Crypto layer: Add missing input validation#10819

Open
lealem47 wants to merge 1 commit into
wolfSSL:masterfrom
lealem47:input_validation

Conversation


@lealem47 lealem47 commented Jun 30, 2026

Contributor

Description

Adding miscellaneous input validation throughout wolfcrypt files.

Testing

./configure --enable-all && make check

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@lealem47 lealem47 self-assigned this Jun 30, 2026
Copilot AI review requested due to automatic review settings June 30, 2026 16:31

Copilot AI left a comment

Contributor

Pull request overview

This PR hardens wolfCrypt/wolfSSL by adding additional input validation and tightening default Diffie–Hellman parameter minimums to align with modern security guidance (2048-bit minimum by default, overridable for legacy use).

Changes:

  • Introduces DH_MIN_SIZE (default 2048 bits) and aligns TLS-layer DH minimums with the DH primitive’s minimum.
  • Adds/adjusts input validation to prevent overflow/wraparound and invalid arguments in KDF/PRF, ECC key import, RSA key generation, and DH operations.
  • Updates an existing DH test to be conditionally compiled based on DH_MIN_SIZE.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Summary per file:

  • wolfssl/wolfcrypt/settings.h: Defines DH_MIN_SIZE with a secure default and legacy override mapping.
  • wolfssl/version.h: Updates library version macros (currently inconsistent with rest of repo).
  • wolfssl/internal.h: Aligns WOLFSSL_MIN_DHKEY_BITS default with DH_MIN_SIZE and enforces consistency.
  • wolfcrypt/src/rsa.c: Fixes heap usage in an OAEP error path and tightens RSA exponent validation under FIPS.
  • wolfcrypt/src/kdf.c: Adds null/length argument validation and prevents word32 wraparound in length checks.
  • wolfcrypt/src/ecc.c: Prevents potential word32 overflow when expanding compressed ECC point lengths.
  • wolfcrypt/src/dh.c: Rejects DH primes smaller than DH_MIN_SIZE and adds a null check in wc_DhCheckPubValue.
  • tests/api/test_dh.c: Gates a subgroup-check test on DH_MIN_SIZE (affects coverage in default builds).

Comment thread wolfssl/version.h Outdated
Comment thread tests/api/test_dh.c

github-actions Bot commented Jun 30, 2026


MemBrowse Memory Report

  • gcc-arm-cortex-m0plus: FLASH .text +468 B (+0.7%, 64,563 B / 262,144 B, total: 25% used)
  • gcc-arm-cortex-m3: FLASH .text +404 B (+0.3%, 122,517 B / 262,144 B, total: 47% used)
  • gcc-arm-cortex-m4: FLASH .text +448 B (+0.2%, 200,204 B / 262,144 B, total: 76% used)
  • gcc-arm-cortex-m4-baremetal: FLASH .text +448 B (+0.7%, 67,147 B / 262,144 B, total: 26% used)
  • gcc-arm-cortex-m4-crypto-only: FLASH .text +192 B (+0.1%, 174,506 B / 262,144 B, total: 67% used)
  • gcc-arm-cortex-m4-dtls13: FLASH .text +384 B (+0.2%, 180,888 B / 1,048,576 B, total: 17% used)
  • gcc-arm-cortex-m4-min-ecc: FLASH .text +448 B (+0.7%, 62,125 B / 262,144 B, total: 24% used)
  • gcc-arm-cortex-m4-openssl-compat: FLASH .text +128 B (+0.0%, 769,028 B / 1,048,576 B, total: 73% used)
  • gcc-arm-cortex-m4-pkcs7: FLASH .text +448 B (+0.2%, 212,525 B / 262,144 B, total: 81% used)
  • gcc-arm-cortex-m4-pq: FLASH .text +384 B (+0.1%, 279,024 B / 1,048,576 B, total: 27% used)
  • gcc-arm-cortex-m4-rsa-only: FLASH .text +128 B (+0.0%, 324,304 B / 1,048,576 B, total: 31% used)
  • gcc-arm-cortex-m4-sp-math: FLASH .text +448 B (+0.7%, 62,125 B / 262,144 B, total: 24% used)
  • gcc-arm-cortex-m4-tls12: FLASH .text +384 B (+0.3%, 123,277 B / 262,144 B, total: 47% used)
  • gcc-arm-cortex-m4-tls13: FLASH .text +384 B (+0.2%, 235,774 B / 262,144 B, total: 90% used)
  • gcc-arm-cortex-m7: FLASH .text +384 B (+0.2%, 200,140 B / 262,144 B, total: 76% used)
  • gcc-arm-cortex-m7-pq: FLASH .text +384 B (+0.1%, 279,600 B / 1,048,576 B, total: 27% used)
  • gcc-arm-cortex-m7-tls13

Copilot AI left a comment

Contributor

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Comment thread wolfcrypt/src/ecc.c
Comment thread wolfcrypt/src/kdf.c
Comment thread wolfcrypt/src/kdf.c

lealem47 commented Jun 30, 2026

Contributor Author

Jenkins Retest this please

@lealem47 lealem47 assigned wolfSSL-Bot and unassigned lealem47 Jun 30, 2026
@lealem47 lealem47 force-pushed the input_validation branch from cb5d209 to 69af8ed on July 1, 2026 00:39

Frauschi commented Jul 1, 2026

Contributor

@lealem47 PRB-master-job failures are legit.

@Frauschi Frauschi assigned lealem47 and unassigned wolfSSL-Bot Jul 1, 2026
@lealem47 lealem47 force-pushed the input_validation branch from 69af8ed to b465f15 on July 1, 2026 23:01
@lealem47 lealem47 force-pushed the input_validation branch from b465f15 to 7a1e0ca on July 1, 2026 23:04

Frauschi commented Jul 2, 2026

Contributor

Jenkins retest this please

@Frauschi Frauschi left a comment

Contributor

🐺 Skoll Code Review

Overall recommendation: APPROVE
Findings: 2 total — 2 posted, 0 skipped

Posted findings

  • [Low] FIPS RSA exponent floor reuses WC_RSA_EXPONENT default macro (wolfcrypt/src/rsa.c:5415-5419)
  • [Info] Non-conforming indentation in wc_PRF NULL-argument check (wolfcrypt/src/kdf.c:92-94)

Review generated by Skoll via Claude/Codex

Comment thread wolfcrypt/src/rsa.c
goto out;
}

#if defined(HAVE_FIPS)

Contributor

🔵 [Low] FIPS RSA exponent floor reuses WC_RSA_EXPONENT default macro
💡 SUGGEST question

The new FIPS branch rejects e < WC_RSA_EXPONENT. WC_RSA_EXPONENT is defined in wolfssl/wolfcrypt/rsa.h as the default public exponent (65537L) and is user-overridable via -DWC_RSA_EXPONENT. It defaults to the correct FIPS minimum (2^16+1), so in the common case this is right. But repurposing the "default exponent" macro as a "minimum allowed exponent" for FIPS couples two unrelated concepts: if a user overrides WC_RSA_EXPONENT to a smaller value (e.g. 3), the FIPS floor silently weakens below the FIPS-required 65537, and if they raise it, valid FIPS keys could be rejected. A hardcoded literal (65537L) or a dedicated WC_RSA_MIN_EXPONENT-style macro would express the FIPS constraint unambiguously.

Suggestion:

Suggested change
#if defined(HAVE_FIPS)
#if defined(HAVE_FIPS)
if (e < 65537L || (e & 1) == 0) {
#else
if (e < 3 || (e & 1) == 0) {
#endif
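Review bot: the suggested replacement pins the floor to the literal 65537L but leaves the constraint undocumented at its point of use; since the finding itself proposes a dedicated WC_RSA_MIN_EXPONENT-style macro, the suggestion would be stronger using such a macro, or at minimum a one-line comment stating that 65537 is the FIPS minimum, so a later cleanup does not fold it back into WC_RSA_EXPONENT. The repeated `#if defined(HAVE_FIPS)` line is the rendered suggestion's original line followed by its replacement, not a duplicated directive; the `#else` branch with `e < 3` keeps the non-FIPS floor unchanged.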

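As an added illustration that is not wolfSSL's code, the three validation patterns the review discusses (a FIPS exponent floor decoupled from the overridable default macro, a KDF length check written so word32 addition cannot wrap, and a compressed-point length expansion that rejects inputs whose doubling would overflow); the helper names, the BAD_FUNC_ARG value and the exact arithmetic are assumptions, since the PR text names the checks but not their implementation:

```c
/* Illustrative helpers, not wolfSSL code: names, error value and
 * arithmetic are assumed for the sake of the example. */
#include <stdint.h>

typedef uint32_t word32;
#define BAD_FUNC_ARG (-173)        /* assumed error code, value illustrative */

/* The default exponent stays user-overridable; the FIPS floor does not. */
#ifndef WC_RSA_EXPONENT
#define WC_RSA_EXPONENT 65537L
#endif
#define RSA_MIN_EXPONENT_FIPS 65537L   /* hypothetical dedicated minimum */

/* 0 if e is an acceptable odd public exponent, BAD_FUNC_ARG otherwise.
 * The floor is chosen by fips, not by whatever WC_RSA_EXPONENT was built as. */
int rsa_exponent_ok(long e, int fips)
{
    long floor_e = fips ? RSA_MIN_EXPONENT_FIPS : 3L;
    if (e < floor_e || (e & 1) == 0)
        return BAD_FUNC_ARG;
    return 0;
}

/* Unchecked form kept for contrast: 0xFFFFFFF0 + 0x20 wraps to 0x10
 * in word32 arithmetic and slips under any cap of at least 0x10. */
int kdf_lengths_naive(word32 secLen, word32 seedLen, word32 cap)
{
    return (secLen + seedLen > cap) ? BAD_FUNC_ARG : 0;
}

/* Wrap-free form: subtract instead of add, after bounding the first term. */
int kdf_lengths_ok(word32 secLen, word32 seedLen, word32 cap)
{
    if (secLen > cap || seedLen > cap - secLen)
        return BAD_FUNC_ARG;
    return 0;
}

/* Compressed point (1 + f bytes) to uncompressed (1 + 2f bytes):
 * outLen = 2*inLen - 1. Reject inLen where 2*inLen would not fit a word32. */
int expand_compressed_len(word32 inLen, word32 *outLen)
{
    if (inLen < 2u || inLen > UINT32_MAX / 2u)
        return BAD_FUNC_ARG;
    *outLen = 2u * inLen - 1u;
    return 0;
}
```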
Comment thread wolfcrypt/src/kdf.c
Hmac hmac[1];
#endif

if ((result == NULL && resLen != 0) || (secret == NULL && secLen != 0) ||

Contributor

⚪ [Info] Non-conforming indentation in wc_PRF NULL-argument check
🔧 NIT style

The new NULL-check block uses 3-space continuation indentation and a 2-space indent on the return, unlike the 4-space style used consistently in the sibling checks added to wc_PRF_TLSv1 (lines 241-246) and wc_PRF_TLS (lines 305-310) in the same PR, and unlike the rest of the file. Aligning it keeps the newly added validation blocks uniform.

Suggestion:

Suggested change
if ((result == NULL && resLen != 0) || (secret == NULL && secLen != 0) ||
if ((result == NULL && resLen != 0) || (secret == NULL && secLen != 0) ||
(seed == NULL && seedLen != 0)) {
return BAD_FUNC_ARG;
}
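Review bot: the rendering has stripped the leading whitespace, so the 3-space versus 4-space indentation this nit concerns is not visible in this view and cannot be verified from it; what is visible is the accepted pattern that a NULL pointer is valid only when its paired length is zero (result/resLen, secret/secLen, seed/seedLen), matching the sibling checks the comment cites in wc_PRF_TLSv1 and wc_PRF_TLS, so the suggestion is, as stated, a style alignment rather than a logic change.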

4 participants