From 6ac6e5065ee6ed75dcc18dc2743ea153cf9f033e Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 12 May 2026 13:54:38 -0600 Subject: [PATCH 1/2] fix for tropic port AES key length used --- wolfcrypt/src/port/tropicsquare/tropic01.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 8fa96906b4..33748543e9 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -314,10 +314,13 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #if !defined(NO_AES) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { + word32 keyLen = info->cipher.enc + ? info->cipher.aesgcm_enc.aes->keylen + : info->cipher.aesgcm_dec.aes->keylen; ret = Tropic01_GetKeyAES( lt_key, TROPIC01_AES_KEY_RMEM_SLOT, - TROPIC01_AES_MAX_KEY_SIZE); + keyLen); if (ret != 0) { WOLFSSL_MSG_EX( "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", @@ -339,7 +342,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } if (info->cipher.enc) { ret = wc_AesSetKey(info->cipher.aesgcm_enc.aes, lt_key, - WC_AES_BLOCK_SIZE, lt_iv, AES_ENCRYPTION); + keyLen, lt_iv, AES_ENCRYPTION); ForceZero(lt_key, sizeof(lt_key)); ForceZero(lt_iv, sizeof(lt_iv)); if (ret != 0) { @@ -367,7 +370,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } else { ret = wc_AesSetKey(info->cipher.aesgcm_dec.aes, lt_key, - WC_AES_BLOCK_SIZE, lt_iv, AES_DECRYPTION); + keyLen, lt_iv, AES_DECRYPTION); ForceZero(lt_key, sizeof(lt_key)); ForceZero(lt_iv, sizeof(lt_iv)); if (ret != 0) { @@ -397,10 +400,11 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #endif /* HAVE_AESGCM */ #ifdef HAVE_AES_CBC if (info->cipher.type == WC_CIPHER_AES_CBC) { + word32 keyLen = info->cipher.aescbc.aes->keylen; ret = Tropic01_GetKeyAES( lt_key, TROPIC01_AES_KEY_RMEM_SLOT, - TROPIC01_AES_MAX_KEY_SIZE); + keyLen); if (ret != 0) { WOLFSSL_MSG_EX( "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", ret); @@ -420,7 +424,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } if (info->cipher.enc) { ret = wc_AesSetKey(info->cipher.aescbc.aes, lt_key, - WC_AES_BLOCK_SIZE, lt_iv, AES_ENCRYPTION); + keyLen, lt_iv, AES_ENCRYPTION); ForceZero(lt_key, sizeof(lt_key)); ForceZero(lt_iv, sizeof(lt_iv)); if (ret != 0) { @@ -443,7 +447,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else { ret = wc_AesSetKey(info->cipher.aescbc.aes, lt_key, - WC_AES_BLOCK_SIZE, lt_iv, AES_DECRYPTION); + keyLen, lt_iv, AES_DECRYPTION); ForceZero(lt_key, sizeof(lt_key)); ForceZero(lt_iv, sizeof(lt_iv)); if (ret != 0) { From 70288b017fb98aafbca0eac92191b2236586dfb0 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 12 May 2026 14:23:59 -0600 Subject: [PATCH 2/2] add sanity check on AES key length --- wolfcrypt/src/port/tropicsquare/tropic01.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 33748543e9..e77ca2d6aa 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -317,10 +317,18 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) word32 keyLen = info->cipher.enc ? info->cipher.aesgcm_enc.aes->keylen : info->cipher.aesgcm_dec.aes->keylen; + if (keyLen != AES_128_KEY_SIZE && + keyLen != AES_192_KEY_SIZE && + keyLen != AES_256_KEY_SIZE) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: invalid AES key length %u", + keyLen); + return BAD_FUNC_ARG; + } ret = Tropic01_GetKeyAES( lt_key, TROPIC01_AES_KEY_RMEM_SLOT, - keyLen); + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX( "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", @@ -401,10 +409,17 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #ifdef HAVE_AES_CBC if (info->cipher.type == WC_CIPHER_AES_CBC) { word32 keyLen = info->cipher.aescbc.aes->keylen; + if (keyLen != AES_128_KEY_SIZE && + keyLen != AES_192_KEY_SIZE && + keyLen != AES_256_KEY_SIZE) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: invalid AES key length %u", keyLen); + return BAD_FUNC_ARG; + } ret = Tropic01_GetKeyAES( lt_key, TROPIC01_AES_KEY_RMEM_SLOT, - keyLen); + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX( "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", ret);