When an EC_KEY is created via EC_KEY_new + EC_KEY_set_group +
EC_KEY_set_private_key (no public point set), SetECKeyInternal
incorrectly marks the internal ecc_key as ECC_PRIVATEKEY (instead of
ECC_PRIVATEKEY_ONLY) because pub_key is always non-NULL — EC_KEY_new
always allocates it as an empty, zero-initialised EC_POINT.
ECC_populate_EVP_PKEY only calls wc_ecc_make_pub for ECC_PRIVATEKEY_ONLY
keys, so the zero public-key point was serialised into the DER stored in
pkey->pkey.ptr. After commit 929dd9913 made wc_ecc_import_x963_ex always
pass untrusted=1, the re-decode inside wolfSSL_EVP_PKEY2PKCS8 →
wolfSSL_d2i_PrivateKey_EVP correctly rejected that zero point with an
on-curve failure, causing EVP_PKEY2PKCS8 to return NULL.
Fix: in ECC_populate_EVP_PKEY, also call wc_ecc_make_pub when the key
type is ECC_PRIVATEKEY but pubkey.x is zero (meaning the public key was
never actually populated). This reconstructs the public key from the
private scalar so that the encoded DER contains a valid on-curve point.
wc_ecc_import_x963_ex2 only checked whether an imported public point
lies on the intended curve when both USE_ECC_B_PARAM was compiled in
and the caller passed untrusted=1. In a default ./configure build,
USE_ECC_B_PARAM is not defined, so the check was compiled out entirely.
Additionally, the legacy wrapper wc_ecc_import_x963_ex unconditionally
passed untrusted=0, meaning ECIES (wc_ecc_decrypt), PKCS#7 KARI, and
the EVP ECDH layer never triggered the check even when the macro was
present. In the OpenSSL compatibility layer, wolfSSL_ECPoint_d2i
guarded its on-curve check behind !wolfSSL_BN_is_one(point->Z), but
wc_ecc_import_point_der_ex always sets Z=1 for uncompressed points,
making the check dead code.
An attacker who can supply an EC public key (e.g. via an ECIES
ciphertext, PKCS#7 enveloped-data, EVP_PKEY_derive, or
EC_POINT_oct2point + ECDH_compute_key) can choose a point on a twist
of the target curve with a smooth-order subgroup. Each ECDH query
leaks the victim's static private scalar modulo a small prime; CRT
reconstruction across enough queries recovers the full key
(Biehl-Meyer-Müller invalid-curve attack). Static-key ECIES and PKCS#7
KARI are directly affected; TLS is affected in default builds because
the USE_ECC_B_PARAM gate defeated the untrusted=1 flag that the
handshake does pass.
Four changes close the attack:
1. Remove the USE_ECC_B_PARAM gate completely in the code base so that
wc_ecc_point_is_on_curve() is compiled in all builds, not only
those with HAVE_COMP_KEY or OPENSSL_EXTRA (only set for legacy FIPS
builds in settings.h).
2. wc_ecc_import_x963_ex: pass untrusted=1 to wc_ecc_import_x963_ex2
so that ECIES, PKCS#7 KARI, and EVP callers that go through the
four-argument wrapper always validate the imported point.
3. wc_ecc_import_x963_ex2: use the lightweight sp_ecc_is_point_NNN
helpers (curve-equation check only) instead of sp_ecc_check_key_NNN
(which additionally performs a full point*order scalar multiply).
For prime-order curves (P-256, P-384, P-521, SM2) the on-curve
equation check y^2 = x^3 + ax + b is sufficient to defeat
invalid-curve attacks — every non-identity point on a prime-order
curve has the full group order, so the expensive order-multiply
check is unnecessary. This avoids the ~50% ECDH performance
regression caused by the redundant scalar multiplication.
4. wolfSSL_ECPoint_d2i (pk_ec.c): add unconditional on-curve
validation via wolfSSL_EC_POINT_is_on_curve after import. The
existing check was gated on !wolfSSL_BN_is_one(point->Z) and
therefore dead code for all uncompressed-point imports. This closes
the OpenSSL compat layer attack path (EC_POINT_oct2point followed
by ECDH_compute_key).
Non-SP curves fall back to wc_ecc_point_is_on_curve which performs the
same equation check using mp_int arithmetic.
Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
wolfcrypt/src/tfm.c and wolfssl/wolfcrypt/tfm.h: fix for -Wdiscarded-qualifiers in ecc_check_order_minus_1().
wolfssl/wolfcrypt/types.h: in WC_BARRIER(), use XFENCE() too, for best possible barrier. fixes an ARM32 -Ofast -Wmaybe-uninitialized in blake2s_init_key().
wolfcrypt/src/asn_orig.c: set Stored flag after each allocation of a member that needs it.
wolfcrypt/src/signature.c: in wc_SignatureGetSize(), provide for legacy FIPS non-const-arg wc_ecc_sig_size() and wc_RsaEncryptSize().
.github/workflows/wolfCrypt-Wconversion.yml: Add -Wcast-qual to all scenarios.
wolfssl/wolfcrypt/signature.h, wolfcrypt/src/signature.c, doc/dox_comments/header_files/signature.h:
Remove incorrect const qualifier on the key argument in
* wc_SignatureVerifyHash()
* wc_SignatureVerify()
* wc_SignatureGenerateHash()
* wc_SignatureGenerateHash_ex()
* wc_SignatureGenerate()
* wc_SignatureGenerate_ex()
This fixes UB code patterns throughout signature.c. key is inherently
accessed readwrite by the underlying low level crypto. Fortunately, wolfCrypt
has no APIs/methods to allow actual const MPI key objects, therefore these
seeming breaking API changes can't actually break any users.
globally:
* Add const qualifiers to all struct pointer members that are assigned values
computed from const pointers.
* Add const qualifiers to intermediate casts for accessors and read-only
dereference constructs, as needed for -Wcast-qual hygiene, e.g. for a macro
GET_U16(a), use (*(const word16*)(a)) rather than (*(word16*)(a)).
* Add const qualifiers to internal declarations, and remove illegal casts, as
needed for -Wcast-qual hygiene.
* Add missing const qualifiers to all casts for argument, operand, and
assignment type agreement, as needed for -Wcast-qual hygiene, e.g.
"*data = (const byte*)dataASN->data.ref.data" rather than
"*data = (byte*)dataASN->data.ref.data".
wolfssl/wolfcrypt/asn.h, wolfssl/wolfcrypt/asn_public.h, wolfcrypt/src/asn.c, wolfcrypt/src/asn_orig.c:
* Add additional lifecycle management for object members that are only sometimes locally allocated:
DNS_entry.nameStored
DNS_entry.ipStringStored
DNS_entry.ridStringStored
wolfssl/wolfcrypt/types.h: add WC_BARRIER() macro -- a portable construct that
prevents compiler optimizers from reordering operations across the barrier.
wolfssl/wolfcrypt/blake2-impl.h, wolfcrypt/src/blake2s.c, wolfcrypt/src/blake2b.c:
* In blake2b_init(), blake2b_init_key(), blake2s_init(), and
blake2s_init_key(), refactor blake2b_param initialization using WC_BARRIER()
(fixes volatile abuse that triggered -Wcast-qual).
* Remove the residual and unused WOLFSSL_BLAKE2[BS]_INIT_EACH_FIELD code.
wolfcrypt/src/ecc.c and wolfssl/wolfcrypt/ecc.h:
Remove incorrect const qualifier on curve arg to wc_ecc_free_curve() (internal function).
Ensure that the heap buffer used (among others) to store sensitive data
during ML-DSA signing is zeroized before freeing the memory.
Follow-up for zd21464
Reported by: Abhinav Agarwal (GitHub: @abhinavagarwal07)
Make sure stack-allocated buffers containing potentially senstive
material are zeroized before function exit.
Identified by: Abhinav Agarwal (GitHub: @abhinavagarwal07)
fixes and workarounds for clang-tidy complaints:
* clang-diagnostic-unknown-warning-option
* bugprone-sizeof-expression
* clang-diagnostic-error "address argument to atomic operation must be a pointer to a trivially-copyable type"
* bugprone-macro-parentheses
* clang-diagnostic-unused-but-set-variable
* readability-redundant-declaration