From 95c177b44176daeedae0d5ea734b65e3007a53bf Mon Sep 17 00:00:00 2001
From: Mattia Moffa
Date: Wed, 15 Apr 2026 04:43:08 +0200
Subject: [PATCH 1/2] Set MAX_ENCODED_SIG_SZ to FP_MAX_BITS / 16 rather than / 8

FP_MAX_BITS is the largest possible size of any intermediate operand. RSA requires multiplying together integers with the size of signatures (N), resulting in a size of 2N. So we must assume FP_MAX_BITS is 2N, not N (in bits: 16N, not 8N).
---
 wolfssl/wolfcrypt/types.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index ec1e87a00b4..6de84227c14 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -2315,7 +2315,7 @@ enum Max_ASN {
 MAX_ENCODED_SIG_SZ = 5120,
 #elif !defined(NO_RSA)
 #if defined(USE_FAST_MATH) && defined(FP_MAX_BITS)
- MAX_ENCODED_SIG_SZ = FP_MAX_BITS / 8,
+ MAX_ENCODED_SIG_SZ = FP_MAX_BITS / 16,
 #elif (defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) && \
 defined(SP_INT_BITS)
 MAX_ENCODED_SIG_SZ = WC_BITS_TO_BYTES(SP_INT_BITS),

From bd3cf10270cf68ded80e0555f798961edffc7008 Mon Sep 17 00:00:00 2001
From: Mattia Moffa
Date: Wed, 15 Apr 2026 12:39:49 +0200
Subject: [PATCH 2/2] DTLS export: cap IV size at buffer size

ExportKeyState was writing ssl->specs.iv_size bytes from keys->aead_enc_imp_IV (always sized AEAD_MAX_IMP_SZ). ssl->specs.iv_size carries a different meaning depending on the cipher suite: in AEAD suites it's the implicit IV / nonce size, but in CBC it's the block cipher's IV size (16). In CBC this overran the size of aead_enc_imp_IV (12).
---
 src/internal.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index a0618516694..7b2ee5c528c 100644
--- a/src/internal.c
+++ b/src/internal.c
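Review bot: The new divisor needs a comment at the point of use, because the `#elif` branch two lines below derives the same enum from SP_INT_BITS with WC_BITS_TO_BYTES (a plain /8) and nothing in the header says why FP_MAX_BITS is divided by 16 instead; the rationale currently lives only in the commit message. Suggested line above the assignment: `/* FP_MAX_BITS must hold a 2N-bit RSA product, so an N-bit signature is FP_MAX_BITS / 16 bytes */`. One caveat worth recording in the release notes: a build that configured FP_MAX_BITS to the key size rather than twice the key size now gets a MAX_ENCODED_SIG_SZ half as large as before, and signatures that previously fit will presumably be rejected as too large. The enclosing `enum Max_ASN` starts and ends outside the hunk.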
@@ -1000,7 +1000,9 @@ static int ExportKeyState(WOLFSSL* ssl, byte* exp, word32 len, byte ver,
 XMEMCPY(exp + idx, keys->aead_exp_IV, AEAD_MAX_EXP_SZ);
 idx += AEAD_MAX_EXP_SZ;
- sz = (small)? 0: ssl->specs.iv_size;
+ sz = (small) ? 0 :
+ (ssl->specs.iv_size > AEAD_MAX_IMP_SZ ? AEAD_MAX_IMP_SZ
+ : ssl->specs.iv_size);
 if (idx + (sz * 2) + OPAQUE8_LEN > len) {
 WOLFSSL_MSG("Buffer not large enough for imp IVs");
 return BUFFER_E;
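Review bot: The cap closes the over-read on the export side, but the serialized layout has to be consumed the same way on the import side: if ImportKeyState (not in this patch) still reads `ssl->specs.iv_size` bytes for the implicit IVs, an export from a CBC session now carries 12 bytes per IV where the importer expects 16, and whatever follows would presumably be parsed from the wrong offset. Please confirm the import path applies the identical clamp, or that a length field covers these IVs. Since the commit message says iv_size is not an AEAD implicit IV at all for CBC suites, the clamp also deserves a comment so the next reader does not "simplify" it away, e.g. `/* iv_size is the CBC block IV size for non-AEAD suites; aead_enc_imp_IV only holds AEAD_MAX_IMP_SZ bytes */`. ExportKeyState starts before the hunk and continues after it.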