Merge pull request #10413 from JeremiahM37/fenrir-7

zeroize sensitive memory and validate public API inputs

Author: dgarske

tests/api.c

@@ -12119,6 +12119,19 @@ static int test_wc_PemToDer(void)
             XFREE(cert_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     }
 #endif
+    /* NULL buff, zero size, and negative size must be rejected up front. The
+     * pre-fix code cast longSz to word32, so a negative value drove an
+     * over-read inside PemToDer. */
+    {
+        const byte stub[] = "x";
+        DerBuffer* badDer = NULL;
+        ExpectIntEQ(wc_PemToDer(NULL, 100, CERT_TYPE, &badDer, NULL, &info,
+            &eccKey), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+        ExpectIntEQ(wc_PemToDer(stub, 0, CERT_TYPE, &badDer, NULL, &info,
+            &eccKey), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+        ExpectIntEQ(wc_PemToDer(stub, -1, CERT_TYPE, &badDer, NULL, &info,
+            &eccKey), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    }
 #endif
     return EXPECT_RESULT();
 }

tests/api/test_camellia.c

@@ -107,6 +107,38 @@ int test_wc_CamelliaSetIV(void)
     return EXPECT_RESULT();
 } /* END test_wc_CamelliaSetIV*/
 
+/*
+ * Test wc_CamelliaFree zeroes the key schedule and is NULL safe.
+ */
+int test_wc_CamelliaFree(void)
+{
+    EXPECT_DECLS;
+#ifdef HAVE_CAMELLIA
+    wc_Camellia camellia;
+    static const byte key[] = {
+        0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+        0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10
+    };
+    static const byte iv[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+    };
+    byte zero[sizeof(camellia)];
+
+    XMEMSET(zero, 0, sizeof(zero));
+
+    /* NULL is safe. */
+    wc_CamelliaFree(NULL);
+
+    /* After SetKey the schedule is populated; Free must wipe it. */
+    ExpectIntEQ(wc_CamelliaSetKey(&camellia, key, (word32)sizeof(key), iv), 0);
+    ExpectIntNE(XMEMCMP(&camellia, zero, sizeof(camellia)), 0);
+    wc_CamelliaFree(&camellia);
+    ExpectIntEQ(XMEMCMP(&camellia, zero, sizeof(camellia)), 0);
+#endif
+    return EXPECT_RESULT();
+} /* END test_wc_CamelliaFree */
+
 /*
  * Test wc_CamelliaEncryptDirect and wc_CamelliaDecryptDirect
  */

tests/api/test_camellia.h

@@ -26,13 +26,15 @@
 
 int test_wc_CamelliaSetKey(void);
 int test_wc_CamelliaSetIV(void);
+int test_wc_CamelliaFree(void);
 int test_wc_CamelliaEncryptDecryptDirect(void);
 int test_wc_CamelliaCbcEncryptDecrypt(void);
 int test_wc_CamelliaCbc_MonteCarlo(void);
 
 #define TEST_CAMELLIA_DECLS                                             \
     TEST_DECL_GROUP("camellia", test_wc_CamelliaSetKey),                \
     TEST_DECL_GROUP("camellia", test_wc_CamelliaSetIV),                 \
+    TEST_DECL_GROUP("camellia", test_wc_CamelliaFree),                  \
     TEST_DECL_GROUP("camellia", test_wc_CamelliaEncryptDecryptDirect),  \
     TEST_DECL_GROUP("camellia", test_wc_CamelliaCbcEncryptDecrypt),     \
     TEST_DECL_GROUP("camellia", test_wc_CamelliaCbc_MonteCarlo)

tests/api/test_pkcs7.c

@@ -5028,6 +5028,14 @@ int test_wc_PKCS7_DecodeCompressedData(void)
     ExpectNotNull(decompressed);
     ExpectIntEQ(XMEMCMP(decompressed, cert_buf, cert_sz), 0);
     XFREE(decompressed, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    decompressed = NULL;
+
+    /* inSz that would overflow on the initial 'tmpSz = inSz * 2' must be
+     * rejected up front rather than handed to XMALLOC. */
+    ExpectIntEQ(wc_DeCompressDynamic(&decompressed, -1, DYNAMIC_TYPE_TMP_BUFFER,
+        out, ((word32)INT_MAX / 2) + 1, 0, heap),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectNull(decompressed);
 
     if (cert_buf != NULL)
         XFREE(cert_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);

wolfcrypt/src/asn.c

@@ -24806,7 +24806,14 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 int wc_PemToDer(const unsigned char* buff, long longSz, int type,
               DerBuffer** pDer, void* heap, EncryptedInfo* info, int* keyFormat)
 {
-    int ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
+    int ret;
+
+    if (buff == NULL || longSz <= 0) {
+        WOLFSSL_MSG("Bad pem der args");
+        return BAD_FUNC_ARG;
+    }
+
+    ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
 #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
     if (ret == 0 && type == PRIVATEKEY_TYPE) {
         DerBuffer* der = *pDer;

wolfcrypt/src/camellia.c

@@ -1634,5 +1634,13 @@ int wc_CamelliaCbcDecrypt(wc_Camellia* cam, byte* out, const byte* in, word32 sz
 }
 
 
+void wc_CamelliaFree(wc_Camellia* cam)
+{
+    if (cam == NULL)
+        return;
+    ForceZero(cam, sizeof(wc_Camellia));
+}
+
+
 #endif /* HAVE_CAMELLIA */
 

wolfcrypt/src/compress.c

@@ -221,6 +221,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
     if (out == NULL || in == NULL) {
         return BAD_FUNC_ARG;
     }
+    /* Cap input so the initial doubling and additive growth in the loop
+     * cannot overflow word32 or the int return type. */
+    if (inSz > (word32)(INT_MAX / 2)) {
+        return BAD_FUNC_ARG;
+    }
     i = (maxSz == 1)? 1 : 2; /* start with output buffer twice the size of input
                               * unless max was set to 1 */
 
@@ -229,7 +234,7 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
     /* Check for source > 64K on 16-bit machine: */
     if ((uLong)stream.avail_in != inSz) return DECOMPRESS_INIT_E;
 
-    tmpSz = inSz * i;
+    tmpSz = inSz * (word32)i;
     tmp = (byte*)XMALLOC(tmpSz, heap, memoryType);
     if (tmp == NULL)
         return MEMORY_E;
@@ -278,6 +283,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
             }
             i++;
 
+            if (tmpSz > (word32)INT_MAX - inSz) {
+                WOLFSSL_MSG("Decompress buffer would exceed INT_MAX");
+                result = DECOMPRESS_E;
+                break;
+            }
             newSz = tmpSz + inSz;
             newTmp = (byte*)XMALLOC(newSz, heap, memoryType);
             if (newTmp == NULL) {
@@ -295,13 +305,18 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
     } while (result == Z_OK);
 
     if (result == Z_STREAM_END) {
-        result = (int)stream.total_out;
-        *out   = (byte*)XMALLOC(result, heap, memoryType);
-        if (*out != NULL) {
-            XMEMCPY(*out, tmp, result);
+        if (stream.total_out > (uLong)INT_MAX) {
+            result = DECOMPRESS_E;
         }
         else {
-            result = MEMORY_E;
+            result = (int)stream.total_out;
+            *out   = (byte*)XMALLOC(result, heap, memoryType);
+            if (*out != NULL) {
+                XMEMCPY(*out, tmp, result);
+            }
+            else {
+                result = MEMORY_E;
+            }
         }
     }
     else {

wolfcrypt/src/curve25519.c

@@ -250,7 +250,7 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
     for (cnt = 0; cnt < WOLFSSL_CURVE25519_BLINDING_RAND_CNT; cnt++) {
         ret = wc_RNG_GenerateBlock(rng, rz, sizeof(rz));
         if (ret < 0) {
-            return ret;
+            goto cleanup;
         }
         for (i = CURVE25519_KEYSIZE - 1; i >= 0; i--) {
             if (rz[i] != 0xff)
@@ -261,13 +261,14 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
         }
     }
     if (cnt == WOLFSSL_CURVE25519_BLINDING_RAND_CNT) {
-        return RNG_FAILURE_E;
+        ret = RNG_FAILURE_E;
+        goto cleanup;
     }
 
     /* Generate 253 random bits. */
     ret = wc_RNG_GenerateBlock(rng, a, sizeof(a));
     if (ret != 0)
-        return ret;
+        goto cleanup;
     a[CURVE25519_KEYSIZE-1] &= 0x7f;
     /* k' = k ^ 2k ^ a */
     n_a[0] = n[0] ^ (byte)(n[0] << 1) ^ a[0];
@@ -281,6 +282,11 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
     /* Scalar multiple blinded scalar with blinding value. */
     ret = curve25519_blind(rp, n_a, a, p, rz);
 
+cleanup:
+    ForceZero(a, sizeof(a));
+    ForceZero(n_a, sizeof(n_a));
+    ForceZero(rz, sizeof(rz));
+
     RESTORE_VECTOR_REGISTERS();
 
     return ret;

wolfcrypt/src/ed25519.c

@@ -548,6 +548,7 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
         }
         ret = ctMaskGT(c, 0) & SIG_VERIFY_E;
     }
+    ForceZero(orig_k, sizeof(orig_k));
 #endif
 
     return ret;

wolfcrypt/src/ed448.c

@@ -505,6 +505,7 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
         }
         ret = ctMaskGT(c, 0) & SIG_VERIFY_E;
     }
+    ForceZero(orig_k, sizeof(orig_k));
 #endif
 
     ForceZero(az, sizeof(az));