Commit Graph

9616 Commits

Author SHA1 Message Date
Tobias Frauenschläger e32e926f4e evp: fix EVP_PKEY2PKCS8 returning NULL for private-key-only EC keys
When an EC_KEY is created via EC_KEY_new + EC_KEY_set_group +
EC_KEY_set_private_key (no public point set), SetECKeyInternal
incorrectly marks the internal ecc_key as ECC_PRIVATEKEY (instead of
ECC_PRIVATEKEY_ONLY) because pub_key is always non-NULL — EC_KEY_new
always allocates it as an empty, zero-initialised EC_POINT.

ECC_populate_EVP_PKEY only calls wc_ecc_make_pub for ECC_PRIVATEKEY_ONLY
keys, so the zero public-key point was serialised into the DER stored in
pkey->pkey.ptr.  After commit 929dd9913 made wc_ecc_import_x963_ex always
pass untrusted=1, the re-decode inside wolfSSL_EVP_PKEY2PKCS8 →
wolfSSL_d2i_PrivateKey_EVP correctly rejected that zero point with an
on-curve failure, causing EVP_PKEY2PKCS8 to return NULL.

Fix: in ECC_populate_EVP_PKEY, also call wc_ecc_make_pub when the key
type is ECC_PRIVATEKEY but pubkey.x is zero (meaning the public key was
never actually populated).  This reconstructs the public key from the
private scalar so that the encoded DER contains a valid on-curve point.
2026-04-06 21:18:32 +02:00
Tobias Frauenschläger 0fb2d2ec11 ecc: fix invalid-curve attack via missing on-curve validation
wc_ecc_import_x963_ex2 only checked whether an imported public point
lies on the intended curve when both USE_ECC_B_PARAM was compiled in
and the caller passed untrusted=1. In a default ./configure build,
USE_ECC_B_PARAM is not defined, so the check was compiled out entirely.
Additionally, the legacy wrapper wc_ecc_import_x963_ex unconditionally
passed untrusted=0, meaning ECIES (wc_ecc_decrypt), PKCS#7 KARI, and
the EVP ECDH layer never triggered the check even when the macro was
present. In the OpenSSL compatibility layer, wolfSSL_ECPoint_d2i
guarded its on-curve check behind !wolfSSL_BN_is_one(point->Z), but
wc_ecc_import_point_der_ex always sets Z=1 for uncompressed points,
making the check dead code.

An attacker who can supply an EC public key (e.g. via an ECIES
ciphertext, PKCS#7 enveloped-data, EVP_PKEY_derive, or
EC_POINT_oct2point + ECDH_compute_key) can choose a point on a twist
of the target curve with a smooth-order subgroup. Each ECDH query
leaks the victim's static private scalar modulo a small prime; CRT
reconstruction across enough queries recovers the full key
(Biehl-Meyer-Müller invalid-curve attack). Static-key ECIES and PKCS#7
KARI are directly affected; TLS is affected in default builds because
the USE_ECC_B_PARAM gate defeated the untrusted=1 flag that the
handshake does pass.

Four changes close the attack:

1. Remove the USE_ECC_B_PARAM gate completely in the code base so that
   wc_ecc_point_is_on_curve() is compiled in all builds, not only
   those with HAVE_COMP_KEY or OPENSSL_EXTRA (only set for legacy FIPS
   builds in settings.h).

2. wc_ecc_import_x963_ex: pass untrusted=1 to wc_ecc_import_x963_ex2
   so that ECIES, PKCS#7 KARI, and EVP callers that go through the
   four-argument wrapper always validate the imported point.

3. wc_ecc_import_x963_ex2: use the lightweight sp_ecc_is_point_NNN
   helpers (curve-equation check only) instead of sp_ecc_check_key_NNN
   (which additionally performs a full point*order scalar multiply).
   For prime-order curves (P-256, P-384, P-521, SM2) the on-curve
   equation check y^2 = x^3 + ax + b is sufficient to defeat
   invalid-curve attacks — every non-identity point on a prime-order
   curve has the full group order, so the expensive order-multiply
   check is unnecessary. This avoids the ~50% ECDH performance
   regression caused by the redundant scalar multiplication.

4. wolfSSL_ECPoint_d2i (pk_ec.c): add unconditional on-curve
   validation via wolfSSL_EC_POINT_is_on_curve after import. The
   existing check was gated on !wolfSSL_BN_is_one(point->Z) and
   therefore dead code for all uncompressed-point imports. This closes
   the OpenSSL compat layer attack path (EC_POINT_oct2point followed
   by ECDH_compute_key).

Non-SP curves fall back to wc_ecc_point_is_on_curve which performs the
same equation check using mp_int arithmetic.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-06 21:18:32 +02:00
Daniel Pouzzner 7a6e37d697 Merge pull request #10064 from julek-wolfssl/master
Fixes for wolfclu
2026-04-02 22:54:10 -05:00
Daniel Pouzzner b6d8829ba9 Merge pull request #10114 from Frauschi/fenrir
Fenrir fixes
2026-04-02 22:52:48 -05:00
Daniel Pouzzner 14dbba7b21 armasm: in prototypes for fe_cmov_table(), declare the base arg as const fe*. 2026-04-02 14:14:16 -07:00
Tobias Frauenschläger 22a2290972 Fix TOCTOU issues in SP math code 2026-04-02 15:06:35 +02:00
Tobias Frauenschläger 8b2c0f7cd2 Make sure ASCON is unusable on big endian 2026-04-02 11:55:41 +02:00
Tobias Frauenschläger da597e30db Fix SECO AES GCM return value 2026-04-02 11:55:41 +02:00
Tobias Frauenschläger 6e0624065f Make sure ECB decrypt function is called in EVP
This only makes an actual difference when FREESCALE_MMCAU is defined (otherwise encrypt and decrypt are the same), but better for clarity still.
2026-04-02 11:55:41 +02:00
Tobias Frauenschläger b6b8de1f59 Add bounds checks for Blake2 digest size 2026-04-02 11:55:41 +02:00
Daniel Pouzzner 24f9981877 Merge pull request #10120 from douzzer/20260331-wolfcrypt-Wcast-qual
20260331-wolfcrypt-Wcast-qual

approved by @padelsbach
2026-04-02 00:25:13 -05:00
Daniel Pouzzner 49cbbab6b0 Merge pull request #10039 from anhu/pkcs7_oob
Add bounds check in PKCS7 streaming indefinite-length end-of-content parsing
2026-04-02 00:16:49 -05:00
Daniel Pouzzner 5701f5db32 Merge pull request #10083 from anhu/privkeyset
Add privKeySet checks to Ed25519, Ed448, ML-DSA, and ML-KEM
2026-04-02 00:15:12 -05:00
Daniel Pouzzner d6fa846615 Merge pull request #10096 from padelsbach/dilithium-oob-shift
Fix out of bounds shift in ML-DSA
2026-04-02 00:13:06 -05:00
Daniel Pouzzner 6a04c03e4c Merge pull request #10113 from Frauschi/zd21464
Zeroize heap buffer after ML-DSA signing
2026-04-02 00:06:43 -05:00
Daniel Pouzzner 0c67d7a844 Merge pull request #10080 from JeremiahM37/fenrir-issues
Fenrir fixes
2026-04-02 00:06:02 -05:00
Daniel Pouzzner 7fd41b13de Merge pull request #10104 from padelsbach/cast-shift-slhdsa.c
Cast to unsigned prior to shift to avoid UB in SLH-DSA
2026-04-02 00:03:42 -05:00
Daniel Pouzzner 6e8b3e0fcf wolfcrypt/src/blake2b.c and wolfcrypt/src/blake2s.c: restore volatile-based workaround for ARM32 gcc optimizer bug. 2026-04-01 17:14:30 -05:00
Daniel Pouzzner 4228bedbcf wolfcrypt/src/integer.c and wolfssl/wolfcrypt/integer.h: constify args to mp_cmp() and mp_cmp_mag(). 2026-04-01 16:32:15 -05:00
Daniel Pouzzner e6713372ee fixes from CI testing and peer review:
wolfcrypt/src/tfm.c and wolfssl/wolfcrypt/tfm.h: fix for -Wdiscarded-qualifiers in ecc_check_order_minus_1().

wolfssl/wolfcrypt/types.h: in WC_BARRIER(), use XFENCE() too, for best possible barrier.  fixes an ARM32 -Ofast -Wmaybe-uninitialized in blake2s_init_key().

wolfcrypt/src/asn_orig.c: set Stored flag after each allocation of a member that needs it.

wolfcrypt/src/signature.c: in wc_SignatureGetSize(), provide for legacy FIPS non-const-arg wc_ecc_sig_size() and wc_RsaEncryptSize().
2026-04-01 15:28:35 -05:00
Daniel Pouzzner 21c6568883 Fixes for -Wcast-qual hygiene in wolfCrypt.
.github/workflows/wolfCrypt-Wconversion.yml: Add -Wcast-qual to all scenarios.

wolfssl/wolfcrypt/signature.h, wolfcrypt/src/signature.c, doc/dox_comments/header_files/signature.h:

  Remove incorrect const qualifier on the key argument in

  * wc_SignatureVerifyHash()
  * wc_SignatureVerify()
  * wc_SignatureGenerateHash()
  * wc_SignatureGenerateHash_ex()
  * wc_SignatureGenerate()
  * wc_SignatureGenerate_ex()

  This fixes UB code patterns throughout signature.c.  key is inherently
  accessed readwrite by the underlying low level crypto.  Fortunately, wolfCrypt
  has no APIs/methods to allow actual const MPI key objects, therefore these
  seeming breaking API changes can't actually break any users.

globally:

  * Add const qualifiers to all struct pointer members that are assigned values
    computed from const pointers.

  * Add const qualifiers to intermediate casts for accessors and read-only
    dereference constructs, as needed for -Wcast-qual hygiene, e.g. for a macro
    GET_U16(a), use (*(const word16*)(a)) rather than (*(word16*)(a)).

  * Add const qualifiers to internal declarations, and remove illegal casts, as
    needed for -Wcast-qual hygiene.

  * Add missing const qualifiers to all casts for argument, operand, and
    assignment type agreement, as needed for -Wcast-qual hygiene, e.g.
    "*data = (const byte*)dataASN->data.ref.data" rather than
    "*data = (byte*)dataASN->data.ref.data".

wolfssl/wolfcrypt/asn.h, wolfssl/wolfcrypt/asn_public.h, wolfcrypt/src/asn.c, wolfcrypt/src/asn_orig.c:

  * Add additional lifecycle management for object members that are only sometimes locally allocated:

    DNS_entry.nameStored
    DNS_entry.ipStringStored
    DNS_entry.ridStringStored

wolfssl/wolfcrypt/types.h: add WC_BARRIER() macro -- a portable construct that
   prevents compiler optimizers from reordering operations across the barrier.

wolfssl/wolfcrypt/blake2-impl.h, wolfcrypt/src/blake2s.c, wolfcrypt/src/blake2b.c:

  * In blake2b_init(), blake2b_init_key(), blake2s_init(), and
    blake2s_init_key(), refactor blake2b_param initialization using WC_BARRIER()
    (fixes volatile abuse that triggered -Wcast-qual).

  * Remove the residual and unused WOLFSSL_BLAKE2[BS]_INIT_EACH_FIELD code.

wolfcrypt/src/ecc.c and wolfssl/wolfcrypt/ecc.h:

  Remove incorrect const qualifier on curve arg to wc_ecc_free_curve() (internal function).
2026-04-01 14:12:02 -05:00
Paul Adelsbach 2d8e853c74 Fix compile issue with --enable-crl and --disable-ecc 2026-04-01 10:10:35 -07:00
Juliusz Sosinowicz ed5eac1c7d wc_EncryptedInfoGet: add AES-CTR support 2026-04-01 14:00:27 +02:00
Juliusz Sosinowicz 6a1db27bae Fix type casting for psk_keySz in MakePSKPreMasterSecret and initialize newSz in PKCS12_ConcatenateContent 2026-04-01 14:00:27 +02:00
Paul Adelsbach 4aac31bf09 Cast to unsigned prior to shift to avoid UB in SLH-DSA 2026-03-31 09:43:58 -07:00
Paul Adelsbach 73c6f2a91f Fix out of bounds shift in ML-DSA 2026-03-31 09:39:45 -07:00
Tobias Frauenschläger b7684c1bcc Zeroize heap buffer after ML-DSA signing
Ensure that the heap buffer used (among others) to store sensitive data
during ML-DSA signing is zeroized before freeing the memory.

Follow-up for zd21464

Reported by: Abhinav Agarwal (GitHub: @abhinavagarwal07)
2026-03-31 16:44:49 +02:00
Jeremiah Mackey 9c3895332e fix lost error in SE050 ECC key insert 2026-03-31 14:34:49 +00:00
Daniel Pouzzner a2298dde9c Merge pull request #10105 from padelsbach/lms-sign-external
Add buffer size and callback checks to external wc_LmsKey_Sign
2026-03-30 23:01:00 -05:00
Daniel Pouzzner 1a3daf0148 Merge pull request #10087 from padelsbach/crl-num-negative
Reject negative CRL numbers when decoding
2026-03-30 22:58:34 -05:00
Daniel Pouzzner 8e54eb9364 Merge pull request #10048 from anhu/constraints
Enforce URI name constraints in ConfirmNameConstraints
2026-03-30 22:51:52 -05:00
Daniel Pouzzner c8415c407f Merge pull request #10100 from Frauschi/zd21464
Zeroize sensitive buffers for ML-DSA
2026-03-30 22:34:53 -05:00
Paul Adelsbach 18494e154f Reject negative CRL numbers when decoding 2026-03-30 16:09:32 -07:00
Paul Adelsbach 2ac3020bb6 Add buffer size and callback checks to external wc_LmsKey_Sign 2026-03-30 15:02:13 -07:00
Daniel Pouzzner 0a61997059 Merge pull request #10045 from embhorn/zd21385
Fix IAR warning about volatile access
2026-03-30 13:42:14 -05:00
Daniel Pouzzner edb4b2828f Merge pull request #10091 from rlm2002/gi10063Xchacha
GI issue fix use `size_t` instead of `long int`
2026-03-30 11:38:32 -05:00
Daniel Pouzzner df055976ed Merge pull request #10079 from rlm2002/ghi10063
Various GI and ZD fixes
2026-03-30 11:34:05 -05:00
Daniel Pouzzner 9c0a9a6ceb Merge pull request #10084 from holtrop-wolfssl/zd21439
Add buffer size and callback checks to wc_LmsKey_Sign
2026-03-30 11:32:38 -05:00
Tobias Frauenschläger 7bdf13a3a3 Zeroize sensitive buffers for ML-DSA
Make sure stack-allocated buffers containing potentially senstive
material are zeroized before function exit.

Identified by: Abhinav Agarwal (GitHub: @abhinavagarwal07)
2026-03-30 11:21:32 +02:00
Daniel Pouzzner 76a498f7ea wolfcrypt/src/asn.c: fix invalid-pointer-pair "wild pointer" in CheckCertSignature_ex(). 2026-03-27 17:07:53 -05:00
Daniel Pouzzner e3d4d220c3 src/conf.c, src/ssl.c, wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h: fixes for invalid-pointer-pair memory errors reported by clang sanitizer with detect_invalid_pointer_pairs=2 in ASAN_OPTIONS. 2026-03-27 16:40:05 -05:00
Ruby Martin 88fdc3d92a remove casts that would cause truncation if long int is 32-bit but size_t is 64-bit 2026-03-27 12:09:53 -06:00
Josh Holtrop 048a03e8bf Add buffer size and callback checks to wc_LmsKey_Sign
Fixes ZD#21439
2026-03-27 08:49:43 -04:00
Ruby Martin 8b2fd34e95 free authInPadded if alloc'd on early return 2026-03-26 16:11:19 -06:00
Daniel Pouzzner 53f3ce635e wolfcrypt/src/asn.c: fix flub in wc_EccPublicKeyDecode() -- restore FREE_ASNGETDATA(dataASN, key->heap). 2026-03-26 16:54:19 -05:00
Daniel Pouzzner 292ea549cc wolfcrypt/src/asn.c: fixes for invalid memory access in wc_DsaPublicKeyDecode() and wc_EccPublicKeyDecode(), detected by cppcheck-force-source, lms-xmss-wolfssl-all-clang-sanitizer, and sanitizer-clang-all-noasm. 2026-03-26 16:07:37 -05:00
Daniel Pouzzner 52d5d0a940 linuxkm/, wolfcrypt/src/dh.c, wolfcrypt/test/test.c, wolfcrypt/test/test.h, wolfssl/wolfcrypt/wc_port.h:
fixes and workarounds for clang-tidy complaints:
  * clang-diagnostic-unknown-warning-option
  * bugprone-sizeof-expression
  * clang-diagnostic-error "address argument to atomic operation must be a pointer to a trivially-copyable type"
  * bugprone-macro-parentheses
  * clang-diagnostic-unused-but-set-variable
  * readability-redundant-declaration
2026-03-26 15:41:47 -05:00
Anthony Hu 30b196471b Add privKeySet checks to Ed25519, Ed448, ML-DSA, and ML-KEM 2026-03-26 14:56:00 -04:00
Jeremiah Mackey dcbb5539f1 fix SE050 hash msg buffer leak 2026-03-26 17:30:14 +00:00
Jeremiah Mackey 079e7c5692 fix SE050 mutex leaks on early returns 2026-03-26 17:30:14 +00:00