Skip to content

Zeroizations, code reinforcements, ECC key size fixes #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dgarske merged 17 commits into from
Mar 16, 2026
Merged

Zeroizations, code reinforcements, ECC key size fixes #6

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
aec0647
Zeroize key data before freeing
danielinux Mar 16, 2026
f1e9958
Zeroize volatile keys on destroy
danielinux Mar 16, 2026
19d7da8
Zeroize generated keys after import
danielinux Mar 16, 2026
454e830
Fix ECC curve ids for 192-bit and 224-bit curves
danielinux Mar 16, 2026
c48ec68
Fix ECC key bit inference for non-byte-aligned curves
danielinux Mar 16, 2026
cecfc2a
Reject oversized PSA random requests
danielinux Mar 16, 2026
f1d0585
Zero DES3 expanded keys after setup
danielinux Mar 16, 2026
4ff8496
zero HKDF PRK stack buffer
danielinux Mar 16, 2026
f35207c
Scrub TLS 1.2 PSK premaster buffer
danielinux Mar 16, 2026
2138fbf
scrub PBKDF2 CMAC stack buffers
danielinux Mar 16, 2026
3772e4d
Zero derived key buffer before free
danielinux Mar 16, 2026
a4f407d
zero ECDH secret before free
danielinux Mar 16, 2026
436714a
Zero key agreement secrets before free
danielinux Mar 16, 2026
024cf0d
Reject wrapped AEAD multipart lengths
danielinux Mar 16, 2026
4647472
Don't shadow variables: reuse existing
danielinux Mar 16, 2026
e28140a
Updated .gitignore with new test artifacts
danielinux Mar 16, 2026
b06b31b
Addressed copilot's review comments
danielinux Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 30 additions & 2 deletions .github/workflows/test-psa-api.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,40 @@ jobs:
- name: Build sibling wolfSSL for wolfPSA tests
run: make -C test rebuild-wolfssl-psa

- name: Build PSA API test
run: make -C test psa_api_test
- name: Build PSA API tests
run: make -C test psa_api_test psa_des3_stack_scrub_test psa_ecc_bit_inference_test psa_ecc_curve_id_test psa_random_size_test

- name: Run PSA API test
env:
LD_LIBRARY_PATH: ${{ github.workspace }}:${{ github.workspace }}/../wolfssl/src/.libs
run: |
rm -rf test/.store
./test/psa_api_test

- name: Run ECC bit inference test
env:
LD_LIBRARY_PATH: ${{ github.workspace }}:${{ github.workspace }}/../wolfssl/src/.libs
run: |
rm -rf test/.store
./test/psa_ecc_bit_inference_test

- name: Run DES3 stack scrub test
env:
LD_LIBRARY_PATH: ${{ github.workspace }}:${{ github.workspace }}/../wolfssl/src/.libs
run: |
rm -rf test/.store
./test/psa_des3_stack_scrub_test

- name: Run ECC curve id test
env:
LD_LIBRARY_PATH: ${{ github.workspace }}:${{ github.workspace }}/../wolfssl/src/.libs
run: |
rm -rf test/.store
./test/psa_ecc_curve_id_test

- name: Run random size test
env:
LD_LIBRARY_PATH: ${{ github.workspace }}:${{ github.workspace }}/../wolfssl/src/.libs
run: |
rm -rf test/.store
./test/psa_random_size_test
5 changes: 5 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,12 @@ test-psa-api/psa-arch-tests
libwolfpsa.so
*.o
test/psa_api_test
test/psa_ecc_bit_inference_test
test/psa_ecc_curve_id_test
test/psa_tls_server
test/psa_des3_stack_scrub_test
test/psa_random_size_test
test/psa_rsa_pss_interop_test
psa_server/tls_client/psa_tls_client
psa_tls_client
wolfcrypt-benchmark/wolfcrypt-psa-benchmark
Expand Down
57 changes: 19 additions & 38 deletions src/psa_aead.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,32 +33,11 @@
#include <wolfpsa/psa_chacha20_poly1305.h>
#include <wolfssl/wolfcrypt/aes.h>
#include <wolfssl/wolfcrypt/mem_track.h>

typedef struct wolfpsa_aead_ctx {
psa_algorithm_t alg;
psa_key_type_t key_type;
size_t key_bits;
int direction;
uint8_t *key;
size_t key_length;
uint8_t nonce[PSA_AEAD_NONCE_MAX_SIZE];
size_t nonce_length;
uint8_t *aad;
size_t aad_length;
uint8_t *input;
size_t input_length;
size_t ad_expected;
size_t plaintext_expected;
size_t tag_length;
int lengths_set;
} wolfpsa_aead_ctx_t;
#include "psa_aead_internal.h"

static wolfpsa_aead_ctx_t* wolfpsa_aead_get_ctx(psa_aead_operation_t *operation)
{
if (operation == NULL) {
return NULL;
}
return (wolfpsa_aead_ctx_t *)(uintptr_t)operation->opaque;
return wolfpsa_aead_get_ctx_ptr(operation);
}

static psa_status_t wolfpsa_aead_append(uint8_t **buf, size_t *len,
Expand Down Expand Up @@ -124,30 +103,30 @@ static psa_status_t wolfpsa_aead_check_key(psa_key_id_t key,
if (PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_GCM) ||
PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CCM)) {
if (attributes->type != PSA_KEY_TYPE_AES) {
wolfpsa_free_key_data(*key_data);
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_INVALID_ARGUMENT;
}
}
else if (PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CHACHA20_POLY1305)) {
if (attributes->type != PSA_KEY_TYPE_CHACHA20) {
wolfpsa_free_key_data(*key_data);
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_INVALID_ARGUMENT;
}
}
else {
wolfpsa_free_key_data(*key_data);
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_SUPPORTED;
}

key_usage = psa_get_key_usage_flags(attributes);
if ((key_usage & usage) == 0) {
wolfpsa_free_key_data(*key_data);
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
Expand All @@ -161,29 +140,29 @@ static psa_status_t wolfpsa_aead_check_key(psa_key_id_t key,
req_tag_len = wolfpsa_aead_tag_length(alg);

if (key_tag_len == 0 || req_tag_len == 0) {
wolfpsa_free_key_data(*key_data);
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_INVALID_ARGUMENT;
}

if (key_base != req_base) {
wolfpsa_free_key_data(*key_data);
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
}

if ((key_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
if (req_tag_len < key_tag_len) {
wolfpsa_free_key_data(*key_data);
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
}
}
else if (req_tag_len != key_tag_len) {
wolfpsa_free_key_data(*key_data);
wolfpsa_forcezero_free_key_data(*key_data, *key_data_length);
*key_data = NULL;
*key_data_length = 0;
return PSA_ERROR_NOT_PERMITTED;
Expand Down Expand Up @@ -224,7 +203,7 @@ static psa_status_t wolfpsa_aead_setup(psa_aead_operation_t *operation,
ctx = (wolfpsa_aead_ctx_t *)XMALLOC(sizeof(*ctx), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (ctx == NULL) {
wolfpsa_free_key_data(key_data);
wolfpsa_forcezero_free_key_data(key_data, key_data_length);
return PSA_ERROR_INSUFFICIENT_MEMORY;
}
XMEMSET(ctx, 0, sizeof(*ctx));
Expand All @@ -234,29 +213,29 @@ static psa_status_t wolfpsa_aead_setup(psa_aead_operation_t *operation,
ctx->key_bits = attributes.bits;
ctx->tag_length = wolfpsa_aead_tag_length(alg);
if (ctx->tag_length == 0) {
wolfpsa_free_key_data(key_data);
wolfpsa_forcezero_free_key_data(key_data, key_data_length);
XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return PSA_ERROR_INVALID_ARGUMENT;
}
ctx->direction = (usage == PSA_KEY_USAGE_ENCRYPT) ? 1 : 0;
if (PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CCM) &&
wc_AesCcmCheckTagSize((int)ctx->tag_length) != 0) {
wolfpsa_free_key_data(key_data);
wolfpsa_forcezero_free_key_data(key_data, key_data_length);
XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return PSA_ERROR_INVALID_ARGUMENT;
}

ctx->key = (uint8_t *)XMALLOC(key_data_length, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (ctx->key == NULL) {
wolfpsa_free_key_data(key_data);
wolfpsa_forcezero_free_key_data(key_data, key_data_length);
XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return PSA_ERROR_INSUFFICIENT_MEMORY;
}
XMEMCPY(ctx->key, key_data, key_data_length);
ctx->key_length = key_data_length;

wolfpsa_free_key_data(key_data);
wolfpsa_forcezero_free_key_data(key_data, key_data_length);
operation->opaque = (uintptr_t)ctx;
return PSA_SUCCESS;
}
Expand Down Expand Up @@ -398,7 +377,8 @@ psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
return PSA_ERROR_BAD_STATE;
}
if (ctx->lengths_set &&
ctx->aad_length + input_length > ctx->ad_expected) {
(input_length > SIZE_MAX - ctx->aad_length ||
ctx->aad_length + input_length > ctx->ad_expected)) {
status = PSA_ERROR_INVALID_ARGUMENT;
psa_aead_abort(operation);
return status;
Expand Down Expand Up @@ -443,7 +423,8 @@ psa_status_t psa_aead_update(psa_aead_operation_t *operation,
return status;
}
if (ctx->lengths_set &&
ctx->input_length + input_length > ctx->plaintext_expected) {
(input_length > SIZE_MAX - ctx->input_length ||
ctx->input_length + input_length > ctx->plaintext_expected)) {
status = PSA_ERROR_INVALID_ARGUMENT;
psa_aead_abort(operation);
return status;
Expand Down
37 changes: 37 additions & 0 deletions src/psa_aead_internal.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
#ifndef WOLFPSA_PSA_AEAD_INTERNAL_H
#define WOLFPSA_PSA_AEAD_INTERNAL_H

#include <stdint.h>

#include <wolfpsa/psa/crypto.h>

typedef struct wolfpsa_aead_ctx {
psa_algorithm_t alg;
psa_key_type_t key_type;
size_t key_bits;
int direction;
uint8_t *key;
size_t key_length;
uint8_t nonce[PSA_AEAD_NONCE_MAX_SIZE];
size_t nonce_length;
uint8_t *aad;
size_t aad_length;
uint8_t *input;
size_t input_length;
size_t ad_expected;
size_t plaintext_expected;
size_t tag_length;
int lengths_set;
} wolfpsa_aead_ctx_t;

static inline wolfpsa_aead_ctx_t*
wolfpsa_aead_get_ctx_ptr(psa_aead_operation_t *operation)
{
if (operation == NULL) {
return NULL;
}

return (wolfpsa_aead_ctx_t *)(uintptr_t)operation->opaque;
}

#endif /* WOLFPSA_PSA_AEAD_INTERNAL_H */
16 changes: 16 additions & 0 deletions src/psa_asymmetric.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -655,10 +655,18 @@ int wc_psa_get_ecc_curve_id(psa_key_type_t type, size_t bits)
case PSA_ECC_FAMILY_SECP_R1:
switch (bits) {
case 192:
#ifdef HAVE_ECC192
return ECC_SECP192R1;
#else
return ECC_CURVE_INVALID;
#endif

case 224:
#ifdef HAVE_ECC224
return ECC_SECP224R1;
#else
return ECC_CURVE_INVALID;
#endif

case 256:
return ECC_SECP256R1;
Expand All @@ -676,10 +684,18 @@ int wc_psa_get_ecc_curve_id(psa_key_type_t type, size_t bits)
case PSA_ECC_FAMILY_SECP_K1:
switch (bits) {
case 192:
#if defined(HAVE_ECC192) && defined(HAVE_ECC_KOBLITZ)
return ECC_SECP192K1;
#else
return ECC_CURVE_INVALID;
#endif

case 224:
#if defined(HAVE_ECC224) && defined(HAVE_ECC_KOBLITZ)
return ECC_SECP224K1;
#else
return ECC_CURVE_INVALID;
#endif

case 256:
return ECC_SECP256K1;
Expand Down
Loading
Loading