Security fixes: constant-time comparisons, ForceZero, and sizeof fix

  Replace XMEMCMP with ConstantCompare for cryptographic verification to
  prevent timing attacks in:
  - wc_PKCS12_verify (pkcs12.c)
  - wolfSSL_EVP_DigestVerifyFinal HMAC check (evp.c)
  - wc_SrpVerifyPeersProof (srp.c)
  - wc_ecc_decrypt HMAC verification (ecc.c)
  - wc_AesSivEncryptDecrypt SIV comparison (aes.c)
  - wc_AesKeyUnWrap_ex IV verification (aes.c)
  - sakke_decapsulate authentication check (sakke.c)

  Add ForceZero to clear sensitive cryptographic material before freeing:
  - HPKE: dh, kemContext, sharedSecret, context buffers (hpke.c)
  - ChaCha20-Poly1305: authKey in Init functions (chacha20_poly1305.c)
  - ML-KEM: kr and msg buffers in encapsulate/decapsulate (wc_mlkem.c)
  - ECIES: sharedSecret and keys buffers (ecc.c)
  - PBKDF1/2: digest and buffer arrays (pwdbased.c)
  - SRP: digest buffer (srp.c)

  Fix copy-paste error in ALLOC_ASNSETDATA macro using sizeof(ASNSetData)
  instead of sizeof(ASNGetData) (asn.c).

Author: aidangarske

wolfcrypt/src/aes.c

@@ -14643,7 +14643,7 @@ int wc_AesKeyUnWrap_ex(Aes *aes, const byte* in, word32 inSz, byte* out,
         return ret;
 
     /* verify IV */
-    if (XMEMCMP(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0)
+    if (ConstantCompare(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0)
         return BAD_KEYWRAP_IV_E;
 
     return (int)(inSz - KEYWRAP_BLOCK_SIZE);
@@ -16303,7 +16303,7 @@ static WARN_UNUSED_RESULT int AesSivCipher(
             WOLFSSL_MSG("S2V failed.");
         }
 
-        if (XMEMCMP(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
+        if (ConstantCompare(siv, sivTmp, WC_AES_BLOCK_SIZE) != 0) {
             WOLFSSL_MSG("Computed SIV doesn't match received SIV.");
             ret = AES_SIV_AUTH_E;
         }

wolfcrypt/src/asn.c

@@ -487,7 +487,7 @@ static word32 SizeASNLength(word32 length)
     #define ALLOC_ASNSETDATA(name, cnt, err, heap)                             \
     do {                                                                       \
         if ((err) == 0) {                                                      \
-            (name) = (ASNSetData*)XMALLOC(sizeof(ASNGetData) * (cnt), (heap),  \
+            (name) = (ASNSetData*)XMALLOC(sizeof(ASNSetData) * (cnt), (heap),  \
                                     DYNAMIC_TYPE_TMP_BUFFER);                  \
             if ((name) == NULL) {                                              \
                 (err) = MEMORY_E;                                              \

wolfcrypt/src/chacha20_poly1305.c

@@ -187,6 +187,8 @@ int wc_ChaCha20Poly1305_Init(ChaChaPoly_Aead* aead,
         aead->state = CHACHA20_POLY1305_STATE_READY;
     }
 
+    ForceZero(authKey, sizeof(authKey));
+
     return ret;
 }
 
@@ -332,25 +334,30 @@ int wc_XChaCha20Poly1305_Init(
     /* Create the Poly1305 key */
     if ((ret = wc_Chacha_Process(&aead->chacha, authKey, authKey,
                                  (word32)sizeof authKey)) < 0)
-        return ret;
+        goto out;
     /* advance to start of the next ChaCha block. */
     wc_Chacha_purge_current_block(&aead->chacha);
 
     /* Initialize Poly1305 context */
     if ((ret = wc_Poly1305SetKey(&aead->poly, authKey,
                                  (word32)sizeof authKey)) < 0)
-        return ret;
+        goto out;
 
     if ((ret = wc_Poly1305Update(&aead->poly, ad, (word32)ad_len)) < 0)
-        return ret;
+        goto out;
 
     if ((ret = wc_Poly1305_Pad(&aead->poly, (word32)ad_len)) < 0)
-        return ret;
+        goto out;
 
     aead->isEncrypt = isEncrypt ? 1 : 0;
     aead->state = CHACHA20_POLY1305_STATE_AAD;
 
-    return 0;
+    ret = 0;
+
+out:
+    ForceZero(authKey, sizeof(authKey));
+
+    return ret;
 }
 
 static WC_INLINE int wc_XChaCha20Poly1305_crypt_oneshot(

wolfcrypt/src/ecc.c

@@ -14484,6 +14484,8 @@ int wc_ecc_encrypt_ex(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 
     RESTORE_VECTOR_REGISTERS();
 
+    ForceZero(sharedSecret, sharedSz);
+    ForceZero(keys, (word32)keysLen);
     WC_FREE_VAR_EX(sharedSecret, ctx->heap, DYNAMIC_TYPE_ECC_BUFFER);
     WC_FREE_VAR_EX(keys, ctx->heap, DYNAMIC_TYPE_ECC_BUFFER);
 
@@ -14778,8 +14780,8 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 
                     if (ret == 0)
                         ret = wc_HmacFinal(hmac, verify);
-                    if ((ret == 0) && (XMEMCMP(verify, msg + msgSz - digestSz,
-                                                             digestSz) != 0)) {
+                    if ((ret == 0) && (ConstantCompare(verify, msg + msgSz - digestSz,
+                                                             (int)digestSz) != 0)) {
                         ret = HASH_TYPE_E;
                         WOLFSSL_MSG("ECC Decrypt HMAC Check failed!");
                     }
@@ -14882,6 +14884,8 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
     if (pubKey == peerKey)
         wc_ecc_free(peerKey);
 #endif
+    ForceZero(sharedSecret, sharedSz);
+    ForceZero(keys, (word32)keysLen);
 #ifdef WOLFSSL_SMALL_STACK
 #ifndef WOLFSSL_ECIES_OLD
     XFREE(peerKey, ctx->heap, DYNAMIC_TYPE_ECC_BUFFER);

wolfcrypt/src/evp.c

@@ -4962,7 +4962,7 @@ int wolfSSL_EVP_DigestVerifyFinal(WOLFSSL_EVP_MD_CTX *ctx,
 
     if (ctx->isHMAC) {
         /* Check HMAC result matches the signature. */
-        if (XMEMCMP(sig, digest, (size_t)siglen) == 0)
+        if (ConstantCompare(sig, digest, (int)siglen) == 0)
             return WOLFSSL_SUCCESS;
         return WOLFSSL_FAILURE;
     }

wolfcrypt/src/hpke.c

@@ -796,6 +796,8 @@ static int wc_HpkeEncap(Hpke* hpke, void* ephemeralKey, void* receiverKey,
             hpke->Npk * 2, sharedSecret);
     }
 
+    ForceZero(dh, hpke->Ndh);
+    ForceZero(kemContext, hpke->Npk * 2);
     WC_FREE_VAR_EX(dh, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
     WC_FREE_VAR_EX(kemContext, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
@@ -827,6 +829,7 @@ static int wc_HpkeSetupBaseSender(Hpke* hpke, HpkeBaseContext* context,
             infoSz);
     }
 
+    ForceZero(sharedSecret, hpke->Nsecret);
     WC_FREE_VAR_EX(sharedSecret, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
     return ret;
@@ -914,6 +917,7 @@ int wc_HpkeSealBase(Hpke* hpke, void* ephemeralKey, void* receiverKey,
 
     PRIVATE_KEY_LOCK();
 
+    ForceZero(context, sizeof(HpkeBaseContext));
     WC_FREE_VAR_EX(context, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
     return ret;
@@ -1032,6 +1036,7 @@ static int wc_HpkeDecap(Hpke* hpke, void* receiverKey, const byte* pubKey,
             hpke->Npk * 2, sharedSecret);
     }
 
+    ForceZero(dh, hpke->Ndh);
     WC_FREE_VAR_EX(dh, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
     WC_FREE_VAR_EX(kemContext, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
@@ -1058,6 +1063,7 @@ static int wc_HpkeSetupBaseReceiver(Hpke* hpke, HpkeBaseContext* context,
             infoSz);
     }
 
+    ForceZero(sharedSecret, hpke->Nsecret);
     WC_FREE_VAR_EX(sharedSecret, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
     return ret;
@@ -1144,6 +1150,7 @@ int wc_HpkeOpenBase(Hpke* hpke, void* receiverKey, const byte* pubKey,
 
     PRIVATE_KEY_LOCK();
 
+    ForceZero(context, sizeof(HpkeBaseContext));
     WC_FREE_VAR_EX(context, hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
     return ret;

wolfcrypt/src/pkcs12.c

@@ -637,7 +637,9 @@ static int wc_PKCS12_verify(WC_PKCS12* pkcs12, byte* data, word32 dataSz,
     }
 #endif
 
-    return XMEMCMP(digest, mac->digest, mac->digestSz);
+    if (ConstantCompare(digest, mac->digest, (int)mac->digestSz) != 0)
+        return MAC_CMP_FAILED_E;
+    return 0;
 }
 
 int wc_PKCS12_verify_ex(WC_PKCS12* pkcs12, const byte* psw, word32 pswSz)

wolfcrypt/src/pwdbased.c

@@ -152,6 +152,8 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
 
     WC_FREE_VAR_EX(hash, heap, DYNAMIC_TYPE_HASHCTX);
 
+    ForceZero(digest, sizeof(digest));
+
     if (err != 0)
         return err;
 
@@ -294,6 +296,7 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
         wc_HmacFree(hmac);
     }
 
+    ForceZero(buffer, hLen);
     WC_FREE_VAR_EX(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);
     WC_FREE_VAR_EX(hmac, heap, DYNAMIC_TYPE_HMAC);
 

wolfcrypt/src/sakke.c

@@ -6941,7 +6941,7 @@ int wc_DeriveSakkeSSV(SakkeKey* key, enum wc_HashType hashType, byte* ssv,
 
         err = sakke_compute_point_r(key, key->id, key->idSz, ri, n, test);
     }
-    if ((err == 0) && (XMEMCMP(auth, test, (size_t)(2 * n + 1)) != 0)) {
+    if ((err == 0) && (ConstantCompare(auth, test, (int)(2 * n + 1)) != 0)) {
         err = SAKKE_VERIFY_FAIL_E;
     }
 

wolfcrypt/src/srp.c

@@ -994,9 +994,11 @@ int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
         if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
     }
 
-    if (!r && XMEMCMP(proof, digest, size) != 0)
+    if (!r && ConstantCompare(proof, digest, (int)size) != 0)
         r = SRP_VERIFY_E;
 
+    ForceZero(digest, sizeof(digest));
+
     return r;
 }