Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion tests/api/test_aes.c
Original file line number Diff line number Diff line change
Expand Up @@ -3727,7 +3727,8 @@ int test_wc_AesGcmNonStdNonce(void)
* and cannot exercise the GHASH-based counter derivation. */
#if !defined(NO_AES) && defined(HAVE_AESGCM) && \
!defined(HAVE_FIPS) && \
!defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI)
!defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI) && \
!defined(WOLFSSL_DEVCRYPTO_AES)

/* ------------------------------------------------------------------
* Section 1: 1-byte IV, AES-128
Expand Down
12 changes: 8 additions & 4 deletions wolfcrypt/src/des3.c
Original file line number Diff line number Diff line change
Expand Up @@ -1571,10 +1571,14 @@

/* rotate left and right halves independently */
for (j = 0; j < 48; j++) { /* select bits individually */
if (pcr[pc2[j] - 1]) { /* check bit that goes to ks[j] */
l= j % 6; /* mask it in if it's there */
ks[j/6] |= (byte)(bytebit[l] >> 2);
}
byte bit;
byte mask;
bit =
(byte)(pcr[pc2[j] - 1]); /* all pcr values are either 0 or 1 */
mask = (byte)(0 - bit); /* mask is either 0xFF or 0x00 */
/* only set to bytebit value if bit == 1*/
ks[j/6] |=
(byte)((bytebit[j % 6] >> 2) & mask);
}

/* Now convert to odd/even interleaved form for use in F */
Expand Down
3 changes: 3 additions & 0 deletions wolfcrypt/src/dsa.c
Original file line number Diff line number Diff line change
Expand Up @@ -1121,6 +1121,9 @@ int wc_DsaVerify_ex(const byte* digest, word32 digestSz, const byte* sig,
if (digest == NULL || sig == NULL || key == NULL || answer == NULL)
return BAD_FUNC_ARG;

/* assign default value so we return 0 on error */
*answer = 0;

/* Note the min allowed digestSz here is WC_SHA_DIGEST_SIZE, not
* WC_MIN_DIGEST_SIZE, to allow verify-only legacy DSA operations, as
* expressly allowed under FIPS 186-5, FIPS 140-3, and SP 800-131A.
Expand Down
10 changes: 3 additions & 7 deletions wolfcrypt/src/ecc.c
Original file line number Diff line number Diff line change
Expand Up @@ -256,10 +256,6 @@ ECC Curve Sizes:
#include <wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h>
#endif

#if defined(WOLFSSL_CAAM)
#include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
#endif

#if defined(WOLFSSL_KCAPI_ECC)
#include <wolfssl/wolfcrypt/port/kcapi/kcapi_ecc.h>
#endif
Expand Down Expand Up @@ -10109,7 +10105,7 @@ static int _ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
/* store byte point type */
out[0] = ECC_POINT_UNCOMP;

if (caamReadPartition((CAAM_ADDRESS)key->securePubKey, out+1, keySz*2) != 0)
if (caamReadPartition(key->securePubKey, out+1, keySz*2) != 0)
return WC_HW_E;

*outLen = 1 + 2*keySz;
Expand Down Expand Up @@ -11732,15 +11728,15 @@ static int _ecc_import_private_key_ex(const byte* priv, word32 privSz,
}

key->partNum = part;
key->blackKey = (word32)vaddr;
key->blackKey = vaddr;
if (caamWriteToPartition(vaddr, priv, privSz) != 0)
return WC_HW_E;

if (pub != NULL) {
/* +1 to account for x963 compressed bit */
if (caamWriteToPartition(vaddr + privSz, pub + 1, pubSz - 1) != 0)
return WC_HW_E;
key->securePubKey = (word32)vaddr + privSz;
key->securePubKey = vaddr + privSz;
}
}
else {
Expand Down
8 changes: 3 additions & 5 deletions wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c
Original file line number Diff line number Diff line change
Expand Up @@ -983,14 +983,12 @@ static CB_INLINE int wolfssl_ssl_conf_verify_cb_no_signer(int preverify,
/* Clean up and exit */
if ((_crt_found == 0) && (bundle_cert != NULL)) {
ESP_LOGW(TAG, "Cert not found, free bundle_cert");
/* this_subject and this_issuer are apart of bundle_cert and will be
* freed here*/
wolfSSL_X509_free(bundle_cert);
bundle_cert = NULL;
/* this_subject and this_issuer are pointers into cert used.
* Don't free if the cert was found. */
wolfSSL_X509_NAME_free(this_subject);
this_subject = NULL;
wolfSSL_X509_NAME_free(this_issuer);
this_issuer = NULL;
this_subject = NULL;
}

/* We don't clean up the store_cert and x509 as we are in a callback,
Expand Down
20 changes: 13 additions & 7 deletions wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c
Original file line number Diff line number Diff line change
Expand Up @@ -410,10 +410,13 @@ int wc_fspsm_AesGcmEncrypt(struct Aes* aes, byte* out,
aes->heap, DYNAMIC_TYPE_AES);
key_server_aes = (FSPSM_AES_PWKEY)XMALLOC(sizeof(FSPSM_AES_WKEY),
aes->heap, DYNAMIC_TYPE_AES);
if (key_client_aes == NULL || key_server_aes == NULL) {
XFREE(plainBuf, aes->heap, DYNAMIC_TYPE_AES);
XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES);
XFREE(aTagBuf, aes->heap, DYNAMIC_TYPE_AES);
if (key_server_aes == NULL || key_client_aes == NULL) {
XFREE(key_client_aes, aes->heap, DYNAMIC_TYPE_AES);
XFREE(key_server_aes, aes->heap, DYNAMIC_TYPE_AES);
XFREE(plainBuf, aes->heap, DYNAMIC_TYPE_AES);
XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES);
XFREE(aTagBuf, aes->heap, DYNAMIC_TYPE_AES);
wc_fspsm_hw_unlock();

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 [Med] Incomplete fix — the sibling wc_fspsm_AesGcmDecrypt still leaks the HW lock

This added wc_fspsm_hw_unlock() correctly closes finding 5418 here in wc_fspsm_AesGcmEncrypt, but the structurally identical alloc-failure branch in wc_fspsm_AesGcmDecrypt (line ~645) still does a bare return MEMORY_E; after wc_fspsm_hw_lock() succeeded — so it returns with the hardware lock held, which is the same leak/deadlock this PR is meant to eliminate.

Please apply the same wc_fspsm_hw_unlock() before the return MEMORY_E; in the Decrypt path.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed! I also checked the rest of the port directory for similar issues and one other missed unlock in renesas_tsip_util.c : 2462

return MEMORY_E;
}

Expand Down Expand Up @@ -638,9 +641,12 @@ int wc_fspsm_AesGcmDecrypt(struct Aes* aes, byte* out,
key_server_aes = (FSPSM_AES_PWKEY)XMALLOC(sizeof(FSPSM_AES_WKEY),
aes->heap, DYNAMIC_TYPE_AES);
if (key_client_aes == NULL || key_server_aes == NULL) {
XFREE(plainBuf, aes->heap, DYNAMIC_TYPE_AES);
XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES);
XFREE(aTagBuf, aes->heap, DYNAMIC_TYPE_AES);
XFREE(key_client_aes, aes->heap, DYNAMIC_TYPE_AES);
XFREE(key_server_aes, aes->heap, DYNAMIC_TYPE_AES);
XFREE(plainBuf, aes->heap, DYNAMIC_TYPE_AES);
XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES);
XFREE(aTagBuf, aes->heap, DYNAMIC_TYPE_AES);
wc_fspsm_hw_unlock();
return MEMORY_E;
}

Expand Down
2 changes: 1 addition & 1 deletion wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c
Original file line number Diff line number Diff line change
Expand Up @@ -418,7 +418,7 @@ static int FSPSM_HashFinal(wolfssl_FSPSM_Hash* hash, byte* out, word32 outSz)
#endif
wc_fspsm_hw_lock();

if (Init(&handle) == FSP_SUCCESS) {
if ((ret = Init(&handle)) == FSP_SUCCESS) {
ret = Update(&handle, (uint8_t*)hash->msg, hash->used);
if (ret == FSP_SUCCESS) {
ret = Final(&handle, out, (uint32_t*)&sz);
Expand Down
1 change: 1 addition & 0 deletions wolfcrypt/src/port/Renesas/renesas_tsip_util.c
Original file line number Diff line number Diff line change
Expand Up @@ -2459,6 +2459,7 @@ int tsip_ImportPublicKey(TsipUserCtx* tuc, int keyType)
sizeof(tsip_rsa2048_public_key_index_t), NULL,
DYNAMIC_TYPE_RSA_BUFFER);
if (tuc->rsa2048pub_keyIdx == NULL) {
tsip_hw_unlock();
return MEMORY_E;
}
#endif
Expand Down
2 changes: 1 addition & 1 deletion wolfcrypt/src/port/devcrypto/devcrypto_aes.c
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
const word32 max_key_len = (AES_MAX_KEY_SIZE / 8);
#endif

if (aes == NULL ||
if (aes == NULL || userKey == NULL ||
!((keylen == 16) || (keylen == 24) || (keylen == 32))) {
return BAD_FUNC_ARG;
}
Expand Down
55 changes: 36 additions & 19 deletions wolfcrypt/src/port/devcrypto/devcrypto_hash.c
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,7 @@ int wc_InitSha256_ex(wc_Sha256* sha, void* heap, int devId)

(void)devId; /* no async for now */
XMEMSET(sha, 0, sizeof(wc_Sha256));
sha->ctx.cfd = -1; /* Sentinel value matching aes */
sha->heap = heap;

return HashInit((void*)sha, CRYPTO_SHA2_256, NULL, 0);
Expand All @@ -135,20 +136,14 @@ int wc_Sha256Update(wc_Sha256* sha, const byte* in, word32 sz)
#ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP
/* keep full message to hash at end instead of incremental updates */
if (sha->len < sha->used + sz) {
if (sha->msg == NULL) {
sha->msg = (byte*)XMALLOC(sha->used + sz, sha->heap,
DYNAMIC_TYPE_TMP_BUFFER);
} else {
byte* pt = (byte*)XREALLOC(sha->msg, sha->used + sz, sha->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (pt == NULL) {
return MEMORY_E;
}
sha->msg = pt;
}
if (sha->msg == NULL) {
byte* pt = (byte*)XREALLOC(sha->msg, sha->used + sz, sha->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (pt == NULL) {
return MEMORY_E;
}

sha->msg = pt;

sha->len = sha->used + sz;
}
XMEMCPY(sha->msg + sha->used, in, sz);
Expand All @@ -173,14 +168,16 @@ int wc_Sha256Final(wc_Sha256* sha, byte* hash)
#ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP
/* keep full message to hash at end instead of incremental updates */
if ((ret = HashUpdate(sha, CRYPTO_SHA2_256, sha->msg, sha->used)) < 0) {
wc_Sha256Free(sha);
return ret;
}
XFREE(sha->msg, sha->heap, DYNAMIC_TYPE_TMP_BUFFER);
sha->msg = NULL;
#endif
ret = GetDigest(sha, CRYPTO_SHA2_256, hash);
if (ret != 0) {
return ret;
wc_Sha256Free(sha);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟢 [Low] Adjacent error path in wc_Sha256Final still leaks the session

This wc_Sha256Free(sha) correctly closes the GetDigest error path (finding 4446), but the earlier HashUpdate error path a few lines up:

if ((ret = HashUpdate(sha, CRYPTO_SHA2_256, sha->msg, sha->used)) < 0) {
    return ret;   /* session + sha->msg still leaked */
}

returns without freeing the kernel session or sha->msg. Same leak class the PR targets — worth freeing there too.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

return ret;
}

wc_Sha256Free(sha);
Expand All @@ -198,9 +195,15 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)
{
int ret;
wc_Sha256 cpy;
wc_Sha256Copy(sha, &cpy);

if ((ret = HashUpdate(&cpy, CRYPTO_SHA2_256, cpy.msg, cpy.used)) == 0) {
XMEMSET(&cpy, 0, sizeof(cpy)); /* ZII */
/* mark as having no /dev/crypto session yet so the wc_Sha256Free()
* in wc_Sha256Copy() does not close fd 0 (cfd == -1 is the
* "no session" sentinel, matching wc_AesInit()) */
cpy.ctx.cfd = -1;
ret = wc_Sha256Copy(sha, &cpy);

if (ret == 0 &&
(ret = HashUpdate(&cpy, CRYPTO_SHA2_256, cpy.msg, cpy.used)) == 0) {
/* help static analysis tools out */
XMEMSET(hash, 0, WC_SHA256_DIGEST_SIZE);
ret = GetDigest(&cpy, CRYPTO_SHA2_256, hash);
Expand All @@ -219,22 +222,36 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)

int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
{
int ret = 0;

if (src == NULL || dst == NULL) {
return BAD_FUNC_ARG;
}

wc_InitSha256_ex(dst, src->heap, 0);
#ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP
/* Sha256Free checks that ctx.cfd is >= 0*/
wc_Sha256Free(dst);
if ((ret = wc_InitSha256_ex(dst, src->heap, 0)) != 0) {
return ret;
}
dst->len = src->len;
dst->used = src->used;
dst->msg = (byte*)XMALLOC(src->len, dst->heap, DYNAMIC_TYPE_TMP_BUFFER);
Comment thread
Frauschi marked this conversation as resolved.
if (dst->msg == NULL) {
wc_Sha256Free(dst);
return MEMORY_E;
}
XMEMCPY(dst->msg, src->msg, src->len);
#endif

return 0;
return ret;
#else
(void)src;
(void)dst;
(void)ret;

WOLFSSL_MSG("Compile with WOLFSSL_DEVCRYPTO_HASH_KEEP for this feature");
return NOT_COMPILED_IN;
#endif
}

#endif /* !NO_SHA256 */
Expand Down
24 changes: 19 additions & 5 deletions wolfcrypt/src/random.c
Original file line number Diff line number Diff line change
Expand Up @@ -382,19 +382,29 @@ static int sha512DrbgDisabled = 0;
static wolfSSL_Mutex drbgStateMutex
WOLFSSL_MUTEX_INITIALIZER_CLAUSE(drbgStateMutex);
#ifndef WOLFSSL_MUTEX_INITIALIZER
#ifdef WOLFSSL_ATOMIC_OPS
static wolfSSL_Atomic_Int drbgStateMutex_inited = WOLFSSL_ATOMIC_INITIALIZER(0);
#else
static int drbgStateMutex_inited = 0;
#endif
#endif
#endif /* !SINGLE_THREADED */

int wc_DrbgState_MutexInit(void)
{
#ifndef SINGLE_THREADED
#ifndef WOLFSSL_MUTEX_INITIALIZER
if (!drbgStateMutex_inited) {
int expected = 0;
/* Check if mutex is not inited and set it to true before init.
* This means that the mutex is marked as init before it actually is.
* Necessary to ensure that two threads don't init at the same time.*/
if (wolfSSL_Atomic_Int_CompareExchange(&drbgStateMutex_inited,
&expected, 1)) {
int ret = wc_InitMutex(&drbgStateMutex);
if (ret != 0)
if (ret != 0) {
(void)wolfSSL_Atomic_Int_Exchange(&drbgStateMutex_inited, 0);
return ret;
drbgStateMutex_inited = 1;
}
}
#endif
#endif
Expand Down Expand Up @@ -3718,9 +3728,13 @@ static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)

for (; (sz / sizeof(word64)) > 0; sz -= sizeof(word64),
output += sizeof(word64)) {
ret = IntelRDseed64_r((word64*)output);
if (ret != 0)
word64 rndTmpLocal;
ret = IntelRDseed64_r(&rndTmpLocal);
if (ret != 0) {
ForceZero(&rndTmp, sizeof(rndTmp));
return ret;
}
writeUnalignedWord64(output, rndTmpLocal);
}
if (sz == 0)
return 0;
Expand Down
8 changes: 4 additions & 4 deletions wolfcrypt/src/siphash.c
Original file line number Diff line number Diff line change
Expand Up @@ -411,8 +411,8 @@ int wc_SipHash(const unsigned char* key, const unsigned char* in, word32 inSz,
return BAD_FUNC_ARG;
}

k0 = ((const word64*)key)[0];
k1 = ((const word64*)key)[1];
k0 = GET_U64(key);
k1 = GET_U64(key + 8);
__asm__ __volatile__ (
"xorq %[k0], %[v0]\n\t"
"xorq %[k1], %[v1]\n\t"
Expand Down Expand Up @@ -640,8 +640,8 @@ int wc_SipHash(const unsigned char* key, const unsigned char* in, word32 inSz,
return BAD_FUNC_ARG;
}

k0 = ((word64*)key)[0];
k1 = ((word64*)key)[1];
k0 = GET_U64(key + 0);
k1 = GET_U64(key + 8);
__asm__ __volatile__ (
"eor %[v0], %[v0], %[k0]\n\t"
"eor %[v1], %[v1], %[k1]\n\t"
Expand Down
18 changes: 8 additions & 10 deletions wolfcrypt/src/wc_mlkem_poly.c
Original file line number Diff line number Diff line change
Expand Up @@ -4375,13 +4375,16 @@ static int mlkem_get_noise_k4_avx2(MLKEM_PRF_T* prf, sword16* vec1,
*/
static void mlkem_get_noise_x3_eta2_aarch64(byte* rand, byte* seed, byte o)
{
word64* state = (word64*)rand;
word64 state[3 * 25];

state[0*25 + 4] = 0x1f00 + 0 + o;
state[1*25 + 4] = 0x1f00 + 1 + o;
state[2*25 + 4] = 0x1f00 + 2 + o;

mlkem_shake256_blocksx3_seed_neon(state, seed);
XMEMCPY(rand + 0 * 25 * 8, state + 0*25, ETA2_RAND_SIZE);
XMEMCPY(rand + 1 * 25 * 8, state + 1*25, ETA2_RAND_SIZE);
XMEMCPY(rand + 2 * 25 * 8, state + 2*25, ETA2_RAND_SIZE);
}

#if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
Expand Down Expand Up @@ -4442,10 +4445,7 @@ static void mlkem_get_noise_eta3_aarch64(byte* rand, byte* seed, byte o)
{
word64 state[25];

state[0] = ((word64*)seed)[0];
state[1] = ((word64*)seed)[1];
state[2] = ((word64*)seed)[2];
state[3] = ((word64*)seed)[3];
readUnalignedWords64(state, seed, 4);
state[4] = 0x1f00 + o;
XMEMSET(state + 5, 0, sizeof(*state) * (25 - 5));
state[16] = W64LIT(0x8000000000000000);
Expand Down Expand Up @@ -4510,17 +4510,15 @@ static int mlkem_get_noise_k2_aarch64(sword16* vec1, sword16* vec2,
*/
static void mlkem_get_noise_eta2_aarch64(byte* rand, byte* seed, byte o)
{
word64* state = (word64*)rand;
word64 state[25];

state[0] = ((word64*)seed)[0];
state[1] = ((word64*)seed)[1];
state[2] = ((word64*)seed)[2];
state[3] = ((word64*)seed)[3];
readUnalignedWords64(state, seed, 4);
/* Transposed value same as not. */
state[4] = 0x1f00 + o;
XMEMSET(state + 5, 0, sizeof(*state) * (25 - 5));
state[16] = W64LIT(0x8000000000000000);
BlockSha3(state);
XMEMCPY(rand, state, ETA2_RAND_SIZE);
}

/* Get the noise/error by calculating random bytes and sampling to a binomial
Expand Down
Loading
Loading