0x87, 0xec, 0x61, 0x6a, 0xd4, 0x6a,
27342         0x1d, 0xa1, 0x34, 0x24, 0x85, 0xa7, 0x0e, 0x1f,
27343         0x8a, 0x0e, 0xa7, 0x5d, 0x80, 0xe9, 0x67, 0x78,
27344         0xed, 0xf1, 0x24, 0x76, 0x9b, 0x46, 0xc7, 0x06,
27345         0x1b, 0xd6, 0x78, 0x3d, 0xf1, 0xe5, 0x0f, 0x6c,
27346         0xd1, 0xfa, 0x1a, 0xbe, 0xaf, 0xe8, 0x25, 0x61,
27347         0x80
27348     };
27349 
27350     WOLFSSL_SMALL_STACK_STATIC const byte pKey2[] = {
27351         0x43, 0xba, 0x28, 0xf4, 0x30, 0xcd, 0xff, 0x45,
27352         0x6a, 0xe5, 0x31, 0x54, 0x5f, 0x7e, 0xcd, 0x0a,
27353         0xc8, 0x34, 0xa5, 0x5d, 0x93, 0x58, 0xc0, 0x37,
27354         0x2b, 0xfa, 0x0c, 0x6c, 0x67, 0x98, 0xc0, 0x86,
27355         0x6a, 0xea, 0x01, 0xeb, 0x00, 0x74, 0x28, 0x02,
27356         0xb8, 0x43, 0x8e, 0xa4, 0xcb, 0x82, 0x16, 0x9c,
27357         0x23, 0x51, 0x60, 0x62, 0x7b, 0x4c, 0x3a, 0x94,
27358         0x80
27359     };
27360 
27361     WOLFSSL_SMALL_STACK_STATIC const byte pKey3[] = {
27362         0x3b, 0xa1, 0x6d, 0xa0, 0xc6, 0xf2, 0xcc, 0x1f,
27363         0x30, 0x18, 0x77, 0x40, 0x75, 0x6f, 0x5e, 0x79,
27364         0x8d, 0x6b, 0xc5, 0xfc, 0x01, 0x5d, 0x7c, 0x63,
27365         0xcc, 0x95, 0x10, 0xee, 0x3f, 0xd4, 0x4a, 0xdc,
27366         0x24, 0xd8, 0xe9, 0x68, 0xb6, 0xe4, 0x6e, 0x6f,
27367         0x94, 0xd1, 0x9b, 0x94, 0x53, 0x61, 0x72, 0x6b,
27368         0xd7, 0x5e, 0x14, 0x9e, 0xf0, 0x98, 0x17, 0xf5,
27369         0x80
27370     };
27371 
27372     /* uncompressed test */
27373     WOLFSSL_SMALL_STACK_STATIC const byte pKey4[] = {
27374         0x5f, 0xd7, 0x44, 0x9b, 0x59, 0xb4, 0x61, 0xfd,
27375         0x2c, 0xe7, 0x87, 0xec, 0x61, 0x6a, 0xd4, 0x6a,
27376         0x1d, 0xa1, 0x34, 0x24, 0x85, 0xa7, 0x0e, 0x1f,
27377         0x8a, 0x0e, 0xa7, 0x5d, 0x80, 0xe9, 0x67, 0x78,
27378         0xed, 0xf1, 0x24, 0x76, 0x9b, 0x46, 0xc7, 0x06,
27379         0x1b, 0xd6, 0x78, 0x3d, 0xf1, 0xe5, 0x0f, 0x6c,
27380         0xd1, 0xfa, 0x1a, 0xbe, 0xaf, 0xe8, 0x25, 0x61,
27381         0x80
27382     };
27383 
27384     /* compressed prefix */
27385     WOLFSSL_SMALL_STACK_STATIC const byte pKey5[] = {
27386         0x5f, 0xd7, 0x44, 0x9b, 0x59, 0xb4, 0x61, 0xfd,
27387         0x2c, 0xe7, 0x87, 0xec, 0x61, 0x6a, 0xd4, 0x6a,
27388         0x1d, 0xa1, 0x34, 0x24, 0x85, 0xa7, 0x0e, 0x1f,
27389         0x8a, 0x0e, 0xa7, 0x5d, 0x80, 0xe9, 0x67, 0x78,
27390         0xed, 0xf1, 0x24, 0x76, 0x9b, 0x46, 0xc7, 0x06,
27391         0x1b, 0xd6, 0x78, 0x3d, 0xf1, 0xe5, 0x0f, 0x6c,
27392         0xd1, 0xfa, 0x1a, 0xbe, 0xaf, 0xe8, 0x25, 0x61,
27393         0x80
27394     };
27395 
27396     WOLFSSL_SMALL_STACK_STATIC const byte pKey6[] = {
27397         0xa8, 0x1b, 0x2e, 0x8a, 0x70, 0xa5, 0xac, 0x94,
27398         0xff, 0xdb, 0xcc, 0x9b, 0xad, 0xfc, 0x3f, 0xeb,
27399         0x08, 0x01, 0xf2, 0x58, 0x57, 0x8b, 0xb1, 0x14,
27400         0xad, 0x44, 0xec, 0xe1, 0xec, 0x0e, 0x79, 0x9d,
27401         0xa0, 0x8e, 0xff, 0xb8, 0x1c, 0x5d, 0x68, 0x5c,
27402         0x0c, 0x56, 0xf6, 0x4e, 0xec, 0xae, 0xf8, 0xcd,
27403         0xf1, 0x1c, 0xc3, 0x87, 0x37, 0x83, 0x8c, 0xf4,
27404         0x00
27405     };
27406 
27407     WOLFSSL_SMALL_STACK_STATIC const byte* pKeys[] = {pKey1, pKey2, pKey3, pKey4, pKey5, pKey6};
27408     WOLFSSL_SMALL_STACK_STATIC const byte  pKeySz[] = {sizeof(pKey1), sizeof(pKey2), sizeof(pKey3),
27409                             sizeof(pKey4), sizeof(pKey5), sizeof(pKey6)};
27410 
27411     WOLFSSL_SMALL_STACK_STATIC const byte sig1[] = {
27412         0x53, 0x3a, 0x37, 0xf6, 0xbb, 0xe4, 0x57, 0x25,
27413         0x1f, 0x02, 0x3c, 0x0d, 0x88, 0xf9, 0x76, 0xae,
27414         0x2d, 0xfb, 0x50, 0x4a, 0x84, 0x3e, 0x34, 0xd2,
27415         0x07, 0x4f, 0xd8, 0x23, 0xd4, 0x1a, 0x59, 0x1f,
27416         0x2b, 0x23, 0x3f, 0x03, 0x4f, 0x62, 0x82, 0x81,
27417         0xf2, 0xfd, 0x7a, 0x22, 0xdd, 0xd4, 0x7d, 0x78,
27418         0x28, 0xc5, 0x9b, 0xd0, 0xa2, 0x1b, 0xfd, 0x39,
27419         0x80, 0xff, 0x0d, 0x20, 0x28, 0xd4, 0xb1, 0x8a,
27420         0x9d, 0xf6, 0x3e, 0x00, 0x6c, 0x5d, 0x1c, 0x2d,
27421         0x34, 0x5b, 0x92, 0x5d, 0x8d, 0xc0, 0x0b, 0x41,
27422         0x04, 0x85, 0x2d, 0xb9, 0x9a, 0xc5, 0xc7, 0xcd,
27423         0xda, 0x85, 0x30, 0xa1, 0x13, 0xa0, 0xf4, 0xdb,
27424         0xb6, 0x11, 0x49, 0xf0, 0x5a, 0x73, 0x63, 0x26,
27425         0x8c, 0x71, 0xd9, 0x58, 0x08, 0xff, 0x2e, 0x65,
27426         0x26, 0x00
27427     };
27428 
27429     WOLFSSL_SMALL_STACK_STATIC const byte sig2[] = {
27430         0x26, 0xb8, 0xf9, 0x17, 0x27, 0xbd, 0x62, 0x89,
27431         0x7a, 0xf1, 0x5e, 0x41, 0xeb, 0x43, 0xc3, 0x77,
27432         0xef, 0xb9, 0xc6, 0x10, 0xd4, 0x8f, 0x23, 0x35,
27433         0xcb, 0x0b, 0xd0, 0x08, 0x78, 0x10, 0xf4, 0x35,
27434         0x25, 0x41, 0xb1, 0x43, 0xc4, 0xb9, 0x81, 0xb7,
27435         0xe1, 0x8f, 0x62, 0xde, 0x8c, 0xcd, 0xf6, 0x33,
27436         0xfc, 0x1b, 0xf0, 0x37, 0xab, 0x7c, 0xd7, 0x79,
27437         0x80, 0x5e, 0x0d, 0xbc, 0xc0, 0xaa, 0xe1, 0xcb,
27438         0xce, 0xe1, 0xaf, 0xb2, 0xe0, 0x27, 0xdf, 0x36,
27439         0xbc, 0x04, 0xdc, 0xec, 0xbf, 0x15, 0x43, 0x36,
27440         0xc1, 0x9f, 0x0a, 0xf7, 0xe0, 0xa6, 0x47, 0x29,
27441         0x05, 0xe7, 0x99, 0xf1, 0x95, 0x3d, 0x2a, 0x0f,
27442         0xf3, 0x34, 0x8a, 0xb2, 0x1a, 0xa4, 0xad, 0xaf,
27443         0xd1, 0xd2, 0x34, 0x44, 0x1c, 0xf8, 0x07, 0xc0,
27444         0x3a, 0x00
27445     };
27446 
27447     WOLFSSL_SMALL_STACK_STATIC const byte sig3[] = {
27448         0x7e, 0xee, 0xab, 0x7c, 0x4e, 0x50, 0xfb, 0x79,
27449         0x9b, 0x41, 0x8e, 0xe5, 0xe3, 0x19, 0x7f, 0xf6,
27450         0xbf, 0x15, 0xd4, 0x3a, 0x14, 0xc3, 0x43, 0x89,
27451         0xb5, 0x9d, 0xd1, 0xa7, 0xb1, 0xb8, 0x5b, 0x4a,
27452         0xe9, 0x04, 0x38, 0xac, 0xa6, 0x34, 0xbe, 0xa4,
27453         0x5e, 0x3a, 0x26, 0x95, 0xf1, 0x27, 0x0f, 0x07,
27454         0xfd, 0xcd, 0xf7, 0xc6, 0x2b, 0x8e, 0xfe, 0xaf,
27455         0x00, 0xb4, 0x5c, 0x2c, 0x96, 0xba, 0x45, 0x7e,
27456         0xb1, 0xa8, 0xbf, 0x07, 0x5a, 0x3d, 0xb2, 0x8e,
27457         0x5c, 0x24, 0xf6, 0xb9, 0x23, 0xed, 0x4a, 0xd7,
27458         0x47, 0xc3, 0xc9, 0xe0, 0x3c, 0x70, 0x79, 0xef,
27459         0xb8, 0x7c, 0xb1, 0x10, 0xd3, 0xa9, 0x98, 0x61,
27460         0xe7, 0x20, 0x03, 0xcb, 0xae, 0x6d, 0x6b, 0x8b,
27461         0x82, 0x7e, 0x4e, 0x6c, 0x14, 0x30, 0x64, 0xff,
27462         0x3c, 0x00
27463     };
27464 
27465     /* uncompressed test */
27466     WOLFSSL_SMALL_STACK_STATIC const byte sig4[] = {
27467         0x53, 0x3a, 0x37, 0xf6, 0xbb, 0xe4, 0x57, 0x25,
27468         0x1f, 0x02, 0x3c, 0x0d, 0x88, 0xf9, 0x76, 0xae,
27469         0x2d, 0xfb, 0x50, 0x4a, 0x84, 0x3e, 0x34, 0xd2,
27470         0x07, 0x4f, 0xd8, 0x23, 0xd4, 0x1a, 0x59, 0x1f,
27471         0x2b, 0x23, 0x3f, 0x03, 0x4f, 0x62, 0x82, 0x81,
27472         0xf2, 0xfd, 0x7a, 0x22, 0xdd, 0xd4, 0x7d, 0x78,
27473         0x28, 0xc5, 0x9b, 0xd0, 0xa2, 0x1b, 0xfd, 0x39,
27474         0x80, 0xff, 0x0d, 0x20, 0x28, 0xd4, 0xb1, 0x8a,
27475         0x9d, 0xf6, 0x3e, 0x00, 0x6c, 0x5d, 0x1c, 0x2d,
27476         0x34, 0x5b, 0x92, 0x5d, 0x8d, 0xc0, 0x0b, 0x41,
27477         0x04, 0x85, 0x2d, 0xb9, 0x9a, 0xc5, 0xc7, 0xcd,
27478         0xda, 0x85, 0x30, 0xa1, 0x13, 0xa0, 0xf4, 0xdb,
27479         0xb6, 0x11, 0x49, 0xf0, 0x5a, 0x73, 0x63, 0x26,
27480         0x8c, 0x71, 0xd9, 0x58, 0x08, 0xff, 0x2e, 0x65,
27481         0x26, 0x00
27482     };
27483 
27484     /* compressed prefix */
27485     WOLFSSL_SMALL_STACK_STATIC const byte sig5[] = {
27486         0x53, 0x3a, 0x37, 0xf6, 0xbb, 0xe4, 0x57, 0x25,
27487         0x1f, 0x02, 0x3c, 0x0d, 0x88, 0xf9, 0x76, 0xae,
27488         0x2d, 0xfb, 0x50, 0x4a, 0x84, 0x3e, 0x34, 0xd2,
27489         0x07, 0x4f, 0xd8, 0x23, 0xd4, 0x1a, 0x59, 0x1f,
27490         0x2b, 0x23, 0x3f, 0x03, 0x4f, 0x62, 0x82, 0x81,
27491         0xf2, 0xfd, 0x7a, 0x22, 0xdd, 0xd4, 0x7d, 0x78,
27492         0x28, 0xc5, 0x9b, 0xd0, 0xa2, 0x1b, 0xfd, 0x39,
27493         0x80, 0xff, 0x0d, 0x20, 0x28, 0xd4, 0xb1, 0x8a,
27494         0x9d, 0xf6, 0x3e, 0x00, 0x6c, 0x5d, 0x1c, 0x2d,
27495         0x34, 0x5b, 0x92, 0x5d, 0x8d, 0xc0, 0x0b, 0x41,
27496         0x04, 0x85, 0x2d, 0xb9, 0x9a, 0xc5, 0xc7, 0xcd,
27497         0xda, 0x85, 0x30, 0xa1, 0x13, 0xa0, 0xf4, 0xdb,
27498         0xb6, 0x11, 0x49, 0xf0, 0x5a, 0x73, 0x63, 0x26,
27499         0x8c, 0x71, 0xd9, 0x58, 0x08, 0xff, 0x2e, 0x65,
27500         0x26, 0x00
27501     };
27502 
27503     WOLFSSL_SMALL_STACK_STATIC const byte sig6[] = {
27504         0xe3, 0x01, 0x34, 0x5a, 0x41, 0xa3, 0x9a, 0x4d,
27505         0x72, 0xff, 0xf8, 0xdf, 0x69, 0xc9, 0x80, 0x75,
27506         0xa0, 0xcc, 0x08, 0x2b, 0x80, 0x2f, 0xc9, 0xb2,
27507         0xb6, 0xbc, 0x50, 0x3f, 0x92, 0x6b, 0x65, 0xbd,
27508         0xdf, 0x7f, 0x4c, 0x8f, 0x1c, 0xb4, 0x9f, 0x63,
27509         0x96, 0xaf, 0xc8, 0xa7, 0x0a, 0xbe, 0x6d, 0x8a,
27510         0xef, 0x0d, 0xb4, 0x78, 0xd4, 0xc6, 0xb2, 0x97,
27511         0x00, 0x76, 0xc6, 0xa0, 0x48, 0x4f, 0xe7, 0x6d,
27512         0x76, 0xb3, 0xa9, 0x76, 0x25, 0xd7, 0x9f, 0x1c,
27513         0xe2, 0x40, 0xe7, 0xc5, 0x76, 0x75, 0x0d, 0x29,
27514         0x55, 0x28, 0x28, 0x6f, 0x71, 0x9b, 0x41, 0x3d,
27515         0xe9, 0xad, 0xa3, 0xe8, 0xeb, 0x78, 0xed, 0x57,
27516         0x36, 0x03, 0xce, 0x30, 0xd8, 0xbb, 0x76, 0x17,
27517         0x85, 0xdc, 0x30, 0xdb, 0xc3, 0x20, 0x86, 0x9e,
27518         0x1a, 0x00
27519     };
27520 
27521     WOLFSSL_SMALL_STACK_STATIC const byte* sigs[] = {sig1, sig2, sig3, sig4, sig5, sig6};
27522     #define SIGSZ sizeof(sig1)
27523 
27524     PEDANTIC_EXTENSION WOLFSSL_SMALL_STACK_STATIC const byte msg1[]  = { };
27525     WOLFSSL_SMALL_STACK_STATIC const byte msg2[]  = { 0x03 };
27526     WOLFSSL_SMALL_STACK_STATIC const byte msg3[]  = { 0x64, 0xa6, 0x5f, 0x3c, 0xde, 0xdc, 0xdd,
27527                                   0x66, 0x81, 0x1e, 0x29, 0x15 };
27528 
27529     /* test of a 1023 byte long message */
27530     WOLFSSL_SMALL_STACK_STATIC const byte msg4[]  = {
27531         0x6d, 0xdf, 0x80, 0x2e, 0x1a, 0xae, 0x49, 0x86,
27532         0x93, 0x5f, 0x7f, 0x98, 0x1b, 0xa3, 0xf0, 0x35,
27533         0x1d, 0x62, 0x73, 0xc0, 0xa0, 0xc2, 0x2c, 0x9c,
27534         0x0e, 0x83, 0x39, 0x16, 0x8e, 0x67, 0x54, 0x12,
27535         0xa3, 0xde, 0xbf, 0xaf, 0x43, 0x5e, 0xd6, 0x51,
27536         0x55, 0x80, 0x07, 0xdb, 0x43, 0x84, 0xb6, 0x50,
27537         0xfc, 0xc0, 0x7e, 0x3b, 0x58, 0x6a, 0x27, 0xa4,
27538         0xf7, 0xa0, 0x0a, 0xc8, 0xa6, 0xfe, 0xc2, 0xcd,
27539         0x86, 0xae, 0x4b, 0xf1, 0x57, 0x0c, 0x41, 0xe6,
27540         0xa4, 0x0c, 0x93, 0x1d, 0xb2, 0x7b, 0x2f, 0xaa,
27541         0x15, 0xa8, 0xce, 0xdd, 0x52, 0xcf, 0xf7, 0x36,
27542         0x2c, 0x4e, 0x6e, 0x23, 0xda, 0xec, 0x0f, 0xbc,
27543         0x3a, 0x79, 0xb6, 0x80, 0x6e, 0x31, 0x6e, 0xfc,
27544         0xc7, 0xb6, 0x81, 0x19, 0xbf, 0x46, 0xbc, 0x76,
27545         0xa2, 0x60, 0x67, 0xa5, 0x3f, 0x29, 0x6d, 0xaf,
27546         0xdb, 0xdc, 0x11, 0xc7, 0x7f, 0x77, 0x77, 0xe9,
27547         0x72, 0x66, 0x0c, 0xf4, 0xb6, 0xa9, 0xb3, 0x69,
27548         0xa6, 0x66, 0x5f, 0x02, 0xe0, 0xcc, 0x9b, 0x6e,
27549         0xdf, 0xad, 0x13, 0x6b, 0x4f, 0xab, 0xe7, 0x23,
27550         0xd2, 0x81, 0x3d, 0xb3, 0x13, 0x6c, 0xfd, 0xe9,
27551         0xb6, 0xd0, 0x44, 0x32, 0x2f, 0xee, 0x29, 0x47,
27552         0x95, 0x2e, 0x03, 0x1b, 0x73, 0xab, 0x5c, 0x60,
27553         0x33, 0x49, 0xb3, 0x07, 0xbd, 0xc2, 0x7b, 0xc6,
27554         0xcb, 0x8b, 0x8b, 0xbd, 0x7b, 0xd3, 0x23, 0x21,
27555         0x9b, 0x80, 0x33, 0xa5, 0x81, 0xb5, 0x9e, 0xad,
27556         0xeb, 0xb0, 0x9b, 0x3c, 0x4f, 0x3d, 0x22, 0x77,
27557         0xd4, 0xf0, 0x34, 0x36, 0x24, 0xac, 0xc8, 0x17,
27558         0x80, 0x47, 0x28, 0xb2, 0x5a, 0xb7, 0x97, 0x17,
27559         0x2b, 0x4c, 0x5c, 0x21, 0xa2, 0x2f, 0x9c, 0x78,
27560         0x39, 0xd6, 0x43, 0x00, 0x23, 0x2e, 0xb6, 0x6e,
27561         0x53, 0xf3, 0x1c, 0x72, 0x3f, 0xa3, 0x7f, 0xe3,
27562         0x87, 0xc7, 0xd3, 0xe5, 0x0b, 0xdf, 0x98, 0x13,
27563         0xa3, 0x0e, 0x5b, 0xb1, 0x2c, 0xf4, 0xcd, 0x93,
27564         0x0c, 0x40, 0xcf, 0xb4, 0xe1, 0xfc, 0x62, 0x25,
27565         0x92, 0xa4, 0x95, 0x88, 0x79, 0x44, 0x94, 0xd5,
27566         0x6d, 0x24, 0xea, 0x4b, 0x40, 0xc8, 0x9f, 0xc0,
27567         0x59, 0x6c, 0xc9, 0xeb, 0xb9, 0x61, 0xc8, 0xcb,
27568         0x10, 0xad, 0xde, 0x97, 0x6a, 0x5d, 0x60, 0x2b,
27569         0x1c, 0x3f, 0x85, 0xb9, 0xb9, 0xa0, 0x01, 0xed,
27570         0x3c, 0x6a, 0x4d, 0x3b, 0x14, 0x37, 0xf5, 0x20,
27571         0x96, 0xcd, 0x19, 0x56, 0xd0, 0x42, 0xa5, 0x97,
27572         0xd5, 0x61, 0xa5, 0x96, 0xec, 0xd3, 0xd1, 0x73,
27573         0x5a, 0x8d, 0x57, 0x0e, 0xa0, 0xec, 0x27, 0x22,
27574         0x5a, 0x2c, 0x4a, 0xaf, 0xf2, 0x63, 0x06, 0xd1,
27575         0x52, 0x6c, 0x1a, 0xf3, 0xca, 0x6d, 0x9c, 0xf5,
27576         0xa2, 0xc9, 0x8f, 0x47, 0xe1, 0xc4, 0x6d, 0xb9,
27577         0xa3, 0x32, 0x34, 0xcf, 0xd4, 0xd8, 0x1f, 0x2c,
27578         0x98, 0x53, 0x8a, 0x09, 0xeb, 0xe7, 0x69, 0x98,
27579         0xd0, 0xd8, 0xfd, 0x25, 0x99, 0x7c, 0x7d, 0x25,
27580         0x5c, 0x6d, 0x66, 0xec, 0xe6, 0xfa, 0x56, 0xf1,
27581         0x11, 0x44, 0x95, 0x0f, 0x02, 0x77, 0x95, 0xe6,
27582         0x53, 0x00, 0x8f, 0x4b, 0xd7, 0xca, 0x2d, 0xee,
27583         0x85, 0xd8, 0xe9, 0x0f, 0x3d, 0xc3, 0x15, 0x13,
27584         0x0c, 0xe2, 0xa0, 0x03, 0x75, 0xa3, 0x18, 0xc7,
27585         0xc3, 0xd9, 0x7b, 0xe2, 0xc8, 0xce, 0x5b, 0x6d,
27586         0xb4, 0x1a, 0x62, 0x54, 0xff, 0x26, 0x4f, 0xa6,
27587         0x15, 0x5b, 0xae, 0xe3, 0xb0, 0x77, 0x3c, 0x0f,
27588         0x49, 0x7c, 0x57, 0x3f, 0x19, 0xbb, 0x4f, 0x42,
27589         0x40, 0x28, 0x1f, 0x0b, 0x1f, 0x4f, 0x7b, 0xe8,
27590         0x57, 0xa4, 0xe5, 0x9d, 0x41, 0x6c, 0x06, 0xb4,
27591         0xc5, 0x0f, 0xa0, 0x9e, 0x18, 0x10, 0xdd, 0xc6,
27592         0xb1, 0x46, 0x7b, 0xae, 0xac, 0x5a, 0x36, 0x68,
27593         0xd1, 0x1b, 0x6e, 0xca, 0xa9, 0x01, 0x44, 0x00,
27594         0x16, 0xf3, 0x89, 0xf8, 0x0a, 0xcc, 0x4d, 0xb9,
27595         0x77, 0x02, 0x5e, 0x7f, 0x59, 0x24, 0x38, 0x8c,
27596         0x7e, 0x34, 0x0a, 0x73, 0x2e, 0x55, 0x44, 0x40,
27597         0xe7, 0x65, 0x70, 0xf8, 0xdd, 0x71, 0xb7, 0xd6,
27598         0x40, 0xb3, 0x45, 0x0d, 0x1f, 0xd5, 0xf0, 0x41,
27599         0x0a, 0x18, 0xf9, 0xa3, 0x49, 0x4f, 0x70, 0x7c,
27600         0x71, 0x7b, 0x79, 0xb4, 0xbf, 0x75, 0xc9, 0x84,
27601         0x00, 0xb0, 0x96, 0xb2, 0x16, 0x53, 0xb5, 0xd2,
27602         0x17, 0xcf, 0x35, 0x65, 0xc9, 0x59, 0x74, 0x56,
27603         0xf7, 0x07, 0x03, 0x49, 0x7a, 0x07, 0x87, 0x63,
27604         0x82, 0x9b, 0xc0, 0x1b, 0xb1, 0xcb, 0xc8, 0xfa,
27605         0x04, 0xea, 0xdc, 0x9a, 0x6e, 0x3f, 0x66, 0x99,
27606         0x58, 0x7a, 0x9e, 0x75, 0xc9, 0x4e, 0x5b, 0xab,
27607         0x00, 0x36, 0xe0, 0xb2, 0xe7, 0x11, 0x39, 0x2c,
27608         0xff, 0x00, 0x47, 0xd0, 0xd6, 0xb0, 0x5b, 0xd2,
27609         0xa5, 0x88, 0xbc, 0x10, 0x97, 0x18, 0x95, 0x42,
27610         0x59, 0xf1, 0xd8, 0x66, 0x78, 0xa5, 0x79, 0xa3,
27611         0x12, 0x0f, 0x19, 0xcf, 0xb2, 0x96, 0x3f, 0x17,
27612         0x7a, 0xeb, 0x70, 0xf2, 0xd4, 0x84, 0x48, 0x26,
27613         0x26, 0x2e, 0x51, 0xb8, 0x02, 0x71, 0x27, 0x20,
27614         0x68, 0xef, 0x5b, 0x38, 0x56, 0xfa, 0x85, 0x35,
27615         0xaa, 0x2a, 0x88, 0xb2, 0xd4, 0x1f, 0x2a, 0x0e,
27616         0x2f, 0xda, 0x76, 0x24, 0xc2, 0x85, 0x02, 0x72,
27617         0xac, 0x4a, 0x2f, 0x56, 0x1f, 0x8f, 0x2f, 0x7a,
27618         0x31, 0x8b, 0xfd, 0x5c, 0xaf, 0x96, 0x96, 0x14,
27619         0x9e, 0x4a, 0xc8, 0x24, 0xad, 0x34, 0x60, 0x53,
27620         0x8f, 0xdc, 0x25, 0x42, 0x1b, 0xee, 0xc2, 0xcc,
27621         0x68, 0x18, 0x16, 0x2d, 0x06, 0xbb, 0xed, 0x0c,
27622         0x40, 0xa3, 0x87, 0x19, 0x23, 0x49, 0xdb, 0x67,
27623         0xa1, 0x18, 0xba, 0xda, 0x6c, 0xd5, 0xab, 0x01,
27624         0x40, 0xee, 0x27, 0x32, 0x04, 0xf6, 0x28, 0xaa,
27625         0xd1, 0xc1, 0x35, 0xf7, 0x70, 0x27, 0x9a, 0x65,
27626         0x1e, 0x24, 0xd8, 0xc1, 0x4d, 0x75, 0xa6, 0x05,
27627         0x9d, 0x76, 0xb9, 0x6a, 0x6f, 0xd8, 0x57, 0xde,
27628         0xf5, 0xe0, 0xb3, 0x54, 0xb2, 0x7a, 0xb9, 0x37,
27629         0xa5, 0x81, 0x5d, 0x16, 0xb5, 0xfa, 0xe4, 0x07,
27630         0xff, 0x18, 0x22, 0x2c, 0x6d, 0x1e, 0xd2, 0x63,
27631         0xbe, 0x68, 0xc9, 0x5f, 0x32, 0xd9, 0x08, 0xbd,
27632         0x89, 0x5c, 0xd7, 0x62, 0x07, 0xae, 0x72, 0x64,
27633         0x87, 0x56, 0x7f, 0x9a, 0x67, 0xda, 0xd7, 0x9a,
27634         0xbe, 0xc3, 0x16, 0xf6, 0x83, 0xb1, 0x7f, 0x2d,
27635         0x02, 0xbf, 0x07, 0xe0, 0xac, 0x8b, 0x5b, 0xc6,
27636         0x16, 0x2c, 0xf9, 0x46, 0x97, 0xb3, 0xc2, 0x7c,
27637         0xd1, 0xfe, 0xa4, 0x9b, 0x27, 0xf2, 0x3b, 0xa2,
27638         0x90, 0x18, 0x71, 0x96, 0x25, 0x06, 0x52, 0x0c,
27639         0x39, 0x2d, 0xa8, 0xb6, 0xad, 0x0d, 0x99, 0xf7,
27640         0x01, 0x3f, 0xbc, 0x06, 0xc2, 0xc1, 0x7a, 0x56,
27641         0x95, 0x00, 0xc8, 0xa7, 0x69, 0x64, 0x81, 0xc1,
27642         0xcd, 0x33, 0xe9, 0xb1, 0x4e, 0x40, 0xb8, 0x2e,
27643         0x79, 0xa5, 0xf5, 0xdb, 0x82, 0x57, 0x1b, 0xa9,
27644         0x7b, 0xae, 0x3a, 0xd3, 0xe0, 0x47, 0x95, 0x15,
27645         0xbb, 0x0e, 0x2b, 0x0f, 0x3b, 0xfc, 0xd1, 0xfd,
27646         0x33, 0x03, 0x4e, 0xfc, 0x62, 0x45, 0xed, 0xdd,
27647         0x7e, 0xe2, 0x08, 0x6d, 0xda, 0xe2, 0x60, 0x0d,
27648         0x8c, 0xa7, 0x3e, 0x21, 0x4e, 0x8c, 0x2b, 0x0b,
27649         0xdb, 0x2b, 0x04, 0x7c, 0x6a, 0x46, 0x4a, 0x56,
27650         0x2e, 0xd7, 0x7b, 0x73, 0xd2, 0xd8, 0x41, 0xc4,
27651         0xb3, 0x49, 0x73, 0x55, 0x12, 0x57, 0x71, 0x3b,
27652         0x75, 0x36, 0x32, 0xef, 0xba, 0x34, 0x81, 0x69,
27653         0xab, 0xc9, 0x0a, 0x68, 0xf4, 0x26, 0x11, 0xa4,
27654         0x01, 0x26, 0xd7, 0xcb, 0x21, 0xb5, 0x86, 0x95,
27655         0x56, 0x81, 0x86, 0xf7, 0xe5, 0x69, 0xd2, 0xff,
27656         0x0f, 0x9e, 0x74, 0x5d, 0x04, 0x87, 0xdd, 0x2e,
27657         0xb9, 0x97, 0xca, 0xfc, 0x5a, 0xbf, 0x9d, 0xd1,
27658         0x02, 0xe6, 0x2f, 0xf6, 0x6c, 0xba, 0x87
27659     };
27660 
27661     WOLFSSL_SMALL_STACK_STATIC const byte* msgs[] =   {msg1, msg2, msg3, msg1, msg1, msg4};
27662     WOLFSSL_SMALL_STACK_STATIC const word16 msgSz[] = {0 /*sizeof(msg1)*/,
27663                                    sizeof(msg2),
27664                                    sizeof(msg3),
27665                                    0 /*sizeof(msg1)*/,
27666                                    0 /*sizeof(msg1)*/,
27667                                    sizeof(msg4)
27668     };
27669 #ifndef NO_ASN
27670     static const byte privateEd448[] = {
27671         0x30, 0x47, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
27672         0x03, 0x2b, 0x65, 0x71, 0x04, 0x3b, 0x04, 0x39,
27673         0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d, 0x10,
27674         0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e, 0xbf,
27675         0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c, 0x9f,
27676         0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48, 0xa3,
27677         0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04, 0x4e,
27678         0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f, 0x8f,
27679         0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98, 0xf9,
27680         0x5b
27681     };
27682     static const byte publicEd448[] = {
27683         0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
27684         0x71, 0x03, 0x3a, 0x00, 0x5f, 0xd7, 0x44, 0x9b,
27685         0x59, 0xb4, 0x61, 0xfd, 0x2c, 0xe7, 0x87, 0xec,
27686         0x61, 0x6a, 0xd4, 0x6a, 0x1d, 0xa1, 0x34, 0x24,
27687         0x85, 0xa7, 0x0e, 0x1f, 0x8a, 0x0e, 0xa7, 0x5d,
27688         0x80, 0xe9, 0x67, 0x78, 0xed, 0xf1, 0x24, 0x76,
27689         0x9b, 0x46, 0xc7, 0x06, 0x1b, 0xd6, 0x78, 0x3d,
27690         0xf1, 0xe5, 0x0f, 0x6c, 0xd1, 0xfa, 0x1a, 0xbe,
27691         0xaf, 0xe8, 0x25, 0x61, 0x80
27692     };
27693     static const byte privPubEd448[] = {
27694         0x30, 0x81, 0x84, 0x02, 0x01, 0x00, 0x30, 0x05,
27695         0x06, 0x03, 0x2b, 0x65, 0x71, 0x04, 0x3b, 0x04,
27696         0x39, 0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d,
27697         0x10, 0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e,
27698         0xbf, 0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c,
27699         0x9f, 0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48,
27700         0xa3, 0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04,
27701         0x4e, 0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f,
27702         0x8f, 0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98,
27703         0xf9, 0x5b, 0xa1, 0x3b, 0x04, 0x39, 0x5f, 0xd7,
27704         0x44, 0x9b, 0x59, 0xb4, 0x61, 0xfd, 0x2c, 0xe7,
27705         0x87, 0xec, 0x61, 0x6a, 0xd4, 0x6a, 0x1d, 0xa1,
27706         0x34, 0x24, 0x85, 0xa7, 0x0e, 0x1f, 0x8a, 0x0e,
27707         0xa7, 0x5d, 0x80, 0xe9, 0x67, 0x78, 0xed, 0xf1,
27708         0x24, 0x76, 0x9b, 0x46, 0xc7, 0x06, 0x1b, 0xd6,
27709         0x78, 0x3d, 0xf1, 0xe5, 0x0f, 0x6c, 0xd1, 0xfa,
27710         0x1a, 0xbe, 0xaf, 0xe8, 0x25, 0x61, 0x80
27711     };
27712 
27713     word32 idx;
27714 #endif /* NO_ASN */
27715 #endif /* HAVE_ED448_SIGN && HAVE_ED448_KEY_EXPORT && HAVE_ED448_KEY_IMPORT */
27716 #if !defined(NO_ASN) && defined(HAVE_ED448_SIGN)
27717 #ifdef WOLFSSL_SMALL_STACK
27718     ed448_key *key3 = NULL;
27719 #else
27720     ed448_key key3[1];
27721 #endif
27722 #endif
27723 
27724 #ifdef WOLFSSL_SMALL_STACK
27725     key = (ed448_key *)XMALLOC(sizeof(*key), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27726     key2 = (ed448_key *)XMALLOC(sizeof(*key2), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27727 #if !defined(NO_ASN) && defined(HAVE_ED448_SIGN)
27728     key3 = (ed448_key *)XMALLOC(sizeof(*key3), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27729 #endif
27730 #endif
27731 
27732     /* create ed448 keys */
27733 #ifndef HAVE_FIPS
27734     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
27735 #else
27736     ret = wc_InitRng(&rng);
27737 #endif
27738     if (ret != 0) {
27739         XMEMSET(&rng, 0, sizeof(rng));
27740         ERROR_OUT(-11700, out);
27741     }
27742 
27743     if (wc_ed448_init(key) < 0)
27744         ERROR_OUT(-11903, out);
27745     if (wc_ed448_init(key2) < 0)
27746         ERROR_OUT(-11904, out);
27747 #if !defined(NO_ASN) && defined(HAVE_ED448_SIGN)
27748     if (wc_ed448_init(key3) < 0)
27749         ERROR_OUT(-11905, out);
27750 #endif
27751     if (wc_ed448_make_key(&rng, ED448_KEY_SIZE, key) < 0)
27752         ERROR_OUT(-11906, out);
27753     if (wc_ed448_make_key(&rng, ED448_KEY_SIZE, key2) < 0)
27754         ERROR_OUT(-11907, out);
27755 
27756     /* helper functions for signature and key size */
27757     keySz = wc_ed448_size(key);
27758     sigSz = wc_ed448_sig_size(key);
27759 
27760 #if defined(HAVE_ED448_SIGN) && defined(HAVE_ED448_KEY_EXPORT) &&\
27761         defined(HAVE_ED448_KEY_IMPORT)
27762     for (i = 0; i < 6; i++) {
27763         outlen = sizeof(out);
27764         XMEMSET(out, 0, sizeof(out));
27765 
27766         if (wc_ed448_import_private_key(sKeys[i], ED448_KEY_SIZE, pKeys[i],
27767                 pKeySz[i], key) != 0)
27768             ERROR_OUT(-11701 - i, out);
27769 
27770         if (wc_ed448_sign_msg(msgs[i], msgSz[i], out, &outlen, key, NULL,
27771                                                                       0) != 0)
27772             ERROR_OUT(-11711 - i, out);
27773 
27774         if (XMEMCMP(out, sigs[i], 114))
27775             ERROR_OUT(-11721 - i, out);
27776 
27777 #if defined(HAVE_ED448_VERIFY)
27778         /* test verify on good msg */
27779         if (wc_ed448_verify_msg(out, outlen, msgs[i], msgSz[i], &verify, key,
27780                                                  NULL, 0) != 0 || verify != 1)
27781             ERROR_OUT(-11731 - i, out);
27782 
27783 #ifdef WOLFSSL_ED448_STREAMING_VERIFY
27784         /* test verify on good msg using streaming interface directly */
27785         if (wc_ed448_verify_msg_init(out, outlen,
27786                                        key, (byte)Ed448, NULL, 0) != 0)
27787             ERROR_OUT(-11911 - i, out);
27788         for (j = 0; j < msgSz[i]; j += i) {
27789             if (wc_ed448_verify_msg_update(msgs[i] + j, MIN(i, msgSz[i] - j), key) != 0)
27790                 ERROR_OUT(-11921 - i, out);
27791         }
27792         if (wc_ed448_verify_msg_final(out, outlen, &verify,
27793                                         key) != 0 || verify != 1)
27794             ERROR_OUT(-11931 - i, out);
27795 #endif /* WOLFSSL_ED448_STREAMING_VERIFY */
27796 
27797         /* test verify on bad msg */
27798         out[outlen-2] = out[outlen-2] + 1;
27799         if (wc_ed448_verify_msg(out, outlen, msgs[i], msgSz[i], &verify, key,
27800                                                  NULL, 0) == 0 || verify == 1)
27801             ERROR_OUT(-11741 - i, out);
27802 #endif /* HAVE_ED448_VERIFY */
27803 
27804         /* test api for import/exporting keys */
27805         {
27806             byte   *exportPKey = NULL;
27807             byte   *exportSKey = NULL;
27808             word32 exportPSz = ED448_KEY_SIZE;
27809             word32 exportSSz = ED448_KEY_SIZE;
27810 
27811             exportPKey = (byte *)XMALLOC(exportPSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27812             exportSKey = (byte *)XMALLOC(exportSSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27813             if ((exportPKey == NULL) || (exportSKey == NULL))
27814                 ERROR_OUT(-11902, out);
27815 
27816             ret = 0;
27817 
27818             do {
27819                 if (wc_ed448_export_public(key, exportPKey, &exportPSz) != 0) {
27820                     ret = -11751 - i;
27821                     break;
27822                 }
27823 
27824                 if (wc_ed448_import_public(exportPKey, exportPSz, key2) != 0) {
27825                     ret = -11761 - i;
27826                     break;
27827                 }
27828 
27829                 if (wc_ed448_export_private_only(key, exportSKey, &exportSSz) != 0) {
27830                     ret = -11771 - i;
27831                     break;
27832                 }
27833 
27834                 if (wc_ed448_import_private_key(exportSKey, exportSSz,
27835                                                 exportPKey, exportPSz, key2) != 0) {
27836                     ret = -11781 - i;
27837                     break;
27838                 }
27839 
27840                 /* clear "out" buffer and test sign with imported keys */
27841                 outlen = sizeof(out);
27842                 XMEMSET(out, 0, sizeof(out));
27843                 if (wc_ed448_sign_msg(msgs[i], msgSz[i], out, &outlen, key2, NULL,
27844                                       0) != 0) {
27845                     ret = -11791 - i;
27846                     break;
27847                 }
27848             } while(0);
27849 
27850             XFREE(exportPKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27851             XFREE(exportSKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27852 
27853             if (ret != 0)
27854                 goto out;
27855         }
27856 
27857 #if defined(HAVE_ED448_VERIFY)
27858         if (wc_ed448_verify_msg(out, outlen, msgs[i], msgSz[i], &verify, key2,
27859                                 NULL, 0) != 0 || verify != 1)
27860             ERROR_OUT(-11801 - i, out);
27861 
27862         if (XMEMCMP(out, sigs[i], SIGSZ))
27863             ERROR_OUT(-11811 - i, out);
27864 #endif /* HAVE_ED448_VERIFY */
27865     }
27866 
27867     ret = ed448_ctx_test();
27868     if (ret != 0)
27869         goto out;
27870 
27871     ret = ed448ph_test();
27872     if (ret != 0)
27873         goto out;
27874 
27875 #ifndef NO_ASN
27876     /* Try ASN.1 encoded private-only key and public key. */
27877     idx = 0;
27878     if (wc_Ed448PrivateKeyDecode(privateEd448, &idx, key3,
27879                                  sizeof(privateEd448)) != 0)
27880         ERROR_OUT(-11821, out);
27881 
27882     if (wc_ed448_sign_msg(msgs[0], msgSz[0], out, &outlen, key3, NULL, 0)
27883                 != BAD_FUNC_ARG)
27884         ERROR_OUT(-11831, out);
27885 
27886     idx = 0;
27887     if (wc_Ed448PublicKeyDecode(publicEd448, &idx, key3,
27888                                 sizeof(publicEd448)) != 0)
27889         ERROR_OUT(-11841, out);
27890 
27891     if (wc_ed448_sign_msg(msgs[0], msgSz[0], out, &outlen, key3, NULL, 0) != 0)
27892         ERROR_OUT(-11851, out);
27893 
27894     if (XMEMCMP(out, sigs[0], SIGSZ))
27895         ERROR_OUT(-11861, out);
27896 
27897 #if defined(HAVE_ED448_VERIFY)
27898     /* test verify on good msg */
27899     if (wc_ed448_verify_msg(out, outlen, msgs[0], msgSz[0], &verify, key3,
27900                 NULL, 0) != 0 || verify != 1)
27901         ERROR_OUT(-11871, out);
27902 #endif /* HAVE_ED448_VERIFY */
27903 
27904     wc_ed448_free(key3);
27905     if (wc_ed448_init(key3) < 0)
27906         ERROR_OUT(-11908, out);
27907 
27908     idx = 0;
27909     if (wc_Ed448PrivateKeyDecode(privPubEd448, &idx, key3,
27910                                  sizeof(privPubEd448)) != 0)
27911         ERROR_OUT(-11881, out);
27912 
27913     if (wc_ed448_sign_msg(msgs[0], msgSz[0], out, &outlen, key3, NULL, 0) != 0)
27914         ERROR_OUT(-11891, out);
27915 
27916     if (XMEMCMP(out, sigs[0], SIGSZ))
27917         ERROR_OUT(-11901, out);
27918 #endif /* NO_ASN */
27919 #endif /* HAVE_ED448_SIGN && HAVE_ED448_KEY_EXPORT && HAVE_ED448_KEY_IMPORT */
27920 
27921     ret = 0;
27922 
27923   out:
27924 
27925 #ifdef WOLFSSL_SMALL_STACK
27926     if (key) {
27927         wc_ed448_free(key);
27928         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27929     }
27930     if (key2) {
27931         wc_ed448_free(key2);
27932         XFREE(key2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27933     }
27934 #if !defined(NO_ASN) && defined(HAVE_ED448_SIGN)
27935     if (key3) {
27936         wc_ed448_free(key3);
27937         XFREE(key3, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
27938     }
27939 #endif
27940 #else
27941     wc_ed448_free(key);
27942     wc_ed448_free(key2);
27943 #if !defined(NO_ASN) && defined(HAVE_ED448_SIGN)
27944     wc_ed448_free(key3);
27945 #endif
27946 #endif
27947 
27948 #if defined(HAVE_HASHDRBG) || defined(NO_RC4)
27949     wc_FreeRng(&rng);
27950 #endif
27951 
27952     if (ret < 0)
27953         return ret;
27954 
27955     /* hush warnings of unused keySz and sigSz */
27956     (void)keySz;
27957     (void)sigSz;
27958 
27959 #ifdef WOLFSSL_TEST_CERT
27960     ret = ed448_test_cert();
27961     if (ret < 0)
27962         return ret;
27963 #ifdef WOLFSSL_CERT_GEN
27964     ret = ed448_test_make_cert();
27965     if (ret < 0)
27966         return ret;
27967 #endif /* WOLFSSL_CERT_GEN */
27968 #endif /* WOLFSSL_TEST_CERT */
27969 
27970     return 0;
27971 }
27972 #endif /* HAVE_ED448 */
27973 
27974 #ifdef WOLFCRYPT_HAVE_ECCSI
27975 static int eccsi_api_test(WC_RNG* rng, EccsiKey* key, mp_int* ssk,
27976                           ecc_point* pvt)
27977 {
27978     int ret;
27979     byte id[1] = { 0x00 };
27980     int valid;
27981     word32 sz;
27982     byte data[256];
27983     byte hash[WC_MAX_DIGEST_SIZE];
27984     byte hashSz;
27985     byte sig[257];
27986     word32 sigSz;
27987 
27988     ret = wc_InitEccsiKey_ex(NULL, 32, ECC_SECP256R1, HEAP_HINT, INVALID_DEVID);
27989     if (ret != BAD_FUNC_ARG)
27990         return -10023;
27991     ret = wc_InitEccsiKey_ex(NULL, 32, ECC_SECP256R1, HEAP_HINT, INVALID_DEVID);
27992     if (ret != BAD_FUNC_ARG)
27993         return -10024;
27994 
27995     ret = wc_InitEccsiKey(NULL, NULL, INVALID_DEVID);
27996     if (ret != BAD_FUNC_ARG)
27997         return -10025;
27998     ret = wc_InitEccsiKey(NULL, HEAP_HINT, INVALID_DEVID);
27999     if (ret != BAD_FUNC_ARG)
28000         return -10026;
28001 
28002     wc_FreeEccsiKey(NULL);
28003 
28004     /* Create a valid key. */
28005     ret = wc_InitEccsiKey(key, NULL, INVALID_DEVID);
28006     if (ret != 0)
28007         return -10027;
28008 
28009     ret = wc_MakeEccsiKey(NULL, NULL);
28010     if (ret != BAD_FUNC_ARG)
28011         return -10028;
28012     ret = wc_MakeEccsiKey(key, NULL);
28013     if (ret != BAD_FUNC_ARG)
28014         return -10029;
28015     ret = wc_MakeEccsiKey(NULL, rng);
28016     if (ret != BAD_FUNC_ARG)
28017         return -10030;
28018 
28019     ret = wc_MakeEccsiPair(NULL, NULL, WC_HASH_TYPE_SHA256, NULL, 1, NULL,
28020             NULL);
28021     if (ret != BAD_FUNC_ARG)
28022         return -10031;
28023     ret = wc_MakeEccsiPair(key, rng, WC_HASH_TYPE_SHA256, id, 1, ssk, NULL);
28024     if (ret != BAD_FUNC_ARG)
28025         return -10032;
28026     ret = wc_MakeEccsiPair(key, rng, WC_HASH_TYPE_SHA256, id, 1, NULL, pvt);
28027     if (ret != BAD_FUNC_ARG)
28028         return -10033;
28029     ret = wc_MakeEccsiPair(key, rng, WC_HASH_TYPE_SHA256, NULL, 1, ssk, pvt);
28030     if (ret != BAD_FUNC_ARG)
28031         return -10034;
28032     ret = wc_MakeEccsiPair(key, NULL, WC_HASH_TYPE_SHA256, id, 1, ssk, pvt);
28033     if (ret != BAD_FUNC_ARG)
28034         return -10035;
28035     ret = wc_MakeEccsiPair(NULL, rng, WC_HASH_TYPE_SHA256, id, 1, ssk, pvt);
28036     if (ret != BAD_FUNC_ARG)
28037         return -10036;
28038     /* No key set */
28039     ret = wc_MakeEccsiPair(key, rng, WC_HASH_TYPE_SHA256, id, 1, ssk, pvt);
28040     if (ret != BAD_STATE_E)
28041         return -10037;
28042 
28043     ret = wc_ValidateEccsiPair(NULL, WC_HASH_TYPE_SHA256, NULL, 1, NULL, NULL,
28044             NULL);
28045     if (ret != BAD_FUNC_ARG)
28046         return -10038;
28047     ret = wc_ValidateEccsiPair(key, WC_HASH_TYPE_SHA256, id, 1, ssk, pvt,
28048             NULL);
28049     if (ret != BAD_FUNC_ARG)
28050         return -10039;
28051     ret = wc_ValidateEccsiPair(key, WC_HASH_TYPE_SHA256, id, 1, ssk, NULL,
28052             &valid);
28053     if (ret != BAD_FUNC_ARG)
28054         return -10040;
28055     ret = wc_ValidateEccsiPair(key, WC_HASH_TYPE_SHA256, id, 1, NULL, pvt,
28056             &valid);
28057     if (ret != BAD_FUNC_ARG)
28058         return -10041;
28059     ret = wc_ValidateEccsiPair(key, WC_HASH_TYPE_SHA256, NULL, 1, ssk, pvt,
28060             &valid);
28061     if (ret != BAD_FUNC_ARG)
28062         return -10042;
28063     ret = wc_ValidateEccsiPair(NULL, WC_HASH_TYPE_SHA256, id, 1, ssk, pvt,
28064             &valid);
28065     if (ret != BAD_FUNC_ARG)
28066         return -10043;
28067     /* No key set */
28068     ret = wc_ValidateEccsiPair(key, WC_HASH_TYPE_SHA256, id, 1, ssk, pvt,
28069             &valid);
28070     if (ret != BAD_STATE_E)
28071         return -10044;
28072 
28073     ret = wc_ValidateEccsiPvt(NULL, NULL, NULL);
28074     if (ret != BAD_FUNC_ARG)
28075         return -10045;
28076     ret = wc_ValidateEccsiPvt(key, NULL, NULL);
28077     if (ret != BAD_FUNC_ARG)
28078         return -10046;
28079     ret = wc_ValidateEccsiPvt(NULL, pvt, NULL);
28080     if (ret != BAD_FUNC_ARG)
28081         return -10047;
28082     ret = wc_ValidateEccsiPvt(NULL, NULL, &valid);
28083     if (ret != BAD_FUNC_ARG)
28084         return -10048;
28085     ret = wc_ValidateEccsiPvt(key, pvt, NULL);
28086     if (ret != BAD_FUNC_ARG)
28087         return -10049;
28088     ret = wc_ValidateEccsiPvt(key, NULL, &valid);
28089     if (ret != BAD_FUNC_ARG)
28090         return -10050;
28091     ret = wc_ValidateEccsiPvt(NULL, pvt, &valid);
28092     if (ret != BAD_FUNC_ARG)
28093         return -10051;
28094     ret = wc_EncodeEccsiPair(NULL, NULL, NULL, data, NULL);
28095     if (ret != BAD_FUNC_ARG)
28096         return -10052;
28097     ret = wc_EncodeEccsiPair(key, ssk, pvt, data, NULL);
28098     if (ret != BAD_FUNC_ARG)
28099         return -10053;
28100     ret = wc_EncodeEccsiPair(key, ssk, NULL, data, &sz);
28101     if (ret != BAD_FUNC_ARG)
28102         return -10054;
28103     ret = wc_EncodeEccsiPair(key, NULL, pvt, data, &sz);
28104     if (ret != BAD_FUNC_ARG)
28105         return -10055;
28106     ret = wc_EncodeEccsiPair(NULL, ssk, pvt, data, &sz);
28107     if (ret != BAD_FUNC_ARG)
28108         return -10056;
28109     /* No key created so no curve information. */
28110     ret = wc_EncodeEccsiPair(key, ssk, pvt, NULL, &sz);
28111     if (ret != LENGTH_ONLY_E)
28112         return -10057;
28113 
28114     ret = wc_EncodeEccsiSsk(NULL, NULL, data, NULL);
28115     if (ret != BAD_FUNC_ARG)
28116         return -10058;
28117     ret = wc_EncodeEccsiSsk(key, ssk, data, NULL);
28118     if (ret != BAD_FUNC_ARG)
28119         return -10059;
28120     ret = wc_EncodeEccsiSsk(key, NULL, data, &sz);
28121     if (ret != BAD_FUNC_ARG)
28122         return -10060;
28123     ret = wc_EncodeEccsiSsk(NULL, ssk, data, &sz);
28124     if (ret != BAD_FUNC_ARG)
28125         return -10061;
28126 
28127     ret = wc_EncodeEccsiPvt(NULL, NULL, data, NULL, 1);
28128     if (ret != BAD_FUNC_ARG)
28129         return -10058;
28130     ret = wc_EncodeEccsiPvt(key, pvt, data, NULL, 1);
28131     if (ret != BAD_FUNC_ARG)
28132         return -10059;
28133     ret = wc_EncodeEccsiPvt(key, NULL, data, &sz, 1);
28134     if (ret != BAD_FUNC_ARG)
28135         return -10060;
28136     ret = wc_EncodeEccsiPvt(NULL, pvt, data, &sz, 1);
28137     if (ret != BAD_FUNC_ARG)
28138         return -10061;
28139 
28140     ret = wc_DecodeEccsiPair(NULL, NULL, 0, NULL, NULL);
28141     if (ret != BAD_FUNC_ARG)
28142         return -10062;
28143     ret = wc_DecodeEccsiPair(key, data, 0, ssk, NULL);
28144     if (ret != BAD_FUNC_ARG)
28145         return -10063;
28146     ret = wc_DecodeEccsiPair(key, data, 0, NULL, pvt);
28147     if (ret != BAD_FUNC_ARG)
28148         return -10064;
28149     ret = wc_DecodeEccsiPair(key, NULL, 0, ssk, pvt);
28150     if (ret != BAD_FUNC_ARG)
28151         return -10065;
28152     ret = wc_DecodeEccsiPair(NULL, data, 0, ssk, pvt);
28153     if (ret != BAD_FUNC_ARG)
28154         return -10066;
28155 
28156     ret = wc_DecodeEccsiSsk(NULL, NULL, 0, NULL);
28157     if (ret != BAD_FUNC_ARG)
28158         return -10067;
28159     ret = wc_DecodeEccsiSsk(key, data, 0, NULL);
28160     if (ret != BAD_FUNC_ARG)
28161         return -10068;
28162     ret = wc_DecodeEccsiSsk(key, NULL, 0, ssk);
28163     if (ret != BAD_FUNC_ARG)
28164         return -10069;
28165     ret = wc_DecodeEccsiSsk(NULL, data, 0, ssk);
28166     if (ret != BAD_FUNC_ARG)
28167         return -10070;
28168     ret = wc_DecodeEccsiPvt(NULL, NULL, 0, NULL);
28169     if (ret != BAD_FUNC_ARG)
28170         return -10067;
28171     ret = wc_DecodeEccsiPvt(key, data, 0, NULL);
28172     if (ret != BAD_FUNC_ARG)
28173         return -10068;
28174     ret = wc_DecodeEccsiPvt(key, NULL, 0, pvt);
28175     if (ret != BAD_FUNC_ARG)
28176         return -10069;
28177     ret = wc_DecodeEccsiPvt(NULL, data, 0, pvt);
28178     if (ret != BAD_FUNC_ARG)
28179         return -10070;
28180 
28181     ret = wc_DecodeEccsiPvtFromSig(NULL, NULL, 0, NULL);
28182     if (ret != BAD_FUNC_ARG)
28183         return -10067;
28184     ret = wc_DecodeEccsiPvtFromSig(key, data, 0, NULL);
28185     if (ret != BAD_FUNC_ARG)
28186         return -10068;
28187     ret = wc_DecodeEccsiPvtFromSig(key, NULL, 0, pvt);
28188     if (ret != BAD_FUNC_ARG)
28189         return -10069;
28190     ret = wc_DecodeEccsiPvtFromSig(NULL, data, 0, pvt);
28191     if (ret != BAD_FUNC_ARG)
28192         return -10070;
28193 
28194     ret = wc_ExportEccsiKey(NULL, data, NULL);
28195     if (ret != BAD_FUNC_ARG)
28196         return -10071;
28197     ret = wc_ExportEccsiKey(key, data, NULL);
28198     if (ret != BAD_FUNC_ARG)
28199         return -10072;
28200     ret = wc_ExportEccsiKey(NULL, data, &sz);
28201     if (ret != BAD_FUNC_ARG)
28202         return -10073;
28203     /* No key to export */
28204     ret = wc_ExportEccsiKey(key, NULL, &sz);
28205     if (ret != BAD_STATE_E)
28206         return -10074;
28207 
28208     ret = wc_ImportEccsiKey(NULL, NULL, 0);
28209     if (ret != BAD_FUNC_ARG)
28210         return -10075;
28211     ret = wc_ImportEccsiKey(key, NULL, 0);
28212     if (ret != BAD_FUNC_ARG)
28213         return -10076;
28214     ret = wc_ImportEccsiKey(NULL, data, 0);
28215     if (ret != BAD_FUNC_ARG)
28216         return -10077;
28217 
28218     ret = wc_ExportEccsiPrivateKey(NULL, data, NULL);
28219     if (ret != BAD_FUNC_ARG)
28220         return -10071;
28221     ret = wc_ExportEccsiPrivateKey(key, data, NULL);
28222     if (ret != BAD_FUNC_ARG)
28223         return -10072;
28224     ret = wc_ExportEccsiPrivateKey(NULL, data, &sz);
28225     if (ret != BAD_FUNC_ARG)
28226         return -10073;
28227     /* No key to export */
28228     ret = wc_ExportEccsiPrivateKey(key, NULL, &sz);
28229     if (ret != BAD_STATE_E)
28230         return -10074;
28231 
28232     ret = wc_ImportEccsiPrivateKey(NULL, NULL, 0);
28233     if (ret != BAD_FUNC_ARG)
28234         return -10075;
28235     ret = wc_ImportEccsiPrivateKey(key, NULL, 0);
28236     if (ret != BAD_FUNC_ARG)
28237         return -10076;
28238     ret = wc_ImportEccsiPrivateKey(NULL, data, 0);
28239     if (ret != BAD_FUNC_ARG)
28240         return -10077;
28241     ret = wc_ExportEccsiPublicKey(NULL, data, NULL, 1);
28242     if (ret != BAD_FUNC_ARG)
28243         return -10078;
28244     ret = wc_ExportEccsiPublicKey(key, data, NULL, 1);
28245     if (ret != BAD_FUNC_ARG)
28246         return -10079;
28247     ret = wc_ExportEccsiPublicKey(NULL, data, &sz, 1);
28248     if (ret != BAD_FUNC_ARG)
28249         return -10080;
28250     /* No key to export */
28251     ret = wc_ExportEccsiPublicKey(key, data, &sz, 1);
28252     if (ret != BAD_STATE_E)
28253         return -10081;
28254 
28255     ret = wc_ImportEccsiPublicKey(NULL, NULL, 0, 1);
28256     if (ret != BAD_FUNC_ARG)
28257         return -10082;
28258     ret = wc_ImportEccsiPublicKey(key, NULL, 0, 1);
28259     if (ret != BAD_FUNC_ARG)
28260         return -10083;
28261     ret = wc_ImportEccsiPublicKey(NULL, data, 0, 1);
28262     if (ret != BAD_FUNC_ARG)
28263         return -10084;
28264 
28265     ret = wc_HashEccsiId(NULL, WC_HASH_TYPE_SHA256, NULL, 1, NULL, NULL, NULL);
28266     if (ret != BAD_FUNC_ARG)
28267         return -10085;
28268     ret = wc_HashEccsiId(key, WC_HASH_TYPE_SHA256, id, 1, pvt, hash, NULL);
28269     if (ret != BAD_FUNC_ARG)
28270         return -10086;
28271     ret = wc_HashEccsiId(key, WC_HASH_TYPE_SHA256, id, 1, pvt, NULL, &hashSz);
28272     if (ret != BAD_FUNC_ARG)
28273         return -10087;
28274     ret = wc_HashEccsiId(key, WC_HASH_TYPE_SHA256, id, 1, NULL, hash, &hashSz);
28275     if (ret != BAD_FUNC_ARG)
28276         return -10088;
28277     ret = wc_HashEccsiId(key, WC_HASH_TYPE_SHA256, NULL, 1, pvt, hash,
28278             &hashSz);
28279     if (ret != BAD_FUNC_ARG)
28280         return -10089;
28281     ret = wc_HashEccsiId(NULL, WC_HASH_TYPE_SHA256, id, 1, pvt, hash, &hashSz);
28282     if (ret != BAD_FUNC_ARG)
28283         return -10090;
28284     ret = wc_HashEccsiId(key, WC_HASH_TYPE_SHA256, id, 1, pvt, hash, &hashSz);
28285     if (ret != BAD_STATE_E)
28286         return -10091;
28287 
28288     ret = wc_SetEccsiHash(NULL, NULL, 1);
28289     if (ret != BAD_FUNC_ARG)
28290         return -10090;
28291     ret = wc_SetEccsiHash(key, NULL, 1);
28292     if (ret != BAD_FUNC_ARG)
28293         return -10090;
28294     ret = wc_SetEccsiHash(NULL, hash, 1);
28295     if (ret != BAD_FUNC_ARG)
28296         return -10090;
28297 
28298     ret = wc_SetEccsiPair(NULL, NULL, NULL);
28299     if (ret != BAD_FUNC_ARG)
28300         return -10090;
28301     ret = wc_SetEccsiPair(key, NULL, NULL);
28302     if (ret != BAD_FUNC_ARG)
28303         return -10090;
28304     ret = wc_SetEccsiPair(NULL, ssk, NULL);
28305     if (ret != BAD_FUNC_ARG)
28306         return -10090;
28307     ret = wc_SetEccsiPair(NULL, NULL, pvt);
28308     if (ret != BAD_FUNC_ARG)
28309         return -10090;
28310     ret = wc_SetEccsiPair(key, ssk, NULL);
28311     if (ret != BAD_FUNC_ARG)
28312         return -10090;
28313     ret = wc_SetEccsiPair(key, NULL, pvt);
28314     if (ret != BAD_FUNC_ARG)
28315         return -10090;
28316     ret = wc_SetEccsiPair(NULL, ssk, pvt);
28317     if (ret != BAD_FUNC_ARG)
28318         return -10090;
28319     ret = wc_SignEccsiHash(NULL, NULL, WC_HASH_TYPE_SHA256, NULL, 0, sig, NULL);
28320     if (ret != BAD_FUNC_ARG)
28321         return -10092;
28322     ret = wc_SignEccsiHash(key, rng, WC_HASH_TYPE_SHA256, data, 0, sig, NULL);
28323     if (ret != BAD_FUNC_ARG)
28324         return -10093;
28325     ret = wc_SignEccsiHash(key, rng, WC_HASH_TYPE_SHA256, NULL, 0, sig,
28326             &sigSz);
28327     if (ret != BAD_FUNC_ARG)
28328         return -10096;
28329     ret = wc_SignEccsiHash(key, NULL, WC_HASH_TYPE_SHA256, data, 0, sig,
28330             &sigSz);
28331     if (ret != BAD_FUNC_ARG)
28332         return -10098;
28333     ret = wc_SignEccsiHash(NULL, rng, WC_HASH_TYPE_SHA256, data, 0, sig,
28334             &sigSz);
28335     if (ret != BAD_FUNC_ARG)
28336         return -10099;
28337     /* Key not set. */
28338     ret = wc_SignEccsiHash(key, rng, WC_HASH_TYPE_SHA256, data, 0, NULL,
28339             &sigSz);
28340     if (ret != BAD_STATE_E)
28341         return -10100;
28342 
28343     ret = wc_VerifyEccsiHash(NULL, WC_HASH_TYPE_SHA256, NULL, 0, NULL, 0, NULL);
28344     if (ret != BAD_FUNC_ARG)
28345         return -10101;
28346     ret = wc_VerifyEccsiHash(key, WC_HASH_TYPE_SHA256, NULL, 0, NULL, 0, NULL);
28347     if (ret != BAD_FUNC_ARG)
28348         return -10101;
28349     ret = wc_VerifyEccsiHash(NULL, WC_HASH_TYPE_SHA256, data, 0, NULL, 0, NULL);
28350     if (ret != BAD_FUNC_ARG)
28351         return -10101;
28352     ret = wc_VerifyEccsiHash(NULL, WC_HASH_TYPE_SHA256, NULL, 0, sig, 0, NULL);
28353     if (ret != BAD_FUNC_ARG)
28354         return -10101;
28355     ret = wc_VerifyEccsiHash(NULL, WC_HASH_TYPE_SHA256, NULL, 0, NULL, 0,
28356             &valid);
28357     if (ret != BAD_FUNC_ARG)
28358         return -10101;
28359     ret = wc_VerifyEccsiHash(key, WC_HASH_TYPE_SHA256, data, 0, sig, 0, NULL);
28360     if (ret != BAD_FUNC_ARG)
28361         return -10102;
28362     ret = wc_VerifyEccsiHash(key, WC_HASH_TYPE_SHA256, data, 0, NULL, 0,
28363             &valid);
28364     if (ret != BAD_FUNC_ARG)
28365         return -10103;
28366     ret = wc_VerifyEccsiHash(key, WC_HASH_TYPE_SHA256, NULL, 0, sig, 0,
28367             &valid);
28368     if (ret != BAD_FUNC_ARG)
28369         return -10104;
28370     ret = wc_VerifyEccsiHash(NULL, WC_HASH_TYPE_SHA256, data, 0, sig, 0,
28371             &valid);
28372     if (ret != BAD_FUNC_ARG)
28373         return -10106;
28374     ret = wc_VerifyEccsiHash(key, WC_HASH_TYPE_SHA256, data, 0, sig, 0,
28375             &valid);
28376     if (ret != BAD_STATE_E)
28377         return -10106;
28378 
28379     ret = wc_SetEccsiPair(key, ssk, pvt);
28380     if (ret != 0)
28381         return -10107;
28382     /* Identity hash not set. */
28383     ret = wc_SignEccsiHash(key, rng, WC_HASH_TYPE_SHA256, data, 0, NULL,
28384             &sigSz);
28385     if (ret != BAD_STATE_E)
28386         return -10108;
28387 
28388     wc_FreeEccsiKey(key);
28389 
28390     return 0;
28391 }
28392 
28393 /* RFC 6507: Appendix A */
28394 static int eccsi_kat_verify_test(EccsiKey* key, ecc_point* pvt)
28395 {
28396     int ret;
28397     int verified;
28398     const byte msg[] = { 0x6D, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x00 };
28399     word32 msgSz = sizeof(msg);
28400     byte hash[WC_SHA256_DIGEST_SIZE];
28401     byte hashSz = WC_SHA256_DIGEST_SIZE;
28402     static const byte id[] = {
28403         0x32, 0x30, 0x31, 0x31, 0x2D, 0x30, 0x32, 0x00,
28404         0x74, 0x65, 0x6C, 0x3A, 0x2B, 0x34, 0x34, 0x37,
28405         0x37, 0x30, 0x30, 0x39, 0x30, 0x30, 0x31, 0x32,
28406         0x33, 0x00
28407     };
28408     word32 idSz = sizeof(id);
28409     static const byte sig[] = {
28410         0x26, 0x9D, 0x4C, 0x8F, 0xDE, 0xB6, 0x6A, 0x74,
28411         0xE4, 0xEF, 0x8C, 0x0D, 0x5D, 0xCC, 0x59, 0x7D,
28412         0xDF, 0xE6, 0x02, 0x9C, 0x2A, 0xFF, 0xC4, 0x93,
28413         0x60, 0x08, 0xCD, 0x2C, 0xC1, 0x04, 0x5D, 0x81,
28414         0xE0, 0x9B, 0x52, 0x8D, 0x0E, 0xF8, 0xD6, 0xDF,
28415         0x1A, 0xA3, 0xEC, 0xBF, 0x80, 0x11, 0x0C, 0xFC,
28416         0xEC, 0x9F, 0xC6, 0x82, 0x52, 0xCE, 0xBB, 0x67,
28417         0x9F, 0x41, 0x34, 0x84, 0x69, 0x40, 0xCC, 0xFD,
28418         0x04,
28419         0x75, 0x8A, 0x14, 0x27, 0x79, 0xBE, 0x89, 0xE8,
28420         0x29, 0xE7, 0x19, 0x84, 0xCB, 0x40, 0xEF, 0x75,
28421         0x8C, 0xC4, 0xAD, 0x77, 0x5F, 0xC5, 0xB9, 0xA3,
28422         0xE1, 0xC8, 0xED, 0x52, 0xF6, 0xFA, 0x36, 0xD9,
28423         0xA7, 0x9D, 0x24, 0x76, 0x92, 0xF4, 0xED, 0xA3,
28424         0xA6, 0xBD, 0xAB, 0x77, 0xD6, 0xAA, 0x64, 0x74,
28425         0xA4, 0x64, 0xAE, 0x49, 0x34, 0x66, 0x3C, 0x52,
28426         0x65, 0xBA, 0x70, 0x18, 0xBA, 0x09, 0x1F, 0x79
28427     };
28428     word32 sigSz = sizeof(sig);
28429     static const byte pubData[] = {
28430         0x50, 0xD4, 0x67, 0x0B, 0xDE, 0x75, 0x24, 0x4F,
28431         0x28, 0xD2, 0x83, 0x8A, 0x0D, 0x25, 0x55, 0x8A,
28432         0x7A, 0x72, 0x68, 0x6D, 0x45, 0x22, 0xD4, 0xC8,
28433         0x27, 0x3F, 0xB6, 0x44, 0x2A, 0xEB, 0xFA, 0x93,
28434         0xDB, 0xDD, 0x37, 0x55, 0x1A, 0xFD, 0x26, 0x3B,
28435         0x5D, 0xFD, 0x61, 0x7F, 0x39, 0x60, 0xC6, 0x5A,
28436         0x8C, 0x29, 0x88, 0x50, 0xFF, 0x99, 0xF2, 0x03,
28437         0x66, 0xDC, 0xE7, 0xD4, 0x36, 0x72, 0x17, 0xF4
28438     };
28439     static const byte expHash[] = {
28440         0x49, 0x0f, 0x3f, 0xeb, 0xbc, 0x1c, 0x90, 0x2f,
28441         0x62, 0x89, 0x72, 0x3d, 0x7f, 0x8c, 0xbf, 0x79,
28442         0xdb, 0x88, 0x93, 0x08, 0x49, 0xd1, 0x9f, 0x38,
28443         0xf0, 0x29, 0x5b, 0x5c, 0x27, 0x6c, 0x14, 0xd1
28444     };
28445 
28446     ret = wc_ImportEccsiPublicKey(key, pubData, sizeof(pubData), 0);
28447     if (ret != 0)
28448         return -10108;
28449 
28450     ret = wc_DecodeEccsiPvtFromSig(key, sig, sigSz, pvt);
28451     if (ret != 0)
28452         return -10109;
28453 
28454     ret = wc_HashEccsiId(key, WC_HASH_TYPE_SHA256, id, idSz, pvt, hash,
28455             &hashSz);
28456     if (ret != 0)
28457         return -10112;
28458     if (hashSz != sizeof(expHash))
28459         return -10113;
28460     if (XMEMCMP(hash, expHash, hashSz) != 0)
28461         return -10114;
28462 
28463     ret = wc_SetEccsiHash(key, hash, hashSz);
28464     if (ret != 0)
28465         return -10112;
28466 
28467     ret = wc_VerifyEccsiHash(key, WC_HASH_TYPE_SHA256, msg, msgSz, sig, sigSz,
28468             &verified);
28469     if (ret != 0)
28470         return -10115;
28471     if (!verified)
28472         return -10116;
28473 
28474     return 0;
28475 }
28476 static int eccsi_enc_dec_pair_test(EccsiKey* priv, mp_int* ssk, ecc_point* pvt)
28477 {
28478     int ret;
28479     byte data[32 * 3];
28480     word32 sz;
28481     mp_int decSsk;
28482     ecc_point* decPvt = NULL;
28483 
28484     ret = mp_init(&decSsk);
28485     if (ret != 0)
28486         return -10117;
28487 
28488     decPvt = wc_ecc_new_point();
28489     if (decPvt == NULL)
28490         return -10118;
28491 
28492     ret = wc_EncodeEccsiPair(priv, ssk, pvt, NULL, &sz);
28493     if (ret != LENGTH_ONLY_E)
28494         return -10119;
28495     if (sz != 32 * 3)
28496         return -10120;
28497     ret = wc_EncodeEccsiPair(priv, ssk, pvt, data, &sz);
28498     if (ret != 0)
28499         return -10121;
28500     if (sz != 32* 3)
28501         return -10122;
28502     ret = wc_DecodeEccsiPair(priv, data, sz, &decSsk, decPvt);
28503     if (ret != 0)
28504         return -10123;
28505     if (mp_cmp(ssk, &decSsk) != MP_EQ)
28506         return -10124;
28507     if (wc_ecc_cmp_point(pvt, decPvt) != MP_EQ)
28508         return -10125;
28509 
28510     ret = wc_EncodeEccsiSsk(priv, ssk, NULL, &sz);
28511     if (ret != LENGTH_ONLY_E)
28512         return -10119;
28513     if (sz != 32)
28514         return -10120;
28515     ret = wc_EncodeEccsiSsk(priv, ssk, data, &sz);
28516     if (ret != 0)
28517         return -10121;
28518     if (sz != 32)
28519         return -10122;
28520     ret = wc_DecodeEccsiSsk(priv, data, sz, &decSsk);
28521     if (ret != 0)
28522         return -10123;
28523     if (mp_cmp(ssk, &decSsk) != MP_EQ)
28524         return -10124;
28525 
28526     ret = wc_EncodeEccsiPvt(priv, pvt, NULL, &sz, 1);
28527     if (ret != LENGTH_ONLY_E)
28528         return -10126;
28529     if (sz != 32 * 2)
28530         return -10127;
28531     ret = wc_EncodeEccsiPvt(priv, pvt, data, &sz, 1);
28532     if (ret != 0)
28533         return -10128;
28534     if (sz != 32 * 2)
28535         return -10129;
28536     ret = wc_DecodeEccsiPvt(priv, data, sz, decPvt);
28537     if (ret != 0)
28538         return -10130;
28539     if (wc_ecc_cmp_point(pvt, decPvt) != MP_EQ)
28540         return -10131;
28541     sz = sizeof(data);
28542     ret = wc_EncodeEccsiPvt(priv, pvt, data, &sz, 0);
28543     if (ret != 0)
28544         return -10128;
28545     if (sz != 32 * 2 + 1)
28546         return -10129;
28547     ret = wc_DecodeEccsiPvt(priv, data, sz, decPvt);
28548     if (ret != 0)
28549         return -10130;
28550     if (wc_ecc_cmp_point(pvt, decPvt) != MP_EQ)
28551         return -10131;
28552 
28553     wc_ecc_del_point(decPvt);
28554     mp_free(&decSsk);
28555 
28556     return 0;
28557 }
28558 
28559 static int eccsi_imp_exp_key_test(EccsiKey* priv)
28560 {
28561     int ret;
28562     byte data[32 * 3];
28563     byte out[32 * 3];
28564     word32 sz;
28565 
28566     ret = wc_ExportEccsiKey(priv, NULL, &sz);
28567     if (ret != LENGTH_ONLY_E)
28568         return -10132;
28569     if (sz != 32 * 3)
28570         return -10133;
28571     ret = wc_ExportEccsiKey(priv, data, &sz);
28572     if (ret != 0)
28573         return -10134;
28574     ret = wc_ImportEccsiKey(priv, data, sz);
28575     if (ret != 0)
28576         return -10135;
28577     ret = wc_ExportEccsiKey(priv, NULL, &sz);
28578     if (ret != LENGTH_ONLY_E)
28579         return -10132;
28580     if (sz != 32 * 3)
28581         return -10143;
28582     ret = wc_ExportEccsiKey(priv, out, &sz);
28583     if (ret != 0)
28584         return -10144;
28585     if (sz != 32 * 3)
28586         return -10145;
28587     if (XMEMCMP(data, out, sz) != 0)
28588         return -10146;
28589 
28590     ret = wc_ExportEccsiPrivateKey(priv, NULL, &sz);
28591     if (ret != LENGTH_ONLY_E)
28592         return -10156;
28593     if (sz != 32)
28594         return -10157;
28595     ret = wc_ExportEccsiPrivateKey(priv, data, &sz);
28596     if (ret != 0)
28597         return -10158;
28598     ret = wc_ImportEccsiPrivateKey(priv, data, sz);
28599     if (ret != 0)
28600         return -10159;
28601     ret = wc_ExportEccsiPrivateKey(priv, NULL, &sz);
28602     if (ret != LENGTH_ONLY_E)
28603         return -10152;
28604     if (sz != 32)
28605         return -10163;
28606     ret = wc_ExportEccsiPrivateKey(priv, out, &sz);
28607     if (ret != 0)
28608         return -10164;
28609     if (sz != 32)
28610         return -10165;
28611     if (XMEMCMP(data, out, sz) != 0)
28612         return -10166;
28613 
28614     return 0;
28615 }
28616 
28617 static int eccsi_imp_exp_pubkey_test(EccsiKey* key1, EccsiKey* key2)
28618 {
28619     int ret;
28620     byte data[32 * 2 + 1];
28621     byte pubData[32 * 2 + 1];
28622     word32 sz;
28623 
28624     ret = wc_ExportEccsiPublicKey(key1, NULL, &sz, 1);
28625     if (ret != LENGTH_ONLY_E)
28626         return -10136;
28627     if (sz != 32 * 2)
28628         return -10137;
28629 
28630     ret = wc_ExportEccsiPublicKey(key1, data, &sz, 1);
28631     if (ret != 0)
28632         return -10138;
28633 
28634     ret = wc_ImportEccsiPublicKey(key2, data, sz, 1);
28635     if (ret != 0)
28636         return -10139;
28637     sz = sizeof(pubData);
28638     ret = wc_ExportEccsiPublicKey(key2, pubData, &sz, 1);
28639     if (ret != 0)
28640         return -10140;
28641     if (sz != 32 * 2)
28642         return -10141;
28643     if (XMEMCMP(data, pubData, sz) != 0)
28644         return -10142;
28645 
28646     sz = sizeof(pubData);
28647     ret = wc_ExportEccsiPublicKey(key2, pubData, &sz, 0);
28648     if (ret != 0)
28649         return -10140;
28650     if (sz != 32 * 2 + 1)
28651         return -10141;
28652     if (pubData[0] != 0x04)
28653         return -10140;
28654     if (XMEMCMP(pubData + 1, data, sz - 1) != 0)
28655         return -10142;
28656     ret = wc_ImportEccsiPublicKey(key2, pubData, sz, 0);
28657     if (ret != 0)
28658         return -10139;
28659 
28660     return 0;
28661 }
28662 
28663 static int eccsi_make_key_test(EccsiKey* priv, EccsiKey* pub, WC_RNG* rng,
28664                                mp_int* ssk, ecc_point* pvt)
28665 {
28666     int ret;
28667     char mail[] = "test@wolfssl.com";
28668     byte* id = (byte*)mail;
28669     word32 idSz = (word32) XSTRLEN(mail);
28670     int valid;
28671 
28672     ret = wc_MakeEccsiKey(priv, rng);
28673     if (ret != 0)
28674         return -10143;
28675 
28676     ret = eccsi_imp_exp_key_test(priv);
28677     if (ret < 0)
28678         return ret;
28679 
28680     ret = eccsi_imp_exp_pubkey_test(priv, pub);
28681     if (ret < 0)
28682         return ret;
28683 
28684     ret = wc_MakeEccsiPair(priv, rng, WC_HASH_TYPE_SHA256, id, idSz, ssk, pvt);
28685     if (ret != 0)
28686         return -10144;
28687 
28688     ret = wc_ValidateEccsiPair(pub, WC_HASH_TYPE_SHA256, id, idSz, ssk, pvt,
28689             &valid);
28690     if (ret != 0)
28691         return -10145;
28692     if (!valid)
28693         return -10146;
28694 
28695     ret = eccsi_enc_dec_pair_test(priv, ssk, pvt);
28696     if (ret != 0)
28697         return ret;
28698 
28699     return 0;
28700 }
28701 
28702 static int eccsi_sign_verify_test(EccsiKey* priv, EccsiKey* pub, WC_RNG* rng,
28703                                   mp_int* ssk, ecc_point* pvt)
28704 {
28705     int ret;
28706     byte hashPriv[WC_MAX_DIGEST_SIZE];
28707     byte hashPub[WC_MAX_DIGEST_SIZE];
28708     byte hashSz;
28709     byte sig[144];
28710     word32 sigSz;
28711     int verified, valid;
28712     char mail[] = "test@wolfssl.com";
28713     byte* id = (byte*)mail;
28714     word32 idSz = (word32) XSTRLEN(mail);
28715     byte msg[] = { 0x00 };
28716     word32 msgSz = sizeof(msg);
28717 
28718     ret = wc_HashEccsiId(priv, WC_HASH_TYPE_SHA256, id, idSz, pvt, hashPriv,
28719             &hashSz);
28720     if (ret != 0)
28721         return -10147;
28722     if (hashSz != 32)
28723         return -10148;
28724     ret = wc_HashEccsiId(priv, WC_HASH_TYPE_SHA256, id, idSz, pvt, hashPub,
28725             &hashSz);
28726     if (ret != 0)
28727         return -10149;
28728     if (hashSz != 32)
28729         return -10150;
28730 
28731     if (XMEMCMP(hashPriv, hashPub, hashSz) != 0)
28732         return -10151;
28733 
28734     ret = wc_SetEccsiHash(priv, hashPriv, hashSz);
28735     if (ret != 0)
28736         return -10149;
28737     ret = wc_SetEccsiPair(priv, ssk, pvt);
28738     if (ret != 0)
28739         return -10149;
28740 
28741     ret = wc_SignEccsiHash(priv, rng, WC_HASH_TYPE_SHA256, msg, msgSz, NULL,
28742             &sigSz);
28743     if (ret != LENGTH_ONLY_E)
28744         return -10152;
28745     if (sigSz != 129)
28746         return -10153;
28747     ret = wc_SignEccsiHash(priv, rng, WC_HASH_TYPE_SHA256, msg, msgSz, sig,
28748             &sigSz);
28749     if (ret != 0)
28750         return -10154;
28751 
28752     ret = wc_SetEccsiHash(pub, hashPub, hashSz);
28753     if (ret != 0)
28754         return -10149;
28755 
28756     ret = wc_VerifyEccsiHash(pub, WC_HASH_TYPE_SHA256, msg, msgSz, sig, sigSz,
28757              &verified);
28758     if (ret != 0)
28759         return -10155;
28760     if (!verified)
28761         return -10156;
28762 
28763     /* Check that changing HS results in verification failure. */
28764     hashPub[0] ^= 0x80;
28765     ret = wc_SetEccsiHash(pub, hashPub, hashSz);
28766     if (ret != 0)
28767         return -10149;
28768     ret = wc_VerifyEccsiHash(pub, WC_HASH_TYPE_SHA256, msg, msgSz, sig, sigSz,
28769             &verified);
28770     if (ret != 0)
28771         return -10157;
28772     if (verified)
28773         return -10158;
28774     hashPub[0] ^= 0x80;
28775     ret = wc_SetEccsiHash(pub, hashPub, hashSz);
28776     if (ret != 0)
28777         return -10149;
28778 
28779     /* Check that changing msg results in verification failure. */
28780     msg[0] ^= 0x80;
28781     ret = wc_VerifyEccsiHash(pub, WC_HASH_TYPE_SHA256, msg, msgSz, sig, sigSz,
28782            &verified);
28783     if (ret != 0)
28784         return -10159;
28785     if (verified)
28786         return -10160;
28787     msg[0] ^= 0x80;
28788     /* Check that changing signature results in verification failure. */
28789     sig[0] ^= 0x80;
28790     ret = wc_VerifyEccsiHash(pub, WC_HASH_TYPE_SHA256, msg, msgSz, sig, sigSz,
28791             &verified);
28792     if (ret != 0)
28793         return -10161;
28794     if (verified)
28795         return -10162;
28796     sig[0] ^= 0x80;
28797 
28798     /* Check that key state hasn't been invalidated. */
28799     ret = wc_VerifyEccsiHash(pub, WC_HASH_TYPE_SHA256, msg, msgSz, sig, sigSz,
28800             &verified);
28801     if (ret != 0)
28802         return -10163;
28803     if (!verified)
28804         return -10164;
28805 
28806     /* Check that verifying with the private key works. */
28807     ret = wc_VerifyEccsiHash(priv, WC_HASH_TYPE_SHA256, msg, msgSz, sig, sigSz,
28808             &verified);
28809     if (ret != 0)
28810         return -10165;
28811     if (!verified)
28812         return -10166;
28813 
28814     /* Check that the KPAK is converted from montgomery form. */
28815     ret = eccsi_imp_exp_key_test(priv);
28816     if (ret != 0)
28817         return ret;
28818 
28819     /* Check that KPAK can converted to Montgomery form again. */
28820     ret = wc_VerifyEccsiHash(priv, WC_HASH_TYPE_SHA256, msg, msgSz, sig, sigSz,
28821             &verified);
28822     if (ret != 0)
28823         return -10167;
28824     if (!verified)
28825         return -10168;
28826 
28827     /* Check that the KPAK is converted from montgomery form. */
28828     ret = wc_ValidateEccsiPair(pub, WC_HASH_TYPE_SHA256, id, idSz, ssk, pvt,
28829             &valid);
28830     if (ret != 0)
28831         return -10169;
28832     if (!valid)
28833         return -10170;
28834 
28835     /* Check that KPAK can converted to Montgomery form again. */
28836     ret = wc_VerifyEccsiHash(priv, WC_HASH_TYPE_SHA256, msg, msgSz, sig, sigSz,
28837             &verified);
28838     if (ret != 0)
28839         return -10171;
28840     if (!verified)
28841         return -10172;
28842 
28843     /* Check that the KPAK is converted from montgomery form. */
28844     ret = eccsi_imp_exp_pubkey_test(priv, pub);
28845     if (ret != 0)
28846         return ret;
28847 
28848     return 0;
28849 }
28850 
28851 int eccsi_test(void)
28852 {
28853     int ret = 0;
28854     WC_RNG rng;
28855     EccsiKey* priv = NULL;
28856     EccsiKey* pub  = NULL;
28857     mp_int* ssk    = NULL;
28858     ecc_point* pvt = NULL;
28859 
28860     priv = (EccsiKey*)XMALLOC(sizeof(EccsiKey), HEAP_HINT,
28861             DYNAMIC_TYPE_TMP_BUFFER);
28862     if (priv == NULL) {
28863         ret = -10205;
28864     }
28865 
28866     if (ret == 0) {
28867         pub = (EccsiKey*)XMALLOC(sizeof(EccsiKey), HEAP_HINT,
28868             DYNAMIC_TYPE_TMP_BUFFER);
28869         if (pub == NULL) {
28870         ret = -10206;
28871         }
28872     }
28873 
28874     if (ret == 0) {
28875         ssk = (mp_int*)XMALLOC(sizeof(mp_int), HEAP_HINT,
28876                 DYNAMIC_TYPE_TMP_BUFFER);
28877         if (ssk == NULL) {
28878             ret = -10207;
28879         }
28880     }
28881 
28882     if (ret == 0) {
28883     #ifndef HAVE_FIPS
28884         ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
28885     #else
28886         ret = wc_InitRng(&rng);
28887     #endif
28888         if (ret != 0)
28889             ret = -10200;
28890     }
28891 
28892     if (ret == 0) {
28893         pvt = wc_ecc_new_point();
28894         if (pvt == NULL)
28895             ret = -10201;
28896     }
28897 
28898     if (ret == 0) {
28899         ret = mp_init(ssk);
28900         if (ret != 0)
28901             ret = -10202;
28902     }
28903 
28904     if (ret == 0) {
28905         ret = eccsi_api_test(&rng, priv, ssk, pvt);
28906     }
28907 
28908     if (ret == 0) {
28909         ret = wc_InitEccsiKey(pub, HEAP_HINT, INVALID_DEVID);
28910         if (ret != 0)
28911             ret = -10203;
28912     }
28913 
28914     if (ret == 0) {
28915         ret = wc_InitEccsiKey(priv, HEAP_HINT, INVALID_DEVID);
28916         if (ret != 0)
28917             ret = -10204;
28918     }
28919 
28920     if (ret == 0) {
28921         ret = eccsi_kat_verify_test(pub, pvt);
28922     }
28923 
28924     if (ret == 0) {
28925         ret = eccsi_make_key_test(priv, pub, &rng, ssk, pvt);
28926     }
28927 
28928     if (ret == 0) {
28929         ret = eccsi_sign_verify_test(priv, pub, &rng, ssk, pvt);
28930     }
28931 
28932     wc_FreeEccsiKey(priv);
28933     wc_FreeEccsiKey(pub);
28934     mp_free(ssk);
28935     wc_ecc_del_point(pvt);
28936 
28937     if (ret != -10200)
28938         wc_FreeRng(&rng);
28939     if (ssk != NULL)
28940         XFREE(ssk, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
28941     if (pub != NULL)
28942         XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
28943     if (priv != NULL)
28944         XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
28945 
28946     return ret;
28947 }
28948 #endif /* WOLFCRYPT_HAVE_ECCSI */
28949 
28950 #ifdef WOLFCRYPT_HAVE_SAKKE
28951 static int sakke_api_test(WC_RNG* rng, SakkeKey* key, ecc_point* rsk)
28952 {
28953     int ret;
28954     byte id[1] = { 0x00 };
28955     int valid;
28956     byte data[256];
28957     word32 sz;
28958     byte auth[257];
28959     word16 authSz;
28960     byte ssv[256];
28961     word16 ssvSz;
28962     word32 len;
28963 
28964     ret = wc_InitSakkeKey_ex(NULL, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
28965     if (ret != BAD_FUNC_ARG)
28966         return -10205;
28967     ret = wc_InitSakkeKey_ex(NULL, 128, ECC_SAKKE_1, HEAP_HINT, INVALID_DEVID);
28968     if (ret != BAD_FUNC_ARG)
28969         return -10206;
28970 
28971     wc_FreeSakkeKey(NULL);
28972 
28973     XMEMSET(key, 0, sizeof(*key));
28974     wc_FreeSakkeKey(key);
28975 
28976     ret = wc_InitSakkeKey_ex(key, 128, ECC_SAKKE_1, HEAP_HINT, INVALID_DEVID);
28977     if (ret != 0)
28978         return -10207;
28979 
28980     ret = wc_MakeSakkeKey(NULL, NULL);
28981     if (ret != BAD_FUNC_ARG)
28982         return -10208;
28983     ret = wc_MakeSakkeKey(key, NULL);
28984     if (ret != BAD_FUNC_ARG)
28985         return -10209;
28986     ret = wc_MakeSakkeKey(NULL, rng);
28987     if (ret != BAD_FUNC_ARG)
28988         return -10210;
28989 
28990     ret = wc_MakeSakkePublicKey(NULL, NULL);
28991     if (ret != BAD_FUNC_ARG)
28992         return -10211;
28993     ret = wc_MakeSakkePublicKey(key, NULL);
28994     if (ret != BAD_FUNC_ARG)
28995         return -10212;
28996     ret = wc_MakeSakkePublicKey(NULL, rsk);
28997     if (ret != BAD_FUNC_ARG)
28998         return -10213;
28999 
29000     ret = wc_MakeSakkeRsk(NULL, NULL, 1, NULL);
29001     if (ret != BAD_FUNC_ARG)
29002         return -10214;
29003     ret = wc_MakeSakkeRsk(key, id, 1, NULL);
29004     if (ret != BAD_FUNC_ARG)
29005         return -10215;
29006     ret = wc_MakeSakkeRsk(key, NULL, 1, rsk);
29007     if (ret != BAD_FUNC_ARG)
29008         return -10216;
29009     ret = wc_MakeSakkeRsk(NULL, id, 1, rsk);
29010     if (ret != BAD_FUNC_ARG)
29011         return -10217;
29012 
29013     ret = wc_ValidateSakkeRsk(NULL, NULL, 1, NULL, NULL);
29014     if (ret != BAD_FUNC_ARG)
29015         return -10218;
29016     ret = wc_ValidateSakkeRsk(key, id, 1, rsk, NULL);
29017     if (ret != BAD_FUNC_ARG)
29018         return -10219;
29019     ret = wc_ValidateSakkeRsk(NULL, id, 1, rsk, &valid);
29020     if (ret != BAD_FUNC_ARG)
29021         return -10220;
29022 
29023     ret = wc_ExportSakkeKey(NULL, NULL, NULL);
29024     if (ret != BAD_FUNC_ARG)
29025         return -10221;
29026     ret = wc_ExportSakkeKey(key, data, NULL);
29027     if (ret != BAD_FUNC_ARG)
29028         return -10222;
29029     ret = wc_ExportSakkeKey(NULL, data, &sz);
29030     if (ret != BAD_FUNC_ARG)
29031         return -10223;
29032 
29033     ret = wc_ImportSakkeKey(NULL, NULL, 1);
29034     if (ret != BAD_FUNC_ARG)
29035         return -10224;
29036     ret = wc_ImportSakkeKey(key, NULL, 1);
29037     if (ret != BAD_FUNC_ARG)
29038         return -10225;
29039     ret = wc_ImportSakkeKey(NULL, data, 1);
29040     if (ret != BAD_FUNC_ARG)
29041         return -10226;
29042 
29043     ret = wc_ExportSakkePrivateKey(NULL, NULL, NULL);
29044     if (ret != BAD_FUNC_ARG)
29045         return -10227;
29046     ret = wc_ExportSakkePrivateKey(key, data, NULL);
29047     if (ret != BAD_FUNC_ARG)
29048         return -10228;
29049     ret = wc_ExportSakkePrivateKey(NULL, data, &sz);
29050     if (ret != BAD_FUNC_ARG)
29051         return -10229;
29052 
29053     ret = wc_ImportSakkePrivateKey(NULL, NULL, 1);
29054     if (ret != BAD_FUNC_ARG)
29055         return -10230;
29056     ret = wc_ImportSakkePrivateKey(key, NULL, 1);
29057     if (ret != BAD_FUNC_ARG)
29058         return -10231;
29059     ret = wc_ImportSakkePrivateKey(NULL, data, 1);
29060     if (ret != BAD_FUNC_ARG)
29061         return -10232;
29062 
29063     sz = sizeof(data);
29064     ret = wc_EncodeSakkeRsk(NULL, NULL, data, NULL, 1);
29065     if (ret != BAD_FUNC_ARG)
29066         return -10233;
29067     ret = wc_EncodeSakkeRsk(key, rsk, data, NULL, 1);
29068     if (ret != BAD_FUNC_ARG)
29069         return -10234;
29070     ret = wc_EncodeSakkeRsk(key, NULL, data, &sz, 1);
29071     if (ret != BAD_FUNC_ARG)
29072         return -10235;
29073     ret = wc_EncodeSakkeRsk(NULL, rsk, data, &sz, 1);
29074     if (ret != BAD_FUNC_ARG)
29075         return -10236;
29076 
29077     ret = wc_DecodeSakkeRsk(NULL, NULL, sz, NULL);
29078     if (ret != BAD_FUNC_ARG)
29079         return -10237;
29080     ret = wc_DecodeSakkeRsk(key, data, sz, NULL);
29081     if (ret != BAD_FUNC_ARG)
29082         return -10238;
29083     ret = wc_DecodeSakkeRsk(key, NULL, sz, rsk);
29084     if (ret != BAD_FUNC_ARG)
29085         return -10239;
29086     ret = wc_DecodeSakkeRsk(NULL, data, sz, rsk);
29087     if (ret != BAD_FUNC_ARG)
29088         return -10240;
29089 
29090     ret = wc_ImportSakkeRsk(NULL, NULL, sz);
29091     if (ret != BAD_FUNC_ARG)
29092         return -10237;
29093     ret = wc_ImportSakkeRsk(key, NULL, sz);
29094     if (ret != BAD_FUNC_ARG)
29095         return -10237;
29096     ret = wc_ImportSakkeRsk(NULL, data, sz);
29097     if (ret != BAD_FUNC_ARG)
29098         return -10237;
29099     ret = wc_ImportSakkeRsk(key, data, 1);
29100     if (ret != BUFFER_E)
29101         return -10237;
29102 
29103     ret = wc_GenerateSakkeRskTable(NULL, NULL, data, NULL);
29104     if (ret != BAD_FUNC_ARG)
29105         return -10241;
29106     ret = wc_GenerateSakkeRskTable(key, NULL, data, NULL);
29107     if (ret != BAD_FUNC_ARG)
29108         return -10242;
29109     ret = wc_GenerateSakkeRskTable(NULL, rsk, data, NULL);
29110     if (ret != BAD_FUNC_ARG)
29111         return -10243;
29112     ret = wc_GenerateSakkeRskTable(NULL, NULL, data, &len);
29113     if (ret != BAD_FUNC_ARG)
29114         return -10244;
29115     ret = wc_GenerateSakkeRskTable(key, rsk, data, NULL);
29116     if (ret != BAD_FUNC_ARG)
29117         return -10245;
29118     ret = wc_GenerateSakkeRskTable(key, NULL, data, &len);
29119     if (ret != BAD_FUNC_ARG)
29120         return -10246;
29121     ret = wc_GenerateSakkeRskTable(NULL, rsk, data, &len);
29122     if (ret != BAD_FUNC_ARG)
29123         return -10247;
29124     ret = wc_GenerateSakkeRskTable(key, rsk, NULL, &len);
29125     if (ret != LENGTH_ONLY_E)
29126         return -10248;
29127     len--;
29128     ret = wc_GenerateSakkeRskTable(key, rsk, data, &len);
29129     if (ret != BUFFER_E)
29130         return -10249;
29131 
29132     ret = wc_ExportSakkePublicKey(NULL, data, NULL, 1);
29133     if (ret != BAD_FUNC_ARG)
29134         return -10250;
29135     ret = wc_ExportSakkePublicKey(key, data, NULL, 1);
29136     if (ret != BAD_FUNC_ARG)
29137         return -10251;
29138     ret = wc_ExportSakkePublicKey(NULL, data, &sz, 1);
29139     if (ret != BAD_FUNC_ARG)
29140         return -10252;
29141 
29142     ret = wc_ImportSakkePublicKey(NULL, NULL, sz, 1);
29143     if (ret != BAD_FUNC_ARG)
29144         return -10253;
29145     ret = wc_ImportSakkePublicKey(key, NULL, sz, 1);
29146     if (ret != BAD_FUNC_ARG)
29147         return -10254;
29148     ret = wc_ImportSakkePublicKey(NULL, data, sz, 1);
29149     if (ret != BAD_FUNC_ARG)
29150         return -10255;
29151 
29152     ret = wc_GetSakkeAuthSize(NULL, NULL);
29153     if (ret != BAD_FUNC_ARG)
29154         return -10256;
29155     ret = wc_GetSakkeAuthSize(key, NULL);
29156     if (ret != BAD_FUNC_ARG)
29157         return -10257;
29158     ret = wc_GetSakkeAuthSize(NULL, &authSz);
29159     if (ret != BAD_FUNC_ARG)
29160         return -10258;
29161 
29162     ret = wc_MakeSakkePointI(NULL, NULL, SAKKE_ID_MAX_SIZE + 1);
29163     if (ret != BAD_FUNC_ARG)
29164         return -10259;
29165     ret = wc_MakeSakkePointI(key, NULL, SAKKE_ID_MAX_SIZE + 1);
29166     if (ret != BAD_FUNC_ARG)
29167         return -10260;
29168     ret = wc_MakeSakkePointI(NULL, id, 1);
29169     if (ret != BAD_FUNC_ARG)
29170         return -10261;
29171     ret = wc_MakeSakkePointI(NULL, NULL, 1);
29172     if (ret != BAD_FUNC_ARG)
29173         return -10262;
29174     ret = wc_MakeSakkePointI(key, id, SAKKE_ID_MAX_SIZE + 1);
29175     if (ret != BAD_FUNC_ARG)
29176         return -10263;
29177     ret = wc_MakeSakkePointI(key, NULL, 1);
29178     if (ret != BAD_FUNC_ARG)
29179         return -10264;
29180     ret = wc_MakeSakkePointI(NULL, id, 1);
29181     if (ret != BAD_FUNC_ARG)
29182         return -10265;
29183 
29184     ret = wc_GenerateSakkePointITable(NULL, data, NULL);
29185     if (ret != BAD_FUNC_ARG)
29186         return -10266;
29187     ret = wc_GenerateSakkePointITable(key, data, NULL);
29188     if (ret != BAD_FUNC_ARG)
29189         return -10267;
29190     ret = wc_GenerateSakkePointITable(NULL, data, &len);
29191     if (ret != BAD_FUNC_ARG)
29192         return -10268;
29193     ret = wc_GenerateSakkePointITable(key, NULL, &len);
29194     if (ret != LENGTH_ONLY_E)
29195         return -10269;
29196     len--;
29197     ret = wc_GenerateSakkePointITable(key, data, &len);
29198     if (ret != BUFFER_E)
29199         return -10270;
29200 
29201     ret = wc_SetSakkePointITable(NULL, NULL, 1);
29202     if (ret != BAD_FUNC_ARG)
29203         return -10271;
29204     ret = wc_SetSakkePointITable(key, NULL, 1);
29205     if (ret != BAD_FUNC_ARG)
29206         return -10272;
29207     ret = wc_SetSakkePointITable(NULL, data, 1);
29208     if (ret != BAD_FUNC_ARG)
29209         return -10273;
29210     ret = wc_SetSakkePointITable(key, data, 1);
29211     if (ret != BUFFER_E)
29212         return -10274;
29213 
29214     ret = wc_ClearSakkePointITable(NULL);
29215     if (ret != BAD_FUNC_ARG)
29216         return -10275;
29217 
29218     ret = wc_GetSakkePointI(NULL, data, NULL);
29219     if (ret != BAD_FUNC_ARG)
29220         return -10276;
29221     ret = wc_GetSakkePointI(key, data, NULL);
29222     if (ret != BAD_FUNC_ARG)
29223         return -10277;
29224     ret = wc_GetSakkePointI(NULL, data, &sz);
29225     if (ret != BAD_FUNC_ARG)
29226         return -10278;
29227     sz = 1;
29228     ret = wc_GetSakkePointI(key, data, &sz);
29229     if (ret != BUFFER_E)
29230         return -10279;
29231 
29232     sz = 256;
29233     ret = wc_SetSakkePointI(NULL, NULL, 1, NULL, sz);
29234     if (ret != BAD_FUNC_ARG)
29235         return -10280;
29236     ret = wc_SetSakkePointI(key, NULL, 1, NULL, sz);
29237     if (ret != BAD_FUNC_ARG)
29238         return -10281;
29239     ret = wc_SetSakkePointI(NULL, id, 1, NULL, sz);
29240     if (ret != BAD_FUNC_ARG)
29241         return -10282;
29242     ret = wc_SetSakkePointI(NULL, NULL, 1, data, sz);
29243     if (ret != BAD_FUNC_ARG)
29244         return -10283;
29245     ret = wc_SetSakkePointI(key, id, 1, NULL, sz);
29246     if (ret != BAD_FUNC_ARG)
29247         return -10284;
29248     ret = wc_SetSakkePointI(key, NULL, 1, data, sz);
29249     if (ret != BAD_FUNC_ARG)
29250         return -10285;
29251     ret = wc_SetSakkePointI(NULL, id, 1, data, sz);
29252     if (ret != BAD_FUNC_ARG)
29253         return -10286;
29254     ret = wc_SetSakkePointI(key, id, SAKKE_ID_MAX_SIZE + 1, data, sz);
29255     if (ret != BUFFER_E)
29256         return -10287;
29257     ret = wc_SetSakkePointI(key, id, 1, data, sz - 1);
29258     if (ret != BUFFER_E)
29259         return -10288;
29260 
29261     ret = wc_SetSakkeIdentity(NULL, NULL, 1);
29262     if (ret != BAD_FUNC_ARG)
29263         return -10286;
29264     ret = wc_SetSakkeIdentity(key, NULL, 1);
29265     if (ret != BAD_FUNC_ARG)
29266         return -10286;
29267     ret = wc_SetSakkeIdentity(NULL, id, 1);
29268     if (ret != BAD_FUNC_ARG)
29269         return -10286;
29270 
29271     ssvSz = sizeof(ssv);
29272     ret = wc_MakeSakkeEncapsulatedSSV(NULL, WC_HASH_TYPE_SHA256, NULL, ssvSz,
29273             auth, NULL);
29274     if (ret != BAD_FUNC_ARG)
29275         return -10289;
29276     ret = wc_MakeSakkeEncapsulatedSSV(key, WC_HASH_TYPE_SHA256, NULL, ssvSz,
29277             auth, NULL);
29278     if (ret != BAD_FUNC_ARG)
29279         return -10290;
29280     ret = wc_MakeSakkeEncapsulatedSSV(NULL, WC_HASH_TYPE_SHA256, ssv, ssvSz,
29281             auth, NULL);
29282     if (ret != BAD_FUNC_ARG)
29283         return -10291;
29284     ret = wc_MakeSakkeEncapsulatedSSV(NULL, WC_HASH_TYPE_SHA256, NULL, ssvSz,
29285             auth, &authSz);
29286     if (ret != BAD_FUNC_ARG)
29287         return -10292;
29288     ret = wc_MakeSakkeEncapsulatedSSV(key, WC_HASH_TYPE_SHA256, ssv, ssvSz,
29289             auth, NULL);
29290     if (ret != BAD_FUNC_ARG)
29291         return -10293;
29292     ret = wc_MakeSakkeEncapsulatedSSV(key, WC_HASH_TYPE_SHA256, NULL, ssvSz,
29293             auth, &authSz);
29294     if (ret != BAD_FUNC_ARG)
29295         return -10294;
29296     ret = wc_MakeSakkeEncapsulatedSSV(NULL, WC_HASH_TYPE_SHA256, ssv, ssvSz,
29297             auth, &authSz);
29298     if (ret != BAD_FUNC_ARG)
29299         return -10295;
29300     ret = wc_MakeSakkeEncapsulatedSSV(key, WC_HASH_TYPE_SHA256, ssv, ssvSz,
29301             auth, &authSz);
29302     if (ret != BAD_STATE_E)
29303         return -10295;
29304 
29305     ret = wc_GenerateSakkeSSV(NULL, NULL, data, NULL);
29306     if (ret != BAD_FUNC_ARG)
29307         return -10296;
29308     ret = wc_GenerateSakkeSSV(key, rng, data, NULL);
29309     if (ret != BAD_FUNC_ARG)
29310         return -10297;
29311     ret = wc_GenerateSakkeSSV(key, NULL, data, &ssvSz);
29312     if (ret != BAD_FUNC_ARG)
29313         return -10298;
29314     ret = wc_GenerateSakkeSSV(NULL, rng, data, &ssvSz);
29315     if (ret != BAD_FUNC_ARG)
29316         return -10299;
29317 
29318     ret = wc_SetSakkeRsk(NULL, NULL, data, 1);
29319     if (ret != BAD_FUNC_ARG)
29320         return -10286;
29321     ret = wc_SetSakkeRsk(key, NULL, data, 1);
29322     if (ret != BAD_FUNC_ARG)
29323         return -10286;
29324     ret = wc_SetSakkeRsk(NULL, rsk, data, 1);
29325     if (ret != BAD_FUNC_ARG)
29326         return -10286;
29327 
29328     ssvSz = sizeof(ssv);
29329     authSz = sizeof(auth);
29330     ret = wc_DeriveSakkeSSV(NULL, WC_HASH_TYPE_SHA256, NULL, ssvSz, NULL,
29331             authSz);
29332     if (ret != BAD_FUNC_ARG)
29333         return -10300;
29334     ret = wc_DeriveSakkeSSV(key, WC_HASH_TYPE_SHA256, NULL, ssvSz, NULL,
29335             authSz);
29336     if (ret != BAD_FUNC_ARG)
29337         return -10300;
29338     ret = wc_DeriveSakkeSSV(NULL, WC_HASH_TYPE_SHA256, ssv, ssvSz, NULL,
29339             authSz);
29340     if (ret != BAD_FUNC_ARG)
29341         return -10300;
29342     ret = wc_DeriveSakkeSSV(NULL, WC_HASH_TYPE_SHA256, NULL, ssvSz, auth,
29343             authSz);
29344     if (ret != BAD_FUNC_ARG)
29345         return -10300;
29346     ret = wc_DeriveSakkeSSV(key, WC_HASH_TYPE_SHA256, ssv, ssvSz, NULL,
29347             authSz);
29348     if (ret != BAD_FUNC_ARG)
29349         return -10300;
29350     ret = wc_DeriveSakkeSSV(key, WC_HASH_TYPE_SHA256, NULL, ssvSz, auth,
29351             authSz);
29352     if (ret != BAD_FUNC_ARG)
29353         return -10300;
29354     ret = wc_DeriveSakkeSSV(NULL, WC_HASH_TYPE_SHA256, ssv, ssvSz, auth,
29355             authSz);
29356     if (ret != BAD_FUNC_ARG)
29357         return -10300;
29358     ret = wc_DeriveSakkeSSV(key, WC_HASH_TYPE_SHA256, ssv, ssvSz, auth,
29359             authSz);
29360     if (ret != BAD_STATE_E)
29361         return -10300;
29362 
29363     ret = wc_SetSakkeIdentity(key, id, 1);
29364     if (ret != 0)
29365         return -10286;
29366     ret = wc_DeriveSakkeSSV(key, WC_HASH_TYPE_SHA256, ssv, ssvSz, auth,
29367             authSz);
29368     if (ret != BAD_STATE_E)
29369         return -10300;
29370     ret = wc_SetSakkeIdentity(key, id, 0);
29371     if (ret != 0)
29372         return -10286;
29373 
29374     ret = wc_SetSakkeRsk(key, rsk, data, 1);
29375     if (ret != 0)
29376         return -10286;
29377     ret = wc_DeriveSakkeSSV(key, WC_HASH_TYPE_SHA256, ssv, ssvSz, auth,
29378             authSz);
29379     if (ret != BAD_STATE_E)
29380         return -10300;
29381 
29382     wc_FreeSakkeKey(key);
29383 
29384     return 0;
29385 }
29386 
29387 static int sakke_kat_derive_test(SakkeKey* key, ecc_point* rsk)
29388 {
29389     static const byte pubData[] = {
29390         0x59, 0x58, 0xEF, 0x1B, 0x16, 0x79, 0xBF, 0x09,
29391         0x9B, 0x3A, 0x03, 0x0D, 0xF2, 0x55, 0xAA, 0x6A,
29392         0x23, 0xC1, 0xD8, 0xF1, 0x43, 0xD4, 0xD2, 0x3F,
29393         0x75, 0x3E, 0x69, 0xBD, 0x27, 0xA8, 0x32, 0xF3,
29394         0x8C, 0xB4, 0xAD, 0x53, 0xDD, 0xEF, 0x42, 0x60,
29395         0xB0, 0xFE, 0x8B, 0xB4, 0x5C, 0x4C, 0x1F, 0xF5,
29396         0x10, 0xEF, 0xFE, 0x30, 0x03, 0x67, 0xA3, 0x7B,
29397         0x61, 0xF7, 0x01, 0xD9, 0x14, 0xAE, 0xF0, 0x97,
29398         0x24, 0x82, 0x5F, 0xA0, 0x70, 0x7D, 0x61, 0xA6,
29399         0xDF, 0xF4, 0xFB, 0xD7, 0x27, 0x35, 0x66, 0xCD,
29400         0xDE, 0x35, 0x2A, 0x0B, 0x04, 0xB7, 0xC1, 0x6A,
29401         0x78, 0x30, 0x9B, 0xE6, 0x40, 0x69, 0x7D, 0xE7,
29402         0x47, 0x61, 0x3A, 0x5F, 0xC1, 0x95, 0xE8, 0xB9,
29403         0xF3, 0x28, 0x85, 0x2A, 0x57, 0x9D, 0xB8, 0xF9,
29404         0x9B, 0x1D, 0x00, 0x34, 0x47, 0x9E, 0xA9, 0xC5,
29405         0x59, 0x5F, 0x47, 0xC4, 0xB2, 0xF5, 0x4F, 0xF2,
29406         0x15, 0x08, 0xD3, 0x75, 0x14, 0xDC, 0xF7, 0xA8,
29407         0xE1, 0x43, 0xA6, 0x05, 0x8C, 0x09, 0xA6, 0xBF,
29408         0x2C, 0x98, 0x58, 0xCA, 0x37, 0xC2, 0x58, 0x06,
29409         0x5A, 0xE6, 0xBF, 0x75, 0x32, 0xBC, 0x8B, 0x5B,
29410         0x63, 0x38, 0x38, 0x66, 0xE0, 0x75, 0x3C, 0x5A,
29411         0xC0, 0xE7, 0x27, 0x09, 0xF8, 0x44, 0x5F, 0x2E,
29412         0x61, 0x78, 0xE0, 0x65, 0x85, 0x7E, 0x0E, 0xDA,
29413         0x10, 0xF6, 0x82, 0x06, 0xB6, 0x35, 0x05, 0xED,
29414         0x87, 0xE5, 0x34, 0xFB, 0x28, 0x31, 0xFF, 0x95,
29415         0x7F, 0xB7, 0xDC, 0x61, 0x9D, 0xAE, 0x61, 0x30,
29416         0x1E, 0xEA, 0xCC, 0x2F, 0xDA, 0x36, 0x80, 0xEA,
29417         0x49, 0x99, 0x25, 0x8A, 0x83, 0x3C, 0xEA, 0x8F,
29418         0xC6, 0x7C, 0x6D, 0x19, 0x48, 0x7F, 0xB4, 0x49,
29419         0x05, 0x9F, 0x26, 0xCC, 0x8A, 0xAB, 0x65, 0x5A,
29420         0xB5, 0x8B, 0x7C, 0xC7, 0x96, 0xE2, 0x4E, 0x9A,
29421         0x39, 0x40, 0x95, 0x75, 0x4F, 0x5F, 0x8B, 0xAE
29422     };
29423     static const byte rskData[] = {
29424         0x93, 0xAF, 0x67, 0xE5, 0x00, 0x7B, 0xA6, 0xE6,
29425         0xA8, 0x0D, 0xA7, 0x93, 0xDA, 0x30, 0x0F, 0xA4,
29426         0xB5, 0x2D, 0x0A, 0x74, 0xE2, 0x5E, 0x6E, 0x7B,
29427         0x2B, 0x3D, 0x6E, 0xE9, 0xD1, 0x8A, 0x9B, 0x5C,
29428         0x50, 0x23, 0x59, 0x7B, 0xD8, 0x2D, 0x80, 0x62,
29429         0xD3, 0x40, 0x19, 0x56, 0x3B, 0xA1, 0xD2, 0x5C,
29430         0x0D, 0xC5, 0x6B, 0x7B, 0x97, 0x9D, 0x74, 0xAA,
29431         0x50, 0xF2, 0x9F, 0xBF, 0x11, 0xCC, 0x2C, 0x93,
29432         0xF5, 0xDF, 0xCA, 0x61, 0x5E, 0x60, 0x92, 0x79,
29433         0xF6, 0x17, 0x5C, 0xEA, 0xDB, 0x00, 0xB5, 0x8C,
29434         0x6B, 0xEE, 0x1E, 0x7A, 0x2A, 0x47, 0xC4, 0xF0,
29435         0xC4, 0x56, 0xF0, 0x52, 0x59, 0xA6, 0xFA, 0x94,
29436         0xA6, 0x34, 0xA4, 0x0D, 0xAE, 0x1D, 0xF5, 0x93,
29437         0xD4, 0xFE, 0xCF, 0x68, 0x8D, 0x5F, 0xC6, 0x78,
29438         0xBE, 0x7E, 0xFC, 0x6D, 0xF3, 0xD6, 0x83, 0x53,
29439         0x25, 0xB8, 0x3B, 0x2C, 0x6E, 0x69, 0x03, 0x6B,
29440         0x15, 0x5F, 0x0A, 0x27, 0x24, 0x10, 0x94, 0xB0,
29441         0x4B, 0xFB, 0x0B, 0xDF, 0xAC, 0x6C, 0x67, 0x0A,
29442         0x65, 0xC3, 0x25, 0xD3, 0x9A, 0x06, 0x9F, 0x03,
29443         0x65, 0x9D, 0x44, 0xCA, 0x27, 0xD3, 0xBE, 0x8D,
29444         0xF3, 0x11, 0x17, 0x2B, 0x55, 0x41, 0x60, 0x18,
29445         0x1C, 0xBE, 0x94, 0xA2, 0xA7, 0x83, 0x32, 0x0C,
29446         0xED, 0x59, 0x0B, 0xC4, 0x26, 0x44, 0x70, 0x2C,
29447         0xF3, 0x71, 0x27, 0x1E, 0x49, 0x6B, 0xF2, 0x0F,
29448         0x58, 0x8B, 0x78, 0xA1, 0xBC, 0x01, 0xEC, 0xBB,
29449         0x65, 0x59, 0x93, 0x4B, 0xDD, 0x2F, 0xB6, 0x5D,
29450         0x28, 0x84, 0x31, 0x8A, 0x33, 0xD1, 0xA4, 0x2A,
29451         0xDF, 0x5E, 0x33, 0xCC, 0x58, 0x00, 0x28, 0x0B,
29452         0x28, 0x35, 0x64, 0x97, 0xF8, 0x71, 0x35, 0xBA,
29453         0xB9, 0x61, 0x2A, 0x17, 0x26, 0x04, 0x24, 0x40,
29454         0x9A, 0xC1, 0x5F, 0xEE, 0x99, 0x6B, 0x74, 0x4C,
29455         0x33, 0x21, 0x51, 0x23, 0x5D, 0xEC, 0xB0, 0xF5
29456 
29457     };
29458     static const byte id[] = {
29459         0x32, 0x30, 0x31, 0x31, 0x2D, 0x30, 0x32, 0x00,
29460         0x74, 0x65, 0x6C, 0x3A, 0x2B, 0x34, 0x34, 0x37,
29461         0x37, 0x30, 0x30, 0x39, 0x30, 0x30, 0x31, 0x32,
29462         0x33, 0x00
29463     };
29464     static const byte ssv[] = {
29465         0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,
29466         0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0
29467     };
29468     static const byte auth[] = {
29469         0x04,
29470         0x44, 0xE8, 0xAD, 0x44, 0xAB, 0x85, 0x92, 0xA6,
29471         0xA5, 0xA3, 0xDD, 0xCA, 0x5C, 0xF8, 0x96, 0xC7,
29472         0x18, 0x04, 0x36, 0x06, 0xA0, 0x1D, 0x65, 0x0D,
29473         0xEF, 0x37, 0xA0, 0x1F, 0x37, 0xC2, 0x28, 0xC3,
29474         0x32, 0xFC, 0x31, 0x73, 0x54, 0xE2, 0xC2, 0x74,
29475         0xD4, 0xDA, 0xF8, 0xAD, 0x00, 0x10, 0x54, 0xC7,
29476         0x6C, 0xE5, 0x79, 0x71, 0xC6, 0xF4, 0x48, 0x6D,
29477         0x57, 0x23, 0x04, 0x32, 0x61, 0xC5, 0x06, 0xEB,
29478         0xF5, 0xBE, 0x43, 0x8F, 0x53, 0xDE, 0x04, 0xF0,
29479         0x67, 0xC7, 0x76, 0xE0, 0xDD, 0x3B, 0x71, 0xA6,
29480         0x29, 0x01, 0x33, 0x28, 0x37, 0x25, 0xA5, 0x32,
29481         0xF2, 0x1A, 0xF1, 0x45, 0x12, 0x6D, 0xC1, 0xD7,
29482         0x77, 0xEC, 0xC2, 0x7B, 0xE5, 0x08, 0x35, 0xBD,
29483         0x28, 0x09, 0x8B, 0x8A, 0x73, 0xD9, 0xF8, 0x01,
29484         0xD8, 0x93, 0x79, 0x3A, 0x41, 0xFF, 0x5C, 0x49,
29485         0xB8, 0x7E, 0x79, 0xF2, 0xBE, 0x4D, 0x56, 0xCE,
29486         0x55, 0x7E, 0x13, 0x4A, 0xD8, 0x5B, 0xB1, 0xD4,
29487         0xB9, 0xCE, 0x4F, 0x8B, 0xE4, 0xB0, 0x8A, 0x12,
29488         0xBA, 0xBF, 0x55, 0xB1, 0xD6, 0xF1, 0xD7, 0xA6,
29489         0x38, 0x01, 0x9E, 0xA2, 0x8E, 0x15, 0xAB, 0x1C,
29490         0x9F, 0x76, 0x37, 0x5F, 0xDD, 0x12, 0x10, 0xD4,
29491         0xF4, 0x35, 0x1B, 0x9A, 0x00, 0x94, 0x86, 0xB7,
29492         0xF3, 0xED, 0x46, 0xC9, 0x65, 0xDE, 0xD2, 0xD8,
29493         0x0D, 0xAD, 0xE4, 0xF3, 0x8C, 0x67, 0x21, 0xD5,
29494         0x2C, 0x3A, 0xD1, 0x03, 0xA1, 0x0E, 0xBD, 0x29,
29495         0x59, 0x24, 0x8B, 0x4E, 0xF0, 0x06, 0x83, 0x6B,
29496         0xF0, 0x97, 0x44, 0x8E, 0x61, 0x07, 0xC9, 0xED,
29497         0xEE, 0x9F, 0xB7, 0x04, 0x82, 0x3D, 0xF1, 0x99,
29498         0xF8, 0x32, 0xC9, 0x05, 0xAE, 0x45, 0xF8, 0xA2,
29499         0x47, 0xA0, 0x72, 0xD8, 0xEF, 0x72, 0x9E, 0xAB,
29500         0xC5, 0xE2, 0x75, 0x74, 0xB0, 0x77, 0x39, 0xB3,
29501         0x4B, 0xE7, 0x4A, 0x53, 0x2F, 0x74, 0x7B, 0x86
29502     };
29503     byte encSsv[] = {
29504         0x89, 0xE0, 0xBC, 0x66, 0x1A, 0xA1, 0xE9, 0x16,
29505         0x38, 0xE6, 0xAC, 0xC8, 0x4E, 0x49, 0x65, 0x07
29506     };
29507     int ret;
29508     int valid;
29509     byte pubKey[sizeof(pubData) + 1];
29510     word32 sz = sizeof(pubKey);
29511     byte tmpSsv[sizeof(encSsv)];
29512     byte* iTable = NULL;
29513     word32 iTableLen;
29514     byte* table = NULL;
29515     word32 len;
29516 
29517     ret = wc_ImportSakkePublicKey(key, pubData, sizeof(pubData), 0);
29518     if (ret != 0)
29519         return -10315;
29520 
29521     ret = wc_DecodeSakkeRsk(key, rskData, sizeof(rskData), rsk);
29522     if (ret != 0)
29523         return -10316;
29524 
29525     ret = wc_ValidateSakkeRsk(key, id, sizeof(id), rsk, &valid);
29526     if (ret != 0)
29527         return -10317;
29528     if (valid != 1)
29529         return -10318;
29530 
29531     ret = wc_SetSakkeRsk(key, rsk, NULL, 0);
29532     if (ret != 0)
29533         return -10319;
29534     ret = wc_SetSakkeIdentity(key, id, sizeof(id));
29535     if (ret != 0)
29536         return -10319;
29537 
29538     XMEMCPY(tmpSsv, encSsv, sizeof(encSsv));
29539     ret = wc_DeriveSakkeSSV(key, WC_HASH_TYPE_SHA256, tmpSsv, sizeof(tmpSsv),
29540             auth, sizeof(auth));
29541     if (ret != 0)
29542         return -10322;
29543     if (XMEMCMP(tmpSsv, ssv, sizeof(ssv)) != 0)
29544         return -10320;
29545 
29546     ret = wc_MakeSakkePointI(key, id, sizeof(id));
29547     if (ret != 0)
29548         return -10321;
29549     iTableLen = 0;
29550     ret = wc_GenerateSakkePointITable(key, NULL, &iTableLen);
29551     if (ret != LENGTH_ONLY_E)
29552         return -10322;
29553     if (iTableLen != 0) {
29554         iTable = (byte*)XMALLOC(iTableLen, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
29555         if (iTable == NULL)
29556             return -10323;
29557         ret = wc_GenerateSakkePointITable(key, iTable, &iTableLen);
29558         if (ret != 0)
29559             return -10324;
29560     }
29561     len = 0;
29562     ret = wc_GenerateSakkeRskTable(key, rsk, NULL, &len);
29563     if (ret != LENGTH_ONLY_E)
29564         return -10325;
29565     if (len > 0) {
29566         table = (byte*)XMALLOC(len, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
29567         if (table == NULL)
29568             return -10326;
29569         ret = wc_GenerateSakkeRskTable(key, rsk, table, &len);
29570         if (ret != 0)
29571             return -10327;
29572     }
29573 
29574     ret = wc_SetSakkeRsk(key, rsk, table, len);
29575     if (ret != 0)
29576         return -10319;
29577 
29578     XMEMCPY(tmpSsv, encSsv, sizeof(encSsv));
29579     ret = wc_DeriveSakkeSSV(key, WC_HASH_TYPE_SHA256, tmpSsv, sizeof(tmpSsv),
29580             auth, sizeof(auth));
29581     if (ret != 0)
29582         return -10328;
29583     if (XMEMCMP(tmpSsv, ssv, sizeof(ssv)) != 0)
29584         return -10329;
29585 
29586     /* Don't reference table that is about to be freed. */
29587     ret = wc_ClearSakkePointITable(key);
29588     if (ret != 0)
29589         return -10330;
29590     /* Dispose of tables */
29591     if (iTable != NULL)
29592         XFREE(iTable, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
29593     if (table != NULL)
29594         XFREE(table, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
29595 
29596     /* Make sure the key public key is exportable - convert to Montgomery form
29597      * in Validation.
29598      */
29599     ret = wc_ExportSakkePublicKey(key, pubKey, &sz, 1);
29600     if (ret != 0)
29601         return -10331;
29602     if (sz != sizeof(pubData))
29603         return -10332;
29604     if (XMEMCMP(pubKey, pubData, sizeof(pubData)) != 0)
29605         return -10333;
29606 
29607     sz = sizeof(pubData) + 1;
29608     ret = wc_ExportSakkePublicKey(key, pubKey, &sz, 0);
29609     if (ret != 0)
29610         return -10334;
29611     if (sz != sizeof(pubData) + 1)
29612         return -10335;
29613     if (pubKey[0] != 0x04)
29614         return -10336;
29615     if (XMEMCMP(pubKey + 1, pubData, sizeof(pubData)) != 0)
29616         return -10337;
29617 
29618     return 0;
29619 }
29620 
29621 static int sakke_kat_encapsulate_test(SakkeKey* key)
29622 {
29623     static const byte pubData[] = {
29624         0x59, 0x58, 0xEF, 0x1B, 0x16, 0x79, 0xBF, 0x09,
29625         0x9B, 0x3A, 0x03, 0x0D, 0xF2, 0x55, 0xAA, 0x6A,
29626         0x23, 0xC1, 0xD8, 0xF1, 0x43, 0xD4, 0xD2, 0x3F,
29627         0x75, 0x3E, 0x69, 0xBD, 0x27, 0xA8, 0x32, 0xF3,
29628         0x8C, 0xB4, 0xAD, 0x53, 0xDD, 0xEF, 0x42, 0x60,
29629         0xB0, 0xFE, 0x8B, 0xB4, 0x5C, 0x4C, 0x1F, 0xF5,
29630         0x10, 0xEF, 0xFE, 0x30, 0x03, 0x67, 0xA3, 0x7B,
29631         0x61, 0xF7, 0x01, 0xD9, 0x14, 0xAE, 0xF0, 0x97,
29632         0x24, 0x82, 0x5F, 0xA0, 0x70, 0x7D, 0x61, 0xA6,
29633         0xDF, 0xF4, 0xFB, 0xD7, 0x27, 0x35, 0x66, 0xCD,
29634         0xDE, 0x35, 0x2A, 0x0B, 0x04, 0xB7, 0xC1, 0x6A,
29635         0x78, 0x30, 0x9B, 0xE6, 0x40, 0x69, 0x7D, 0xE7,
29636         0x47, 0x61, 0x3A, 0x5F, 0xC1, 0x95, 0xE8, 0xB9,
29637         0xF3, 0x28, 0x85, 0x2A, 0x57, 0x9D, 0xB8, 0xF9,
29638         0x9B, 0x1D, 0x00, 0x34, 0x47, 0x9E, 0xA9, 0xC5,
29639         0x59, 0x5F, 0x47, 0xC4, 0xB2, 0xF5, 0x4F, 0xF2,
29640         0x15, 0x08, 0xD3, 0x75, 0x14, 0xDC, 0xF7, 0xA8,
29641         0xE1, 0x43, 0xA6, 0x05, 0x8C, 0x09, 0xA6, 0xBF,
29642         0x2C, 0x98, 0x58, 0xCA, 0x37, 0xC2, 0x58, 0x06,
29643         0x5A, 0xE6, 0xBF, 0x75, 0x32, 0xBC, 0x8B, 0x5B,
29644         0x63, 0x38, 0x38, 0x66, 0xE0, 0x75, 0x3C, 0x5A,
29645         0xC0, 0xE7, 0x27, 0x09, 0xF8, 0x44, 0x5F, 0x2E,
29646         0x61, 0x78, 0xE0, 0x65, 0x85, 0x7E, 0x0E, 0xDA,
29647         0x10, 0xF6, 0x82, 0x06, 0xB6, 0x35, 0x05, 0xED,
29648         0x87, 0xE5, 0x34, 0xFB, 0x28, 0x31, 0xFF, 0x95,
29649         0x7F, 0xB7, 0xDC, 0x61, 0x9D, 0xAE, 0x61, 0x30,
29650         0x1E, 0xEA, 0xCC, 0x2F, 0xDA, 0x36, 0x80, 0xEA,
29651         0x49, 0x99, 0x25, 0x8A, 0x83, 0x3C, 0xEA, 0x8F,
29652         0xC6, 0x7C, 0x6D, 0x19, 0x48, 0x7F, 0xB4, 0x49,
29653         0x05, 0x9F, 0x26, 0xCC, 0x8A, 0xAB, 0x65, 0x5A,
29654         0xB5, 0x8B, 0x7C, 0xC7, 0x96, 0xE2, 0x4E, 0x9A,
29655         0x39, 0x40, 0x95, 0x75, 0x4F, 0x5F, 0x8B, 0xAE
29656     };
29657     static const byte id[] = {
29658         0x32, 0x30, 0x31, 0x31, 0x2D, 0x30, 0x32, 0x00,
29659         0x74, 0x65, 0x6C, 0x3A, 0x2B, 0x34, 0x34, 0x37,
29660         0x37, 0x30, 0x30, 0x39, 0x30, 0x30, 0x31, 0x32,
29661         0x33, 0x00
29662     };
29663     static word32 idSz = sizeof(id);
29664     byte ssv[] = {
29665         0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,
29666         0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0
29667     };
29668     static word16 ssvSz = sizeof(ssv);
29669     static const byte expAuth[] = {
29670         0x04,
29671         0x44, 0xE8, 0xAD, 0x44, 0xAB, 0x85, 0x92, 0xA6,
29672         0xA5, 0xA3, 0xDD, 0xCA, 0x5C, 0xF8, 0x96, 0xC7,
29673         0x18, 0x04, 0x36, 0x06, 0xA0, 0x1D, 0x65, 0x0D,
29674         0xEF, 0x37, 0xA0, 0x1F, 0x37, 0xC2, 0x28, 0xC3,
29675         0x32, 0xFC, 0x31, 0x73, 0x54, 0xE2, 0xC2, 0x74,
29676         0xD4, 0xDA, 0xF8, 0xAD, 0x00, 0x10, 0x54, 0xC7,
29677         0x6C, 0xE5, 0x79, 0x71, 0xC6, 0xF4, 0x48, 0x6D,
29678         0x57, 0x23, 0x04, 0x32, 0x61, 0xC5, 0x06, 0xEB,
29679         0xF5, 0xBE, 0x43, 0x8F, 0x53, 0xDE, 0x04, 0xF0,
29680         0x67, 0xC7, 0x76, 0xE0, 0xDD, 0x3B, 0x71, 0xA6,
29681         0x29, 0x01, 0x33, 0x28, 0x37, 0x25, 0xA5, 0x32,
29682         0xF2, 0x1A, 0xF1, 0x45, 0x12, 0x6D, 0xC1, 0xD7,
29683         0x77, 0xEC, 0xC2, 0x7B, 0xE5, 0x08, 0x35, 0xBD,
29684         0x28, 0x09, 0x8B, 0x8A, 0x73, 0xD9, 0xF8, 0x01,
29685         0xD8, 0x93, 0x79, 0x3A, 0x41, 0xFF, 0x5C, 0x49,
29686         0xB8, 0x7E, 0x79, 0xF2, 0xBE, 0x4D, 0x56, 0xCE,
29687         0x55, 0x7E, 0x13, 0x4A, 0xD8, 0x5B, 0xB1, 0xD4,
29688         0xB9, 0xCE, 0x4F, 0x8B, 0xE4, 0xB0, 0x8A, 0x12,
29689         0xBA, 0xBF, 0x55, 0xB1, 0xD6, 0xF1, 0xD7, 0xA6,
29690         0x38, 0x01, 0x9E, 0xA2, 0x8E, 0x15, 0xAB, 0x1C,
29691         0x9F, 0x76, 0x37, 0x5F, 0xDD, 0x12, 0x10, 0xD4,
29692         0xF4, 0x35, 0x1B, 0x9A, 0x00, 0x94, 0x86, 0xB7,
29693         0xF3, 0xED, 0x46, 0xC9, 0x65, 0xDE, 0xD2, 0xD8,
29694         0x0D, 0xAD, 0xE4, 0xF3, 0x8C, 0x67, 0x21, 0xD5,
29695         0x2C, 0x3A, 0xD1, 0x03, 0xA1, 0x0E, 0xBD, 0x29,
29696         0x59, 0x24, 0x8B, 0x4E, 0xF0, 0x06, 0x83, 0x6B,
29697         0xF0, 0x97, 0x44, 0x8E, 0x61, 0x07, 0xC9, 0xED,
29698         0xEE, 0x9F, 0xB7, 0x04, 0x82, 0x3D, 0xF1, 0x99,
29699         0xF8, 0x32, 0xC9, 0x05, 0xAE, 0x45, 0xF8, 0xA2,
29700         0x47, 0xA0, 0x72, 0xD8, 0xEF, 0x72, 0x9E, 0xAB,
29701         0xC5, 0xE2, 0x75, 0x74, 0xB0, 0x77, 0x39, 0xB3,
29702         0x4B, 0xE7, 0x4A, 0x53, 0x2F, 0x74, 0x7B, 0x86
29703     };
29704     static const byte encSsv[] = {
29705         0x89, 0xE0, 0xBC, 0x66, 0x1A, 0xA1, 0xE9, 0x16,
29706         0x38, 0xE6, 0xAC, 0xC8, 0x4E, 0x49, 0x65, 0x07
29707     };
29708     int ret;
29709     byte auth[257];
29710     word16 authSz = sizeof(auth);
29711 
29712     ret = wc_ImportSakkePublicKey(key, pubData, sizeof(pubData), 0);
29713     if (ret != 0)
29714         return -10334;
29715 
29716     ret = wc_SetSakkeIdentity(key, id, idSz);
29717     if (ret != 0)
29718         return -10335;
29719 
29720     ret = wc_MakeSakkeEncapsulatedSSV(key, WC_HASH_TYPE_SHA256, ssv, ssvSz,
29721             auth, &authSz);
29722     if (ret != 0)
29723         return -10336;
29724     if (authSz != 257)
29725         return -10337;
29726 
29727     if (XMEMCMP(ssv, encSsv, ssvSz) != 0)
29728         return -10338;
29729     if (XMEMCMP(auth, expAuth, authSz) != 0)
29730         return -10339;
29731 
29732     return 0;
29733 }
29734 
29735 static int sakke_make_key_test(SakkeKey* priv, SakkeKey* pub, SakkeKey* key,
29736     WC_RNG* rng, ecc_point* rsk)
29737 {
29738     int ret;
29739     byte data[440];
29740     byte pubData[257];
29741     word32 sz;
29742     char mail[] = "test@wolfssl.com";
29743     byte* id = (byte*)mail;
29744     word32 idSz = (word32)XSTRLEN(mail);
29745     int valid;
29746     ecc_point* pubKey = rsk;
29747 
29748     ret = wc_InitSakkeKey_ex(key, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
29749     if (ret != 0)
29750         return -10339;
29751 
29752     ret = wc_MakeSakkeKey(priv, rng);
29753     if (ret != 0)
29754         return -10340;
29755 
29756     ret = wc_ExportSakkeKey(priv, NULL, &sz);
29757     if (ret != LENGTH_ONLY_E)
29758         return -10341;
29759     if (sz != 384)
29760         return -10342;
29761     sz--;
29762     ret = wc_ExportSakkeKey(priv, data, &sz);
29763     if (ret == 0)
29764         return -10343;
29765     sz++;
29766     ret = wc_ExportSakkeKey(priv, data, &sz);
29767     if (ret != 0)
29768         return -10344;
29769     if (sz != 384)
29770         return -10345;
29771 
29772     ret = wc_ImportSakkeKey(key, data, sz - 1);
29773     if (ret == 0)
29774         return -10346;
29775     ret = wc_ImportSakkeKey(key, data, sz);
29776     if (ret != 0)
29777         return -10347;
29778     wc_FreeSakkeKey(key);
29779     ret = wc_InitSakkeKey_ex(key, 128, ECC_SAKKE_1, NULL, INVALID_DEVID);
29780     if (ret != 0)
29781         return -10348;
29782 
29783     ret = wc_ExportSakkePrivateKey(priv, NULL, &sz);
29784     if (ret != LENGTH_ONLY_E)
29785         return -10349;
29786     if (sz != 128)
29787         return -10350;
29788     sz--;
29789     ret = wc_ExportSakkePrivateKey(priv, data, &sz);
29790     if (ret == 0)
29791         return -10351;
29792     sz++;
29793     ret = wc_ExportSakkePrivateKey(priv, data, &sz);
29794     if (ret != 0)
29795         return -10352;
29796     if (sz != 128)
29797         return -10353;
29798 
29799     ret = wc_ImportSakkePrivateKey(key, data, sz - 1);
29800     if (ret == 0)
29801         return -10354;
29802     ret = wc_ImportSakkePrivateKey(key, data, sz);
29803     if (ret != 0)
29804         return -10355;
29805     ret = wc_MakeSakkePublicKey(key, pubKey);
29806     if (ret != 0)
29807         return -10356;
29808 
29809     ret = wc_ExportSakkePublicKey(priv, NULL, &sz, 1);
29810     if (ret != LENGTH_ONLY_E)
29811         return -10357;
29812     if (sz != 256)
29813         return -10358;
29814     sz--;
29815     ret = wc_ExportSakkePublicKey(priv, data, &sz, 1);
29816     if (ret == 0)
29817         return -10359;
29818     sz++;
29819     ret = wc_ExportSakkePublicKey(priv, data, &sz, 1);
29820     if (ret != 0)
29821         return -10360;
29822     if (sz != 256)
29823         return -10361;
29824 
29825     ret = wc_ImportSakkePublicKey(pub, data, sz - 1, 1);
29826     if (ret == 0)
29827         return -10362;
29828     ret = wc_ImportSakkePublicKey(pub, data, sz, 1);
29829     if (ret != 0)
29830         return -10363;
29831 
29832     ret = wc_ExportSakkePublicKey(pub, pubData, &sz, 1);
29833     if (ret != 0)
29834         return -10364;
29835     if (sz != 256)
29836         return -10365;
29837     if (XMEMCMP(data, pubData, sz) != 0)
29838         return -10366;
29839 
29840     ret = wc_MakeSakkeRsk(priv, id, idSz, rsk);
29841     if (ret != 0)
29842         return -10367;
29843 
29844     ret = wc_ValidateSakkeRsk(priv, id, idSz, rsk, &valid);
29845     if (ret != 0)
29846         return -10368;
29847     if (valid != 1)
29848         return -10369;
29849 
29850     ret = wc_ValidateSakkeRsk(pub, id, idSz, rsk, &valid);
29851     if (ret != 0)
29852         return -10370;
29853     if (valid != 1)
29854         return -10371;
29855 
29856     sz = sizeof(data);
29857     ret = wc_EncodeSakkeRsk(priv, rsk, data, &sz, 1);
29858     if (ret != 0)
29859         return -10372;
29860     if (sz != 256)
29861         return -10373;
29862     ret = wc_DecodeSakkeRsk(priv, data, sz, rsk);
29863     if (ret != 0)
29864         return -10374;
29865 
29866     sz = sizeof(pubData);
29867     ret = wc_EncodeSakkeRsk(priv, rsk, pubData, &sz, 0);
29868     if (ret != 0)
29869         return -10375;
29870     if (sz != sizeof(pubData))
29871         return -10376;
29872     ret = wc_DecodeSakkeRsk(priv, pubData, sz, rsk);
29873     if (ret != 0)
29874         return -10377;
29875 
29876     wc_FreeSakkeKey(key);
29877 
29878     return 0;
29879 }
29880 
29881 static int sakke_op_test(SakkeKey* priv, SakkeKey* pub, WC_RNG* rng,
29882                          ecc_point* rsk)
29883 {
29884     int ret;
29885     byte ssv[16];
29886     word16 ssvSz;
29887     byte auth[257];
29888     word16 authSz;
29889     char mail[] = "test@wolfssl.com";
29890     byte* id = (byte*)mail;
29891     word32 idSz = (word32)XSTRLEN(mail);
29892     byte pointI[256];
29893     word32 sz;
29894 
29895     ret = wc_GenerateSakkeSSV(pub, rng, NULL, &ssvSz);
29896     if (ret != LENGTH_ONLY_E)
29897         return -10375;
29898     if (ssvSz != 16)
29899         return -10376;
29900 
29901     ssvSz += 128;
29902     ret = wc_GenerateSakkeSSV(pub, rng, ssv, &ssvSz);
29903     if (ret == 0)
29904         return -10377;
29905     ssvSz -= 128;
29906     ret = wc_GenerateSakkeSSV(pub, rng, ssv, &ssvSz);
29907      if (ret != 0)
29908         return -10378;
29909     if (ssvSz != 16)
29910         return -10379;
29911 
29912     ret = wc_GetSakkeAuthSize(pub, &authSz);
29913     if (ret != 0)
29914         return -10380;
29915 
29916     ret = wc_SetSakkeIdentity(pub, id, idSz);
29917     if (ret != 0)
29918         return -10380;
29919 
29920     ret = wc_MakeSakkeEncapsulatedSSV(pub, WC_HASH_TYPE_SHA256, ssv, ssvSz,
29921             NULL, &authSz);
29922     if (ret != LENGTH_ONLY_E)
29923         return -10381;
29924     if (authSz != 257)
29925         return -10382;
29926 
29927     authSz--;
29928     ret = wc_MakeSakkeEncapsulatedSSV(pub, WC_HASH_TYPE_SHA256, ssv, ssvSz,
29929             auth, &authSz);
29930     if (ret == 0)
29931         return -10383;
29932     authSz++;
29933     ret = wc_MakeSakkeEncapsulatedSSV(pub, WC_HASH_TYPE_SHA256, ssv, ssvSz,
29934             auth, &authSz);
29935     if (ret != 0)
29936         return -10384;
29937     if (authSz != 257)
29938         return -10385;
29939 
29940     ret = wc_GetSakkePointI(pub, NULL, &sz);
29941     if (ret != LENGTH_ONLY_E)
29942         return -10386;
29943     if (sz != 256)
29944         return -10387;
29945     ret = wc_GetSakkePointI(pub, pointI, &sz);
29946     if (ret != 0)
29947         return -10388;
29948     if (sz != 256)
29949         return -10389;
29950 
29951     /* Bogus identity - make it check and regenerate I. */
29952     ret = wc_MakeSakkePointI(pub, ssv, ssvSz);
29953     if (ret != 0)
29954         return -10391;
29955     ret = wc_MakeSakkeEncapsulatedSSV(pub, WC_HASH_TYPE_SHA256, ssv, ssvSz,
29956             auth, &authSz);
29957     if (ret != 0)
29958         return -10392;
29959     if (authSz != 257)
29960         return -10393;
29961 
29962     ret = wc_SetSakkeRsk(priv, rsk, NULL, 0);
29963     if (ret != 0)
29964         return -10392;
29965     ret = wc_SetSakkeIdentity(priv, id, idSz);
29966     if (ret != 0)
29967         return -10392;
29968 
29969     authSz--;
29970     ret = wc_DeriveSakkeSSV(priv, WC_HASH_TYPE_SHA256, ssv, ssvSz, auth,
29971             authSz);
29972     if (ret == 0)
29973         return -10394;
29974     authSz++;
29975     ret = wc_DeriveSakkeSSV(priv, WC_HASH_TYPE_SHA256, ssv, ssvSz, auth,
29976             authSz);
29977     if (ret != 0)
29978         return -10395;
29979     ssv[0] ^= 0x80;
29980     ret = wc_DeriveSakkeSSV(priv, WC_HASH_TYPE_SHA256, ssv, ssvSz, auth,
29981             authSz);
29982     if (ret != SAKKE_VERIFY_FAIL_E)
29983         return -10396;
29984     ssv[0] ^= 0x80;
29985 
29986     /* Bogus identity - make it check and regenerate I. */
29987     ret = wc_MakeSakkePointI(pub, ssv, idSz);
29988     if (ret != 0)
29989         return -10397;
29990     ret = wc_DeriveSakkeSSV(priv, WC_HASH_TYPE_SHA256, ssv, ssvSz, auth,
29991             authSz);
29992     if (ret != 0)
29993         return -10398;
29994     return 0;
29995 }
29996 
29997 int sakke_test(void)
29998 {
29999     int ret = 0;
30000     WC_RNG rng;
30001     SakkeKey* priv = NULL;
30002     SakkeKey* pub  = NULL;
30003     SakkeKey* key  = NULL;
30004     ecc_point* rsk = NULL;
30005 
30006     priv = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT,
30007             DYNAMIC_TYPE_TMP_BUFFER);
30008     if (priv == NULL) {
30009         ret = -10404;
30010     }
30011 
30012     if (ret == 0) {
30013         pub = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT,
30014             DYNAMIC_TYPE_TMP_BUFFER);
30015         if (pub == NULL) {
30016             ret = -10405;
30017         }
30018     }
30019 
30020     if (ret == 0) {
30021         key = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT,
30022             DYNAMIC_TYPE_TMP_BUFFER);
30023         if (key == NULL) {
30024             ret = -10406;
30025         }
30026     }
30027 
30028     if (ret == 0) {
30029     #ifndef HAVE_FIPS
30030         ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
30031     #else
30032         ret = wc_InitRng(&rng);
30033     #endif
30034         if (ret != 0)
30035             ret = -10400;
30036     }
30037 
30038     if (ret == 0) {
30039         rsk = wc_ecc_new_point();
30040         if (rsk == NULL)
30041             ret = -10401;
30042     }
30043 
30044     if (ret == 0) {
30045         ret = wc_InitSakkeKey(pub, HEAP_HINT, INVALID_DEVID);
30046         if (ret != 0)
30047             ret = -10402;
30048     }
30049 
30050     if (ret == 0) {
30051         ret = wc_InitSakkeKey(priv, HEAP_HINT, INVALID_DEVID);
30052         if (ret != 0)
30053             ret = -10403;
30054     }
30055 
30056     if (ret == 0) {
30057         ret = sakke_api_test(&rng, key, rsk);
30058     }
30059 
30060     if (ret == 0) {
30061         ret = sakke_kat_derive_test(pub, rsk);
30062     }
30063 
30064     if (ret == 0) {
30065         ret = sakke_kat_encapsulate_test(pub);
30066     }
30067 
30068     if (ret == 0) {
30069         ret = sakke_make_key_test(priv, pub, key, &rng, rsk);
30070     }
30071 
30072     if (ret == 0) {
30073         ret = sakke_op_test(priv, pub, &rng, rsk);
30074     }
30075 
30076     wc_FreeSakkeKey(priv);
30077     wc_FreeSakkeKey(pub);
30078     wc_ecc_forcezero_point(rsk);
30079     wc_ecc_del_point(rsk);
30080 
30081     if (ret != -10400)
30082         wc_FreeRng(&rng);
30083 
30084     if (key != NULL)
30085         XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
30086     if (pub != NULL)
30087         XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
30088     if (priv != NULL)
30089         XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
30090 
30091     return ret;
30092 }
30093 #endif /* WOLFCRYPT_HAVE_SAKKE */
30094 
30095 
30096 #if defined(WOLFSSL_CMAC) && !defined(NO_AES)
30097 
30098 typedef struct CMAC_Test_Case {
30099     int type;
30100     int partial;
30101     const byte* m;
30102     word32 mSz;
30103     const byte* k;
30104     word32 kSz;
30105     const byte* t;
30106     word32 tSz;
30107 } CMAC_Test_Case;
30108 
30109 WOLFSSL_TEST_SUBROUTINE int cmac_test(void)
30110 {
30111 #ifdef WOLFSSL_AES_128
30112     WOLFSSL_SMALL_STACK_STATIC const byte k128[] =
30113     {
30114         0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
30115         0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
30116     };
30117     #define KLEN_128 (sizeof(k128))
30118 #endif
30119 #ifdef WOLFSSL_AES_192
30120     WOLFSSL_SMALL_STACK_STATIC const byte k192[] =
30121     {
30122         0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
30123         0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
30124         0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
30125     };
30126     #define KLEN_192 (sizeof(k192))
30127 #endif
30128 #ifdef WOLFSSL_AES_256
30129     WOLFSSL_SMALL_STACK_STATIC const byte k256[] =
30130     {
30131         0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
30132         0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
30133         0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
30134         0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
30135     };
30136     #define KLEN_256 (sizeof(k256))
30137 #endif
30138 
30139     WOLFSSL_SMALL_STACK_STATIC const byte m[] =
30140     {
30141         0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
30142         0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
30143         0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
30144         0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
30145         0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
30146         0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
30147         0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
30148         0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
30149     };
30150     #define MLEN_0 (0)
30151     #define MLEN_128 (128/8)
30152     #define MLEN_320 (320/8)
30153     #define MLEN_319 (MLEN_320 - 1)
30154     #define MLEN_512 (512/8)
30155 
30156 #ifdef WOLFSSL_AES_128
30157     WOLFSSL_SMALL_STACK_STATIC const byte t128_0[] =
30158     {
30159         0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
30160         0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
30161     };
30162     WOLFSSL_SMALL_STACK_STATIC const byte t128_128[] =
30163     {
30164         0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
30165         0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
30166     };
30167     WOLFSSL_SMALL_STACK_STATIC const byte t128_319[] =
30168     {
30169         0x2c, 0x17, 0x84, 0x4c, 0x93, 0x1c, 0x07, 0x95,
30170         0x15, 0x92, 0x73, 0x0a, 0x34, 0xd0, 0xd9, 0xd2
30171     };
30172     WOLFSSL_SMALL_STACK_STATIC const byte t128_320[] =
30173     {
30174         0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
30175         0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27
30176     };
30177     WOLFSSL_SMALL_STACK_STATIC const byte t128_512[] =
30178     {
30179         0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
30180         0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
30181     };
30182 #endif
30183 #ifdef WOLFSSL_AES_192
30184     WOLFSSL_SMALL_STACK_STATIC const byte t192_0[] =
30185     {
30186         0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
30187         0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
30188     };
30189     WOLFSSL_SMALL_STACK_STATIC const byte t192_128[] =
30190     {
30191         0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
30192         0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
30193     };
30194     WOLFSSL_SMALL_STACK_STATIC const byte t192_320[] =
30195     {
30196         0x8a, 0x1d, 0xe5, 0xbe, 0x2e, 0xb3, 0x1a, 0xad,
30197         0x08, 0x9a, 0x82, 0xe6, 0xee, 0x90, 0x8b, 0x0e
30198     };
30199     WOLFSSL_SMALL_STACK_STATIC const byte t192_512[] =
30200     {
30201         0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
30202         0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
30203     };
30204 #endif
30205 #ifdef WOLFSSL_AES_256
30206     WOLFSSL_SMALL_STACK_STATIC const byte t256_0[] =
30207     {
30208         0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
30209         0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
30210     };
30211     WOLFSSL_SMALL_STACK_STATIC const byte t256_128[] =
30212     {
30213         0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
30214         0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
30215     };
30216     WOLFSSL_SMALL_STACK_STATIC const byte t256_320[] =
30217     {
30218         0xaa, 0xf3, 0xd8, 0xf1, 0xde, 0x56, 0x40, 0xc2,
30219         0x32, 0xf5, 0xb1, 0x69, 0xb9, 0xc9, 0x11, 0xe6
30220     };
30221     WOLFSSL_SMALL_STACK_STATIC const byte t256_512[] =
30222     {
30223         0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
30224         0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
30225     };
30226 #endif
30227     const CMAC_Test_Case testCases[] =
30228     {
30229 #ifdef WOLFSSL_AES_128
30230         {WC_CMAC_AES, 0, m, MLEN_0, k128, KLEN_128, t128_0, AES_BLOCK_SIZE},
30231         {WC_CMAC_AES, 0, m, MLEN_128, k128, KLEN_128, t128_128, AES_BLOCK_SIZE},
30232         {WC_CMAC_AES, 0, m, MLEN_320, k128, KLEN_128, t128_320, AES_BLOCK_SIZE},
30233         {WC_CMAC_AES, 0, m, MLEN_512, k128, KLEN_128, t128_512, AES_BLOCK_SIZE},
30234         {WC_CMAC_AES, 5, m, MLEN_512, k128, KLEN_128, t128_512, AES_BLOCK_SIZE},
30235 #endif
30236 #ifdef WOLFSSL_AES_192
30237         {WC_CMAC_AES, 0, m, MLEN_0, k192, KLEN_192, t192_0, AES_BLOCK_SIZE},
30238         {WC_CMAC_AES, 0, m, MLEN_128, k192, KLEN_192, t192_128, AES_BLOCK_SIZE},
30239         {WC_CMAC_AES, 0, m, MLEN_320, k192, KLEN_192, t192_320, AES_BLOCK_SIZE},
30240         {WC_CMAC_AES, 0, m, MLEN_512, k192, KLEN_192, t192_512, AES_BLOCK_SIZE},
30241 #endif
30242 #ifdef WOLFSSL_AES_256
30243         {WC_CMAC_AES, 0, m, MLEN_0, k256, KLEN_256, t256_0, AES_BLOCK_SIZE},
30244         {WC_CMAC_AES, 0, m, MLEN_128, k256, KLEN_256, t256_128, AES_BLOCK_SIZE},
30245         {WC_CMAC_AES, 0, m, MLEN_320, k256, KLEN_256, t256_320, AES_BLOCK_SIZE},
30246         {WC_CMAC_AES, 0, m, MLEN_512, k256, KLEN_256, t256_512, AES_BLOCK_SIZE},
30247 #endif
30248 #ifdef WOLFSSL_AES_128
30249         {WC_CMAC_AES, 0, m, MLEN_319, k128, KLEN_128, t128_319, AES_BLOCK_SIZE}
30250 #endif
30251     };
30252 
30253 #ifdef WOLFSSL_SMALL_STACK
30254     Cmac *cmac;
30255 #else
30256     Cmac cmac[1];
30257 #endif
30258     byte tag[AES_BLOCK_SIZE];
30259     const CMAC_Test_Case* tc;
30260     word32 i, tagSz;
30261     int ret;
30262 
30263 #ifdef WOLFSSL_SMALL_STACK
30264     if ((cmac = (Cmac *)XMALLOC(sizeof *cmac, HEAP_HINT, DYNAMIC_TYPE_CMAC)) == NULL)
30265         ERROR_OUT(-12009, out);
30266 #endif
30267 
30268     for (i = 0, tc = testCases;
30269          i < sizeof(testCases)/sizeof(CMAC_Test_Case);
30270          i++, tc++) {
30271 
30272         XMEMSET(tag, 0, sizeof(tag));
30273         tagSz = AES_BLOCK_SIZE;
30274 
30275 #if !defined(HAVE_FIPS) || \
30276     defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 3)
30277         if (wc_InitCmac_ex(cmac, tc->k, tc->kSz, tc->type, NULL, HEAP_HINT, devId) != 0)
30278 #else
30279         if (wc_InitCmac(cmac, tc->k, tc->kSz, tc->type, NULL) != 0)
30280 #endif
30281         {
30282             ERROR_OUT(-12000, out);
30283         }
30284         if (tc->partial) {
30285             if (wc_CmacUpdate(cmac, tc->m,
30286                                  tc->mSz/2 - tc->partial) != 0)
30287                 ERROR_OUT(-12001, out);
30288             if (wc_CmacUpdate(cmac, tc->m + tc->mSz/2 - tc->partial,
30289                                  tc->mSz/2 + tc->partial) != 0)
30290                 ERROR_OUT(-12002, out);
30291         }
30292         else {
30293             if (wc_CmacUpdate(cmac, tc->m, tc->mSz) != 0)
30294                 ERROR_OUT(-12003, out);
30295         }
30296         if (wc_CmacFinal(cmac, tag, &tagSz) != 0)
30297             ERROR_OUT(-12004, out);
30298         if (XMEMCMP(tag, tc->t, AES_BLOCK_SIZE) != 0)
30299             ERROR_OUT(-12005, out);
30300 
30301         XMEMSET(tag, 0, sizeof(tag));
30302         tagSz = sizeof(tag);
30303         if (wc_AesCmacGenerate(tag, &tagSz, tc->m, tc->mSz,
30304                                tc->k, tc->kSz) != 0)
30305             ERROR_OUT(-12006, out);
30306         if (XMEMCMP(tag, tc->t, AES_BLOCK_SIZE) != 0)
30307             ERROR_OUT(-12007, out);
30308         if (wc_AesCmacVerify(tc->t, tc->tSz, tc->m, tc->mSz,
30309                              tc->k, tc->kSz) != 0)
30310             ERROR_OUT(-12008, out);
30311     }
30312 
30313     ret = 0;
30314 
30315   out:
30316 
30317 #ifdef WOLFSSL_SMALL_STACK
30318     if (cmac)
30319         XFREE(cmac, HEAP_HINT, DYNAMIC_TYPE_CMAC);
30320 #endif
30321 
30322     return ret;
30323 }
30324 
30325 #endif /* NO_AES && WOLFSSL_CMAC */
30326 
30327 #ifdef HAVE_LIBZ
30328 
30329 static const byte sample_text[] =
30330     "Biodiesel cupidatat marfa, cliche aute put a bird on it incididunt elit\n"
30331     "polaroid. Sunt tattooed bespoke reprehenderit. Sint twee organic id\n"
30332     "marfa. Commodo veniam ad esse gastropub. 3 wolf moon sartorial vero,\n"
30333     "plaid delectus biodiesel squid +1 vice. Post-ironic keffiyeh leggings\n"
30334     "selfies cray fap hoodie, forage anim. Carles cupidatat shoreditch, VHS\n"
30335     "small batch meggings kogi dolore food truck bespoke gastropub.\n"
30336     "\n"
30337     "Terry richardson adipisicing actually typewriter tumblr, twee whatever\n"
30338     "four loko you probably haven't heard of them high life. Messenger bag\n"
30339     "whatever tattooed deep v mlkshk. Brooklyn pinterest assumenda chillwave\n"
30340     "et, banksy ullamco messenger bag umami pariatur direct trade forage.\n"
30341     "Typewriter culpa try-hard, pariatur sint brooklyn meggings. Gentrify\n"
30342     "food truck next level, tousled irony non semiotics PBR ethical anim cred\n"
30343     "readymade. Mumblecore brunch lomo odd future, portland organic terry\n"
30344     "richardson elit leggings adipisicing ennui raw denim banjo hella. Godard\n"
30345     "mixtape polaroid, pork belly readymade organic cray typewriter helvetica\n"
30346     "four loko whatever street art yr farm-to-table.\n"
30347     "\n"
30348     "Vinyl keytar vice tofu. Locavore you probably haven't heard of them pug\n"
30349     "pickled, hella tonx labore truffaut DIY mlkshk elit cosby sweater sint\n"
30350     "et mumblecore. Elit swag semiotics, reprehenderit DIY sartorial nisi ugh\n"
30351     "nesciunt pug pork belly wayfarers selfies delectus. Ethical hoodie\n"
30352     "seitan fingerstache kale chips. Terry richardson artisan williamsburg,\n"
30353     "eiusmod fanny pack irony tonx ennui lo-fi incididunt tofu YOLO\n"
30354     "readymade. 8-bit sed ethnic beard officia. Pour-over iphone DIY butcher,\n"
30355     "ethnic art party qui letterpress nisi proident jean shorts mlkshk\n"
30356     "locavore.\n"
30357     "\n"
30358     "Narwhal flexitarian letterpress, do gluten-free voluptate next level\n"
30359     "banh mi tonx incididunt carles DIY. Odd future nulla 8-bit beard ut\n"
30360     "cillum pickled velit, YOLO officia you probably haven't heard of them\n"
30361     "trust fund gastropub. Nisi adipisicing tattooed, Austin mlkshk 90's\n"
30362     "small batch american apparel. Put a bird on it cosby sweater before they\n"
30363     "sold out pork belly kogi hella. Street art mollit sustainable polaroid,\n"
30364     "DIY ethnic ea pug beard dreamcatcher cosby sweater magna scenester nisi.\n"
30365     "Sed pork belly skateboard mollit, labore proident eiusmod. Sriracha\n"
30366     "excepteur cosby sweater, anim deserunt laborum eu aliquip ethical et\n"
30367     "neutra PBR selvage.\n"
30368     "\n"
30369     "Raw denim pork belly truffaut, irony plaid sustainable put a bird on it\n"
30370     "next level jean shorts exercitation. Hashtag keytar whatever, nihil\n"
30371     "authentic aliquip disrupt laborum. Tattooed selfies deserunt trust fund\n"
30372     "wayfarers. 3 wolf moon synth church-key sartorial, gastropub leggings\n"
30373     "tattooed. Labore high life commodo, meggings raw denim fingerstache pug\n"
30374     "trust fund leggings seitan forage. Nostrud ullamco duis, reprehenderit\n"
30375     "incididunt flannel sustainable helvetica pork belly pug banksy you\n"
30376     "probably haven't heard of them nesciunt farm-to-table. Disrupt nostrud\n"
30377     "mollit magna, sriracha sartorial helvetica.\n"
30378     "\n"
30379     "Nulla kogi reprehenderit, skateboard sustainable duis adipisicing viral\n"
30380     "ad fanny pack salvia. Fanny pack trust fund you probably haven't heard\n"
30381     "of them YOLO vice nihil. Keffiyeh cray lo-fi pinterest cardigan aliqua,\n"
30382     "reprehenderit aute. Culpa tousled williamsburg, marfa lomo actually anim\n"
30383     "skateboard. Iphone aliqua ugh, semiotics pariatur vero readymade\n"
30384     "organic. Marfa squid nulla, in laborum disrupt laboris irure gastropub.\n"
30385     "Veniam sunt food truck leggings, sint vinyl fap.\n"
30386     "\n"
30387     "Hella dolore pork belly, truffaut carles you probably haven't heard of\n"
30388     "them PBR helvetica in sapiente. Fashion axe ugh bushwick american\n"
30389     "apparel. Fingerstache sed iphone, jean shorts blue bottle nisi bushwick\n"
30390     "flexitarian officia veniam plaid bespoke fap YOLO lo-fi. Blog\n"
30391     "letterpress mumblecore, food truck id cray brooklyn cillum ad sed.\n"
30392     "Assumenda chambray wayfarers vinyl mixtape sustainable. VHS vinyl\n"
30393     "delectus, culpa williamsburg polaroid cliche swag church-key synth kogi\n"
30394     "magna pop-up literally. Swag thundercats ennui shoreditch vegan\n"
30395     "pitchfork neutra truffaut etsy, sed single-origin coffee craft beer.\n"
30396     "\n"
30397     "Odio letterpress brooklyn elit. Nulla single-origin coffee in occaecat\n"
30398     "meggings. Irony meggings 8-bit, chillwave lo-fi adipisicing cred\n"
30399     "dreamcatcher veniam. Put a bird on it irony umami, trust fund bushwick\n"
30400     "locavore kale chips. Sriracha swag thundercats, chillwave disrupt\n"
30401     "tousled beard mollit mustache leggings portland next level. Nihil esse\n"
30402     "est, skateboard art party etsy thundercats sed dreamcatcher ut iphone\n"
30403     "swag consectetur et. Irure skateboard banjo, nulla deserunt messenger\n"
30404     "bag dolor terry richardson sapiente.\n";
30405 
30406 static const byte sample_text_gz[] = {
30407     0x1F, 0x8B, 0x08, 0x08, 0xC5, 0x49, 0xB5, 0x5B, 0x00, 0x03, 0x63, 0x69, 0x70,
30408     0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x2E, 0x74, 0x78, 0x74, 0x00, 0x8D,
30409     0x58, 0xCB, 0x92, 0xE4, 0xB6, 0x11, 0xBC, 0xE3, 0x2B, 0xEA, 0xA6, 0x83, 0xD9,
30410     0x1D, 0x72, 0xF8, 0x22, 0x1F, 0xB5, 0x96, 0xA5, 0xDD, 0x90, 0xBC, 0xAB, 0xD0,
30411     0x28, 0x36, 0x42, 0x47, 0x90, 0x2C, 0x36, 0xA1, 0x06, 0x09, 0x0A, 0x8F, 0xEE,
30412     0xE1, 0xDF, 0x3B, 0x0B, 0xE0, 0x73, 0x2C, 0x4B, 0xBA, 0xCD, 0xCE, 0x80, 0x78,
30413     0x64, 0x65, 0x65, 0x66, 0xED, 0x3B, 0xE3, 0x5A, 0xC3, 0x81, 0x2D, 0x35, 0x69,
30414     0x32, 0xAD, 0x8E, 0x3A, 0xD2, 0xA0, 0x7D, 0xA7, 0x2B, 0x6A, 0xAC, 0x69, 0x7A,
30415     0x26, 0x9D, 0x22, 0xD3, 0x94, 0x22, 0x69, 0xAA, 0x8D, 0x6F, 0xC9, 0x8D, 0x64,
30416     0x22, 0x99, 0xB1, 0x31, 0xAD, 0x69, 0xD3, 0x18, 0x89, 0xAD, 0x89, 0x6A, 0x72,
30417     0x56, 0x7B, 0x67, 0xDA, 0x2B, 0xBD, 0xC8, 0xEF, 0xB0, 0x4D, 0x74, 0x8E, 0x5B,
30418     0xAA, 0x39, 0x4C, 0xEE, 0xCE, 0xE4, 0x79, 0xF2, 0xDC, 0xF3, 0xD8, 0xB2, 0x37,
30419     0x11, 0x8B, 0x8C, 0x2C, 0x7A, 0x32, 0x93, 0xF3, 0x37, 0x3D, 0x9A, 0x86, 0x4C,
30420     0xAB, 0xF2, 0xB9, 0x57, 0xFA, 0x97, 0x1B, 0x06, 0xD7, 0x3A, 0x7A, 0xF0, 0x68,
30421     0xF4, 0x40, 0xBA, 0x25, 0x0E, 0x81, 0xE9, 0xA6, 0x43, 0xF4, 0x6E, 0x4A, 0xF5,
30422     0x95, 0xFE, 0x41, 0x4F, 0x67, 0x3B, 0x1A, 0x1C, 0xEE, 0x12, 0xB4, 0x8F, 0xCE,
30423     0x1B, 0x6D, 0xB1, 0xDE, 0xBB, 0x4A, 0x4D, 0x56, 0x9B, 0x96, 0x5A, 0xB6, 0xDC,
30424     0xC4, 0x14, 0x70, 0xE5, 0xF5, 0x7D, 0xE1, 0xB7, 0x84, 0x3F, 0xFC, 0xED, 0xEF,
30425     0xF4, 0x30, 0x0D, 0x5F, 0xE9, 0x47, 0x17, 0xE2, 0xC5, 0x78, 0x27, 0x67, 0xDF,
30426     0xB9, 0xEB, 0xCC, 0xCC, 0x3D, 0x59, 0xBE, 0xDD, 0xCC, 0x78, 0x0B, 0x0A, 0x1F,
30427     0x74, 0xF8, 0x8C, 0x1A, 0xAF, 0x67, 0xEA, 0xF4, 0x44, 0xBD, 0x93, 0x7D, 0x2A,
30428     0xEA, 0x9C, 0xD7, 0x37, 0x80, 0x32, 0x9A, 0x01, 0x37, 0xD5, 0xDE, 0xCA, 0xA2,
30429     0x0D, 0xB9, 0xD0, 0x3B, 0xCF, 0xAD, 0x89, 0x4D, 0x5F, 0xD1, 0xE7, 0xF7, 0x2F,
30430     0x2A, 0x0C, 0xDA, 0x5A, 0xAA, 0x35, 0x7E, 0x41, 0xC3, 0xB2, 0x37, 0xDD, 0xDD,
30431     0xCD, 0x50, 0xEB, 0x2C, 0x96, 0x62, 0x3B, 0xD7, 0x52, 0xF4, 0xA9, 0xB9, 0x6F,
30432     0x48, 0xED, 0xEF, 0x54, 0xEA, 0x67, 0xF6, 0x7E, 0x26, 0x8F, 0x3A, 0x68, 0xDF,
30433     0x06, 0xBC, 0x56, 0xB7, 0x66, 0x32, 0xC1, 0x34, 0xD8, 0x88, 0x34, 0x1E, 0x88,
30434     0xED, 0x67, 0x8A, 0xF3, 0xC4, 0x4F, 0xC0, 0xCA, 0x9E, 0x62, 0x1A, 0x6A, 0xEB,
30435     0xAB, 0x02, 0xED, 0xB3, 0xD7, 0x91, 0x81, 0x8A, 0xEA, 0x5C, 0xF2, 0x64, 0xDD,
30436     0xDD, 0xD1, 0xEC, 0x12, 0x4D, 0xDE, 0xD5, 0xBA, 0xC6, 0x77, 0xBD, 0x06, 0xC4,
30437     0x5F, 0x44, 0xEA, 0x59, 0x4B, 0x5D, 0x3B, 0x8A, 0x3D, 0x0F, 0xD4, 0x9B, 0x1B,
30438     0x80, 0x30, 0x1D, 0x30, 0xFA, 0x8F, 0x00, 0x3F, 0xDE, 0xB0, 0x6F, 0xAD, 0x6F,
30439     0x6A, 0xDD, 0x6E, 0x2F, 0x6E, 0xCB, 0x3C, 0xD1, 0x83, 0x06, 0x7B, 0x0F, 0xFD,
30440     0xFD, 0x4A, 0xEF, 0xBC, 0x73, 0x77, 0x3B, 0x8F, 0x34, 0xA1, 0xBA, 0xEC, 0x39,
30441     0x80, 0x33, 0x21, 0xA4, 0x01, 0x55, 0xD7, 0xD4, 0xF4, 0xC6, 0xDA, 0x27, 0x4E,
30442     0x54, 0x1C, 0x2B, 0xEC, 0x37, 0xDE, 0xC3, 0x4C, 0xC9, 0x5A, 0x3D, 0x34, 0x0E,
30443     0xD8, 0x1C, 0x0E, 0xA2, 0x34, 0xE8, 0xC1, 0xD0, 0xA4, 0x51, 0xD5, 0x88, 0x8B,
30444     0xB7, 0xC6, 0xA3, 0x96, 0x40, 0x49, 0xB7, 0xBC, 0xE0, 0x7F, 0x55, 0x3F, 0xEF,
30445     0x6F, 0x6E, 0x92, 0x9D, 0x34, 0xFE, 0x3C, 0x5F, 0x04, 0xA5, 0x6A, 0xFF, 0x30,
30446     0x08, 0xC9, 0xEA, 0xF5, 0x52, 0x2B, 0xFE, 0x57, 0xFA, 0x8E, 0xC7, 0xE8, 0x4D,
30447     0x37, 0xAB, 0x03, 0xFA, 0x23, 0xBF, 0x46, 0x94, 0xFF, 0xC1, 0x16, 0xE0, 0xB9,
30448     0x14, 0x2C, 0x9E, 0x27, 0xEC, 0x98, 0x69, 0x14, 0x92, 0xF1, 0x60, 0x5C, 0x34,
30449     0x4D, 0xA0, 0x1F, 0xDF, 0xFD, 0x44, 0x1C, 0x7B, 0xD3, 0x80, 0x70, 0x42, 0x02,
30450     0x30, 0x84, 0x5B, 0xE5, 0x59, 0xB7, 0xF3, 0x80, 0xFB, 0x01, 0x33, 0xA9, 0x00,
30451     0x37, 0x52, 0xDC, 0xDA, 0xA7, 0x11, 0x85, 0xB7, 0x6E, 0x70, 0xE4, 0xDA, 0x96,
30452     0xBA, 0x84, 0x5B, 0x81, 0x43, 0x93, 0xF3, 0xD1, 0xEA, 0xB1, 0xDD, 0xB8, 0x1F,
30453     0xA5, 0xCC, 0xEA, 0x50, 0x66, 0x69, 0xA9, 0x8D, 0x8C, 0xA7, 0xA2, 0xF3, 0x38,
30454     0x26, 0x43, 0x5E, 0x3F, 0x01, 0xBE, 0x1C, 0x0F, 0x20, 0x7F, 0x75, 0xA8, 0x20,
30455     0x80, 0xC4, 0xC3, 0x5C, 0x8B, 0x0D, 0xD4, 0x60, 0x5E, 0xA3, 0x9E, 0xD0, 0xB4,
30456     0x4B, 0x4F, 0xE6, 0x13, 0x85, 0x60, 0x42, 0x96, 0xED, 0xAA, 0xDB, 0xE9, 0x99,
30457     0xE3, 0x07, 0x0E, 0x61, 0xB3, 0x07, 0xE3, 0xB1, 0xFA, 0xC0, 0x9B, 0xAD, 0xF6,
30458     0xE0, 0x26, 0x33, 0xEA, 0xEA, 0x23, 0xCD, 0x1E, 0x9D, 0xE1, 0x87, 0x4B, 0x74,
30459     0x97, 0x08, 0x3E, 0xA1, 0x28, 0xEA, 0xB3, 0x19, 0x67, 0x8B, 0x76, 0x9A, 0xA3,
30460     0xF6, 0xB9, 0xCF, 0x80, 0x65, 0x97, 0xAE, 0xF4, 0x83, 0x6B, 0xF4, 0x43, 0x20,
30461     0xF9, 0x0B, 0xFC, 0x9B, 0xD2, 0x4D, 0x4D, 0xA6, 0xB9, 0xA3, 0x02, 0x55, 0x79,
30462     0x18, 0x36, 0x19, 0x5F, 0xC9, 0xEA, 0x5A, 0x76, 0x40, 0xB9, 0xBA, 0x0E, 0x9A,
30463     0x44, 0xDF, 0x7C, 0xF8, 0x65, 0x61, 0x5E, 0x81, 0xAB, 0x71, 0xA1, 0x9E, 0x29,
30464     0x3C, 0x59, 0xCB, 0x23, 0xA4, 0xF6, 0x60, 0x1A, 0x0D, 0x5B, 0x39, 0xAE, 0xF4,
30465     0x6F, 0x59, 0x16, 0x9E, 0x60, 0xD8, 0x56, 0xCF, 0xEA, 0x2C, 0x4C, 0x79, 0xD3,
30466     0x5D, 0x51, 0x46, 0xA0, 0x4E, 0xE9, 0xD6, 0xAB, 0x91, 0x43, 0x63, 0x44, 0xD7,
30467     0x70, 0xB9, 0x23, 0x98, 0x4F, 0x3D, 0x03, 0x02, 0xF6, 0x81, 0x56, 0xC1, 0x58,
30468     0x85, 0x07, 0xA7, 0x2D, 0x2C, 0x29, 0xCA, 0x01, 0x45, 0x31, 0x51, 0x8F, 0xD4,
30469     0x19, 0xA1, 0x79, 0x88, 0x5A, 0xA4, 0xF5, 0xAE, 0x2D, 0x4B, 0x63, 0x4C, 0x58,
30470     0xFE, 0xBF, 0xAD, 0xEE, 0xA3, 0x09, 0xF8, 0xE2, 0x89, 0xBE, 0x81, 0x0E, 0x86,
30471     0x3A, 0xF9, 0x5B, 0xA5, 0xD8, 0xA4, 0x00, 0x75, 0x04, 0xF2, 0x23, 0xB8, 0x39,
30472     0x69, 0x50, 0xB7, 0xD0, 0x34, 0x63, 0x54, 0xD8, 0x61, 0xDD, 0xA5, 0x33, 0x47,
30473     0x85, 0x96, 0x22, 0xD0, 0x2F, 0x9F, 0x7E, 0xF8, 0x74, 0x24, 0xEA, 0x57, 0x97,
30474     0x5A, 0xE0, 0x00, 0xCF, 0xC1, 0x67, 0xE1, 0x41, 0xBD, 0x94, 0xA1, 0x03, 0xD3,
30475     0xB4, 0x08, 0x64, 0xF2, 0x17, 0x27, 0x35, 0x37, 0x53, 0xEF, 0x46, 0xCE, 0xD8,
30476     0xD4, 0x09, 0x52, 0xC6, 0x1E, 0xF7, 0x28, 0xDF, 0x08, 0x0F, 0xD0, 0x6F, 0x71,
30477     0xA6, 0xDF, 0xE4, 0x60, 0x8E, 0xC0, 0x1E, 0x78, 0x86, 0x50, 0xB0, 0x9B, 0x84,
30478     0x7E, 0xE8, 0x36, 0xFA, 0x95, 0xF1, 0x12, 0x51, 0xC7, 0x18, 0x96, 0xA2, 0x29,
30479     0xBB, 0x70, 0x02, 0xB4, 0xF9, 0xA8, 0x3D, 0x08, 0x66, 0xA9, 0xB3, 0xFC, 0x0A,
30480     0x94, 0x80, 0xFD, 0x78, 0xDC, 0xAB, 0x82, 0x5A, 0xD2, 0xCD, 0xC2, 0x87, 0xC6,
30481     0x4B, 0x07, 0xFA, 0xD1, 0xC3, 0xD9, 0x34, 0x41, 0x85, 0xF8, 0xD0, 0xB6, 0x0A,
30482     0x9D, 0x00, 0x91, 0x35, 0x05, 0x88, 0xC3, 0xE3, 0x9B, 0x22, 0xD2, 0xB8, 0xFD,
30483     0x95, 0x3E, 0x6D, 0x5D, 0x48, 0xA3, 0x68, 0xCF, 0x02, 0x42, 0x79, 0x79, 0x8A,
30484     0xAA, 0x01, 0xD6, 0x09, 0x14, 0x2C, 0xF4, 0x83, 0xA3, 0x80, 0x31, 0x55, 0x46,
30485     0x6E, 0xC5, 0xE5, 0x2F, 0x30, 0x58, 0x81, 0xA2, 0x90, 0xBE, 0x2E, 0xA1, 0xC3,
30486     0x0F, 0xA6, 0xF5, 0x51, 0x00, 0x39, 0xB6, 0xF2, 0x2A, 0xA3, 0x15, 0x7D, 0x8D,
30487     0xF5, 0x66, 0x5C, 0xD9, 0xFC, 0xCF, 0x2F, 0xBF, 0x08, 0x27, 0xE7, 0xD0, 0x03,
30488     0xB8, 0xD9, 0x00, 0x13, 0x3D, 0x01, 0x6B, 0xB6, 0xA8, 0xCD, 0x5B, 0x3B, 0x3E,
30489     0x93, 0xBF, 0xE6, 0x2E, 0xB7, 0x4A, 0xCF, 0xB3, 0x0A, 0xCE, 0x62, 0x11, 0xD6,
30490     0x1F, 0x68, 0x9B, 0x1D, 0x68, 0xD1, 0x8C, 0x97, 0xBD, 0xA1, 0x07, 0x67, 0x73,
30491     0x87, 0xE0, 0x36, 0xDA, 0x8C, 0xD2, 0xD2, 0xBB, 0x84, 0x28, 0xA9, 0xFE, 0x52,
30492     0x74, 0xD6, 0xB9, 0x0F, 0x0A, 0x6A, 0x2D, 0x28, 0x35, 0x34, 0x3A, 0xD3, 0xE2,
30493     0xCD, 0x35, 0x06, 0x7D, 0x1B, 0x35, 0x85, 0x86, 0xD1, 0x3E, 0xF2, 0x6F, 0xA1,
30494     0xC4, 0x55, 0xBD, 0x00, 0xD8, 0xC3, 0x5D, 0xC2, 0x1D, 0x6B, 0x6B, 0x27, 0x5B,
30495     0x95, 0xF3, 0xAB, 0xB5, 0xD3, 0x37, 0xF2, 0x2C, 0x9C, 0xC7, 0x5D, 0xBD, 0xF1,
30496     0x68, 0x1C, 0xAD, 0xF8, 0xB5, 0xE1, 0x29, 0x72, 0x7A, 0x73, 0x62, 0x55, 0x24,
30497     0xB9, 0x85, 0xDF, 0x7B, 0x29, 0x7D, 0xDE, 0x08, 0xF5, 0xE4, 0x44, 0xDA, 0x1A,
30498     0x30, 0x74, 0xDA, 0xB4, 0x9B, 0x23, 0x9A, 0x3A, 0xC1, 0x53, 0xB2, 0xA2, 0xA3,
30499     0x7B, 0x1F, 0xD9, 0x56, 0xD4, 0x4F, 0x9B, 0xB2, 0x1E, 0xEE, 0xB8, 0x6A, 0x4E,
30500     0xB5, 0xF4, 0x5A, 0xC9, 0x18, 0x27, 0x9C, 0xDE, 0x14, 0x44, 0xED, 0xC4, 0x3C,
30501     0x71, 0x9F, 0x5F, 0xD9, 0x37, 0xA0, 0x78, 0x34, 0x6E, 0xBC, 0xD2, 0x7B, 0x1D,
30502     0xFA, 0x08, 0x39, 0x5A, 0x04, 0x73, 0x15, 0xD9, 0x0A, 0x48, 0xC1, 0x2D, 0x15,
30503     0x4E, 0x84, 0x30, 0x45, 0x69, 0xB3, 0xE5, 0xF6, 0xAD, 0x09, 0x1E, 0xCC, 0x5F,
30504     0x1F, 0x06, 0xD5, 0x58, 0xAD, 0x78, 0xD7, 0x9F, 0xE5, 0xED, 0x3B, 0x09, 0xD5,
30505     0xA6, 0x52, 0x6F, 0x92, 0xD3, 0x3C, 0xC6, 0x1E, 0xF2, 0x93, 0x7C, 0xD3, 0x5F,
30506     0x70, 0x85, 0x5D, 0xF8, 0xAA, 0x9D, 0xB7, 0x7B, 0x24, 0x5A, 0xE9, 0x0A, 0x35,
30507     0x2F, 0xF5, 0xD9, 0x82, 0x02, 0x8A, 0x90, 0x13, 0x5B, 0xB5, 0x67, 0x9C, 0xDD,
30508     0xA0, 0x4E, 0x82, 0x27, 0xDA, 0x7E, 0xE8, 0x8E, 0xCD, 0xE1, 0x56, 0x71, 0x2C,
30509     0xE6, 0x4E, 0x1F, 0x91, 0xCD, 0x7C, 0x6A, 0xB7, 0x78, 0xD0, 0x26, 0xF3, 0x56,
30510     0xA9, 0xD5, 0xA1, 0xC3, 0x3B, 0x98, 0xE9, 0x28, 0x09, 0xEF, 0x50, 0x90, 0xCD,
30511     0xC4, 0x8E, 0x75, 0xCC, 0xAC, 0x2D, 0xC9, 0x03, 0x6D, 0xAC, 0xFE, 0xC4, 0x88,
30512     0x36, 0xD1, 0x3F, 0xBB, 0x1C, 0x7D, 0xB3, 0x14, 0x61, 0x2C, 0xB7, 0x54, 0x4B,
30513     0xDB, 0x64, 0xB6, 0x57, 0x14, 0x16, 0x8E, 0x1E, 0x6C, 0x64, 0xBB, 0x8B, 0x48,
30514     0x5D, 0x96, 0x9D, 0xDC, 0x80, 0xA7, 0xF7, 0x54, 0xC7, 0x46, 0x38, 0x3E, 0x44,
30515     0xDE, 0x7E, 0x92, 0x8D, 0x07, 0xF6, 0x07, 0x37, 0x4E, 0x16, 0x10, 0xB4, 0x7D,
30516     0x88, 0x66, 0x7F, 0xBB, 0xFF, 0xEA, 0x00, 0xF3, 0xFF, 0x97, 0x2C, 0xB5, 0xBE,
30517     0x35, 0x4B, 0x5C, 0x36, 0xEC, 0x4C, 0xBD, 0x2B, 0x7D, 0xBF, 0x46, 0xE2, 0x9C,
30518     0x0E, 0x8A, 0xA3, 0xEC, 0xB1, 0x0E, 0x9A, 0xDA, 0x9A, 0x9B, 0x28, 0x92, 0x10,
30519     0x53, 0x57, 0xEA, 0xEC, 0xA2, 0x32, 0x32, 0x20, 0x1D, 0x97, 0x5C, 0xB6, 0x84,
30520     0xA9, 0x93, 0x8D, 0x95, 0x11, 0xA3, 0x24, 0xA3, 0x2D, 0xC6, 0x4A, 0xEF, 0xAA,
30521     0x1D, 0x85, 0x2B, 0x7D, 0x28, 0xBE, 0x53, 0xCE, 0x10, 0x1F, 0xAE, 0x0E, 0x41,
30522     0x6C, 0x4B, 0x79, 0x12, 0xFB, 0xF7, 0x54, 0xA3, 0x96, 0x54, 0x83, 0x20, 0x96,
30523     0x8F, 0x28, 0xA9, 0x3F, 0x8B, 0x3D, 0xBA, 0x77, 0xDC, 0x24, 0xE1, 0xD4, 0x49,
30524     0x40, 0xD8, 0x78, 0x31, 0x85, 0x43, 0xF6, 0xFE, 0x5C, 0xA6, 0x8F, 0x90, 0x09,
30525     0xB0, 0xE7, 0xC4, 0x95, 0xB2, 0x55, 0x49, 0x97, 0x8F, 0x1C, 0x78, 0x30, 0x20,
30526     0xA0, 0xB4, 0xEF, 0x73, 0x56, 0x59, 0x82, 0xFD, 0xCE, 0xBA, 0x6A, 0x8F, 0x2C,
30527     0x8B, 0x15, 0xFD, 0xA1, 0x85, 0xA8, 0x5C, 0x0F, 0x11, 0xA5, 0x9D, 0xC2, 0x46,
30528     0xC6, 0x9C, 0xC9, 0x40, 0x0B, 0x58, 0x6A, 0x1C, 0x7A, 0x23, 0xF9, 0xE0, 0x95,
30529     0x05, 0x13, 0x58, 0x72, 0xE8, 0x9F, 0x30, 0xAC, 0xCD, 0x26, 0xD4, 0x66, 0x13,
30530     0xDF, 0x1E, 0x7B, 0x4F, 0x9C, 0xBE, 0x38, 0x79, 0x75, 0x92, 0xA4, 0xDA, 0x26,
30531     0x44, 0x55, 0x17, 0xA3, 0xE5, 0x62, 0xDA, 0xEB, 0x86, 0xEA, 0x68, 0xC7, 0xAB,
30532     0xFD, 0x2D, 0x43, 0x59, 0x51, 0xC0, 0x75, 0x64, 0x91, 0x01, 0x29, 0x33, 0x28,
30533     0xF3, 0x04, 0x83, 0x80, 0x75, 0x37, 0x75, 0x0C, 0x03, 0x7B, 0x0A, 0xAB, 0x8E,
30534     0x60, 0x62, 0x8B, 0x4C, 0xAF, 0x2D, 0xA3, 0x2F, 0xFE, 0xAB, 0x45, 0xCF, 0xDA,
30535     0xAB, 0xFA, 0xFA, 0x30, 0x3D, 0xE8, 0xA1, 0x96, 0xA5, 0x7B, 0xE2, 0x2A, 0xD0,
30536     0xAF, 0x59, 0xF7, 0xD0, 0x32, 0x57, 0x19, 0xBD, 0xCA, 0x9F, 0xD5, 0x1A, 0xC7,
30537     0xAA, 0x65, 0x4A, 0x38, 0xB2, 0x70, 0x33, 0xB7, 0x75, 0xD2, 0xCD, 0xD1, 0xF0,
30538     0xA8, 0x87, 0x59, 0x20, 0xA5, 0x57, 0x55, 0xB1, 0xB2, 0xC9, 0x4D, 0x97, 0x34,
30539     0x41, 0xF3, 0xF0, 0x30, 0xA1, 0x2C, 0x1C, 0x49, 0x3E, 0x89, 0x7D, 0x12, 0xE2,
30540     0xC3, 0x04, 0xC3, 0x92, 0xC0, 0xF6, 0x39, 0x10, 0x80, 0x81, 0x8F, 0x08, 0xB4,
30541     0xF8, 0xB9, 0x13, 0x4E, 0x2C, 0xAE, 0xB3, 0x71, 0x82, 0x63, 0x98, 0xAB, 0x5C,
30542     0x1C, 0x10, 0xEA, 0x66, 0xF9, 0x02, 0x3A, 0x82, 0x61, 0xD0, 0xD4, 0xAE, 0x43,
30543     0xD4, 0x01, 0x3E, 0x9D, 0x04, 0x14, 0xF6, 0x60, 0xD8, 0xA7, 0xD6, 0xB8, 0x53,
30544     0xC8, 0xDA, 0x80, 0x93, 0xA0, 0x02, 0xDD, 0xCC, 0xE2, 0xF2, 0xBB, 0xFB, 0xE0,
30545     0x27, 0xD7, 0x34, 0x9A, 0x71, 0x49, 0xB5, 0x4F, 0x42, 0x1F, 0xB2, 0x9D, 0x6D,
30546     0xAA, 0x9D, 0xD3, 0x50, 0xB5, 0x8F, 0x6A, 0x4B, 0xDF, 0x1F, 0xD5, 0x27, 0x8F,
30547     0x3B, 0x27, 0xCF, 0x2F, 0x8C, 0xF8, 0x9D, 0x4C, 0x52, 0xBC, 0x32, 0x0F, 0x73,
30548     0xD5, 0x51, 0x8E, 0x36, 0x7E, 0xAD, 0x09, 0xF0, 0x94, 0x83, 0x5F, 0x36, 0xFD,
30549     0x7C, 0x03, 0xED, 0xF1, 0x5E, 0x4B, 0xF7, 0xAA, 0x55, 0x5C, 0x4A, 0x14, 0x59,
30550     0x85, 0x38, 0x2D, 0x8C, 0xDF, 0xEC, 0x65, 0x1B, 0xB8, 0x76, 0x57, 0x96, 0x3C,
30551     0x86, 0xED, 0xF2, 0x7F, 0x2D, 0x28, 0x48, 0xDA, 0x49, 0x7F, 0xF7, 0x54, 0x2B,
30552     0xD5, 0x39, 0xD5, 0x57, 0x0A, 0x75, 0x7A, 0x3E, 0x5E, 0x5D, 0xBA, 0x4A, 0x15,
30553     0xFA, 0xB8, 0x31, 0x80, 0x71, 0x2C, 0xCA, 0xC4, 0x51, 0x10, 0x16, 0x5D, 0x39,
30554     0xEC, 0x9D, 0x07, 0xB6, 0x6A, 0x89, 0x9F, 0x9B, 0x5B, 0x6F, 0x03, 0xB0, 0x92,
30555     0x01, 0x38, 0x6B, 0x48, 0x99, 0x0A, 0x8F, 0x13, 0xC1, 0xA6, 0x01, 0xEA, 0xBF,
30556     0x6F, 0x86, 0x43, 0x51, 0xB6, 0x11, 0x00, 0x00
30557 };
30558 
30559 WOLFSSL_TEST_SUBROUTINE int compress_test(void)
30560 {
30561     int ret = 0;
30562     word32 dSz = sizeof(sample_text);
30563     word32 cSz = (dSz + (word32)(dSz * 0.001) + 12);
30564     byte *c;
30565     byte *d;
30566 
30567     c = (byte *)XMALLOC(cSz * sizeof(byte), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
30568     d = (byte *)XMALLOC(dSz * sizeof(byte), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
30569     if (c == NULL || d == NULL) {
30570         ERROR_OUT(-12100, exit);
30571     }
30572 
30573     /* follow calloc and initialize to 0 */
30574     XMEMSET(c, 0, cSz);
30575     XMEMSET(d, 0, dSz);
30576 
30577     if ((ret = wc_Compress(c, cSz, sample_text, dSz, 0)) < 0) {
30578         ERROR_OUT(-12101, exit);
30579     }
30580     cSz = (word32)ret;
30581 
30582     if ((ret = wc_DeCompress(d, dSz, c, cSz)) != (int)dSz) {
30583         ERROR_OUT(-12102, exit);
30584     }
30585 
30586     if (XMEMCMP(d, sample_text, dSz) != 0) {
30587         ERROR_OUT(-12103, exit);
30588     }
30589 
30590     /* GZIP tests */
30591     cSz = (dSz + (word32)(dSz * 0.001) + 12); /* reset cSz */
30592     XMEMSET(c, 0, cSz);
30593     XMEMSET(d, 0, dSz);
30594 
30595     ret = wc_Compress_ex(c, cSz, sample_text, dSz, 0, LIBZ_WINBITS_GZIP);
30596     if (ret < 0) {
30597         ERROR_OUT(-12104, exit);
30598     }
30599     cSz = (word32)ret;
30600 
30601     ret = wc_DeCompress_ex(d, dSz, c, cSz, LIBZ_WINBITS_GZIP);
30602     if (ret < 0) {
30603         ERROR_OUT(-12105, exit);
30604     }
30605 
30606     if (XMEMCMP(d, sample_text, dSz) != 0) {
30607         ERROR_OUT(-12106, exit);
30608     }
30609 
30610     /* Try with gzip generated output */
30611     XMEMSET(d, 0, dSz);
30612     ret = wc_DeCompress_ex(d, dSz, sample_text_gz, sizeof(sample_text_gz),
30613         LIBZ_WINBITS_GZIP);
30614     if (ret < 0) {
30615         ERROR_OUT(-12107, exit);
30616     }
30617     dSz = (word32)ret;
30618 
30619     if (XMEMCMP(d, sample_text, dSz) != 0) {
30620         ERROR_OUT(-12108, exit);
30621     }
30622 
30623     ret = 0; /* success */
30624 
30625 exit:
30626     if (c) XFREE(c, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
30627     if (d) XFREE(d, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
30628 
30629     return ret;
30630 }
30631 
30632 #endif /* HAVE_LIBZ */
30633 
30634 #ifdef HAVE_PKCS7
30635 
30636 /* External Debugging/Testing Note:
30637  *
30638  * PKCS#7 test functions can output generated PKCS#7/CMS bundles for
30639  * additional testing. To dump bundles to files DER encoded files, please
30640  * define:
30641  *
30642  * #define PKCS7_OUTPUT_TEST_BUNDLES
30643  */
30644 
30645 
30646 /* Loads certs and keys for use with PKCS7 tests, from either files
30647  * or buffers.
30648  *
30649  * rsaClientCertBuf      - output buffer for RSA client cert
30650  * rsaClientCertBufSz    - IN/OUT size of output buffer, size of RSA client cert
30651  * rsaClientPrivKeyBuf   - output buffer for RSA client private key
30652  * rsaClientPrivKeyBufSz - IN/OUT size of output buffer, size of RSA client key
30653  *
30654  * rsaServerCertBuf      - output buffer for RSA server cert
30655  * rsaServerCertBufSz    - IN/OUT size of output buffer, size of RSA server cert
30656  * rsaServerPrivKeyBuf   - output buffer for RSA server private key
30657  * rsaServerPrivKeyBufSz - IN/OUT size of output buffer, size of RSA server key
30658  *
30659  * rsaCaCertBuf          - output buffer for RSA CA cert
30660  * rsaCaCertBufSz        - IN/OUT size of output buffer, size of RSA ca cert
30661  * rsaCaPrivKeyBuf       - output buffer for RSA CA private key
30662  * rsaCaPrivKeyBufSz     - IN/OUT size of output buffer, size of RSA CA key
30663  *
30664  * eccClientCertBuf      - output buffer for ECC cert
30665  * eccClientCertBufSz    - IN/OUT size of output buffer, size of ECC cert
30666  * eccClientPrivKeyBuf   - output buffer for ECC private key
30667  * eccClientPrivKeyBufSz - IN/OUT size of output buffer, size of ECC private key
30668  *
30669  * Returns 0 on success, negative on error
30670  */
30671 static int pkcs7_load_certs_keys(
30672                        byte* rsaClientCertBuf,    word32* rsaClientCertBufSz,
30673                        byte* rsaClientPrivKeyBuf, word32* rsaClientPrivKeyBufSz,
30674                        byte* rsaServerCertBuf,    word32* rsaServerCertBufSz,
30675                        byte* rsaServerPrivKeyBuf, word32* rsaServerPrivKeyBufSz,
30676                        byte* rsaCaCertBuf,        word32* rsaCaCertBufSz,
30677                        byte* rsaCaPrivKeyBuf,     word32* rsaCaPrivKeyBufSz,
30678                        byte* eccClientCertBuf,    word32* eccClientCertBufSz,
30679                        byte* eccClientPrivKeyBuf, word32* eccClientPrivKeyBufSz)
30680 {
30681 #ifndef NO_FILESYSTEM
30682     XFILE  certFile;
30683     XFILE  keyFile;
30684 
30685     (void)certFile;
30686     (void)keyFile;
30687 #endif
30688 
30689 #ifndef NO_RSA
30690     if (rsaClientCertBuf == NULL || rsaClientCertBufSz == NULL ||
30691         rsaClientPrivKeyBuf == NULL || rsaClientPrivKeyBufSz == NULL)
30692         return BAD_FUNC_ARG;
30693 #endif
30694 
30695 #ifdef HAVE_ECC
30696     if (eccClientCertBuf == NULL || eccClientCertBufSz == NULL ||
30697         eccClientPrivKeyBuf == NULL || eccClientPrivKeyBufSz == NULL)
30698         return BAD_FUNC_ARG;
30699 #endif
30700 
30701 /* RSA */
30702 #ifndef NO_RSA
30703 
30704 #ifdef USE_CERT_BUFFERS_1024
30705     if (*rsaClientCertBufSz < (word32)sizeof_client_cert_der_1024)
30706         return -12110;
30707 
30708     XMEMCPY(rsaClientCertBuf, client_cert_der_1024,
30709             sizeof_client_cert_der_1024);
30710     *rsaClientCertBufSz = sizeof_client_cert_der_1024;
30711 
30712     if (rsaServerCertBuf != NULL) {
30713         if (*rsaServerCertBufSz < (word32)sizeof_server_cert_der_1024)
30714             return -12111;
30715 
30716         XMEMCPY(rsaServerCertBuf, server_cert_der_1024,
30717                 sizeof_server_cert_der_1024);
30718         *rsaServerCertBufSz = sizeof_server_cert_der_1024;
30719     }
30720 
30721     if (rsaCaCertBuf != NULL) {
30722         if (*rsaCaCertBufSz < (word32)sizeof_ca_cert_der_1024)
30723             return -12112;
30724 
30725         XMEMCPY(rsaCaCertBuf, ca_cert_der_1024, sizeof_ca_cert_der_1024);
30726         *rsaCaCertBufSz = sizeof_ca_cert_der_1024;
30727     }
30728 #elif defined(USE_CERT_BUFFERS_2048)
30729     if (*rsaClientCertBufSz < (word32)sizeof_client_cert_der_2048)
30730         return -12113;
30731 
30732     XMEMCPY(rsaClientCertBuf, client_cert_der_2048,
30733             sizeof_client_cert_der_2048);
30734     *rsaClientCertBufSz = sizeof_client_cert_der_2048;
30735 
30736     if (rsaServerCertBuf != NULL) {
30737         if (*rsaServerCertBufSz < (word32)sizeof_server_cert_der_2048)
30738             return -12114;
30739 
30740         XMEMCPY(rsaServerCertBuf, server_cert_der_2048,
30741                 sizeof_server_cert_der_2048);
30742         *rsaServerCertBufSz = sizeof_server_cert_der_2048;
30743     }
30744 
30745     if (rsaCaCertBuf != NULL) {
30746         if (*rsaCaCertBufSz < (word32)sizeof_ca_cert_der_2048)
30747             return -12115;
30748 
30749         XMEMCPY(rsaCaCertBuf, ca_cert_der_2048, sizeof_ca_cert_der_2048);
30750         *rsaCaCertBufSz = sizeof_ca_cert_der_2048;
30751     }
30752 #else
30753     certFile = XFOPEN(clientCert, "rb");
30754     if (!certFile)
30755         return -12116;
30756 
30757     *rsaClientCertBufSz = (word32)XFREAD(rsaClientCertBuf, 1,
30758                                         *rsaClientCertBufSz, certFile);
30759     XFCLOSE(certFile);
30760 
30761     if (rsaServerCertBuf != NULL) {
30762         certFile = XFOPEN(rsaServerCertDerFile, "rb");
30763         if (!certFile)
30764             return -12117;
30765 
30766         *rsaServerCertBufSz = (word32)XFREAD(rsaServerCertBuf, 1,
30767                                             *rsaServerCertBufSz, certFile);
30768         XFCLOSE(certFile);
30769     }
30770 
30771     if (rsaCaCertBuf != NULL) {
30772         certFile = XFOPEN(rsaCaCertDerFile, "rb");
30773         if (!certFile)
30774             return -12118;
30775 
30776         *rsaCaCertBufSz = (word32)XFREAD(rsaCaCertBuf, 1, *rsaCaCertBufSz,
30777                                         certFile);
30778         XFCLOSE(certFile);
30779     }
30780 #endif
30781 
30782 #ifdef USE_CERT_BUFFERS_1024
30783     if (*rsaClientPrivKeyBufSz < (word32)sizeof_client_key_der_1024)
30784         return -12119;
30785 
30786     XMEMCPY(rsaClientPrivKeyBuf, client_key_der_1024,
30787             sizeof_client_key_der_1024);
30788     *rsaClientPrivKeyBufSz = sizeof_client_key_der_1024;
30789 
30790     if (rsaServerPrivKeyBuf != NULL) {
30791         if (*rsaServerPrivKeyBufSz < (word32)sizeof_server_key_der_1024)
30792             return -12120;
30793 
30794         XMEMCPY(rsaServerPrivKeyBuf, server_key_der_1024,
30795                 sizeof_server_key_der_1024);
30796         *rsaServerPrivKeyBufSz = sizeof_server_key_der_1024;
30797     }
30798 
30799     if (rsaCaPrivKeyBuf != NULL) {
30800         if (*rsaCaPrivKeyBufSz < (word32)sizeof_ca_key_der_1024)
30801             return -12121;
30802 
30803         XMEMCPY(rsaCaPrivKeyBuf, ca_key_der_1024, sizeof_ca_key_der_1024);
30804         *rsaCaPrivKeyBufSz = sizeof_ca_key_der_1024;
30805     }
30806 #elif defined(USE_CERT_BUFFERS_2048)
30807     if (*rsaClientPrivKeyBufSz < (word32)sizeof_client_key_der_2048)
30808         return -12122;
30809 
30810     XMEMCPY(rsaClientPrivKeyBuf, client_key_der_2048,
30811             sizeof_client_key_der_2048);
30812     *rsaClientPrivKeyBufSz = sizeof_client_key_der_2048;
30813 
30814     if (rsaServerPrivKeyBuf != NULL) {
30815         if (*rsaServerPrivKeyBufSz < (word32)sizeof_server_key_der_2048)
30816             return -12123;
30817 
30818         XMEMCPY(rsaServerPrivKeyBuf, server_key_der_2048,
30819                 sizeof_server_key_der_2048);
30820         *rsaServerPrivKeyBufSz = sizeof_server_key_der_2048;
30821     }
30822 
30823     if (rsaCaPrivKeyBuf != NULL) {
30824         if (*rsaCaPrivKeyBufSz < (word32)sizeof_ca_key_der_2048)
30825             return -12124;
30826 
30827         XMEMCPY(rsaCaPrivKeyBuf, ca_key_der_2048, sizeof_ca_key_der_2048);
30828         *rsaCaPrivKeyBufSz = sizeof_ca_key_der_2048;
30829     }
30830 #else
30831     keyFile = XFOPEN(clientKey, "rb");
30832     if (!keyFile)
30833         return -12125;
30834 
30835     *rsaClientPrivKeyBufSz = (word32)XFREAD(rsaClientPrivKeyBuf, 1,
30836                                            *rsaClientPrivKeyBufSz, keyFile);
30837     XFCLOSE(keyFile);
30838 
30839     if (rsaServerPrivKeyBuf != NULL) {
30840         keyFile = XFOPEN(rsaServerKeyDerFile, "rb");
30841         if (!keyFile)
30842             return -12126;
30843 
30844         *rsaServerPrivKeyBufSz = (word32)XFREAD(rsaServerPrivKeyBuf, 1,
30845                                                *rsaServerPrivKeyBufSz, keyFile);
30846         XFCLOSE(keyFile);
30847     }
30848 
30849     if (rsaCaPrivKeyBuf != NULL) {
30850         keyFile = XFOPEN(rsaCaKeyFile, "rb");
30851         if (!keyFile)
30852             return -12127;
30853 
30854         *rsaCaPrivKeyBufSz = (word32)XFREAD(rsaCaPrivKeyBuf, 1,
30855                                            *rsaCaPrivKeyBufSz, keyFile);
30856         XFCLOSE(keyFile);
30857     }
30858 #endif /* USE_CERT_BUFFERS */
30859 
30860 #endif /* NO_RSA */
30861 
30862 /* ECC */
30863 #ifdef HAVE_ECC
30864 
30865 #ifdef USE_CERT_BUFFERS_256
30866     if (*eccClientCertBufSz < (word32)sizeof_cliecc_cert_der_256)
30867         return -12128;
30868 
30869     XMEMCPY(eccClientCertBuf, cliecc_cert_der_256, sizeof_cliecc_cert_der_256);
30870     *eccClientCertBufSz = sizeof_cliecc_cert_der_256;
30871 #else
30872     certFile = XFOPEN(eccClientCert, "rb");
30873     if (!certFile)
30874         return -12129;
30875 
30876     *eccClientCertBufSz = (word32)XFREAD(eccClientCertBuf, 1,
30877                                         *eccClientCertBufSz, certFile);
30878     XFCLOSE(certFile);
30879 #endif /* USE_CERT_BUFFERS_256 */
30880 
30881 #ifdef USE_CERT_BUFFERS_256
30882     if (*eccClientPrivKeyBufSz < (word32)sizeof_ecc_clikey_der_256)
30883         return -12130;
30884 
30885     XMEMCPY(eccClientPrivKeyBuf, ecc_clikey_der_256, sizeof_ecc_clikey_der_256);
30886     *eccClientPrivKeyBufSz = sizeof_ecc_clikey_der_256;
30887 #else
30888     keyFile = XFOPEN(eccClientKey, "rb");
30889     if (!keyFile)
30890         return -12131;
30891 
30892     *eccClientPrivKeyBufSz = (word32)XFREAD(eccClientPrivKeyBuf, 1,
30893                                            *eccClientPrivKeyBufSz, keyFile);
30894     XFCLOSE(keyFile);
30895 #endif /* USE_CERT_BUFFERS_256 */
30896 #endif /* HAVE_ECC */
30897 
30898 #ifdef NO_RSA
30899     (void)rsaClientCertBuf;
30900     (void)rsaClientCertBufSz;
30901     (void)rsaClientPrivKeyBuf;
30902     (void)rsaClientPrivKeyBufSz;
30903     (void)rsaServerCertBuf;
30904     (void)rsaServerCertBufSz;
30905     (void)rsaServerPrivKeyBuf;
30906     (void)rsaServerPrivKeyBufSz;
30907     (void)rsaCaCertBuf;
30908     (void)rsaCaCertBufSz;
30909     (void)rsaCaPrivKeyBuf;
30910     (void)rsaCaPrivKeyBufSz;
30911 #endif
30912 #ifndef HAVE_ECC
30913     (void)eccClientCertBuf;
30914     (void)eccClientCertBufSz;
30915     (void)eccClientPrivKeyBuf;
30916     (void)eccClientPrivKeyBufSz;
30917 #endif
30918 #ifndef NO_FILESYSTEM
30919     (void)certFile;
30920     (void)keyFile;
30921 #endif
30922     return 0;
30923 }
30924 
30925 
30926 typedef struct {
30927     const byte*  content;
30928     word32       contentSz;
30929     int          contentOID;
30930     int          encryptOID;
30931     int          keyWrapOID;
30932     int          keyAgreeOID;
30933     byte*        cert;
30934     size_t       certSz;
30935     byte*        privateKey;
30936     word32       privateKeySz;
30937     byte*        optionalUkm;
30938     word32       optionalUkmSz;
30939     int          ktriOptions;    /* KTRI options flags */
30940     int          kariOptions;    /* KARI options flags */
30941 
30942     /* KEKRI specific */
30943     const byte*  secretKey;      /* key, only for kekri RecipientInfo types */
30944     word32       secretKeySz;    /* size of secretKey, bytes */
30945     const byte*  secretKeyId;    /* key identifier */
30946     word32       secretKeyIdSz;  /* size of key identifier, bytes */
30947     void*        timePtr;        /* time_t pointer */
30948     byte*        otherAttrOID;   /* OPTIONAL, other attribute OID */
30949     word32       otherAttrOIDSz; /* size of otherAttrOID, bytes */
30950     byte*        otherAttr;      /* OPTIONAL, other attribute, ASN.1 encoded */
30951     word32       otherAttrSz;    /* size of otherAttr, bytes */
30952     int          kekriOptions;   /* KEKRI options flags */
30953 
30954     /* PWRI specific */
30955     const char*  password;
30956     word32       passwordSz;
30957     const byte*  salt;
30958     word32       saltSz;
30959     int          kdfOID;
30960     int          hashOID;
30961     int          kdfIterations;
30962     int          pwriOptions;    /* PWRI options flags */
30963 
30964     /* ORI specific */
30965     int          isOri;
30966     int          oriOptions;     /* ORI options flags */
30967 
30968     const char*  outFileName;
30969 } pkcs7EnvelopedVector;
30970 
30971 
30972 static const byte asnDataOid[] = {
30973     0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01
30974 };
30975 
30976 /* ORI encrypt callback, responsible for encrypting content-encryption key (CEK)
30977  * and giving wolfCrypt the value for oriOID and oriValue to place in
30978  * OtherRecipientInfo.
30979  *
30980  * Returns 0 on success, negative upon error. */
30981 static int myOriEncryptCb(PKCS7* pkcs7, byte* cek, word32 cekSz, byte* oriType,
30982                           word32* oriTypeSz, byte* oriValue, word32* oriValueSz,
30983                           void* ctx)
30984 {
30985     int i;
30986 
30987     /* make sure buffers are large enough */
30988     if ((*oriValueSz < (2 + cekSz)) || (*oriTypeSz < sizeof(oriType)))
30989         return -12140;
30990 
30991     /* our simple encryption algorithm will be take the bitwise complement */
30992     oriValue[0] = 0x04;         /*ASN OCTET STRING */
30993     oriValue[1] = (byte)cekSz;  /* length */
30994     for (i = 0; i < (int)cekSz; i++) {
30995         oriValue[2 + i] = ~cek[i];
30996     }
30997     *oriValueSz = 2 + cekSz;
30998 
30999     /* set oriType to ASN.1 encoded data OID */
31000     XMEMCPY(oriType, asnDataOid, sizeof(asnDataOid));
31001     *oriTypeSz = sizeof(asnDataOid);
31002 
31003     (void)pkcs7;
31004     (void)ctx;
31005 
31006     return 0;
31007 }
31008 
31009 
31010 /* ORI decrypt callback, responsible for providing a decrypted content
31011  * encryption key (CEK) placed into decryptedKey and size placed into
31012  * decryptedKeySz. oriOID and oriValue are given to the callback to help
31013  * in decrypting the encrypted CEK.
31014  *
31015  * Returns 0 on success, negative upon error. */
31016 static int myOriDecryptCb(PKCS7* pkcs7, byte* oriType, word32 oriTypeSz,
31017                           byte* oriValue, word32 oriValueSz, byte* decryptedKey,
31018                           word32* decryptedKeySz, void* ctx)
31019 {
31020     int i;
31021 
31022     /* make sure oriType matches what we expect */
31023     if (oriTypeSz != sizeof(asnDataOid))
31024         return -12150;
31025 
31026     if (XMEMCMP(oriType, asnDataOid, sizeof(asnDataOid)) != 0)
31027         return -12151;
31028 
31029     /* make sure decrypted buffer is large enough */
31030     if (*decryptedKeySz < oriValueSz)
31031         return -12152;
31032 
31033     /* decrypt encrypted CEK using simple bitwise complement,
31034        only for example */
31035     for (i = 0; i < (int)oriValueSz - 2; i++) {
31036         decryptedKey[i] = ~oriValue[2 + i];
31037     }
31038 
31039     *decryptedKeySz = oriValueSz - 2;
31040 
31041     (void)pkcs7;
31042     (void)ctx;
31043 
31044     return 0;
31045 }
31046 
31047 
31048 #if !defined(NO_AES) && defined(HAVE_AES_CBC)
31049 /* returns 0 on success */
31050 static int myDecryptionFunc(PKCS7* pkcs7, int encryptOID, byte* iv, int ivSz,
31051         byte* aad, word32 aadSz, byte* authTag, word32 authTagSz,
31052         byte* in, int inSz, byte* out, void* usrCtx)
31053 {
31054     int keyId = -1, ret, keySz;
31055     word32 keyIdSz = 8;
31056     const byte*  key;
31057     byte   keyIdRaw[8];
31058 #ifdef WOLFSSL_SMALL_STACK
31059     Aes    *aes;
31060 #else
31061     Aes    aes[1];
31062 #endif
31063 
31064     /* looking for KEY ID
31065      * fwDecryptKeyID OID "1.2.840.113549.1.9.16.2.37
31066      */
31067     WOLFSSL_SMALL_STACK_STATIC const unsigned char OID[] = {
31068         /* 0x06, 0x0B do not pass in tag and length */
31069         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
31070         0x01, 0x09, 0x10, 0x02, 0x25
31071     };
31072 
31073     WOLFSSL_SMALL_STACK_STATIC const byte defKey[] = {
31074         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
31075         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
31076         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
31077         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
31078     };
31079 
31080     WOLFSSL_SMALL_STACK_STATIC const byte altKey[] = {
31081         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
31082         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
31083     };
31084 
31085     /* test user context passed in */
31086     if (usrCtx == NULL || *(int*)usrCtx != 1) {
31087         return -12160;
31088     }
31089 
31090 #ifdef WOLFSSL_SMALL_STACK
31091     if ((aes = (Aes *)XMALLOC(sizeof *aes, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
31092         return -12164;
31093 #endif
31094 
31095     /* if needing to find keyIdSz can call with NULL */
31096     ret = wc_PKCS7_GetAttributeValue(pkcs7, OID, sizeof(OID), NULL,
31097             &keyIdSz);
31098     if (ret != LENGTH_ONLY_E) {
31099         printf("Unexpected error %d when getting keyIdSz\n", ret);
31100         printf("Possibly no KEY ID attribute set\n");
31101         ERROR_OUT(-12161, out);
31102     }
31103     else {
31104         XMEMSET(keyIdRaw, 0, sizeof(keyIdRaw));
31105         ret = wc_PKCS7_GetAttributeValue(pkcs7, OID, sizeof(OID), keyIdRaw,
31106                 &keyIdSz);
31107         if (ret < 0) {
31108             goto out;
31109         }
31110 
31111         if (keyIdSz < 3) {
31112             printf("keyIdSz is smaller than expected\n");
31113             ERROR_OUT(-12162, out);
31114         }
31115         if (keyIdSz > 2 + sizeof(int)) {
31116             printf("example case was only expecting a keyId of int size\n");
31117             ERROR_OUT(-12163, out);
31118         }
31119 
31120         /* keyIdRaw[0] OCTET TAG */
31121         /* keyIdRaw[1] Length */
31122 #ifdef BIG_ENDIAN_ORDER
31123         if (keyIdRaw[1] == 0x01) {
31124             keyId = 1;
31125         }
31126 #else
31127         XMEMCPY(&keyId, keyIdRaw + 2, sizeof(keyId));
31128 #endif
31129     }
31130 
31131 
31132     /* Use keyID here if found to select key and decrypt in HSM or in this
31133      * example just select key and do software decryption */
31134     if (keyId == 1) {
31135         key = altKey;
31136         keySz = sizeof(altKey);
31137     }
31138     else {
31139         key = defKey;
31140         keySz = sizeof(defKey);
31141     }
31142 
31143     switch (encryptOID) {
31144     #ifdef WOLFSSL_AES_256
31145         case AES256CBCb:
31146             if ((keySz != 32 ) || (ivSz  != AES_BLOCK_SIZE))
31147                 ERROR_OUT(BAD_FUNC_ARG, out);
31148             break;
31149     #endif
31150     #ifdef WOLFSSL_AES_128
31151         case AES128CBCb:
31152             if ((keySz != 16 ) || (ivSz  != AES_BLOCK_SIZE))
31153                 ERROR_OUT(BAD_FUNC_ARG, out);
31154             break;
31155     #endif
31156 
31157         default:
31158             printf("Unsupported content cipher type for example");
31159             ERROR_OUT(ALGO_ID_E, out);
31160     };
31161 
31162     ret = wc_AesInit(aes, HEAP_HINT, INVALID_DEVID);
31163     if (ret == 0) {
31164         ret = wc_AesSetKey(aes, key, keySz, iv, AES_DECRYPTION);
31165         if (ret == 0)
31166             ret = wc_AesCbcDecrypt(aes, out, in, inSz);
31167         wc_AesFree(aes);
31168     }
31169 
31170   out:
31171 
31172 #ifdef WOLFSSL_SMALL_STACK
31173     XFREE(aes, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31174 #endif
31175 
31176     (void)aad;
31177     (void)aadSz;
31178     (void)authTag;
31179     (void)authTagSz;
31180     return ret;
31181 }
31182 #endif /* !NO_AES && HAVE_AES_CBC */
31183 
31184 
31185 #define PKCS7_BUF_SIZE 2048
31186 
31187 static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
31188                                       byte* rsaPrivKey,  word32 rsaPrivKeySz,
31189                                       byte* eccCert, word32 eccCertSz,
31190                                       byte* eccPrivKey,  word32 eccPrivKeySz)
31191 {
31192     int ret = 0, testSz = 0, i;
31193     int envelopedSz, decodedSz;
31194 
31195     byte   *enveloped = NULL;
31196     byte   *decoded = NULL;
31197     PKCS7* pkcs7 = NULL;
31198 #ifdef ECC_TIMING_RESISTANT
31199     WC_RNG rng;
31200 #endif
31201 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
31202     XFILE  pkcs7File;
31203 #endif
31204 
31205     WOLFSSL_SMALL_STACK_STATIC const byte data[] = { /* Hello World */
31206         0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
31207         0x72,0x6c,0x64
31208     };
31209 
31210 #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) && \
31211     defined(HAVE_ECC) && defined(WOLFSSL_SHA512)
31212     byte optionalUkm[] = {
31213         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
31214     };
31215 #endif /* NO_AES */
31216 
31217 #if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) && \
31218     !defined(NO_SHA)
31219     /* encryption key for kekri recipient types */
31220     WOLFSSL_SMALL_STACK_STATIC const byte secretKey[] = {
31221         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
31222         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
31223     };
31224 
31225     /* encryption key identifier */
31226     WOLFSSL_SMALL_STACK_STATIC const byte secretKeyId[] = {
31227         0x02,0x02,0x03,0x04
31228     };
31229 #endif
31230 
31231 #if !defined(NO_PWDBASED) && !defined(NO_SHA) && \
31232     !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
31233 
31234     #ifndef HAVE_FIPS
31235     WOLFSSL_SMALL_STACK_STATIC const char password[] = "password"; /* NOTE: Password is too short for FIPS */
31236     #else
31237     WOLFSSL_SMALL_STACK_STATIC const char password[] = "passwordFIPS_MODE";
31238     #endif
31239 
31240     WOLFSSL_SMALL_STACK_STATIC const byte salt[] = {
31241         0x12, 0x34, 0x56, 0x78, 0x78, 0x56, 0x34, 0x12
31242     };
31243 #endif
31244 
31245     #define MAX_TESTVECTORS_LEN 13
31246     #define ADD_PKCS7ENVELOPEDVECTOR(...) {                                 \
31247             pkcs7EnvelopedVector _this_vector = { __VA_ARGS__ };            \
31248             if (testSz == MAX_TESTVECTORS_LEN) {                                \
31249                 ret = -12534;                                                   \
31250                 goto out;                                                       \
31251             }                                                                   \
31252             XMEMCPY(&testVectors[testSz++], &_this_vector, sizeof _this_vector);\
31253         }
31254 
31255     pkcs7EnvelopedVector *testVectors = NULL;
31256 
31257 #ifdef ECC_TIMING_RESISTANT
31258     XMEMSET(&rng, 0, sizeof(rng));
31259 #endif
31260 
31261     testVectors = (pkcs7EnvelopedVector *)XMALLOC(MAX_TESTVECTORS_LEN * sizeof(*testVectors),
31262                                      HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31263     if (testVectors == NULL) {
31264         ret = -12534;
31265         goto out;
31266     }
31267 
31268     {
31269         /* key transport key encryption technique */
31270 #ifndef NO_RSA
31271     #ifndef NO_DES3
31272         ADD_PKCS7ENVELOPEDVECTOR(
31273          data, (word32)sizeof(data), DATA, DES3b, 0, 0, rsaCert, rsaCertSz,
31274          rsaPrivKey, rsaPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL,
31275          0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31276          "pkcs7envelopedDataDES3.der");
31277     #endif
31278 
31279     #if !defined(NO_AES) && defined(HAVE_AES_CBC)
31280         #ifdef WOLFSSL_AES_128
31281         ADD_PKCS7ENVELOPEDVECTOR(
31282          data, (word32)sizeof(data), DATA, AES128CBCb, 0, 0, rsaCert, rsaCertSz,
31283          rsaPrivKey, rsaPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL,
31284          0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31285          "pkcs7envelopedDataAES128CBC.der");
31286         #endif
31287         #ifdef WOLFSSL_AES_192
31288         ADD_PKCS7ENVELOPEDVECTOR(
31289          data, (word32)sizeof(data), DATA, AES192CBCb, 0, 0, rsaCert, rsaCertSz,
31290          rsaPrivKey, rsaPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL,
31291          0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31292          "pkcs7envelopedDataAES192CBC.der");
31293         #endif
31294         #ifdef WOLFSSL_AES_256
31295         ADD_PKCS7ENVELOPEDVECTOR(
31296          data, (word32)sizeof(data), DATA, AES256CBCb, 0, 0, rsaCert, rsaCertSz,
31297          rsaPrivKey, rsaPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL,
31298          0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31299          "pkcs7envelopedDataAES256CBC.der");
31300 
31301         /* explicitly using SKID for SubjectKeyIdentifier */
31302         ADD_PKCS7ENVELOPEDVECTOR(
31303          data, (word32)sizeof(data), DATA, AES256CBCb, 0, 0, rsaCert, rsaCertSz,
31304          rsaPrivKey, rsaPrivKeySz, NULL, 0, CMS_SKID, 0, NULL, 0, NULL, 0, NULL,
31305          NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31306          "pkcs7envelopedDataAES256CBC_SKID.der");
31307 
31308         /* explicitly using IssuerAndSerialNumber for SubjectKeyIdentifier */
31309         ADD_PKCS7ENVELOPEDVECTOR(
31310          data, (word32)sizeof(data), DATA, AES256CBCb, 0, 0, rsaCert, rsaCertSz,
31311          rsaPrivKey, rsaPrivKeySz, NULL, 0, CMS_ISSUER_AND_SERIAL_NUMBER, 0,
31312          NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0,
31313          0, 0, 0, 0, "pkcs7envelopedDataAES256CBC_IANDS.der");
31314         #endif
31315     #endif /* !NO_AES && HAVE_AES_CBC */
31316 #endif
31317 
31318         /* key agreement key encryption technique*/
31319 #ifdef HAVE_ECC
31320     #if !defined(NO_AES) && defined(HAVE_AES_CBC)
31321         #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
31322         ADD_PKCS7ENVELOPEDVECTOR(
31323          data, (word32)sizeof(data), DATA, AES128CBCb, AES128_WRAP,
31324          dhSinglePass_stdDH_sha1kdf_scheme, eccCert, eccCertSz, eccPrivKey,
31325          eccPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0,
31326          0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31327          "pkcs7envelopedDataAES128CBC_ECDH_SHA1KDF.der");
31328         #endif
31329 
31330         #if !defined(NO_SHA256) && defined(WOLFSSL_AES_256)
31331         ADD_PKCS7ENVELOPEDVECTOR(
31332          data, (word32)sizeof(data), DATA, AES256CBCb, AES256_WRAP,
31333          dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
31334          eccPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0,
31335          0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31336          "pkcs7envelopedDataAES256CBC_ECDH_SHA256KDF.der");
31337         #endif /* NO_SHA256 && WOLFSSL_AES_256 */
31338 
31339         #if defined(WOLFSSL_SHA512) && defined(WOLFSSL_AES_256)
31340         ADD_PKCS7ENVELOPEDVECTOR(
31341          data, (word32)sizeof(data), DATA, AES256CBCb, AES256_WRAP,
31342          dhSinglePass_stdDH_sha512kdf_scheme, eccCert, eccCertSz, eccPrivKey,
31343          eccPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0,
31344          0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31345          "pkcs7envelopedDataAES256CBC_ECDH_SHA512KDF.der");
31346 
31347         /* with optional user keying material (ukm) */
31348         ADD_PKCS7ENVELOPEDVECTOR(
31349          data, (word32)sizeof(data), DATA, AES256CBCb, AES256_WRAP,
31350          dhSinglePass_stdDH_sha512kdf_scheme, eccCert, eccCertSz, eccPrivKey,
31351          eccPrivKeySz, optionalUkm, sizeof(optionalUkm), 0, 0, NULL, 0,
31352          NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31353          "pkcs7envelopedDataAES256CBC_ECDH_SHA512KDF_ukm.der");
31354         #endif /* WOLFSSL_SHA512 && WOLFSSL_AES_256 */
31355     #endif /* !NO_AES && HAVE_AES_CBC */
31356 #endif
31357 
31358         /* kekri (KEKRecipientInfo) recipient types */
31359 #if !defined(NO_AES) && defined(HAVE_AES_CBC)
31360         #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
31361         ADD_PKCS7ENVELOPEDVECTOR(
31362          data, (word32)sizeof(data), DATA, AES128CBCb, AES128_WRAP, 0,
31363          NULL, 0, NULL, 0, NULL, 0, 0, 0, secretKey, sizeof(secretKey),
31364          secretKeyId, sizeof(secretKeyId), NULL, NULL, 0, NULL, 0,
31365          0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
31366          "pkcs7envelopedDataAES128CBC_KEKRI.der");
31367         #endif
31368 #endif /* !NO_AES && HAVE_AES_CBC */
31369 
31370         /* pwri (PasswordRecipientInfo) recipient types */
31371 #if !defined(NO_PWDBASED) && !defined(NO_AES) && defined(HAVE_AES_CBC)
31372         #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
31373         ADD_PKCS7ENVELOPEDVECTOR(
31374          data, (word32)sizeof(data), DATA, AES128CBCb, 0, 0,
31375          NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
31376          NULL, 0, NULL, NULL, 0, NULL, 0, 0, password,
31377          (word32)XSTRLEN(password), salt, sizeof(salt), PBKDF2_OID, WC_SHA, 5,
31378          0, 0, 0, "pkcs7envelopedDataAES128CBC_PWRI.der");
31379         #endif
31380 #endif
31381 
31382 #if !defined(NO_AES) && defined(HAVE_AES_CBC) && !defined(NO_AES_128)
31383         /* ori (OtherRecipientInfo) recipient types */
31384         ADD_PKCS7ENVELOPEDVECTOR(
31385          data, (word32)sizeof(data), DATA, AES128CBCb, 0, 0, NULL, 0, NULL, 0,
31386          NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0,
31387          NULL, 0, 0, 0, 0, 0, 1, 0, "pkcs7envelopedDataAES128CBC_ORI.der");
31388 #endif
31389     };
31390 
31391     #undef MAX_TESTVECTORS_LEN
31392     #undef ADD_PKCS7ENVELOPEDVECTOR
31393 
31394     enveloped = (byte *)XMALLOC(PKCS7_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31395     decoded = (byte *)XMALLOC(PKCS7_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31396     if ((! enveloped) || (! decoded)) {
31397         ERROR_OUT(-12170, out);
31398     }
31399 
31400 #ifdef ECC_TIMING_RESISTANT
31401 #ifndef HAVE_FIPS
31402         ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
31403 #else
31404         ret = wc_InitRng(&rng);
31405 #endif
31406         if (ret != 0) {
31407             ERROR_OUT(-12171, out);
31408         }
31409 #endif
31410 
31411     for (i = 0; i < testSz; i++) {
31412         pkcs7 = wc_PKCS7_New(HEAP_HINT,
31413         #ifdef WOLFSSL_ASYNC_CRYPT
31414             INVALID_DEVID /* async PKCS7 is not supported */
31415         #else
31416             devId
31417         #endif
31418         );
31419         if (pkcs7 == NULL) {
31420             ERROR_OUT(-12172, out);
31421         }
31422 
31423         if (testVectors[i].secretKey != NULL) {
31424             /* KEKRI recipient type */
31425 
31426             ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
31427             if (ret != 0) {
31428                 ERROR_OUT(-12173, out);
31429             }
31430 
31431             pkcs7->content      = (byte*)testVectors[i].content;
31432             pkcs7->contentSz    = testVectors[i].contentSz;
31433             pkcs7->contentOID   = testVectors[i].contentOID;
31434             pkcs7->encryptOID   = testVectors[i].encryptOID;
31435             pkcs7->ukm          = testVectors[i].optionalUkm;
31436             pkcs7->ukmSz        = testVectors[i].optionalUkmSz;
31437 
31438             ret = wc_PKCS7_AddRecipient_KEKRI(pkcs7, testVectors[i].keyWrapOID,
31439                     (byte *)testVectors[i].secretKey, testVectors[i].secretKeySz,
31440                     (byte *)testVectors[i].secretKeyId, testVectors[i].secretKeyIdSz,
31441                     testVectors[i].timePtr, testVectors[i].otherAttrOID,
31442                     testVectors[i].otherAttrOIDSz, testVectors[i].otherAttr,
31443                     testVectors[i].otherAttrSz, testVectors[i].kekriOptions);
31444 
31445             if (ret < 0) {
31446                 wc_PKCS7_Free(pkcs7);
31447                 ERROR_OUT(-12174, out);
31448             }
31449 
31450             /* set key, for decryption */
31451             ret = wc_PKCS7_SetKey(pkcs7, (byte *)testVectors[i].secretKey,
31452                                   testVectors[i].secretKeySz);
31453 
31454             if (ret != 0) {
31455                 wc_PKCS7_Free(pkcs7);
31456                 ERROR_OUT(-12175, out);
31457             }
31458 
31459         } else if (testVectors[i].password != NULL) {
31460         #ifndef NO_PWDBASED
31461             /* PWRI recipient type */
31462 
31463             ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
31464             if (ret != 0) {
31465                 ERROR_OUT(-12176, out);
31466             }
31467 
31468             pkcs7->content      = (byte*)testVectors[i].content;
31469             pkcs7->contentSz    = testVectors[i].contentSz;
31470             pkcs7->contentOID   = testVectors[i].contentOID;
31471             pkcs7->encryptOID   = testVectors[i].encryptOID;
31472             pkcs7->ukm          = testVectors[i].optionalUkm;
31473             pkcs7->ukmSz        = testVectors[i].optionalUkmSz;
31474 
31475             ret = wc_PKCS7_AddRecipient_PWRI(pkcs7,
31476                     (byte *)testVectors[i].password, testVectors[i].passwordSz,
31477                     (byte *)testVectors[i].salt, testVectors[i].saltSz,
31478                     testVectors[i].kdfOID,
31479                     testVectors[i].hashOID, testVectors[i].kdfIterations,
31480                     testVectors[i].encryptOID, testVectors[i].pwriOptions);
31481 
31482             if (ret < 0) {
31483                 wc_PKCS7_Free(pkcs7);
31484                 ERROR_OUT(-12177, out);
31485             }
31486 
31487             /* set password, for decryption */
31488             ret = wc_PKCS7_SetPassword(pkcs7, (byte*)testVectors[i].password,
31489                     testVectors[i].passwordSz);
31490 
31491             if (ret < 0) {
31492                 wc_PKCS7_Free(pkcs7);
31493                 ERROR_OUT(-12178, out);
31494             }
31495         #endif /* NO_PWDBASED */
31496 
31497         } else if (testVectors[i].isOri == 1) {
31498             /* ORI recipient type */
31499 
31500             ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
31501             if (ret != 0) {
31502                 ERROR_OUT(-12179, out);
31503             }
31504 
31505             pkcs7->content      = (byte*)testVectors[i].content;
31506             pkcs7->contentSz    = testVectors[i].contentSz;
31507             pkcs7->contentOID   = testVectors[i].contentOID;
31508             pkcs7->encryptOID   = testVectors[i].encryptOID;
31509 
31510             ret = wc_PKCS7_AddRecipient_ORI(pkcs7, myOriEncryptCb,
31511                                             testVectors[i].oriOptions);
31512 
31513             if (ret < 0) {
31514                 wc_PKCS7_Free(pkcs7);
31515                 ERROR_OUT(-12180, out);
31516             }
31517 
31518             /* set decrypt callback for decryption */
31519             ret = wc_PKCS7_SetOriDecryptCb(pkcs7, myOriDecryptCb);
31520 
31521             if (ret < 0) {
31522                 wc_PKCS7_Free(pkcs7);
31523                 ERROR_OUT(-12181, out);
31524             }
31525 
31526         } else {
31527             /* KTRI or KARI recipient types */
31528 
31529             ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
31530             if (ret != 0) {
31531                 ERROR_OUT(-12182, out);
31532             }
31533 
31534             ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
31535                                         (word32)testVectors[i].certSz);
31536             if (ret != 0) {
31537                 wc_PKCS7_Free(pkcs7);
31538                 ERROR_OUT(-12183, out);
31539             }
31540 
31541             pkcs7->keyWrapOID   = testVectors[i].keyWrapOID;
31542             pkcs7->keyAgreeOID  = testVectors[i].keyAgreeOID;
31543             pkcs7->privateKey   = testVectors[i].privateKey;
31544             pkcs7->privateKeySz = testVectors[i].privateKeySz;
31545             pkcs7->content      = (byte*)testVectors[i].content;
31546             pkcs7->contentSz    = testVectors[i].contentSz;
31547             pkcs7->contentOID   = testVectors[i].contentOID;
31548             pkcs7->encryptOID   = testVectors[i].encryptOID;
31549             pkcs7->ukm          = testVectors[i].optionalUkm;
31550             pkcs7->ukmSz        = testVectors[i].optionalUkmSz;
31551 
31552             /* set SubjectIdentifier type for KTRI types */
31553             if (testVectors[i].ktriOptions & CMS_SKID) {
31554 
31555                 ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
31556                 if (ret != 0) {
31557                     wc_PKCS7_Free(pkcs7);
31558                     ERROR_OUT(-12184, out);
31559                 }
31560             } else if (testVectors[i].ktriOptions &
31561                        CMS_ISSUER_AND_SERIAL_NUMBER) {
31562 
31563                 ret = wc_PKCS7_SetSignerIdentifierType(pkcs7,
31564                         CMS_ISSUER_AND_SERIAL_NUMBER);
31565                 if (ret != 0) {
31566                     wc_PKCS7_Free(pkcs7);
31567                     ERROR_OUT(-12185, out);
31568                 }
31569             }
31570         }
31571 
31572 #ifdef ECC_TIMING_RESISTANT
31573         pkcs7->rng = &rng;
31574 #endif
31575         /* encode envelopedData */
31576         envelopedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, enveloped,
31577                                                    PKCS7_BUF_SIZE);
31578         if (envelopedSz <= 0) {
31579             wc_PKCS7_Free(pkcs7);
31580             ERROR_OUT(-12186, out);
31581         }
31582 
31583         /* decode envelopedData */
31584         pkcs7->contentOID = 0;
31585         decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, enveloped, envelopedSz,
31586                                                  decoded, PKCS7_BUF_SIZE);
31587         if (pkcs7->contentOID != testVectors[i].contentOID ||
31588             decodedSz <= 0) {
31589             wc_PKCS7_Free(pkcs7);
31590             ERROR_OUT(-12187, out);
31591         }
31592 
31593         /* test decode result */
31594         if (XMEMCMP(decoded, data, sizeof(data)) != 0){
31595             wc_PKCS7_Free(pkcs7);
31596             ERROR_OUT(-12188, out);
31597         }
31598 
31599 #ifndef NO_PKCS7_STREAM
31600         { /* test reading byte by byte */
31601             int z;
31602             for (z = 0; z < envelopedSz; z++) {
31603                 decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, enveloped + z, 1,
31604                                                  decoded, PKCS7_BUF_SIZE);
31605                 if (decodedSz <= 0 && decodedSz != WC_PKCS7_WANT_READ_E) {
31606                     printf("unexpected error %d\n", decodedSz);
31607                     ERROR_OUT(-12189, out);
31608                 }
31609             }
31610             /* test decode result */
31611             if (XMEMCMP(decoded, data, sizeof(data)) != 0) {
31612                 printf("stream read compare failed\n");
31613                 wc_PKCS7_Free(pkcs7);
31614                 ERROR_OUT(-12190, out);
31615             }
31616         }
31617 #endif
31618 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
31619         /* output pkcs7 envelopedData for external testing */
31620         pkcs7File = XFOPEN(testVectors[i].outFileName, "wb");
31621         if (!pkcs7File) {
31622             wc_PKCS7_Free(pkcs7);
31623             ERROR_OUT(-12191, out);
31624         }
31625 
31626         ret = (int)XFWRITE(enveloped, 1, envelopedSz, pkcs7File);
31627         XFCLOSE(pkcs7File);
31628         if (ret != envelopedSz) {
31629             wc_PKCS7_Free(pkcs7);
31630             ERROR_OUT(-12192, out);
31631         } else {
31632             /* reset ret to 0 for success */
31633             ret = 0;
31634         }
31635 #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
31636 
31637         wc_PKCS7_Free(pkcs7);
31638         pkcs7 = NULL;
31639     }
31640 
31641 #ifdef ECC_TIMING_RESISTANT
31642     wc_FreeRng(&rng);
31643 #endif
31644 
31645     (void)eccCert;
31646     (void)eccCertSz;
31647     (void)eccPrivKey;
31648     (void)eccPrivKeySz;
31649     (void)rsaCert;
31650     (void)rsaCertSz;
31651     (void)rsaPrivKey;
31652     (void)rsaPrivKeySz;
31653 
31654   out:
31655     if (testVectors)
31656         XFREE(testVectors, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31657     if (enveloped)
31658         XFREE(enveloped, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31659     if (decoded)
31660         XFREE(decoded, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31661 
31662     return ret;
31663 }
31664 
31665 
31666 WOLFSSL_TEST_SUBROUTINE int pkcs7enveloped_test(void)
31667 {
31668     int ret = 0;
31669 
31670     byte* rsaCert    = NULL;
31671     byte* rsaPrivKey = NULL;
31672     word32 rsaCertSz    = 0;
31673     word32 rsaPrivKeySz = 0;
31674 
31675     byte* eccCert    = NULL;
31676     byte* eccPrivKey = NULL;
31677     word32 eccCertSz    = 0;
31678     word32 eccPrivKeySz = 0;
31679 
31680 #ifndef NO_RSA
31681     /* read client RSA cert and key in DER format */
31682     rsaCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31683     if (rsaCert == NULL)
31684         return -12200;
31685 
31686     rsaPrivKey = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31687     if (rsaPrivKey == NULL) {
31688         XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31689         return -12201;
31690     }
31691 
31692     rsaCertSz = FOURK_BUF;
31693     rsaPrivKeySz = FOURK_BUF;
31694 #endif /* NO_RSA */
31695 
31696 #ifdef HAVE_ECC
31697     /* read client ECC cert and key in DER format */
31698     eccCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31699     if (eccCert == NULL) {
31700     #ifndef NO_RSA
31701         XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31702         XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31703     #endif
31704         return -12202;
31705     }
31706 
31707     eccPrivKey =(byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31708     if (eccPrivKey == NULL) {
31709     #ifndef NO_RSA
31710         XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31711         XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31712     #endif
31713         XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31714         return -12203;
31715     }
31716 
31717     eccCertSz = FOURK_BUF;
31718     eccPrivKeySz = FOURK_BUF;
31719 #endif /* HAVE_ECC */
31720 
31721     ret = pkcs7_load_certs_keys(rsaCert, &rsaCertSz, rsaPrivKey,
31722                                 &rsaPrivKeySz, NULL, NULL, NULL, NULL,
31723                                 NULL, NULL, NULL, NULL, eccCert, &eccCertSz,
31724                                 eccPrivKey, &eccPrivKeySz);
31725     if (ret < 0) {
31726     #ifndef NO_RSA
31727         XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31728         XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31729     #endif
31730     #ifdef HAVE_ECC
31731         XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31732         XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31733     #endif
31734         return -12204;
31735     }
31736 
31737     ret = pkcs7enveloped_run_vectors(rsaCert, (word32)rsaCertSz,
31738                                      rsaPrivKey, (word32)rsaPrivKeySz,
31739                                      eccCert, (word32)eccCertSz,
31740                                      eccPrivKey, (word32)eccPrivKeySz);
31741 
31742 #ifndef NO_RSA
31743     XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31744     XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31745 #endif
31746 #ifdef HAVE_ECC
31747     XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31748     XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31749 #endif
31750 
31751     return ret;
31752 }
31753 
31754 
31755 #if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
31756 
31757 typedef struct {
31758     const byte*  content;
31759     word32       contentSz;
31760     int          contentOID;
31761     int          encryptOID;
31762     int          keyWrapOID;
31763     int          keyAgreeOID;
31764     byte*        cert;
31765     size_t       certSz;
31766     byte*        privateKey;
31767     word32       privateKeySz;
31768     PKCS7Attrib* authAttribs;
31769     word32       authAttribsSz;
31770     PKCS7Attrib* unauthAttribs;
31771     word32       unauthAttribsSz;
31772 
31773     /* KARI / KTRI specific */
31774     byte*        optionalUkm;
31775     word32       optionalUkmSz;
31776     int          ktriOptions;    /* KTRI options flags */
31777     int          kariOptions;    /* KARI options flags */
31778 
31779     /* KEKRI specific */
31780     byte*        secretKey;      /* key, only for kekri RecipientInfo types */
31781     word32       secretKeySz;    /* size of secretKey, bytes */
31782     byte*        secretKeyId;    /* key identifier */
31783     word32       secretKeyIdSz;  /* size of key identifier, bytes */
31784     void*        timePtr;        /* time_t pointer */
31785     byte*        otherAttrOID;   /* OPTIONAL, other attribute OID */
31786     word32       otherAttrOIDSz; /* size of otherAttrOID, bytes */
31787     byte*        otherAttr;      /* OPTIONAL, other attribute, ASN.1 encoded */
31788     word32       otherAttrSz;    /* size of otherAttr, bytes */
31789     int          kekriOptions;   /* KEKRI options flags */
31790 
31791     /* PWRI specific */
31792     char*        password;       /* password */
31793     word32       passwordSz;     /* password size, bytes */
31794     byte*        salt;           /* KDF salt */
31795     word32       saltSz;         /* KDF salt size, bytes */
31796     int          kdfOID;         /* KDF OID */
31797     int          hashOID;        /* KDF hash algorithm OID */
31798     int          kdfIterations;  /* KDF iterations */
31799     int          kekEncryptOID;  /* KEK encryption algorithm OID */
31800     int          pwriOptions;    /* PWRI options flags */
31801 
31802     /* ORI specific */
31803     int          isOri;
31804     int          oriOptions;     /* ORI options flags */
31805 
31806     const char*  outFileName;
31807 } pkcs7AuthEnvelopedVector;
31808 
31809 
31810 static int pkcs7authenveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
31811                                           byte* rsaPrivKey,  word32 rsaPrivKeySz,
31812                                           byte* eccCert, word32 eccCertSz,
31813                                           byte* eccPrivKey,  word32 eccPrivKeySz)
31814 {
31815     int ret = 0, testSz = 0, i;
31816     int envelopedSz, decodedSz;
31817 
31818     byte   *enveloped = NULL;
31819     byte   *decoded = NULL;
31820     WC_RNG rng;
31821     PKCS7* pkcs7;
31822 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
31823     XFILE  pkcs7File;
31824 #endif
31825 
31826     WOLFSSL_SMALL_STACK_STATIC const byte data[] = { /* Hello World */
31827         0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
31828         0x72,0x6c,0x64
31829     };
31830     byte senderNonce[PKCS7_NONCE_SZ + 2];
31831 #ifdef HAVE_ECC
31832     #if !defined(NO_AES) && defined(HAVE_AESGCM)
31833     #if !defined(NO_SHA256) && defined(WOLFSSL_AES_256)
31834     WOLFSSL_SMALL_STACK_STATIC const byte senderNonceOid[] =
31835                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
31836                  0x09, 0x05 };
31837 
31838     PKCS7Attrib attribs[] =
31839     {
31840         { senderNonceOid, sizeof(senderNonceOid), senderNonce,
31841                                        sizeof(senderNonce) }
31842     };
31843     #endif
31844     #endif
31845 #endif
31846 
31847 #if !defined(NO_AES) && defined(WOLFSSL_AES_256) && defined(HAVE_ECC) && \
31848     defined(WOLFSSL_SHA512)
31849     WOLFSSL_SMALL_STACK_STATIC const byte optionalUkm[] = {
31850         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
31851     };
31852 #endif /* NO_AES */
31853 
31854 #if !defined(NO_AES) && !defined(NO_SHA) && defined(WOLFSSL_AES_128)
31855     /* encryption key for kekri recipient types */
31856     WOLFSSL_SMALL_STACK_STATIC const byte secretKey[] = {
31857         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
31858         0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
31859     };
31860 
31861     /* encryption key identifier */
31862     WOLFSSL_SMALL_STACK_STATIC const byte secretKeyId[] = {
31863         0x02,0x02,0x03,0x04
31864     };
31865 #endif
31866 
31867 #if !defined(NO_PWDBASED) && !defined(NO_AES) && defined(HAVE_AESGCM) && \
31868     !defined(NO_SHA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
31869 
31870     #ifndef HAVE_FIPS
31871     WOLFSSL_SMALL_STACK_STATIC const char password[] = "password";
31872     #else
31873     WOLFSSL_SMALL_STACK_STATIC const char password[] = "passwordFIPS_MODE";
31874     #endif
31875 
31876     WOLFSSL_SMALL_STACK_STATIC const byte salt[] = {
31877         0x12, 0x34, 0x56, 0x78, 0x78, 0x56, 0x34, 0x12
31878     };
31879 #endif
31880 
31881     #define MAX_TESTVECTORS_LEN 20
31882     #define ADD_PKCS7AUTHENVELOPEDVECTOR(...) {                                 \
31883             pkcs7AuthEnvelopedVector _this_vector = { __VA_ARGS__ };            \
31884             if (testSz == MAX_TESTVECTORS_LEN) {                                \
31885                 ret = -12534;                                                   \
31886                 goto out;                                                       \
31887             }                                                                   \
31888             XMEMCPY(&testVectors[testSz++], &_this_vector, sizeof _this_vector);\
31889         }
31890 
31891     pkcs7AuthEnvelopedVector *testVectors = NULL;
31892 
31893     XMEMSET(&rng, 0, sizeof(rng));
31894 
31895     testVectors = (pkcs7AuthEnvelopedVector *)XMALLOC(MAX_TESTVECTORS_LEN * sizeof(*testVectors),
31896                                      HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
31897     if (testVectors == NULL) {
31898         ret = -12534;
31899         goto out;
31900     }
31901 
31902     {
31903         /* key transport key encryption technique */
31904 #ifndef NO_RSA
31905     #if !defined(NO_AES) && defined(HAVE_AESGCM)
31906         #ifdef WOLFSSL_AES_128
31907         ADD_PKCS7AUTHENVELOPEDVECTOR(
31908          data, (word32)sizeof(data), DATA, AES128GCMb, 0, 0, rsaCert, rsaCertSz,
31909          rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
31910          NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0,
31911          0, 0, "pkcs7authEnvelopedDataAES128GCM.der");
31912         #endif
31913         #ifdef WOLFSSL_AES_192
31914         ADD_PKCS7AUTHENVELOPEDVECTOR(
31915          data, (word32)sizeof(data), DATA, AES192GCMb, 0, 0, rsaCert, rsaCertSz,
31916          rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
31917          NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0,
31918          0, 0, "pkcs7authEnvelopedDataAES192GCM.der");
31919         #endif
31920         #ifdef WOLFSSL_AES_256
31921         ADD_PKCS7AUTHENVELOPEDVECTOR(
31922          data, (word32)sizeof(data), DATA, AES256GCMb, 0, 0, rsaCert, rsaCertSz,
31923          rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
31924          NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0,
31925          0, 0, "pkcs7authEnvelopedDataAES256GCM.der");
31926 
31927         /* test with contentType set to FirmwarePkgData */
31928         ADD_PKCS7AUTHENVELOPEDVECTOR(
31929          data, (word32)sizeof(data), FIRMWARE_PKG_DATA, AES256GCMb, 0, 0,
31930          rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL,
31931          0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL,
31932          0, 0, 0, 0, 0, 0, 0, 0,
31933          "pkcs7authEnvelopedDataAES256GCM_firmwarePkgData.der");
31934 
31935         /* explicitly using SKID for SubjectKeyIdentifier */
31936         ADD_PKCS7AUTHENVELOPEDVECTOR(
31937          data, (word32)sizeof(data), DATA, AES256GCMb, 0, 0, rsaCert, rsaCertSz,
31938          rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0, CMS_SKID, 0,
31939          NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0,
31940          0, 0, 0, 0, 0, "pkcs7authEnvelopedDataAES256GCM_SKID.der");
31941 
31942         /* explicitly using IssuerAndSerialNumber for SubjectKeyIdentifier */
31943         ADD_PKCS7AUTHENVELOPEDVECTOR(
31944          data, (word32)sizeof(data), DATA, AES256GCMb, 0, 0, rsaCert, rsaCertSz,
31945          rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0,
31946          CMS_ISSUER_AND_SERIAL_NUMBER, 0, NULL, 0, NULL, 0, NULL, NULL, 0,
31947          NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
31948          "pkcs7authEnvelopedDataAES256GCM_IANDS.der");
31949         #endif
31950     #endif /* NO_AES */
31951 #endif
31952 
31953         /* key agreement key encryption technique*/
31954 #ifdef HAVE_ECC
31955     #if !defined(NO_AES) && defined(HAVE_AESGCM)
31956         #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
31957         ADD_PKCS7AUTHENVELOPEDVECTOR(
31958          data, (word32)sizeof(data), DATA, AES128GCMb, AES128_WRAP,
31959          dhSinglePass_stdDH_sha1kdf_scheme, eccCert, eccCertSz, eccPrivKey,
31960          eccPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0, NULL, 0,
31961          NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
31962          "pkcs7authEnvelopedDataAES128GCM_ECDH_SHA1KDF.der");
31963         #endif
31964 
31965         #if !defined(NO_SHA256) && defined(WOLFSSL_AES_256)
31966         ADD_PKCS7AUTHENVELOPEDVECTOR(
31967          data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
31968          dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
31969          eccPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0, NULL, 0,
31970          NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
31971          "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF.der");
31972 
31973         /* with authenticated attributes */
31974         ADD_PKCS7AUTHENVELOPEDVECTOR(
31975          data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
31976          dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
31977          eccPrivKeySz, attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)),
31978          NULL, 0, NULL, 0, 0, 0, NULL, 0,
31979          NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0,
31980          0, 0, 0,
31981          "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_authAttribs.der");
31982 
31983         /* with unauthenticated attributes */
31984         ADD_PKCS7AUTHENVELOPEDVECTOR(
31985          data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
31986          dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
31987          eccPrivKeySz, NULL, 0, attribs,
31988          (sizeof(attribs) / sizeof(PKCS7Attrib)), NULL, 0, 0, 0, NULL, 0,
31989          NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0,
31990          0, 0, 0,
31991          "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_unauthAttribs.der");
31992 
31993         /* with authenticated AND unauthenticated attributes */
31994         ADD_PKCS7AUTHENVELOPEDVECTOR(
31995          data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
31996          dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
31997          eccPrivKeySz, attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)),
31998          attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)), NULL, 0, 0, 0,
31999          NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0,
32000          0, 0, 0, 0, 0, 0,
32001          "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_bothAttribs.der");
32002 
32003         /* with authenticated AND unauthenticated attributes AND
32004          * contentType of FirmwarePkgData */
32005         ADD_PKCS7AUTHENVELOPEDVECTOR(
32006          data, (word32)sizeof(data), FIRMWARE_PKG_DATA, AES256GCMb, AES256_WRAP,
32007          dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
32008          eccPrivKeySz, attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)),
32009          attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)), NULL, 0, 0, 0,
32010          NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0,
32011          0, 0, 0, 0, 0, 0,
32012          "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_fw_bothAttribs.der");
32013         #endif /* NO_SHA256 && WOLFSSL_AES_256 */
32014 
32015         #if defined(WOLFSSL_SHA512) && defined(WOLFSSL_AES_256)
32016         ADD_PKCS7AUTHENVELOPEDVECTOR(
32017          data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
32018          dhSinglePass_stdDH_sha512kdf_scheme, eccCert, eccCertSz, eccPrivKey,
32019          eccPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL,
32020          NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
32021          "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA512KDF.der");
32022 
32023         /* with optional user keying material (ukm) */
32024         ADD_PKCS7AUTHENVELOPEDVECTOR(
32025          data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
32026          dhSinglePass_stdDH_sha512kdf_scheme, eccCert, eccCertSz, eccPrivKey,
32027          eccPrivKeySz, NULL, 0, NULL, 0, (byte *)optionalUkm, sizeof(optionalUkm), 0,
32028          0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0,
32029          0, 0, 0, 0, 0, 0,
32030          "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA512KDF_ukm.der");
32031         #endif /* WOLFSSL_SHA512 && WOLFSSL_AES_256 */
32032     #endif /* NO_AES */
32033 #endif
32034 
32035         /* kekri (KEKRecipientInfo) recipient types */
32036 #if !defined(NO_AES) && defined(HAVE_AESGCM)
32037         #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
32038         ADD_PKCS7AUTHENVELOPEDVECTOR(
32039          data, (word32)sizeof(data), DATA, AES128GCMb, AES128_WRAP, 0,
32040          NULL, 0, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 0, 0,
32041          (byte *)secretKey, sizeof(secretKey), (byte *)secretKeyId, sizeof(secretKeyId),
32042          NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
32043          "pkcs7authEnvelopedDataAES128GCM_KEKRI.der");
32044         #endif
32045 #endif
32046 
32047         /* pwri (PasswordRecipientInfo) recipient types */
32048 #if !defined(NO_PWDBASED) && !defined(NO_AES) && defined(HAVE_AESGCM)
32049         #if !defined(NO_SHA) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
32050         ADD_PKCS7AUTHENVELOPEDVECTOR(
32051          data, (word32)sizeof(data), DATA, AES128GCMb, 0, 0,
32052          NULL, 0, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
32053          NULL, 0, NULL, NULL, 0, NULL, 0, 0, (char *)password,
32054          (word32)XSTRLEN(password), (byte *)salt, sizeof(salt), PBKDF2_OID, WC_SHA, 5,
32055          AES128CBCb, 0, 0, 0, "pkcs7authEnvelopedDataAES128GCM_PWRI.der");
32056         #endif
32057 #endif
32058 
32059 #if !defined(NO_AES) && defined(HAVE_AESGCM)
32060         #ifdef WOLFSSL_AES_128
32061         /* ori (OtherRecipientInfo) recipient types */
32062         ADD_PKCS7AUTHENVELOPEDVECTOR(
32063          data, (word32)sizeof(data), DATA, AES128GCMb, 0, 0, NULL, 0, NULL, 0,
32064          NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0,
32065          NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 1, 0,
32066          "pkcs7authEnvelopedDataAES128GCM_ORI.der");
32067         #endif
32068 #endif
32069     }
32070 
32071     #undef MAX_TESTVECTORS_LEN
32072     #undef ADD_PKCS7AUTHENVELOPEDVECTOR
32073 
32074     enveloped = (byte *)XMALLOC(PKCS7_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32075     decoded = (byte *)XMALLOC(PKCS7_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32076     if ((! enveloped) || (! decoded)) {
32077         ERROR_OUT(-12210, out);
32078     }
32079 
32080     /* generate senderNonce */
32081     {
32082 #ifndef HAVE_FIPS
32083         ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
32084 #else
32085         ret = wc_InitRng(&rng);
32086 #endif
32087         if (ret != 0) {
32088             ERROR_OUT(-12211, out);
32089         }
32090 
32091         senderNonce[0] = 0x04;
32092         senderNonce[1] = PKCS7_NONCE_SZ;
32093 
32094         ret = wc_RNG_GenerateBlock(&rng, &senderNonce[2], PKCS7_NONCE_SZ);
32095         if (ret != 0) {
32096             wc_FreeRng(&rng);
32097             ERROR_OUT(-12212, out);
32098         }
32099     }
32100 
32101     for (i = 0; i < testSz; i++) {
32102         pkcs7 = wc_PKCS7_New(HEAP_HINT,
32103         #ifdef WOLFSSL_ASYNC_CRYPT
32104             INVALID_DEVID /* async PKCS7 is not supported */
32105         #else
32106             devId
32107         #endif
32108         );
32109         if (pkcs7 == NULL) {
32110             ERROR_OUT(-12213, out);
32111         }
32112 
32113         if (testVectors[i].secretKey != NULL) {
32114             /* KEKRI recipient type */
32115 
32116             ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
32117             if (ret != 0) {
32118                 ERROR_OUT(-12214, out);
32119             }
32120 
32121             pkcs7->content         = (byte*)testVectors[i].content;
32122             pkcs7->contentSz       = testVectors[i].contentSz;
32123             pkcs7->contentOID      = testVectors[i].contentOID;
32124             pkcs7->encryptOID      = testVectors[i].encryptOID;
32125             pkcs7->ukm             = testVectors[i].optionalUkm;
32126             pkcs7->ukmSz           = testVectors[i].optionalUkmSz;
32127             pkcs7->authAttribs     = testVectors[i].authAttribs;
32128             pkcs7->authAttribsSz   = testVectors[i].authAttribsSz;
32129             pkcs7->unauthAttribs   = testVectors[i].unauthAttribs;
32130             pkcs7->unauthAttribsSz = testVectors[i].unauthAttribsSz;
32131 
32132             ret = wc_PKCS7_AddRecipient_KEKRI(pkcs7, testVectors[i].keyWrapOID,
32133                     testVectors[i].secretKey, testVectors[i].secretKeySz,
32134                     testVectors[i].secretKeyId, testVectors[i].secretKeyIdSz,
32135                     testVectors[i].timePtr, testVectors[i].otherAttrOID,
32136                     testVectors[i].otherAttrOIDSz, testVectors[i].otherAttr,
32137                     testVectors[i].otherAttrSz, testVectors[i].kekriOptions);
32138 
32139             if (ret < 0) {
32140                 wc_PKCS7_Free(pkcs7);
32141                 ERROR_OUT(-12215, out);
32142             }
32143 
32144             /* set key, for decryption */
32145             ret = wc_PKCS7_SetKey(pkcs7, testVectors[i].secretKey,
32146                                   testVectors[i].secretKeySz);
32147 
32148             if (ret != 0) {
32149                 wc_PKCS7_Free(pkcs7);
32150                 ERROR_OUT(-12216, out);
32151             }
32152 
32153         } else if (testVectors[i].password != NULL) {
32154         #ifndef NO_PWDBASED
32155             /* PWRI recipient type */
32156 
32157             ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
32158             if (ret != 0) {
32159                 ERROR_OUT(-12217, out);
32160             }
32161 
32162             pkcs7->content         = (byte*)testVectors[i].content;
32163             pkcs7->contentSz       = testVectors[i].contentSz;
32164             pkcs7->contentOID      = testVectors[i].contentOID;
32165             pkcs7->encryptOID      = testVectors[i].encryptOID;
32166             pkcs7->ukm             = testVectors[i].optionalUkm;
32167             pkcs7->ukmSz           = testVectors[i].optionalUkmSz;
32168             pkcs7->authAttribs     = testVectors[i].authAttribs;
32169             pkcs7->authAttribsSz   = testVectors[i].authAttribsSz;
32170             pkcs7->unauthAttribs   = testVectors[i].unauthAttribs;
32171             pkcs7->unauthAttribsSz = testVectors[i].unauthAttribsSz;
32172 
32173             ret = wc_PKCS7_AddRecipient_PWRI(pkcs7,
32174                     (byte*)testVectors[i].password,
32175                     testVectors[i].passwordSz, testVectors[i].salt,
32176                     testVectors[i].saltSz, testVectors[i].kdfOID,
32177                     testVectors[i].hashOID, testVectors[i].kdfIterations,
32178                     testVectors[i].kekEncryptOID, testVectors[i].pwriOptions);
32179 
32180             if (ret < 0) {
32181                 wc_PKCS7_Free(pkcs7);
32182                 ERROR_OUT(-12218, out);
32183             }
32184 
32185             /* set password, for decryption */
32186             ret = wc_PKCS7_SetPassword(pkcs7, (byte*)testVectors[i].password,
32187                     testVectors[i].passwordSz);
32188 
32189             if (ret < 0) {
32190                 wc_PKCS7_Free(pkcs7);
32191                 ERROR_OUT(-12219, out);
32192             }
32193 
32194         #endif /* NO_PWDBASED */
32195         } else if (testVectors[i].isOri == 1) {
32196             /* ORI recipient type */
32197 
32198             ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
32199             if (ret != 0) {
32200                 ERROR_OUT(-12220, out);
32201             }
32202 
32203             pkcs7->content         = (byte*)testVectors[i].content;
32204             pkcs7->contentSz       = testVectors[i].contentSz;
32205             pkcs7->contentOID      = testVectors[i].contentOID;
32206             pkcs7->encryptOID      = testVectors[i].encryptOID;
32207             pkcs7->authAttribs     = testVectors[i].authAttribs;
32208             pkcs7->authAttribsSz   = testVectors[i].authAttribsSz;
32209             pkcs7->unauthAttribs   = testVectors[i].unauthAttribs;
32210             pkcs7->unauthAttribsSz = testVectors[i].unauthAttribsSz;
32211 
32212             ret = wc_PKCS7_AddRecipient_ORI(pkcs7, myOriEncryptCb,
32213                                             testVectors[i].oriOptions);
32214 
32215             if (ret < 0) {
32216                 wc_PKCS7_Free(pkcs7);
32217                 ERROR_OUT(-12221, out);
32218             }
32219 
32220             /* set decrypt callback for decryption */
32221             ret = wc_PKCS7_SetOriDecryptCb(pkcs7, myOriDecryptCb);
32222 
32223             if (ret < 0) {
32224                 wc_PKCS7_Free(pkcs7);
32225                 ERROR_OUT(-12222, out);
32226             }
32227 
32228         } else {
32229             /* KTRI or KARI recipient types */
32230 
32231             ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
32232                                         (word32)testVectors[i].certSz);
32233             if (ret != 0) {
32234                 wc_PKCS7_Free(pkcs7);
32235                 ERROR_OUT(-12223, out);
32236             }
32237 
32238             pkcs7->keyWrapOID      = testVectors[i].keyWrapOID;
32239             pkcs7->keyAgreeOID     = testVectors[i].keyAgreeOID;
32240             pkcs7->privateKey      = testVectors[i].privateKey;
32241             pkcs7->privateKeySz    = testVectors[i].privateKeySz;
32242             pkcs7->content         = (byte*)testVectors[i].content;
32243             pkcs7->contentSz       = testVectors[i].contentSz;
32244             pkcs7->contentOID      = testVectors[i].contentOID;
32245             pkcs7->encryptOID      = testVectors[i].encryptOID;
32246             pkcs7->ukm             = testVectors[i].optionalUkm;
32247             pkcs7->ukmSz           = testVectors[i].optionalUkmSz;
32248             pkcs7->authAttribs     = testVectors[i].authAttribs;
32249             pkcs7->authAttribsSz   = testVectors[i].authAttribsSz;
32250             pkcs7->unauthAttribs   = testVectors[i].unauthAttribs;
32251             pkcs7->unauthAttribsSz = testVectors[i].unauthAttribsSz;
32252 
32253             /* set SubjectIdentifier type for KTRI types */
32254             if (testVectors[i].ktriOptions & CMS_SKID) {
32255 
32256                 ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
32257                 if (ret != 0) {
32258                     wc_PKCS7_Free(pkcs7);
32259                     ERROR_OUT(-12224, out);
32260                 }
32261             } else if (testVectors[i].ktriOptions &
32262                        CMS_ISSUER_AND_SERIAL_NUMBER) {
32263 
32264                 ret = wc_PKCS7_SetSignerIdentifierType(pkcs7,
32265                         CMS_ISSUER_AND_SERIAL_NUMBER);
32266                 if (ret != 0) {
32267                     wc_PKCS7_Free(pkcs7);
32268                     ERROR_OUT(-12225, out);
32269                 }
32270             }
32271         }
32272 
32273 #ifdef ECC_TIMING_RESISTANT
32274         pkcs7->rng = &rng;
32275 #endif
32276 
32277         /* encode envelopedData */
32278         envelopedSz = wc_PKCS7_EncodeAuthEnvelopedData(pkcs7, enveloped,
32279                                                        PKCS7_BUF_SIZE);
32280         if (envelopedSz <= 0) {
32281             wc_PKCS7_Free(pkcs7);
32282             ERROR_OUT(-12226, out);
32283         }
32284 #ifndef NO_PKCS7_STREAM
32285         { /* test reading byte by byte */
32286             int z;
32287             for (z = 0; z < envelopedSz; z++) {
32288                 decodedSz = wc_PKCS7_DecodeAuthEnvelopedData(pkcs7,
32289                         enveloped + z, 1, decoded, PKCS7_BUF_SIZE);
32290                 if (decodedSz <= 0 && decodedSz != WC_PKCS7_WANT_READ_E) {
32291                     printf("unexpected error %d\n", decodedSz);
32292                     ERROR_OUT(-12227, out);
32293                 }
32294             }
32295             /* test decode result */
32296             if (XMEMCMP(decoded, data, sizeof(data)) != 0) {
32297                 printf("stream read compare failed\n");
32298                 wc_PKCS7_Free(pkcs7);
32299                 ERROR_OUT(-12228, out);
32300             }
32301         }
32302 #endif
32303         /* decode envelopedData */
32304         decodedSz = wc_PKCS7_DecodeAuthEnvelopedData(pkcs7, enveloped,
32305                                                      envelopedSz, decoded,
32306                                                      PKCS7_BUF_SIZE);
32307         if (decodedSz <= 0) {
32308             wc_PKCS7_Free(pkcs7);
32309             ERROR_OUT(-12229, out);
32310         }
32311 
32312         /* test decode result */
32313         if (XMEMCMP(decoded, data, sizeof(data)) != 0){
32314             wc_PKCS7_Free(pkcs7);
32315             ERROR_OUT(-12230, out);
32316         }
32317 
32318 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
32319         /* output pkcs7 envelopedData for external testing */
32320         pkcs7File = XFOPEN(testVectors[i].outFileName, "wb");
32321         if (!pkcs7File) {
32322             wc_PKCS7_Free(pkcs7);
32323             ERROR_OUT(-12231, out);
32324         }
32325 
32326         ret = (int)XFWRITE(enveloped, 1, envelopedSz, pkcs7File);
32327         XFCLOSE(pkcs7File);
32328         if (ret != envelopedSz) {
32329             wc_PKCS7_Free(pkcs7);
32330             ERROR_OUT(-12232, out);
32331         } else {
32332             /* reset ret to 0 for success */
32333             ret = 0;
32334         }
32335 #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
32336 
32337         wc_PKCS7_Free(pkcs7);
32338         pkcs7 = NULL;
32339     }
32340 
32341     wc_FreeRng(&rng);
32342 
32343     (void)eccCert;
32344     (void)eccCertSz;
32345     (void)eccPrivKey;
32346     (void)eccPrivKeySz;
32347 #if !defined(NO_AES) && !defined(NO_SHA) && defined(WOLFSSL_AES_128)
32348     (void)secretKey;
32349     (void)secretKeyId;
32350 #endif
32351 #ifdef NO_RSA
32352     (void)rsaCert;
32353     (void)rsaCertSz;
32354     (void)rsaPrivKey;
32355     (void)rsaPrivKeySz;
32356 #endif
32357 
32358   out:
32359     if (testVectors)
32360         XFREE(testVectors, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32361     if (enveloped)
32362         XFREE(enveloped, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32363     if (decoded)
32364         XFREE(decoded, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32365 
32366     return ret;
32367 }
32368 
32369 WOLFSSL_TEST_SUBROUTINE int pkcs7authenveloped_test(void)
32370 {
32371     int ret = 0;
32372 
32373     byte* rsaCert    = NULL;
32374     byte* rsaPrivKey = NULL;
32375     word32 rsaCertSz    = 0;
32376     word32 rsaPrivKeySz = 0;
32377 
32378     byte* eccCert    = NULL;
32379     byte* eccPrivKey = NULL;
32380     word32 eccCertSz    = 0;
32381     word32 eccPrivKeySz = 0;
32382 
32383 #ifndef NO_RSA
32384     /* read client RSA cert and key in DER format */
32385     rsaCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32386     if (rsaCert == NULL)
32387         return -12300;
32388 
32389     rsaPrivKey = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32390     if (rsaPrivKey == NULL) {
32391         XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32392         return -12301;
32393     }
32394 
32395     rsaCertSz = FOURK_BUF;
32396     rsaPrivKeySz = FOURK_BUF;
32397 #endif /* NO_RSA */
32398 
32399 #ifdef HAVE_ECC
32400     /* read client ECC cert and key in DER format */
32401     eccCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32402     if (eccCert == NULL) {
32403     #ifndef NO_RSA
32404         XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32405         XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32406     #endif
32407         return -12302;
32408     }
32409 
32410     eccPrivKey =(byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32411     if (eccPrivKey == NULL) {
32412     #ifndef NO_RSA
32413         XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32414         XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32415     #endif
32416         XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32417         return -12303;
32418     }
32419 
32420     eccCertSz = FOURK_BUF;
32421     eccPrivKeySz = FOURK_BUF;
32422 #endif /* HAVE_ECC */
32423 
32424     ret = pkcs7_load_certs_keys(rsaCert, &rsaCertSz, rsaPrivKey,
32425                                 &rsaPrivKeySz, NULL, NULL, NULL, NULL,
32426                                 NULL, NULL, NULL, NULL, eccCert, &eccCertSz,
32427                                 eccPrivKey, &eccPrivKeySz);
32428     if (ret < 0) {
32429     #ifndef NO_RSA
32430         XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32431         XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32432     #endif
32433     #ifdef HAVE_ECC
32434         XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32435         XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32436     #endif
32437         return -12304;
32438     }
32439 
32440     ret = pkcs7authenveloped_run_vectors(rsaCert, (word32)rsaCertSz,
32441                                          rsaPrivKey, (word32)rsaPrivKeySz,
32442                                          eccCert, (word32)eccCertSz,
32443                                          eccPrivKey, (word32)eccPrivKeySz);
32444 
32445 #ifndef NO_RSA
32446     XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32447     XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32448 #endif
32449 #ifdef HAVE_ECC
32450     XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32451     XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32452 #endif
32453 
32454     return ret;
32455 }
32456 
32457 #endif /* HAVE_AESGCM || HAVE_AESCCM */
32458 
32459 #if !defined(NO_AES) && defined(HAVE_AES_CBC)
32460 static const byte p7DefKey[] = {
32461     0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32462     0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32463     0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32464     0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
32465 };
32466 
32467 static const byte p7AltKey[] = {
32468     0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32469     0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
32470 };
32471 
32472 static int myCEKwrapFunc(PKCS7* pkcs7, byte* cek, word32 cekSz, byte* keyId,
32473         word32 keyIdSz, byte* orginKey, word32 orginKeySz,
32474         byte* out, word32 outSz, int keyWrapAlgo, int type, int direction)
32475 {
32476     int ret;
32477 
32478     if (cek == NULL || out == NULL)
32479         return BAD_FUNC_ARG;
32480 
32481     /* test case sanity checks */
32482     if (keyIdSz != 1) {
32483         return -12310;
32484     }
32485 
32486     if (keyId[0] != 0x00) {
32487         return -12311;
32488     }
32489 
32490     if (type != (int)PKCS7_KEKRI) {
32491         return -12312;
32492     }
32493 
32494     switch (keyWrapAlgo) {
32495         case AES256_WRAP:
32496             ret = wc_AesKeyUnWrap(p7DefKey, sizeof(p7DefKey), cek, cekSz,
32497                                       out, outSz, NULL);
32498             if (ret <= 0)
32499                 return ret;
32500             break;
32501 
32502         default:
32503             WOLFSSL_MSG("Unsupported key wrap algorithm in example");
32504             return BAD_KEYWRAP_ALG_E;
32505     };
32506 
32507     (void)pkcs7;
32508     (void)direction;
32509     (void)orginKey; /* used with KAKRI */
32510     (void)orginKeySz;
32511     return ret;
32512 }
32513 
32514 
32515 /* returns key size on success */
32516 static int getFirmwareKey(PKCS7* pkcs7, byte* key, word32 keySz)
32517 {
32518     int    ret;
32519     word32 atrSz;
32520     byte   atr[256];
32521 
32522     /* Additionally can look for fwWrappedFirmwareKey
32523      * 1.2.840.113529.1.9.16.1.16 */
32524     const unsigned char fwWrappedFirmwareKey[] = {
32525         /* 0x06, 0x0B */
32526         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
32527         0x01, 0x09, 0x10, 0x02, 0x27
32528     };
32529 
32530     /* find keyID in fwWrappedFirmwareKey */
32531     ret = wc_PKCS7_GetAttributeValue(pkcs7, fwWrappedFirmwareKey,
32532             sizeof(fwWrappedFirmwareKey), NULL, &atrSz);
32533     if (ret == LENGTH_ONLY_E) {
32534         XMEMSET(atr, 0, sizeof(atr));
32535         ret = wc_PKCS7_GetAttributeValue(pkcs7, fwWrappedFirmwareKey,
32536                 sizeof(fwWrappedFirmwareKey), atr, &atrSz);
32537 
32538         /* keyIdRaw[0] OCTET TAG */
32539         /* keyIdRaw[1] Length */
32540 
32541         if (ret > 0) {
32542             PKCS7* envPkcs7;
32543 
32544             envPkcs7 = wc_PKCS7_New(NULL, 0);
32545             if (envPkcs7 == NULL) {
32546                 return MEMORY_E;
32547             }
32548 
32549             wc_PKCS7_Init(envPkcs7, NULL, 0);
32550             ret = wc_PKCS7_SetWrapCEKCb(envPkcs7, myCEKwrapFunc);
32551             if (ret == 0) {
32552                 /* expecting FIRMWARE_PKG_DATA content */
32553                 envPkcs7->contentOID = FIRMWARE_PKG_DATA;
32554                 ret = wc_PKCS7_DecodeEnvelopedData(envPkcs7, atr, atrSz,
32555                     key, keySz);
32556                 if (envPkcs7->contentOID != FIRMWARE_PKG_DATA) {
32557                     /* the contentOID should have been set to the inner
32558                      * FIRMWARE_PKG_DATA content */
32559                     ret = BAD_STATE_E;
32560                 }
32561             }
32562             wc_PKCS7_Free(envPkcs7);
32563         }
32564     }
32565 
32566     return ret;
32567 }
32568 
32569 /* create a KEKRI enveloped data
32570  * return size on success */
32571 static int envelopedData_encrypt(byte* in, word32 inSz, byte* out,
32572         word32 outSz)
32573 {
32574     int ret;
32575     PKCS7* pkcs7;
32576     WOLFSSL_SMALL_STACK_STATIC const byte keyId[] = { 0x00 };
32577 
32578     pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID);
32579     if (pkcs7 == NULL)
32580         return -12330;
32581 
32582     pkcs7->content     = in;
32583     pkcs7->contentSz   = inSz;
32584     pkcs7->contentOID  = FIRMWARE_PKG_DATA;
32585     pkcs7->encryptOID  = AES256CBCb;
32586     pkcs7->ukm         = NULL;
32587     pkcs7->ukmSz       = 0;
32588 
32589     /* add recipient (KEKRI type) */
32590     ret = wc_PKCS7_AddRecipient_KEKRI(pkcs7, AES256_WRAP, (byte*)p7DefKey,
32591                                       sizeof(p7DefKey), (byte*)keyId,
32592                                       sizeof(keyId), NULL, NULL, 0, NULL, 0, 0);
32593     if (ret < 0) {
32594         printf("wc_PKCS7_AddRecipient_KEKRI() failed, ret = %d\n", ret);
32595         wc_PKCS7_Free(pkcs7);
32596         return -12331;
32597     }
32598 
32599     /* encode envelopedData, returns size */
32600     ret = wc_PKCS7_EncodeEnvelopedData(pkcs7, out, outSz);
32601     if (ret <= 0) {
32602         printf("wc_PKCS7_EncodeEnvelopedData() failed, ret = %d\n", ret);
32603         wc_PKCS7_Free(pkcs7);
32604         return -12332;
32605 
32606     }
32607 
32608     wc_PKCS7_Free(pkcs7);
32609 
32610     return ret;
32611 }
32612 
32613 
32614 /*
32615  * keyHint is the KeyID to be set in the fwDecryptKeyID attribute
32616  * returns size of buffer output on success
32617  */
32618 static int generateBundle(byte* out, word32 *outSz, const byte* encryptKey,
32619         word32 encryptKeySz, byte keyHint, byte* cert, word32 certSz,
32620         byte* key, word32 keySz)
32621 {
32622     int ret, attribNum = 1;
32623     PKCS7* pkcs7;
32624 
32625     /* KEY ID
32626      * fwDecryptKeyID OID 1.2.840.113549.1.9.16.2.37
32627      */
32628     const unsigned char fwDecryptKeyID[] = {
32629         0x06, 0x0B,
32630         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
32631         0x01, 0x09, 0x10, 0x02, 0x25
32632     };
32633 
32634     /* fwWrappedFirmwareKey 1.2.840.113529.1.9.16.1.16 */
32635     const unsigned char fwWrappedFirmwareKey[] = {
32636         0x06, 0x0B, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
32637         0x01, 0x09, 0x10, 0x02, 0x27
32638     };
32639 
32640     byte keyID[] = { 0x04, 0x01, 0x00 };
32641     byte env[256];
32642     char data[] = "Test of wolfSSL PKCS7 decrypt callback";
32643 
32644     PKCS7Attrib attribs[] =
32645     {
32646         { fwDecryptKeyID, sizeof(fwDecryptKeyID), keyID, sizeof(keyID) },
32647         { fwWrappedFirmwareKey, sizeof(fwWrappedFirmwareKey), env, 0 }
32648     };
32649 
32650     keyID[2] = keyHint;
32651 
32652     /* If using keyHint 0 then create a bundle with fwWrappedFirmwareKey */
32653     if (keyHint == 0) {
32654         ret = envelopedData_encrypt((byte*)p7DefKey, sizeof(p7DefKey), env,
32655                 sizeof(env));
32656         if (ret <= 0) {
32657             return ret;
32658         }
32659         attribs[1].valueSz = ret;
32660         attribNum++;
32661     }
32662 
32663     /* init PKCS7 */
32664     pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID);
32665     if (pkcs7 == NULL)
32666         return -12340;
32667 
32668     ret = wc_PKCS7_InitWithCert(pkcs7, cert, certSz);
32669     if (ret != 0) {
32670         printf("ERROR: wc_PKCS7_InitWithCert() failed, ret = %d\n", ret);
32671         wc_PKCS7_Free(pkcs7);
32672         return -12341;
32673     }
32674 
32675     ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
32676     if (ret != 0) {
32677         wc_PKCS7_Free(pkcs7);
32678         return -12342;
32679     }
32680 
32681     /* encode Signed Encrypted FirmwarePkgData */
32682     if (encryptKeySz == 16) {
32683         ret = wc_PKCS7_EncodeSignedEncryptedFPD(pkcs7, (byte*)encryptKey,
32684                 encryptKeySz, key, keySz, AES128CBCb, RSAk, SHA256h,
32685                 (byte*)data, sizeof(data), NULL, 0,
32686                 attribs, attribNum, out, *outSz);
32687     }
32688     else {
32689         ret = wc_PKCS7_EncodeSignedEncryptedFPD(pkcs7, (byte*)encryptKey,
32690                 encryptKeySz, key, keySz, AES256CBCb, RSAk, SHA256h,
32691                 (byte*)data, sizeof(data), NULL, 0,
32692                 attribs, attribNum, out, *outSz);
32693     }
32694     if (ret <= 0) {
32695         printf("ERROR: wc_PKCS7_EncodeSignedEncryptedFPD() failed, "
32696                 "ret = %d\n", ret);
32697         wc_PKCS7_Free(pkcs7);
32698         return -12343;
32699 
32700     } else {
32701         *outSz = ret;
32702     }
32703 
32704     wc_PKCS7_Free(pkcs7);
32705 
32706     return ret;
32707 }
32708 
32709 
32710 /* test verification and decryption of PKCS7 bundle
32711  * return 0 on success
32712  */
32713 static int verifyBundle(byte* derBuf, word32 derSz, int keyHint)
32714 {
32715     int ret = 0;
32716     int usrCtx = 1; /* test value to pass as user context to callback */
32717     PKCS7* pkcs7 = NULL;
32718     byte*  sid = NULL;
32719     word32 sidSz;
32720     byte key[256];
32721     word32 keySz = sizeof(key);
32722 
32723     byte *decoded = NULL;
32724     int  decodedSz = FOURK_BUF/2;
32725 
32726     WOLFSSL_SMALL_STACK_STATIC const byte expectedSid[] = {
32727 #ifdef USE_CERT_BUFFERS_1024
32728         0x81, 0x69, 0x0f, 0xf8, 0xdf, 0xdd, 0xcf, 0x34,
32729         0x29, 0xd5, 0x67, 0x75, 0x71, 0x85, 0xc7, 0x75,
32730         0x10, 0x69, 0x59, 0xec,
32731 #else
32732         0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18,
32733         0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26,
32734         0xD7, 0x85, 0x65, 0xC0
32735 #endif
32736     };
32737 
32738     decoded = (byte *)XMALLOC(decodedSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32739     if (decoded == NULL) {
32740         ret = MEMORY_E;
32741         goto out;
32742     }
32743 
32744     pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
32745     if (pkcs7 == NULL) {
32746         ret = MEMORY_E;
32747         goto out;
32748     }
32749 
32750     /* Test verify */
32751     ret = wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID);
32752     if (ret != 0)
32753         goto out;
32754     ret = wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
32755     if (ret != 0)
32756         goto out;
32757     ret = wc_PKCS7_VerifySignedData(pkcs7, derBuf, derSz);
32758     if (ret != 0)
32759         goto out;
32760 
32761     /* Get size of SID and print it out */
32762     ret = wc_PKCS7_GetSignerSID(pkcs7, NULL, &sidSz);
32763     if (ret != LENGTH_ONLY_E)
32764         goto out;
32765 
32766     sid = (byte*)XMALLOC(sidSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32767     if (sid == NULL) {
32768         ret = MEMORY_E;
32769         goto out;
32770     }
32771 
32772     ret = wc_PKCS7_GetSignerSID(pkcs7, sid, &sidSz);
32773     if (ret != 0)
32774         goto out;
32775     ret = XMEMCMP(sid, expectedSid, sidSz);
32776     if (ret != 0) {
32777         ret = PKCS7_NO_SIGNER_E; /* close enough */
32778         goto out;
32779     }
32780 
32781     /* get expected fwWrappedFirmwareKey */
32782     if (keyHint == 0) {
32783         ret = getFirmwareKey(pkcs7, key, keySz);
32784         if (ret < 0)
32785             goto out;
32786         pkcs7->encryptionKey = key;
32787         pkcs7->encryptionKeySz = ret;
32788     }
32789     else {
32790         decodedSz = PKCS7_BUF_SIZE;
32791         ret = wc_PKCS7_SetDecodeEncryptedCb(pkcs7, myDecryptionFunc);
32792         if (ret != 0)
32793             goto out;
32794 
32795         ret = wc_PKCS7_SetDecodeEncryptedCtx(pkcs7, (void*)&usrCtx);
32796         if (ret != 0)
32797             goto out;
32798     }
32799 
32800     decodedSz = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content,
32801             pkcs7->contentSz, decoded, decodedSz);
32802     if (decodedSz < 0) {
32803         ret = decodedSz;
32804         goto out;
32805     }
32806 
32807     ret = 0;
32808 
32809   out:
32810 
32811     if (decoded)
32812         XFREE(decoded, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32813     if (pkcs7)
32814         wc_PKCS7_Free(pkcs7);
32815     if (sid)
32816         XFREE(sid, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32817 
32818     return ret;
32819 }
32820 
32821 
32822 WOLFSSL_TEST_SUBROUTINE int pkcs7callback_test(byte* cert, word32 certSz, byte* key, word32 keySz)
32823 {
32824 
32825     int ret = 0;
32826     word32 derSz;
32827     byte *derBuf = (byte *)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32828 
32829     if (! derBuf)
32830         ERROR_OUT(-12360, out);
32831 
32832     /* Doing default generation and verify */
32833     derSz = FOURK_BUF;
32834     ret = generateBundle(derBuf, &derSz, p7DefKey, sizeof(p7DefKey), 0, cert,
32835             certSz, key, keySz);
32836     if (ret <= 0) {
32837         ERROR_OUT(-12361, out);
32838     }
32839 
32840     ret = verifyBundle(derBuf, derSz, 0);
32841     if (ret != 0) {
32842         ERROR_OUT(-12362, out);
32843     }
32844 
32845     /* test choosing other key with keyID */
32846     derSz = FOURK_BUF;
32847     ret = generateBundle(derBuf, &derSz, p7AltKey, sizeof(p7AltKey), 1,
32848             cert, certSz, key, keySz);
32849     if (ret <= 0) {
32850         ERROR_OUT(-12363, out);
32851     }
32852 
32853     ret = verifyBundle(derBuf, derSz, 1);
32854     if (ret != 0) {
32855         ERROR_OUT(-12364, out);
32856     }
32857 
32858     /* test fail case with wrong keyID */
32859     derSz = FOURK_BUF;
32860     ret = generateBundle(derBuf, &derSz, p7DefKey, sizeof(p7DefKey), 1,
32861             cert, certSz, key, keySz);
32862     if (ret <= 0) {
32863         ERROR_OUT(-12365, out);
32864     }
32865 
32866     ret = verifyBundle(derBuf, derSz, 1);
32867     if (ret == 0) {
32868         ERROR_OUT(-12366, out);
32869     }
32870 
32871     ret = 0;
32872 
32873   out:
32874     if (derBuf)
32875         XFREE(derBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
32876 
32877     return ret;
32878 }
32879 #endif /* !NO_AES && HAVE_AES_CBC */
32880 
32881 #ifndef NO_PKCS7_ENCRYPTED_DATA
32882 
32883 typedef struct {
32884     const byte*  content;
32885     word32       contentSz;
32886     int          contentOID;
32887     int          encryptOID;
32888     byte*        encryptionKey;
32889     word32       encryptionKeySz;
32890     PKCS7Attrib* attribs;
32891     word32       attribsSz;
32892     const char*  outFileName;
32893 } pkcs7EncryptedVector;
32894 
32895 
32896 WOLFSSL_TEST_SUBROUTINE int pkcs7encrypted_test(void)
32897 {
32898     int ret = 0;
32899     int i, testSz;
32900     int encryptedSz, decodedSz, attribIdx;
32901     PKCS7* pkcs7;
32902     byte  *encrypted;
32903     byte  *decoded;
32904 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
32905     XFILE pkcs7File;
32906 #endif
32907 
32908     PKCS7Attrib* expectedAttrib;
32909     PKCS7DecodedAttrib* decodedAttrib;
32910 
32911     WOLFSSL_SMALL_STACK_STATIC const byte data[] = { /* Hello World */
32912         0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
32913         0x72,0x6c,0x64
32914     };
32915 
32916 #ifndef NO_DES3
32917     byte desKey[] = {
32918         0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
32919     };
32920     byte des3Key[] = {
32921         0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
32922         0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10,
32923         0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67
32924     };
32925 #endif
32926 
32927 #if !defined(NO_AES) && defined(HAVE_AES_CBC)
32928 #ifdef WOLFSSL_AES_128
32929     byte aes128Key[] = {
32930         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32931         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
32932     };
32933 #endif
32934 #ifdef WOLFSSL_AES_192
32935     byte aes192Key[] = {
32936         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32937         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32938         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
32939     };
32940 #endif
32941 #ifdef WOLFSSL_AES_256
32942     byte aes256Key[] = {
32943         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32944         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32945         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
32946         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
32947     };
32948 #endif
32949 
32950 #ifdef WOLFSSL_AES_256
32951     /* Attribute example from RFC 4134, Section 7.2
32952      * OID = 1.2.5555
32953      * OCTET STRING = 'This is a test General ASN Attribute, number 1.' */
32954     static byte genAttrOid[] = { 0x06, 0x03, 0x2a, 0xab, 0x33 };
32955     static byte genAttr[] = { 0x04, 47,
32956                               0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
32957                               0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x47,
32958                               0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c, 0x20, 0x41,
32959                               0x53, 0x4e, 0x20, 0x41, 0x74, 0x74, 0x72, 0x69,
32960                               0x62, 0x75, 0x74, 0x65, 0x2c, 0x20, 0x6e, 0x75,
32961                               0x6d, 0x62, 0x65, 0x72, 0x20, 0x31, 0x2e };
32962 
32963     static byte genAttrOid2[] = { 0x06, 0x03, 0x2a, 0xab, 0x34 };
32964     static byte genAttr2[] = { 0x04, 47,
32965                               0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
32966                               0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x47,
32967                               0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c, 0x20, 0x41,
32968                               0x53, 0x4e, 0x20, 0x41, 0x74, 0x74, 0x72, 0x69,
32969                               0x62, 0x75, 0x74, 0x65, 0x2c, 0x20, 0x6e, 0x75,
32970                               0x6d, 0x62, 0x65, 0x72, 0x20, 0x32, 0x2e };
32971 
32972     PKCS7Attrib attribs[] =
32973     {
32974         { genAttrOid, sizeof(genAttrOid), genAttr, sizeof(genAttr) }
32975     };
32976 
32977     PKCS7Attrib multiAttribs[] =
32978     {
32979         { genAttrOid, sizeof(genAttrOid), genAttr, sizeof(genAttr) },
32980         { genAttrOid2, sizeof(genAttrOid2), genAttr2, sizeof(genAttr2) }
32981     };
32982 #endif
32983 #endif /* NO_AES */
32984 
32985     const pkcs7EncryptedVector testVectors[] =
32986     {
32987 #ifndef NO_DES3
32988         {data, (word32)sizeof(data), DATA, DES3b, des3Key, sizeof(des3Key),
32989          NULL, 0, "pkcs7encryptedDataDES3.der"},
32990 
32991         {data, (word32)sizeof(data), DATA, DESb, desKey, sizeof(desKey),
32992          NULL, 0, "pkcs7encryptedDataDES.der"},
32993 #endif /* NO_DES3 */
32994 
32995 #if !defined(NO_AES) && defined(HAVE_AES_CBC)
32996     #ifdef WOLFSSL_AES_128
32997         {data, (word32)sizeof(data), DATA, AES128CBCb, aes128Key,
32998          sizeof(aes128Key), NULL, 0, "pkcs7encryptedDataAES128CBC.der"},
32999     #endif
33000     #ifdef WOLFSSL_AES_192
33001         {data, (word32)sizeof(data), DATA, AES192CBCb, aes192Key,
33002          sizeof(aes192Key), NULL, 0, "pkcs7encryptedDataAES192CBC.der"},
33003     #endif
33004     #ifdef WOLFSSL_AES_256
33005         {data, (word32)sizeof(data), DATA, AES256CBCb, aes256Key,
33006          sizeof(aes256Key), NULL, 0, "pkcs7encryptedDataAES256CBC.der"},
33007 
33008         /* test with optional unprotected attributes */
33009         {data, (word32)sizeof(data), DATA, AES256CBCb, aes256Key,
33010          sizeof(aes256Key), attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33011          "pkcs7encryptedDataAES256CBC_attribs.der"},
33012 
33013         /* test with multiple optional unprotected attributes */
33014         {data, (word32)sizeof(data), DATA, AES256CBCb, aes256Key,
33015          sizeof(aes256Key), multiAttribs,
33016          (sizeof(multiAttribs)/sizeof(PKCS7Attrib)),
33017          "pkcs7encryptedDataAES256CBC_multi_attribs.der"},
33018 
33019         /* test with contentType set to FirmwarePkgData */
33020         {data, (word32)sizeof(data), FIRMWARE_PKG_DATA, AES256CBCb, aes256Key,
33021          sizeof(aes256Key), NULL, 0,
33022          "pkcs7encryptedDataAES256CBC_firmwarePkgData.der"},
33023     #endif
33024 #endif /* !NO_AES && HAVE_AES_CBC */
33025     };
33026 
33027     encrypted = (byte *)XMALLOC(PKCS7_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33028     decoded = (byte *)XMALLOC(PKCS7_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33029     if ((! encrypted) || (! decoded)) {
33030         ERROR_OUT(MEMORY_E, out);
33031     }
33032 
33033     testSz = sizeof(testVectors) / sizeof(pkcs7EncryptedVector);
33034 
33035     for (i = 0; i < testSz; i++) {
33036         pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
33037         if (pkcs7 == NULL) {
33038             ERROR_OUT(-12400, out);
33039         }
33040 
33041         pkcs7->content              = (byte*)testVectors[i].content;
33042         pkcs7->contentSz            = testVectors[i].contentSz;
33043         pkcs7->contentOID           = testVectors[i].contentOID;
33044         pkcs7->encryptOID           = testVectors[i].encryptOID;
33045         pkcs7->encryptionKey        = testVectors[i].encryptionKey;
33046         pkcs7->encryptionKeySz      = testVectors[i].encryptionKeySz;
33047         pkcs7->unprotectedAttribs   = testVectors[i].attribs;
33048         pkcs7->unprotectedAttribsSz = testVectors[i].attribsSz;
33049 
33050         /* encode encryptedData */
33051         encryptedSz = wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted,
33052                                                    PKCS7_BUF_SIZE);
33053         if (encryptedSz <= 0) {
33054             wc_PKCS7_Free(pkcs7);
33055             ERROR_OUT(-12401, out);
33056         }
33057 
33058         /* decode encryptedData */
33059 #ifndef NO_PKCS7_STREAM
33060         { /* test reading byte by byte */
33061             int z;
33062             for (z = 0; z < encryptedSz; z++) {
33063                 decodedSz = wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted + z, 1,
33064                                                  decoded, PKCS7_BUF_SIZE);
33065                 if (decodedSz <= 0 && decodedSz != WC_PKCS7_WANT_READ_E) {
33066                     printf("unexpected error %d\n", decodedSz);
33067                     ERROR_OUT(-12402, out);
33068                 }
33069             }
33070             /* test decode result */
33071             if (XMEMCMP(decoded, data, sizeof(data)) != 0) {
33072                 printf("stream read failed\n");
33073                 wc_PKCS7_Free(pkcs7);
33074                 ERROR_OUT(-12403, out);
33075             }
33076         }
33077 #endif
33078         decodedSz = wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted, encryptedSz,
33079                                                  decoded, PKCS7_BUF_SIZE);
33080         if (decodedSz <= 0){
33081             wc_PKCS7_Free(pkcs7);
33082             ERROR_OUT(-12404, out);
33083         }
33084 
33085         /* test decode result */
33086         if (XMEMCMP(decoded, data, sizeof(data)) != 0) {
33087             wc_PKCS7_Free(pkcs7);
33088             ERROR_OUT(-12405, out);
33089         }
33090 
33091         /* verify decoded unprotected attributes */
33092         if (pkcs7->decodedAttrib != NULL) {
33093             decodedAttrib = pkcs7->decodedAttrib;
33094             attribIdx = 1;
33095 
33096             while (decodedAttrib != NULL) {
33097 
33098                 /* expected attribute, stored list is reversed */
33099                 expectedAttrib = &(pkcs7->unprotectedAttribs
33100                         [pkcs7->unprotectedAttribsSz - attribIdx]);
33101 
33102                 /* verify oid */
33103                 if (XMEMCMP(decodedAttrib->oid, expectedAttrib->oid,
33104                             decodedAttrib->oidSz) != 0) {
33105                     wc_PKCS7_Free(pkcs7);
33106                     ERROR_OUT(-12406, out);
33107                 }
33108 
33109                 /* verify value */
33110                 if (XMEMCMP(decodedAttrib->value, expectedAttrib->value,
33111                             decodedAttrib->valueSz) != 0) {
33112                     wc_PKCS7_Free(pkcs7);
33113                     ERROR_OUT(-12407, out);
33114                 }
33115 
33116                 decodedAttrib = decodedAttrib->next;
33117                 attribIdx++;
33118             }
33119         }
33120 
33121 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
33122         /* output pkcs7 envelopedData for external testing */
33123         pkcs7File = XFOPEN(testVectors[i].outFileName, "wb");
33124         if (!pkcs7File) {
33125             wc_PKCS7_Free(pkcs7);
33126             ERROR_OUT(-12408, out);
33127         }
33128 
33129         ret = (int)XFWRITE(encrypted, encryptedSz, 1, pkcs7File);
33130         XFCLOSE(pkcs7File);
33131 
33132         if (ret > 0)
33133             ret = 0;
33134 #endif
33135 
33136         wc_PKCS7_Free(pkcs7);
33137     }
33138 
33139   out:
33140     if (encrypted)
33141         XFREE(encrypted, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33142     if (decoded)
33143         XFREE(decoded, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33144 
33145     return ret;
33146 }
33147 
33148 #endif /* NO_PKCS7_ENCRYPTED_DATA */
33149 
33150 
33151 #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
33152 
33153 typedef struct {
33154     const byte*  content;
33155     word32       contentSz;
33156     int          contentOID;
33157     const char*  outFileName;
33158 } pkcs7CompressedVector;
33159 
33160 
33161 WOLFSSL_TEST_SUBROUTINE int pkcs7compressed_test(void)
33162 {
33163     int ret = 0;
33164     int i, testSz;
33165     int compressedSz, decodedSz;
33166     PKCS7* pkcs7;
33167 #ifdef WOLFSSL_SMALL_STACK
33168     byte  *compressed;
33169     byte  *decoded;
33170 #else
33171     byte  compressed[PKCS7_BUF_SIZE];
33172     byte  decoded[PKCS7_BUF_SIZE];
33173 #endif
33174 
33175 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
33176     XFILE pkcs7File;
33177 #endif
33178 
33179     WOLFSSL_SMALL_STACK_STATIC const byte data[] = { /* Hello World */
33180         0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
33181         0x72,0x6c,0x64
33182     };
33183 
33184     const pkcs7CompressedVector testVectors[] =
33185     {
33186         {data, (word32)sizeof(data), DATA,
33187             "pkcs7compressedData_data_zlib.der"},
33188         {data, (word32)sizeof(data), FIRMWARE_PKG_DATA,
33189             "pkcs7compressedData_firmwarePkgData_zlib.der"},
33190     };
33191 
33192 #ifdef WOLFSSL_SMALL_STACK
33193     compressed = (byte *)XMALLOC(PKCS7_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33194     decoded = (byte *)XMALLOC(PKCS7_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33195     if ((! compressed) || (! decoded)) {
33196         ERROR_OUT(MEMORY_E, out);
33197     }
33198 #endif
33199 
33200     testSz = sizeof(testVectors) / sizeof(pkcs7CompressedVector);
33201 
33202     for (i = 0; i < testSz; i++) {
33203         pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
33204         if (pkcs7 == NULL) {
33205             ERROR_OUT(-12500, out);
33206         }
33207 
33208         pkcs7->content              = (byte*)testVectors[i].content;
33209         pkcs7->contentSz            = testVectors[i].contentSz;
33210         pkcs7->contentOID           = testVectors[i].contentOID;
33211 
33212         /* encode compressedData */
33213         compressedSz = wc_PKCS7_EncodeCompressedData(pkcs7, compressed,
33214                                                    PKCS7_BUF_SIZE);
33215         if (compressedSz <= 0) {
33216             wc_PKCS7_Free(pkcs7);
33217             ERROR_OUT(-12501, out);
33218         }
33219 
33220         /* decode compressedData */
33221         decodedSz = wc_PKCS7_DecodeCompressedData(pkcs7, compressed,
33222                                                   compressedSz, decoded,
33223                                                   PKCS7_BUF_SIZE);
33224         if (decodedSz <= 0){
33225             wc_PKCS7_Free(pkcs7);
33226             ERROR_OUT(-12502, out);
33227         }
33228 
33229         /* test decode result */
33230         if (XMEMCMP(decoded, testVectors[i].content,
33231                     testVectors[i].contentSz) != 0) {
33232             wc_PKCS7_Free(pkcs7);
33233             ERROR_OUT(-12503, out);
33234         }
33235 
33236         /* make sure content type is the same */
33237         if (testVectors[i].contentOID != pkcs7->contentOID) {
33238             ERROR_OUT(-12504, out);
33239         }
33240 
33241 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
33242         /* output pkcs7 compressedData for external testing */
33243         pkcs7File = XFOPEN(testVectors[i].outFileName, "wb");
33244         if (!pkcs7File) {
33245             wc_PKCS7_Free(pkcs7);
33246             ERROR_OUT(-12505, out);
33247         }
33248 
33249         ret = (int)XFWRITE(compressed, compressedSz, 1, pkcs7File);
33250         XFCLOSE(pkcs7File);
33251 
33252         if (ret > 0)
33253             ret = 0;
33254 #endif
33255 
33256         wc_PKCS7_Free(pkcs7);
33257     }
33258 
33259   out:
33260 
33261 #ifdef WOLFSSL_SMALL_STACK
33262     if (compressed)
33263         XFREE(compressed, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33264     if (decoded)
33265         XFREE(decoded, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33266 #endif
33267 
33268     return ret;
33269 } /* pkcs7compressed_test() */
33270 
33271 #undef PKCS7_BUF_SIZE
33272 
33273 #endif /* HAVE_LIBZ */
33274 
33275 
33276 typedef struct {
33277     const byte*  content;
33278     word32       contentSz;
33279     int          hashOID;
33280     int          signOID;
33281     byte*        privateKey;
33282     word32       privateKeySz;
33283     byte*        cert;
33284     size_t       certSz;
33285     byte*        caCert;
33286     size_t       caCertSz;
33287     PKCS7Attrib* signedAttribs;
33288     word32       signedAttribsSz;
33289     const char*  outFileName;
33290     int          contentOID;
33291     byte*        contentType;
33292     word32       contentTypeSz;
33293     int          sidType;
33294     int          encryptOID;   /* for single-shot encrypt alg OID */
33295     int          encCompFlag;  /* for single-shot. 1 = enc, 2 = comp, 3 = both*/
33296     byte*        encryptKey;   /* for single-shot, encryptedData */
33297     word32       encryptKeySz; /* for single-shot, encryptedData */
33298     PKCS7Attrib* unprotectedAttribs;   /* for single-shot, encryptedData */
33299     word32       unprotectedAttribsSz; /* for single-shot, encryptedData */
33300     word16       detachedSignature;    /* generate detached signature (0:1) */
33301 } pkcs7SignedVector;
33302 
33303 
33304 static int pkcs7signed_run_vectors(
33305                         byte* rsaClientCertBuf, word32 rsaClientCertBufSz,
33306                         byte* rsaClientPrivKeyBuf, word32 rsaClientPrivKeyBufSz,
33307                         byte* rsaServerCertBuf, word32 rsaServerCertBufSz,
33308                         byte* rsaServerPrivKeyBuf, word32 rsaServerPrivKeyBufSz,
33309                         byte* rsaCaCertBuf, word32 rsaCaCertBufSz,
33310                         byte* rsaCaPrivKeyBuf, word32 rsaCaPrivKeyBufSz,
33311                         byte* eccClientCertBuf, word32 eccClientCertBufSz,
33312                         byte* eccClientPrivKeyBuf, word32 eccClientPrivKeyBufSz)
33313 {
33314     int ret, testSz = 0, i;
33315     int encodedSz;
33316     byte*  out = NULL;
33317     word32 outSz;
33318     WC_RNG rng;
33319     PKCS7* pkcs7 = NULL;
33320 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
33321     XFILE  file;
33322 #endif
33323 
33324     WOLFSSL_SMALL_STACK_STATIC const byte data[] = { /* Hello World */
33325         0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
33326         0x72,0x6c,0x64
33327     };
33328 
33329     static byte transIdOid[] =
33330                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
33331                  0x09, 0x07 };
33332     static byte messageTypeOid[] =
33333                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
33334                  0x09, 0x02 };
33335     static byte senderNonceOid[] =
33336                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
33337                  0x09, 0x05 };
33338 #ifndef NO_SHA
33339     static byte transId[(WC_SHA_DIGEST_SIZE + 1) * 2 + 1];
33340 #else
33341     static byte transId[(WC_SHA256_DIGEST_SIZE + 1) * 2 + 1];
33342 #endif
33343     static byte messageType[] = { 0x13, 2, '1', '9' };
33344     static byte senderNonce[PKCS7_NONCE_SZ + 2];
33345 
33346     static PKCS7Attrib attribs[] =
33347     {
33348         { transIdOid, sizeof(transIdOid), transId,
33349                                sizeof(transId) - 1 }, /* take off the null */
33350         { messageTypeOid, sizeof(messageTypeOid), messageType,
33351                                        sizeof(messageType) },
33352         { senderNonceOid, sizeof(senderNonceOid), senderNonce,
33353                                        sizeof(senderNonce) }
33354     };
33355 
33356     /* for testing custom contentType, FirmwarePkgData */
33357     static byte customContentType[] = { 0x06, 0x0B, 0x2A, 0x86,
33358                                         0x48, 0x86, 0xF7, 0x0D,
33359                                         0x01, 0x09, 0x10, 0x01, 0x10 };
33360 
33361     #define MAX_TESTVECTORS_LEN 20
33362     #define ADD_PKCS7SIGNEDVECTOR(...) {                                        \
33363             pkcs7SignedVector _this_vector = { __VA_ARGS__ };                   \
33364             if (testSz == MAX_TESTVECTORS_LEN) {                                \
33365                 ret = -12534;                                                   \
33366                 goto out;                                                       \
33367             }                                                                   \
33368             XMEMCPY(&testVectors[testSz++], &_this_vector, sizeof _this_vector);\
33369         }
33370 
33371     pkcs7SignedVector *testVectors = NULL;
33372 
33373     XMEMSET(&rng, 0, sizeof(rng));
33374 
33375     testVectors = (pkcs7SignedVector *)XMALLOC(MAX_TESTVECTORS_LEN * sizeof(*testVectors),
33376                                      HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33377     if (testVectors == NULL) {
33378         ret = -12567;
33379         goto out;
33380     }
33381 
33382     {
33383 #ifndef NO_RSA
33384     #ifndef NO_SHA
33385         /* RSA with SHA */
33386         ADD_PKCS7SIGNEDVECTOR(
33387          data, (word32)sizeof(data), SHAh, RSAk, rsaClientPrivKeyBuf,
33388          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33389          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33390          "pkcs7signedData_RSA_SHA.der", 0, NULL, 0, 0, 0, 0, NULL, 0, NULL,
33391          0, 0);
33392 
33393         /* RSA with SHA, no signed attributes */
33394         ADD_PKCS7SIGNEDVECTOR(
33395          data, (word32)sizeof(data), SHAh, RSAk, rsaClientPrivKeyBuf,
33396          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz,
33397          NULL, 0, NULL, 0,
33398          "pkcs7signedData_RSA_SHA_noattr.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33399          NULL, 0, 0);
33400     #endif
33401     #ifdef WOLFSSL_SHA224
33402         /* RSA with SHA224 */
33403         ADD_PKCS7SIGNEDVECTOR(
33404          data, (word32)sizeof(data), SHA224h, RSAk, rsaClientPrivKeyBuf,
33405          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33406          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33407          "pkcs7signedData_RSA_SHA224.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33408          NULL, 0, 0);
33409     #endif
33410     #ifndef NO_SHA256
33411         /* RSA with SHA256 */
33412         ADD_PKCS7SIGNEDVECTOR(
33413          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33414          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33415          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33416          "pkcs7signedData_RSA_SHA256.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33417          NULL, 0, 0);
33418 
33419         /* RSA with SHA256, detached signature */
33420         ADD_PKCS7SIGNEDVECTOR(
33421          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33422          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33423          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33424          "pkcs7signedData_RSA_SHA256_detachedSig.der", 0, NULL, 0, 0, 0, 0,
33425          NULL, 0, NULL, 0, 1);
33426 
33427         /* RSA with SHA256 and SubjectKeyIdentifier in SignerIdentifier */
33428         ADD_PKCS7SIGNEDVECTOR(
33429          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33430          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33431          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33432          "pkcs7signedData_RSA_SHA256_SKID.der", 0, NULL, 0, CMS_SKID, 0, 0,
33433          NULL, 0, NULL, 0, 0);
33434 
33435         /* RSA with SHA256 and custom contentType */
33436         ADD_PKCS7SIGNEDVECTOR(
33437          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33438          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33439          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33440          "pkcs7signedData_RSA_SHA256_custom_contentType.der", 0,
33441          customContentType, sizeof(customContentType), 0, 0, 0, NULL, 0,
33442          NULL, 0, 0);
33443 
33444         /* RSA with SHA256 and FirmwarePkgData contentType */
33445         ADD_PKCS7SIGNEDVECTOR(
33446          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33447          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33448          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33449          "pkcs7signedData_RSA_SHA256_firmwarePkgData.der",
33450          FIRMWARE_PKG_DATA, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0, 0);
33451 
33452         /* RSA with SHA256 using server cert and ca cert */
33453         ADD_PKCS7SIGNEDVECTOR(
33454          data, (word32)sizeof(data), SHA256h, RSAk, rsaServerPrivKeyBuf,
33455          rsaServerPrivKeyBufSz, rsaServerCertBuf, rsaServerCertBufSz,
33456          rsaCaCertBuf, rsaCaCertBufSz,
33457          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33458          "pkcs7signedData_RSA_SHA256_with_ca_cert.der", 0, NULL, 0, 0, 0, 0,
33459          NULL, 0, NULL, 0, 0);
33460     #endif
33461     #if defined(WOLFSSL_SHA384)
33462         /* RSA with SHA384 */
33463         ADD_PKCS7SIGNEDVECTOR(
33464          data, (word32)sizeof(data), SHA384h, RSAk, rsaClientPrivKeyBuf,
33465          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33466          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33467          "pkcs7signedData_RSA_SHA384.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33468          NULL, 0, 0);
33469     #endif
33470     #if defined(WOLFSSL_SHA512)
33471         /* RSA with SHA512 */
33472         ADD_PKCS7SIGNEDVECTOR(
33473          data, (word32)sizeof(data), SHA512h, RSAk, rsaClientPrivKeyBuf,
33474          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33475          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33476          "pkcs7signedData_RSA_SHA512.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33477          NULL, 0, 0);
33478     #endif
33479 #endif /* NO_RSA */
33480 
33481 #ifdef HAVE_ECC
33482     #ifndef NO_SHA
33483         /* ECDSA with SHA */
33484         ADD_PKCS7SIGNEDVECTOR(
33485          data, (word32)sizeof(data), SHAh, ECDSAk, eccClientPrivKeyBuf,
33486          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33487          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33488          "pkcs7signedData_ECDSA_SHA.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33489          NULL, 0, 0);
33490 
33491         /* ECDSA with SHA, no signed attributes */
33492         ADD_PKCS7SIGNEDVECTOR(
33493          data, (word32)sizeof(data), SHAh, ECDSAk, eccClientPrivKeyBuf,
33494          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz,
33495          NULL, 0, NULL, 0,
33496          "pkcs7signedData_ECDSA_SHA_noattr.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33497          NULL, 0, 0);
33498     #endif
33499     #ifdef WOLFSSL_SHA224
33500         /* ECDSA with SHA224 */
33501         ADD_PKCS7SIGNEDVECTOR(
33502          data, (word32)sizeof(data), SHA224h, ECDSAk, eccClientPrivKeyBuf,
33503          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33504          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33505          "pkcs7signedData_ECDSA_SHA224.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33506          NULL, 0, 0);
33507     #endif
33508     #ifndef NO_SHA256
33509         /* ECDSA with SHA256 */
33510         ADD_PKCS7SIGNEDVECTOR(
33511          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
33512          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33513          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33514          "pkcs7signedData_ECDSA_SHA256.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33515          NULL, 0, 0);
33516 
33517         /* ECDSA with SHA256 and SubjectKeyIdentifier in SigherIdentifier */
33518         ADD_PKCS7SIGNEDVECTOR(
33519          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
33520          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33521          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33522          "pkcs7signedData_ECDSA_SHA256_SKID.der", 0, NULL, 0, CMS_SKID, 0, 0,
33523          NULL, 0, NULL, 0, 0);
33524 
33525         /* ECDSA with SHA256 and custom contentType */
33526         ADD_PKCS7SIGNEDVECTOR(
33527          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
33528          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33529          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33530          "pkcs7signedData_ECDSA_SHA256_custom_contentType.der", 0,
33531          customContentType, sizeof(customContentType), 0, 0, 0, NULL, 0,
33532          NULL, 0, 0);
33533 
33534         /* ECDSA with SHA256 and FirmwarePkgData contentType */
33535         ADD_PKCS7SIGNEDVECTOR(
33536          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
33537          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33538          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33539          "pkcs7signedData_ECDSA_SHA256_firmwarePkgData.der",
33540          FIRMWARE_PKG_DATA, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0, 0);
33541     #endif
33542     #ifdef WOLFSSL_SHA384
33543         /* ECDSA with SHA384 */
33544         ADD_PKCS7SIGNEDVECTOR(
33545          data, (word32)sizeof(data), SHA384h, ECDSAk, eccClientPrivKeyBuf,
33546          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33547          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33548          "pkcs7signedData_ECDSA_SHA384.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33549          NULL, 0, 0);
33550     #endif
33551     #ifdef WOLFSSL_SHA512
33552         /* ECDSA with SHA512 */
33553         ADD_PKCS7SIGNEDVECTOR(
33554          data, (word32)sizeof(data), SHA512h, ECDSAk, eccClientPrivKeyBuf,
33555          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33556          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33557          "pkcs7signedData_ECDSA_SHA512.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
33558          NULL, 0, 0);
33559     #endif
33560 #endif /* HAVE_ECC */
33561     };
33562 
33563     #undef MAX_TESTVECTORS_LEN
33564     #undef ADD_PKCS7SIGNEDVECTOR
33565 
33566     outSz = FOURK_BUF;
33567     out = (byte*)XMALLOC(outSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33568     if (out == NULL)
33569         ERROR_OUT(-12510, out);
33570 
33571     XMEMSET(out, 0, outSz);
33572 
33573     ret = wc_PKCS7_PadData((byte*)data, sizeof(data), out, outSz, 16);
33574     if (ret < 0)
33575         ERROR_OUT(-12511, out);
33576 
33577 #ifndef HAVE_FIPS
33578     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
33579 #else
33580     ret = wc_InitRng(&rng);
33581 #endif
33582     if (ret != 0)
33583         ERROR_OUT(-12512, out);
33584 
33585     for (i = 0; i < testSz; i++) {
33586         if (pkcs7)
33587             wc_PKCS7_Free(pkcs7);
33588         pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
33589         if (pkcs7 == NULL)
33590             ERROR_OUT(-12513, out);
33591 
33592         ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
33593                                     (word32)testVectors[i].certSz);
33594 
33595         if (ret != 0)
33596             ERROR_OUT(-12514, out);
33597 
33598         /* load CA certificate, if present */
33599         if (testVectors[i].caCert != NULL) {
33600             ret = wc_PKCS7_AddCertificate(pkcs7, testVectors[i].caCert,
33601                                           (word32)testVectors[i].caCertSz);
33602             if (ret != 0)
33603                 ERROR_OUT(-12515, out);
33604         }
33605 
33606         pkcs7->rng             = &rng;
33607         pkcs7->content         = (byte*)testVectors[i].content;
33608         pkcs7->contentSz       = testVectors[i].contentSz;
33609         pkcs7->contentOID      = testVectors[i].contentOID;
33610         pkcs7->hashOID         = testVectors[i].hashOID;
33611         pkcs7->encryptOID      = testVectors[i].signOID;
33612         pkcs7->privateKey      = testVectors[i].privateKey;
33613         pkcs7->privateKeySz    = testVectors[i].privateKeySz;
33614         pkcs7->signedAttribs   = testVectors[i].signedAttribs;
33615         pkcs7->signedAttribsSz = testVectors[i].signedAttribsSz;
33616 
33617         /* optional custom contentType, default is DATA,
33618            overrides contentOID if set */
33619         if (testVectors[i].contentType != NULL) {
33620             ret = wc_PKCS7_SetContentType(pkcs7, testVectors[i].contentType,
33621                                           testVectors[i].contentTypeSz);
33622             if (ret != 0)
33623                 ERROR_OUT(-12516, out);
33624         }
33625 
33626         /* set SignerIdentifier to use SubjectKeyIdentifier if desired,
33627            default is IssuerAndSerialNumber */
33628         if (testVectors[i].sidType == CMS_SKID) {
33629             ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
33630             if (ret != 0)
33631                 ERROR_OUT(-12517, out);
33632         }
33633 
33634         /* generate senderNonce */
33635         {
33636             senderNonce[0] = 0x04;
33637             senderNonce[1] = PKCS7_NONCE_SZ;
33638 
33639             ret = wc_RNG_GenerateBlock(&rng, &senderNonce[2], PKCS7_NONCE_SZ);
33640             if (ret != 0)
33641                 ERROR_OUT(-12518, out);
33642         }
33643 
33644         /* generate transactionID (used with SCEP) */
33645         {
33646         #ifndef NO_SHA
33647             wc_Sha sha;
33648             byte digest[WC_SHA_DIGEST_SIZE];
33649         #else
33650             wc_Sha256 sha;
33651             byte digest[WC_SHA256_DIGEST_SIZE];
33652         #endif
33653             int j,k;
33654 
33655             transId[0] = 0x13;
33656             transId[1] = sizeof(digest) * 2;
33657 
33658         #ifndef NO_SHA
33659             ret = wc_InitSha_ex(&sha, HEAP_HINT, devId);
33660             if (ret != 0)
33661                 ERROR_OUT(-12519, out);
33662             wc_ShaUpdate(&sha, pkcs7->publicKey, pkcs7->publicKeySz);
33663             wc_ShaFinal(&sha, digest);
33664             wc_ShaFree(&sha);
33665         #else
33666             ret = wc_InitSha256_ex(&sha, HEAP_HINT, devId);
33667             if (ret != 0)
33668                 ERROR_OUT(-12520, out);
33669             wc_Sha256Update(&sha, pkcs7->publicKey, pkcs7->publicKeySz);
33670             wc_Sha256Final(&sha, digest);
33671             wc_Sha256Free(&sha);
33672         #endif
33673 
33674             for (j = 0, k = 2; j < (int)sizeof(digest); j++, k += 2) {
33675                 XSNPRINTF((char*)&transId[k], 3, "%02x", digest[j]);
33676             }
33677         }
33678 
33679         /* enable detached signature generation, if set */
33680         if (testVectors[i].detachedSignature == 1) {
33681             ret = wc_PKCS7_SetDetached(pkcs7, 1);
33682             if (ret != 0)
33683                 ERROR_OUT(-12521, out);
33684         }
33685 
33686         encodedSz = wc_PKCS7_EncodeSignedData(pkcs7, out, outSz);
33687         if (encodedSz < 0)
33688             ERROR_OUT(-12522, out);
33689 
33690     #ifdef PKCS7_OUTPUT_TEST_BUNDLES
33691         /* write PKCS#7 to output file for more testing */
33692         file = XFOPEN(testVectors[i].outFileName, "wb");
33693         if (!file) {
33694             ERROR_OUT(-12523, out);
33695         ret = (int)XFWRITE(out, 1, encodedSz, file);
33696         XFCLOSE(file);
33697         if (ret != (int)encodedSz)
33698             ERROR_OUT(-12524, out);
33699     #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
33700 
33701         wc_PKCS7_Free(pkcs7);
33702 
33703         pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
33704         if (pkcs7 == NULL)
33705             ERROR_OUT(-12525, out);
33706         wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
33707 
33708         if (testVectors[i].detachedSignature == 1) {
33709             /* set content for verifying detached signatures */
33710             pkcs7->content         = (byte*)testVectors[i].content;
33711             pkcs7->contentSz       = testVectors[i].contentSz;
33712         }
33713 
33714         ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz);
33715         if (ret < 0)
33716             ERROR_OUT(-12526, out);
33717 
33718         /* verify contentType extracted successfully for custom content types */
33719         if (testVectors[i].contentTypeSz > 0) {
33720             if (pkcs7->contentTypeSz != testVectors[i].contentTypeSz) {
33721                 ERROR_OUT(-12527, out);
33722             } else if (XMEMCMP(pkcs7->contentType, testVectors[i].contentType,
33723                        pkcs7->contentTypeSz) != 0) {
33724                 ERROR_OUT(-12528, out);
33725             }
33726         }
33727 
33728         if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0)
33729             ERROR_OUT(-12529, out);
33730 
33731         {
33732             /* check getting signed attributes */
33733         #ifndef NO_SHA
33734             byte buf[(WC_SHA_DIGEST_SIZE + 1) * 2 + 1];
33735         #else
33736             byte buf[(WC_SHA256_DIGEST_SIZE + 1) * 2 + 1];
33737         #endif
33738             byte* oidPt = transIdOid + 2;  /* skip object id tag and size */
33739             int oidSz = (int)sizeof(transIdOid) - 2;
33740             int bufSz = 0;
33741 
33742             if (testVectors[i].signedAttribs != NULL &&
33743                     wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz,
33744                     NULL, (word32*)&bufSz) != LENGTH_ONLY_E)
33745                 ERROR_OUT(-12530, out);
33746 
33747             if (bufSz > (int)sizeof(buf))
33748                 ERROR_OUT(-12531, out);
33749 
33750             bufSz = wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz,
33751                     buf, (word32*)&bufSz);
33752             if ((testVectors[i].signedAttribs != NULL && bufSz < 0) ||
33753                 (testVectors[i].signedAttribs == NULL && bufSz > 0))
33754                 ERROR_OUT(-12532, out);
33755         }
33756 
33757     #ifdef PKCS7_OUTPUT_TEST_BUNDLES
33758         file = XFOPEN("./pkcs7cert.der", "wb");
33759         if (!file)
33760             ERROR_OUT(-12533, out);
33761         ret = (int)XFWRITE(pkcs7->singleCert, 1, pkcs7->singleCertSz, file);
33762         XFCLOSE(file);
33763     #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
33764 
33765     }
33766 
33767   out:
33768 
33769     if (pkcs7 != NULL)
33770         wc_PKCS7_Free(pkcs7);
33771     if (out != NULL)
33772         XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33773     if (testVectors != NULL)
33774         XFREE(testVectors, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33775     wc_FreeRng(&rng);
33776 
33777     if (ret > 0)
33778         return 0;
33779 
33780     (void)rsaClientCertBuf;
33781     (void)rsaClientCertBufSz;
33782     (void)rsaClientPrivKeyBuf;
33783     (void)rsaClientPrivKeyBufSz;
33784     (void)rsaServerCertBuf;
33785     (void)rsaServerCertBufSz;
33786     (void)rsaServerPrivKeyBuf;
33787     (void)rsaServerPrivKeyBufSz;
33788     (void)rsaCaCertBuf;
33789     (void)rsaCaCertBufSz;
33790     (void)rsaCaPrivKeyBuf;
33791     (void)rsaCaPrivKeyBufSz;
33792     (void)eccClientCertBuf;
33793     (void)eccClientCertBufSz;
33794     (void)eccClientPrivKeyBuf;
33795     (void)eccClientPrivKeyBufSz;
33796 
33797     return ret;
33798 }
33799 
33800 
33801 static int pkcs7signed_run_SingleShotVectors(
33802                         byte* rsaClientCertBuf, word32 rsaClientCertBufSz,
33803                         byte* rsaClientPrivKeyBuf, word32 rsaClientPrivKeyBufSz,
33804                         byte* rsaServerCertBuf, word32 rsaServerCertBufSz,
33805                         byte* rsaServerPrivKeyBuf, word32 rsaServerPrivKeyBufSz,
33806                         byte* rsaCaCertBuf, word32 rsaCaCertBufSz,
33807                         byte* rsaCaPrivKeyBuf, word32 rsaCaPrivKeyBufSz,
33808                         byte* eccClientCertBuf, word32 eccClientCertBufSz,
33809                         byte* eccClientPrivKeyBuf, word32 eccClientPrivKeyBufSz)
33810 {
33811     int ret, testSz = 0, i;
33812     int encodedSz;
33813     byte*  out = NULL;
33814     word32 outSz;
33815     WC_RNG rng;
33816     PKCS7* pkcs7 = NULL;
33817 #ifdef PKCS7_OUTPUT_TEST_BUNDLES
33818     XFILE  file;
33819 #endif
33820     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA) && \
33821         !defined(NO_PKCS7_ENCRYPTED_DATA)
33822     byte* encryptedTmp = NULL;
33823     int encryptedTmpSz;
33824     #endif
33825 
33826     WOLFSSL_SMALL_STACK_STATIC const byte data[] = { /* Hello World */
33827         0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
33828         0x72,0x6c,0x64
33829     };
33830 
33831 #if !defined(NO_PKCS7_ENCRYPTED_DATA) && \
33832      defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256)
33833     static byte aes256Key[] = {
33834         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
33835         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
33836         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
33837         0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
33838     };
33839 #endif
33840 
33841     static byte messageTypeOid[] =
33842                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
33843                  0x09, 0x02 };
33844     static byte messageType[] = { 0x13, 2, '1', '9' };
33845 
33846     PKCS7Attrib attribs[] =
33847     {
33848         { messageTypeOid, sizeof(messageTypeOid), messageType,
33849                                        sizeof(messageType) },
33850     };
33851 
33852     #define MAX_TESTVECTORS_LEN 19
33853     #define ADD_PKCS7SIGNEDVECTOR(...) {                                        \
33854             pkcs7SignedVector _this_vector = { __VA_ARGS__ };                   \
33855             if (testSz == MAX_TESTVECTORS_LEN) {                                \
33856                 ret = -12568;                                                   \
33857                 goto out;                                                       \
33858             }                                                                   \
33859             XMEMCPY(&testVectors[testSz++], &_this_vector, sizeof _this_vector);\
33860         }
33861 
33862     pkcs7SignedVector *testVectors = NULL;
33863 
33864     XMEMSET(&rng, 0, sizeof(rng));
33865 
33866     testVectors = (pkcs7SignedVector *)XMALLOC(MAX_TESTVECTORS_LEN * sizeof(*testVectors),
33867                                      HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
33868     if (testVectors == NULL) {
33869         ret = -12567;
33870         goto out;
33871     }
33872 
33873     {
33874 #ifndef NO_RSA
33875     #ifndef NO_SHA256
33876         /* Signed FirmwarePkgData, RSA, SHA256, no attribs */
33877         ADD_PKCS7SIGNEDVECTOR(
33878          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33879          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33880          NULL, 0,
33881          "pkcs7signedFirmwarePkgData_RSA_SHA256_noattr.der", 0, NULL, 0, 0,
33882          0, 0, NULL, 0, NULL, 0, 0);
33883 
33884         /* Signed FirmwarePkgData, RSA, SHA256, attrs */
33885         ADD_PKCS7SIGNEDVECTOR(
33886          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33887          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33888          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33889          "pkcs7signedFirmwarePkgData_RSA_SHA256.der", 0, NULL, 0, 0, 0, 0,
33890          NULL, 0, NULL, 0, 0);
33891 
33892         /* Signed FirmwarePkgData, RSA, SHA256, SubjectKeyIdentifier, attrs */
33893         ADD_PKCS7SIGNEDVECTOR(
33894          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33895          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33896          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33897          "pkcs7signedFirmwarePkgData_RSA_SHA256_SKID.der", 0, NULL,
33898          0, CMS_SKID, 0, 0, NULL, 0, NULL, 0, 0);
33899 
33900         /* Signed FirmwraePkgData, RSA, SHA256, server cert and ca cert, attr */
33901         ADD_PKCS7SIGNEDVECTOR(
33902          data, (word32)sizeof(data), SHA256h, RSAk, rsaServerPrivKeyBuf,
33903          rsaServerPrivKeyBufSz, rsaServerCertBuf, rsaServerCertBufSz,
33904          rsaCaCertBuf, rsaCaCertBufSz,
33905          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33906          "pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der", 0, NULL,
33907          0, 0, 0, 0, NULL, 0, NULL, 0, 0);
33908 
33909     #if !defined(NO_PKCS7_ENCRYPTED_DATA) && \
33910          defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256)
33911         /* Signed Encrypted FirmwarePkgData, RSA, SHA256, no attribs */
33912         ADD_PKCS7SIGNEDVECTOR(
33913          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33914          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33915          NULL, 0,
33916          "pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256_noattr.der", 0,
33917          NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), NULL, 0, 0);
33918 
33919         /* Signed Encrypted FirmwarePkgData, RSA, SHA256, attribs */
33920         ADD_PKCS7SIGNEDVECTOR(
33921          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33922          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33923          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33924          "pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256.der", 0,
33925          NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key),
33926          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0);
33927     #endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */
33928 
33929     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
33930         /* Signed Compressed FirmwarePkgData, RSA, SHA256, no attribs */
33931         ADD_PKCS7SIGNEDVECTOR(
33932          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33933          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33934          NULL, 0,
33935          "pkcs7signedCompressedFirmwarePkgData_RSA_SHA256_noattr.der", 0,
33936          NULL, 0, 0, 0, 2, NULL, 0, NULL, 0, 0);
33937 
33938         /* Signed Compressed FirmwarePkgData, RSA, SHA256, attribs */
33939         ADD_PKCS7SIGNEDVECTOR(
33940          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33941          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33942          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33943          "pkcs7signedCompressedFirmwarePkgData_RSA_SHA256.der", 0,
33944          NULL, 0, 0, 0, 2, NULL, 0, NULL, 0, 0);
33945 
33946     #ifndef NO_PKCS7_ENCRYPTED_DATA
33947         /* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256,
33948            no attribs */
33949         ADD_PKCS7SIGNEDVECTOR(
33950          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33951          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33952          NULL, 0,
33953          "pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der",
33954          0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL,
33955          0, 0);
33956 
33957         /* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256,
33958            attribs */
33959         ADD_PKCS7SIGNEDVECTOR(
33960          data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
33961          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
33962          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33963          "pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der",
33964          0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key),
33965          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0);
33966     #endif /* !NO_PKCS7_ENCRYPTED_DATA */
33967 
33968     #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
33969 
33970     #endif /* NO_SHA256 */
33971 #endif /* NO_RSA */
33972 
33973 #ifdef HAVE_ECC
33974     #ifndef NO_SHA256
33975         /* Signed FirmwarePkgData, ECDSA, SHA256, no attribs */
33976         ADD_PKCS7SIGNEDVECTOR(
33977          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
33978          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33979          NULL, 0,
33980          "pkcs7signedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
33981          0, 0, 0, 0, NULL, 0, NULL, 0, 0);
33982 
33983         /* Signed FirmwarePkgData, ECDSA, SHA256, attribs */
33984         ADD_PKCS7SIGNEDVECTOR(
33985          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
33986          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33987          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33988          "pkcs7signedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
33989          0, 0, 0, 0, NULL, 0, NULL, 0, 0);
33990 
33991         /* Signed FirmwarePkgData, ECDSA, SHA256, SubjectKeyIdentifier, attr */
33992         ADD_PKCS7SIGNEDVECTOR(
33993          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
33994          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
33995          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
33996          "pkcs7signedFirmwarePkgData_ECDSA_SHA256_SKID.der", 0, NULL,
33997          0, CMS_SKID, 0, 0, NULL, 0, NULL, 0, 0);
33998 
33999     #if !defined(NO_PKCS7_ENCRYPTED_DATA) && \
34000          defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256)
34001         /* Signed Encrypted FirmwarePkgData, ECDSA, SHA256, no attribs */
34002         ADD_PKCS7SIGNEDVECTOR(
34003          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
34004          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
34005          NULL, 0,
34006          "pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
34007          0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), NULL, 0, 0);
34008 
34009         /* Signed Encrypted FirmwarePkgData, ECDSA, SHA256, attribs */
34010         ADD_PKCS7SIGNEDVECTOR(
34011          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
34012          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
34013          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
34014          "pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
34015          0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key),
34016          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0);
34017     #endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */
34018 
34019     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
34020         /* Signed Compressed FirmwarePkgData, ECDSA, SHA256, no attribs */
34021         ADD_PKCS7SIGNEDVECTOR(
34022          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
34023          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
34024          NULL, 0,
34025          "pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
34026          0, 0, 0, 2, NULL, 0, NULL, 0, 0);
34027 
34028         /* Signed Compressed FirmwarePkgData, ECDSA, SHA256, attrib */
34029         ADD_PKCS7SIGNEDVECTOR(
34030          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
34031          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
34032          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
34033          "pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
34034          0, 0, 0, 2, NULL, 0, NULL, 0, 0);
34035 
34036     #ifndef NO_PKCS7_ENCRYPTED_DATA
34037         /* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256,
34038            no attribs */
34039         ADD_PKCS7SIGNEDVECTOR(
34040          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
34041          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
34042          NULL, 0,
34043         "pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der",
34044          0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL,
34045          0, 0);
34046 
34047         /* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256,
34048            attribs */
34049         ADD_PKCS7SIGNEDVECTOR(
34050          data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
34051          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
34052          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
34053         "pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der",
34054          0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key),
34055          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0);
34056     #endif /* !NO_PKCS7_ENCRYPTED_DATA */
34057 
34058     #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
34059 
34060     #endif /* NO_SHA256 */
34061 #endif /* HAVE_ECC */
34062     };
34063 
34064     #undef MAX_TESTVECTORS_LEN
34065     #undef ADD_PKCS7SIGNEDVECTOR
34066 
34067     outSz = FOURK_BUF;
34068     out = (byte*)XMALLOC(outSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34069     if (out == NULL)
34070         ERROR_OUT(-12540, out);
34071 
34072     XMEMSET(out, 0, outSz);
34073 
34074     ret = wc_PKCS7_PadData((byte*)data, sizeof(data), out, outSz, 16);
34075     if (ret < 0)
34076         ERROR_OUT(-12541, out);
34077 
34078 #ifndef HAVE_FIPS
34079     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
34080 #else
34081     ret = wc_InitRng(&rng);
34082 #endif
34083     if (ret != 0)
34084         ERROR_OUT(-12542, out);
34085 
34086     for (i = 0; i < testSz; i++) {
34087         if (pkcs7)
34088             wc_PKCS7_Free(pkcs7);
34089         pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
34090         if (pkcs7 == NULL)
34091             ERROR_OUT(-12543, out);
34092 
34093         ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
34094                                     (word32)testVectors[i].certSz);
34095 
34096         if (ret != 0)
34097             ERROR_OUT(-12544, out);
34098 
34099         /* load CA certificate, if present */
34100         if (testVectors[i].caCert != NULL) {
34101             ret = wc_PKCS7_AddCertificate(pkcs7, testVectors[i].caCert,
34102                                           (word32)testVectors[i].caCertSz);
34103             if (ret != 0)
34104                 ERROR_OUT(-12545, out);
34105         }
34106 
34107         /* set SignerIdentifier to use SubjectKeyIdentifier if desired,
34108            default is IssuerAndSerialNumber */
34109         if (testVectors[i].sidType == CMS_SKID) {
34110             ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
34111             if (ret != 0)
34112                 ERROR_OUT(-12546, out);
34113         }
34114 
34115         if (testVectors[i].encCompFlag == 0) {
34116 
34117             /* encode Signed FirmwarePkgData */
34118             encodedSz = wc_PKCS7_EncodeSignedFPD(pkcs7,
34119                     testVectors[i].privateKey, testVectors[i].privateKeySz,
34120                     testVectors[i].signOID, testVectors[i].hashOID,
34121                     (byte*)testVectors[i].content, testVectors[i].contentSz,
34122                     testVectors[i].signedAttribs,
34123                     testVectors[i].signedAttribsSz, out, outSz);
34124 
34125             if (encodedSz < 0)
34126                 ERROR_OUT(-12547, out);
34127 
34128     #ifndef NO_PKCS7_ENCRYPTED_DATA
34129 
34130         } else if (testVectors[i].encCompFlag == 1) {
34131 
34132             /* encode Signed Encrypted FirmwarePkgData */
34133             encodedSz = wc_PKCS7_EncodeSignedEncryptedFPD(pkcs7,
34134                     testVectors[i].encryptKey, testVectors[i].encryptKeySz,
34135                     testVectors[i].privateKey, testVectors[i].privateKeySz,
34136                     testVectors[i].encryptOID, testVectors[i].signOID,
34137                     testVectors[i].hashOID, (byte*)testVectors[i].content,
34138                     testVectors[i].contentSz, testVectors[i].unprotectedAttribs,
34139                     testVectors[i].unprotectedAttribsSz,
34140                     testVectors[i].signedAttribs,
34141                     testVectors[i].signedAttribsSz, out, outSz);
34142 
34143             if (encodedSz <= 0)
34144                 ERROR_OUT(-12548, out);
34145     #endif
34146 
34147     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
34148         } else if (testVectors[i].encCompFlag == 2) {
34149 
34150             /* encode Signed Compressed FirmwarePkgData */
34151             encodedSz = wc_PKCS7_EncodeSignedCompressedFPD(pkcs7,
34152                     testVectors[i].privateKey, testVectors[i].privateKeySz,
34153                     testVectors[i].signOID, testVectors[i].hashOID,
34154                     (byte*)testVectors[i].content, testVectors[i].contentSz,
34155                     testVectors[i].signedAttribs,
34156                     testVectors[i].signedAttribsSz, out, outSz);
34157 
34158             if (encodedSz <= 0)
34159                 ERROR_OUT(-12549, out);
34160 
34161         #ifndef NO_PKCS7_ENCRYPTED_DATA
34162         } else if (testVectors[i].encCompFlag == 3) {
34163 
34164             /* encode Signed Encrypted Compressed FirmwarePkgData */
34165             encodedSz = wc_PKCS7_EncodeSignedEncryptedCompressedFPD(pkcs7,
34166                     testVectors[i].encryptKey, testVectors[i].encryptKeySz,
34167                     testVectors[i].privateKey, testVectors[i].privateKeySz,
34168                     testVectors[i].encryptOID, testVectors[i].signOID,
34169                     testVectors[i].hashOID, (byte*)testVectors[i].content,
34170                     testVectors[i].contentSz, testVectors[i].unprotectedAttribs,
34171                     testVectors[i].unprotectedAttribsSz,
34172                     testVectors[i].signedAttribs,
34173                     testVectors[i].signedAttribsSz, out, outSz);
34174 
34175             if (encodedSz <= 0)
34176                 ERROR_OUT(-12550, out);
34177 
34178         #endif /* NO_PKCS7_ENCRYPTED_DATA */
34179     #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
34180 
34181         } else {
34182             /* unsupported SignedData single-shot combination */
34183             ERROR_OUT(-12551, out);
34184         }
34185 
34186     #ifdef PKCS7_OUTPUT_TEST_BUNDLES
34187         /* write PKCS#7 to output file for more testing */
34188         file = XFOPEN(testVectors[i].outFileName, "wb");
34189         if (!file)
34190             ERROR_OUT(-12552, out);
34191         ret = (int)XFWRITE(out, 1, encodedSz, file);
34192         XFCLOSE(file);
34193         file = NULL;
34194         if (ret != (int)encodedSz)
34195             ERROR_OUT(-12553);
34196     #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
34197 
34198         wc_PKCS7_Free(pkcs7);
34199 
34200         pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
34201         if (pkcs7 == NULL)
34202             ERROR_OUT(-12554, out);
34203         wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
34204 
34205         ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz);
34206         if (ret < 0)
34207             ERROR_OUT(-12555, out);
34208 #ifndef NO_PKCS7_STREAM
34209         {
34210             word32 z;
34211             for (z = 0; z < outSz && ret != 0; z++) {
34212                 ret = wc_PKCS7_VerifySignedData(pkcs7, out + z, 1);
34213                 if (ret < 0 && ret != WC_PKCS7_WANT_READ_E) {
34214                     printf("unexpected error %d\n", ret);
34215                     ERROR_OUT(-12556, out);
34216                 }
34217             }
34218         }
34219 #endif
34220 
34221         if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0)
34222             ERROR_OUT(-12557, out);
34223 
34224         if (testVectors[i].encCompFlag == 0) {
34225             /* verify decoded content matches expected */
34226             if ((pkcs7->contentSz != testVectors[i].contentSz) ||
34227                 XMEMCMP(pkcs7->content, testVectors[i].content,
34228                         pkcs7->contentSz)) {
34229                 ERROR_OUT(-12558, out);
34230             }
34231 
34232         }
34233     #ifndef NO_PKCS7_ENCRYPTED_DATA
34234         else if (testVectors[i].encCompFlag == 1) {
34235 
34236             /* decrypt inner encryptedData */
34237             pkcs7->encryptionKey = testVectors[i].encryptKey;
34238             pkcs7->encryptionKeySz = testVectors[i].encryptKeySz;
34239 
34240             ret = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content,
34241                                                pkcs7->contentSz, out, outSz);
34242             if (ret < 0)
34243                 ERROR_OUT(-12559, out);
34244 
34245             /* compare decrypted to expected */
34246             if (((word32)ret != testVectors[i].contentSz) ||
34247                 XMEMCMP(out, testVectors[i].content, ret))
34248                 ERROR_OUT(-12560, out);
34249         }
34250     #endif
34251     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
34252         else if (testVectors[i].encCompFlag == 2) {
34253 
34254             /* decompress inner compressedData */
34255             ret = wc_PKCS7_DecodeCompressedData(pkcs7, pkcs7->content,
34256                                                 pkcs7->contentSz, out, outSz);
34257             if (ret < 0)
34258                 ERROR_OUT(-12561, out);
34259 
34260             /* compare decompressed to expected */
34261             if (((word32)ret != testVectors[i].contentSz) ||
34262                 XMEMCMP(out, testVectors[i].content, ret))
34263                 ERROR_OUT(-12562, out);
34264         }
34265     #ifndef NO_PKCS7_ENCRYPTED_DATA
34266         else if (testVectors[i].encCompFlag == 3) {
34267 
34268             encryptedTmpSz = FOURK_BUF;
34269             encryptedTmp = (byte*)XMALLOC(encryptedTmpSz, HEAP_HINT,
34270                                           DYNAMIC_TYPE_TMP_BUFFER);
34271             if (encryptedTmp == NULL)
34272                 ERROR_OUT(-12563, out);
34273 
34274             XMEMSET(encryptedTmp, 0, encryptedTmpSz);
34275 
34276             /* decrypt inner encryptedData */
34277             pkcs7->encryptionKey = testVectors[i].encryptKey;
34278             pkcs7->encryptionKeySz = testVectors[i].encryptKeySz;
34279 
34280             encryptedTmpSz = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content,
34281                                                pkcs7->contentSz, encryptedTmp,
34282                                                encryptedTmpSz);
34283 
34284             if (encryptedTmpSz < 0 || pkcs7->contentOID != COMPRESSED_DATA)
34285                 ERROR_OUT(-12564, out);
34286 
34287             /* decompress inner compressedData */
34288             ret = wc_PKCS7_DecodeCompressedData(pkcs7, encryptedTmp,
34289                                                 encryptedTmpSz, out, outSz);
34290             if (ret < 0)
34291                 ERROR_OUT(-12565, out);
34292 
34293             /* compare decompressed to expected */
34294             if (((word32)ret != testVectors[i].contentSz) ||
34295                 XMEMCMP(out, testVectors[i].content, ret))
34296                 ERROR_OUT(-12566, out);
34297         }
34298     #endif /* NO_PKCS7_ENCRYPTED_DATA */
34299     #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
34300 
34301     }
34302 
34303   out:
34304 
34305     if (pkcs7 != NULL)
34306         wc_PKCS7_Free(pkcs7);
34307     if (out != NULL)
34308         XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34309     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA) && \
34310         !defined(NO_PKCS7_ENCRYPTED_DATA)
34311     if (encryptedTmp != NULL)
34312         XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34313     #endif
34314     if (testVectors != NULL)
34315         XFREE(testVectors, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34316     wc_FreeRng(&rng);
34317 
34318     if (ret > 0)
34319         return 0;
34320 
34321     (void)eccClientCertBuf;
34322     (void)eccClientCertBufSz;
34323     (void)eccClientPrivKeyBuf;
34324     (void)eccClientPrivKeyBufSz;
34325 
34326     (void)rsaClientCertBuf;
34327     (void)rsaClientCertBufSz;
34328     (void)rsaClientPrivKeyBuf;
34329     (void)rsaClientPrivKeyBufSz;
34330     (void)rsaServerCertBuf;
34331     (void)rsaServerCertBufSz;
34332     (void)rsaServerPrivKeyBuf;
34333     (void)rsaServerPrivKeyBufSz;
34334     (void)rsaCaCertBuf;
34335     (void)rsaCaCertBufSz;
34336     (void)rsaCaPrivKeyBuf;
34337     (void)rsaCaPrivKeyBufSz;
34338 
34339     return ret;
34340 }
34341 
34342 
34343 WOLFSSL_TEST_SUBROUTINE int pkcs7signed_test(void)
34344 {
34345     int ret = 0;
34346 
34347     byte* rsaClientCertBuf    = NULL;
34348     byte* rsaServerCertBuf    = NULL;
34349     byte* rsaCaCertBuf        = NULL;
34350     byte* eccClientCertBuf    = NULL;
34351     byte* rsaClientPrivKeyBuf = NULL;
34352     byte* rsaServerPrivKeyBuf = NULL;
34353     byte* rsaCaPrivKeyBuf     = NULL;
34354     byte* eccClientPrivKeyBuf = NULL;
34355 
34356     word32 rsaClientCertBufSz    = 0;
34357     word32 rsaServerCertBufSz    = 0;
34358     word32 rsaCaCertBufSz        = 0;
34359     word32 eccClientCertBufSz    = 0;
34360     word32 rsaClientPrivKeyBufSz = 0;
34361     word32 rsaServerPrivKeyBufSz = 0;
34362     word32 rsaCaPrivKeyBufSz     = 0;
34363     word32 eccClientPrivKeyBufSz = 0;
34364 
34365 #ifndef NO_RSA
34366     /* read client RSA cert and key in DER format */
34367     rsaClientCertBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
34368                                       DYNAMIC_TYPE_TMP_BUFFER);
34369     if (rsaClientCertBuf == NULL)
34370         ret = -12600;
34371 
34372     rsaClientPrivKeyBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
34373                                          DYNAMIC_TYPE_TMP_BUFFER);
34374     if (ret == 0 && rsaClientPrivKeyBuf == NULL) {
34375         ret = -12601;
34376     }
34377 
34378     rsaClientCertBufSz = FOURK_BUF;
34379     rsaClientPrivKeyBufSz = FOURK_BUF;
34380 
34381     /* read server RSA cert and key in DER format */
34382     rsaServerCertBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
34383                                       DYNAMIC_TYPE_TMP_BUFFER);
34384     if (ret == 0 && rsaServerCertBuf == NULL)
34385         ret = -12602;
34386 
34387     rsaServerPrivKeyBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
34388                                          DYNAMIC_TYPE_TMP_BUFFER);
34389     if (ret == 0 && rsaServerPrivKeyBuf == NULL) {
34390         ret = -12603;
34391     }
34392 
34393     rsaServerCertBufSz = FOURK_BUF;
34394     rsaServerPrivKeyBufSz = FOURK_BUF;
34395 
34396     /* read CA RSA cert and key in DER format, for use with server cert */
34397     rsaCaCertBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
34398                                   DYNAMIC_TYPE_TMP_BUFFER);
34399     if (ret == 0 && rsaCaCertBuf == NULL)
34400         ret = -12604;
34401 
34402     rsaCaPrivKeyBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
34403                                      DYNAMIC_TYPE_TMP_BUFFER);
34404     if (ret == 0 && rsaCaPrivKeyBuf == NULL) {
34405         ret = -12605;
34406     }
34407 
34408     rsaCaCertBufSz = FOURK_BUF;
34409     rsaCaPrivKeyBufSz = FOURK_BUF;
34410 #endif /* NO_RSA */
34411 
34412 #ifdef HAVE_ECC
34413     /* read client ECC cert and key in DER format */
34414     eccClientCertBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
34415                                       DYNAMIC_TYPE_TMP_BUFFER);
34416     if (ret == 0 && eccClientCertBuf == NULL) {
34417         ret = -12606;
34418     }
34419 
34420     eccClientPrivKeyBuf =(byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
34421                                         DYNAMIC_TYPE_TMP_BUFFER);
34422     if (ret == 0 && eccClientPrivKeyBuf == NULL) {
34423         ret = -12607;
34424     }
34425 
34426     eccClientCertBufSz = FOURK_BUF;
34427     eccClientPrivKeyBufSz = FOURK_BUF;
34428 #endif /* HAVE_ECC */
34429 
34430     if (ret >= 0)
34431         ret = pkcs7_load_certs_keys(rsaClientCertBuf, &rsaClientCertBufSz,
34432                                 rsaClientPrivKeyBuf, &rsaClientPrivKeyBufSz,
34433                                 rsaServerCertBuf, &rsaServerCertBufSz,
34434                                 rsaServerPrivKeyBuf, &rsaServerPrivKeyBufSz,
34435                                 rsaCaCertBuf, &rsaCaCertBufSz,
34436                                 rsaCaPrivKeyBuf, &rsaCaPrivKeyBufSz,
34437                                 eccClientCertBuf, &eccClientCertBufSz,
34438                                 eccClientPrivKeyBuf, &eccClientPrivKeyBufSz);
34439     if (ret < 0) {
34440         ret = -12608;
34441     }
34442 
34443     if (ret >= 0)
34444         ret = pkcs7signed_run_vectors(rsaClientCertBuf, (word32)rsaClientCertBufSz,
34445                             rsaClientPrivKeyBuf, (word32)rsaClientPrivKeyBufSz,
34446                             rsaServerCertBuf, (word32)rsaServerCertBufSz,
34447                             rsaServerPrivKeyBuf, (word32)rsaServerPrivKeyBufSz,
34448                             rsaCaCertBuf, (word32)rsaCaCertBufSz,
34449                             rsaCaPrivKeyBuf, (word32)rsaCaPrivKeyBufSz,
34450                             eccClientCertBuf, (word32)eccClientCertBufSz,
34451                             eccClientPrivKeyBuf, (word32)eccClientPrivKeyBufSz);
34452 
34453     if (ret >= 0)
34454         ret = pkcs7signed_run_SingleShotVectors(
34455                             rsaClientCertBuf, (word32)rsaClientCertBufSz,
34456                             rsaClientPrivKeyBuf, (word32)rsaClientPrivKeyBufSz,
34457                             rsaServerCertBuf, (word32)rsaServerCertBufSz,
34458                             rsaServerPrivKeyBuf, (word32)rsaServerPrivKeyBufSz,
34459                             rsaCaCertBuf, (word32)rsaCaCertBufSz,
34460                             rsaCaPrivKeyBuf, (word32)rsaCaPrivKeyBufSz,
34461                             eccClientCertBuf, (word32)eccClientCertBufSz,
34462                             eccClientPrivKeyBuf, (word32)eccClientPrivKeyBufSz);
34463 
34464 #if !defined(NO_RSA) && !defined(NO_AES) && defined(HAVE_AES_CBC)
34465     if (ret >= 0)
34466         ret = pkcs7callback_test(
34467                             rsaClientCertBuf, (word32)rsaClientCertBufSz,
34468                             rsaClientPrivKeyBuf, (word32)rsaClientPrivKeyBufSz);
34469 #endif
34470 
34471     XFREE(rsaClientCertBuf,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34472     XFREE(rsaClientPrivKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34473     XFREE(rsaServerCertBuf,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34474     XFREE(rsaServerPrivKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34475     XFREE(rsaCaCertBuf,        HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34476     XFREE(rsaCaPrivKeyBuf,     HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34477     XFREE(eccClientCertBuf,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34478     XFREE(eccClientPrivKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
34479 
34480     return ret;
34481 }
34482 
34483 #endif /* HAVE_PKCS7 */
34484 
34485 #ifdef HAVE_VALGRIND
34486 /* Need a static build to have access to symbols. */
34487 
34488 /* Maximum number of bytes in a number to test. */
34489 #define MP_MAX_TEST_BYTE_LEN      32
34490 
34491 static int randNum(mp_int* n, int len, WC_RNG* rng, void* heap)
34492 {
34493     byte d[MP_MAX_TEST_BYTE_LEN];
34494     int  ret;
34495 
34496     (void)heap;
34497 
34498     do {
34499         ret = wc_RNG_GenerateBlock(rng, d, len);
34500         if (ret != 0)
34501             return ret;
34502         ret = mp_read_unsigned_bin(n, d, len);
34503         if (ret != 0)
34504             return ret;
34505     } while (mp_iszero(n));
34506 
34507     return 0;
34508 }
34509 
34510 #if defined(WOLFSSL_SP_MATH_ALL) || !defined(USE_FAST_MATH)
34511 static int mp_test_div_3(mp_int* a, mp_int* r, WC_RNG* rng)
34512 {
34513     int i, j;
34514     mp_digit rem;
34515     mp_digit rem2;
34516 
34517 #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
34518     defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)
34519     for (i = 0; i < 10; i++) {
34520         for (j = 1; j < 10; j++) {
34521             if (randNum(a, j, rng, NULL) != 0)
34522                 return -12620;
34523             if (mp_div_3(a, r, &rem) != 0)
34524                 return -12621;
34525             if (mp_mul_d(r, 3, r) != 0)
34526                 return -12622;
34527             if (mp_add_d(r, rem, r) != 0)
34528                 return -12623;
34529             if (mp_cmp(r, a) != MP_EQ)
34530                 return -12624;
34531         }
34532     }
34533 
34534     if (mp_div_3(a, r, &rem) != 0)
34535         return -12625;
34536     if (mp_div_3(a, a, NULL) != 0)
34537         return -12626;
34538     if (mp_cmp(r, a) != MP_EQ)
34539         return -12627;
34540 #endif
34541 
34542 #if defined(WOLFSSL_SP_MATH_ALL)
34543     if (mp_div_d(a, 10, r, &rem) != 0)
34544         return -12628;
34545     if (mp_div_d(a, 10, a, NULL) != 0)
34546         return -12629;
34547     if (mp_cmp(r, a) != MP_EQ)
34548         return -12630;
34549 
34550     if (mp_div_d(a, 12, r, &rem) != 0)
34551         return -12631;
34552     if (mp_div_d(a, 12, a, NULL) != 0)
34553         return -12632;
34554     if (mp_cmp(r, a) != MP_EQ)
34555         return -12633;
34556 
34557     if (mp_div_d(a, (mp_digit)1 << (DIGIT_BIT / 2), r, &rem) != 0)
34558         return -12634;
34559     if (mp_div_d(a, (mp_digit)1 << (DIGIT_BIT / 2), NULL, &rem2) != 0)
34560         return -12635;
34561     if (mp_div_d(a, (mp_digit)1 << (DIGIT_BIT / 2), a, NULL) != 0)
34562         return -12636;
34563     if (mp_cmp(r, a) != MP_EQ)
34564         return -12637;
34565     if (rem != rem2)
34566         return -12638;
34567 #endif
34568 
34569     (void)a;
34570     (void)r;
34571     (void)rng;
34572     (void)i;
34573     (void)j;
34574     (void)rem;
34575     (void)rem2;
34576 
34577     return 0;
34578 }
34579 #endif /* WOLFSSL_SP_MATH || !USE_FAST_MATH */
34580 
34581 #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && \
34582     !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
34583     (!defined WOLFSSL_SP_MATH && !defined(WOLFSSL_SP_MATH_ALL) && \
34584     (defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)))
34585 static int mp_test_radix_10(mp_int* a, mp_int* r, WC_RNG* rng)
34586 {
34587     int ret;
34588     int i, j;
34589     int size;
34590     char str[30];
34591     WOLFSSL_SMALL_STACK_STATIC const char* badStr1 = "A";
34592     WOLFSSL_SMALL_STACK_STATIC const char* badStr2 = "a";
34593     WOLFSSL_SMALL_STACK_STATIC const char* badStr3 = " ";
34594     WOLFSSL_SMALL_STACK_STATIC const char* zeros = "000";
34595     WOLFSSL_SMALL_STACK_STATIC const char* empty = "";
34596 
34597     for (i = 0; i < 10; i++) {
34598         for (j = 2; j < 12; j++) {
34599             if (randNum(a, j, rng, NULL) != 0)
34600                 return -12640;
34601             if (mp_radix_size(a, MP_RADIX_DEC, &size) != MP_OKAY)
34602                 return -12641;
34603             if (mp_toradix(a, str, MP_RADIX_DEC) != MP_OKAY)
34604                 return -12660;
34605             if ((int)XSTRLEN(str) != size - 1)
34606                 return -12642;
34607             if (mp_read_radix(r, str, MP_RADIX_DEC) != MP_OKAY)
34608                 return -12661;
34609             if (mp_cmp(a, r) != MP_EQ)
34610                 return -12643;
34611         }
34612     }
34613 
34614     if (mp_read_radix(r, badStr1, MP_RADIX_DEC) != MP_VAL)
34615         return -12644;
34616     if (mp_read_radix(r, badStr2, MP_RADIX_DEC) != MP_VAL)
34617         return -12645;
34618     if (mp_read_radix(r, badStr3, MP_RADIX_DEC) != MP_VAL)
34619         return -12646;
34620 
34621     if (mp_read_radix(r, zeros, MP_RADIX_DEC) != MP_OKAY)
34622         return -12647;
34623     if (!mp_iszero(r))
34624         return -12648;
34625     mp_set(r, 1);
34626     if (mp_read_radix(r, empty, MP_RADIX_DEC) != MP_OKAY)
34627         return -12649;
34628     if (!mp_iszero(r))
34629         return -12650;
34630 
34631     mp_zero(a);
34632     ret = mp_radix_size(a, MP_RADIX_DEC, &size);
34633     if (ret != 0)
34634         return -12651;
34635     if (size != 2)
34636         return -12652;
34637     ret = mp_toradix(a, str, MP_RADIX_DEC);
34638     if (ret != 0)
34639         return -12653;
34640     if ((int)XSTRLEN(str) != size - 1)
34641         return -12654;
34642     ret = mp_read_radix(r, str, MP_RADIX_DEC);
34643     if (ret != 0)
34644         return -12655;
34645     if (!mp_iszero(r))
34646         return -12656;
34647 
34648     return 0;
34649 }
34650 #endif
34651 
34652 #if defined(WOLFSSL_SP_MATH_ALL) || (!defined WOLFSSL_SP_MATH && \
34653                                                               defined(HAVE_ECC))
34654 static int mp_test_radix_16(mp_int* a, mp_int* r, WC_RNG* rng)
34655 {
34656     int ret;
34657     int i, j;
34658     int size;
34659     char str[30];
34660 #if defined(WOLFSSL_SP_MATH) || defined(USE_FAST_MATH)
34661     static char longStr[2 * sizeof(a->dp) + 2];
34662 #endif
34663     WOLFSSL_SMALL_STACK_STATIC const char* badStr1 = " ";
34664     WOLFSSL_SMALL_STACK_STATIC const char* badStr2 = "}";
34665     WOLFSSL_SMALL_STACK_STATIC const char* empty = "";
34666 
34667     for (i = 0; i < 10; i++) {
34668         for (j = 2; j < 12; j++) {
34669             if (randNum(a, j, rng, NULL) != 0)
34670                     return -12660;
34671             mp_radix_size(a, MP_RADIX_HEX, &size);
34672             mp_toradix(a, str, MP_RADIX_HEX);
34673             if ((int)XSTRLEN(str) != size - 1)
34674                 return -12661;
34675             mp_read_radix(r, str, MP_RADIX_HEX);
34676             if (mp_cmp(a, r) != MP_EQ)
34677                 return -12662;
34678         }
34679     }
34680 
34681     if (mp_read_radix(r, badStr1, MP_RADIX_HEX) != MP_VAL)
34682         return -12663;
34683     if (mp_read_radix(r, badStr2, MP_RADIX_HEX) != MP_VAL)
34684         return -12664;
34685 
34686     mp_set(r, 1);
34687     if (mp_read_radix(r, empty, MP_RADIX_HEX) != MP_OKAY)
34688         return -12665;
34689     if (!mp_iszero(r))
34690         return -12666;
34691 
34692 #if defined(WOLFSSL_SP_MATH) || defined(USE_FAST_MATH)
34693     /* Fixed MP data size - string can be too long. */
34694     longStr[0] = '8';
34695     XMEMSET(longStr+1, '0', sizeof(longStr) - 2);
34696     longStr[sizeof(longStr)-1] = '\0';
34697     if (mp_read_radix(r, longStr, MP_RADIX_HEX) != MP_VAL)
34698         return -12667;
34699 #endif
34700 
34701     mp_zero(a);
34702     ret = mp_radix_size(a, MP_RADIX_HEX, &size);
34703     if (ret != 0)
34704         return -12668;
34705 #ifndef WC_DISABLE_RADIX_ZERO_PAD
34706     if (size != 3)
34707 #else
34708     if (size != 2)
34709 #endif
34710         return -12669;
34711     ret = mp_toradix(a, str, MP_RADIX_HEX);
34712     if (ret != 0)
34713         return -12670;
34714     if ((int)XSTRLEN(str) != size - 1)
34715         return -12671;
34716     ret = mp_read_radix(r, str, MP_RADIX_HEX);
34717     if (ret != 0)
34718         return -12672;
34719     if (!mp_iszero(r))
34720         return -12673;
34721 
34722 #ifdef WOLFSSL_SP_MATH
34723     ret = mp_toradix(a, str, 8);
34724     if (ret != MP_VAL)
34725         return -12674;
34726     ret = mp_radix_size(a, 8, &size);
34727     if (ret != MP_VAL)
34728         return -12675;
34729 #endif
34730 
34731     return 0;
34732 }
34733 #endif
34734 
34735 static int mp_test_shift(mp_int* a, mp_int* r1, WC_RNG* rng)
34736 {
34737     int i;
34738 
34739     if (randNum(a, 4, rng, NULL) != 0)
34740         return -12680;
34741     for (i = 0; i < 4; i++) {
34742         mp_copy(r1, a);
34743         if (mp_lshd(r1, i) != MP_OKAY)
34744             return -12681;
34745         mp_rshd(r1, i);
34746         if (mp_cmp(a, r1) != MP_EQ)
34747             return -12682;
34748     }
34749 #ifndef WOLFSSL_SP_MATH
34750     for (i = 0; i < DIGIT_BIT+1; i++) {
34751         if (mp_mul_2d(a, i, r1) != MP_OKAY)
34752             return -12683;
34753         mp_rshb(r1, i);
34754         if (mp_cmp(a, r1) != MP_EQ)
34755             return -12684;
34756     }
34757 #endif
34758 
34759     return 0;
34760 }
34761 
34762 static int mp_test_add_sub_d(mp_int* a, mp_int* r1)
34763 {
34764     int i, j;
34765 
34766     for (i = 0; i <= DIGIT_BIT * 2; i++) {
34767         mp_zero(a);
34768         mp_set_bit(a, i);
34769         if (a->used != (i + DIGIT_BIT) / DIGIT_BIT)
34770             return -12690;
34771         for (j = 0; j < i && j < DIGIT_BIT; j++) {
34772             mp_zero(r1);
34773             mp_set_bit(r1, i);
34774             if (mp_sub_d(r1, (mp_digit)1 << j, r1) != MP_OKAY)
34775                 return -12691;
34776             if (mp_add_d(r1, (mp_digit)1 << j, r1) != MP_OKAY)
34777                 return -12692;
34778             if (mp_cmp(a, r1) != MP_EQ)
34779                 return -12693;
34780         }
34781     }
34782 
34783     mp_zero(r1);
34784     if (mp_add_d(r1, 1, r1) != MP_OKAY)
34785         return -12694;
34786     if (r1->used != 1)
34787         return -12695;
34788     if (mp_sub_d(r1, 1, r1) != MP_OKAY)
34789         return -12696;
34790     if (r1->used != 0)
34791         return -12697;
34792 
34793     return 0;
34794 }
34795 
34796 static int mp_test_read_to_bin(mp_int* a)
34797 {
34798     WOLFSSL_SMALL_STACK_STATIC const byte in[16] = {
34799         0x91, 0xa2, 0xb3, 0xc4, 0xd5, 0xe6, 0xf7, 0x08,
34800         0x93, 0xa4, 0xb4, 0xc5, 0xd6, 0xe7, 0xf8, 0x09
34801     };
34802     byte out[24];
34803     int i, j, k;
34804     const byte* p;
34805     int ret;
34806 
34807     for (i = 0; i < (int)sizeof(in); i++) {
34808         p = in + sizeof(in) - i;
34809         ret = mp_read_unsigned_bin(a, p, i);
34810         if (ret != 0)
34811             return -12710;
34812         for (j = i; j < (int)sizeof(out); j++) {
34813             XMEMSET(out, 0xff, sizeof(out));
34814             ret = mp_to_unsigned_bin_len(a, out, j);
34815             if (ret != 0)
34816                 return -12711;
34817             for (k = 0; k < j - i; k++) {
34818                 if (out[k] != 0)
34819                     return -12712;
34820             }
34821             for (; k < j; k++) {
34822                 if (out[k] != p[k - (j - i)])
34823                     return -12713;
34824             }
34825         }
34826     }
34827 
34828     ret = mp_read_unsigned_bin(a, NULL, 0);
34829     if (ret != 0)
34830         return -12714;
34831     if (!mp_iszero(a))
34832         return -12715;
34833 
34834     return 0;
34835 }
34836 
34837 #if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
34838 static int mp_test_set_int(mp_int* a)
34839 {
34840 #if SP_ULONG_BITS == 64
34841     unsigned long n = 0xfedcba9876543210UL;
34842     byte exp[8] = { 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 };
34843     byte out[8] = { 0 };
34844 #elif SP_ULONG_BITS == 32
34845     unsigned long n = 0xfedcba98UL;
34846     byte exp[4] = { 0xfe, 0xdc, 0xba, 0x98 };
34847     byte out[4] = { 0 };
34848 #elif SP_ULONG_BITS == 16
34849     unsigned long n = 0xfedc;
34850     byte exp[2] = { 0xfe, 0xdc };
34851     byte out[2] = { 0 };
34852 #elif SP_ULONG_BITS == 8
34853     unsigned long n = 0xfe;
34854     byte exp[1] = { 0xfe };
34855     byte out[1] = { 0 };
34856 #endif
34857     int ret;
34858 
34859     ret = mp_set_int(a, n);
34860     if (ret != 0)
34861         return -12720;
34862 
34863     ret = mp_unsigned_bin_size(a);
34864     if (ret != sizeof(exp))
34865         return -12721;
34866     ret = mp_to_unsigned_bin(a, out);
34867     if (ret != 0)
34868         return -12722;
34869     if (XMEMCMP(exp, out, sizeof(exp)) != 0)
34870         return -12723;
34871 
34872     return 0;
34873 }
34874 #endif
34875 
34876 #if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
34877 static int mp_test_param(mp_int* a, mp_int* b, mp_int* r, WC_RNG* rng)
34878 {
34879     byte buffer[16];
34880 #if defined(HAVE_ECC) || defined(WOLFSSL_SP_MATH_ALL)
34881     char hexStr[] = "abcdef0123456789";
34882 #ifndef WOLFSSL_SP_INT_NEGATIVE
34883     char negStr[] = "-1234";
34884 #endif
34885 #endif
34886 #if !defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_KEY_GEN) || \
34887                                                           defined(HAVE_COMP_KEY)
34888     char decStr[] = "0987654321";
34889 #endif
34890     int ret;
34891 #ifdef WOLFSSL_SP_MATH_ALL
34892     mp_digit rho;
34893     int size;
34894 #endif
34895 #if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH)
34896     int result;
34897 #endif
34898 #if (defined(HAVE_ECC) && defined(HAVE_COMP_KEY)) || \
34899                             (defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN))
34900     mp_digit rd;
34901 #endif
34902 
34903     (void)rng;
34904     (void)r;
34905 
34906     ret = mp_init(NULL);
34907     if (ret != MP_VAL)
34908         return -12730;
34909 
34910 #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || (!defined(NO_DH) || defined(HAVE_ECC))
34911     ret = mp_init_multi(NULL, NULL, NULL, NULL, NULL, NULL);
34912     if (ret != MP_OKAY)
34913         return -12731;
34914 #endif
34915 
34916     mp_free(NULL);
34917 
34918 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) || !defined(NO_DH) || defined(HAVE_ECC)
34919     ret = mp_grow(NULL, 1);
34920     if (ret != MP_VAL)
34921         return -12732;
34922 #ifdef WOLFSSL_SP_MATH
34923     ret = mp_grow(a, SP_INT_DIGITS + 1);
34924     if (ret != MP_MEM)
34925         return -12733;
34926 #endif
34927 #endif
34928 
34929     mp_clear(NULL);
34930 
34931     ret = mp_abs(NULL, NULL);
34932     if (ret != MP_VAL)
34933         return -12734;
34934     ret = mp_abs(a, NULL);
34935     if (ret != MP_VAL)
34936         return -12735;
34937     ret = mp_abs(NULL, b);
34938     if (ret != MP_VAL)
34939         return -12736;
34940 
34941     ret = mp_unsigned_bin_size(NULL);
34942     if (ret != 0)
34943         return -12737;
34944 
34945     ret = mp_read_unsigned_bin(NULL, NULL, sizeof(buffer));
34946     if (ret != MP_VAL)
34947         return -12738;
34948     ret = mp_read_unsigned_bin(NULL, buffer, sizeof(buffer));
34949     if (ret != MP_VAL)
34950         return -12739;
34951     ret = mp_read_unsigned_bin(a, NULL, sizeof(buffer));
34952     if (ret != MP_VAL)
34953         return -12740;
34954     ret = mp_read_unsigned_bin(a, buffer, SP_INT_DIGITS * SP_WORD_SIZEOF + 1);
34955     if (ret != MP_VAL)
34956         return -12741;
34957 
34958 #if defined(HAVE_ECC) || defined(WOLFSSL_SP_MATH_ALL)
34959     ret = mp_read_radix(NULL, NULL, 16);
34960     if (ret != MP_VAL)
34961         return -12742;
34962     ret = mp_read_radix(a, NULL, 16);
34963     if (ret != MP_VAL)
34964         return -12743;
34965     ret = mp_read_radix(NULL, hexStr, 16);
34966     if (ret != MP_VAL)
34967         return -12744;
34968 #ifndef WOLFSSL_SP_INT_NEGATIVE
34969     ret = mp_read_radix(a, negStr, 16);
34970     if (ret != MP_VAL)
34971         return -12745;
34972 #ifdef WOLFSSL_SP_MATH_ALL
34973     ret = mp_read_radix(a, negStr, 10);
34974     if (ret != MP_VAL)
34975         return -12746;
34976 #endif /* WOLFSSL_SP_MATH_ALL */
34977 #endif /* WOLFSSL_SP_INT_NEGATIVE */
34978 #endif
34979 #ifndef WOLFSSL_SP_MATH_ALL
34980     /* Radix 10 only supported with ALL. */
34981     ret = mp_read_radix(a, decStr, 10);
34982     if (ret != MP_VAL)
34983         return -12747;
34984 #endif
34985     /* Radix 8 not supported SP_INT. */
34986     ret = mp_read_radix(a, "0123", 8);
34987     if (ret != MP_VAL)
34988         return -12748;
34989 
34990     ret = mp_count_bits(NULL);
34991     if (ret != 0)
34992         return -12749;
34993 
34994     ret = mp_is_bit_set(NULL, 0);
34995     if (ret != 0)
34996         return -12750;
34997 
34998     ret = mp_leading_bit(NULL);
34999     if (ret != 0)
35000         return -12751;
35001     mp_zero(a);
35002     ret = mp_leading_bit(a);
35003     if (ret != 0)
35004         return -12752;
35005 
35006 #if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \
35007     defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || \
35008     !defined(NO_RSA)
35009     ret = mp_set_bit(NULL, 1);
35010     if (ret != MP_VAL)
35011         return -12753;
35012 #endif
35013 
35014 #if !defined(NO_DH) || defined(HAVE_ECC) || defined(WC_RSA_BLINDING) || \
35015     !defined(WOLFSSL_RSA_VERIFY_ONLY)
35016     ret = mp_to_unsigned_bin(NULL, NULL);
35017     if (ret != MP_VAL)
35018         return -12754;
35019     ret = mp_to_unsigned_bin(a, NULL);
35020     if (ret != MP_VAL)
35021         return -12755;
35022     ret = mp_to_unsigned_bin(NULL, buffer);
35023     if (ret != MP_VAL)
35024         return -12756;
35025 #endif
35026 
35027     ret = mp_to_unsigned_bin_len(NULL, NULL, 1);
35028     if (ret != MP_VAL)
35029         return -12757;
35030     ret = mp_to_unsigned_bin_len(a, NULL, 1);
35031     if (ret != MP_VAL)
35032         return -12758;
35033     ret = mp_to_unsigned_bin_len(NULL, buffer, 1);
35034     if (ret != MP_VAL)
35035         return -12759;
35036 
35037 #if defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && \
35038     !defined(WOLFSSL_RSA_VERIFY_ONLY)
35039     ret = mp_to_unsigned_bin_at_pos(0, NULL, NULL);
35040     if (ret != MP_VAL)
35041         return -12760;
35042     ret = mp_to_unsigned_bin_at_pos(0, a, NULL);
35043     if (ret != MP_VAL)
35044         return -12761;
35045     ret = mp_to_unsigned_bin_at_pos(0, NULL, buffer);
35046     if (ret != MP_VAL)
35047         return -12762;
35048     ret = mp_to_unsigned_bin_at_pos(0, a, buffer);
35049     if (ret != MP_OKAY)
35050         return -12763;
35051 #endif
35052 
35053 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) || (!defined(NO_DH) || defined(HAVE_ECC))
35054     ret = mp_copy(NULL, NULL);
35055     if (ret != MP_VAL)
35056         return -12764;
35057     ret = mp_copy(a, NULL);
35058     if (ret != MP_VAL)
35059         return -12765;
35060     ret = mp_copy(NULL, b);
35061     if (ret != MP_VAL)
35062         return -12766;
35063 #endif
35064 
35065 #if defined(WOLFSSL_KEY_GEN) || !defined(NO_DH)
35066     ret = sp_2expt(NULL, 1);
35067     if (ret != MP_VAL)
35068         return -12767;
35069 #endif
35070 
35071     ret = mp_set(NULL, 0);
35072     if (ret != MP_VAL)
35073         return -12768;
35074 
35075     ret = mp_cmp_d(NULL, 0);
35076     if (ret != MP_LT)
35077         return -12769;
35078 
35079     ret = mp_cmp(NULL, NULL);
35080     if (ret != MP_EQ)
35081         return -12770;
35082     ret = mp_cmp(a, NULL);
35083     if (ret != MP_GT)
35084         return -12771;
35085     ret = mp_cmp(NULL, b);
35086     if (ret != MP_LT)
35087         return -12772;
35088 
35089 #if !defined(NO_DH) || defined(HAVE_ECC) || !defined(WOLFSSL_RSA_VERIFY_ONLY)
35090     mp_rshd(NULL, 1);
35091 #endif
35092 
35093     mp_zero(NULL);
35094 
35095 #if !defined(NO_DH) || defined(HAVE_ECC) || defined(WC_RSA_BLINDING) || \
35096     !defined(WOLFSSL_RSA_VERIFY_ONLY)
35097     ret = mp_lshd(NULL, 0);
35098     if (ret != MP_VAL)
35099         return -12773;
35100     ret = mp_lshd(a, SP_INT_DIGITS + 1);
35101     if (ret != MP_VAL)
35102         return -12774;
35103 #endif
35104 
35105 #if defined(WOLFSSL_SP_MATH_ALL)
35106     ret = mp_div(NULL, NULL, a, b);
35107     if (ret != MP_VAL)
35108         return -12775;
35109     ret = mp_div(a, NULL, a, b);
35110     if (ret != MP_VAL)
35111         return -12776;
35112     ret = mp_div(NULL, b, a, b);
35113     if (ret != MP_VAL)
35114         return -12777;
35115     ret = mp_div(a, b, NULL, NULL);
35116     if (ret != MP_VAL)
35117         return -12778;
35118 #endif
35119 
35120 #if defined(WOLFSSL_SP_MATH_ALL) || !defined(NO_DH) || defined(HAVE_ECC) || \
35121     (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
35122     ret = mp_mod(NULL, NULL, NULL);
35123     if (ret != MP_VAL)
35124         return -12779;
35125     ret = mp_mod(a, NULL, NULL);
35126     if (ret != MP_VAL)
35127         return -12780;
35128     ret = mp_mod(NULL, b, NULL);
35129     if (ret != MP_VAL)
35130         return -12781;
35131     ret = mp_mod(NULL, NULL, r);
35132     if (ret != MP_VAL)
35133         return -12782;
35134     ret = mp_mod(a, b, NULL);
35135     if (ret != MP_VAL)
35136         return -12783;
35137     ret = mp_mod(a, NULL, r);
35138     if (ret != MP_VAL)
35139         return -12784;
35140     ret = mp_mod(NULL, b, r);
35141     if (ret != MP_VAL)
35142         return -12785;
35143 #endif
35144 
35145 #if !defined(NO_RSA) || defined(WOLFSSL_SP_MATH_ALL)
35146     ret = mp_set_int(NULL, 0);
35147     if (ret != MP_VAL)
35148         return -12786;
35149 #endif
35150 
35151 #if !defined(NO_RSA) || !defined(NO_DSA) || !defined(NO_DH) || \
35152     (defined(HAVE_ECC) && defined(HAVE_COMP_KEY)) || defined(OPENSSL_EXTRA)
35153     ret = mp_exptmod_ex(NULL, NULL, 1, NULL, NULL);
35154     if (ret != MP_VAL)
35155         return 9950;
35156     ret = mp_exptmod_ex(a, NULL, 1, NULL, NULL);
35157     if (ret != MP_VAL)
35158         return 9951;
35159     ret = mp_exptmod_ex(NULL, a, 1, NULL, NULL);
35160     if (ret != MP_VAL)
35161         return 9952;
35162     ret = mp_exptmod_ex(NULL, NULL, 1, a, NULL);
35163     if (ret != MP_VAL)
35164         return 9953;
35165     ret = mp_exptmod_ex(NULL, NULL, 1, NULL, a);
35166     if (ret != MP_VAL)
35167         return 9954;
35168     ret = mp_exptmod_ex(a, a, 1, a, NULL);
35169     if (ret != MP_VAL)
35170         return 9955;
35171     ret = mp_exptmod_ex(a, a, 1, NULL, a);
35172     if (ret != MP_VAL)
35173         return 9956;
35174     ret = mp_exptmod_ex(a, NULL, 1, a, a);
35175     if (ret != MP_VAL)
35176         return 9957;
35177     ret = mp_exptmod_ex(NULL, a, 1, a, a);
35178     if (ret != MP_VAL)
35179         return 9958;
35180 
35181     ret = mp_exptmod_nct(NULL, NULL, NULL, NULL);
35182     if (ret != MP_VAL)
35183         return 9960;
35184     ret = mp_exptmod_nct(a, NULL, NULL, NULL);
35185     if (ret != MP_VAL)
35186         return 9961;
35187     ret = mp_exptmod_nct(NULL, a, NULL, NULL);
35188     if (ret != MP_VAL)
35189         return 9962;
35190     ret = mp_exptmod_nct(NULL, NULL, a, NULL);
35191     if (ret != MP_VAL)
35192         return 9963;
35193     ret = mp_exptmod_nct(NULL, NULL, NULL, a);
35194     if (ret != MP_VAL)
35195         return 9964;
35196     ret = mp_exptmod_nct(a, a, a, NULL);
35197     if (ret != MP_VAL)
35198         return 9965;
35199     ret = mp_exptmod_nct(a, a, NULL, a);
35200     if (ret != MP_VAL)
35201         return 9966;
35202     ret = mp_exptmod_nct(a, NULL, a, a);
35203     if (ret != MP_VAL)
35204         return 9967;
35205     ret = mp_exptmod_nct(NULL, a, a, a);
35206     if (ret != MP_VAL)
35207         return 9968;
35208 #endif
35209 
35210 #if defined(WOLFSSL_KEY_GEN) && (!defined(NO_DH) || !defined(NO_DSA)) && \
35211     !defined(WC_NO_RNG)
35212     ret = mp_rand_prime(NULL, 32, NULL, NULL);
35213     if (ret != MP_VAL)
35214         return -12787;
35215     ret = mp_rand_prime(a, 32, NULL, NULL);
35216     if (ret != MP_VAL)
35217         return -12788;
35218     ret = mp_rand_prime(NULL, 32, rng, NULL);
35219     if (ret != MP_VAL)
35220         return -12789;
35221     ret = mp_rand_prime(a, 0, rng, NULL);
35222     if (ret != MP_VAL)
35223         return -9969;
35224 #endif
35225 
35226 #if defined(WOLFSSL_SP_MATH_ALL) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
35227     ret = mp_mul(NULL, NULL, NULL);
35228     if (ret != MP_VAL)
35229         return -12790;
35230     ret = mp_mul(a, NULL, NULL);
35231     if (ret != MP_VAL)
35232         return -12791;
35233     ret = mp_mul(NULL, b, NULL);
35234     if (ret != MP_VAL)
35235         return -12792;
35236     ret = mp_mul(NULL, NULL, r);
35237     if (ret != MP_VAL)
35238         return -12793;
35239     ret = mp_mul(a, b, NULL);
35240     if (ret != MP_VAL)
35241         return -12794;
35242     ret = mp_mul(a, NULL, r);
35243     if (ret != MP_VAL)
35244         return -12795;
35245     ret = mp_mul(NULL, b, r);
35246     if (ret != MP_VAL)
35247         return -12796;
35248 #endif
35249 
35250 #if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \
35251     defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
35252     ret = mp_sqr(NULL, NULL);
35253     if (ret != MP_VAL)
35254         return -12797;
35255     ret = mp_sqr(a, NULL);
35256     if (ret != MP_VAL)
35257         return -12798;
35258     ret = mp_sqr(NULL, r);
35259     if (ret != MP_VAL)
35260         return -12799;
35261 #endif
35262 
35263 #if !defined(WOLFSSL_RSA_VERIFY_ONLY)
35264     ret = mp_sqrmod(NULL, NULL, NULL);
35265     if (ret != MP_VAL)
35266         return -12800;
35267     ret = mp_sqrmod(a, NULL, NULL);
35268     if (ret != MP_VAL)
35269         return -12801;
35270     ret = mp_sqrmod(NULL, a, NULL);
35271     if (ret != MP_VAL)
35272         return -12802;
35273     ret = mp_sqrmod(NULL, NULL, a);
35274     if (ret != MP_VAL)
35275         return -12803;
35276     ret = mp_sqrmod(a, b, NULL);
35277     if (ret != MP_VAL)
35278         return -12804;
35279     ret = mp_sqrmod(a, NULL, b);
35280     if (ret != MP_VAL)
35281         return -12805;
35282     ret = mp_sqrmod(NULL, a, b);
35283     if (ret != MP_VAL)
35284         return -12806;
35285 
35286     ret = mp_mulmod(NULL, NULL, NULL, NULL);
35287     if (ret != MP_VAL)
35288         return -12807;
35289     ret = mp_mulmod(a, NULL, NULL, NULL);
35290     if (ret != MP_VAL)
35291         return -12808;
35292     ret = mp_mulmod(NULL, a, NULL, NULL);
35293     if (ret != MP_VAL)
35294         return -12809;
35295     ret = mp_mulmod(NULL, NULL, a, NULL);
35296     if (ret != MP_VAL)
35297         return -12810;
35298     ret = mp_mulmod(NULL, NULL, NULL, a);
35299     if (ret != MP_VAL)
35300         return -12811;
35301     ret = mp_mulmod(a, b, b, NULL);
35302     if (ret != MP_VAL)
35303         return -12812;
35304     ret = mp_mulmod(a, b, NULL, a);
35305     if (ret != MP_VAL)
35306         return -12813;
35307     ret = mp_mulmod(a, NULL, b, a);
35308     if (ret != MP_VAL)
35309         return -12814;
35310     ret = mp_mulmod(NULL, b, b, a);
35311     if (ret != MP_VAL)
35312         return -12815;
35313 #endif
35314 
35315 #if !defined(NO_PWDBASED) || defined(WOLFSSL_KEY_GEN) || !defined(NO_DH) || \
35316     !defined(NO_RSA) || !defined(NO_DSA)
35317     ret = mp_add_d(NULL, 1, NULL);
35318     if (ret != MP_VAL)
35319         return -12816;
35320     ret = mp_add_d(a, 1, NULL);
35321     if (ret != MP_VAL)
35322         return -12817;
35323     ret = mp_add_d(NULL, 1, b);
35324     if (ret != MP_VAL)
35325         return -12818;
35326 #endif
35327 
35328 #if (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
35329     !defined(NO_DH) || defined(HAVE_ECC) || !defined(NO_DSA)
35330     ret = mp_sub_d(NULL, 1, NULL);
35331     if (ret != MP_VAL)
35332         return -12819;
35333     ret = mp_sub_d(a, 1, NULL);
35334     if (ret != MP_VAL)
35335         return -12820;
35336     ret = mp_sub_d(NULL, 1, b);
35337     if (ret != MP_VAL)
35338         return -12821;
35339 #endif
35340 
35341 #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
35342     defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)
35343     ret = mp_div_d(NULL, 0, NULL, NULL);
35344     if (ret != MP_VAL)
35345         return -12822;
35346     ret = mp_div_d(a, 0, NULL, NULL);
35347     if (ret != MP_VAL)
35348         return -12823;
35349     ret = mp_div_d(NULL, 1, NULL, NULL);
35350     if (ret != MP_VAL)
35351         return -12824;
35352 #endif
35353 
35354 #if (defined(HAVE_ECC) && defined(HAVE_COMP_KEY)) || \
35355                             (defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN))
35356     ret = mp_mod_d(NULL, 0, NULL);
35357     if (ret != MP_VAL)
35358         return -12825;
35359     ret = mp_mod_d(a, 0, NULL);
35360     if (ret != MP_VAL)
35361         return -12826;
35362     ret = mp_mod_d(NULL, 0, &rd);
35363     if (ret != MP_VAL)
35364         return -12827;
35365 #endif
35366 
35367 #if defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN)
35368     ret = mp_gcd(NULL, NULL, NULL);
35369     if (ret != MP_VAL)
35370         return -12828;
35371     ret = mp_gcd(a, NULL, NULL);
35372     if (ret != MP_VAL)
35373         return -12829;
35374     ret = mp_gcd(NULL, a, NULL);
35375     if (ret != MP_VAL)
35376         return -12830;
35377     ret = mp_gcd(NULL, NULL, a);
35378     if (ret != MP_VAL)
35379         return -12831;
35380     ret = mp_gcd(a, b, NULL);
35381     if (ret != MP_VAL)
35382         return -12832;
35383     ret = mp_gcd(a, NULL, b);
35384     if (ret != MP_VAL)
35385         return -12833;
35386     ret = mp_gcd(NULL, a, b);
35387     if (ret != MP_VAL)
35388         return -12834;
35389 #endif
35390 
35391 #if !defined(WOLFSSL_SP_MATH) && defined(HAVE_ECC)
35392     ret = mp_div_2_mod_ct(NULL, NULL, NULL);
35393     if (ret != MP_VAL)
35394         return -12835;
35395     ret = mp_div_2_mod_ct(a, NULL, NULL);
35396     if (ret != MP_VAL)
35397         return -12836;
35398     ret = mp_div_2_mod_ct(NULL, b, NULL);
35399     if (ret != MP_VAL)
35400         return -12837;
35401     ret = mp_div_2_mod_ct(NULL, NULL, a);
35402     if (ret != MP_VAL)
35403         return -12838;
35404     ret = mp_div_2_mod_ct(a, b, NULL);
35405     if (ret != MP_VAL)
35406         return -12839;
35407     ret = mp_div_2_mod_ct(a, b, NULL);
35408     if (ret != MP_VAL)
35409         return -12840;
35410     ret = mp_div_2_mod_ct(NULL, b, a);
35411     if (ret != MP_VAL)
35412         return -12841;
35413 
35414     ret = mp_div_2(NULL, NULL);
35415     if (ret != MP_VAL)
35416         return -12842;
35417     ret = mp_div_2(a, NULL);
35418     if (ret != MP_VAL)
35419         return -12843;
35420     ret = mp_div_2(NULL, a);
35421     if (ret != MP_VAL)
35422         return -12844;
35423 #endif
35424 
35425 #if (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
35426     defined(HAVE_ECC) || !defined(NO_DSA) || defined(OPENSSL_EXTRA)
35427     ret = mp_invmod(NULL, NULL, NULL);
35428     if (ret != MP_VAL)
35429         return -12845;
35430     ret = mp_invmod(a, NULL, NULL);
35431     if (ret != MP_VAL)
35432         return -12846;
35433     ret = mp_invmod(NULL, b, NULL);
35434     if (ret != MP_VAL)
35435         return -12847;
35436     ret = mp_invmod(NULL, NULL, a);
35437     if (ret != MP_VAL)
35438         return -12848;
35439     ret = mp_invmod(a, b, NULL);
35440     if (ret != MP_VAL)
35441         return -12849;
35442     ret = mp_invmod(a, NULL, a);
35443     if (ret != MP_VAL)
35444         return -12850;
35445     ret = mp_invmod(NULL, b, a);
35446     if (ret != MP_VAL)
35447         return -12851;
35448 #endif
35449 
35450 #if !defined(WOLFSSL_SP_MATH) && defined(HAVE_ECC)
35451     ret = mp_invmod_mont_ct(NULL, NULL, NULL, 1);
35452     if (ret != MP_VAL)
35453         return -12852;
35454     ret = mp_invmod_mont_ct(a, NULL, NULL, 1);
35455     if (ret != MP_VAL)
35456         return -12853;
35457     ret = mp_invmod_mont_ct(NULL, b, NULL, 1);
35458     if (ret != MP_VAL)
35459         return -12854;
35460     ret = mp_invmod_mont_ct(NULL, NULL, a, 1);
35461     if (ret != MP_VAL)
35462         return -12855;
35463     ret = mp_invmod_mont_ct(a, b, NULL, 1);
35464     if (ret != MP_VAL)
35465         return -12856;
35466     ret = mp_invmod_mont_ct(a, NULL, a, 1);
35467     if (ret != MP_VAL)
35468         return -12857;
35469     ret = mp_invmod_mont_ct(NULL, b, a, 1);
35470     if (ret != MP_VAL)
35471         return -12858;
35472 #endif
35473 
35474 #if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && !defined(WC_RSA_BLINDING)
35475     ret = mp_lcm(NULL, NULL, NULL);
35476     if (ret != MP_VAL)
35477         return -12859;
35478     ret = mp_lcm(a, NULL, NULL);
35479     if (ret != MP_VAL)
35480         return -12860;
35481     ret = mp_lcm(NULL, b, NULL);
35482     if (ret != MP_VAL)
35483         return -12861;
35484     ret = mp_lcm(NULL, NULL, a);
35485     if (ret != MP_VAL)
35486         return -12862;
35487     ret = mp_lcm(a, b, NULL);
35488     if (ret != MP_VAL)
35489         return -12863;
35490     ret = mp_lcm(a, NULL, a);
35491     if (ret != MP_VAL)
35492         return -12864;
35493     ret = mp_lcm(NULL, b, a);
35494     if (ret != MP_VAL)
35495         return -12865;
35496 #endif
35497 
35498 #if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH)
35499     ret = mp_exptmod_ex(NULL, NULL, 1, NULL, NULL);
35500     if (ret != MP_VAL)
35501         return -12866;
35502     ret = mp_exptmod_ex(a, NULL, 1, NULL, NULL);
35503     if (ret != MP_VAL)
35504         return -12867;
35505     ret = mp_exptmod_ex(NULL, b, 1, NULL, NULL);
35506     if (ret != MP_VAL)
35507         return -12868;
35508     ret = mp_exptmod_ex(NULL, NULL, 1, b, NULL);
35509     if (ret != MP_VAL)
35510         return -12869;
35511     ret = mp_exptmod_ex(NULL, NULL, 1, NULL, a);
35512     if (ret != MP_VAL)
35513         return -12870;
35514     ret = mp_exptmod_ex(a, b, 1, b, NULL);
35515     if (ret != MP_VAL)
35516         return -12871;
35517     ret = mp_exptmod_ex(a, b, 1, NULL, a);
35518     if (ret != MP_VAL)
35519         return -12872;
35520     ret = mp_exptmod_ex(a, NULL, 1, b, a);
35521     if (ret != MP_VAL)
35522         return -12873;
35523     ret = mp_exptmod_ex(NULL, b, 1, b, a);
35524     if (ret != MP_VAL)
35525         return -12874;
35526 
35527     ret = mp_exptmod(NULL, NULL, NULL, NULL);
35528     if (ret != MP_VAL)
35529         return -12875;
35530     ret = mp_exptmod(a, NULL, NULL, NULL);
35531     if (ret != MP_VAL)
35532         return -12876;
35533     ret = mp_exptmod(NULL, b, NULL, NULL);
35534     if (ret != MP_VAL)
35535         return -12877;
35536     ret = mp_exptmod(NULL, NULL, b, NULL);
35537     if (ret != MP_VAL)
35538         return -12878;
35539     ret = mp_exptmod(NULL, NULL, NULL, a);
35540     if (ret != MP_VAL)
35541         return -12879;
35542     ret = mp_exptmod(a, b, b, NULL);
35543     if (ret != MP_VAL)
35544         return -12880;
35545     ret = mp_exptmod(a, b, NULL, a);
35546     if (ret != MP_VAL)
35547         return -12881;
35548     ret = mp_exptmod(a, NULL, b, a);
35549     if (ret != MP_VAL)
35550         return -12882;
35551     ret = mp_exptmod(NULL, b, b, a);
35552     if (ret != MP_VAL)
35553         return -12883;
35554 
35555     ret = mp_exptmod_nct(NULL, NULL, NULL, NULL);
35556     if (ret != MP_VAL)
35557         return -12884;
35558     ret = mp_exptmod_nct(a, NULL, NULL, NULL);
35559     if (ret != MP_VAL)
35560         return -12885;
35561     ret = mp_exptmod_nct(NULL, b, NULL, NULL);
35562     if (ret != MP_VAL)
35563         return -12886;
35564     ret = mp_exptmod_nct(NULL, NULL, b, NULL);
35565     if (ret != MP_VAL)
35566         return -12887;
35567     ret = mp_exptmod_nct(NULL, NULL, NULL, a);
35568     if (ret != MP_VAL)
35569         return -12888;
35570     ret = mp_exptmod_nct(a, b, b, NULL);
35571     if (ret != MP_VAL)
35572         return -12889;
35573     ret = mp_exptmod_nct(a, b, NULL, a);
35574     if (ret != MP_VAL)
35575         return -12890;
35576     ret = mp_exptmod_nct(a, NULL, b, a);
35577     if (ret != MP_VAL)
35578         return -12891;
35579     ret = mp_exptmod_nct(NULL, b, b, a);
35580     if (ret != MP_VAL)
35581         return -12892;
35582 #endif
35583 
35584 #if defined(HAVE_ECC) && defined(HAVE_COMP_KEY)
35585     ret = mp_cnt_lsb(NULL);
35586     if (ret != 0)
35587         return -12893;
35588 #endif
35589 
35590 #if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH)
35591     ret = mp_prime_is_prime(NULL, 1, NULL);
35592     if (ret != MP_VAL)
35593         return -12894;
35594     ret = mp_prime_is_prime(a, 1, NULL);
35595     if (ret != MP_VAL)
35596         return -12895;
35597     ret = mp_prime_is_prime(NULL, 1, &result);
35598     if (ret != MP_VAL)
35599         return -12896;
35600     ret = mp_prime_is_prime(a, 0, &result);
35601     if (ret != MP_VAL)
35602         return -12897;
35603     ret = mp_prime_is_prime(a, 1024, &result);
35604     if (ret != MP_VAL)
35605         return -12898;
35606 
35607     ret = mp_prime_is_prime_ex(NULL, 1, NULL, NULL);
35608     if (ret != MP_VAL)
35609         return -12899;
35610     ret = mp_prime_is_prime_ex(a, 1, NULL, NULL);
35611     if (ret != MP_VAL)
35612         return -12900;
35613     ret = mp_prime_is_prime_ex(NULL, 1, &result, NULL);
35614     if (ret != MP_VAL)
35615         return -12901;
35616     ret = mp_prime_is_prime_ex(NULL, 1, NULL, rng);
35617     if (ret != MP_VAL)
35618         return -12902;
35619     ret = mp_prime_is_prime_ex(a, 1, &result, NULL);
35620     if (ret != MP_VAL)
35621         return -12903;
35622     ret = mp_prime_is_prime_ex(a, 1, NULL, rng);
35623     if (ret != MP_VAL)
35624         return -12904;
35625     ret = mp_prime_is_prime_ex(NULL, 1, &result, rng);
35626     if (ret != MP_VAL)
35627         return -12905;
35628 #endif
35629 
35630 #if defined(WOLFSSL_SP_MATH_ALL) || !defined(NO_DH) || !defined(NO_DSA)
35631     ret = mp_exch(NULL, NULL);
35632     if (ret != MP_VAL)
35633         return -12906;
35634     ret = mp_exch(a, NULL);
35635     if (ret != MP_VAL)
35636         return -12907;
35637     ret = mp_exch(NULL, b);
35638     if (ret != MP_VAL)
35639         return -12908;
35640 #endif
35641 
35642 #if (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA)) || \
35643                                                     defined(WOLFSSL_SP_MATH_ALL)
35644     ret = mp_mul_d(NULL, 1, NULL);
35645     if (ret != MP_VAL)
35646         return -12909;
35647     ret = mp_mul_d(a, 1, NULL);
35648     if (ret != MP_VAL)
35649         return -12910;
35650     ret = mp_mul_d(NULL, 1, b);
35651     if (ret != MP_VAL)
35652         return -12911;
35653 #endif
35654 
35655 #if !defined(WOLFSSL_RSA_VERIFY_ONLY)
35656     ret = mp_add(NULL, NULL, NULL);
35657     if (ret != MP_VAL)
35658         return -12912;
35659     ret = mp_add(a, NULL, NULL);
35660     if (ret != MP_VAL)
35661         return -12913;
35662     ret = mp_add(NULL, b, NULL);
35663     if (ret != MP_VAL)
35664         return -12914;
35665     ret = mp_add(NULL, NULL, r);
35666     if (ret != MP_VAL)
35667         return -12915;
35668     ret = mp_add(a, b, NULL);
35669     if (ret != MP_VAL)
35670         return -12916;
35671     ret = mp_add(a, NULL, r);
35672     if (ret != MP_VAL)
35673         return -12917;
35674     ret = mp_add(NULL, b, r);
35675     if (ret != MP_VAL)
35676         return -12918;
35677 #endif
35678 
35679 #if defined(WOLFSSL_SP_MATH_ALL) || !defined(NO_DH) || defined(HAVE_ECC) || \
35680     (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
35681     ret = mp_sub(NULL, NULL, NULL);
35682     if (ret != MP_VAL)
35683         return -12919;
35684     ret = mp_sub(a, NULL, NULL);
35685     if (ret != MP_VAL)
35686         return -12920;
35687     ret = mp_sub(NULL, b, NULL);
35688     if (ret != MP_VAL)
35689         return -12921;
35690     ret = mp_sub(NULL, NULL, r);
35691     if (ret != MP_VAL)
35692         return -12922;
35693     ret = mp_sub(a, b, NULL);
35694     if (ret != MP_VAL)
35695         return -12923;
35696     ret = mp_sub(a, NULL, r);
35697     if (ret != MP_VAL)
35698         return -12924;
35699     ret = mp_sub(NULL, b, r);
35700     if (ret != MP_VAL)
35701         return -12925;
35702 #endif
35703 
35704 
35705 #if defined(WOLFSSL_SP_MATH_ALL) || (!defined(WOLFSSL_SP_MATH) && \
35706                                      defined(WOLFSSL_CUSTOM_CURVES))
35707     ret = mp_addmod(NULL, NULL, NULL, NULL);
35708     if (ret != MP_VAL)
35709         return -12926;
35710     ret = mp_addmod(a, NULL, NULL, NULL);
35711     if (ret != MP_VAL)
35712         return -12927;
35713     ret = mp_addmod(NULL, b, NULL, NULL);
35714     if (ret != MP_VAL)
35715         return -12928;
35716     ret = mp_addmod(NULL, NULL, b, NULL);
35717     if (ret != MP_VAL)
35718         return -12929;
35719     ret = mp_addmod(NULL, NULL, NULL, a);
35720     if (ret != MP_VAL)
35721         return -12930;
35722     ret = mp_addmod(a, b, b, NULL);
35723     if (ret != MP_VAL)
35724         return -12931;
35725     ret = mp_addmod(a, b, NULL, a);
35726     if (ret != MP_VAL)
35727         return -12932;
35728     ret = mp_addmod(a, NULL, b, a);
35729     if (ret != MP_VAL)
35730         return -12933;
35731     ret = mp_addmod(NULL, b, b, a);
35732     if (ret != MP_VAL)
35733         return -12934;
35734 #endif
35735 
35736 #ifdef WOLFSSL_SP_MATH_ALL
35737     ret = mp_submod(NULL, NULL, NULL, NULL);
35738     if (ret != MP_VAL)
35739         return -12935;
35740     ret = mp_submod(a, NULL, NULL, NULL);
35741     if (ret != MP_VAL)
35742         return -12936;
35743     ret = mp_submod(NULL, b, NULL, NULL);
35744     if (ret != MP_VAL)
35745         return -12937;
35746     ret = mp_submod(NULL, NULL, b, NULL);
35747     if (ret != MP_VAL)
35748         return -12938;
35749     ret = mp_submod(NULL, NULL, NULL, a);
35750     if (ret != MP_VAL)
35751         return -12939;
35752     ret = mp_submod(a, b, b, NULL);
35753     if (ret != MP_VAL)
35754         return -12940;
35755     ret = mp_submod(a, b, NULL, a);
35756     if (ret != MP_VAL)
35757         return -12941;
35758     ret = mp_submod(a, NULL, b, a);
35759     if (ret != MP_VAL)
35760         return -12942;
35761     ret = mp_submod(NULL, b, b, a);
35762     if (ret != MP_VAL)
35763         return -12943;
35764 #endif
35765 
35766 #ifdef WOLFSSL_SP_MATH_ALL
35767     ret = mp_div_2d(NULL, 1, a, b);
35768     if (ret != MP_VAL)
35769         return -12944;
35770 
35771     ret = mp_mod_2d(NULL, 1, NULL);
35772     if (ret != MP_VAL)
35773         return -12945;
35774     ret = mp_mod_2d(a, 1, NULL);
35775     if (ret != MP_VAL)
35776         return -12946;
35777     ret = mp_mod_2d(NULL, 1, b);
35778     if (ret != MP_VAL)
35779         return -12947;
35780 
35781     ret = mp_mul_2d(NULL, 1, NULL);
35782     if (ret != MP_VAL)
35783         return -12948;
35784     ret = mp_mul_2d(a, 1, NULL);
35785     if (ret != MP_VAL)
35786         return -12949;
35787     ret = mp_mul_2d(NULL, 1, b);
35788     if (ret != MP_VAL)
35789         return -12950;
35790 #endif
35791 
35792 #if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \
35793     defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
35794     ret = mp_montgomery_reduce(NULL, NULL, 1);
35795     if (ret != MP_VAL)
35796         return -12951;
35797     ret = mp_montgomery_reduce(a, NULL, 1);
35798     if (ret != MP_VAL)
35799         return -12952;
35800     ret = mp_montgomery_reduce(NULL, b, 1);
35801     if (ret != MP_VAL)
35802         return -12953;
35803     mp_zero(b);
35804     ret = mp_montgomery_reduce(a, b, 1);
35805     if (ret != MP_VAL)
35806         return -12954;
35807 #endif
35808 
35809 #ifdef WOLFSSL_SP_MATH_ALL
35810     ret = mp_montgomery_setup(NULL, NULL);
35811     if (ret != MP_VAL)
35812         return -12955;
35813     ret = mp_montgomery_setup(a, NULL);
35814     if (ret != MP_VAL)
35815         return -12956;
35816     ret = mp_montgomery_setup(NULL, &rho);
35817     if (ret != MP_VAL)
35818         return -12957;
35819 
35820     ret = mp_montgomery_calc_normalization(NULL, NULL);
35821     if (ret != MP_VAL)
35822         return -12958;
35823     ret = mp_montgomery_calc_normalization(a, NULL);
35824     if (ret != MP_VAL)
35825         return -12959;
35826     ret = mp_montgomery_calc_normalization(NULL, b);
35827     if (ret != MP_VAL)
35828         return -12960;
35829 #endif
35830 
35831     ret = mp_unsigned_bin_size(NULL);
35832     if (ret != 0)
35833         return -12961;
35834 
35835 #if defined(WC_MP_TO_RADIX) || defined(WOLFSSL_SP_MATH_ALL)
35836     ret = mp_tohex(NULL, NULL);
35837     if (ret != MP_VAL)
35838         return -12962;
35839     ret = mp_tohex(a, NULL);
35840     if (ret != MP_VAL)
35841         return -12963;
35842     ret = mp_tohex(NULL, hexStr);
35843     if (ret != MP_VAL)
35844         return -12964;
35845 #endif
35846 
35847 #if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)
35848     ret = mp_todecimal(NULL, NULL);
35849     if (ret != MP_VAL)
35850         return -12965;
35851     ret = mp_todecimal(a, NULL);
35852     if (ret != MP_VAL)
35853         return -12966;
35854     ret = mp_todecimal(NULL, decStr);
35855     if (ret != MP_VAL)
35856         return -12967;
35857 #endif
35858 
35859 #ifdef WOLFSSL_SP_MATH_ALL
35860     ret = mp_toradix(NULL, NULL, MP_RADIX_HEX);
35861     if (ret != MP_VAL)
35862         return -12968;
35863     ret = mp_toradix(a, NULL, MP_RADIX_HEX);
35864     if (ret != MP_VAL)
35865         return -12969;
35866     ret = mp_toradix(NULL, hexStr, MP_RADIX_HEX);
35867     if (ret != MP_VAL)
35868         return -12970;
35869     ret = mp_toradix(a, hexStr, 3);
35870     if (ret != MP_VAL)
35871         return -12971;
35872 
35873     ret = mp_radix_size(NULL, MP_RADIX_HEX, NULL);
35874     if (ret != MP_VAL)
35875         return -12972;
35876     ret = mp_radix_size(a, MP_RADIX_HEX, NULL);
35877     if (ret != MP_VAL)
35878         return -12973;
35879     ret = mp_radix_size(NULL, MP_RADIX_HEX, &size);
35880     if (ret != MP_VAL)
35881         return -12974;
35882     ret = mp_radix_size(a, 3, &size);
35883     if (ret != MP_VAL)
35884         return -12975;
35885 #endif
35886 
35887     return 0;
35888 }
35889 #endif
35890 
35891 #if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
35892 static int mp_test_set_is_bit(mp_int* a)
35893 {
35894     int i, j;
35895 
35896     mp_zero(a);
35897     for (i = 0; i <= DIGIT_BIT * 2; i++) {
35898         if (mp_is_bit_set(a, i))
35899             return -12980;
35900         for (j = 0; j < i; j++) {
35901             if (!mp_is_bit_set(a, j))
35902                 return -12981;
35903         }
35904         if (mp_set_bit(a, i) != 0)
35905             return -12982;
35906         if (!mp_is_bit_set(a, i))
35907             return -12983;
35908     }
35909 
35910     mp_zero(a);
35911     for (i = 0; i <= DIGIT_BIT * 2; i++) {
35912         if (mp_is_bit_set(a, i))
35913             return -12984;
35914     }
35915 
35916     for (i = 0; i <= DIGIT_BIT * 2; i++) {
35917         mp_zero(a);
35918         if (mp_set_bit(a, i) != 0)
35919             return -12985;
35920         for (j = 0; j < i; j++) {
35921             if (mp_is_bit_set(a, j))
35922                 return -12986;
35923         }
35924         if (!mp_is_bit_set(a, i))
35925             return -12987;
35926     }
35927 
35928 #ifdef WOLFSSL_KEY_GEN
35929     for (i = 0; i < DIGIT_BIT * 2; i++) {
35930         mp_set(a, 1);
35931         if (mp_2expt(a, i) != 0)
35932             return -12988;
35933         for (j = 0; j < i; j++) {
35934             if (mp_is_bit_set(a, j))
35935                 return -12989;
35936         }
35937         if (!mp_is_bit_set(a, i))
35938             return -12990;
35939     }
35940 #endif
35941 
35942 #ifdef WOLFSSL_SP_MATH
35943     mp_zero(a);
35944     for (j = 1; j <= 3; j++) {
35945         i = SP_INT_MAX_BITS - j;
35946         if (mp_is_bit_set(a, i))
35947             return -12991;
35948         if (mp_set_bit(a, i) != 0)
35949             return -12992;
35950         if (!mp_is_bit_set(a, i))
35951             return -12993;
35952     #ifdef WOLFSSL_KEY_GEN
35953         if (mp_2expt(a, i) != 0)
35954             return -12994;
35955         if (!mp_is_bit_set(a, i))
35956             return -12995;
35957     #endif
35958     }
35959 
35960     mp_zero(a);
35961     for (j = 0; j <= 3; j++) {
35962         i = SP_INT_MAX_BITS + j;
35963         if (mp_is_bit_set(a, i))
35964             return -12996;
35965         if (mp_set_bit(a, i) != MP_VAL)
35966             return -12997;
35967     #ifdef WOLFSSL_KEY_GEN
35968         if (mp_2expt(a, i) != MP_VAL)
35969             return -12998;
35970     #endif
35971     }
35972 #endif
35973 
35974     return 0;
35975 }
35976 #endif /* !WOLFSSL_SP_MATH || WOLFSSL_SP_MATH_ALL */
35977 
35978 static int mp_test_cmp(mp_int* a, mp_int* b)
35979 {
35980     int ret;
35981 
35982     mp_zero(a);
35983     mp_zero(b);
35984 
35985     ret = mp_cmp_d(a, 0);
35986     if (ret != MP_EQ)
35987         return -13000;
35988     ret = mp_cmp_d(a, 1);
35989     if (ret != MP_LT)
35990         return -13001;
35991 
35992     ret = mp_cmp(a, b);
35993     if (ret != MP_EQ)
35994         return -13002;
35995 
35996     mp_set(a, 1);
35997     ret = mp_cmp_d(a, 0);
35998     if (ret != MP_GT)
35999         return -13003;
36000     ret = mp_cmp_d(a, 1);
36001     if (ret != MP_EQ)
36002         return -13004;
36003     ret = mp_cmp_d(a, 2);
36004     if (ret != MP_LT)
36005         return -13005;
36006 
36007     ret = mp_cmp(a, b);
36008     if (ret != MP_GT)
36009         return -13006;
36010 
36011     mp_read_radix(b, "1234567890123456789", MP_RADIX_HEX);
36012     ret = mp_cmp_d(b, -1);
36013     if (ret != MP_GT)
36014         return -13007;
36015 
36016     ret = mp_cmp(a, b);
36017     if (ret != MP_LT)
36018         return -13008;
36019     ret = mp_cmp(b, a);
36020     if (ret != MP_GT)
36021         return -13009;
36022     ret = mp_cmp(b, b);
36023     if (ret != MP_EQ)
36024         return -13010;
36025 
36026 #if (!defined(WOLFSSL_SP_MATH) && !defined(WOLFSSL_SP_MATH_ALL)) || \
36027     defined(WOLFSSL_SP_INT_NEGATIVE)
36028     mp_read_radix(a, "-1", MP_RADIX_HEX);
36029     mp_read_radix(a, "1", MP_RADIX_HEX);
36030     ret = mp_cmp(a, b);
36031     if (ret != MP_LT)
36032         return -13011;
36033     ret = mp_cmp(b, a);
36034     if (ret != MP_GT)
36035         return -13012;
36036 
36037     mp_read_radix(b, "-2", MP_RADIX_HEX);
36038     ret = mp_cmp(a, b);
36039     if (ret != MP_GT)
36040         return -13013;
36041     ret = mp_cmp(b, a);
36042     if (ret != MP_LT)
36043         return -13014;
36044 
36045     mp_read_radix(a, "-2", MP_RADIX_HEX);
36046     ret = mp_cmp(a, b);
36047     if (ret != MP_EQ)
36048         return -13015;
36049 #endif
36050 
36051     return 0;
36052 }
36053 
36054 #if !defined(NO_DH) || defined(HAVE_ECC) || !defined(WOLFSSL_RSA_VERIFY_ONLY)
36055 static int mp_test_shbd(mp_int* a, mp_int* b, WC_RNG* rng)
36056 {
36057     int ret;
36058     int i, j, k;
36059 
36060 #ifndef WOLFSSL_SP_MATH
36061     for (i = 0; i < 10; i++) {
36062         for (j = 1; j < (DIGIT_BIT + 7) / 8 * 3; j++) {
36063             ret = randNum(a, j, rng, NULL);
36064             if (ret != MP_OKAY)
36065                 return -13020;
36066             mp_copy(a, b);
36067             for (k = 0; k <= DIGIT_BIT * 2; k++) {
36068                 ret = mp_mul_2d(a, k, a);
36069                 if (ret != MP_OKAY)
36070                     return -13021;
36071                 mp_rshb(a, k);
36072                 if (mp_cmp(a, b) != MP_EQ)
36073                     return -13022;
36074             }
36075         }
36076     }
36077 #endif
36078 
36079     for (i = 0; i < 10; i++) {
36080         for (j = 1; j < (DIGIT_BIT + 7) / 8 * 3; j++) {
36081             ret = randNum(a, j, rng, NULL);
36082             if (ret != MP_OKAY)
36083                 return -13023;
36084             mp_copy(a, b);
36085             for (k = 0; k < 10; k++) {
36086                 ret = mp_lshd(a, k);
36087                 if (ret != MP_OKAY)
36088                     return -13024;
36089                 mp_rshd(a, k);
36090                 if (mp_cmp(a, b) != MP_EQ)
36091                     return -13025;
36092             }
36093         }
36094     }
36095 
36096     mp_zero(a);
36097     mp_rshd(a, 1);
36098     if (!mp_iszero(a))
36099         return -13026;
36100 
36101     mp_set(a, 1);
36102     mp_rshd(a, 1);
36103     if (!mp_iszero(a))
36104         return -13027;
36105 
36106     mp_set(a, 1);
36107     mp_rshd(a, 2);
36108     if (!mp_iszero(a))
36109         return -13028;
36110 
36111     return 0;
36112 }
36113 #endif
36114 
36115 #ifndef WOLFSSL_SP_MATH
36116 static int mp_test_div(mp_int* a, mp_int* d, mp_int* r, mp_int* rem,
36117                        WC_RNG* rng)
36118 {
36119     int ret;
36120     int i, j, k;
36121 
36122     mp_zero(a);
36123     mp_zero(d);
36124 
36125     ret = mp_div(a, d, r, rem);
36126     if (ret != MP_VAL)
36127         return -13030;
36128 
36129     mp_set(d, 1);
36130     ret = mp_div(a, d, r, rem);
36131     if (ret != MP_OKAY)
36132         return -13031;
36133     if (!mp_iszero(r))
36134         return -13032;
36135     if (!mp_iszero(rem))
36136         return -13033;
36137 
36138     mp_set(a, 1);
36139     ret = mp_div(a, d, r, rem);
36140     if (ret != MP_OKAY)
36141         return -13034;
36142     if (!mp_isone(r))
36143         return -13035;
36144     if (!mp_iszero(rem))
36145         return -13036;
36146 
36147     for (i = 0; i < 100; i++) {
36148         for (j = 1; j < (DIGIT_BIT + 7) / 8 * 2; j++) {
36149             ret = randNum(d, j, rng, NULL);
36150             if (ret != MP_OKAY)
36151                 return -13037;
36152             for (k = 1; k < (DIGIT_BIT + 7) / 8 * 2 + 1; k++) {
36153                 ret = randNum(a, k, rng, NULL);
36154                 if (ret != MP_OKAY)
36155                     return -13038;
36156 
36157                 ret = mp_div(a, d, NULL, rem);
36158                 if (ret != MP_OKAY)
36159                     return -13039;
36160                 ret = mp_div(a, d, r, NULL);
36161                 if (ret != MP_OKAY)
36162                     return -13040;
36163                 ret = mp_div(a, d, r, rem);
36164                 if (ret != MP_OKAY)
36165                     return -13041;
36166 
36167                 mp_mul(r, d, r);
36168                 mp_add(r, rem, r);
36169 
36170                 if (mp_cmp(r, a) != MP_EQ)
36171                     return -13042;
36172             }
36173         }
36174     }
36175 
36176     ret = randNum(d, (DIGIT_BIT + 7) / 8 * 2, rng, NULL);
36177     if (ret != MP_OKAY)
36178         return -13043;
36179     mp_add(d, d, a);
36180 
36181     mp_set(rem, 1);
36182     mp_div(a, d, NULL, rem);
36183     if (ret != MP_OKAY)
36184         return -13044;
36185     if (!mp_iszero(rem))
36186         return -13045;
36187 
36188     mp_set(r, 1);
36189     mp_div(a, d, r, NULL);
36190     if (ret != MP_OKAY)
36191         return -13046;
36192     if (mp_cmp_d(r, 2) != MP_EQ)
36193         return -13047;
36194 
36195     mp_set(r, 1);
36196     mp_set(rem, 1);
36197     mp_div(a, d, r, rem);
36198     if (ret != MP_OKAY)
36199         return -13048;
36200     if (mp_cmp_d(r, 2) != MP_EQ)
36201         return -13049;
36202     if (!mp_iszero(rem))
36203         return -13050;
36204 
36205     mp_set(a, 0xfe);
36206     mp_lshd(a, 3);
36207     mp_add_d(a, 0xff, a);
36208     mp_set(d, 0xfe);
36209     mp_lshd(d, 2);
36210     ret = mp_div(a, d, r, rem);
36211     if (ret != MP_OKAY)
36212         return -13051;
36213     mp_mul(r, d, d);
36214     mp_add(rem, d, d);
36215     if (mp_cmp(a, d) != MP_EQ)
36216         return -13052;
36217 
36218     /* Force (hi | lo) / d to be (d | 0) / d which will would not fit in
36219      * a digit. So mp_div must detect and handle.
36220      * For example: 0x800000 / 0x8001, DIGIT_BIT = 8
36221      */
36222     mp_set(a, 1);
36223     mp_mul_2d(a, DIGIT_BIT * 3 - 1, a);
36224     mp_set(d, 1);
36225     mp_mul_2d(d, DIGIT_BIT * 2 - 1, d);
36226     mp_add_d(d, 1, d);
36227     ret = mp_div(a, d, r, rem);
36228     if (ret != MP_OKAY)
36229         return -13053;
36230 
36231     return 0;
36232 }
36233 #endif
36234 
36235 #if defined(WOLFSSL_KEY_GEN) && (!defined(NO_DH) || !defined(NO_DSA)) && \
36236     !defined(WC_NO_RNG)
36237 static int mp_test_prime(mp_int* a, WC_RNG* rng)
36238 {
36239     int ret;
36240     int res;
36241 
36242     ret = mp_rand_prime(a, 1, rng, NULL);
36243 #if defined(WOLFSSL_SP_MATH_ALL)
36244     if (ret != 0)
36245         return -13060;
36246 #else
36247     if (ret != MP_VAL)
36248         return -13060;
36249 #endif
36250 #ifndef WOLFSSL_SP_MATH
36251     ret = mp_rand_prime(a, -5, rng, NULL);
36252     if (ret != 0)
36253         return -13061;
36254 #endif
36255     ret = mp_prime_is_prime(a, 1, &res);
36256     if (ret != MP_OKAY)
36257         return -13062;
36258 #ifndef WOLFSSL_SP_MATH
36259     if (res != MP_YES)
36260         return -13063;
36261 #else
36262     if (res != MP_NO)
36263         return -13063;
36264 #endif
36265 
36266     ret = mp_prime_is_prime(a, 0, &res);
36267     if (ret != MP_VAL)
36268         return -13064;
36269     ret = mp_prime_is_prime(a, -1, &res);
36270     if (ret != MP_VAL)
36271         return -13065;
36272     ret = mp_prime_is_prime(a, 257, &res);
36273     if (ret != MP_VAL)
36274         return -13066;
36275 
36276     mp_set(a, 1);
36277     ret = mp_prime_is_prime(a, 1, &res);
36278     if (ret != MP_OKAY)
36279         return -13067;
36280     if (res != MP_NO)
36281         return -13068;
36282     ret = mp_prime_is_prime_ex(a, 1, &res, rng);
36283     if (ret != MP_OKAY)
36284         return -13069;
36285     if (res != MP_NO)
36286         return -13070;
36287 
36288     mp_set(a, 2);
36289     ret = mp_prime_is_prime(a, 1, &res);
36290     if (ret != MP_OKAY)
36291         return -13071;
36292     if (res != MP_YES)
36293         return -13072;
36294     ret = mp_prime_is_prime_ex(a, 1, &res, rng);
36295     if (ret != MP_OKAY)
36296         return -13073;
36297     if (res != MP_YES)
36298         return -13074;
36299 
36300     mp_set(a, 0xfb);
36301     ret = mp_prime_is_prime(a, 1, &res);
36302     if (ret != MP_OKAY)
36303         return -13075;
36304     if (res != MP_YES)
36305         return -13076;
36306     ret = mp_prime_is_prime_ex(a, 1, &res, rng);
36307     if (ret != MP_OKAY)
36308         return -13077;
36309     if (res != MP_YES)
36310         return -13078;
36311 
36312     mp_set(a, 0x6);
36313     ret = mp_prime_is_prime(a, 1, &res);
36314     if (ret != MP_OKAY)
36315         return -13079;
36316     if (res != MP_NO)
36317         return -13080;
36318     ret = mp_prime_is_prime_ex(a, 1, &res, rng);
36319     if (ret != MP_OKAY)
36320         return -13081;
36321     if (res != MP_NO)
36322         return -13082;
36323 
36324     mp_set_int(a, 0x655 * 0x65b);
36325     ret = mp_prime_is_prime(a, 10, &res);
36326     if (ret != MP_OKAY)
36327         return -13083;
36328     if (res != MP_NO)
36329         return -13084;
36330     ret = mp_prime_is_prime_ex(a, 10, &res, rng);
36331     if (ret != MP_OKAY)
36332         return -13085;
36333     if (res != MP_NO)
36334         return -13086;
36335 
36336     return 0;
36337 }
36338 #endif
36339 
36340 #if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && !defined(WC_RSA_BLINDING)
36341 static int mp_test_lcm_gcd(mp_int* a, mp_int* b, mp_int* r, mp_int* exp,
36342                            WC_RNG* rng)
36343 {
36344     int ret;
36345     int i;
36346     WOLFSSL_SMALL_STACK_STATIC const int kat[][3] = {
36347       { 1, 1, 1 }, { 2, 1, 2 }, { 1, 2, 2 }, { 2, 4, 4 }, { 4, 2, 4 },
36348       { 12, 56, 168 }, { 56, 12, 168 }
36349     };
36350 
36351     (void)exp;
36352 
36353     mp_set(a, 0);
36354     mp_set(b, 1);
36355     ret = mp_lcm(a, a, r);
36356     if (ret != MP_VAL)
36357         return -13090;
36358     ret = mp_lcm(a, b, r);
36359     if (ret != MP_VAL)
36360         return -13091;
36361     ret = mp_lcm(b, a, r);
36362     if (ret != MP_VAL)
36363         return -13092;
36364 
36365     for (i = 0; i < (int)(sizeof(kat) / sizeof(*kat)); i++) {
36366         mp_set(a, kat[i][0]);
36367         mp_set(b, kat[i][1]);
36368         ret = mp_lcm(a, b, r);
36369         if (ret != MP_OKAY)
36370             return -13093;
36371         mp_set(exp, kat[i][2]);
36372         if (mp_cmp(r, exp) != MP_EQ)
36373             return -13094;
36374     }
36375 
36376     (void)rng;
36377 #if defined(WOLFSSL_KEY_GEN) && (!defined(NO_DH) || !defined(NO_DSA)) && \
36378     !defined(WC_NO_RNG)
36379     if (mp_rand_prime(a, 20, rng, NULL) != MP_OKAY)
36380         return -13095;
36381     if (mp_rand_prime(b, 20, rng, NULL) != MP_OKAY)
36382         return -13096;
36383     if (mp_mul(a, b, exp) != MP_OKAY)
36384         return -13097;
36385     ret = mp_lcm(a, b, r);
36386     if (ret != MP_OKAY)
36387         return -13098;
36388     if (mp_cmp(r, exp) != MP_EQ)
36389         return -13099;
36390     ret = mp_lcm(b, a, r);
36391     if (ret != MP_OKAY)
36392         return -13100;
36393     if (mp_cmp(r, exp) != MP_EQ)
36394         return -13101;
36395 #endif
36396 
36397     mp_set(a, 11);
36398     mp_zero(b);
36399     ret = mp_gcd(a, b, r);
36400     if (ret != MP_OKAY)
36401         return -13102;
36402     if (mp_cmp_d(r, 11) != MP_EQ)
36403         return -13103;
36404     ret = mp_gcd(b, a, r);
36405     if (ret != MP_OKAY)
36406         return -13104;
36407     if (mp_cmp_d(r, 11) != MP_EQ)
36408         return -13105;
36409     ret = mp_gcd(b, b, r);
36410     if (ret != MP_VAL)
36411         return -13106;
36412 
36413     return 0;
36414 }
36415 #endif
36416 
36417 #if (!defined(WOLFSSL_SP_MATH) && !defined(USE_FAST_MATH)) || \
36418     defined(WOLFSSL_SP_MATH_ALL)
36419 static int mp_test_mod_2d(mp_int* a, mp_int* r, mp_int* t, WC_RNG* rng)
36420 {
36421     int ret;
36422     int i;
36423     int j;
36424 
36425     mp_set(a, 10);
36426     ret = mp_mod_2d(a, 0, r);
36427     if (ret != MP_OKAY)
36428         return -13110;
36429     if (!mp_iszero(r))
36430         return -13111;
36431 
36432     ret = mp_mod_2d(a, 1, r);
36433     if (ret != MP_OKAY)
36434         return -13112;
36435     if (!mp_iszero(r))
36436         return -13113;
36437 
36438     ret = mp_mod_2d(a, 2, r);
36439     if (ret != MP_OKAY)
36440         return -13114;
36441     if (mp_cmp_d(r, 2))
36442         return -13115;
36443 
36444     for (i = 2; i < 20; i++) {
36445         ret = randNum(a, i, rng, NULL);
36446         if (ret != 0)
36447             return -13116;
36448         for (j = 1; j <= mp_count_bits(a); j++) {
36449             /* Get top part */
36450             ret = mp_div_2d(a, j, t, NULL);
36451             if (ret != 0)
36452                 return -13117;
36453             ret = mp_mul_2d(t, j, t);
36454             if (ret != 0)
36455                 return -13118;
36456 
36457             /* Get bottom part */
36458             ret = mp_mod_2d(a, j, r);
36459             if (ret != 0)
36460                 return -13119;
36461 
36462             /* Reassemble */
36463             ret = mp_add(t, r, r);
36464             if (ret != 0)
36465                 return -13120;
36466             if (mp_cmp(a, r) != MP_EQ)
36467                 return -13121;
36468         }
36469     }
36470 
36471 #if !defined(WOLFSSL_SP_MATH) && defined(WOLFSSL_SP_INT_NEGATIVE)
36472     /* Test negative value being moded. */
36473     for (j = 0; j < 20; j++) {
36474         ret = randNum(a, 2, rng, NULL);
36475         if (ret != 0)
36476             return -13122;
36477         a->sign = MP_NEG;
36478         for (i = 1; i < DIGIT_BIT * 3 + 1; i++) {
36479             ret = mp_mod_2d(a, i, r);
36480             if (ret != 0)
36481                 return -13124;
36482             mp_zero(t);
36483             ret = mp_set_bit(t, i);
36484             if (ret != 0)
36485                 return -13125;
36486             ret = mp_mod(a, t, t);
36487             if (ret != 0)
36488                 return -13126;
36489             if (mp_cmp(r, t) != MP_EQ)
36490                 return -13127;
36491         }
36492     }
36493 #endif
36494 
36495     return 0;
36496 }
36497 #endif
36498 
36499 #if (defined(HAVE_ECC) && defined(HAVE_COMP_KEY)) || \
36500                             (defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN))
36501 static int mp_test_mod_d(mp_int* a)
36502 {
36503     int ret;
36504     mp_digit r;
36505 
36506     if (mp_set(a, 1) != MP_OKAY)
36507         return -13130;
36508     ret = mp_mod_d(a, 0, &r);
36509     if (ret != MP_VAL)
36510         return -13131;
36511 
36512     mp_zero(a);
36513     ret = mp_mod_d(a, 1, &r);
36514     if (ret != MP_OKAY)
36515         return -13132;
36516     ret = mp_mod_d(a, 3, &r);
36517     if (ret != MP_OKAY)
36518         return -13133;
36519     ret = mp_mod_d(a, 5, &r);
36520     if (ret != MP_OKAY)
36521         return -13134;
36522 
36523     return 0;
36524 }
36525 #endif
36526 
36527 static int mp_test_mul_sqr(mp_int* a, mp_int* b, mp_int* r1, mp_int* r2,
36528                            WC_RNG* rng)
36529 {
36530     int ret;
36531     int i;
36532 
36533     for (i = 1; i < 16; i++) {
36534         ret = randNum(a, i, rng, NULL);
36535         if (ret != 0)
36536             return -13140;
36537 
36538         ret = mp_mul(a, a, r1);
36539         if (ret != 0)
36540             return -13141;
36541         ret = mp_sqr(a, r2);
36542         if (ret != 0)
36543             return -13142;
36544 
36545         if (mp_cmp(r1, r2) != MP_EQ)
36546             return -13143;
36547     }
36548 
36549     ret = mp_set(b, 0);
36550     if (ret != MP_OKAY)
36551         return -13144;
36552     ret = mp_mul(a, b, r1);
36553     if (ret != MP_OKAY)
36554         return -13145;
36555     if (!mp_iszero(r1))
36556         return -13146;
36557     ret = mp_sqr(b, r1);
36558     if (ret != MP_OKAY)
36559         return -13147;
36560     if (!mp_iszero(r1))
36561         return -13148;
36562 
36563 #ifdef WOLFSSL_SP_MATH_ALL
36564     ret = mp_set(a, 1);
36565     if (ret != MP_OKAY)
36566         return -13149;
36567     i = (SP_INT_DIGITS / 2) + 1;
36568     ret = mp_mul_2d(a,  i * SP_WORD_SIZE - 1, a);
36569     if (ret != MP_OKAY)
36570         return -13150;
36571     ret = mp_set(b, 1);
36572     if (ret != MP_OKAY)
36573         return -13151;
36574     ret = mp_mul_2d(b, (SP_INT_DIGITS - 1 - i) * SP_WORD_SIZE - 1, b);
36575     if (ret != MP_OKAY)
36576         return -13152;
36577 
36578     ret = mp_mul(a, b, r1);
36579     if (ret != MP_OKAY)
36580         return -13153;
36581     ret = mp_mul(a, a, r1);
36582     if (ret == MP_OKAY)
36583         return -13154;
36584     ret = mp_sqr(a, r1);
36585     if (ret == MP_OKAY)
36586         return -13155;
36587     ret = mp_sqr(b, r1);
36588     if (ret != MP_OKAY)
36589         return -13156;
36590 
36591 #if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \
36592     (defined(HAVE_ECC) && defined(FP_ECC))
36593     ret = mp_mulmod(a, b, b, r1);
36594     if (ret != MP_OKAY)
36595         return -13157;
36596     ret = mp_mulmod(a, a, b, r1);
36597     if (ret == MP_OKAY)
36598         return -13158;
36599 #if defined(HAVE_ECC) && (defined(ECC_SHAMIR) || defined(FP_ECC))
36600     ret = mp_sqrmod(a, b, r1);
36601     if (ret == MP_OKAY)
36602         return -13159;
36603     ret = mp_sqrmod(b, a, r1);
36604     if (ret != MP_OKAY)
36605         return -13160;
36606 #endif /* HAVE_ECC && (ECC_SHAMIR || FP_ECC) */
36607 #endif /* WOLFSSL_SP_MATH_ALL || WOLFSSL_HAVE_SP_DH || (HAVE_ECC && FP_ECC) */
36608 #endif /* WOLFSSL_SP_MATH_ALL */
36609 
36610     return 0;
36611 }
36612 
36613 #if !defined(NO_RSA) || defined(HAVE_ECC) || !defined(NO_DSA) || \
36614     defined(OPENSSL_EXTRA)
36615 static int mp_test_invmod(mp_int* a, mp_int* m, mp_int* r)
36616 {
36617     int ret;
36618 
36619     mp_set(a, 0);
36620     mp_set(m, 1);
36621     ret = mp_invmod(a, m, r);
36622     if (ret != MP_VAL)
36623         return -13170;
36624     ret = mp_invmod(m, a, r);
36625     if (ret != MP_VAL)
36626         return -13171;
36627     mp_set(a, 2);
36628     mp_set(m, 4);
36629     ret = mp_invmod(a, m, r);
36630     if (ret != MP_VAL)
36631         return -13172;
36632     mp_set(a, 1);
36633     mp_set(m, 4);
36634     ret = mp_invmod(a, m, r);
36635     if (ret != MP_OKAY)
36636         return -13173;
36637     if (!mp_isone(r))
36638         return -13174;
36639 
36640     mp_set(a, 3);
36641     mp_set(m, 4);
36642     ret = mp_invmod(a, m, r);
36643     if (ret != MP_OKAY)
36644         return -13175;
36645 
36646     mp_set(a, 3);
36647     mp_set(m, 5);
36648     ret = mp_invmod(a, m, r);
36649     if (ret != MP_OKAY)
36650         return -13176;
36651 
36652 #if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_INT_NEGATIVE)
36653     mp_read_radix(a, "-3", 16);
36654     ret = mp_invmod(a, m, r);
36655     if (ret != MP_OKAY)
36656         return -13177;
36657 #endif
36658 
36659 #if defined(WOLFSSL_SP_MATH_ALL) && defined(HAVE_ECC)
36660     mp_set(a, 0);
36661     mp_set(m, 3);
36662     ret = mp_invmod_mont_ct(a, m, r, 1);
36663     if (ret != MP_VAL)
36664         return -13178;
36665     mp_set(a, 1);
36666     mp_set(m, 0);
36667     ret = mp_invmod_mont_ct(a, m, r, 1);
36668     if (ret != MP_VAL)
36669         return -13179;
36670     mp_set(a, 1);
36671     mp_set(m, 1);
36672     ret = mp_invmod_mont_ct(a, m, r, 1);
36673     if (ret != MP_VAL)
36674         return -13180;
36675     mp_set(a, 1);
36676     mp_set(m, 2);
36677     ret = mp_invmod_mont_ct(a, m, r, 1);
36678     if (ret != MP_VAL)
36679         return -13181;
36680 
36681     mp_set(a, 1);
36682     mp_set(m, 3);
36683     ret = mp_invmod_mont_ct(a, m, r, 1);
36684     if (ret != MP_OKAY)
36685         return -13182;
36686 #endif
36687 
36688     return 0;
36689 }
36690 #endif /* !NO_RSA || HAVE_ECC || !NO_DSA || OPENSSL_EXTRA */
36691 
36692 #if !defined(NO_RSA) || !defined(NO_DSA) || !defined(NO_DH) || \
36693     (defined(HAVE_ECC) && defined(HAVE_COMP_KEY)) || defined(OPENSSL_EXTRA)
36694 static int mp_test_exptmod(mp_int* b, mp_int* e, mp_int* m, mp_int* r)
36695 {
36696     int ret;
36697 
36698     mp_set(b, 0x2);
36699     mp_set(e, 0x3);
36700     mp_set(m, 0x0);
36701     ret = mp_exptmod_ex(b, e, 1, m, r);
36702     if (ret != MP_VAL)
36703         return -13190;
36704     ret = mp_exptmod_nct(b, e, m, r);
36705     if (ret != MP_VAL)
36706         return -13191;
36707 
36708 
36709     mp_set(b, 0x2);
36710     mp_set(e, 0x3);
36711     mp_set(m, 0x1);
36712     ret = mp_exptmod_ex(b, e, 1, m, r);
36713     if (ret != MP_OKAY)
36714         return -13192;
36715     if (!mp_iszero(r))
36716         return -13193;
36717     ret = mp_exptmod_nct(b, e, m, r);
36718     if (ret != MP_OKAY)
36719         return -13194;
36720     if (!mp_iszero(r))
36721         return -13195;
36722 
36723     mp_set(b, 0x2);
36724     mp_set(e, 0x0);
36725     mp_set(m, 0x7);
36726     ret = mp_exptmod_ex(b, e, 1, m, r);
36727     if (ret != MP_OKAY)
36728         return -13196;
36729     if (!mp_isone(r))
36730         return -13197;
36731     ret = mp_exptmod_nct(b, e, m, r);
36732     if (ret != MP_OKAY)
36733         return -13198;
36734     if (!mp_isone(r))
36735         return -13199;
36736 
36737     mp_set(b, 0x0);
36738     mp_set(e, 0x3);
36739     mp_set(m, 0x7);
36740     ret = mp_exptmod_ex(b, e, 1, m, r);
36741     if (ret != MP_OKAY)
36742         return -13200;
36743     if (!mp_iszero(r))
36744         return -13201;
36745     ret = mp_exptmod_nct(b, e, m, r);
36746     if (ret != MP_OKAY)
36747         return -13202;
36748     if (!mp_iszero(r))
36749         return -13203;
36750 
36751     mp_set(b, 0x10);
36752     mp_set(e, 0x3);
36753     mp_set(m, 0x7);
36754     ret = mp_exptmod_ex(b, e, 1, m, r);
36755     if (ret != MP_OKAY)
36756         return -13204;
36757     ret = mp_exptmod_nct(b, e, m, r);
36758     if (ret != MP_OKAY)
36759         return -13205;
36760 
36761     mp_set(b, 0x7);
36762     mp_set(e, 0x3);
36763     mp_set(m, 0x7);
36764     ret = mp_exptmod_ex(b, e, 1, m, r);
36765     if (ret != MP_OKAY)
36766         return -13206;
36767     if (!mp_iszero(r))
36768         return -13207;
36769     ret = mp_exptmod_nct(b, e, m, r);
36770     if (ret != MP_OKAY)
36771         return -13208;
36772     if (!mp_iszero(r))
36773         return -13209;
36774 
36775 #ifndef WOLFSSL_SP_MATH
36776     mp_set(b, 0x01);
36777     mp_mul_2d(b, DIGIT_BIT, b);
36778     mp_add_d(b, 1, b);
36779     mp_set(e, 0x3);
36780     mp_copy(b, m);
36781     ret = mp_exptmod_ex(b, e, 1, m, r);
36782     if (ret != MP_OKAY)
36783         return -13210;
36784     if (!mp_iszero(r))
36785         return -13211;
36786     ret = mp_exptmod_nct(b, e, m, r);
36787     if (ret != MP_OKAY)
36788         return -13212;
36789     if (!mp_iszero(r))
36790         return -13213;
36791 #endif
36792 
36793     mp_set(b, 0x2);
36794     mp_set(e, 0x3);
36795     mp_set(m, 0x7);
36796     ret = mp_exptmod_ex(b, e, 1, m, r);
36797     if (ret != MP_OKAY)
36798         return -13214;
36799     ret = mp_exptmod_nct(b, e, m, r);
36800     if (ret != MP_OKAY)
36801         return -13215;
36802 
36803 #ifdef WOLFSSL_SP_MATH_ALL
36804     mp_set(b, 0x2);
36805     mp_set(e, 0x3);
36806     mp_set(m, 0x01);
36807     mp_mul_2d(m, SP_WORD_SIZE * SP_INT_DIGITS / 2, m);
36808     mp_add_d(m, 0x01, m);
36809     ret = mp_exptmod_ex(b, e, 1, m, r);
36810     if (ret != MP_VAL)
36811         return -13216;
36812     ret = mp_exptmod_nct(b, e, m, r);
36813     if (ret != MP_VAL)
36814         return -13217;
36815 #endif
36816 
36817     return 0;
36818 }
36819 #endif /* !NO_RSA || !NO_DSA || !NO_DH || (HAVE_ECC && HAVE_COMP_KEY) ||
36820         * OPENSSL_EXTRA */
36821 
36822 #if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \
36823     defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
36824 static int mp_test_mont(mp_int* a, mp_int* m, mp_int* n, mp_int* r, WC_RNG* rng)
36825 {
36826     int ret;
36827     mp_digit mp;
36828     static int      exp[] = {     7,     8,    16,    27,    32,    64,
36829                                 127,   128,   255,   256,
36830 #if defined(SP_WORD_SIZE) && SP_WORD_SIZE > 8
36831                                 383,   384,  2033,  2048
36832 #endif
36833                              };
36834     static mp_digit sub[] = {  0x01,  0x05,  0x0f,  0x27,  0x05,  0x3b,
36835                                0x01,  0x9f,  0x13,  0xbd,
36836 #if defined(SP_WORD_SIZE) && SP_WORD_SIZE > 8
36837                                0x1f, 0x13d,  0x45, 0x615
36838 #endif
36839                             };
36840     int bits[] = { 256, 384, 2048,
36841 #if defined(SP_INT_MAX_BITS) && SP_INT_MAX_BITS > 6144
36842                    3072
36843 #endif
36844                  };
36845     int i;
36846     int j;
36847 
36848     for (i = 0; i < (int)(sizeof(exp) / sizeof(*exp)); i++) {
36849         if (exp[i] >= DIGIT_BIT)
36850             continue;
36851 
36852         mp_zero(m);
36853         ret = mp_set_bit(m, exp[i]);
36854         if (ret != MP_OKAY)
36855             return -13220;
36856         ret = mp_sub_d(m, sub[i], m);
36857         if (ret != MP_OKAY)
36858             return -13221;
36859 
36860         ret = mp_montgomery_setup(m, &mp);
36861         if (ret != MP_OKAY)
36862             return -13222;
36863         ret = mp_montgomery_calc_normalization(n, m);
36864         if (ret != MP_OKAY)
36865             return -13223;
36866 
36867         for (j = 0; j < 10; j++) {
36868             ret = randNum(a, (exp[i] + DIGIT_BIT - 1) / DIGIT_BIT, rng, NULL);
36869             if (ret != 0)
36870                 return -13224;
36871 
36872             ret = mp_mod(a, m, a);
36873             if (ret != 0)
36874                 return -13225;
36875 
36876             /* r = a * a */
36877             ret = mp_sqrmod(a, m, r);
36878             if (ret != MP_OKAY)
36879                 return -13226;
36880 
36881             /* Convert to Montgomery form = a*n */
36882             ret = mp_mulmod(a, n, m, a);
36883             if (ret != MP_OKAY)
36884                 return -13227;
36885 
36886             /* a*a mod m == ((a*n) * (a*n)) / n / n */
36887             ret = mp_sqr(a, a);
36888             if (ret != MP_OKAY)
36889                 return -13228;
36890             ret = mp_montgomery_reduce(a, m, mp);
36891             if (ret != MP_OKAY)
36892                 return -13229;
36893             ret = mp_montgomery_reduce(a, m, mp);
36894             if (ret != MP_OKAY)
36895                 return -13230;
36896 
36897             if (mp_cmp(a, r) != MP_EQ)
36898                 return -13231;
36899         }
36900     }
36901 
36902     /* Force carries. */
36903     for (i = 0; i < (int)(sizeof(bits) / sizeof(*bits)); i++) {
36904         /* a = 2^(bits*2) - 1 */
36905         mp_zero(a);
36906         mp_set_bit(a, bits[i] * 2);
36907         mp_sub_d(a, 1, a);
36908         /* m = 2^(bits) - 1 */
36909         mp_zero(m);
36910         mp_set_bit(m, bits[i]);
36911         mp_sub_d(m, 1, m);
36912         mp = 1;
36913         /* result = r = 2^(bits) - 1 */
36914         mp_zero(r);
36915         mp_set_bit(r, bits[i]);
36916         mp_sub_d(r, 1, r);
36917 
36918         ret = mp_montgomery_reduce(a, m, mp);
36919         if (ret != MP_OKAY)
36920             return -13240;
36921 
36922         /* Result is m or 0 if reduced to range of modulus. */
36923         if (mp_cmp(a, r) != MP_EQ && mp_iszero(a) != MP_YES)
36924             return -13241;
36925     }
36926 
36927     return 0;
36928 }
36929 #endif
36930 
36931 WOLFSSL_TEST_SUBROUTINE int mp_test(void)
36932 {
36933     WC_RNG rng;
36934     int    ret;
36935 #if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN)
36936     int    i, j;
36937 #ifndef WOLFSSL_SP_MATH
36938     int    k;
36939 #endif
36940     mp_digit d;
36941 #endif
36942     mp_int a, b, r1, r2, p;
36943 
36944     ret = mp_init_multi(&a, &b, &r1, &r2, NULL, NULL);
36945     if (ret != 0)
36946         return -13300;
36947 
36948 #ifdef WOLFSSL_SP_MATH_ALL
36949     mp_init_copy(&p, &a);
36950 #else
36951     ret = mp_init(&p);
36952     if (ret != 0)
36953         return -13301;
36954 #endif
36955 
36956 #ifndef HAVE_FIPS
36957     ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
36958 #else
36959     ret = wc_InitRng(&rng);
36960 #endif
36961     if (ret != 0)
36962         goto done;
36963 
36964 #if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN)
36965     mp_set_int(&a, 0);
36966     if (a.used != 0 || a.dp[0] != 0)
36967         return -13302;
36968 
36969     for (j = 1; j <= MP_MAX_TEST_BYTE_LEN; j++) {
36970         for (i = 0; i < 4 * j; i++) {
36971             /* New values to use. */
36972             ret = randNum(&p, j, &rng, NULL);
36973             if (ret != 0)
36974                 return -13303;
36975             ret = randNum(&a, j, &rng, NULL);
36976             if (ret != 0)
36977                 return -13304;
36978             ret = randNum(&b, j, &rng, NULL);
36979             if (ret != 0)
36980                 return -13305;
36981             ret = wc_RNG_GenerateBlock(&rng, (byte*)&d, sizeof(d));
36982             if (ret != 0)
36983                 return -13306;
36984             d &= MP_MASK;
36985 
36986          #if !defined(WOLFSSL_SP_MATH) || (defined(HAVE_ECC) && \
36987                                        (defined(ECC_SHAMIR) || defined(FP_ECC)))
36988             /* Ensure sqrmod produce same result as mulmod. */
36989             ret = mp_sqrmod(&a, &p, &r1);
36990             if (ret != 0)
36991                 return -13307;
36992             ret = mp_mulmod(&a, &a, &p, &r2);
36993             if (ret != 0)
36994                 return -13308;
36995             if (mp_cmp(&r1, &r2) != 0)
36996                 return -13309;
36997          #endif
36998 
36999      #if defined(WOLFSSL_SP_MATH_ALL) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
37000          #if defined(WOLFSSL_SP_MATH) || (defined(WOLFSSL_SP_MATH_ALL) && \
37001                                               !defined(WOLFSSL_SP_INT_NEGATIVE))
37002             ret = mp_addmod(&a, &b, &p, &r1);
37003             if (ret != 0)
37004                 return -13310;
37005             ret = mp_submod(&r1, &b, &p, &r2);
37006             if (ret != 0)
37007                 return -13311;
37008             ret = mp_mod(&a, &p, &r1);
37009             if (ret != 0)
37010                 return -13312;
37011             if (mp_cmp(&r1, &r2) != MP_EQ)
37012                 return -13313;
37013          #else
37014             /* Ensure add with mod produce same result as sub with mod. */
37015             ret = mp_addmod(&a, &b, &p, &r1);
37016             if (ret != 0)
37017                 return -13314;
37018             b.sign ^= 1;
37019             ret = mp_submod(&a, &b, &p, &r2);
37020             if (ret != 0)
37021                 return -13315;
37022             if (mp_cmp(&r1, &r2) != 0)
37023                 return -13316;
37024          #endif
37025     #endif
37026 
37027             /* Ensure add digit produce same result as sub digit. */
37028             ret = mp_add_d(&a, d, &r1);
37029             if (ret != 0)
37030                 return -13317;
37031             ret = mp_sub_d(&r1, d, &r2);
37032             if (ret != 0)
37033                 return -13318;
37034             if (mp_cmp(&a, &r2) != 0)
37035                 return -13319;
37036 
37037             /* Invert - if p is even it will use the slow impl.
37038              *        - if p and a are even it will fail.
37039              */
37040             ret = mp_invmod(&a, &p, &r1);
37041             if (ret != 0 && ret != MP_VAL)
37042                 return -13320;
37043             ret = 0;
37044 
37045         #ifndef WOLFSSL_SP_MATH
37046             /* Shift up and down number all bits in a digit. */
37047             for (k = 0; k < DIGIT_BIT; k++) {
37048                 mp_mul_2d(&a, k, &r1);
37049                 mp_div_2d(&r1, k, &r2, &p);
37050                 if (mp_cmp(&a, &r2) != 0)
37051                     return -13321;
37052                 if (!mp_iszero(&p))
37053                     return -13322;
37054                 mp_rshb(&r1, k);
37055                 if (mp_cmp(&a, &r1) != 0)
37056                     return -13323;
37057             }
37058         #endif
37059         }
37060     }
37061 
37062 #if DIGIT_BIT >= 32
37063     /* Check that setting a 32-bit digit works. */
37064     d &= 0xffffffffU;
37065     mp_set_int(&a, d);
37066     if (a.used != 1 || a.dp[0] != d)
37067         return -13324;
37068 #endif
37069 
37070     /* Check setting a bit and testing a bit works. */
37071     for (i = 0; i < MP_MAX_TEST_BYTE_LEN * 8; i++) {
37072         mp_zero(&a);
37073         mp_set_bit(&a, i);
37074         if (!mp_is_bit_set(&a, i))
37075             return -13325;
37076     }
37077 #endif
37078 
37079 #if defined(HAVE_ECC) && defined(HAVE_COMP_KEY)
37080     mp_zero(&a);
37081     i = mp_cnt_lsb(&a);
37082     if (i != 0)
37083         return -13326;
37084     mp_set(&a, 1);
37085     i = mp_cnt_lsb(&a);
37086     if (i != 0)
37087         return -13327;
37088 #endif
37089 
37090 #if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
37091     if ((ret = mp_test_param(&a, &b, &r1, &rng)) != 0)
37092         return ret;
37093 #endif
37094 
37095 #if defined(WOLFSSL_SP_MATH_ALL) || !defined(USE_FAST_MATH)
37096     if ((ret = mp_test_div_3(&a, &r1, &rng)) != 0)
37097         return ret;
37098 #endif
37099 #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && \
37100     !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
37101     (!defined WOLFSSL_SP_MATH && !defined(WOLFSSL_SP_MATH_ALL) && \
37102     (defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)))
37103     if ((ret = mp_test_radix_10(&a, &r1, &rng)) != 0)
37104         return ret;
37105 #endif
37106 #if defined(WOLFSSL_SP_MATH_ALL) || (!defined WOLFSSL_SP_MATH && \
37107                                                               defined(HAVE_ECC))
37108     if ((ret = mp_test_radix_16(&a, &r1, &rng)) != 0)
37109         return ret;
37110 #endif
37111 
37112     if ((ret = mp_test_shift(&a, &r1, &rng)) != 0)
37113         return ret;
37114     if ((ret = mp_test_add_sub_d(&a, &r1)) != 0)
37115         return ret;
37116     if ((ret = mp_test_read_to_bin(&a)) != 0)
37117         return ret;
37118 #if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
37119     if ((ret = mp_test_set_int(&a)) != 0)
37120         return ret;
37121 #endif
37122     if ((ret = mp_test_cmp(&a, &r1)) != 0)
37123         return ret;
37124 #if !defined(NO_DH) || defined(HAVE_ECC) || !defined(WOLFSSL_RSA_VERIFY_ONLY)
37125     if ((ret = mp_test_shbd(&a, &b, &rng))  != 0)
37126         return ret;
37127 #endif
37128 #if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
37129     if ((ret = mp_test_set_is_bit(&a)) != 0)
37130         return ret;
37131 #endif
37132 #ifdef WOLFSSL_SP_MATH_ALL
37133     if ((ret = mp_test_div(&a, &b, &r1, &r2, &rng)) != 0)
37134         return ret;
37135 #endif
37136 #if defined(WOLFSSL_KEY_GEN) && (!defined(NO_DH) || !defined(NO_DSA)) && \
37137     !defined(WC_NO_RNG)
37138     if ((ret = mp_test_prime(&a, &rng)) != 0)
37139         return ret;
37140 #endif
37141 #if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && !defined(WC_RSA_BLINDING)
37142     if ((ret = mp_test_lcm_gcd(&a, &b, &r1, &r2, &rng)) != 0)
37143         return ret;
37144 #endif
37145 #if (!defined(WOLFSSL_SP_MATH) && !defined(USE_FAST_MATH)) || \
37146     defined(WOLFSSL_SP_MATH_ALL)
37147     if ((ret = mp_test_mod_2d(&a, &r1, &p, &rng)) != 0)
37148         return ret;
37149 #endif
37150 #if (defined(HAVE_ECC) && defined(HAVE_COMP_KEY)) || \
37151                             (defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN))
37152     if ((ret = mp_test_mod_d(&a)) != 0)
37153         return ret;
37154 #endif
37155     if ((ret = mp_test_mul_sqr(&a, &b, &r1, &r2, &rng)) != 0)
37156         return ret;
37157 #if !defined(NO_RSA) || defined(HAVE_ECC) || !defined(NO_DSA) || \
37158     defined(OPENSSL_EXTRA)
37159     if ((ret = mp_test_invmod(&a, &b, &r1)) != 0)
37160         return ret;
37161 #endif
37162 #if !defined(NO_RSA) || !defined(NO_DSA) || !defined(NO_DH) || \
37163     (defined(HAVE_ECC) && defined(HAVE_COMP_KEY)) || defined(OPENSSL_EXTRA)
37164     if ((ret = mp_test_exptmod(&a, &b, &r1, &r2)) != 0)
37165         return ret;
37166 #endif
37167 #if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \
37168     defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
37169     if ((ret = mp_test_mont(&a, &b, &r1, &r2, &rng)) != 0)
37170         return ret;
37171 #endif
37172 
37173 done:
37174     mp_clear(&p);
37175     mp_clear(&r2);
37176     mp_clear(&r1);
37177     mp_clear(&b);
37178     mp_clear(&a);
37179     wc_FreeRng(&rng);
37180     return ret;
37181 }
37182 #endif
37183 
37184 
37185 #if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN)
37186 
37187 typedef struct pairs_t {
37188     const unsigned char* coeff;
37189     int coeffSz;
37190     int exp;
37191 } pairs_t;
37192 
37193 
37194 /*
37195 n =p1p2p3, where pi = ki(p1-1)+1 with (k2,k3) = (173,293)
37196 p1 = 2^192 * 0x000000000000e24fd4f6d6363200bf2323ec46285cac1d3a
37197    + 2^0   * 0x0b2488b0c29d96c5e67f8bec15b54b189ae5636efe89b45b
37198 */
37199 
37200 static const unsigned char c192a[] =
37201 {
37202     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe2, 0x4f,
37203     0xd4, 0xf6, 0xd6, 0x36, 0x32, 0x00, 0xbf, 0x23,
37204     0x23, 0xec, 0x46, 0x28, 0x5c, 0xac, 0x1d, 0x3a
37205 };
37206 static const unsigned char c0a[] =
37207 {
37208     0x0b, 0x24, 0x88, 0xb0, 0xc2, 0x9d, 0x96, 0xc5,
37209     0xe6, 0x7f, 0x8b, 0xec, 0x15, 0xb5, 0x4b, 0x18,
37210     0x9a, 0xe5, 0x63, 0x6e, 0xfe, 0x89, 0xb4, 0x5b
37211 };
37212 
37213 static const pairs_t ecPairsA[] =
37214 {
37215     {c192a, sizeof(c192a), 192},
37216     {c0a, sizeof(c0a), 0}
37217 };
37218 
37219 static const int kA[] = {173, 293};
37220 
37221 static const unsigned char controlPrime[] = {
37222     0xe1, 0x76, 0x45, 0x80, 0x59, 0xb6, 0xd3, 0x49,
37223     0xdf, 0x0a, 0xef, 0x12, 0xd6, 0x0f, 0xf0, 0xb7,
37224     0xcb, 0x2a, 0x37, 0xbf, 0xa7, 0xf8, 0xb5, 0x4d,
37225     0xf5, 0x31, 0x35, 0xad, 0xe4, 0xa3, 0x94, 0xa1,
37226     0xdb, 0xf1, 0x96, 0xad, 0xb5, 0x05, 0x64, 0x85,
37227     0x83, 0xfc, 0x1b, 0x5b, 0x29, 0xaa, 0xbe, 0xf8,
37228     0x26, 0x3f, 0x76, 0x7e, 0xad, 0x1c, 0xf0, 0xcb,
37229     0xd7, 0x26, 0xb4, 0x1b, 0x05, 0x8e, 0x56, 0x86,
37230     0x7e, 0x08, 0x62, 0x21, 0xc1, 0x86, 0xd6, 0x47,
37231     0x79, 0x3e, 0xb7, 0x5d, 0xa4, 0xc6, 0x3a, 0xd7,
37232     0xb1, 0x74, 0x20, 0xf6, 0x50, 0x97, 0x41, 0x04,
37233     0x53, 0xed, 0x3f, 0x26, 0xd6, 0x6f, 0x91, 0xfa,
37234     0x68, 0x26, 0xec, 0x2a, 0xdc, 0x9a, 0xf1, 0xe7,
37235     0xdc, 0xfb, 0x73, 0xf0, 0x79, 0x43, 0x1b, 0x21,
37236     0xa3, 0x59, 0x04, 0x63, 0x52, 0x07, 0xc9, 0xd7,
37237     0xe6, 0xd1, 0x1b, 0x5d, 0x5e, 0x96, 0xfa, 0x53
37238 };
37239 
37240 static const unsigned char testOne[] = { 1 };
37241 
37242 
37243 static int GenerateNextP(mp_int* p1, mp_int* p2, int k)
37244 {
37245     int ret;
37246 #ifdef WOLFSSL_SMALL_STACK
37247     mp_int *ki = (mp_int *)XMALLOC(sizeof(*ki), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37248 
37249     if (ki == NULL)
37250         return MEMORY_E;
37251 #else
37252     mp_int ki[1];
37253 #endif
37254 
37255     ret = mp_init(ki);
37256     if (ret == 0)
37257         ret = mp_set(ki, k);
37258     if (ret == 0)
37259         ret = mp_sub_d(p1, 1, p2);
37260     if (ret == 0)
37261         ret = mp_mul(p2, ki, p2);
37262     if (ret == 0)
37263         ret = mp_add_d(p2, 1, p2);
37264     mp_clear(ki);
37265 
37266 #ifdef WOLFSSL_SMALL_STACK
37267     XFREE(ki, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37268 #endif
37269 
37270     return ret;
37271 }
37272 
37273 
37274 static int GenerateP(mp_int* p1, mp_int* p2, mp_int* p3,
37275                 const pairs_t* ecPairs, int ecPairsSz,
37276                 const int* k)
37277 {
37278 #ifdef WOLFSSL_SMALL_STACK
37279     mp_int *x = NULL, *y = NULL;
37280 #else
37281     mp_int x[1], y[1];
37282 #endif
37283     int ret, i;
37284 
37285 #ifdef WOLFSSL_SMALL_STACK
37286     if (((x = (mp_int *)XMALLOC(sizeof(*x), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)) == NULL) ||
37287         ((y = (mp_int *)XMALLOC(sizeof(*x), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)) == NULL)) {
37288         ret = MEMORY_E;
37289         goto out;
37290     }
37291 #endif
37292 
37293     ret = mp_init_multi(x, y, NULL, NULL, NULL, NULL);
37294     if (ret != 0) {
37295         ret = MP_MEM;
37296         goto out;
37297     }
37298     for (i = 0; ret == 0 && i < ecPairsSz; i++) {
37299         ret = mp_read_unsigned_bin(x, ecPairs[i].coeff, ecPairs[i].coeffSz);
37300         /* p1 = 2^exp */
37301         if (ret == 0)
37302             ret = mp_2expt(y, ecPairs[i].exp);
37303         /* p1 = p1 * m */
37304         if (ret == 0)
37305             ret = mp_mul(x, y, x);
37306         /* p1 +=  */
37307         if (ret == 0)
37308             ret = mp_add(p1, x, p1);
37309         mp_zero(x);
37310         mp_zero(y);
37311     }
37312 
37313     if (ret == 0)
37314         ret = GenerateNextP(p1, p2, k[0]);
37315     if (ret == 0)
37316         ret = GenerateNextP(p1, p3, k[1]);
37317 
37318   out:
37319 
37320 #ifdef WOLFSSL_SMALL_STACK
37321     if (x != NULL) {
37322         mp_clear(x);
37323         XFREE(x, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37324     }
37325     if (y != NULL) {
37326         mp_clear(y);
37327         XFREE(y, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37328     }
37329 #else
37330     mp_clear(x);
37331     mp_clear(y);
37332 #endif
37333 
37334     return ret;
37335 }
37336 
37337 WOLFSSL_TEST_SUBROUTINE int prime_test(void)
37338 {
37339 #ifdef WOLFSSL_SMALL_STACK
37340     mp_int *n = (mp_int *)XMALLOC(sizeof *n, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER),
37341         *p1 = (mp_int *)XMALLOC(sizeof *p1, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER),
37342         *p2 = (mp_int *)XMALLOC(sizeof *p2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER),
37343         *p3 = (mp_int *)XMALLOC(sizeof *p3, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37344 #else
37345     mp_int n[1],
37346         p1[1],
37347         p2[1],
37348         p3[1];
37349 #endif
37350     int ret, isPrime = 0;
37351     WC_RNG rng;
37352 
37353 #ifdef WOLFSSL_SMALL_STACK
37354     if ((n == NULL) ||
37355         (p1 == NULL) ||
37356         (p2 == NULL) ||
37357         (p3 == NULL))
37358         ERROR_OUT(MEMORY_E, out);
37359 #endif
37360 
37361     ret = wc_InitRng(&rng);
37362     if (ret == 0)
37363         ret = mp_init_multi(n, p1, p2, p3, NULL, NULL);
37364     if (ret == 0)
37365         ret = GenerateP(p1, p2, p3,
37366                 ecPairsA, sizeof(ecPairsA) / sizeof(ecPairsA[0]), kA);
37367     if (ret == 0)
37368         ret = mp_mul(p1, p2, n);
37369     if (ret == 0)
37370         ret = mp_mul(n, p3, n);
37371     if (ret != 0)
37372         ERROR_OUT(-13400, out);
37373 
37374     /* Check the old prime test using the number that false positives.
37375      * This test result should indicate as not prime. */
37376     ret = mp_prime_is_prime(n, 40, &isPrime);
37377     if (ret != 0)
37378         ERROR_OUT(-13401, out);
37379     if (isPrime)
37380         ERROR_OUT(-13402, out);
37381 
37382     /* This test result should fail. It should indicate the value as prime. */
37383     ret = mp_prime_is_prime(n, 8, &isPrime);
37384     if (ret != 0)
37385         ERROR_OUT(-13403, out);
37386     if (!isPrime)
37387         ERROR_OUT(-13404, out);
37388 
37389     /* This test result should indicate the value as not prime. */
37390     ret = mp_prime_is_prime_ex(n, 8, &isPrime, &rng);
37391     if (ret != 0)
37392         ERROR_OUT(-13405, out);
37393     if (isPrime)
37394         ERROR_OUT(-13406, out);
37395 
37396     ret = mp_read_unsigned_bin(n, controlPrime, sizeof(controlPrime));
37397     if (ret != 0)
37398         ERROR_OUT(-13407, out);
37399 
37400     /* This test result should indicate the value as prime. */
37401     ret = mp_prime_is_prime_ex(n, 8, &isPrime, &rng);
37402     if (ret != 0)
37403         ERROR_OUT(-13408, out);
37404     if (!isPrime)
37405         ERROR_OUT(-13409, out);
37406 
37407     /* This test result should indicate the value as prime. */
37408     isPrime = -1;
37409     ret = mp_prime_is_prime(n, 8, &isPrime);
37410     if (ret != 0)
37411         ERROR_OUT(-13410, out);
37412     if (!isPrime)
37413         ERROR_OUT(-13411, out);
37414 
37415     ret = mp_read_unsigned_bin(n, testOne, sizeof(testOne));
37416     if (ret != 0)
37417         ERROR_OUT(-13412, out);
37418 
37419     /* This test result should indicate the value as not prime. */
37420     ret = mp_prime_is_prime_ex(n, 8, &isPrime, &rng);
37421     if (ret != 0)
37422         ERROR_OUT(-13413, out);
37423     if (isPrime)
37424         ERROR_OUT(-13414, out);
37425 
37426     ret = mp_prime_is_prime(n, 8, &isPrime);
37427     if (ret != 0)
37428         ERROR_OUT(-13415, out);
37429     if (isPrime)
37430         ERROR_OUT(-13416, out);
37431 
37432     ret = 0;
37433 
37434   out:
37435 
37436 #ifdef WOLFSSL_SMALL_STACK
37437     if (n != NULL) {
37438         mp_clear(n);
37439         XFREE(n, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37440     }
37441     if (p1 != NULL) {
37442         mp_clear(p1);
37443         XFREE(p1, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37444     }
37445     if (p2 != NULL) {
37446         mp_clear(p2);
37447         XFREE(p2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37448     }
37449     if (p3 != NULL) {
37450         mp_clear(p3);
37451         XFREE(p3, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37452     }
37453 #else
37454     mp_clear(p3);
37455     mp_clear(p2);
37456     mp_clear(p1);
37457     mp_clear(n);
37458 #endif
37459 
37460     wc_FreeRng(&rng);
37461 
37462     return ret;
37463 }
37464 
37465 #endif /* WOLFSSL_PUBLIC_MP */
37466 
37467 
37468 #if defined(ASN_BER_TO_DER) && \
37469     (defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
37470      defined(OPENSSL_EXTRA_X509_SMALL))
37471 /* wc_BerToDer is only public facing in the case of test cert or opensslextra */
37472 typedef struct berDerTestData {
37473     const byte *in;
37474     word32 inSz;
37475     const byte *out;
37476     word32 outSz;
37477 } berDerTestData;
37478 
37479 WOLFSSL_TEST_SUBROUTINE int berder_test(void)
37480 {
37481     int ret;
37482     int i;
37483     word32 len = 0, l;
37484     byte out[32];
37485     WOLFSSL_SMALL_STACK_STATIC const byte good1_in[] = { 0x30, 0x80, 0x00, 0x00 };
37486     WOLFSSL_SMALL_STACK_STATIC const byte good1_out[] = { 0x30, 0x00 };
37487     WOLFSSL_SMALL_STACK_STATIC const byte good2_in[] = { 0x30, 0x80, 0x02, 0x01, 0x01, 0x00, 0x00 };
37488     WOLFSSL_SMALL_STACK_STATIC const byte good2_out[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
37489     WOLFSSL_SMALL_STACK_STATIC const byte good3_in[] = {
37490         0x24, 0x80, 0x04, 0x01, 0x01, 0x00, 0x00
37491     };
37492     WOLFSSL_SMALL_STACK_STATIC const byte good3_out[] = { 0x04, 0x1, 0x01 };
37493     WOLFSSL_SMALL_STACK_STATIC const byte good4_in[] = {
37494         0x30, 0x80,
37495           0x02, 0x01, 0x01,
37496           0x30, 0x80,
37497             0x24, 0x80,
37498               0x04, 0x01, 0x01,
37499               0x04, 0x02, 0x02, 0x03,
37500               0x00, 0x00,
37501             0x06, 0x01, 0x01,
37502             0x00, 0x00,
37503           0x31, 0x80,
37504             0x06, 0x01, 0x01,
37505             0x00, 0x00,
37506           0x00, 0x00,
37507     };
37508     WOLFSSL_SMALL_STACK_STATIC const byte good4_out[] = {
37509         0x30, 0x12,
37510           0x02, 0x01, 0x01,
37511           0x30, 0x08,
37512             0x04, 0x03, 0x01, 0x02, 0x03,
37513             0x06, 0x01, 0x01,
37514           0x31, 0x03,
37515             0x06, 0x01, 0x01
37516     };
37517     WOLFSSL_SMALL_STACK_STATIC const byte good5_in[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
37518 
37519     berDerTestData testData[] = {
37520         { good1_in, sizeof(good1_in), good1_out, sizeof(good1_out) },
37521         { good2_in, sizeof(good2_in), good2_out, sizeof(good2_out) },
37522         { good3_in, sizeof(good3_in), good3_out, sizeof(good3_out) },
37523         { good4_in, sizeof(good4_in), good4_out, sizeof(good4_out) },
37524         { good5_in, sizeof(good5_in), good5_in , sizeof(good5_in ) },
37525     };
37526 
37527     for (i = 0; i < (int)(sizeof(testData) / sizeof(*testData)); i++) {
37528         ret = wc_BerToDer(testData[i].in, testData[i].inSz, NULL, &len);
37529         if (ret != LENGTH_ONLY_E)
37530             return -13500 - i;
37531         if (len != testData[i].outSz)
37532             return -13510 - i;
37533         len = testData[i].outSz;
37534         ret = wc_BerToDer(testData[i].in, testData[i].inSz, out, &len);
37535         if (ret != 0)
37536             return -13520 - i;
37537         if (XMEMCMP(out, testData[i].out, len) != 0)
37538             return -13530 - i;
37539 
37540         for (l = 1; l < testData[i].inSz; l++) {
37541             ret = wc_BerToDer(testData[i].in, l, NULL, &len);
37542             if (ret != ASN_PARSE_E)
37543                  return -13540;
37544             len = testData[i].outSz;
37545             ret = wc_BerToDer(testData[i].in, l, out, &len);
37546             if (ret != ASN_PARSE_E)
37547                  return -13541;
37548         }
37549 
37550         for (l = 0; l < testData[i].outSz-1; l++) {
37551             ret = wc_BerToDer(testData[i].in, testData[i].inSz, out, &l);
37552             if (ret != BUFFER_E)
37553                  return -13542;
37554         }
37555     }
37556 
37557     ret = wc_BerToDer(NULL, 4, NULL, NULL);
37558     if (ret != BAD_FUNC_ARG)
37559         return -13543;
37560     ret = wc_BerToDer(out, 4, NULL, NULL);
37561     if (ret != BAD_FUNC_ARG)
37562         return -13544;
37563     ret = wc_BerToDer(NULL, 4, NULL, &len);
37564     if (ret != BAD_FUNC_ARG)
37565         return -13545;
37566     ret = wc_BerToDer(NULL, 4, out, NULL);
37567     if (ret != BAD_FUNC_ARG)
37568         return -13546;
37569     ret = wc_BerToDer(out, 4, out, NULL);
37570     if (ret != BAD_FUNC_ARG)
37571         return -13547;
37572     ret = wc_BerToDer(NULL, 4, out, &len);
37573     if (ret != BAD_FUNC_ARG)
37574         return -13548;
37575 
37576     for (l = 1; l < sizeof(good4_out); l++) {
37577         len = l;
37578         ret = wc_BerToDer(good4_in, sizeof(good4_in), out, &len);
37579         if (ret != BUFFER_E)
37580             return -13549;
37581     }
37582 
37583     return 0;
37584 }
37585 #endif
37586 
37587 #ifdef DEBUG_WOLFSSL
37588 static THREAD_LS_T int log_cnt = 0;
37589 static void my_Logging_cb(const int logLevel, const char *const logMessage)
37590 {
37591     (void)logLevel;
37592     (void)logMessage;
37593     log_cnt++;
37594 }
37595 #endif /* DEBUG_WOLFSSL */
37596 
37597 WOLFSSL_TEST_SUBROUTINE int logging_test(void)
37598 {
37599 #ifdef DEBUG_WOLFSSL
37600     const char* msg = "Testing, testing. 1, 2, 3, 4 ...";
37601     byte        a[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
37602     byte        b[256];
37603     int         i;
37604 
37605     for (i = 0; i < (int)sizeof(b); i++)
37606         b[i] = i;
37607 
37608     if (wolfSSL_Debugging_ON() != 0)
37609         return -13600;
37610 
37611     if (wolfSSL_SetLoggingCb(my_Logging_cb) != 0)
37612         return -13601;
37613 
37614     WOLFSSL_MSG(msg);
37615     WOLFSSL_BUFFER(a, sizeof(a));
37616     WOLFSSL_BUFFER(b, sizeof(b));
37617     WOLFSSL_BUFFER(NULL, 0);
37618     WOLFSSL_ERROR(MEMORY_E);
37619     WOLFSSL_ERROR_MSG(msg);
37620 
37621     /* turn off logs */
37622     wolfSSL_Debugging_OFF();
37623 
37624     /* capture log count */
37625     i = log_cnt;
37626 
37627     /* validate no logs are output when disabled */
37628     WOLFSSL_MSG(msg);
37629     WOLFSSL_BUFFER(a, sizeof(a));
37630     WOLFSSL_BUFFER(b, sizeof(b));
37631     WOLFSSL_BUFFER(NULL, 0);
37632     WOLFSSL_ERROR(MEMORY_E);
37633     WOLFSSL_ERROR_MSG(msg);
37634 
37635     /* check the logs were disabled */
37636     if (i != log_cnt)
37637         return -13602;
37638 
37639     /* restore callback and leave logging enabled */
37640     wolfSSL_SetLoggingCb(NULL);
37641     wolfSSL_Debugging_ON();
37642 
37643     /* suppress unused args */
37644     (void)a;
37645     (void)b;
37646 
37647 #else
37648     if (wolfSSL_Debugging_ON() != NOT_COMPILED_IN)
37649         return -13603;
37650     wolfSSL_Debugging_OFF();
37651     if (wolfSSL_SetLoggingCb(NULL) != NOT_COMPILED_IN)
37652         return -13604;
37653 #endif /* DEBUG_WOLFSSL */
37654     return 0;
37655 }
37656 
37657 
37658 WOLFSSL_TEST_SUBROUTINE int mutex_test(void)
37659 {
37660 #ifdef WOLFSSL_PTHREADS
37661     wolfSSL_Mutex m;
37662 #endif
37663 #if !defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_USER_MUTEX)
37664     wolfSSL_Mutex *mm = wc_InitAndAllocMutex();
37665     if (mm == NULL)
37666         return -13700;
37667     wc_FreeMutex(mm);
37668     XFREE(mm, HEAP_HINT, DYNAMIC_TYPE_MUTEX);
37669 #endif
37670 
37671     /* Can optionally enable advanced pthread tests using "ENABLE_PTHREAD_LOCKFREE_TESTS" */
37672 #ifdef WOLFSSL_PTHREADS
37673     if (wc_InitMutex(&m) != 0)
37674         return -13701;
37675     if (wc_LockMutex(&m) != 0)
37676         return -13702;
37677 #if !defined(WOLFSSL_SOLARIS) && defined(ENABLE_PTHREAD_LOCKFREE_TESTS)
37678     /* trying to free a locked mutex is not portable behavior with pthread */
37679     /* Attempting to destroy a locked mutex results in undefined behavior */
37680     if (wc_FreeMutex(&m) != BAD_MUTEX_E)
37681         return -13703;
37682 #endif
37683     if (wc_UnLockMutex(&m) != 0)
37684         return -13704;
37685     if (wc_FreeMutex(&m) != 0)
37686         return -13705;
37687 #if !defined(WOLFSSL_SOLARIS) && defined(ENABLE_PTHREAD_LOCKFREE_TESTS)
37688     /* Trying to use a pthread after free'ing is not portable behavior */
37689     if (wc_LockMutex(&m) != BAD_MUTEX_E)
37690         return -13706;
37691     if (wc_UnLockMutex(&m) != BAD_MUTEX_E)
37692         return -13707;
37693 #endif
37694 #endif
37695 
37696     return 0;
37697 }
37698 
37699 #if defined(USE_WOLFSSL_MEMORY) && !defined(FREERTOS)
37700 
37701 #if !defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_LINUXKM) && !defined(WOLFSSL_STATIC_MEMORY)
37702 static int malloc_cnt = 0;
37703 static int realloc_cnt = 0;
37704 static int free_cnt = 0;
37705 
37706 #ifdef WOLFSSL_DEBUG_MEMORY
37707 static void *my_Malloc_cb(size_t size, const char* func, unsigned int line)
37708 {
37709   (void) func;
37710   (void) line;
37711 #else
37712 static void *my_Malloc_cb(size_t size)
37713 {
37714 #endif
37715     malloc_cnt++;
37716     #ifndef WOLFSSL_NO_MALLOC
37717         return malloc(size);
37718     #else
37719         WOLFSSL_MSG("No malloc available");
37720         (void)size;
37721         return NULL;
37722     #endif
37723 }
37724 
37725 #ifdef WOLFSSL_DEBUG_MEMORY
37726 static void my_Free_cb(void *ptr, const char* func, unsigned int line)
37727 {
37728   (void) func;
37729   (void) line;
37730 #else
37731 static void my_Free_cb(void *ptr)
37732 {
37733 #endif
37734     free_cnt++;
37735     #ifndef WOLFSSL_NO_MALLOC
37736         free(ptr);
37737     #else
37738         WOLFSSL_MSG("No free available");
37739         (void)ptr;
37740     #endif
37741 }
37742 
37743 #ifdef WOLFSSL_DEBUG_MEMORY
37744 static void *my_Realloc_cb(void *ptr, size_t size, const char* func, unsigned int line)
37745 {
37746   (void) func;
37747   (void) line;
37748 #else
37749 static void *my_Realloc_cb(void *ptr, size_t size)
37750 {
37751 #endif
37752     realloc_cnt++;
37753     #ifndef WOLFSSL_NO_MALLOC
37754         return realloc(ptr, size);
37755     #else
37756         WOLFSSL_MSG("No realloc available");
37757         (void)ptr;
37758         (void)size;
37759         return NULL;
37760     #endif
37761 }
37762 #endif /* !WOLFSSL_NO_MALLOC */
37763 
37764 WOLFSSL_TEST_SUBROUTINE int memcb_test(void)
37765 {
37766     int ret = 0;
37767 #if !defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_LINUXKM) && !defined(WOLFSSL_STATIC_MEMORY)
37768     byte* b = NULL;
37769 #endif
37770     wolfSSL_Malloc_cb  mc;
37771     wolfSSL_Free_cb    fc;
37772     wolfSSL_Realloc_cb rc;
37773 
37774     /* Save existing memory callbacks */
37775     if (wolfSSL_GetAllocators(&mc, &fc, &rc) != 0)
37776         return -13800;
37777 
37778 #if !defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_LINUXKM) && !defined(WOLFSSL_STATIC_MEMORY)
37779 
37780     /* test realloc */
37781     b = (byte*)XREALLOC(b, 1024, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37782     if (b == NULL) {
37783         ERROR_OUT(-13801, exit_memcb);
37784     }
37785     XFREE(b, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37786     b = NULL;
37787 
37788     /* Use API. */
37789     if (wolfSSL_SetAllocators((wolfSSL_Malloc_cb)my_Malloc_cb,
37790                               (wolfSSL_Free_cb)my_Free_cb,
37791                               (wolfSSL_Realloc_cb)my_Realloc_cb) != 0) {
37792         ERROR_OUT(-13802, exit_memcb);
37793     }
37794 
37795     b = (byte*)XMALLOC(1024, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37796     b = (byte*)XREALLOC(b, 1024, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37797     XFREE(b, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
37798 
37799 #ifndef WOLFSSL_STATIC_MEMORY
37800     if (malloc_cnt != 1 || free_cnt != 1 || realloc_cnt != 1)
37801 #else
37802     if (malloc_cnt != 0 || free_cnt != 0 || realloc_cnt != 0)
37803 #endif
37804         ret = -13803;
37805 #endif /* !WOLFSSL_NO_MALLOC */
37806 
37807 #if !defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_LINUXKM) && !defined(WOLFSSL_STATIC_MEMORY)
37808 exit_memcb:
37809 #endif
37810 
37811     /* restore memory callbacks */
37812     wolfSSL_SetAllocators(mc, fc, rc);
37813 
37814     return ret;
37815 }
37816 #endif /* USE_WOLFSSL_MEMORY && !WOLFSSL_NO_MALLOC */
37817 
37818 
37819 #ifdef WOLFSSL_IMX6_CAAM_BLOB
37820 WOLFSSL_TEST_SUBROUTINE int blob_test(void)
37821 {
37822     int ret = 0;
37823     byte out[112];
37824     byte blob[112];
37825     word32 outSz;
37826 
37827     WOLFSSL_SMALL_STACK_STATIC const byte iv[] =
37828         {
37829             0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
37830             0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
37831         };
37832 
37833     WOLFSSL_SMALL_STACK_STATIC const byte text[] =
37834         {
37835             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
37836             0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
37837             0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
37838             0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
37839             0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
37840             0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
37841             0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
37842             0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
37843         };
37844 
37845 
37846     XMEMSET(blob, 0, sizeof(blob));
37847     XMEMSET(out, 0, sizeof(out));
37848     outSz = sizeof(blob);
37849     ret = wc_caamCreateBlob((byte*)iv, sizeof(iv), blob, &outSz);
37850     if (ret != 0) {
37851         ERROR_OUT(-13900, exit_blob);
37852     }
37853 
37854     blob[outSz - 2] += 1;
37855     ret = wc_caamOpenBlob(blob, outSz, out, &outSz);
37856     if (ret == 0) { /* should fail with altered blob */
37857         ERROR_OUT(-13901, exit_blob);
37858     }
37859 
37860     XMEMSET(blob, 0, sizeof(blob));
37861     outSz = sizeof(blob);
37862     ret = wc_caamCreateBlob((byte*)iv, sizeof(iv), blob, &outSz);
37863     if (ret != 0) {
37864         ERROR_OUT(-13902, exit_blob);
37865     }
37866 
37867     ret = wc_caamOpenBlob(blob, outSz, out, &outSz);
37868     if (ret != 0) {
37869         ERROR_OUT(-13903, exit_blob);
37870     }
37871 
37872     if (XMEMCMP(out, iv, sizeof(iv))) {
37873         ERROR_OUT(-13904, exit_blob);
37874     }
37875 
37876     XMEMSET(blob, 0, sizeof(blob));
37877     outSz = sizeof(blob);
37878     ret = wc_caamCreateBlob((byte*)text, sizeof(text), blob, &outSz);
37879     if (ret != 0) {
37880         ERROR_OUT(-13905, exit_blob);
37881     }
37882 
37883     ret = wc_caamOpenBlob(blob, outSz, out, &outSz);
37884     if (ret != 0) {
37885         ERROR_OUT(-13906, exit_blob);
37886     }
37887 
37888     if (XMEMCMP(out, text, sizeof(text))) {
37889         ERROR_OUT(-13907, exit_blob);
37890     }
37891 
37892     exit_blob:
37893 
37894     return ret;
37895 }
37896 #endif /* WOLFSSL_IMX6_CAAM_BLOB */
37897 
37898 #ifdef WOLF_CRYPTO_CB
37899 
37900 /* Example custom context for crypto callback */
37901 typedef struct {
37902     int exampleVar; /* example, not used */
37903 } myCryptoDevCtx;
37904 
37905 
37906 /* Example crypto dev callback function that calls software version */
37907 static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
37908 {
37909     int ret = NOT_COMPILED_IN; /* return this to bypass HW and use SW */
37910     myCryptoDevCtx* myCtx = (myCryptoDevCtx*)ctx;
37911 
37912     if (info == NULL)
37913         return BAD_FUNC_ARG;
37914 
37915 #ifdef DEBUG_WOLFSSL
37916     printf("CryptoDevCb: Algo Type %d\n", info->algo_type);
37917 #endif
37918 
37919     if (info->algo_type == WC_ALGO_TYPE_RNG) {
37920     #ifndef WC_NO_RNG
37921         /* set devId to invalid, so software is used */
37922         info->rng.rng->devId = INVALID_DEVID;
37923 
37924         ret = wc_RNG_GenerateBlock(info->rng.rng,
37925             info->rng.out, info->rng.sz);
37926 
37927         /* reset devId */
37928         info->rng.rng->devId = devIdArg;
37929     #endif
37930     }
37931     else if (info->algo_type == WC_ALGO_TYPE_SEED) {
37932     #ifndef WC_NO_RNG
37933         ALIGN32 static byte seed[sizeof(word32)] = { 0x00, 0x00, 0x00, 0x01 };
37934         word32* seedWord32 = (word32*)seed;
37935         word32 len;
37936 
37937         /* wc_GenerateSeed is a local symbol so we need to fake the entropy. */
37938         while (info->seed.sz > 0) {
37939             len = (word32)sizeof(seed);
37940             if (info->seed.sz < len)
37941                 len = info->seed.sz;
37942             XMEMCPY(info->seed.seed, seed, sizeof(seed));
37943             info->seed.seed += len;
37944             info->seed.sz -= len;
37945             (*seedWord32)++;
37946         }
37947 
37948         ret = 0;
37949     #endif
37950     }
37951     else if (info->algo_type == WC_ALGO_TYPE_PK) {
37952     #ifdef DEBUG_WOLFSSL
37953         printf("CryptoDevCb: Pk Type %d\n", info->pk.type);
37954     #endif
37955 
37956     #ifndef NO_RSA
37957         if (info->pk.type == WC_PK_TYPE_RSA) {
37958             /* set devId to invalid, so software is used */
37959             info->pk.rsa.key->devId = INVALID_DEVID;
37960 
37961             switch (info->pk.rsa.type) {
37962                 case RSA_PUBLIC_ENCRYPT:
37963                 case RSA_PUBLIC_DECRYPT:
37964                     /* perform software based RSA public op */
37965                     ret = wc_RsaFunction(
37966                         info->pk.rsa.in, info->pk.rsa.inLen,
37967                         info->pk.rsa.out, info->pk.rsa.outLen,
37968                         info->pk.rsa.type, info->pk.rsa.key, info->pk.rsa.rng);
37969                     break;
37970                 case RSA_PRIVATE_ENCRYPT:
37971                 case RSA_PRIVATE_DECRYPT:
37972                     /* perform software based RSA private op */
37973                     ret = wc_RsaFunction(
37974                         info->pk.rsa.in, info->pk.rsa.inLen,
37975                         info->pk.rsa.out, info->pk.rsa.outLen,
37976                         info->pk.rsa.type, info->pk.rsa.key, info->pk.rsa.rng);
37977                     break;
37978             }
37979 
37980             /* reset devId */
37981             info->pk.rsa.key->devId = devIdArg;
37982         }
37983     #ifdef WOLFSSL_KEY_GEN
37984         else if (info->pk.type == WC_PK_TYPE_RSA_KEYGEN) {
37985             info->pk.rsakg.key->devId = INVALID_DEVID;
37986 
37987 #ifdef HAVE_FIPS
37988             for (;;) {
37989 #endif
37990                 ret = wc_MakeRsaKey(info->pk.rsakg.key, info->pk.rsakg.size,
37991                     info->pk.rsakg.e, info->pk.rsakg.rng);
37992 #ifdef HAVE_FIPS
37993                 if (ret == PRIME_GEN_E)
37994                     continue;
37995                 break;
37996             }
37997 #endif
37998 
37999             /* reset devId */
38000             info->pk.rsakg.key->devId = devIdArg;
38001         }
38002     #endif
38003     #endif /* !NO_RSA */
38004     #ifdef HAVE_ECC
38005         if (info->pk.type == WC_PK_TYPE_EC_KEYGEN) {
38006             /* set devId to invalid, so software is used */
38007             info->pk.eckg.key->devId = INVALID_DEVID;
38008 
38009             ret = wc_ecc_make_key_ex(info->pk.eckg.rng, info->pk.eckg.size,
38010                 info->pk.eckg.key, info->pk.eckg.curveId);
38011 
38012             /* reset devId */
38013             info->pk.eckg.key->devId = devIdArg;
38014         }
38015         else if (info->pk.type == WC_PK_TYPE_ECDSA_SIGN) {
38016             /* set devId to invalid, so software is used */
38017             info->pk.eccsign.key->devId = INVALID_DEVID;
38018 
38019             ret = wc_ecc_sign_hash(
38020                 info->pk.eccsign.in, info->pk.eccsign.inlen,
38021                 info->pk.eccsign.out, info->pk.eccsign.outlen,
38022                 info->pk.eccsign.rng, info->pk.eccsign.key);
38023 
38024             /* reset devId */
38025             info->pk.eccsign.key->devId = devIdArg;
38026         }
38027         else if (info->pk.type == WC_PK_TYPE_ECDSA_VERIFY) {
38028             /* set devId to invalid, so software is used */
38029             info->pk.eccverify.key->devId = INVALID_DEVID;
38030 
38031             ret = wc_ecc_verify_hash(
38032                 info->pk.eccverify.sig, info->pk.eccverify.siglen,
38033                 info->pk.eccverify.hash, info->pk.eccverify.hashlen,
38034                 info->pk.eccverify.res, info->pk.eccverify.key);
38035 
38036             /* reset devId */
38037             info->pk.eccverify.key->devId = devIdArg;
38038         }
38039         else if (info->pk.type == WC_PK_TYPE_ECDH) {
38040             /* set devId to invalid, so software is used */
38041             info->pk.ecdh.private_key->devId = INVALID_DEVID;
38042 
38043             ret = wc_ecc_shared_secret(
38044                 info->pk.ecdh.private_key, info->pk.ecdh.public_key,
38045                 info->pk.ecdh.out, info->pk.ecdh.outlen);
38046 
38047             /* reset devId */
38048             info->pk.ecdh.private_key->devId = devIdArg;
38049         }
38050     #endif /* HAVE_ECC */
38051     #ifdef HAVE_CURVE25519
38052         if (info->pk.type == WC_PK_TYPE_CURVE25519_KEYGEN) {
38053             /* set devId to invalid, so software is used */
38054             info->pk.curve25519kg.key->devId = INVALID_DEVID;
38055 
38056             ret = wc_curve25519_make_key(info->pk.curve25519kg.rng,
38057                 info->pk.curve25519kg.size, info->pk.curve25519kg.key);
38058 
38059             /* reset devId */
38060             info->pk.curve25519kg.key->devId = devIdArg;
38061         }
38062         else if (info->pk.type == WC_PK_TYPE_CURVE25519) {
38063             /* set devId to invalid, so software is used */
38064             info->pk.curve25519.private_key->devId = INVALID_DEVID;
38065 
38066             ret = wc_curve25519_shared_secret_ex(
38067                 info->pk.curve25519.private_key, info->pk.curve25519.public_key,
38068                 info->pk.curve25519.out, info->pk.curve25519.outlen,
38069                 info->pk.curve25519.endian);
38070 
38071             /* reset devId */
38072             info->pk.curve25519.private_key->devId = devIdArg;
38073         }
38074     #endif /* HAVE_CURVE25519 */
38075     #ifdef HAVE_ED25519
38076         if (info->pk.type == WC_PK_TYPE_ED25519_KEYGEN) {
38077             /* set devId to invalid, so software is used */
38078             info->pk.ed25519kg.key->devId = INVALID_DEVID;
38079 
38080             ret = wc_ed25519_make_key(info->pk.ed25519kg.rng,
38081                 info->pk.ed25519kg.size, info->pk.ed25519kg.key);
38082 
38083             /* reset devId */
38084             info->pk.ed25519kg.key->devId = devIdArg;
38085         }
38086         #ifdef HAVE_ED25519_SIGN
38087         else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) {
38088             /* set devId to invalid, so software is used */
38089             info->pk.ed25519sign.key->devId = INVALID_DEVID;
38090 
38091             ret = wc_ed25519_sign_msg_ex(
38092                 info->pk.ed25519sign.in, info->pk.ed25519sign.inLen,
38093                 info->pk.ed25519sign.out, info->pk.ed25519sign.outLen,
38094                 info->pk.ed25519sign.key, info->pk.ed25519sign.type,
38095                 info->pk.ed25519sign.context, info->pk.ed25519sign.contextLen);
38096 
38097             /* reset devId */
38098             info->pk.ed25519sign.key->devId = devIdArg;
38099         }
38100         #endif
38101         #ifdef HAVE_ED25519_VERIFY
38102         else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) {
38103             /* set devId to invalid, so software is used */
38104             info->pk.ed25519verify.key->devId = INVALID_DEVID;
38105 
38106             ret = wc_ed25519_verify_msg_ex(
38107                 info->pk.ed25519verify.sig, info->pk.ed25519verify.sigLen,
38108                 info->pk.ed25519verify.msg, info->pk.ed25519verify.msgLen,
38109                 info->pk.ed25519verify.res, info->pk.ed25519verify.key,
38110                 info->pk.ed25519verify.type, info->pk.ed25519verify.context,
38111                 info->pk.ed25519verify.contextLen);
38112 
38113             /* reset devId */
38114             info->pk.ed25519verify.key->devId = devIdArg;
38115         }
38116         #endif
38117     #endif /* HAVE_ED25519 */
38118     }
38119     else if (info->algo_type == WC_ALGO_TYPE_CIPHER) {
38120 #if !defined(NO_AES) || !defined(NO_DES3)
38121     #ifdef HAVE_AESGCM
38122         if (info->cipher.type == WC_CIPHER_AES_GCM) {
38123             if (info->cipher.enc) {
38124                 /* set devId to invalid, so software is used */
38125                 info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID;
38126 
38127                 ret = wc_AesGcmEncrypt(
38128                     info->cipher.aesgcm_enc.aes,
38129                     info->cipher.aesgcm_enc.out,
38130                     info->cipher.aesgcm_enc.in,
38131                     info->cipher.aesgcm_enc.sz,
38132                     info->cipher.aesgcm_enc.iv,
38133                     info->cipher.aesgcm_enc.ivSz,
38134                     info->cipher.aesgcm_enc.authTag,
38135                     info->cipher.aesgcm_enc.authTagSz,
38136                     info->cipher.aesgcm_enc.authIn,
38137                     info->cipher.aesgcm_enc.authInSz);
38138 
38139                 /* reset devId */
38140                 info->cipher.aesgcm_enc.aes->devId = devIdArg;
38141             }
38142             else {
38143                 /* set devId to invalid, so software is used */
38144                 info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID;
38145 
38146                 ret = wc_AesGcmDecrypt(
38147                     info->cipher.aesgcm_dec.aes,
38148                     info->cipher.aesgcm_dec.out,
38149                     info->cipher.aesgcm_dec.in,
38150                     info->cipher.aesgcm_dec.sz,
38151                     info->cipher.aesgcm_dec.iv,
38152                     info->cipher.aesgcm_dec.ivSz,
38153                     info->cipher.aesgcm_dec.authTag,
38154                     info->cipher.aesgcm_dec.authTagSz,
38155                     info->cipher.aesgcm_dec.authIn,
38156                     info->cipher.aesgcm_dec.authInSz);
38157 
38158                 /* reset devId */
38159                 info->cipher.aesgcm_dec.aes->devId = devIdArg;
38160             }
38161         }
38162     #endif /* HAVE_AESGCM */
38163     #ifdef HAVE_AES_CBC
38164         if (info->cipher.type == WC_CIPHER_AES_CBC) {
38165             if (info->cipher.enc) {
38166                 /* set devId to invalid, so software is used */
38167                 info->cipher.aescbc.aes->devId = INVALID_DEVID;
38168 
38169                 ret = wc_AesCbcEncrypt(
38170                     info->cipher.aescbc.aes,
38171                     info->cipher.aescbc.out,
38172                     info->cipher.aescbc.in,
38173                     info->cipher.aescbc.sz);
38174 
38175                 /* reset devId */
38176                 info->cipher.aescbc.aes->devId = devIdArg;
38177             }
38178             else {
38179                 /* set devId to invalid, so software is used */
38180                 info->cipher.aescbc.aes->devId = INVALID_DEVID;
38181 
38182                 ret = wc_AesCbcDecrypt(
38183                     info->cipher.aescbc.aes,
38184                     info->cipher.aescbc.out,
38185                     info->cipher.aescbc.in,
38186                     info->cipher.aescbc.sz);
38187 
38188                 /* reset devId */
38189                 info->cipher.aescbc.aes->devId = devIdArg;
38190             }
38191         }
38192     #endif /* HAVE_AES_CBC */
38193     #if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
38194         if (info->cipher.type == WC_CIPHER_AES_CCM) {
38195             if (info->cipher.enc) {
38196                 /* set devId to invalid, so software is used */
38197                 info->cipher.aesccm_enc.aes->devId = INVALID_DEVID;
38198 
38199                 ret = wc_AesCcmEncrypt(
38200                     info->cipher.aesccm_enc.aes,
38201                     info->cipher.aesccm_enc.out,
38202                     info->cipher.aesccm_enc.in,
38203                     info->cipher.aesccm_enc.sz,
38204                     info->cipher.aesccm_enc.nonce,
38205                     info->cipher.aesccm_enc.nonceSz,
38206                     info->cipher.aesccm_enc.authTag,
38207                     info->cipher.aesccm_enc.authTagSz,
38208                     info->cipher.aesccm_enc.authIn,
38209                     info->cipher.aesccm_enc.authInSz);
38210 
38211                 /* reset devId */
38212                 info->cipher.aesccm_enc.aes->devId = devIdArg;
38213             }
38214             else {
38215                 /* set devId to invalid, so software is used */
38216                 info->cipher.aesccm_dec.aes->devId = INVALID_DEVID;
38217 
38218                 ret = wc_AesCcmDecrypt(
38219                     info->cipher.aesccm_dec.aes,
38220                     info->cipher.aesccm_dec.out,
38221                     info->cipher.aesccm_dec.in,
38222                     info->cipher.aesccm_dec.sz,
38223                     info->cipher.aesccm_dec.nonce,
38224                     info->cipher.aesccm_dec.nonceSz,
38225                     info->cipher.aesccm_dec.authTag,
38226                     info->cipher.aesccm_dec.authTagSz,
38227                     info->cipher.aesccm_dec.authIn,
38228                     info->cipher.aesccm_dec.authInSz);
38229 
38230                 /* reset devId */
38231                 info->cipher.aesccm_dec.aes->devId = devIdArg;
38232             }
38233         }
38234     #endif
38235     #ifndef NO_DES3
38236         if (info->cipher.type == WC_CIPHER_DES3) {
38237             if (info->cipher.enc) {
38238                 /* set devId to invalid, so software is used */
38239                 info->cipher.des3.des->devId = INVALID_DEVID;
38240 
38241                 ret = wc_Des3_CbcEncrypt(
38242                     info->cipher.des3.des,
38243                     info->cipher.des3.out,
38244                     info->cipher.des3.in,
38245                     info->cipher.des3.sz);
38246 
38247                 /* reset devId */
38248                 info->cipher.des3.des->devId = devIdArg;
38249             }
38250             else {
38251                 /* set devId to invalid, so software is used */
38252                 info->cipher.des3.des->devId = INVALID_DEVID;
38253 
38254                 ret = wc_Des3_CbcDecrypt(
38255                     info->cipher.des3.des,
38256                     info->cipher.des3.out,
38257                     info->cipher.des3.in,
38258                     info->cipher.des3.sz);
38259 
38260                 /* reset devId */
38261                 info->cipher.des3.des->devId = devIdArg;
38262             }
38263         }
38264     #endif /* !NO_DES3 */
38265 #endif /* !NO_AES || !NO_DES3 */
38266     }
38267 #if !defined(NO_SHA) || !defined(NO_SHA256) || \
38268     defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
38269     else if (info->algo_type == WC_ALGO_TYPE_HASH) {
38270     #if !defined(NO_SHA)
38271         if (info->hash.type == WC_HASH_TYPE_SHA) {
38272             if (info->hash.sha1 == NULL)
38273                 return NOT_COMPILED_IN;
38274 
38275             /* set devId to invalid, so software is used */
38276             info->hash.sha1->devId = INVALID_DEVID;
38277 
38278             if (info->hash.in != NULL) {
38279                 ret = wc_ShaUpdate(
38280                     info->hash.sha1,
38281                     info->hash.in,
38282                     info->hash.inSz);
38283             }
38284             if (info->hash.digest != NULL) {
38285                 ret = wc_ShaFinal(
38286                     info->hash.sha1,
38287                     info->hash.digest);
38288             }
38289 
38290             /* reset devId */
38291             info->hash.sha1->devId = devIdArg;
38292         }
38293         else
38294     #endif
38295     #if !defined(NO_SHA256)
38296         if (info->hash.type == WC_HASH_TYPE_SHA256) {
38297             if (info->hash.sha256 == NULL)
38298                 return NOT_COMPILED_IN;
38299 
38300             /* set devId to invalid, so software is used */
38301             info->hash.sha256->devId = INVALID_DEVID;
38302 
38303             if (info->hash.in != NULL) {
38304                 ret = wc_Sha256Update(
38305                     info->hash.sha256,
38306                     info->hash.in,
38307                     info->hash.inSz);
38308             }
38309             if (info->hash.digest != NULL) {
38310                 ret = wc_Sha256Final(
38311                     info->hash.sha256,
38312                     info->hash.digest);
38313             }
38314 
38315             /* reset devId */
38316             info->hash.sha256->devId = devIdArg;
38317         }
38318         else
38319     #endif
38320     #ifdef WOLFSSL_SHA384
38321         if (info->hash.type == WC_HASH_TYPE_SHA384) {
38322             if (info->hash.sha384 == NULL)
38323                 return NOT_COMPILED_IN;
38324 
38325             #ifndef NO_SHA2_CRYPTO_CB
38326             /* set devId to invalid, so software is used */
38327             info->hash.sha384->devId = INVALID_DEVID;
38328             #endif
38329 
38330             if (info->hash.in != NULL) {
38331                 ret = wc_Sha384Update(
38332                     info->hash.sha384,
38333                     info->hash.in,
38334                     info->hash.inSz);
38335             }
38336             if (info->hash.digest != NULL) {
38337                 ret = wc_Sha384Final(
38338                     info->hash.sha384,
38339                     info->hash.digest);
38340             }
38341 
38342             #ifndef NO_SHA2_CRYPTO_CB
38343             /* reset devId */
38344             info->hash.sha384->devId = devIdArg;
38345             #endif
38346         }
38347         else
38348     #endif
38349     #ifdef WOLFSSL_SHA512
38350         if (info->hash.type == WC_HASH_TYPE_SHA512) {
38351             if (info->hash.sha512 == NULL)
38352                 return NOT_COMPILED_IN;
38353 
38354             #ifndef NO_SHA2_CRYPTO_CB
38355             /* set devId to invalid, so software is used */
38356             info->hash.sha512->devId = INVALID_DEVID;
38357             #endif
38358 
38359             if (info->hash.in != NULL) {
38360                 ret = wc_Sha512Update(
38361                     info->hash.sha512,
38362                     info->hash.in,
38363                     info->hash.inSz);
38364             }
38365             if (info->hash.digest != NULL) {
38366                 ret = wc_Sha512Final(
38367                     info->hash.sha512,
38368                     info->hash.digest);
38369             }
38370 
38371             #ifndef NO_SHA2_CRYPTO_CB
38372             /* reset devId */
38373             info->hash.sha512->devId = devIdArg;
38374             #endif
38375         }
38376         else
38377     #endif
38378         {
38379         }
38380     }
38381 #endif /* !NO_SHA || !NO_SHA256 */
38382 #ifndef NO_HMAC
38383     else if (info->algo_type == WC_ALGO_TYPE_HMAC) {
38384         if (info->hmac.hmac == NULL)
38385             return NOT_COMPILED_IN;
38386 
38387         /* set devId to invalid, so software is used */
38388         info->hmac.hmac->devId = INVALID_DEVID;
38389 
38390         if (info->hash.in != NULL) {
38391             ret = wc_HmacUpdate(
38392                 info->hmac.hmac,
38393                 info->hmac.in,
38394                 info->hmac.inSz);
38395         }
38396         else if (info->hash.digest != NULL) {
38397             ret = wc_HmacFinal(
38398                 info->hmac.hmac,
38399                 info->hmac.digest);
38400         }
38401 
38402         /* reset devId */
38403         info->hmac.hmac->devId = devIdArg;
38404     }
38405 #endif
38406 
38407     (void)devIdArg;
38408     (void)myCtx;
38409 
38410     return ret;
38411 }
38412 
38413 WOLFSSL_TEST_SUBROUTINE int cryptocb_test(void)
38414 {
38415     int ret = 0;
38416     myCryptoDevCtx myCtx;
38417 
38418     /* example data for callback */
38419     myCtx.exampleVar = 1;
38420 
38421     /* set devId to something other than INVALID_DEVID */
38422     devId = 1;
38423     ret = wc_CryptoCb_RegisterDevice(devId, myCryptoDevCb, &myCtx);
38424 
38425 #ifndef WC_NO_RNG
38426     if (ret == 0)
38427         ret = random_test();
38428 #endif /* WC_NO_RNG */
38429 #ifndef NO_RSA
38430     PRIVATE_KEY_UNLOCK();
38431     if (ret == 0)
38432         ret = rsa_test();
38433     PRIVATE_KEY_LOCK();
38434 #endif
38435 #ifdef HAVE_ECC
38436     PRIVATE_KEY_UNLOCK();
38437     if (ret == 0)
38438         ret = ecc_test();
38439     PRIVATE_KEY_LOCK();
38440 #endif
38441 #ifdef HAVE_ED25519
38442     if (ret == 0)
38443         ret = ed25519_test();
38444 #endif
38445 #ifdef HAVE_CURVE25519
38446     if (ret == 0)
38447         ret = curve25519_test();
38448 #endif
38449 #ifndef NO_AES
38450     #ifdef HAVE_AESGCM
38451     if (ret == 0)
38452         ret = aesgcm_test();
38453     #endif
38454     #ifdef HAVE_AES_CBC
38455     if (ret == 0)
38456         ret = aes_test();
38457     #endif
38458     #if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
38459     if (ret == 0)
38460         ret = aesccm_test();
38461     #endif
38462 #endif /* !NO_AES */
38463 #ifndef NO_DES3
38464     if (ret == 0)
38465         ret = des3_test();
38466 #endif /* !NO_DES3 */
38467 #ifndef NO_SHA
38468     if (ret == 0)
38469         ret = sha_test();
38470 #endif
38471 #ifndef NO_SHA256
38472     if (ret == 0)
38473         ret = sha256_test();
38474 #endif
38475 #ifdef WOLFSSL_SHA384
38476     if (ret == 0)
38477         ret = sha384_test();
38478 #endif
38479 #ifdef WOLFSSL_SHA512
38480     if (ret == 0)
38481         ret = sha512_test();
38482 #endif
38483 #ifndef NO_HMAC
38484     #ifndef NO_SHA
38485     if (ret == 0)
38486         ret = hmac_sha_test();
38487     #endif
38488     #ifndef NO_SHA256
38489     if (ret == 0)
38490         ret = hmac_sha256_test();
38491     #endif
38492 #endif
38493 #ifndef NO_PWDBASED
38494     #if defined(HAVE_PBKDF2) && !defined(NO_SHA256)
38495     if (ret == 0)
38496         ret = pbkdf2_test();
38497     #endif
38498 #endif
38499 #if defined(WOLFSSL_CMAC) && !defined(NO_AES)
38500     if (ret == 0)
38501         ret = cmac_test();
38502 #endif
38503 
38504     /* reset devId */
38505     devId = INVALID_DEVID;
38506 
38507     return ret;
38508 }
38509 #endif /* WOLF_CRYPTO_CB */
38510 
38511 #ifdef WOLFSSL_CERT_PIV
38512 WOLFSSL_TEST_SUBROUTINE int certpiv_test(void)
38513 {
38514     int ret;
38515     wc_CertPIV piv;
38516 
38517     /* Template for Identiv PIV cert, nonce and signature */
38518     WOLFSSL_SMALL_STACK_STATIC const byte pivCertIdentiv[] = {
38519         0x0A, 0x0B,
38520           0x53, 0x09,         /* NIST PIV Cert */
38521             0x70, 0x02,       /* Certificate */
38522               0x30, 0x00,
38523             0x71, 0x01, 0x05, /* Cert Info */
38524             0xFE, 0x00,       /* Error Detection */
38525         0x0B, 0x01, 0x00,     /* Nonce */
38526         0x0C, 0x01, 0x00,     /* Signed Nonce */
38527     };
38528     /* PIV certificate data including certificate, info and error dectection. */
38529     WOLFSSL_SMALL_STACK_STATIC const byte pivCert[] = {
38530         0x53, 0x09,         /* NIST PIV Cert */
38531           0x70, 0x02,       /* Certificate */
38532             0x30, 0x00,
38533           0x71, 0x01, 0x04, /* Cert Info */
38534           0xFE, 0x00,       /* Error Detection */
38535     };
38536 
38537     XMEMSET(&piv, 0, sizeof(piv));
38538     /* Test with Identiv 0x0A, 0x0B and 0x0C markers */
38539     ret = wc_ParseCertPIV(&piv, pivCertIdentiv, sizeof(pivCertIdentiv));
38540     if (ret != 0) {
38541         return -14000;
38542     }
38543     if (!piv.isIdentiv) {
38544         return -14001;
38545     }
38546     if ((piv.cert == NULL) || (piv.certSz != 2)) {
38547         return -14002;
38548     }
38549     if ((piv.certErrDet == NULL) || (piv.certErrDetSz != 0)) {
38550         return -14003;
38551     }
38552     if ((piv.compression != ASN_PIV_CERT_INFO_GZIP)) {
38553         return -14004;
38554     }
38555     if (!piv.isX509) {
38556         return -14005;
38557     }
38558     if ((piv.nonce == NULL) || (piv.nonceSz != 1)) {
38559         return -14006;
38560     }
38561     if ((piv.signedNonce == NULL) || (piv.signedNonceSz != 1)) {
38562         return -14007;
38563     }
38564 
38565     XMEMSET(&piv, 0, sizeof(piv));
38566     /* Test with NIST PIV format */
38567     ret = wc_ParseCertPIV(&piv, pivCert, sizeof(pivCert));
38568     if (ret != 0) {
38569         return -14010;
38570     }
38571     if (piv.isIdentiv) {
38572         return -14011;
38573     }
38574     if ((piv.cert == NULL) || (piv.certSz != 2)) {
38575         return -14012;
38576     }
38577     if ((piv.certErrDet == NULL) || (piv.certErrDetSz != 0)) {
38578         return -14013;
38579     }
38580     if ((piv.compression != 0)) {
38581         return -14014;
38582     }
38583     if (!piv.isX509) {
38584         return -14015;
38585     }
38586 
38587     return ret;
38588 }
38589 #endif /* WOLFSSL_CERT_PIV */
38590 
38591 
38592 #undef ERROR_OUT
38593 
38594 #else
38595     #ifndef NO_MAIN_DRIVER
38596         int main() { return 0; }
38597     #endif
38598 #endif /* NO_CRYPT_TEST */
38599