Fenrir fixes #10632
Open
Frauschi wants to merge 7 commits into
Fixes F-5378
Fixes F-5379
Fixes F-4441 and F-4442
Fixes F-4443
Fixes F-5437 and F-5438
Fixes F-4891
Summary
This PR addresses a set of Fenrir-reported issues across wolfCrypt and the TLS layer. Each fix is accompanied by a regression test where applicable.
Fixes
Cipher key-state validation
- wc_Arc4Process() now refuses to run unless a key was configured via wc_Arc4SetKey(), preventing ARC4 from silently copying plaintext to ciphertext with an all-zero keystream.
- preventing DES3 operations from running with uninitialized or zeroed key material.

Sensitive-memory zeroization
- eccToPKCS8() now zeroizes the temporary buffer holding the plaintext ECC private key on every exit path via a consolidated goto exit cleanup.
- ForceZero() the private vectors (s1, s2, t, y, …) before freeing, while skipping the public matrix A that need not be cleared.

Post-quantum / hardware ports
- wolfSSL_liboqsGetRandomData() to advance the output buffer between chunks and guard against size_t → word32 truncation, avoiding overwritten output and a potential infinite loop on large requests.
- NitroxCheckRequests() and to pass the output-length argument with the expected Uint16* type in the RSA decrypt/verify paths, using a dedicated Uint16 temporary so the ntohs() conversion stays correct on big-endian hosts.

TLS supported_groups / ec_point_formats handling
- supported_groups parsing so an empty named-group list is rejected as malformed and an all-unsupported-groups list still records a (now empty) restriction instead of being treated as absent.
- illegal_parameter alert when the client's ec_point_formats extension omits the uncompressed format and an ECC cipher suite is actually negotiated; the check runs after suite selection (ssl->specs.kea) so a client that negotiates a non-ECC suite is not rejected.

Testing
Added regression tests for ARC4, DES3, supported_groups parsing, and the ec_point_formats enforcement — covering both the abort path when an ECC suite is negotiated (driven through a full handshake via memio) and the complementary case where a non-ECC (DHE_RSA) suite is negotiated and the handshake proceeds.
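The two TLS extension checks described under "TLS supported_groups / ec_point_formats handling", written out as an added stand-alone C example; this is not wolfSSL code and not part of the PR. It parses the wire body of each extension the way RFC 8446 / RFC 8422 lay it out: an empty supported_groups list is rejected as malformed, a list whose groups are all unsupported still yields a present-but-empty restriction rather than "no restriction", and a missing uncompressed point format is reported as an illegal parameter only when an ECC key exchange was actually selected. The return codes, the GroupRestriction struct, the kServerGroups table and the keaIsEcc flag are assumptions made for the example; the byte vectors in main() are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical status codes for the example (not wolfSSL's). */
#define EXT_OK             0
#define EXT_MALFORMED     -1  /* reject the ClientHello as malformed          */
#define EXT_ILLEGAL_PARAM -2  /* caller sends an illegal_parameter alert     */

/* Hypothetical table of groups this server is willing to use. */
static const uint16_t kServerGroups[] = { 0x0017 /* secp256r1 */, 0x001d /* x25519 */ };

typedef struct {
    int      present;     /* extension was offered at all                      */
    uint16_t groups[16];  /* offered groups that the server also supports      */
    size_t   count;       /* may legitimately be 0: an empty restriction, which
                             is different from the extension being absent     */
} GroupRestriction;

static int server_supports_group(uint16_t g)
{
    for (size_t i = 0; i < sizeof kServerGroups / sizeof kServerGroups[0]; i++)
        if (kServerGroups[i] == g) return 1;
    return 0;
}

/* Body of a supported_groups extension: uint16 list_length followed by
 * list_length bytes of uint16 NamedGroup ids (RFC 8446 4.2.7). A zero-length
 * list, an odd length, or a length that disagrees with the extension size is
 * malformed. Unsupported groups are dropped, and the restriction stays
 * "present" even when nothing survives. */
int parse_supported_groups(const uint8_t* ext, size_t len, GroupRestriction* out)
{
    memset(out, 0, sizeof *out);
    if (len < 2) return EXT_MALFORMED;
    size_t listLen = ((size_t)ext[0] << 8) | ext[1];
    if (listLen == 0 || (listLen & 1) || listLen + 2 != len) return EXT_MALFORMED;
    out->present = 1;
    for (size_t i = 2; i + 1 < len; i += 2) {
        uint16_t g = (uint16_t)((ext[i] << 8) | ext[i + 1]);
        if (server_supports_group(g) && out->count < 16) out->groups[out->count++] = g;
    }
    return EXT_OK;
}

/* Body of an ec_point_formats extension: uint8 list_length followed by that
 * many ECPointFormat bytes (RFC 8422 5.1.2). The uncompressed format (0) must
 * be present, but enforcing that only makes sense once an ECC key exchange has
 * been selected, so the caller passes the post-suite-selection decision in. */
int check_ec_point_formats(const uint8_t* ext, size_t len, int keaIsEcc)
{
    if (len < 1) return EXT_MALFORMED;
    size_t listLen = ext[0];
    if (listLen == 0 || listLen + 1 != len) return EXT_MALFORMED;
    if (!keaIsEcc) return EXT_OK;  /* non-ECC suite negotiated: nothing to enforce */
    for (size_t i = 1; i < len; i++)
        if (ext[i] == 0) return EXT_OK;
    return EXT_ILLEGAL_PARAM;
}

int main(void)
{
    /* Constructed extension bodies. */
    const uint8_t sgEmpty[]    = { 0x00, 0x00 };                  /* zero-length list  */
    const uint8_t sgUnsup[]    = { 0x00, 0x02, 0x01, 0x00 };      /* only ffdhe2048     */
    const uint8_t pfNoUncomp[] = { 0x01, 0x01 };                  /* ansiX962_compressed_prime only */
    GroupRestriction r;

    printf("empty supported_groups -> %d (malformed)\n", parse_supported_groups(sgEmpty, sizeof sgEmpty, &r));
    parse_supported_groups(sgUnsup, sizeof sgUnsup, &r);
    printf("all-unsupported list -> present=%d count=%zu\n", r.present, r.count);
    printf("no uncompressed, ECC suite -> %d (illegal_parameter)\n", check_ec_point_formats(pfNoUncomp, sizeof pfNoUncomp, 1));
    printf("no uncompressed, DHE suite -> %d (ok)\n", check_ec_point_formats(pfNoUncomp, sizeof pfNoUncomp, 0));
    return 0;
}
```

The "present but empty" distinction is the part that matters for key-share selection: a server that treats an all-unsupported list as absent will fall back to its own default group list, which is exactly the restriction the client was trying to express.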
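The chunked random-fill defect described under "Post-quantum / hardware ports" (output pointer not advanced between chunks, and size_t narrowed to word32 before clamping), shown as an added C example that is not wolfSSL or liboqs code. The corrected loop clamps the remaining length to a chunk before narrowing and advances the output pointer; the defective loop is kept beside it only to make the overwritten-output symptom visible. FakeRng, backend_generate(), RNG_CHUNK_MAX and the function names are assumptions made for the example; the back end emits a running counter instead of random bytes so the result is checkable offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t word32;

/* Constructed stand-in for the real RNG back end so the example runs offline:
 * it emits a running counter, which makes it visible where each chunk landed. */
typedef struct { uint8_t ctr; } FakeRng;

static int backend_generate(FakeRng* rng, uint8_t* out, word32 n)
{
    for (word32 i = 0; i < n; i++) out[i] = rng->ctr++;
    return 0;
}

/* Hypothetical per-call limit of the back end (kept tiny for illustration). */
#define RNG_CHUNK_MAX ((word32)64)

/* Clamp the remaining request to one chunk BEFORE narrowing size_t -> word32.
 * Narrowing first can wrap a large request to a small or zero count, and a
 * zero-length chunk never makes progress, so the loop would never terminate. */
static word32 clamp_chunk(size_t remaining)
{
    return (remaining > RNG_CHUNK_MAX) ? RNG_CHUNK_MAX : (word32)remaining;
}

/* Corrected loop: the output pointer advances with every chunk. */
int fill_random(FakeRng* rng, uint8_t* out, size_t len)
{
    while (len > 0) {
        word32 chunk = clamp_chunk(len);
        if (backend_generate(rng, out, chunk) != 0) return -1;
        out += chunk;
        len -= chunk;
    }
    return 0;
}

/* Defective loop, kept only for comparison: same chunking, but `out` is never
 * advanced, so every chunk overwrites the start of the buffer and the tail is
 * left untouched (whatever the caller had there is then consumed as "random"). */
int fill_random_no_advance(FakeRng* rng, uint8_t* out, size_t len)
{
    while (len > 0) {
        word32 chunk = clamp_chunk(len);
        if (backend_generate(rng, out, chunk) != 0) return -1;
        len -= chunk;
    }
    return 0;
}

int main(void)
{
    uint8_t good[150], bad[150];
    FakeRng a = {0}, b = {0};
    memset(good, 0xAA, sizeof good);  /* 0xAA marks bytes that were never written */
    memset(bad, 0xAA, sizeof bad);
    fill_random(&a, good, sizeof good);
    fill_random_no_advance(&b, bad, sizeof bad);
    printf("fixed:  byte[149] = 0x%02x (counter reached it)\n", good[149]);
    printf("buggy:  byte[149] = 0x%02x (still the 0xAA fill)\n", bad[149]);
    return 0;
}
```

A 150-byte request spans three chunks (64, 64, 22); with the fix every byte is written exactly once, while the defective loop leaves bytes 64..149 untouched and stacks all three chunks on bytes 0..63.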