Merge pull request #10080 from JeremiahM37/fenrir-issues

Fenrir fixes
This commit is contained in:
Daniel Pouzzner
2026-04-02 00:06:02 -05:00
committed by GitHub
11 changed files with 102 additions and 32 deletions
+9
View File
@@ -1180,6 +1180,8 @@ static int ImportKeyState(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
word16 i, wordCount, wordAdj = 0;
/* do window */
if (idx + OPAQUE16_LEN > len)
return BUFFER_E;
ato16(exp + idx, &wordCount);
idx += OPAQUE16_LEN;
@@ -1188,6 +1190,8 @@ static int ImportKeyState(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
wordCount = WOLFSSL_DTLS_WINDOW_WORDS;
}
if (idx + (wordCount * OPAQUE32_LEN) + wordAdj > len)
return BUFFER_E;
XMEMSET(keys->peerSeq[0].window, 0xFF, DTLS_SEQ_SZ);
for (i = 0; i < wordCount; i++) {
ato32(exp + idx, &keys->peerSeq[0].window[i]);
@@ -1196,6 +1200,9 @@ static int ImportKeyState(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
idx += wordAdj;
/* do prevWindow */
wordAdj = 0;
if (idx + OPAQUE16_LEN > len)
return BUFFER_E;
ato16(exp + idx, &wordCount);
idx += OPAQUE16_LEN;
@@ -1204,6 +1211,8 @@ static int ImportKeyState(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
wordCount = WOLFSSL_DTLS_WINDOW_WORDS;
}
if (idx + (wordCount * OPAQUE32_LEN) + wordAdj > len)
return BUFFER_E;
XMEMSET(keys->peerSeq[0].prevWindow, 0xFF, DTLS_SEQ_SZ);
for (i = 0; i < wordCount; i++) {
ato32(exp + idx, &keys->peerSeq[0].prevWindow[i]);
+22 -1
View File
@@ -87,6 +87,7 @@ static int wc_CAAM_DevEccSign(const byte* in, int inlen, byte* out,
/* private key */
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(key), pk, keySz) != MP_OKAY)
{
ForceZero(pk, sizeof(pk));
return MP_TO_E;
}
@@ -108,10 +109,12 @@ static int wc_CAAM_DevEccSign(const byte* in, int inlen, byte* out,
mp_free(&mps);
if (ret != 0) {
WOLFSSL_MSG("Issue converting to signature\n");
ForceZero(pk, sizeof(pk));
return -1;
}
}
ForceZero(pk, sizeof(pk));
return ret;
}
@@ -201,6 +204,7 @@ static int wc_CAAM_DevEcdh(ecc_key* private_key, ecc_key* public_key, byte* out,
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(private_key), pk, keySz) !=
MP_OKAY) {
WOLFSSL_MSG("error getting private key buffer");
ForceZero(pk, sizeof(pk));
return MP_TO_E;
}
@@ -209,6 +213,7 @@ static int wc_CAAM_DevEcdh(ecc_key* private_key, ecc_key* public_key, byte* out,
if (ret == 0) {
*outlen = keySz;
}
ForceZero(pk, sizeof(pk));
return ret;
}
@@ -237,10 +242,12 @@ static int wc_CAAM_DevMakeEccKey(WC_RNG* rng, int keySize, ecc_key* key,
ret = wc_DevCryptoEccKeyGen(curveId, blackKey, s, keySize, xy, keySize*2);
if (wc_ecc_import_unsigned(key, xy, xy + keySize, s, curveId) != 0) {
WOLFSSL_MSG("issue importing key");
ForceZero(s, sizeof(s));
return -1;
}
key->blackKey = blackKey;
ForceZero(s, sizeof(s));
(void)rng;
return ret;
}
@@ -340,6 +347,7 @@ int wc_CAAM_EccSign(const byte* in, int inlen, byte* out, word32* outlen,
if (key->blackKey == CAAM_BLACK_KEY_CCM) {
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(key), pk,
keySz + WC_CAAM_MAC_SZ) != MP_OKAY) {
ForceZero(pk, sizeof(pk));
return MP_TO_E;
}
buf[idx].Length = keySz + WC_CAAM_MAC_SZ;
@@ -347,6 +355,7 @@ int wc_CAAM_EccSign(const byte* in, int inlen, byte* out, word32* outlen,
else {
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(key), pk, keySz) !=
MP_OKAY) {
ForceZero(pk, sizeof(pk));
return MP_TO_E;
}
buf[idx].Length = keySz;
@@ -376,8 +385,10 @@ int wc_CAAM_EccSign(const byte* in, int inlen, byte* out, word32* outlen,
args[3] = keySz;
ret = wc_caamAddAndWait(buf, idx, args, CAAM_ECDSA_SIGN);
if (ret != 0)
if (ret != 0) {
ForceZero(pk, sizeof(pk));
return -1;
}
/* convert signature from raw bytes to signature format */
{
@@ -394,10 +405,12 @@ int wc_CAAM_EccSign(const byte* in, int inlen, byte* out, word32* outlen,
mp_free(&mps);
if (ret != 0) {
WOLFSSL_MSG("Issue converting to signature");
ForceZero(pk, sizeof(pk));
return -1;
}
}
ForceZero(pk, sizeof(pk));
(void)devId;
return MP_OKAY;
}
@@ -610,6 +623,7 @@ int wc_CAAM_Ecdh(ecc_key* private_key, ecc_key* public_key, byte* out,
if (private_key->blackKey == CAAM_BLACK_KEY_CCM) {
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(private_key), pk,
keySz + WC_CAAM_MAC_SZ) != MP_OKAY) {
ForceZero(pk, sizeof(pk));
return MP_TO_E;
}
buf[idx].Length = keySz + WC_CAAM_MAC_SZ;
@@ -617,6 +631,7 @@ int wc_CAAM_Ecdh(ecc_key* private_key, ecc_key* public_key, byte* out,
else {
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(private_key), pk,
keySz) != MP_OKAY) {
ForceZero(pk, sizeof(pk));
return MP_TO_E;
}
buf[idx].Length = keySz;
@@ -646,6 +661,7 @@ int wc_CAAM_Ecdh(ecc_key* private_key, ecc_key* public_key, byte* out,
args[2] = ecdsel;
args[3] = keySz;
ret = wc_caamAddAndWait(buf, idx, args, CAAM_ECDSA_ECDH);
ForceZero(pk, sizeof(pk));
(void)devId;
if (ret == 0) {
*outlen = keySz;
@@ -737,20 +753,25 @@ int wc_CAAM_MakeEccKey(WC_RNG* rng, int keySize, ecc_key* key, int curveId,
key->blackKey = (pt[0] << 24) | (pt[1] << 16) | (pt[2] << 8) | pt[3];
if (wc_ecc_import_unsigned(key, xy, xy + keySize, NULL, curveId) != 0) {
WOLFSSL_MSG("issue importing public key");
ForceZero(s, sizeof(s));
return -1;
}
key->partNum = args[2];
ForceZero(s, sizeof(s));
return MP_OKAY;
}
else if (ret == 0) {
if (wc_ecc_import_unsigned(key, xy, xy + keySize,
s, curveId) != 0) {
WOLFSSL_MSG("issue importing key");
ForceZero(s, sizeof(s));
return -1;
}
key->blackKey = args[0];
ForceZero(s, sizeof(s));
return MP_OKAY;
}
ForceZero(s, sizeof(s));
return -1;
}
#endif /* WOLFSSL_KEY_GEN */
+20 -4
View File
@@ -443,12 +443,14 @@ int wc_CAAM_EccSign(const byte* in, int inlen, byte* out, word32* outlen,
if (key->blackKey == CAAM_BLACK_KEY_CCM) {
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(key), k,
kSz + WC_CAAM_MAC_SZ) != MP_OKAY) {
ForceZero(k, sizeof(k));
return MP_TO_E;
}
}
else {
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(key), k, kSz) !=
MP_OKAY) {
ForceZero(k, sizeof(k));
return MP_TO_E;
}
}
@@ -457,6 +459,7 @@ int wc_CAAM_EccSign(const byte* in, int inlen, byte* out, word32* outlen,
ecdsel = GetECDSEL(dp->id);
if (ecdsel == 0) {
WOLFSSL_MSG("unknown key type or size");
ForceZero(k, sizeof(k));
return CRYPTOCB_UNAVAILABLE;
}
@@ -469,6 +472,7 @@ int wc_CAAM_EccSign(const byte* in, int inlen, byte* out, word32* outlen,
break;
default:
WOLFSSL_MSG("unknown/unsupported key type");
ForceZero(k, sizeof(k));
return BAD_FUNC_ARG;
}
@@ -508,10 +512,12 @@ int wc_CAAM_EccSign(const byte* in, int inlen, byte* out, word32* outlen,
mp_free(&mps);
if (ret != 0) {
WOLFSSL_MSG("Issue converting to signature");
ForceZero(k, sizeof(k));
return -1;
}
}
ForceZero(k, sizeof(k));
return ret;
}
@@ -697,22 +703,26 @@ int wc_CAAM_Ecdh(ecc_key* private_key, ecc_key* public_key, byte* out,
if (private_key->blackKey == CAAM_BLACK_KEY_CCM) {
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(private_key), k,
keySz + WC_CAAM_MAC_SZ) != MP_OKAY) {
ForceZero(k, sizeof(k));
return MP_TO_E;
}
}
else {
if (mp_to_unsigned_bin_len(wc_ecc_key_get_priv(private_key), k, keySz)
!= MP_OKAY) {
ForceZero(k, sizeof(k));
return MP_TO_E;
}
}
if (*outlen < (word32)keySz) {
ForceZero(k, sizeof(k));
return -1;
}
status = CAAM_ECC_ECDH(CAAM, &hndl, k, keySz, qxy, keySz*2, out, keySz,
ecdsel, enc);
ForceZero(k, sizeof(k));
if (status == kStatus_Success) {
*outlen = keySz;
return MP_OKAY;
@@ -762,17 +772,22 @@ int wc_CAAM_MakeEccKey(WC_RNG* rng, int keySize, ecc_key* key, int curveId,
return CRYPTOCB_UNAVAILABLE;
}
if (key->blackKey == CAAM_BLACK_KEY_ECB) {
switch (key->blackKey) {
case CAAM_BLACK_KEY_ECB:
enc = CAAM_PKHA_ENC_PRI_AESECB;
}
if (key->blackKey == 0) {
break;
case 0:
#ifdef WOLFSSL_CAAM_NO_BLACK_KEY
enc = 0;
#else
key->blackKey = CAAM_BLACK_KEY_ECB;
enc = CAAM_PKHA_ENC_PRI_AESECB;
#endif
break;
default:
WOLFSSL_MSG("unknown/unsupported key type");
ForceZero(k, sizeof(k));
return BAD_FUNC_ARG;
}
status = CAAM_ECC_Keygen(CAAM, &hndl, k, &kSz, xy, &xySz, ecdsel,
@@ -787,6 +802,7 @@ int wc_CAAM_MakeEccKey(WC_RNG* rng, int keySize, ecc_key* key, int curveId,
ret = -1;
}
ForceZero(k, sizeof(k));
return ret;
}
#endif /* WOLFSSL_KEY_GEN */
+15 -14
View File
@@ -156,9 +156,10 @@ static int _PrivateOperation(const byte* in, word32 inlen, byte* out,
byte* u = NULL;
byte* n = NULL;
word32 dSz, pSz, qSz, dpSz = 0, dqSz = 0, uSz = 0, nSz;
word32 dAllocSz;
dev = &key->ctx;
dSz = nSz = wc_RsaEncryptSize(key);
dAllocSz = dSz = nSz = wc_RsaEncryptSize(key);
pSz = qSz = nSz / 2;
if (outlen < dSz) {
WOLFSSL_MSG("Output buffer is too small");
@@ -196,7 +197,7 @@ static int _PrivateOperation(const byte* in, word32 inlen, byte* out,
if (!key->blackKey) { /* @TODO unexpected results with black key CRT form */
if (ret == 0 && dpSz > 0) {
dSz = 0; nSz = 0;
dq = (byte*)XMALLOC(dpSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
dq = (byte*)XMALLOC(dqSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
dp = (byte*)XMALLOC(dpSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
u = (byte*)XMALLOC(uSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (dq == NULL || dp == NULL || u == NULL) {
@@ -237,12 +238,12 @@ static int _PrivateOperation(const byte* in, word32 inlen, byte* out,
}
}
XFREE(d, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(q, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(dp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(dq, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(u, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (d) { ForceZero(d, dAllocSz); XFREE(d, NULL, DYNAMIC_TYPE_TMP_BUFFER); }
if (p) { ForceZero(p, pSz); XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER); }
if (q) { ForceZero(q, qSz); XFREE(q, NULL, DYNAMIC_TYPE_TMP_BUFFER); }
if (dp) { ForceZero(dp, dpSz); XFREE(dp, NULL, DYNAMIC_TYPE_TMP_BUFFER); }
if (dq) { ForceZero(dq, dqSz); XFREE(dq, NULL, DYNAMIC_TYPE_TMP_BUFFER); }
if (u) { ForceZero(u, uSz); XFREE(u, NULL, DYNAMIC_TYPE_TMP_BUFFER); }
XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wc_DevCryptoFree(dev);
@@ -540,13 +541,13 @@ int wc_DevCrypto_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
#endif
}
XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(dp, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(dq, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(c, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (p) { ForceZero(p, pSz); XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER); }
if (q) { ForceZero(q, qSz); XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER); }
if (dp) { ForceZero(dp, dpSz); XFREE(dp, key->heap, DYNAMIC_TYPE_TMP_BUFFER); }
if (dq) { ForceZero(dq, dqSz); XFREE(dq, key->heap, DYNAMIC_TYPE_TMP_BUFFER); }
if (c) { ForceZero(c, cSz); XFREE(c, key->heap, DYNAMIC_TYPE_TMP_BUFFER); }
XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(d, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (d) { ForceZero(d, dSz); XFREE(d, key->heap, DYNAMIC_TYPE_TMP_BUFFER); }
(void)rng;
return ret;
+4 -1
View File
@@ -127,7 +127,10 @@ static int KcapiDh_SetPrivKey(DhKey* key)
}
}
XFREE(priv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (priv != NULL) {
ForceZero(priv, len);
XFREE(priv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
}
return ret;
}
#endif
+3
View File
@@ -120,6 +120,7 @@ int KcapiEcc_LoadKey(ecc_key* key, byte* pubkey_raw, word32* pubkey_sz,
if (ret == 0) {
ret = kcapi_kpp_setkey(key->handle, priv, keySz);
}
ForceZero(priv, sizeof(priv));
}
else {
/* generate new ephemeral key */
@@ -241,6 +242,7 @@ int KcapiEcc_SharedSecret(ecc_key* private_key, ecc_key* public_key, byte* out,
ret = 0;
}
}
ForceZero(priv, sizeof(priv));
}
if (ret == 0) {
#ifdef KCAPI_USE_XMALLOC
@@ -317,6 +319,7 @@ static int KcapiEcc_SetPrivKey(ecc_key* key)
}
}
ForceZero(priv, sizeof(priv));
return ret;
}
+4 -4
View File
@@ -488,7 +488,7 @@ int wc_Sha512_224Final(wc_Sha512* sha, byte* hash)
if (sha == NULL) {
return BAD_FUNC_ARG;
}
return KcapiHashFinal(&sha->kcapi, hash, WC_SHA512_DIGEST_SIZE,
return KcapiHashFinal(&sha->kcapi, hash, WC_SHA512_224_DIGEST_SIZE,
WC_NAME_SHA512_224);
}
int wc_Sha512_224GetHash(wc_Sha512* sha, byte* hash)
@@ -496,7 +496,7 @@ int wc_Sha512_224GetHash(wc_Sha512* sha, byte* hash)
if (sha == NULL) {
return BAD_FUNC_ARG;
}
return KcapiHashGet(&sha->kcapi, hash, WC_SHA512_DIGEST_SIZE);
return KcapiHashGet(&sha->kcapi, hash, WC_SHA512_224_DIGEST_SIZE);
}
@@ -527,7 +527,7 @@ int wc_Sha512_256Final(wc_Sha512* sha, byte* hash)
if (sha == NULL) {
return BAD_FUNC_ARG;
}
return KcapiHashFinal(&sha->kcapi, hash, WC_SHA512_DIGEST_SIZE,
return KcapiHashFinal(&sha->kcapi, hash, WC_SHA512_256_DIGEST_SIZE,
WC_NAME_SHA512_256);
}
int wc_Sha512_256GetHash(wc_Sha512* sha, byte* hash)
@@ -535,7 +535,7 @@ int wc_Sha512_256GetHash(wc_Sha512* sha, byte* hash)
if (sha == NULL) {
return BAD_FUNC_ARG;
}
return KcapiHashGet(&sha->kcapi, hash, WC_SHA512_DIGEST_SIZE);
return KcapiHashGet(&sha->kcapi, hash, WC_SHA512_256_DIGEST_SIZE);
}
+6 -1
View File
@@ -44,12 +44,14 @@ static int KcapiRsa_SetPrivKey(RsaKey* key)
int ret = 0;
unsigned char* priv = NULL;
int len;
int allocSz = 0;
len = wc_RsaKeyToDer(key, NULL, 0);
if (len < 0) {
ret = len;
}
if (ret == 0) {
allocSz = len;
priv = (unsigned char*)XMALLOC(len, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (priv == NULL) {
ret = MEMORY_E;
@@ -69,7 +71,10 @@ static int KcapiRsa_SetPrivKey(RsaKey* key)
}
}
XFREE(priv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (priv != NULL) {
ForceZero(priv, allocSz);
XFREE(priv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
}
return ret;
}
+9 -1
View File
@@ -344,6 +344,7 @@ int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen,
if (status == kStatus_SSS_Success) {
/* reset state */
XFREE(se050Ctx->msg, se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
ret = se050_hash_init(se050Ctx, se050Ctx->heap);
} else {
ret = WC_HW_E;
@@ -572,6 +573,7 @@ int wc_se050_insert_binary_object(word32 keyId, const byte* object,
/* Avoid key ID conflicts with temporary key storage */
if (keyId >= SE050_KEYID_START) {
wolfSSL_CryptHwMutexUnLock();
return BAD_FUNC_ARG;
}
@@ -636,10 +638,12 @@ int wc_se050_get_binary_object(word32 keyId, byte* out, word32* outSz)
else {
if (out == NULL) {
*outSz = ret;
wolfSSL_CryptHwMutexUnLock();
return WC_NO_ERR_TRACE(LENGTH_ONLY_E);
}
if ((word32)ret > *outSz) {
WOLFSSL_MSG("Output buffer not large enough for object");
wolfSSL_CryptHwMutexUnLock();
return BAD_LENGTH_E;
}
ret = 0;
@@ -931,6 +935,7 @@ static int se050_rsa_insert_key(word32 keyId, const byte* rsaDer,
/* Avoid key ID conflicts with temporary key storage */
if (keyId >= SE050_KEYID_START) {
wolfSSL_CryptHwMutexUnLock();
return BAD_FUNC_ARG;
}
@@ -1977,6 +1982,7 @@ static int se050_ecc_insert_key(word32 keyId, const byte* eccDer,
/* Avoid key ID conflicts with temporary key storage */
if (keyId >= SE050_KEYID_START) {
wolfSSL_CryptHwMutexUnLock();
return BAD_FUNC_ARG;
}
@@ -2008,7 +2014,9 @@ static int se050_ecc_insert_key(word32 keyId, const byte* eccDer,
status = kStatus_SSS_Fail;
}
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_init(&newKey, &host_keystore);
}
+8 -4
View File
@@ -108,10 +108,10 @@ int silabs_ecc_sign_hash(const byte* in, word32 inlen, byte* out,
return BAD_FUNC_ARG;
slkey = &key->key;
siglen = *outlen;
siglen = key->dp->size * 2;
if ((int)siglen >= key->dp->size * 2) {
siglen = key->dp->size * 2;
if (*outlen < siglen) {
return BUFFER_E;
}
#if (_SILICON_LABS_SECURITY_FEATURE == _SILICON_LABS_SECURITY_FEATURE_VAULT)
@@ -138,7 +138,11 @@ int silabs_ecc_sign_hash(const byte* in, word32 inlen, byte* out,
siglen
);
}
return (sl_stat == SL_STATUS_OK) ? 0 : WC_HW_E;
if (sl_stat == SL_STATUS_OK) {
*outlen = siglen;
return 0;
}
return WC_HW_E;
}
#ifdef HAVE_ECC_VERIFY
+2 -2
View File
@@ -592,7 +592,7 @@ static int AesAuthDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
ROM_AESDataProcess(AES_BASE, aes->reg, tmpTag, WC_AES_BLOCK_SIZE);
wolfSSL_TI_unlockCCM();
if (XMEMCMP(authTag, tmpTag, authTagSz) != 0) {
if (ConstantCompare(authTag, tmpTag, authTagSz) != 0) {
ret = AES_GCM_AUTH_E;
}
return ret;
@@ -645,7 +645,7 @@ static int AesAuthDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
(unsigned int*)tmpTag);
wolfSSL_TI_unlockCCM();
if ((ret == false) || (XMEMCMP(authTag, tmpTag, authTagSz) != 0)) {
if ((ret == false) || (ConstantCompare(authTag, tmpTag, authTagSz) != 0)) {
XMEMSET(out, 0, inSz);
ret = AES_GCM_AUTH_E;
}