add signature negative verify tests

Author: JeremiahM37

tests/api/test_dsa.c

@@ -117,6 +117,19 @@ int test_wc_DsaSignVerify(void)
     ExpectIntEQ(wc_DsaVerify(hash, signature, NULL, &answer), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wc_DsaVerify(hash, signature, &key, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
+    /* Negative: tampered hash deterministically reaches the
+     * mp_cmp(r, v) == MP_EQ check — r and s are unmodified so the
+     * sanity-range gate is passed and verify math produces v != r. */
+    {
+        byte badHash[WC_SHA_DIGEST_SIZE];
+
+        XMEMCPY(badHash, hash, sizeof(badHash));
+        badHash[0] ^= 0x01;
+        answer = 1;
+        ExpectIntEQ(wc_DsaVerify(badHash, signature, &key, &answer), 0);
+        ExpectIntEQ(answer, 0);
+    }
+
 #if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) && defined(WOLFSSL_PUBLIC_MP)
     /* hard set q to 0 and test fail case */
     mp_free(&key.q);

tests/api/test_rsa.c

@@ -491,6 +491,91 @@ int test_wc_RsaPSS_Verify(void)
     return EXPECT_RESULT();
 } /* END  test_wc_RsaPSS_Verify */
 
+/*
+ * Negative test for the 0xbc terminator check in RsaUnPad_PSS.
+ *
+ * Positive KAT tests catch a constant change (0xbc -> 0xbd), but a subtle
+ * mutation of the returned error code would survive tests that only check
+ * for any nonzero return. Here we construct a signature whose recovered
+ * encoded message has a wrong terminator byte and assert the exact return
+ * value is BAD_PADDING_E.
+ *
+ * Method: sign a message, use wc_RsaDirect with RSA_PUBLIC_DECRYPT to
+ * recover the encoded message, flip the terminator byte, then use
+ * wc_RsaDirect with RSA_PRIVATE_ENCRYPT to re-sign. wc_RsaPSS_Verify on
+ * the re-signed block must return BAD_PADDING_E from the terminator check
+ * (which runs before the MGF/salt consistency checks).
+ */
+int test_wc_RsaPSS_BadTerminator(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && !defined(HAVE_SELFTEST) && \
+    !defined(HAVE_FIPS) && defined(WC_RSA_BLINDING) && defined(WC_RSA_PSS) && \
+    (defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING) || \
+     defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
+    RsaKey        key;
+    WC_RNG        rng;
+    const char*   msg = "This is the string to be signed";
+    unsigned char sig[2048/8];
+    unsigned char em[2048/8];
+    unsigned char badSig[2048/8];
+    unsigned char verifyOut[2048/8];
+    int           sigLen = 0;
+    word32        emSz = sizeof(em);
+    word32        badSigSz = sizeof(badSig);
+
+    XMEMSET(&key, 0, sizeof(RsaKey));
+    XMEMSET(&rng, 0, sizeof(WC_RNG));
+    XMEMSET(em, 0, sizeof(em));
+    XMEMSET(sig, 0, sizeof(sig));
+    XMEMSET(badSig, 0, sizeof(badSig));
+
+    ExpectIntEQ(wc_InitRsaKey(&key, HEAP_HINT), 0);
+    ExpectIntEQ(wc_InitRng(&rng), 0);
+    ExpectIntEQ(wc_RsaSetRNG(&key, &rng), 0);
+    ExpectIntEQ(wc_MakeRsaKey(&key, 2048, WC_RSA_EXPONENT, &rng), 0);
+
+    ExpectIntGT(sigLen = wc_RsaPSS_Sign((const byte*)msg,
+        (word32)XSTRLEN(msg) + 1, sig, sizeof(sig),
+        WC_HASH_TYPE_SHA256, WC_MGF1SHA256, &key, &rng), 0);
+
+    /* Recover encoded message from signature using public key. */
+    ExpectIntGT(wc_RsaDirect(sig, (word32)sigLen, em, &emSz, &key,
+        RSA_PUBLIC_DECRYPT, NULL), 0);
+
+    /* Assert that RSA_PUBLIC_DECRYPT recovered a well-formed PSS block
+     * terminated with 0xbc - a failure here indicates a layout change in
+     * PSS encoding or in wc_RsaDirect, and the whole premise of this
+     * negative test would be wrong. */
+    ExpectTrue(emSz > 0);
+    if (emSz > 0) {
+        ExpectIntEQ((int)em[emSz - 1], 0xbc);
+    }
+
+    /* Gate the tamper+verify path on the recovered byte matching 0xbc so
+     * a failure of the sanity check above surfaces once rather than
+     * cascading into the verify assertion. */
+    if (emSz > 0 && em[emSz - 1] == 0xbc) {
+        /* Flip the terminator byte from 0xbc to 0xbd. */
+        em[emSz - 1] = 0xbd;
+
+        /* Re-sign the tampered encoded message. */
+        ExpectIntGT(wc_RsaDirect(em, emSz, badSig, &badSigSz, &key,
+            RSA_PRIVATE_ENCRYPT, &rng), 0);
+
+        /* Verify must fail with BAD_PADDING_E from the terminator check. */
+        ExpectIntEQ(wc_RsaPSS_Verify(badSig, badSigSz, verifyOut,
+            sizeof(verifyOut),
+            WC_HASH_TYPE_SHA256, WC_MGF1SHA256, &key),
+            WC_NO_ERR_TRACE(BAD_PADDING_E));
+    }
+
+    DoExpectIntEQ(wc_FreeRsaKey(&key), 0);
+    DoExpectIntEQ(wc_FreeRng(&rng), 0);
+#endif
+    return EXPECT_RESULT();
+} /* END test_wc_RsaPSS_BadTerminator */
+
 /*
  * Testing wc_RsaPSS_VerifyCheck()
  */

tests/api/test_rsa.h

@@ -32,6 +32,7 @@ int test_wc_RsaPrivateKeyDecodeRaw(void);
 int test_wc_MakeRsaKey(void);
 int test_wc_CheckProbablePrime(void);
 int test_wc_RsaPSS_Verify(void);
+int test_wc_RsaPSS_BadTerminator(void);
 int test_wc_RsaPSS_VerifyCheck(void);
 int test_wc_RsaPSS_VerifyCheckInline(void);
 int test_wc_RsaKeyToDer(void);
@@ -52,6 +53,7 @@ int test_wc_RsaDecrypt_BoundsCheck(void);
     TEST_DECL_GROUP("rsa", test_wc_MakeRsaKey),                 \
     TEST_DECL_GROUP("rsa", test_wc_CheckProbablePrime),         \
     TEST_DECL_GROUP("rsa", test_wc_RsaPSS_Verify),              \
+    TEST_DECL_GROUP("rsa", test_wc_RsaPSS_BadTerminator),       \
     TEST_DECL_GROUP("rsa", test_wc_RsaPSS_VerifyCheck),         \
     TEST_DECL_GROUP("rsa", test_wc_RsaPSS_VerifyCheckInline),   \
     TEST_DECL_GROUP("rsa", test_wc_RsaKeyToDer),                \