Commit Graph

11274 Commits

Author SHA1 Message Date
Daniel Pouzzner 14dbba7b21 armasm: in prototypes for fe_cmov_table(), declare the base arg as const fe*. 2026-04-02 14:14:16 -07:00
Tobias Frauenschläger 22a2290972 Fix TOCTOU issues in SP math code 2026-04-02 15:06:35 +02:00
Tobias Frauenschläger 1faddd640e evp: verify Poly1305 tag on ChaCha20-Poly1305 decrypt
EVP_DecryptFinal_ex() called wc_ChaCha20Poly1305_Final() which only
computes the Poly1305 tag, writing it into ctx->authTag and
overwriting the expected tag stored there by EVP_CTRL_AEAD_SET_TAG.
No comparison was ever performed, so any forged tag was accepted.

Fix: save the expected tag before calling Final(), then verify with
wc_ChaCha20Poly1305_CheckTag() on the decrypt path, mirroring the
existing AES-GCM branch. Add a regression test that asserts
EVP_DecryptFinal_ex() rejects an all-zero forged tag.

Reported-by: Nicholas Carlini (Anthropic) & Bronson Yen (Calif.io)
2026-04-02 12:35:15 +02:00
Tobias Frauenschläger 13a016367f eccsi: fix universal signature forgery via r=0/s=0
wc_VerifyEccsiHash did not validate that r and s lie in [1, q-1]
after decoding them from the signature buffer.  With s=0 the scalar
multiplication [s](...) returns the point at infinity (J_x=0); with
r=0 the final mp_cmp(0,0)==MP_EQ check then accepts the forged
signature unconditionally against any message and any identity.

Add [1, q-1] range checks for r (in wc_VerifyEccsiHash, after params
are loaded) and for s (in eccsi_calc_j, after eccsi_decode_sig_s),
mirroring the checks already present in wc_ecc_check_r_s_range.
Add a defense-in-depth point-at-infinity guard on J before the final
comparison.

Reported-by: Nicholas Carlini (Anthropic) & Bronson Yen (Calif.io)
2026-04-02 12:35:15 +02:00
Tobias Frauenschläger 10953f021b CMAC: fix wraparound in streaming update.
The guard `if (cmac->totalSz != 0)` was used to skip XOR-chaining on
the first block (where digest is all-zeros and the XOR is a no-op).
However, totalSz is word32 and wraps to zero after 2^28 block flushes
(4 GiB), causing the guard to erroneously fire again and discard the
live CBC-MAC chain state.  Any two messages sharing a common suffix
beyond the 4 GiB mark then produce identical CMAC tags, enabling a
zero-work prefix-substitution forgery.  The fix removes the guard,
making the XOR unconditional; the no-op property on the first block is
preserved because digest is zero-initialized by wc_InitCmac_ex.

Identified by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 12:35:15 +02:00
Tobias Frauenschläger 8b2c0f7cd2 Make sure ASCON is unusable on big endian 2026-04-02 11:55:41 +02:00
Tobias Frauenschläger da597e30db Fix SECO AES GCM return value 2026-04-02 11:55:41 +02:00
Tobias Frauenschläger 6e0624065f Make sure ECB decrypt function is called in EVP
This only makes an actual difference when FREESCALE_MMCAU is defined (otherwise encrypt and decrypt are the same), but better for clarity still.
2026-04-02 11:55:41 +02:00
Tobias Frauenschläger b6b8de1f59 Add bounds checks for Blake2 digest size 2026-04-02 11:55:41 +02:00
Daniel Pouzzner 24f9981877 Merge pull request #10120 from douzzer/20260331-wolfcrypt-Wcast-qual
20260331-wolfcrypt-Wcast-qual

approved by @padelsbach
2026-04-02 00:25:13 -05:00
Daniel Pouzzner 49cbbab6b0 Merge pull request #10039 from anhu/pkcs7_oob
Add bounds check in PKCS7 streaming indefinite-length end-of-content parsing
2026-04-02 00:16:49 -05:00
Daniel Pouzzner 5701f5db32 Merge pull request #10083 from anhu/privkeyset
Add privKeySet checks to Ed25519, Ed448, ML-DSA, and ML-KEM
2026-04-02 00:15:12 -05:00
Daniel Pouzzner d6fa846615 Merge pull request #10096 from padelsbach/dilithium-oob-shift
Fix out of bounds shift in ML-DSA
2026-04-02 00:13:06 -05:00
Daniel Pouzzner 6a04c03e4c Merge pull request #10113 from Frauschi/zd21464
Zeroize heap buffer after ML-DSA signing
2026-04-02 00:06:43 -05:00
Daniel Pouzzner 0c67d7a844 Merge pull request #10080 from JeremiahM37/fenrir-issues
Fenrir fixes
2026-04-02 00:06:02 -05:00
Daniel Pouzzner 7fd41b13de Merge pull request #10104 from padelsbach/cast-shift-slhdsa.c
Cast to unsigned prior to shift to avoid UB in SLH-DSA
2026-04-02 00:03:42 -05:00
Daniel Pouzzner 27aac0ac60 Merge pull request #10007 from julek-wolfssl/zd/21376
DTLS 1.3: don't echo legacy_session_id in ServerHello
2026-04-02 00:03:06 -05:00
Daniel Pouzzner 6e8b3e0fcf wolfcrypt/src/blake2b.c and wolfcrypt/src/blake2s.c: restore volatile-based workaround for ARM32 gcc optimizer bug. 2026-04-01 17:14:30 -05:00
Daniel Pouzzner 4228bedbcf wolfcrypt/src/integer.c and wolfssl/wolfcrypt/integer.h: constify args to mp_cmp() and mp_cmp_mag(). 2026-04-01 16:32:15 -05:00
Daniel Pouzzner e6713372ee fixes from CI testing and peer review:
wolfcrypt/src/tfm.c and wolfssl/wolfcrypt/tfm.h: fix for -Wdiscarded-qualifiers in ecc_check_order_minus_1().

wolfssl/wolfcrypt/types.h: in WC_BARRIER(), use XFENCE() too, for best possible barrier.  fixes an ARM32 -Ofast -Wmaybe-uninitialized in blake2s_init_key().

wolfcrypt/src/asn_orig.c: set Stored flag after each allocation of a member that needs it.

wolfcrypt/src/signature.c: in wc_SignatureGetSize(), provide for legacy FIPS non-const-arg wc_ecc_sig_size() and wc_RsaEncryptSize().
2026-04-01 15:28:35 -05:00
Daniel Pouzzner 21c6568883 Fixes for -Wcast-qual hygiene in wolfCrypt.
.github/workflows/wolfCrypt-Wconversion.yml: Add -Wcast-qual to all scenarios.

wolfssl/wolfcrypt/signature.h, wolfcrypt/src/signature.c, doc/dox_comments/header_files/signature.h:

  Remove incorrect const qualifier on the key argument in

  * wc_SignatureVerifyHash()
  * wc_SignatureVerify()
  * wc_SignatureGenerateHash()
  * wc_SignatureGenerateHash_ex()
  * wc_SignatureGenerate()
  * wc_SignatureGenerate_ex()

  This fixes UB code patterns throughout signature.c.  key is inherently
  accessed readwrite by the underlying low level crypto.  Fortunately, wolfCrypt
  has no APIs/methods to allow actual const MPI key objects, therefore these
  seeming breaking API changes can't actually break any users.

globally:

  * Add const qualifiers to all struct pointer members that are assigned values
    computed from const pointers.

  * Add const qualifiers to intermediate casts for accessors and read-only
    dereference constructs, as needed for -Wcast-qual hygiene, e.g. for a macro
    GET_U16(a), use (*(const word16*)(a)) rather than (*(word16*)(a)).

  * Add const qualifiers to internal declarations, and remove illegal casts, as
    needed for -Wcast-qual hygiene.

  * Add missing const qualifiers to all casts for argument, operand, and
    assignment type agreement, as needed for -Wcast-qual hygiene, e.g.
    "*data = (const byte*)dataASN->data.ref.data" rather than
    "*data = (byte*)dataASN->data.ref.data".

wolfssl/wolfcrypt/asn.h, wolfssl/wolfcrypt/asn_public.h, wolfcrypt/src/asn.c, wolfcrypt/src/asn_orig.c:

  * Add additional lifecycle management for object members that are only sometimes locally allocated:

    DNS_entry.nameStored
    DNS_entry.ipStringStored
    DNS_entry.ridStringStored

wolfssl/wolfcrypt/types.h: add WC_BARRIER() macro -- a portable construct that
   prevents compiler optimizers from reordering operations across the barrier.

wolfssl/wolfcrypt/blake2-impl.h, wolfcrypt/src/blake2s.c, wolfcrypt/src/blake2b.c:

  * In blake2b_init(), blake2b_init_key(), blake2s_init(), and
    blake2s_init_key(), refactor blake2b_param initialization using WC_BARRIER()
    (fixes volatile abuse that triggered -Wcast-qual).

  * Remove the residual and unused WOLFSSL_BLAKE2[BS]_INIT_EACH_FIELD code.

wolfcrypt/src/ecc.c and wolfssl/wolfcrypt/ecc.h:

  Remove incorrect const qualifier on curve arg to wc_ecc_free_curve() (internal function).
2026-04-01 14:12:02 -05:00
Paul Adelsbach 2d8e853c74 Fix compile issue with --enable-crl and --disable-ecc 2026-04-01 10:10:35 -07:00
Juliusz Sosinowicz ed5eac1c7d wc_EncryptedInfoGet: add AES-CTR support 2026-04-01 14:00:27 +02:00
Juliusz Sosinowicz 6a1db27bae Fix type casting for psk_keySz in MakePSKPreMasterSecret and initialize newSz in PKCS12_ConcatenateContent 2026-04-01 14:00:27 +02:00
Thomas Cook 2ec08e5a25 Add support for rsa public crypt operations 2026-03-31 16:45:19 -04:00
Paul Adelsbach 4aac31bf09 Cast to unsigned prior to shift to avoid UB in SLH-DSA 2026-03-31 09:43:58 -07:00
Paul Adelsbach 73c6f2a91f Fix out of bounds shift in ML-DSA 2026-03-31 09:39:45 -07:00
Tobias Frauenschläger b7684c1bcc Zeroize heap buffer after ML-DSA signing
Ensure that the heap buffer used (among others) to store sensitive data
during ML-DSA signing is zeroized before freeing the memory.

Follow-up for zd21464

Reported by: Abhinav Agarwal (GitHub: @abhinavagarwal07)
2026-03-31 16:44:49 +02:00
Jeremiah Mackey 9c3895332e fix lost error in SE050 ECC key insert 2026-03-31 14:34:49 +00:00
Juliusz Sosinowicz 9cbdf04359 fixup! Refactor: Use dynamic allocation for RSA test buffers 2026-03-31 12:42:16 +02:00
Juliusz Sosinowicz 362a374e73 fixup! Refactor: Use dynamic allocation for RSA test buffers 2026-03-31 12:42:16 +02:00
Juliusz Sosinowicz 1a4f327d11 Refactor: Use dynamic allocation for RSA test buffers 2026-03-31 12:42:15 +02:00
Daniel Pouzzner a2298dde9c Merge pull request #10105 from padelsbach/lms-sign-external
Add buffer size and callback checks to external wc_LmsKey_Sign
2026-03-30 23:01:00 -05:00
Daniel Pouzzner 1a3daf0148 Merge pull request #10087 from padelsbach/crl-num-negative
Reject negative CRL numbers when decoding
2026-03-30 22:58:34 -05:00
Daniel Pouzzner 8e54eb9364 Merge pull request #10048 from anhu/constraints
Enforce URI name constraints in ConfirmNameConstraints
2026-03-30 22:51:52 -05:00
Daniel Pouzzner c8415c407f Merge pull request #10100 from Frauschi/zd21464
Zeroize sensitive buffers for ML-DSA
2026-03-30 22:34:53 -05:00
Paul Adelsbach 18494e154f Reject negative CRL numbers when decoding 2026-03-30 16:09:32 -07:00
Paul Adelsbach 2ac3020bb6 Add buffer size and callback checks to external wc_LmsKey_Sign 2026-03-30 15:02:13 -07:00
Daniel Pouzzner 0a61997059 Merge pull request #10045 from embhorn/zd21385
Fix IAR warning about volatile access
2026-03-30 13:42:14 -05:00
Daniel Pouzzner edb4b2828f Merge pull request #10091 from rlm2002/gi10063Xchacha
GI issue fix use `size_t` instead of `long int`
2026-03-30 11:38:32 -05:00
Daniel Pouzzner df055976ed Merge pull request #10079 from rlm2002/ghi10063
Various GI and ZD fixes
2026-03-30 11:34:05 -05:00
Daniel Pouzzner 9c0a9a6ceb Merge pull request #10084 from holtrop-wolfssl/zd21439
Add buffer size and callback checks to wc_LmsKey_Sign
2026-03-30 11:32:38 -05:00
Tobias Frauenschläger 7bdf13a3a3 Zeroize sensitive buffers for ML-DSA
Make sure stack-allocated buffers containing potentially senstive
material are zeroized before function exit.

Identified by: Abhinav Agarwal (GitHub: @abhinavagarwal07)
2026-03-30 11:21:32 +02:00
Daniel Pouzzner 76a498f7ea wolfcrypt/src/asn.c: fix invalid-pointer-pair "wild pointer" in CheckCertSignature_ex(). 2026-03-27 17:07:53 -05:00
Daniel Pouzzner e3d4d220c3 src/conf.c, src/ssl.c, wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h: fixes for invalid-pointer-pair memory errors reported by clang sanitizer with detect_invalid_pointer_pairs=2 in ASAN_OPTIONS. 2026-03-27 16:40:05 -05:00
Ruby Martin 88fdc3d92a remove casts that would cause truncation if long int is 32-bit but size_t is 64-bit 2026-03-27 12:09:53 -06:00
Josh Holtrop 048a03e8bf Add buffer size and callback checks to wc_LmsKey_Sign
Fixes ZD#21439
2026-03-27 08:49:43 -04:00
Ruby Martin 8b2fd34e95 free authInPadded if alloc'd on early return 2026-03-26 16:11:19 -06:00
Daniel Pouzzner 53f3ce635e wolfcrypt/src/asn.c: fix flub in wc_EccPublicKeyDecode() -- restore FREE_ASNGETDATA(dataASN, key->heap). 2026-03-26 16:54:19 -05:00
Daniel Pouzzner f0b711045c wolfssl/wolfcrypt/types.h: restore WC_ALLOC_DO_ON_FAILURE fallback definition from 760178c7dc -- reversion in part of 5f4d499df0. fixes optest build failures in all-crypto-only-intelasm-fips-v5-linuxkm-next-insmod-optest, all-crypto-only-intelasm-fips-v6-linuxkm-next-insmod-optest, and all-crypto-only-intelasm-fips-dev-linuxkm-next-insmod-optest. 2026-03-26 16:28:18 -05:00