Merge pull request #10340 from JeremiahM37/fenrir-3

dgarske · web-flow · commit 15b10454bc13 · 2026-05-05T11:57:41.000-07:00
harden falcon key handling
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -9815,8 +9815,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
             return MEMORY_E;
 
         if (wc_falcon_init(falcon) == 0) {
-            tmpIdx = 0;
-            if (wc_falcon_set_level(falcon, 1) == 0) {
+            if ((*algoID == 0) && (wc_falcon_set_level(falcon, 1) == 0)) {
+                tmpIdx = 0;
                 if (wc_Falcon_PrivateKeyDecode(key, &tmpIdx, falcon, keySz)
                     == 0) {
                     *algoID = FALCON_LEVEL1k;
@@ -9825,7 +9825,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
                     WOLFSSL_MSG("Not Falcon Level 1 DER key");
                 }
             }
-            else if (wc_falcon_set_level(falcon, 5) == 0) {
+            if ((*algoID == 0) && (wc_falcon_set_level(falcon, 5) == 0)) {
+                tmpIdx = 0;
                 if (wc_Falcon_PrivateKeyDecode(key, &tmpIdx, falcon, keySz)
                     == 0) {
                     *algoID = FALCON_LEVEL5k;
@@ -9834,8 +9835,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
                     WOLFSSL_MSG("Not Falcon Level 5 DER key");
                 }
             }
-            else {
-                WOLFSSL_MSG("GetKeyOID falcon initialization failed");
+            if (*algoID == 0) {
+                WOLFSSL_MSG("GetKeyOID could not match Falcon DER key");
             }
             wc_falcon_free(falcon);
         }
diff --git a/wolfcrypt/src/falcon.c b/wolfcrypt/src/falcon.c
@@ -662,6 +662,14 @@ int wc_falcon_check_key(falcon_key* key)
         return BAD_FUNC_ARG;
     }
 
+    if ((key->level != 1) && (key->level != 5)) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (!key->pubKeySet || !key->prvKeySet) {
+        return PUBLIC_KEY_E;
+    }
+
     /* The public key is also decoded and stored within the private key buffer
      * behind the private key. Hence, we can compare both stored public keys. */
     if (key->level == 1) {

Original file line number	Diff line number	Diff line change
`@@ -9815,8 +9815,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,`
`9815`	`9815`	`return MEMORY_E;`
`9816`	`9816`
`9817`	`9817`	`if (wc_falcon_init(falcon) == 0) {`
`9818`		`- tmpIdx = 0;`
`9819`		`- if (wc_falcon_set_level(falcon, 1) == 0) {`
	`9818`	`+ if ((*algoID == 0) && (wc_falcon_set_level(falcon, 1) == 0)) {`
	`9819`	`+ tmpIdx = 0;`
`9820`	`9820`	`if (wc_Falcon_PrivateKeyDecode(key, &tmpIdx, falcon, keySz)`
`9821`	`9821`	`== 0) {`
`9822`	`9822`	`*algoID = FALCON_LEVEL1k;`
`@@ -9825,7 +9825,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,`
`9825`	`9825`	`WOLFSSL_MSG("Not Falcon Level 1 DER key");`
`9826`	`9826`	`}`
`9827`	`9827`	`}`
`9828`		`- else if (wc_falcon_set_level(falcon, 5) == 0) {`
	`9828`	`+ if ((*algoID == 0) && (wc_falcon_set_level(falcon, 5) == 0)) {`
	`9829`	`+ tmpIdx = 0;`
`9829`	`9830`	`if (wc_Falcon_PrivateKeyDecode(key, &tmpIdx, falcon, keySz)`
`9830`	`9831`	`== 0) {`
`9831`	`9832`	`*algoID = FALCON_LEVEL5k;`
`@@ -9834,8 +9835,8 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,`
`9834`	`9835`	`WOLFSSL_MSG("Not Falcon Level 5 DER key");`
`9835`	`9836`	`}`
`9836`	`9837`	`}`
`9837`		`- else {`
`9838`		`- WOLFSSL_MSG("GetKeyOID falcon initialization failed");`
	`9838`	`+ if (*algoID == 0) {`
	`9839`	`+ WOLFSSL_MSG("GetKeyOID could not match Falcon DER key");`
`9839`	`9840`	`}`
`9840`	`9841`	`wc_falcon_free(falcon);`
`9841`	`9842`	`}`