Merge pull request #9830 from aidangarske/fix-wolfcrypt-fenrir

Fix fenrir security findings for wolfcrypt
This commit is contained in:
JacobBarthelmeh
2026-02-26 14:20:31 -07:00
committed by GitHub
11 changed files with 55 additions and 16 deletions
+2 -2
View File
@@ -14808,7 +14808,7 @@ int wc_AesKeyUnWrap_ex(Aes *aes, const byte* in, word32 inSz, byte* out,
return ret;
/* verify IV */
if (XMEMCMP(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0)
if (ConstantCompare(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0)
return BAD_KEYWRAP_IV_E;
return (int)(inSz - KEYWRAP_BLOCK_SIZE);
@@ -16507,7 +16507,7 @@ static WARN_UNUSED_RESULT int AesSivCipher(
WOLFSSL_MSG("S2V failed.");
}
if (XMEMCMP(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
if (ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
WOLFSSL_MSG("Computed SIV doesn't match received SIV.");
ret = AES_SIV_AUTH_E;
}
+1 -1
View File
@@ -487,7 +487,7 @@ static word32 SizeASNLength(word32 length)
#define ALLOC_ASNSETDATA(name, cnt, err, heap) \
do { \
if ((err) == 0) { \
(name) = (ASNSetData*)XMALLOC(sizeof(ASNGetData) * (cnt), (heap), \
(name) = (ASNSetData*)XMALLOC(sizeof(ASNSetData) * (cnt), (heap), \
DYNAMIC_TYPE_TMP_BUFFER); \
if ((name) == NULL) { \
(err) = MEMORY_E; \
+12 -5
View File
@@ -187,6 +187,8 @@ int wc_ChaCha20Poly1305_Init(ChaChaPoly_Aead* aead,
aead->state = CHACHA20_POLY1305_STATE_READY;
}
ForceZero(authKey, sizeof(authKey));
return ret;
}
@@ -332,25 +334,30 @@ int wc_XChaCha20Poly1305_Init(
/* Create the Poly1305 key */
if ((ret = wc_Chacha_Process(&aead->chacha, authKey, authKey,
(word32)sizeof authKey)) < 0)
return ret;
goto out;
/* advance to start of the next ChaCha block. */
wc_Chacha_purge_current_block(&aead->chacha);
/* Initialize Poly1305 context */
if ((ret = wc_Poly1305SetKey(&aead->poly, authKey,
(word32)sizeof authKey)) < 0)
return ret;
goto out;
if ((ret = wc_Poly1305Update(&aead->poly, ad, (word32)ad_len)) < 0)
return ret;
goto out;
if ((ret = wc_Poly1305_Pad(&aead->poly, (word32)ad_len)) < 0)
return ret;
goto out;
aead->isEncrypt = isEncrypt ? 1 : 0;
aead->state = CHACHA20_POLY1305_STATE_AAD;
return 0;
ret = 0;
out:
ForceZero(authKey, sizeof(authKey));
return ret;
}
static WC_INLINE int wc_XChaCha20Poly1305_crypt_oneshot(
+6 -2
View File
@@ -14484,6 +14484,8 @@ int wc_ecc_encrypt_ex(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
RESTORE_VECTOR_REGISTERS();
ForceZero(sharedSecret, sharedSz);
ForceZero(keys, (word32)keysLen);
WC_FREE_VAR_EX(sharedSecret, ctx->heap, DYNAMIC_TYPE_ECC_BUFFER);
WC_FREE_VAR_EX(keys, ctx->heap, DYNAMIC_TYPE_ECC_BUFFER);
@@ -14778,8 +14780,8 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
if (ret == 0)
ret = wc_HmacFinal(hmac, verify);
if ((ret == 0) && (XMEMCMP(verify, msg + msgSz - digestSz,
digestSz) != 0)) {
if ((ret == 0) && (ConstantCompare(verify, msg + msgSz - digestSz,
(int)digestSz) != 0)) {
ret = HASH_TYPE_E;
WOLFSSL_MSG("ECC Decrypt HMAC Check failed!");
}
@@ -14882,6 +14884,8 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
if (pubKey == peerKey)
wc_ecc_free(peerKey);
#endif
ForceZero(sharedSecret, sharedSz);
ForceZero(keys, (word32)keysLen);
#ifdef WOLFSSL_SMALL_STACK
#ifndef WOLFSSL_ECIES_OLD
XFREE(peerKey, ctx->heap, DYNAMIC_TYPE_ECC_BUFFER);
+2 -2
View File
@@ -4952,7 +4952,7 @@ int wolfSSL_EVP_DigestVerifyFinal(WOLFSSL_EVP_MD_CTX *ctx,
hashLen = wolfssl_mac_len(ctx->hash.hmac.macType);
if (siglen > hashLen)
if (siglen > hashLen || siglen > INT_MAX)
return WOLFSSL_FAILURE;
/* May be a truncated signature. */
}
@@ -4962,7 +4962,7 @@ int wolfSSL_EVP_DigestVerifyFinal(WOLFSSL_EVP_MD_CTX *ctx,
if (ctx->isHMAC) {
/* Check HMAC result matches the signature. */
if (XMEMCMP(sig, digest, (size_t)siglen) == 0)
if (ConstantCompare(sig, digest, (int)siglen) == 0)
return WOLFSSL_SUCCESS;
return WOLFSSL_FAILURE;
}
+11
View File
@@ -796,6 +796,8 @@ static int wc_HpkeEncap(Hpke* hpke, void* ephemeralKey, void* receiverKey,
hpke->Npk * 2, sharedSecret);
}
ForceZero(dh, hpke->Ndh);
ForceZero(kemContext, hpke->Npk * 2);
WC_FREE_VAR_EX(dh, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
WC_FREE_VAR_EX(kemContext, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -816,6 +818,9 @@ static int wc_HpkeSetupBaseSender(Hpke* hpke, HpkeBaseContext* context,
#ifdef WOLFSSL_SMALL_STACK
sharedSecret = (byte*)XMALLOC(hpke->Nsecret, hpke->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (sharedSecret == NULL) {
return MEMORY_E;
}
#endif
/* encap */
@@ -827,6 +832,7 @@ static int wc_HpkeSetupBaseSender(Hpke* hpke, HpkeBaseContext* context,
infoSz);
}
ForceZero(sharedSecret, hpke->Nsecret);
WC_FREE_VAR_EX(sharedSecret, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
@@ -914,6 +920,7 @@ int wc_HpkeSealBase(Hpke* hpke, void* ephemeralKey, void* receiverKey,
PRIVATE_KEY_LOCK();
ForceZero(context, sizeof(HpkeBaseContext));
WC_FREE_VAR_EX(context, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
@@ -1032,6 +1039,8 @@ static int wc_HpkeDecap(Hpke* hpke, void* receiverKey, const byte* pubKey,
hpke->Npk * 2, sharedSecret);
}
ForceZero(dh, hpke->Ndh);
ForceZero(kemContext, hpke->Npk * 2);
WC_FREE_VAR_EX(dh, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
WC_FREE_VAR_EX(kemContext, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -1058,6 +1067,7 @@ static int wc_HpkeSetupBaseReceiver(Hpke* hpke, HpkeBaseContext* context,
infoSz);
}
ForceZero(sharedSecret, hpke->Nsecret);
WC_FREE_VAR_EX(sharedSecret, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
@@ -1144,6 +1154,7 @@ int wc_HpkeOpenBase(Hpke* hpke, void* receiverKey, const byte* pubKey,
PRIVATE_KEY_LOCK();
ForceZero(context, sizeof(HpkeBaseContext));
WC_FREE_VAR_EX(context, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
+7 -1
View File
@@ -637,7 +637,13 @@ static int wc_PKCS12_verify(WC_PKCS12* pkcs12, byte* data, word32 dataSz,
}
#endif
return XMEMCMP(digest, mac->digest, mac->digestSz);
if (ConstantCompare(digest, mac->digest, (int)mac->digestSz) != 0) {
ForceZero(digest, sizeof(digest));
return MAC_CMP_FAILED_E;
}
ForceZero(digest, sizeof(digest));
return 0;
}
int wc_PKCS12_verify_ex(WC_PKCS12* pkcs12, const byte* psw, word32 pswSz)
+3
View File
@@ -152,6 +152,8 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
WC_FREE_VAR_EX(hash, heap, DYNAMIC_TYPE_HASHCTX);
ForceZero(digest, sizeof(digest));
if (err != 0)
return err;
@@ -294,6 +296,7 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
wc_HmacFree(hmac);
}
ForceZero(buffer, (word32)hLen);
WC_FREE_VAR_EX(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);
WC_FREE_VAR_EX(hmac, heap, DYNAMIC_TYPE_HMAC);
+2 -1
View File
@@ -6941,7 +6941,8 @@ int wc_DeriveSakkeSSV(SakkeKey* key, enum wc_HashType hashType, byte* ssv,
err = sakke_compute_point_r(key, key->id, key->idSz, ri, n, test);
}
if ((err == 0) && (XMEMCMP(auth, test, (size_t)(2 * n + 1)) != 0)) {
/* n is word16, so 2*n+1 always fits in int */
if ((err == 0) && (ConstantCompare(auth, test, (int)(2 * n + 1)) != 0)) {
err = SAKKE_VERIFY_FAIL_E;
}
+4 -2
View File
@@ -982,7 +982,7 @@ int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
if (hashSize < 0)
return ALGO_ID_E;
if (size != (word32)hashSize)
if (size != (word32)hashSize || size > INT_MAX)
return BUFFER_E;
r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE ? &srp->server_proof
@@ -994,9 +994,11 @@ int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
}
if (!r && XMEMCMP(proof, digest, size) != 0)
if (!r && ConstantCompare(proof, digest, (int)size) != 0)
r = SRP_VERIFY_E;
ForceZero(digest, sizeof(digest));
return r;
}
+5
View File
@@ -1219,6 +1219,8 @@ int wc_MlKemKey_EncapsulateWithRandom(MlKemKey* key, unsigned char* c,
}
#endif
ForceZero(kr, sizeof(kr));
return ret;
}
#endif /* !WOLFSSL_MLKEM_NO_ENCAPSULATE */
@@ -1559,6 +1561,9 @@ int wc_MlKemKey_Decapsulate(MlKemKey* key, unsigned char* ss,
}
#endif
ForceZero(msg, sizeof(msg));
ForceZero(kr, sizeof(kr));
return ret;
}
#endif /* WOLFSSL_MLKEM_NO_DECAPSULATE */