Merge pull request #10340 from JeremiahM37/fenrir-3

harden falcon key handling
This commit is contained in:
David Garske
2026-05-05 11:57:41 -07:00
committed by GitHub
2 changed files with 14 additions and 5 deletions
+6 -5
View File
@@ -9815,8 +9815,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
return MEMORY_E;
if (wc_falcon_init(falcon) == 0) {
tmpIdx = 0;
if (wc_falcon_set_level(falcon, 1) == 0) {
if ((*algoID == 0) && (wc_falcon_set_level(falcon, 1) == 0)) {
tmpIdx = 0;
if (wc_Falcon_PrivateKeyDecode(key, &tmpIdx, falcon, keySz)
== 0) {
*algoID = FALCON_LEVEL1k;
@@ -9825,7 +9825,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
WOLFSSL_MSG("Not Falcon Level 1 DER key");
}
}
else if (wc_falcon_set_level(falcon, 5) == 0) {
if ((*algoID == 0) && (wc_falcon_set_level(falcon, 5) == 0)) {
tmpIdx = 0;
if (wc_Falcon_PrivateKeyDecode(key, &tmpIdx, falcon, keySz)
== 0) {
*algoID = FALCON_LEVEL5k;
@@ -9834,8 +9835,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
WOLFSSL_MSG("Not Falcon Level 5 DER key");
}
}
else {
WOLFSSL_MSG("GetKeyOID falcon initialization failed");
if (*algoID == 0) {
WOLFSSL_MSG("GetKeyOID could not match Falcon DER key");
}
wc_falcon_free(falcon);
}
+8
View File
@@ -662,6 +662,14 @@ int wc_falcon_check_key(falcon_key* key)
return BAD_FUNC_ARG;
}
if ((key->level != 1) && (key->level != 5)) {
return BAD_FUNC_ARG;
}
if (!key->pubKeySet || !key->prvKeySet) {
return PUBLIC_KEY_E;
}
/* The public key is also decoded and stored within the private key buffer
* behind the private key. Hence, we can compare both stored public keys. */
if (key->level == 1) {