Fenrir fixes

.github/workflows/haproxy.yml

@@ -72,7 +72,7 @@ jobs:
 
     - name: Download haproxy if needed
       if: steps.cache-haproxy.outputs.cache-hit != 'true'
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         repository: haproxy/haproxy
         ref: ${{matrix.haproxy_ref}}

.github/workflows/msys2.yml

@@ -20,7 +20,7 @@ jobs:
       run:
         shell: msys2 {0}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: msys2/setup-msys2@v2
         with:
           msystem: msys

.github/workflows/threadx.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
     - name: Cache NetXDuo bundle
       id: cache-netxduo
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ./v6.4.3_rel.tar.gz
         key: netxduo-bundle-v6.4.3_rel

src/internal.c

@@ -7956,7 +7956,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
             (unsigned long)wolfSSL_X509_VERIFY_PARAM_get_flags(
             wolfSSL_CTX_get0_param(ctx))) != WOLFSSL_SUCCESS) {
             WOLFSSL_MSG("ssl->param set flags error");
-            return WOLFSSL_FAILURE;
+            return BAD_STATE_E;
         }
 #endif
 
@@ -8106,7 +8106,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     if (ctx->quic.method) {
         ret = wolfSSL_set_quic_method(ssl, ctx->quic.method);
         if (ret != WOLFSSL_SUCCESS)
-            return ret;
+            return WOLFSSL_FATAL_ERROR;
     }
 #endif
 
@@ -14957,6 +14957,7 @@ int LoadCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type)
     #elif !defined(NO_SHA)
         retHash = wc_ShaHash((const byte*)pbuf, (word32)len, dgt);
     #endif
+        wolfSSL_OPENSSL_free(pbuf);
         if (retHash == 0) {
             /* 4 bytes in little endian as unsigned long */
             hash = (((unsigned long)dgt[3] << 24) |
@@ -14967,7 +14968,6 @@ int LoadCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type)
             WOLFSSL_MSG("failed hash operation");
             return WOLFSSL_FAILURE;
         }
-        wolfSSL_OPENSSL_free(pbuf);
     }
 
     /* try to load each hashed name file in path */

src/pk_rsa.c

@@ -3899,7 +3899,7 @@ int wolfSSL_RSA_GenAdd(WOLFSSL_RSA* rsa)
         }
     }
 
-    mp_clear(t);
+    mp_forcezero(t);
 
 #ifdef WOLFSSL_SMALL_STACK
     if (rsa != NULL) {

src/ssl_sess.c

@@ -2930,24 +2930,33 @@ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess,
 #endif
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
 #ifdef WOLFSSL_TLS13
-    if (i - idx < (OPAQUE32_LEN * 2)) {
+
+#ifdef WOLFSSL_32BIT_MILLI_TIME
+    if (i - idx < OPAQUE32_LEN) {
         ret = BUFFER_ERROR;
         goto end;
     }
-#ifdef WOLFSSL_32BIT_MILLI_TIME
     ato32(data + idx, &s->ticketSeen);
     idx += OPAQUE32_LEN;
 #else
+    if (i - idx < (OPAQUE32_LEN * 2)) {
+        ret = BUFFER_ERROR;
+        goto end;
+    }
     {
         word32 seenHi, seenLo;
-
         ato32(data + idx, &seenHi);
         idx += OPAQUE32_LEN;
         ato32(data + idx, &seenLo);
         idx += OPAQUE32_LEN;
         s->ticketSeen = ((sword64)seenHi << 32) + seenLo;
     }
 #endif
+
+    if (i - idx < OPAQUE32_LEN) {
+        ret = BUFFER_ERROR;
+        goto end;
+    }
     ato32(data + idx, &s->ticketAdd);
     idx += OPAQUE32_LEN;
     if (i - idx < OPAQUE8_LEN) {

tests/api.c

@@ -33615,14 +33615,13 @@ int test_wc_LmsKey_reload_cache(void);
 static int test_lms_write_key(const byte* priv, word32 privSz, void* context)
 {
     FILE* f = fopen((const char*)context, "wb");
+    int ret = WC_LMS_RC_SAVED_TO_NV_MEMORY;
     if (f == NULL)
         return -1;
-    if (fwrite(priv, 1, privSz, f) != privSz) {
-        fclose(f);
-        return -1;
-    }
+    if (fwrite(priv, 1, privSz, f) != privSz)
+        ret = -1;
     fclose(f);
-    return WC_LMS_RC_SAVED_TO_NV_MEMORY;
+    return ret;
 }
 
 static int test_lms_read_key(byte* priv, word32 privSz, void* context)

wolfcrypt/src/asn.c

@@ -9491,14 +9491,15 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
         if (rsa == NULL)
             return MEMORY_E;
 
-        wc_InitRsaKey(rsa, heap);
-        if (wc_RsaPrivateKeyDecode(key, &tmpIdx, rsa, keySz) == 0) {
-            *algoID = RSAk;
-        }
-        else {
-            WOLFSSL_MSG("Not RSA DER key");
+        if (wc_InitRsaKey(rsa, heap) == 0) {
+            if (wc_RsaPrivateKeyDecode(key, &tmpIdx, rsa, keySz) == 0) {
+                *algoID = RSAk;
+            }
+            else {
+                WOLFSSL_MSG("Not RSA DER key");
+            }
+            wc_FreeRsaKey(rsa);
         }
-        wc_FreeRsaKey(rsa);
         XFREE(rsa, heap, DYNAMIC_TYPE_TMP_BUFFER);
     }
     #endif /* !NO_RSA && !NO_ASN_CRYPT */
@@ -9509,22 +9510,23 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
             return MEMORY_E;
 
         tmpIdx = 0;
-        wc_ecc_init_ex(ecc, heap, INVALID_DEVID);
-        if (wc_EccPrivateKeyDecode(key, &tmpIdx, ecc, keySz) == 0) {
-            *algoID = ECDSAk;
-
-            /* now find oid */
-            if (wc_ecc_get_oid(ecc->dp->oidSum, curveOID, oidSz) < 0) {
-                WOLFSSL_MSG("Error getting ECC curve OID");
-                wc_ecc_free(ecc);
-                XFREE(ecc, heap, DYNAMIC_TYPE_TMP_BUFFER);
-                return BAD_FUNC_ARG;
+        if (wc_ecc_init_ex(ecc, heap, INVALID_DEVID) == 0) {
+            if (wc_EccPrivateKeyDecode(key, &tmpIdx, ecc, keySz) == 0) {
+                *algoID = ECDSAk;
+
+                /* now find oid */
+                if (wc_ecc_get_oid(ecc->dp->oidSum, curveOID, oidSz) < 0) {
+                    WOLFSSL_MSG("Error getting ECC curve OID");
+                    wc_ecc_free(ecc);
+                    XFREE(ecc, heap, DYNAMIC_TYPE_TMP_BUFFER);
+                    return BAD_FUNC_ARG;
+                }
             }
+            else {
+                WOLFSSL_MSG("Not ECC DER key either");
+            }
+            wc_ecc_free(ecc);
         }
-        else {
-            WOLFSSL_MSG("Not ECC DER key either");
-        }
-        wc_ecc_free(ecc);
         XFREE(ecc, heap, DYNAMIC_TYPE_TMP_BUFFER);
     }
 #endif /* HAVE_ECC && !NO_ASN_CRYPT */

wolfcrypt/src/dh.c

@@ -1465,7 +1465,7 @@ static int wc_DhGenerateKeyPair_Async(DhKey* key, WC_RNG* rng,
         if (ret == MP_OKAY)
             ret = IntelQaDhKeyGen(&key->asyncDev, &key->p.raw, &key->g.raw,
                 &x.raw, pub, pubSz);
-        mp_clear(&x);
+        mp_forcezero(&x);
 
         return ret;
     }

wolfcrypt/src/dilithium.c

@@ -8026,6 +8026,7 @@ static int dilithium_make_key(dilithium_key* key, WC_RNG* rng)
         ret = wc_dilithium_make_key_from_seed(key, seed);
     }
 
+    ForceZero(seed, sizeof(seed));
     return ret;
 }
 #endif /* !WOLFSSL_DILITHIUM_NO_MAKE_KEY */

wolfcrypt/src/eccsi.c

@@ -68,8 +68,6 @@ int wc_InitEccsiKey_ex(EccsiKey* key, int keySz, int curveId, void* heap,
         int devId)
 {
     int err = 0;
-    ecc_key* ecc = NULL;
-    ecc_key* pubkey = NULL;
     EccsiKeyParams* params = NULL;
 
     if (key == NULL) {
@@ -84,7 +82,6 @@ int wc_InitEccsiKey_ex(EccsiKey* key, int keySz, int curveId, void* heap,
         err = wc_ecc_init_ex(&key->ecc, heap, devId);
     }
     if (err == 0) {
-        ecc = &key->ecc;
         err = wc_ecc_init_ex(&key->pubkey, heap, devId);
     }
     if (err == 0) {
@@ -94,7 +91,6 @@ int wc_InitEccsiKey_ex(EccsiKey* key, int keySz, int curveId, void* heap,
         }
     }
     if (err == 0) {
-        pubkey = &key->pubkey;
         err = mp_init_multi(&params->order,
 #ifdef WOLFCRYPT_ECCSI_CLIENT
                 &params->a, &params->b, &params->prime, &key->tmp, &key->ssk
@@ -111,8 +107,7 @@ int wc_InitEccsiKey_ex(EccsiKey* key, int keySz, int curveId, void* heap,
     }
 
     if (err != 0) {
-        wc_ecc_free(pubkey);
-        wc_ecc_free(ecc);
+        wc_FreeEccsiKey(key);
     }
 
     return err;

wolfcrypt/src/ed25519.c

@@ -416,26 +416,21 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
     /* step 1: create nonce to use where nonce is r in
        r = H(h_b, ... ,h_2b-1,M) */
     ret = ed25519_hash(key, key->k, ED25519_KEY_SIZE, az);
-    if (ret != 0)
-        return ret;
 
-    /* apply clamp */
-    az[0]  &= 248;
-    az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */
-    az[31] |= 64;
-
-    {
+    if (ret == 0) {
 #ifdef WOLFSSL_ED25519_PERSISTENT_SHA
         wc_Sha512 *sha = &key->sha;
 #else
         wc_Sha512 sha[1];
         ret = ed25519_hash_init(key, sha);
-        if (ret < 0) {
-            return ret;
-        }
 #endif
 
-        if (type == Ed25519ctx || type == Ed25519ph) {
+        /* apply clamp */
+        az[0]  &= 248;
+        az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */
+        az[31] |= 64;
+
+        if (ret == 0 && (type == Ed25519ctx || type == Ed25519ph)) {
             ret = ed25519_hash_update(key, sha, ed25519Ctx, ED25519CTX_SIZE);
             if (ret == 0)
                 ret = ed25519_hash_update(key, sha, &type, sizeof(type));
@@ -457,39 +452,36 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
 #endif
     }
 
-    if (ret != 0)
-        return ret;
-
+    if (ret == 0) {
 #ifdef FREESCALE_LTC_ECC
-    ltcPoint.X = &tempBuf[0];
-    ltcPoint.Y = &tempBuf[32];
-    LTC_PKHA_sc_reduce(nonce);
-    LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), nonce,
-           ED25519_KEY_SIZE, &ltcPoint, kLTC_Ed25519 /* result on Ed25519 */);
-    LTC_PKHA_Ed25519_Compress(&ltcPoint, out);
+        ltcPoint.X = &tempBuf[0];
+        ltcPoint.Y = &tempBuf[32];
+        LTC_PKHA_sc_reduce(nonce);
+        LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), nonce,
+               ED25519_KEY_SIZE, &ltcPoint,
+               kLTC_Ed25519 /* result on Ed25519 */);
+        LTC_PKHA_Ed25519_Compress(&ltcPoint, out);
 #else
-    sc_reduce(nonce);
+        sc_reduce(nonce);
 
-    /* step 2: computing R = rB where rB is the scalar multiplication of
-       r and B */
-    ge_scalarmult_base(&R,nonce);
-    ge_p3_tobytes(out,&R);
+        /* step 2: computing R = rB where rB is the scalar multiplication of
+           r and B */
+        ge_scalarmult_base(&R,nonce);
+        ge_p3_tobytes(out,&R);
 #endif
+    }
 
     /* step 3: hash R + public key + message getting H(R,A,M) then
        creating S = (r + H(R,A,M)a) mod l */
-    {
+    if (ret == 0) {
 #ifdef WOLFSSL_ED25519_PERSISTENT_SHA
         wc_Sha512 *sha = &key->sha;
 #else
         wc_Sha512 sha[1];
-
         ret = ed25519_hash_init(key, sha);
-        if (ret < 0)
-            return ret;
 #endif
 
-        if (type == Ed25519ctx || type == Ed25519ph) {
+        if (ret == 0 && (type == Ed25519ctx || type == Ed25519ph)) {
             ret = ed25519_hash_update(key, sha, ed25519Ctx, ED25519CTX_SIZE);
             if (ret == 0)
                 ret = ed25519_hash_update(key, sha, &type, sizeof(type));
@@ -512,20 +504,22 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
 #endif
     }
 
-    if (ret != 0)
-        return ret;
-
+    if (ret == 0) {
 #ifdef FREESCALE_LTC_ECC
-    LTC_PKHA_sc_reduce(hram);
-    LTC_PKHA_sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
+        LTC_PKHA_sc_reduce(hram);
+        LTC_PKHA_sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
 #else
-    sc_reduce(hram);
-    sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
+        sc_reduce(hram);
+        sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
 #endif
+    }
+
+    ForceZero(az, sizeof(az));
+    ForceZero(nonce, sizeof(nonce));
 #endif /* WOLFSSL_SE050 */
 
 #ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
-    {
+    if (ret == 0) {
         int  i;
         byte c = 0;
         for (i = 0; i < ED25519_KEY_SIZE; i++) {