Fenrir fixes

tests/api/test_blake2.c

@@ -50,6 +50,12 @@ int test_wc_InitBlake2b(void)
     ExpectIntEQ(wc_InitBlake2b(&blake, 128), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wc_InitBlake2b(NULL, WC_BLAKE2B_DIGEST_SIZE),
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    /* digestSz values that truncate via (byte) cast to a valid size must be
+     * rejected: 257 mod 256 = 1, 320 mod 256 = 64 - both within BLAKE2B range */
+    ExpectIntEQ(wc_InitBlake2b(&blake, 257),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_InitBlake2b(&blake, 256 + BLAKE2B_OUTBYTES),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
     /* Test good arg. */
     ExpectIntEQ(wc_InitBlake2b(&blake, WC_BLAKE2B_DIGEST_SIZE), 0);
@@ -82,6 +88,12 @@ int test_wc_InitBlake2b_WithKey(void)
     ExpectIntEQ(wc_InitBlake2b_WithKey(NULL, digestSz, key, keylen),
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
+    /* digestSz that truncates to a valid byte-sized value must be rejected */
+    ExpectIntEQ(wc_InitBlake2b_WithKey(&blake, 257, NULL, keylen),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_InitBlake2b_WithKey(&blake, 256 + BLAKE2B_OUTBYTES, NULL, keylen),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+
     /* Test good arg. */
     ExpectIntEQ(wc_InitBlake2b_WithKey(&blake, digestSz, NULL, keylen), 0);
     ExpectIntEQ(wc_InitBlake2b_WithKey(&blake, digestSz, key, keylen), 0);
@@ -127,8 +139,14 @@ int test_wc_Blake2bFinal(void)
     ExpectIntEQ(wc_Blake2bFinal(&blake, NULL, 0),
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wc_Blake2bFinal(NULL, hash, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    /* requestSz that truncates to valid byte must be rejected */
+    ExpectIntEQ(wc_Blake2bFinal(&blake, hash, 257),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_Blake2bFinal(&blake, hash, 256 + BLAKE2B_OUTBYTES),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
     /* Test good args. */
+    ExpectIntEQ(wc_InitBlake2b(&blake, WC_BLAKE2B_DIGEST_SIZE), 0);
     ExpectIntEQ(wc_Blake2bFinal(&blake, hash, WC_BLAKE2B_DIGEST_SIZE), 0);
 #endif
     return EXPECT_RESULT();
@@ -322,6 +340,12 @@ int test_wc_InitBlake2s(void)
     ExpectIntEQ(wc_InitBlake2s(&blake, 128), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wc_InitBlake2s(NULL, WC_BLAKE2S_DIGEST_SIZE),
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    /* digestSz that truncates via (byte) cast to a valid size must be rejected:
+     * 257 mod 256 = 1, 288 mod 256 = 32 - both within BLAKE2S range */
+    ExpectIntEQ(wc_InitBlake2s(&blake, 257),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_InitBlake2s(&blake, 256 + BLAKE2S_OUTBYTES),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
     /* Test good arg. */
     ExpectIntEQ(wc_InitBlake2s(&blake, WC_BLAKE2S_DIGEST_SIZE), 0);
@@ -352,6 +376,12 @@ int test_wc_InitBlake2s_WithKey(void)
     ExpectIntEQ(wc_InitBlake2s_WithKey(NULL, digestSz, key, keylen),
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
+    /* digestSz that truncates to a valid byte-sized value must be rejected */
+    ExpectIntEQ(wc_InitBlake2s_WithKey(&blake, 257, NULL, keylen),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_InitBlake2s_WithKey(&blake, 256 + BLAKE2S_OUTBYTES, NULL, keylen),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+
     /* Test good arg. */
     ExpectIntEQ(wc_InitBlake2s_WithKey(&blake, digestSz, NULL, keylen), 0);
     ExpectIntEQ(wc_InitBlake2s_WithKey(&blake, digestSz, key, keylen), 0);
@@ -397,8 +427,14 @@ int test_wc_Blake2sFinal(void)
     ExpectIntEQ(wc_Blake2sFinal(&blake, NULL, 0),
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wc_Blake2sFinal(NULL, hash, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    /* requestSz that truncates to valid byte must be rejected */
+    ExpectIntEQ(wc_Blake2sFinal(&blake, hash, 257),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_Blake2sFinal(&blake, hash, 256 + BLAKE2S_OUTBYTES),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
     /* Test good args. */
+    ExpectIntEQ(wc_InitBlake2s(&blake, WC_BLAKE2S_DIGEST_SIZE), 0);
     ExpectIntEQ(wc_Blake2sFinal(&blake, hash, WC_BLAKE2S_DIGEST_SIZE), 0);
 #endif
     return EXPECT_RESULT();

wolfcrypt/src/ascon.c

@@ -45,6 +45,9 @@
 #ifndef WORD64_AVAILABLE
     #error "Ascon implementation requires a 64-bit word"
 #endif
+#ifdef BIG_ENDIAN_ORDER
+    #error "Ascon not yet supported on big-endian systems"
+#endif
 
 /* Data block size in bytes */
 #define ASCON_HASH256_RATE                              8

wolfcrypt/src/blake2b.c

@@ -426,6 +426,9 @@ int wc_InitBlake2b(Blake2b* b2b, word32 digestSz)
     if (b2b == NULL){
         return BAD_FUNC_ARG;
     }
+    if (digestSz == 0 || digestSz > BLAKE2B_OUTBYTES) {
+        return BAD_FUNC_ARG;
+    }
     b2b->digestSz = digestSz;
 
     return blake2b_init(b2b->S, (byte)digestSz);
@@ -437,6 +440,9 @@ int wc_InitBlake2b_WithKey(Blake2b* b2b, word32 digestSz, const byte *key, word3
     if (b2b == NULL){
         return BAD_FUNC_ARG;
     }
+    if (digestSz == 0 || digestSz > BLAKE2B_OUTBYTES) {
+        return BAD_FUNC_ARG;
+    }
     b2b->digestSz = digestSz;
 
     if (keylen >= 256)
@@ -478,6 +484,9 @@ int wc_Blake2bFinal(Blake2b* b2b, byte* final, word32 requestSz)
     }
 
     sz = requestSz ? requestSz : b2b->digestSz;
+    if (sz == 0 || sz > BLAKE2B_OUTBYTES) {
+        return BAD_FUNC_ARG;
+    }
 
     return blake2b_final(b2b->S, final, (byte)sz);
 }

wolfcrypt/src/blake2s.c

@@ -421,6 +421,9 @@ int wc_InitBlake2s(Blake2s* b2s, word32 digestSz)
     if (b2s == NULL){
         return BAD_FUNC_ARG;
     }
+    if (digestSz == 0 || digestSz > BLAKE2S_OUTBYTES) {
+        return BAD_FUNC_ARG;
+    }
     b2s->digestSz = digestSz;
 
     return blake2s_init(b2s->S, (byte)digestSz);
@@ -433,6 +436,9 @@ int wc_InitBlake2s_WithKey(Blake2s* b2s, word32 digestSz, const byte *key, word3
     if (b2s == NULL){
         return BAD_FUNC_ARG;
     }
+    if (digestSz == 0 || digestSz > BLAKE2S_OUTBYTES) {
+        return BAD_FUNC_ARG;
+    }
     b2s->digestSz = digestSz;
 
     if (keylen >= 256)
@@ -475,6 +481,9 @@ int wc_Blake2sFinal(Blake2s* b2s, byte* final, word32 requestSz)
     }
 
     sz = requestSz ? requestSz : b2s->digestSz;
+    if (sz == 0 || sz > BLAKE2S_OUTBYTES) {
+        return BAD_FUNC_ARG;
+    }
 
     return blake2s_final(b2s->S, final, (byte)sz);
 }

wolfcrypt/src/evp.c

@@ -695,10 +695,16 @@ static int evpCipherBlock(WOLFSSL_EVP_CIPHER_CTX *ctx,
             break;
         #if defined(WOLFSSL_DES_ECB)
         case WC_DES_ECB_TYPE:
-            ret = wc_Des_EcbEncrypt(&ctx->cipher.des, out, in, inl);
+            if (ctx->enc)
+                ret = wc_Des_EcbEncrypt(&ctx->cipher.des, out, in, inl);
+            else
+                ret = wc_Des_EcbDecrypt(&ctx->cipher.des, out, in, inl);
             break;
         case WC_DES_EDE3_ECB_TYPE:
-            ret = wc_Des3_EcbEncrypt(&ctx->cipher.des3, out, in, inl);
+            if (ctx->enc)
+                ret = wc_Des3_EcbEncrypt(&ctx->cipher.des3, out, in, inl);
+            else
+                ret = wc_Des3_EcbDecrypt(&ctx->cipher.des3, out, in, inl);
             break;
         #endif
     #endif
@@ -8749,13 +8755,19 @@ void wolfSSL_EVP_init(void)
 #ifdef WOLFSSL_DES_ECB
             case WC_DES_ECB_TYPE :
                 WOLFSSL_MSG("DES ECB");
-                ret = wc_Des_EcbEncrypt(&ctx->cipher.des, dst, src, len);
+                if (ctx->enc)
+                    ret = wc_Des_EcbEncrypt(&ctx->cipher.des, dst, src, len);
+                else
+                    ret = wc_Des_EcbDecrypt(&ctx->cipher.des, dst, src, len);
                 if (ret == 0)
                     ret = (int)((len / DES_BLOCK_SIZE) * DES_BLOCK_SIZE);
                 break;
             case WC_DES_EDE3_ECB_TYPE :
                 WOLFSSL_MSG("DES3 ECB");
-                ret = wc_Des3_EcbEncrypt(&ctx->cipher.des3, dst, src, len);
+                if (ctx->enc)
+                    ret = wc_Des3_EcbEncrypt(&ctx->cipher.des3, dst, src, len);
+                else
+                    ret = wc_Des3_EcbDecrypt(&ctx->cipher.des3, dst, src, len);
                 if (ret == 0)
                     ret = (int)((len / DES_BLOCK_SIZE) * DES_BLOCK_SIZE);
                 break;

wolfcrypt/src/port/caam/wolfcaam_seco.c

@@ -1075,7 +1075,7 @@ static hsm_err_t wc_SECO_AESGCM(unsigned int args[4], CAAM_BUFFER* buf, int sz)
     }
     XFREE(cipherAndTag, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     (void)sz;
-    return HSM_NO_ERROR;
+    return err;
 }
 
 

wolfcrypt/src/sp_arm32.c

@@ -75874,17 +75874,16 @@ static int sp_256_ecc_mulmod_8(sp_point_256* r, const sp_point_256* g,
         if (cache->cnt == 2)
             sp_256_gen_stripe_table_8(g, cache->table, tmp, heap);
 
-#ifndef HAVE_THREAD_LS
-        wc_UnLockMutex(&sp_cache_256_lock);
-#endif /* HAVE_THREAD_LS */
-
         if (cache->cnt < 2) {
             err = sp_256_ecc_mulmod_fast_8(r, g, k, map, ct, heap);
         }
         else {
             err = sp_256_ecc_mulmod_stripe_8(r, g, cache->table, k,
                     map, ct, heap);
         }
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
     }
 
     SP_FREE_VAR(tmp, heap, DYNAMIC_TYPE_ECC);
@@ -76256,17 +76255,16 @@ static int sp_256_ecc_mulmod_8(sp_point_256* r, const sp_point_256* g,
         if (cache->cnt == 2)
             sp_256_gen_stripe_table_8(g, cache->table, tmp, heap);
 
-#ifndef HAVE_THREAD_LS
-        wc_UnLockMutex(&sp_cache_256_lock);
-#endif /* HAVE_THREAD_LS */
-
         if (cache->cnt < 2) {
             err = sp_256_ecc_mulmod_fast_8(r, g, k, map, ct, heap);
         }
         else {
             err = sp_256_ecc_mulmod_stripe_8(r, g, cache->table, k,
                     map, ct, heap);
         }
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
     }
 
     SP_FREE_VAR(tmp, heap, DYNAMIC_TYPE_ECC);
@@ -93909,17 +93907,16 @@ static int sp_384_ecc_mulmod_12(sp_point_384* r, const sp_point_384* g,
         if (cache->cnt == 2)
             sp_384_gen_stripe_table_12(g, cache->table, tmp, heap);
 
-#ifndef HAVE_THREAD_LS
-        wc_UnLockMutex(&sp_cache_384_lock);
-#endif /* HAVE_THREAD_LS */
-
         if (cache->cnt < 2) {
             err = sp_384_ecc_mulmod_fast_12(r, g, k, map, ct, heap);
         }
         else {
             err = sp_384_ecc_mulmod_stripe_12(r, g, cache->table, k,
                     map, ct, heap);
         }
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
     }
 
     SP_FREE_VAR(tmp, heap, DYNAMIC_TYPE_ECC);
@@ -94307,17 +94304,16 @@ static int sp_384_ecc_mulmod_12(sp_point_384* r, const sp_point_384* g,
         if (cache->cnt == 2)
             sp_384_gen_stripe_table_12(g, cache->table, tmp, heap);
 
-#ifndef HAVE_THREAD_LS
-        wc_UnLockMutex(&sp_cache_384_lock);
-#endif /* HAVE_THREAD_LS */
-
         if (cache->cnt < 2) {
             err = sp_384_ecc_mulmod_fast_12(r, g, k, map, ct, heap);
         }
         else {
             err = sp_384_ecc_mulmod_stripe_12(r, g, cache->table, k,
                     map, ct, heap);
         }
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
     }
 
     SP_FREE_VAR(tmp, heap, DYNAMIC_TYPE_ECC);
@@ -121070,17 +121066,16 @@ static int sp_521_ecc_mulmod_17(sp_point_521* r, const sp_point_521* g,
         if (cache->cnt == 2)
             sp_521_gen_stripe_table_17(g, cache->table, tmp, heap);
 
-#ifndef HAVE_THREAD_LS
-        wc_UnLockMutex(&sp_cache_521_lock);
-#endif /* HAVE_THREAD_LS */
-
         if (cache->cnt < 2) {
             err = sp_521_ecc_mulmod_fast_17(r, g, k, map, ct, heap);
         }
         else {
             err = sp_521_ecc_mulmod_stripe_17(r, g, cache->table, k,
                     map, ct, heap);
         }
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_521_lock);
+#endif /* HAVE_THREAD_LS */
     }
 
     SP_FREE_VAR(tmp, heap, DYNAMIC_TYPE_ECC);
@@ -121488,17 +121483,16 @@ static int sp_521_ecc_mulmod_17(sp_point_521* r, const sp_point_521* g,
         if (cache->cnt == 2)
             sp_521_gen_stripe_table_17(g, cache->table, tmp, heap);
 
-#ifndef HAVE_THREAD_LS
-        wc_UnLockMutex(&sp_cache_521_lock);
-#endif /* HAVE_THREAD_LS */
-
         if (cache->cnt < 2) {
             err = sp_521_ecc_mulmod_fast_17(r, g, k, map, ct, heap);
         }
         else {
             err = sp_521_ecc_mulmod_stripe_17(r, g, cache->table, k,
                     map, ct, heap);
         }
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_521_lock);
+#endif /* HAVE_THREAD_LS */
     }
 
     SP_FREE_VAR(tmp, heap, DYNAMIC_TYPE_ECC);
@@ -150839,17 +150833,16 @@ static int sp_1024_ecc_mulmod_32(sp_point_1024* r, const sp_point_1024* g,
         if (cache->cnt == 2)
             sp_1024_gen_stripe_table_32(g, cache->table, tmp, heap);
 
-#ifndef HAVE_THREAD_LS
-        wc_UnLockMutex(&sp_cache_1024_lock);
-#endif /* HAVE_THREAD_LS */
-
         if (cache->cnt < 2) {
             err = sp_1024_ecc_mulmod_fast_32(r, g, k, map, ct, heap);
         }
         else {
             err = sp_1024_ecc_mulmod_stripe_32(r, g, cache->table, k,
                     map, ct, heap);
         }
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_1024_lock);
+#endif /* HAVE_THREAD_LS */
     }
 
     SP_FREE_VAR(tmp, heap, DYNAMIC_TYPE_ECC);
@@ -151154,17 +151147,16 @@ static int sp_1024_ecc_mulmod_32(sp_point_1024* r, const sp_point_1024* g,
         if (cache->cnt == 2)
             sp_1024_gen_stripe_table_32(g, cache->table, tmp, heap);
 
-#ifndef HAVE_THREAD_LS
-        wc_UnLockMutex(&sp_cache_1024_lock);
-#endif /* HAVE_THREAD_LS */
-
         if (cache->cnt < 2) {
             err = sp_1024_ecc_mulmod_fast_32(r, g, k, map, ct, heap);
         }
         else {
             err = sp_1024_ecc_mulmod_stripe_32(r, g, cache->table, k,
                     map, ct, heap);
         }
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_1024_lock);
+#endif /* HAVE_THREAD_LS */
     }
 
     SP_FREE_VAR(tmp, heap, DYNAMIC_TYPE_ECC);