6 changes: 3 additions & 3 deletions tests/api/test_evp_cipher.c
@@ -2195,7 +2195,7 @@ int test_wolfssl_EVP_sm4_ecb(void)
};
byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE];
byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE];
EVP_CIPHER_CTX* ctx;
EVP_CIPHER_CTX* ctx = NULL;
int outSz;

XMEMSET(key, 0, sizeof(key));
@@ -2251,7 +2251,7 @@ int test_wolfssl_EVP_sm4_cbc(void)
};
byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE];
byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE];
EVP_CIPHER_CTX* ctx;
EVP_CIPHER_CTX* ctx = NULL;
int outSz;

XMEMSET(key, 0, sizeof(key));
@@ -2319,7 +2319,7 @@ int test_wolfssl_EVP_sm4_ctr(void)
byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF};
byte cipherText[sizeof(plainText)];
byte decryptedText[sizeof(plainText)];
EVP_CIPHER_CTX* ctx;
EVP_CIPHER_CTX* ctx = NULL;
int outSz;

XMEMSET(key, 0, sizeof(key));
22 changes: 19 additions & 3 deletions tests/api/test_evp_pkey.c
@@ -1592,9 +1592,25 @@ static int test_wolfSSL_EVP_PKEY_sign_verify(int keyType)
ExpectIntEQ(EVP_PKEY_verify(
ctx_verify, sig, siglen, hash, SHA256_DIGEST_LENGTH),
WOLFSSL_SUCCESS);
ExpectIntEQ(EVP_PKEY_verify(
ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH),
WC_NO_ERR_TRACE(WOLFSSL_FAILURE));

if (keyType == EVP_PKEY_EC) {
#if (!defined(HAVE_FIPS) || FIPS_VERSION_GT(7,0)) && !defined(HAVE_SELFTEST)
/* wolfSSL differs from OpenSSL in that it treats a hash of all 0's as a
* fatal error and does not attempt to verify */
ExpectIntEQ(EVP_PKEY_verify(
ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH),
WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
#else
ExpectIntEQ(EVP_PKEY_verify(
ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH),
WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
#endif
}
else {
ExpectIntEQ(EVP_PKEY_verify(
ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH),
WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
}

#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \
!defined(HAVE_SELFTEST)
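Review bot: The EC branch now expects `WOLFSSL_FATAL_ERROR` for an all-zero digest, a negative value where the other key types still return `WOLFSSL_FAILURE` (0), and the added comment does not say what that means for callers. Application code that tests the result with `if (EVP_PKEY_verify(...))` instead of `== WOLFSSL_SUCCESS` would read a negative return as a pass, so I would extend the comment with `* Callers must compare the result with WOLFSSL_SUCCESS; a plain non-zero test accepts this error.` The `#else` arm and the non-EC arm repeat the same assertion; a local holding the expected value, set under the `#if`, would leave a single `ExpectIntEQ`. The function body starts and ends outside the hunk.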
8 changes: 8 additions & 0 deletions wolfcrypt/src/ecc.c
@@ -7426,6 +7426,10 @@ int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, WC_RNG* rng,
/* may still need bit truncation too */
if (err == MP_OKAY && (WOLFSSL_BIT_SIZE * inlen) > orderBits)
mp_rshb(e, (int)(WOLFSSL_BIT_SIZE - (orderBits & 0x7)));

if (err == MP_OKAY && mp_iszero(e)) {
err = ECC_BAD_ARG_E;
}
}

/* make up a key and export the public copy */
@@ -9005,6 +9009,10 @@ static int ecc_verify_hash(mp_int *r, mp_int *s, const byte* hash,
/* may still need bit truncation too */
if (err == MP_OKAY && (WOLFSSL_BIT_SIZE * hashlen) > orderBits)
mp_rshb(e, (int)(WOLFSSL_BIT_SIZE - (orderBits & 0x7)));

if (err == MP_OKAY && mp_iszero(e)) {
err = ECC_BAD_ARG_E;
}
}

/* check for async hardware acceleration */
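Review bot: Neither new `mp_iszero(e)` check says why a zero value is refused, and both run on the truncated value, so a digest whose leading `orderBits` bits are all zero is rejected as well as an all-zero buffer. I would put above each one `/* e == 0 after truncation: refuse, ECDSA gives no assurance for a zero digest */`. `ECC_BAD_ARG_E` becomes a possible result of both `wc_ecc_sign_hash_ex` and `ecc_verify_hash`; their header comments lie outside these hunks, so it is worth checking that the documented return values mention it, as the sp_arm32.c sign comments in this commit do. Both function bodies start and end outside the hunks.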
125 changes: 107 additions & 18 deletions wolfcrypt/src/sp_arm32.c
@@ -79334,8 +79334,8 @@ static int sp_256_calc_s_8(sp_digit* s, const sp_digit* r, sp_digit* k,
* rm First part of result as an mp_int.
* sm Sirst part of result as an mp_int.
* heap Heap to use for allocation.
* returns RNG failures, MEMORY_E when memory allocation fails and
* MP_OKAY on success.
* returns RNG failures, MEMORY_E when memory allocation fails,
* ECC_BAD_ARG_E with invalid argument, and MP_OKAY on success.
*/
int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng,
const mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
@@ -79365,6 +79365,11 @@ int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng,
if (hashLen > 32U) {
hashLen = 32U;
}

sp_256_from_bin(e, 8, hash, (int)hashLen);
if (sp_256_iszero_8(e)) {
err = ECC_BAD_ARG_E;
}
}

for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
@@ -79454,12 +79459,25 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W

switch (ctx->state) {
case 0: /* INIT */
{
word32 hl = hashLen;

ctx->s = ctx->e;
ctx->kInv = ctx->k;

ctx->i = SP_ECC_MAX_SIG_GEN;
ctx->state = 1;
break;
if (hl > 32U) {
hl = 32U;
}
sp_256_from_bin(ctx->e, 8, hash, (int)hl);
if (sp_256_iszero_8(ctx->e)) {
err = ECC_BAD_ARG_E;
}
else {
ctx->i = SP_ECC_MAX_SIG_GEN;
ctx->state = 1;
}
}
break;
case 1: /* GEN */
/* New random point. */
if (km == NULL || mp_iszero(km)) {
@@ -80576,7 +80594,12 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX,
sp_256_from_mp(p2->y, 8, pY);
sp_256_from_mp(p2->z, 8, pZ);

err = sp_256_calc_vfy_point_8(p1, p2, s, u1, u2, tmp, heap);
if (sp_256_iszero_8(u1)) {
err = ECC_BAD_ARG_E;
}
else {
err = sp_256_calc_vfy_point_8(p1, p2, s, u1, u2, tmp, heap);
}
}
if (err == MP_OKAY) {
/* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
@@ -80659,6 +80682,10 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash,
sp_256_from_mp(ctx->p2.x, 8, pX);
sp_256_from_mp(ctx->p2.y, 8, pY);
sp_256_from_mp(ctx->p2.z, 8, pZ);
if (sp_256_iszero_8(ctx->u1)) {
err = ECC_BAD_ARG_E;
break;
}
ctx->state = 1;
break;
case 1: /* NORMS0 */
@@ -97495,8 +97522,8 @@ static int sp_384_calc_s_12(sp_digit* s, const sp_digit* r, sp_digit* k,
* rm First part of result as an mp_int.
* sm Sirst part of result as an mp_int.
* heap Heap to use for allocation.
* returns RNG failures, MEMORY_E when memory allocation fails and
* MP_OKAY on success.
* returns RNG failures, MEMORY_E when memory allocation fails,
* ECC_BAD_ARG_E with invalid argument, and MP_OKAY on success.
*/
int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng,
const mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
@@ -97526,6 +97553,11 @@ int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng,
if (hashLen > 48U) {
hashLen = 48U;
}

sp_384_from_bin(e, 12, hash, (int)hashLen);
if (sp_384_iszero_12(e)) {
err = ECC_BAD_ARG_E;
}
}

for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
@@ -97615,12 +97647,25 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W

switch (ctx->state) {
case 0: /* INIT */
{
word32 hl = hashLen;

ctx->s = ctx->e;
ctx->kInv = ctx->k;

ctx->i = SP_ECC_MAX_SIG_GEN;
ctx->state = 1;
break;
if (hl > 48U) {
hl = 48U;
}
sp_384_from_bin(ctx->e, 12, hash, (int)hl);
if (sp_384_iszero_12(ctx->e)) {
err = ECC_BAD_ARG_E;
}
else {
ctx->i = SP_ECC_MAX_SIG_GEN;
ctx->state = 1;
}
}
break;
case 1: /* GEN */
/* New random point. */
if (km == NULL || mp_iszero(km)) {
@@ -98859,7 +98904,12 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX,
sp_384_from_mp(p2->y, 12, pY);
sp_384_from_mp(p2->z, 12, pZ);

err = sp_384_calc_vfy_point_12(p1, p2, s, u1, u2, tmp, heap);
if (sp_384_iszero_12(u1)) {
err = ECC_BAD_ARG_E;
}
else {
err = sp_384_calc_vfy_point_12(p1, p2, s, u1, u2, tmp, heap);
}
}
if (err == MP_OKAY) {
/* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
@@ -98942,6 +98992,10 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash,
sp_384_from_mp(ctx->p2.x, 12, pX);
sp_384_from_mp(ctx->p2.y, 12, pY);
sp_384_from_mp(ctx->p2.z, 12, pZ);
if (sp_384_iszero_12(ctx->u1)) {
err = ECC_BAD_ARG_E;
break;
}
ctx->state = 1;
break;
case 1: /* NORMS0 */
@@ -125905,8 +125959,8 @@ static int sp_521_calc_s_17(sp_digit* s, const sp_digit* r, sp_digit* k,
* rm First part of result as an mp_int.
* sm Sirst part of result as an mp_int.
* heap Heap to use for allocation.
* returns RNG failures, MEMORY_E when memory allocation fails and
* MP_OKAY on success.
* returns RNG failures, MEMORY_E when memory allocation fails,
* ECC_BAD_ARG_E with invalid argument, and MP_OKAY on success.
*/
int sp_ecc_sign_521(const byte* hash, word32 hashLen, WC_RNG* rng,
const mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
@@ -125936,6 +125990,15 @@ int sp_ecc_sign_521(const byte* hash, word32 hashLen, WC_RNG* rng,
if (hashLen > 66U) {
hashLen = 66U;
}

sp_521_from_bin(e, 17, hash, (int)hashLen);
if (hashLen == 66U) {
sp_521_rshift_17(e, e, 7);
}

if (sp_521_iszero_17(e)) {
err = ECC_BAD_ARG_E;
}
}

for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
@@ -126030,12 +126093,29 @@ int sp_ecc_sign_521_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W

switch (ctx->state) {
case 0: /* INIT */
{
word32 hl = hashLen;

ctx->s = ctx->e;
ctx->kInv = ctx->k;

ctx->i = SP_ECC_MAX_SIG_GEN;
ctx->state = 1;
break;
if (hl > 66U) {
hl = 66U;
}
sp_521_from_bin(ctx->e, 17, hash, (int)hl);
if (hl == 66U) {
sp_521_rshift_17(ctx->e, ctx->e, 7);
}

if (sp_521_iszero_17(ctx->e)) {
err = ECC_BAD_ARG_E;
}
else {
ctx->i = SP_ECC_MAX_SIG_GEN;
ctx->state = 1;
}
}
break;
case 1: /* GEN */
/* New random point. */
if (km == NULL || mp_iszero(km)) {
@@ -127800,7 +127880,12 @@ int sp_ecc_verify_521(const byte* hash, word32 hashLen, const mp_int* pX,
sp_521_rshift_17(u1, u1, 7);
}

err = sp_521_calc_vfy_point_17(p1, p2, s, u1, u2, tmp, heap);
if (sp_521_iszero_17(u1)) {
err = ECC_BAD_ARG_E;
}
else {
err = sp_521_calc_vfy_point_17(p1, p2, s, u1, u2, tmp, heap);
}
}
if (err == MP_OKAY) {
/* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
@@ -127886,6 +127971,10 @@ int sp_ecc_verify_521_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash,
if (hashLen == 66U) {
sp_521_rshift_17(ctx->u1, ctx->u1, 7);
}
if (sp_521_iszero_17(ctx->u1)) {
err = ECC_BAD_ARG_E;
break;
}
ctx->state = 1;
break;
case 1: /* NORMS0 */
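Review bot: The zero-digest guards in the verify paths test `u1` (`sp_256_iszero_8(u1)` and the 384/521 and `_nb` equivalents), which at that point appears to still hold the truncated digest rather than the later u1 value, and nothing in the hunks says so. A one-line comment such as `/* u1 still holds the digest e here; e == 0 is rejected before the point calculation */` would keep a later reader from moving the check below `sp_256_calc_vfy_point_8`. In the `_nb` sign INIT states the digest is loaded into `ctx->e` directly after `ctx->s = ctx->e` makes the two share storage; whether a later state reloads `e` is outside the hunk, so a comment there stating that this load serves the zero check would help. The sign header comments gained `ECC_BAD_ARG_E`, but no verify header comment is touched in the visible hunks, and the context line `sm Sirst part of result` still carries its typo.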