Merge pull request #10126 from julek-wolfssl/fenrir/20260302

Fenrir fixes
This commit is contained in:
Daniel Pouzzner
2026-04-06 18:40:11 -05:00
committed by GitHub
5 changed files with 73 additions and 53 deletions
+3 -7
View File
@@ -23017,9 +23017,7 @@ default:
}
if (IsEncryptionOn(ssl, 0)) {
#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
int tooLong = 0;
#endif
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version)) {
@@ -23029,18 +23027,16 @@ default:
MAX_TLS13_PLAIN_SZ;
}
}
else
#endif
#ifdef WOLFSSL_EXTRA_ALERTS
if (!IsAtLeastTLSv1_3(ssl->version))
{
tooLong = ssl->curSize > MAX_TLS_CIPHER_SZ;
#endif
#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
}
if (tooLong) {
WOLFSSL_MSG("Encrypted data too long");
SendAlert(ssl, alert_fatal, record_overflow);
return BUFFER_ERROR;
}
#endif
}
ssl->keys.padSz = 0;
+57 -44
View File
@@ -2968,6 +2968,7 @@ static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output,
/* Copy the input to output if not the same buffer */
if (ret == 0 && output != input)
XMEMCPY(output, input, sz);
ForceZero(hmac, sizeof(hmac));
return ret;
}
#endif
@@ -6143,7 +6144,8 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
if (ext == NULL) {
WOLFSSL_MSG("No pre shared extension keys found");
return BAD_FUNC_ARG;
ret = BAD_FUNC_ARG;
goto cleanup;
}
/* Look through all client's pre-shared keys for a match. */
@@ -6151,7 +6153,8 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
current = current->next) {
#ifndef NO_PSK
if (current->identityLen > MAX_PSK_ID_LEN) {
return BUFFER_ERROR;
ret = BUFFER_ERROR;
goto cleanup;
}
XMEMCPY(ssl->arrays->client_identity, current->identity,
current->identityLen);
@@ -6178,7 +6181,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
return ret;
goto cleanup;
#endif
if (ret != WOLFSSL_TICKET_RET_OK && current->sess_free_cb != NULL) {
@@ -6213,45 +6216,45 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
ssl->options.cipherSuite = ssl->session->cipherSuite;
ret = SetCipherSpecs(ssl);
if (ret != 0)
return ret;
goto cleanup;
/* Resumption PSK is resumption master secret. */
ssl->arrays->psk_keySz = ssl->specs.hash_size;
if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
return ret;
goto cleanup;
}
/* Derive the early secret using the PSK. */
ret = DeriveEarlySecret(ssl);
if (ret != 0)
return ret;
goto cleanup;
/* Hash data up to binders for deriving binders in PSK extension. */
ret = HashInput(ssl, input, (int)inputSz);
if (ret < 0)
return ret;
goto cleanup;
/* Derive the binder key to use with HMAC. */
ret = DeriveBinderKeyResume(ssl, binderKey);
if (ret != 0)
return ret;
goto cleanup;
}
else
#endif /* HAVE_SESSION_TICKET */
#ifndef NO_PSK
if (FindPsk(ssl, current, suite, &ret)) {
if (ret != 0)
return ret;
goto cleanup;
ret = HashInput(ssl, input, (int)inputSz);
if (ret < 0)
return ret;
goto cleanup;
/* Derive the binder key to use with HMAC. */
ret = DeriveBinderKey(ssl, binderKey);
if (ret != 0)
return ret;
goto cleanup;
}
else
#endif
@@ -6266,18 +6269,19 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
ssl->keys.client_write_MAC_secret,
0 /* neither end */);
if (ret != 0)
return ret;
goto cleanup;
/* Derive the binder and compare with the one in the extension. */
ret = BuildTls13HandshakeHmac(ssl,
ssl->keys.client_write_MAC_secret, binder, &binderLen);
if (ret != 0)
return ret;
goto cleanup;
if (binderLen != current->binderLen ||
ConstantCompare(binder, current->binder,
binderLen) != 0) {
WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
return BAD_BINDER;
ret = BAD_BINDER;
goto cleanup;
}
/* This PSK works, no need to try any more. */
@@ -6289,19 +6293,26 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
if (current == NULL) {
#ifdef WOLFSSL_PSK_ID_PROTECTION
#ifndef NO_CERTS
if (ssl->buffers.certChainCnt != 0)
return 0;
if (ssl->buffers.certChainCnt != 0) {
ret = 0;
goto cleanup;
}
#endif
WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
return BAD_BINDER;
ret = BAD_BINDER;
goto cleanup;
#else
return 0;
ret = 0;
goto cleanup;
#endif
}
*first = (current == ext->data);
*usingPSK = 1;
cleanup:
ForceZero(binderKey, sizeof(binderKey));
ForceZero(binder, sizeof(binder));
WOLFSSL_LEAVE("DoPreSharedKeys", ret);
return ret;
@@ -11339,28 +11350,30 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ret = NO_PEER_CERT; /* NO_PEER_VERIFY */
WOLFSSL_MSG("TLS v1.3 client did not present peer cert");
DoCertFatalAlert(ssl, ret);
return ret;
goto cleanup;
}
}
#endif
/* check against totalSz */
if (*inOutIdx + size > totalSz)
return BUFFER_E;
if (*inOutIdx + size > totalSz) {
ret = BUFFER_E;
goto cleanup;
}
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
ret = tsip_Tls13HandleFinished(ssl, input, inOutIdx, size, totalSz);
if (ret == 0) {
ssl->options.serverState = SERVER_FINISHED_COMPLETE;
return ret;
goto cleanup;
}
if (ret == WC_NO_ERR_TRACE(VERIFY_FINISHED_ERROR)) {
SendAlert(ssl, alert_fatal, decrypt_error);
return ret;
goto cleanup;
}
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
/* other errors */
return ret;
goto cleanup;
}
ret = 0;
#endif /* WOLFSSL_RENESAS_TSIP_TLS */
@@ -11370,7 +11383,7 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->keys.client_write_MAC_secret,
WOLFSSL_CLIENT_END);
if (ret != 0)
return ret;
goto cleanup;
secret = ssl->keys.client_write_MAC_secret;
}
@@ -11382,13 +11395,13 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->keys.client_write_MAC_secret,
WOLFSSL_CLIENT_END);
if (ret != 0)
return ret;
goto cleanup;
ret = DeriveFinishedSecret(ssl, ssl->serverSecret,
ssl->keys.server_write_MAC_secret,
WOLFSSL_SERVER_END);
if (ret != 0)
return ret;
goto cleanup;
secret = ssl->keys.server_write_MAC_secret;
}
@@ -11401,7 +11414,8 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
if (finishedSz > TLS_FINISHED_SZ_MAX) {
return BUFFER_ERROR;
ret = BUFFER_ERROR;
goto cleanup;
}
if (ssl->options.side == WOLFSSL_CLIENT_END) {
XMEMCPY(ssl->serverFinished, mac, finishedSz);
@@ -11413,9 +11427,11 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
#endif /* WOLFSSL_HAVE_TLS_UNIQUE */
if (ret != 0)
return ret;
if (size != finishedSz)
return BUFFER_ERROR;
goto cleanup;
if (size != finishedSz) {
ret = BUFFER_ERROR;
goto cleanup;
}
}
#ifdef WOLFSSL_CALLBACKS
@@ -11430,7 +11446,8 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_MSG("Verify finished error on hashes");
SendAlert(ssl, alert_fatal, decrypt_error);
WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR);
return VERIFY_FINISHED_ERROR;
ret = VERIFY_FINISHED_ERROR;
goto cleanup;
}
}
@@ -11443,12 +11460,12 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef WOLFSSL_EARLY_DATA
if (ssl->earlyData != no_early_data) {
if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0)
return ret;
goto cleanup;
}
#endif
/* Setup keys for application data messages from client. */
if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
return ret;
goto cleanup;
}
#endif
@@ -11479,10 +11496,13 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
#endif /* WOLFSSL_QUIC && WOLFSSL_EARLY_DATA */
WOLFSSL_LEAVE("DoTls13Finished", 0);
ret = 0;
cleanup:
ForceZero(mac, sizeof(mac));
WOLFSSL_LEAVE("DoTls13Finished", ret);
WOLFSSL_END(WC_FUNC_FINISHED_DO);
return 0;
return ret;
}
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
@@ -12307,8 +12327,6 @@ restore:
wc_Sha256Free(&ssl->hsHashes->hashSha256);
ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256);
wc_Sha256Free(&digest.sha256);
if (ret != 0)
return ret;
break;
#endif
#ifdef WOLFSSL_SHA384
@@ -12316,8 +12334,6 @@ restore:
wc_Sha384Free(&ssl->hsHashes->hashSha384);
ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384);
wc_Sha384Free(&digest.sha384);
if (ret != 0)
return ret;
break;
#endif
#ifdef WOLFSSL_TLS13_SHA512
@@ -12325,8 +12341,6 @@ restore:
wc_Sha512Free(&ssl->hsHashes->hashSha512);
ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha512);
wc_Sha512Free(&digest.sha512);
if (ret != 0)
return ret;
break;
#endif
#ifdef WOLFSSL_SM3
@@ -12334,12 +12348,11 @@ restore:
wc_Sm3Free(&ssl->hsHashes->hashSm3);
ret = wc_Sm3Copy(&digest.sm3, &ssl->hsHashes->hashSm3);
wc_Sm3Free(&digest.sm3);
if (ret != 0)
return ret;
break;
#endif
}
ForceZero(mac, sizeof(mac));
return ret;
}
#endif
+1 -1
View File
@@ -1175,7 +1175,7 @@ int wc_HpkeContextOpenBase(Hpke* hpke, HpkeBaseContext* context, byte* aad,
int ret;
byte nonce[HPKE_Nn_MAX];
WC_DECLARE_VAR(aes, Aes, 1, 0);
if (hpke == NULL) {
if (hpke == NULL || context == NULL || ciphertext == NULL || out == NULL) {
return BAD_FUNC_ARG;
}
+11
View File
@@ -100,6 +100,10 @@ int wc_Des_CbcEncryptWithKey(byte* out, const byte* in, word32 sz,
int ret = 0;
WC_DECLARE_VAR(des, Des, 1, 0);
if (out == NULL || in == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
WC_ALLOC_VAR_EX(des, Des, 1, NULL, DYNAMIC_TYPE_TMP_BUFFER,
return MEMORY_E);
@@ -118,6 +122,10 @@ int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
int ret = 0;
WC_DECLARE_VAR(des, Des, 1, 0);
if (out == NULL || in == NULL || key == NULL) {
return BAD_FUNC_ARG;
}
WC_ALLOC_VAR_EX(des, Des, 1, NULL, DYNAMIC_TYPE_TMP_BUFFER,
return MEMORY_E);
@@ -330,6 +338,9 @@ int wc_CryptKey(const char* password, int passwordSz, const byte* salt,
WOLFSSL_ENTER("wc_CryptKey");
if (password == NULL || salt == NULL || input == NULL)
return BAD_FUNC_ARG;
if (length < 0)
return BAD_LENGTH_E;
+1 -1
View File
@@ -1019,7 +1019,7 @@ WOLFSSL_API void wolfSSL_SetIOWriteFlags(WOLFSSL* ssl, int flags);
#if (defined(__MINGW32__) || defined(__MINGW64__)) && !defined(UNICODE)
#define XINET_PTON(a,b,c) InetPton((a),(b),(c))
#else
#define XINET_PTON(a,b,c) InetPton((a),(PCWSTR)(b),(c))
#define XINET_PTON(a,b,c) InetPtonA((a),(b),(c))
#endif
#elif defined(FREESCALE_MQX)
#define XINET_PTON(a,b,c,d) inet_pton((a),(b),(c),(d))