Crypto layer: Add missing input validation#10819
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens wolfCrypt/wolfSSL by adding additional input validation and tightening default Diffie–Hellman parameter minimums to align with modern security guidance (2048-bit minimum by default, overridable for legacy use).
Changes:
- Introduces
DH_MIN_SIZE(default 2048 bits) and aligns TLS-layer DH minimums with the DH primitive’s minimum. - Adds/adjusts input validation to prevent overflow/wraparound and invalid arguments in KDF/PRF, ECC key import, RSA key generation, and DH operations.
- Updates an existing DH test to be conditionally compiled based on
DH_MIN_SIZE.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfssl/wolfcrypt/settings.h | Defines DH_MIN_SIZE with a secure default and legacy override mapping. |
| wolfssl/version.h | Updates library version macros (currently inconsistent with rest of repo). |
| wolfssl/internal.h | Aligns WOLFSSL_MIN_DHKEY_BITS default with DH_MIN_SIZE and enforces consistency. |
| wolfcrypt/src/rsa.c | Fixes heap usage in an OAEP error path and tightens RSA exponent validation under FIPS. |
| wolfcrypt/src/kdf.c | Adds null/length argument validation and prevents word32 wraparound in length checks. |
| wolfcrypt/src/ecc.c | Prevents potential word32 overflow when expanding compressed ECC point lengths. |
| wolfcrypt/src/dh.c | Rejects DH primes smaller than DH_MIN_SIZE and adds a null check in wc_DhCheckPubValue. |
| tests/api/test_dh.c | Gates a subgroup-check test on DH_MIN_SIZE (affects coverage in default builds). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
c66cde1 to
8961b60
Compare
|
Jenkins Retest this please |
cb5d209 to
69af8ed
Compare
|
@lealem47 PRB-master-job failures are legit. |
69af8ed to
b465f15
Compare
b465f15 to
7a1e0ca
Compare
|
Jenkins retest this please |
Frauschi
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: APPROVE
Findings: 2 total — 2 posted, 0 skipped
Posted findings
- [Low] FIPS RSA exponent floor reuses WC_RSA_EXPONENT default macro —
wolfcrypt/src/rsa.c:5415-5419 - [Info] Non-conforming indentation in wc_PRF NULL-argument check —
wolfcrypt/src/kdf.c:92-94
Review generated by Skoll via Claude/Codex
| goto out; | ||
| } | ||
|
|
||
| #if defined(HAVE_FIPS) |
There was a problem hiding this comment.
🔵 [Low] FIPS RSA exponent floor reuses WC_RSA_EXPONENT default macro
💡 SUGGEST question
The new FIPS branch rejects e < WC_RSA_EXPONENT. WC_RSA_EXPONENT is defined in wolfssl/wolfcrypt/rsa.h as the default public exponent (65537L) and is user-overridable via -DWC_RSA_EXPONENT. It defaults to the correct FIPS minimum (2^16+1), so in the common case this is right. But repurposing the "default exponent" macro as a "minimum allowed exponent" for FIPS couples two unrelated concepts: if a user overrides WC_RSA_EXPONENT to a smaller value (e.g. 3), the FIPS floor silently weakens below the FIPS-required 65537, and if they raise it, valid FIPS keys could be rejected. A hardcoded literal (65537L) or a dedicated WC_RSA_MIN_EXPONENT-style macro would express the FIPS constraint unambiguously.
Suggestion:
| #if defined(HAVE_FIPS) | |
| #if defined(HAVE_FIPS) | |
| if (e < 65537L || (e & 1) == 0) { | |
| #else | |
| if (e < 3 || (e & 1) == 0) { | |
| #endif |
| Hmac hmac[1]; | ||
| #endif | ||
|
|
||
| if ((result == NULL && resLen != 0) || (secret == NULL && secLen != 0) || |
There was a problem hiding this comment.
⚪ [Info] Non-conforming indentation in wc_PRF NULL-argument check
🔧 NIT style
The new NULL-check block uses 3-space continuation indentation and a 2-space indent on the return, unlike the 4-space style used consistently in the sibling checks added to wc_PRF_TLSv1 (lines 241-246) and wc_PRF_TLS (lines 305-310) in the same PR, and unlike the rest of the file. Aligning it keeps the newly added validation blocks uniform.
Suggestion:
| if ((result == NULL && resLen != 0) || (secret == NULL && secLen != 0) || | |
| if ((result == NULL && resLen != 0) || (secret == NULL && secLen != 0) || | |
| (seed == NULL && seedLen != 0)) { | |
| return BAD_FUNC_ARG; | |
| } |
Description
Adding miscellaneous input validation throughout wolfcrypt files.
Testing
./configure --enable-all && make check
Checklist