diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 29911ccfa20..6f951bc6763 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -14643,7 +14643,7 @@ int wc_AesKeyUnWrap_ex(Aes *aes, const byte* in, word32 inSz, byte* out,
 return ret;
 /* verify IV */
- if (XMEMCMP(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0)
+ if (ConstantCompare(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0)
 return BAD_KEYWRAP_IV_E;
 return (int)(inSz - KEYWRAP_BLOCK_SIZE);
@@ -16303,7 +16303,7 @@ static WARN_UNUSED_RESULT int AesSivCipher(
 WOLFSSL_MSG("S2V failed.");
 }
- if (XMEMCMP(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
+ if (ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
 WOLFSSL_MSG("Computed SIV doesn't match received SIV.");
 ret = AES_SIV_AUTH_E;
 }
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 3be5e33fb07..a0744e6ca8d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -487,7 +487,7 @@ static word32 SizeASNLength(word32 length)
 #define ALLOC_ASNSETDATA(name, cnt, err, heap) \
 do { \
 if ((err) == 0) { \
- (name) = (ASNSetData*)XMALLOC(sizeof(ASNGetData) * (cnt), (heap), \
+ (name) = (ASNSetData*)XMALLOC(sizeof(ASNSetData) * (cnt), (heap), \
 DYNAMIC_TYPE_TMP_BUFFER); \
 if ((name) == NULL) { \
 (err) = MEMORY_E; \
diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c
index f788c2ed643..8911b4d53d3 100644
--- a/wolfcrypt/src/chacha20_poly1305.c
+++ b/wolfcrypt/src/chacha20_poly1305.c
@@ -187,6 +187,8 @@ int wc_ChaCha20Poly1305_Init(ChaChaPoly_Aead* aead,
 aead->state = CHACHA20_POLY1305_STATE_READY;
 }
+ ForceZero(authKey, sizeof(authKey));
+
 return ret;
 }
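Review bot: In AesSivCipher the ConstantCompare on the new line is reached even when S2V has just failed, so its AES_SIV_AUTH_E overwrites the S2V error code and sivTmp may be compared before it was fully produced (the S2V call itself sits above the hunk). Guarding the compare with the status already in hand, `if (ret == 0 && ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {`, keeps the first failure visible; if folding every failure into AES_SIV_AUTH_E is intended, a one-line comment saying so would spare the next reader the same question. sivTmp is key-derived and is not cleared within the hunk; if it is not cleared later in the function it is a candidate for the ForceZero treatment this commit applies elsewhere. AesSivCipher begins and ends outside the hunk.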
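Review bot: The corrected size in ALLOC_ASNSETDATA is still written as a bare type name, which is exactly how the ASNGetData/ASNSetData mix-up got in; deriving it from the target pointer, `(name) = (ASNSetData*)XMALLOC(sizeof(*(name)) * (cnt), (heap), \`, makes the element size follow the variable so the allocation and the cast cannot drift apart again. The ASNGetData counterpart of this macro, outside the hunk, would benefit from the same spelling if it also names the type explicitly.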
@@ -332,25 +334,30 @@ int wc_XChaCha20Poly1305_Init(
 /* Create the Poly1305 key */
 if ((ret = wc_Chacha_Process(&aead->chacha, authKey, authKey, (word32)sizeof authKey)) < 0)
- return ret;
+ goto out;
 /* advance to start of the next ChaCha block. */
 wc_Chacha_purge_current_block(&aead->chacha);
 /* Initialize Poly1305 context */
 if ((ret = wc_Poly1305SetKey(&aead->poly, authKey, (word32)sizeof authKey)) < 0)
- return ret;
+ goto out;
 if ((ret = wc_Poly1305Update(&aead->poly, ad, (word32)ad_len)) < 0)
- return ret;
+ goto out;
 if ((ret = wc_Poly1305_Pad(&aead->poly, (word32)ad_len)) < 0)
- return ret;
+ goto out;
 aead->isEncrypt = isEncrypt ? 1 : 0;
 aead->state = CHACHA20_POLY1305_STATE_AAD;
- return 0;
+ ret = 0;
+
+out:
+ ForceZero(authKey, sizeof(authKey));
+ return ret;
 }
 static WC_INLINE int wc_XChaCha20Poly1305_crypt_oneshot(
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index d7acd0bdaff..721c52a1d5e 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -14484,6 +14484,8 @@ int wc_ecc_encrypt_ex(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 RESTORE_VECTOR_REGISTERS();
+ ForceZero(sharedSecret, sharedSz);
+ ForceZero(keys, (word32)keysLen);
 WC_FREE_VAR_EX(sharedSecret, ctx->heap, DYNAMIC_TYPE_ECC_BUFFER);
 WC_FREE_VAR_EX(keys, ctx->heap, DYNAMIC_TYPE_ECC_BUFFER);
@@ -14778,8 +14780,8 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 if (ret == 0)
 ret = wc_HmacFinal(hmac, verify);
- if ((ret == 0) && (XMEMCMP(verify, msg + msgSz - digestSz,
- digestSz) != 0)) {
+ if ((ret == 0) && (ConstantCompare(verify, msg + msgSz - digestSz,
+ (int)digestSz) != 0)) {
 ret = HASH_TYPE_E;
 WOLFSSL_MSG("ECC Decrypt HMAC Check failed!");
 }
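Review bot: The new `out:` exit clears the local authKey, but when wc_Poly1305Update or wc_Poly1305_Pad fails it leaves aead->poly keyed by the wc_Poly1305SetKey call that already succeeded, and aead->state is not reset, so a failed wc_XChaCha20Poly1305_Init hands back a context that still holds the derived one-time key. Clearing it on the failure path under the label, `if (ret != 0) ForceZero(&aead->poly, sizeof(aead->poly));`, placed after the existing ForceZero, would make the error exit as clean as the success exit; whether callers are required to discard the whole aead on error is not visible here. The start of the function is outside the hunk.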
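Review bot: `ForceZero(sharedSecret, sharedSz);` and `ForceZero(keys, (word32)keysLen);` run unconditionally in the common cleanup of wc_ecc_encrypt_ex, and under WOLFSSL_SMALL_STACK these buffers are heap objects released by WC_FREE_VAR_EX, so if an allocation failure can fall through to this point (the allocations are above the hunk) the new lines dereference a NULL pointer where the free presumably tolerated it; ForceZero, if it is the usual volatile byte-store loop, does not check for NULL. If such a path exists, guarding each call, `if (sharedSecret != NULL) ForceZero(sharedSecret, sharedSz);`, keeps the error exit safe; if every allocation failure returns before reaching here, a one-line comment saying so would settle it. The same question applies to the identical pattern added in wc_ecc_decrypt, wc_HpkeEncap, wc_HpkeDecap, wc_HpkeSetupBaseReceiver, wc_HpkeSealBase, wc_HpkeOpenBase and wc_PBKDF2_ex. wc_ecc_encrypt_ex begins and ends outside the hunk.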
@@ -14882,6 +14884,8 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 if (pubKey == peerKey)
 wc_ecc_free(peerKey);
 #endif
+ ForceZero(sharedSecret, sharedSz);
+ ForceZero(keys, (word32)keysLen);
 #ifdef WOLFSSL_SMALL_STACK
 #ifndef WOLFSSL_ECIES_OLD
 XFREE(peerKey, ctx->heap, DYNAMIC_TYPE_ECC_BUFFER);
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index dc14d4fe66f..cc2bb3a73b1 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -4952,7 +4952,7 @@ int wolfSSL_EVP_DigestVerifyFinal(WOLFSSL_EVP_MD_CTX *ctx,
 hashLen = wolfssl_mac_len(ctx->hash.hmac.macType);
- if (siglen > hashLen)
+ if (siglen > hashLen || siglen > INT_MAX)
 return WOLFSSL_FAILURE;
 /* May be a truncated signature. */
 }
@@ -4962,7 +4962,7 @@ int wolfSSL_EVP_DigestVerifyFinal(WOLFSSL_EVP_MD_CTX *ctx,
 if (ctx->isHMAC) {
 /* Check HMAC result matches the signature. */
- if (XMEMCMP(sig, digest, (size_t)siglen) == 0)
+ if (ConstantCompare(sig, digest, (int)siglen) == 0)
 return WOLFSSL_SUCCESS;
 return WOLFSSL_FAILURE;
 }
diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c
index 9f99f190ba9..e7b15db0a44 100644
--- a/wolfcrypt/src/hpke.c
+++ b/wolfcrypt/src/hpke.c
@@ -796,6 +796,8 @@ static int wc_HpkeEncap(Hpke* hpke, void* ephemeralKey, void* receiverKey,
 hpke->Npk * 2, sharedSecret);
 }
+ ForceZero(dh, hpke->Ndh);
+ ForceZero(kemContext, hpke->Npk * 2);
 WC_FREE_VAR_EX(dh, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 WC_FREE_VAR_EX(kemContext, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -816,6 +818,9 @@ static int wc_HpkeSetupBaseSender(Hpke* hpke, HpkeBaseContext* context,
 #ifdef WOLFSSL_SMALL_STACK
 sharedSecret = (byte*)XMALLOC(hpke->Nsecret, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
+ if (sharedSecret == NULL) {
+ return MEMORY_E;
+ }
 #endif
 /* encap */
@@ -827,6 +832,7 @@ static int wc_HpkeSetupBaseSender(Hpke* hpke, HpkeBaseContext* context,
 infoSz);
 }
+ ForceZero(sharedSecret, hpke->Nsecret);
 WC_FREE_VAR_EX(sharedSecret, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 return ret;
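Review bot: The widened check `siglen > hashLen || siglen > INT_MAX` still admits siglen == 0, and the HMAC branch in the next hunk then calls ConstantCompare with a length of 0, which compares nothing and yields WOLFSSL_SUCCESS for an empty signature; unless a check above the hunk already rejects it, the line should read `if (siglen == 0 || siglen > hashLen || siglen > INT_MAX)`. The "May be a truncated signature" comment also means the caller decides how many MAC bytes are compared, so a very short siglen gives a correspondingly weak verification; if truncation is intended, a minimum accepted length belongs in the same condition or at least in that comment. wolfSSL_EVP_DigestVerifyFinal begins before this hunk and ends after the second one.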
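Review bot: The NULL check after the WOLFSSL_SMALL_STACK XMALLOC of sharedSecret in wc_HpkeSetupBaseSender returns MEMORY_E directly, which is the right shape as long as nothing acquired earlier in the function (outside the hunk) needs releasing. wc_HpkeSetupBaseReceiver, whose hunk at 1058 shows only the cleanup, presumably has the same allocation and if so should get the matching `if (sharedSecret == NULL) { return MEMORY_E; }` so both setup paths fail identically instead of the receiver zeroing and freeing a NULL buffer.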
@@ -914,6 +920,7 @@ int wc_HpkeSealBase(Hpke* hpke, void* ephemeralKey, void* receiverKey,
 PRIVATE_KEY_LOCK();
+ ForceZero(context, sizeof(HpkeBaseContext));
 WC_FREE_VAR_EX(context, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 return ret;
@@ -1032,6 +1039,8 @@ static int wc_HpkeDecap(Hpke* hpke, void* receiverKey, const byte* pubKey,
 hpke->Npk * 2, sharedSecret);
 }
+ ForceZero(dh, hpke->Ndh);
+ ForceZero(kemContext, hpke->Npk * 2);
 WC_FREE_VAR_EX(dh, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 WC_FREE_VAR_EX(kemContext, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -1058,6 +1067,7 @@ static int wc_HpkeSetupBaseReceiver(Hpke* hpke, HpkeBaseContext* context,
 infoSz);
 }
+ ForceZero(sharedSecret, hpke->Nsecret);
 WC_FREE_VAR_EX(sharedSecret, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 return ret;
@@ -1144,6 +1154,7 @@ int wc_HpkeOpenBase(Hpke* hpke, void* receiverKey, const byte* pubKey,
 PRIVATE_KEY_LOCK();
+ ForceZero(context, sizeof(HpkeBaseContext));
 WC_FREE_VAR_EX(context, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 return ret;
diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c
index 93066a5e3fb..3edfd36830a 100644
--- a/wolfcrypt/src/pkcs12.c
+++ b/wolfcrypt/src/pkcs12.c
@@ -637,7 +637,13 @@ static int wc_PKCS12_verify(WC_PKCS12* pkcs12, byte* data, word32 dataSz,
 }
 #endif
- return XMEMCMP(digest, mac->digest, mac->digestSz);
+ if (ConstantCompare(digest, mac->digest, (int)mac->digestSz) != 0) {
+ ForceZero(digest, sizeof(digest));
+ return MAC_CMP_FAILED_E;
+ }
+
+ ForceZero(digest, sizeof(digest));
+ return 0;
 }
 int wc_PKCS12_verify_ex(WC_PKCS12* pkcs12, const byte* psw, word32 pswSz)
diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c
index d575eaa362d..5e212b5d6cc 100644
--- a/wolfcrypt/src/pwdbased.c
+++ b/wolfcrypt/src/pwdbased.c
@@ -152,6 +152,8 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
 WC_FREE_VAR_EX(hash, heap, DYNAMIC_TYPE_HASHCTX);
+ ForceZero(digest, sizeof(digest));
+
 if (err != 0)
 return err;
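Review bot: wc_PKCS12_verify now returns MAC_CMP_FAILED_E instead of the raw XMEMCMP result, and since the function is static every caller is in this file; wc_PKCS12_verify_ex (whose body follows the hunk) and any other caller that only tests for `!= 0` still see a mismatch, but one that propagated the value as a boolean or compared it against a specific memcmp result now receives an error code, so each call site deserves a look. The two ForceZero calls can also collapse into a single exit, `int rc = ConstantCompare(digest, mac->digest, (int)mac->digestSz) != 0 ? MAC_CMP_FAILED_E : 0;` then `ForceZero(digest, sizeof(digest)); return rc;`, which keeps the clearing on one line and harder to miss on a future path. Any return between the point digest is written and this hunk, outside the view, would still leave digest uncleared.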
@@ -294,6 +296,7 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
 wc_HmacFree(hmac);
 }
+ ForceZero(buffer, (word32)hLen);
 WC_FREE_VAR_EX(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);
 WC_FREE_VAR_EX(hmac, heap, DYNAMIC_TYPE_HMAC);
diff --git a/wolfcrypt/src/sakke.c b/wolfcrypt/src/sakke.c
index e59943506b7..97de612b8ec 100644
--- a/wolfcrypt/src/sakke.c
+++ b/wolfcrypt/src/sakke.c
@@ -6941,7 +6941,8 @@ int wc_DeriveSakkeSSV(SakkeKey* key, enum wc_HashType hashType, byte* ssv,
 err = sakke_compute_point_r(key, key->id, key->idSz, ri, n, test);
 }
- if ((err == 0) && (XMEMCMP(auth, test, (size_t)(2 * n + 1)) != 0)) {
+ /* n is word16, so 2*n+1 always fits in int */
+ if ((err == 0) && (ConstantCompare(auth, test, (int)(2 * n + 1)) != 0)) {
 err = SAKKE_VERIFY_FAIL_E;
 }
diff --git a/wolfcrypt/src/srp.c b/wolfcrypt/src/srp.c
index 9f2b416f13c..5f51d4f5eec 100644
--- a/wolfcrypt/src/srp.c
+++ b/wolfcrypt/src/srp.c
@@ -982,7 +982,7 @@ int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
 if (hashSize < 0)
 return ALGO_ID_E;
- if (size != (word32)hashSize)
+ if (size != (word32)hashSize || size > INT_MAX)
 return BUFFER_E;
 r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE ? &srp->server_proof
@@ -994,9 +994,11 @@ int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
 if (!r)
 r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
 }
- if (!r && XMEMCMP(proof, digest, size) != 0)
+ if (!r && ConstantCompare(proof, digest, (int)size) != 0)
 r = SRP_VERIFY_E;
+ ForceZero(digest, sizeof(digest));
+
 return r;
 }
diff --git a/wolfcrypt/src/wc_mlkem.c b/wolfcrypt/src/wc_mlkem.c
index 60a0850dc5a..11b4515875d 100644
--- a/wolfcrypt/src/wc_mlkem.c
+++ b/wolfcrypt/src/wc_mlkem.c
@@ -1205,6 +1205,8 @@ int wc_MlKemKey_EncapsulateWithRandom(MlKemKey* key, unsigned char* c,
 }
 #endif
+ ForceZero(kr, sizeof(kr));
+
 return ret;
 }
 #endif /* !WOLFSSL_MLKEM_NO_ENCAPSULATE */
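Review bot: The added `size > INT_MAX` clause in wc_SrpVerifyPeersProof can never be true: hashSize has just been rejected when `< 0`, and `size != (word32)hashSize` short-circuits unless size equals that non-negative int, so by the time the second clause runs size is already at most INT_MAX. Either drop the clause or replace it with a comment recording why the `(int)size` cast in the next hunk is safe, for example `/* size == hashSize, a non-negative int, so the cast to int below cannot truncate */` above the `ConstantCompare(proof, digest, (int)size)` line. The function starts outside the hunk.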
@@ -1541,6 +1543,9 @@ int wc_MlKemKey_Decapsulate(MlKemKey* key, unsigned char* ss,
 }
 #endif
+ ForceZero(msg, sizeof(msg));
+ ForceZero(kr, sizeof(kr));
+
 return ret;
 }
 #endif /* WOLFSSL_MLKEM_NO_DECAPSULATE */