From f00e5247bb0cef3a9b66d4b8c833b3acaf2d8031 Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Mon, 17 Jun 2024 11:49:41 -0400
Subject: [PATCH 1/4] Add sanity for case id'd in optesting review
---
 wolfcrypt/src/aes.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 7edf08f9f..915b22dbb 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -10643,6 +10643,11 @@ static WARN_UNUSED_RESULT int roll_auth(
 word32 remainder;
 int ret;
+ /* Sanity check on authIn to prevent segfault in xorbuf() where
+ * variable 'in' is dereferenced as the mask 'm' in misc.c */
+ if (in == NULL)
+ return BAD_FUNC_ARG;
+
 /* encode the length in */
 if (inSz <= 0xFEFF) {
 authLenSz = 2;
From a1645d684afd6559a56de41bc417dde7354811fa Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Fri, 21 Jun 2024 15:38:03 -0400
Subject: [PATCH 2/4] 448 streaming base on ENABLED flag and below FIPS section
---
 configure.ac | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/configure.ac b/configure.ac
index 8d5e0c8f6..8f1f08591 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4103,18 +4103,6 @@ AC_ARG_ENABLE([ed448-stream],
 [ ENABLED_ED448_STREAM=no ]
 )
-if test "$ENABLED_ED448_STREAM" != "no"
-then
- if test "$ENABLED_ED448" = "no"
- then
- AC_MSG_ERROR([ED448 verify streaming enabled but ED448 is disabled])
- else
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ED448_STREAMING_VERIFY"
- AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ED448_STREAMING_VERIFY"
- fi
-fi
-
-
 # FP ECC, Fixed Point cache ECC
 AC_ARG_ENABLE([fpecc],
 [AS_HELP_STRING([--enable-fpecc],[Enable Fixed Point cache ECC (default: disabled)])],
@@ -5614,6 +5602,18 @@ then
 ENABLED_CERTS=yes
 fi
+if test "$ENABLED_ED448_STREAM" != "no"
+then
+ if test "$ENABLED_ED448" = "no"
+ then
+ AC_MSG_ERROR([ED448 verify streaming enabled but ED448 is disabled])
+ else
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ED448_STREAMING_VERIFY"
+ AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_ED448_STREAMING_VERIFY"
+ fi
+fi
+
+
 # SRTP-KDF
 if test "$ENABLED_SRTP" = "yes"
 then
From 871dc9c19b3e7956c332231488e5cd6c4aff88d8 Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Fri, 21 Jun 2024 15:53:18 -0400
Subject: [PATCH 3/4] Implement peer review feedback
---
 wolfcrypt/src/aes.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 915b22dbb..dc07259c6 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -10643,11 +10643,6 @@ static WARN_UNUSED_RESULT int roll_auth(
 word32 remainder;
 int ret;
- /* Sanity check on authIn to prevent segfault in xorbuf() where
- * variable 'in' is dereferenced as the mask 'm' in misc.c */
- if (in == NULL)
- return BAD_FUNC_ARG;
-
 /* encode the length in */
 if (inSz <= 0xFEFF) {
 authLenSz = 2;
@@ -10766,6 +10761,11 @@ int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
 authTagSz > AES_BLOCK_SIZE)
 return BAD_FUNC_ARG;
+ /* Sanity check on authIn to prevent segfault in xorbuf() where
+ * variable 'in' is dereferenced as the mask 'm' in misc.c */
+ if (authIn == NULL && authInSz > 0)
+ return BAD_FUNC_ARG;
+
 /* sanity check on tag size */
 if (wc_AesCcmCheckTagSize((int)authTagSz) != 0) {
 return BAD_FUNC_ARG;
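Review bot: The comment above the new guard in wc_AesCcmEncrypt still refers to the variable 'in', but in this function `in` is the plaintext pointer; the wording was carried over from roll_auth(), where the checked pointer was the parameter named `in`. Something like `/* reject NULL authIn with non-zero authInSz before it reaches roll_auth()/xorbuf() */` would describe what is actually tested, and the same applies to the identical comment added to wc_AesCcmDecrypt in the following hunk. Both function bodies start and end outside their hunks, so whether roll_auth() has any other caller that is now left without a NULL check cannot be confirmed from here. The series as shown touches no test file; a case that calls both functions with `authIn == NULL` and `authInSz > 0` and expects `BAD_FUNC_ARG` would pin the new return path.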
@@ -10908,6 +10908,12 @@ int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
 authTagSz > AES_BLOCK_SIZE)
 return BAD_FUNC_ARG;
+ /* Sanity check on authIn to prevent segfault in xorbuf() where
+ * variable 'in' is dereferenced as the mask 'm' in misc.c */
+ if (authIn == NULL && authInSz > 0)
+ return BAD_FUNC_ARG;
+
+
 /* sanity check on tag size */
 if (wc_AesCcmCheckTagSize((int)authTagSz) != 0) {
 return BAD_FUNC_ARG;
From 23f796c0b4cb33de69a90e44d2fce7c7bcc1a5bc Mon Sep 17 00:00:00 2001
From: kaleb-himes
Date: Fri, 21 Jun 2024 15:55:08 -0400
Subject: [PATCH 4/4] Cleanup excess line
---
 wolfcrypt/src/aes.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index dc07259c6..a4e4b4a36 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -10913,7 +10913,6 @@ int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
 if (authIn == NULL && authInSz > 0)
 return BAD_FUNC_ARG;
-
 /* sanity check on tag size */
 if (wc_AesCcmCheckTagSize((int)authTagSz) != 0) {
 return BAD_FUNC_ARG;