Commit Graph

12 Commits

Author SHA1 Message Date
Tesfa Mael fbfc3ba8c2 Fix formatting 2026-05-08 18:50:44 +02:00
Tesfa Mael 4d94b8e8d5 [TA-100] Fix build/test regressions in non-TA100 builds 2026-05-08 18:50:44 +02:00
Tesfa Mae 00cca3e25b TA100: Microchip Trust Anchor support RSA/ECC 2026-05-08 18:50:43 +02:00
Tobias Frauenschläger 6c5de29758 Fix ECC validation regression 2026-04-23 11:26:33 +02:00
Tobias Frauenschläger 0fb2d2ec11 ecc: fix invalid-curve attack via missing on-curve validation
wc_ecc_import_x963_ex2 only checked whether an imported public point
lies on the intended curve when both USE_ECC_B_PARAM was compiled in
and the caller passed untrusted=1. In a default ./configure build,
USE_ECC_B_PARAM is not defined, so the check was compiled out entirely.
Additionally, the legacy wrapper wc_ecc_import_x963_ex unconditionally
passed untrusted=0, meaning ECIES (wc_ecc_decrypt), PKCS#7 KARI, and
the EVP ECDH layer never triggered the check even when the macro was
present. In the OpenSSL compatibility layer, wolfSSL_ECPoint_d2i
guarded its on-curve check behind !wolfSSL_BN_is_one(point->Z), but
wc_ecc_import_point_der_ex always sets Z=1 for uncompressed points,
making the check dead code.

An attacker who can supply an EC public key (e.g. via an ECIES
ciphertext, PKCS#7 enveloped-data, EVP_PKEY_derive, or
EC_POINT_oct2point + ECDH_compute_key) can choose a point on a twist
of the target curve with a smooth-order subgroup. Each ECDH query
leaks the victim's static private scalar modulo a small prime; CRT
reconstruction across enough queries recovers the full key
(Biehl-Meyer-Müller invalid-curve attack). Static-key ECIES and PKCS#7
KARI are directly affected; TLS is affected in default builds because
the USE_ECC_B_PARAM gate defeated the untrusted=1 flag that the
handshake does pass.

Four changes close the attack:

1. Remove the USE_ECC_B_PARAM gate completely in the code base so that
   wc_ecc_point_is_on_curve() is compiled in all builds, not only
   those with HAVE_COMP_KEY or OPENSSL_EXTRA (only set for legacy FIPS
   builds in settings.h).

2. wc_ecc_import_x963_ex: pass untrusted=1 to wc_ecc_import_x963_ex2
   so that ECIES, PKCS#7 KARI, and EVP callers that go through the
   four-argument wrapper always validate the imported point.

3. wc_ecc_import_x963_ex2: use the lightweight sp_ecc_is_point_NNN
   helpers (curve-equation check only) instead of sp_ecc_check_key_NNN
   (which additionally performs a full point*order scalar multiply).
   For prime-order curves (P-256, P-384, P-521, SM2) the on-curve
   equation check y^2 = x^3 + ax + b is sufficient to defeat
   invalid-curve attacks — every non-identity point on a prime-order
   curve has the full group order, so the expensive order-multiply
   check is unnecessary. This avoids the ~50% ECDH performance
   regression caused by the redundant scalar multiplication.

4. wolfSSL_ECPoint_d2i (pk_ec.c): add unconditional on-curve
   validation via wolfSSL_EC_POINT_is_on_curve after import. The
   existing check was gated on !wolfSSL_BN_is_one(point->Z) and
   therefore dead code for all uncompressed-point imports. This closes
   the OpenSSL compat layer attack path (EC_POINT_oct2point followed
   by ECDH_compute_key).

Non-SP curves fall back to wc_ecc_point_is_on_curve which performs the
same equation check using mp_int arithmetic.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-06 21:18:32 +02:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Hideki Miyazaki 8ad73d8ac1 Fix compile and crypt test failures when selftest is enabled 2026-01-16 08:55:06 +09:00
Sean Parkinson 6c30186168 ECC sign hash: only allow up to max digest size
Validate that the hash passed in is of an appropriate length - not
greater than the maximum digest size.
2025-11-13 11:53:51 +10:00
David Garske d79ca8a746 Improve some of the build cases around crypto callback only 2025-08-13 21:58:53 +01:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
Sean Parkinson 663ca29a5d Split out tests: random, wolfmath, public key
Improved testing of random APIs.
wolfmath tests moved out.
Public key algorithm testing moved out: RSA, DSA, DH, ECC, SM2,
Curve25519, Ed25519, Curve448, Ed448, ML-DSA.
Signature API tests moved out.

Fix for OCSP testing to ensure RSA is available.

Added group names to API test cases.
Can select groups to run with --group <name>. --groups lists all known
group names.

Added option to stop API testing on first failure: --stopOnFail.
2025-03-17 09:32:00 +10:00