From 9bc3ecfbce92245bf0e744402c3ca8321385f2d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Mon, 13 Apr 2026 14:30:06 +0200 Subject: [PATCH 1/8] Fix various range and size bugs in PKCS#7 code --- tests/api.c | 102 ++++++++++++++++++++++++++++++++++++++++++ wolfcrypt/src/pkcs7.c | 64 +++++++++++++++++++++++--- 2 files changed, 159 insertions(+), 7 deletions(-) diff --git a/tests/api.c b/tests/api.c index 7cde2a6bdc5..a3893ff21b1 100644 --- a/tests/api.c +++ b/tests/api.c @@ -35539,6 +35539,107 @@ static int test_pkcs7_ori_oversized_oid(void) return EXPECT_RESULT(); } +/* ORI callback that flags if oriValueSz looks like an underflow (>= 0x80000000) */ +#if defined(HAVE_PKCS7) && !defined(WOLFSSL_NO_MALLOC) +static int test_ori_underflow_cb(wc_PKCS7* pkcs7, byte* oriType, + word32 oriTypeSz, byte* oriValue, + word32 oriValueSz, byte* decryptedKey, + word32* decryptedKeySz, void* ctx) +{ + int* called = (int*)ctx; + (void)pkcs7; (void)oriType; (void)oriTypeSz; + (void)oriValue; (void)decryptedKey; (void)decryptedKeySz; + if (called != NULL) + *called = (int)oriValueSz; /* record what we received */ + return -1; +} +#endif + +/* Test: PKCS#7 ORI must reject when OID consumption exceeds the [4] implicit + * SEQUENCE length (integer underflow in oriValueSz computation). + * + * With implicit tagging, [4] CONSTRUCTED replaces the SEQUENCE tag, so + * wc_PKCS7_DecryptOri reads seqSz directly from the [4] length field. + * We set [4] length = 5 while the OID inside consumes 22 bytes + * (tag + length + 20 content), triggering oriValueSz = 5 - 22 = underflow. + * + * The buffer includes a dummy EncryptedContentInfo after the RecipientInfos + * so the total message is large enough for the PKCS7 streaming code (which + * requests the full remaining message before parsing the ORI). */ +static int test_pkcs7_ori_seqsz_underflow(void) +{ + EXPECT_DECLS; +#if defined(HAVE_PKCS7) && !defined(WOLFSSL_NO_MALLOC) + wc_PKCS7* p7 = NULL; + byte out[256]; + int cbCalled = 0; + + /* + * Byte layout (all outer lengths match actual byte counts on wire): + * + * OID inside [4]: 06 14 <20 bytes> = 22 bytes + * [4] (declared len 5, actual content 22): + * a4 05 <22 bytes> = 24 bytes on wire + * SET: 31 18 <24 bytes> = 26 bytes on wire + * version: 02 01 00 = 3 bytes + * EncryptedContentInfo (filler, never parsed): + * 30 0b { 06 09 <9 bytes OID> } = 13 bytes on wire + * EnvelopedData: 30 2a <3+26+13=42 bytes> = 44 bytes on wire + * [0] EXPLICIT: a0 2c <44 bytes> = 46 bytes on wire + * OID(envelopedData): 06 09 <9 bytes> = 11 bytes on wire + * ContentInfo: 30 39 <11+46=57 bytes> = 59 bytes total + */ + static const byte poc[] = { + /* ContentInfo SEQUENCE (length 57) */ + 0x30, 0x39, + /* contentType = envelopedData 1.2.840.113549.1.7.3 */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, + /* [0] EXPLICIT (length 44) */ + 0xa0, 0x2c, + /* EnvelopedData SEQUENCE (length 42) */ + 0x30, 0x2a, + /* version = 0 */ + 0x02, 0x01, 0x00, + /* RecipientInfos SET (length 24) */ + 0x31, 0x18, + /* [4] CONSTRUCTED = ORI implicit SEQUENCE, declared len 5 */ + /* Actual OID is 22 bytes -> exceeds declared 5 */ + 0xa4, 0x05, + /* OID: tag=06, len=0x14(20), content=20 bytes = 22 total */ + 0x06, 0x14, + 0x2a, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, + 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, + 0x12, 0x13, 0x14, 0x15, + /* EncryptedContentInfo SEQUENCE (length 11) - filler so + * streaming has enough data; never actually parsed because + * DecryptOri fails before we get here */ + 0x30, 0x0b, + /* contentType = data 1.2.840.113549.1.7.1 */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x01 + }; + + p7 = wc_PKCS7_New(NULL, INVALID_DEVID); + ExpectNotNull(p7); + if (p7 != NULL) { + wc_PKCS7_SetOriDecryptCb(p7, test_ori_underflow_cb); + wc_PKCS7_SetOriDecryptCtx(p7, &cbCalled); + + /* Must return an error before the callback sees an underflowed size */ + ExpectIntLT(wc_PKCS7_DecodeEnvelopedData(p7, (byte*)poc, sizeof(poc), + out, sizeof(out)), 0); + + /* The callback must NOT have been invoked with a wrapped oriValueSz. + * cbCalled == 0 means the callback was never reached (ideal). + * cbCalled < 0 would indicate the underflow was passed through. */ + ExpectIntGE(cbCalled, 0); + + wc_PKCS7_Free(p7); + } +#endif + return EXPECT_RESULT(); +} + /* Dilithium verify_ctx_msg must reject absurdly large msgLen */ static int test_dilithium_hash(void) { @@ -36477,6 +36578,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_ed448_rejects_identity_key), TEST_DECL(test_pkcs7_decode_encrypted_outputsz), TEST_DECL(test_pkcs7_ori_oversized_oid), + TEST_DECL(test_pkcs7_ori_seqsz_underflow), TEST_DECL(test_pkcs7_padding), #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_CHAIN_INPUT) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 3f6649d0adb..36eccb46d88 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -10758,15 +10758,19 @@ static int wc_PKCS7_DecryptKtri(wc_PKCS7* pkcs7, byte* in, word32 inSz, if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; - if ((word32)keyIdSize > pkiMsgSz - (*idx)) + /* Validate SKID container and keyIdSize against buffer */ + if ((word32)length > pkiMsgSz - (*idx)) return BUFFER_E; + if (length < keyIdSize) + return ASN_PARSE_E; + /* if we found correct recipient, SKID will match */ if (XMEMCMP(pkiMsg + (*idx), pkcs7->issuerSubjKeyId, (word32)keyIdSize) == 0) { *recipFound = 1; } - (*idx) += (word32)keyIdSize; + (*idx) += (word32)length; } if (GetAlgoId(pkiMsg, idx, &encOID, oidKeyType, pkiMsgSz) < 0) @@ -11043,6 +11047,14 @@ static int wc_PKCS7_KariGetOriginatorIdentifierOrKey(WC_PKCS7_KARI* kari, if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; + /* BIT STRING must have at least unused-bits byte + 1 byte of content */ + if (length < 2) + return ASN_PARSE_E; + + /* Validate BIT STRING content is within input buffer */ + if (*idx > pkiMsgSz || (word32)length > pkiMsgSz - *idx) + return ASN_PARSE_E; + if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) return ASN_EXPECT_0_E; @@ -11522,9 +11534,22 @@ static int wc_PKCS7_DecryptOri(wc_PKCS7* pkcs7, byte* in, word32 inSz, XMEMCPY(oriOID, pkiMsg + *idx, (word32)oriOIDSz); *idx += (word32)oriOIDSz; + /* Validate OID did not consume more than the SEQUENCE declared */ + if ((*idx - tmpIdx) > (word32)seqSz) { + WOLFSSL_MSG("ORI oriType OID exceeds SEQUENCE boundary"); + return ASN_PARSE_E; + } + /* get oriValue, increment idx */ oriValue = pkiMsg + *idx; oriValueSz = (word32)seqSz - (*idx - tmpIdx); + + /* Validate oriValue region is within input buffer */ + if (*idx > pkiMsgSz || oriValueSz > pkiMsgSz - *idx) { + WOLFSSL_MSG("ORI oriValue exceeds input buffer"); + return ASN_PARSE_E; + } + *idx += oriValueSz; /* pass oriOID and oriValue to user callback, expect back @@ -11702,6 +11727,12 @@ static int wc_PKCS7_DecryptPwri(wc_PKCS7* pkcs7, byte* in, word32 inSz, return ASN_PARSE_E; } + /* Validate IV is within input buffer */ + if (*idx > pkiMsgSz || (word32)length > pkiMsgSz - *idx) { + XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + return ASN_PARSE_E; + } + XMEMCPY(tmpIv, pkiMsg + (*idx), (word32)length); *idx += (word32)length; @@ -11721,6 +11752,12 @@ static int wc_PKCS7_DecryptPwri(wc_PKCS7* pkcs7, byte* in, word32 inSz, return ASN_PARSE_E; } + /* Validate EncryptedKey is within input buffer */ + if (*idx > pkiMsgSz || (word32)length > pkiMsgSz - *idx) { + XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + return ASN_PARSE_E; + } + /* allocate temporary space for decrypted key */ cekSz = (word32)length; cek = (byte*)XMALLOC(cekSz, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); @@ -11807,7 +11844,7 @@ static int wc_PKCS7_DecryptKekri(wc_PKCS7* pkcs7, byte* in, word32 inSz, byte* keyId = NULL; const byte* datePtr = NULL; byte dateFormat, tag; - word32 keyIdSz, kekIdSz, keyWrapOID, localIdx; + word32 keyIdSz, kekIdSz, kekIdEnd, keyWrapOID, localIdx; int ret = 0; byte* pkiMsg = in; @@ -11833,6 +11870,11 @@ static int wc_PKCS7_DecryptKekri(wc_PKCS7* pkcs7, byte* in, word32 inSz, return ASN_PARSE_E; kekIdSz = (word32)length; + kekIdEnd = *idx + kekIdSz; + + /* Validate KEKIdentifier boundary is within input buffer */ + if (kekIdEnd < *idx || kekIdEnd > pkiMsgSz) + return ASN_PARSE_E; if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) return ASN_PARSE_E; @@ -11843,6 +11885,10 @@ static int wc_PKCS7_DecryptKekri(wc_PKCS7* pkcs7, byte* in, word32 inSz, if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; + /* Validate keyIdentifier is within input buffer */ + if (*idx > pkiMsgSz || (word32)length > pkiMsgSz - *idx) + return ASN_PARSE_E; + /* save keyIdentifier and length */ keyId = pkiMsg + *idx; keyIdSz = (word32)length; @@ -11850,10 +11896,10 @@ static int wc_PKCS7_DecryptKekri(wc_PKCS7* pkcs7, byte* in, word32 inSz, /* may have OPTIONAL GeneralizedTime */ localIdx = *idx; - if ((*idx < kekIdSz) && GetASNTag(pkiMsg, &localIdx, &tag, + if ((*idx < kekIdEnd) && GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz) == 0 && tag == ASN_GENERALIZED_TIME) { - if (wc_GetDateInfo(pkiMsg + *idx, (int)pkiMsgSz, &datePtr, - &dateFormat, &dateLen) != 0) { + if (wc_GetDateInfo(pkiMsg + *idx, (int)(pkiMsgSz - *idx), + &datePtr, &dateFormat, &dateLen) != 0) { return ASN_PARSE_E; } *idx += (word32)(dateLen + 1); @@ -11865,7 +11911,7 @@ static int wc_PKCS7_DecryptKekri(wc_PKCS7* pkcs7, byte* in, word32 inSz, /* may have OPTIONAL OtherKeyAttribute */ localIdx = *idx; - if ((*idx < kekIdSz) && GetASNTag(pkiMsg, &localIdx, &tag, + if ((*idx < kekIdEnd) && GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz) == 0 && tag == (ASN_SEQUENCE | ASN_CONSTRUCTED)) { if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0) @@ -11894,6 +11940,10 @@ static int wc_PKCS7_DecryptKekri(wc_PKCS7* pkcs7, byte* in, word32 inSz, if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; + /* Validate EncryptedKey is within input buffer */ + if (*idx > pkiMsgSz || (word32)length > pkiMsgSz - *idx) + return ASN_PARSE_E; + #ifndef NO_AES direction = AES_DECRYPTION; #else From 248f8cac592ff4c8d05c443a0a8a795b1e379f89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Mon, 13 Apr 2026 15:52:56 +0200 Subject: [PATCH 2/8] add length check in PKCS#7 --- wolfcrypt/src/pkcs7.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 36eccb46d88..cfbe08acb43 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -14444,7 +14444,16 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in, if (GetLength_ex(pkiMsg, &idx, &length, pkiMsgSz, 0) <= 0) { ret = ASN_PARSE_E; } - #ifndef NO_PKCS7_STREAM + + #ifdef NO_PKCS7_STREAM + /* In non-streaming mode, validate authenticatedAttributes + * length is within the input buffer. The streaming path + * handles this via wc_PKCS7_AddDataToStream instead. */ + if (ret == 0 && + (idx > pkiMsgSz || (word32)length > pkiMsgSz - idx)) { + ret = ASN_PARSE_E; + } + #else pkcs7->stream->expected = (word32)length; #endif encodedAttribSz = (word32)length + (idx - encodedAttribIdx); From 9cc2deecb13d5dd427db5ffb1f6bd368f5e4c46f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Mon, 13 Apr 2026 15:53:35 +0200 Subject: [PATCH 3/8] Fix PKCS#7 regression with --enable-all and NO_PKCS7_STREAM --- tests/api/test_pkcs7.c | 34 ++++++++++++++++------------------ wolfcrypt/src/pkcs7.c | 11 ++++++----- 2 files changed, 22 insertions(+), 23 deletions(-) diff --git a/tests/api/test_pkcs7.c b/tests/api/test_pkcs7.c index 3c8b59fb8e4..cd9f7aa5752 100644 --- a/tests/api/test_pkcs7.c +++ b/tests/api/test_pkcs7.c @@ -2397,7 +2397,8 @@ static int myCEKwrapFunc(PKCS7* pkcs7, byte* cek, word32 cekSz, byte* keyId, HAVE_AES_KEYWRAP */ -#if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER) && !defined(NO_RSA) +#if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER) && !defined(NO_RSA) && \ + !defined(NO_PKCS7_STREAM) #define MAX_TEST_DECODE_SIZE 6000 static int test_wc_PKCS7_DecodeEnvelopedData_stream_decrypt_cb(wc_PKCS7* pkcs7, const byte* output, word32 outputSz, void* ctx) { @@ -2430,7 +2431,8 @@ static int test_wc_PKCS7_DecodeEnvelopedData_stream_decrypt_cb(wc_PKCS7* pkcs7, int test_wc_PKCS7_DecodeEnvelopedData_stream(void) { EXPECT_DECLS; -#if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER) && !defined(NO_RSA) +#if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER) && !defined(NO_RSA) && \ + !defined(NO_PKCS7_STREAM) PKCS7* pkcs7 = NULL; int ret = 0; XFILE f = XBADFILE; @@ -2579,7 +2581,7 @@ int test_wc_PKCS7_EncodeDecodeEnvelopedData(void) EXPECT_DECLS; #if defined(HAVE_PKCS7) PKCS7* pkcs7 = NULL; -#ifdef ASN_BER_TO_DER +#if defined(ASN_BER_TO_DER) && !defined(NO_PKCS7_STREAM) int encodedSz = 0; #endif #ifdef ECC_TIMING_RESISTANT @@ -2784,7 +2786,7 @@ int test_wc_PKCS7_EncodeDecodeEnvelopedData(void) testSz = (int)sizeof(testVectors)/(int)sizeof(pkcs7EnvelopedVector); for (i = 0; i < testSz; i++) { - #ifdef ASN_BER_TO_DER + #if defined(ASN_BER_TO_DER) && !defined(NO_PKCS7_STREAM) encodeSignedDataStream strm; /* test setting stream mode, the first one using IO callbacks */ @@ -2950,17 +2952,11 @@ int test_wc_PKCS7_EncodeDecodeEnvelopedData(void) pkcs7->singleCert = NULL; } #ifndef NO_RSA - #if defined(NO_PKCS7_STREAM) - /* when none streaming mode is used and PKCS7 is in bad state buffer error - * is returned from kari parse which gets set to bad func arg */ - ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output, - (word32)sizeof(output), decoded, (word32)sizeof(decoded)), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - #else + /* With corrupted singleCert, decode should fail with a parse error. + * State is properly reset on error so re-decode starts from scratch. */ ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output, (word32)sizeof(output), decoded, (word32)sizeof(decoded)), WC_NO_ERR_TRACE(ASN_PARSE_E)); - #endif #endif /* !NO_RSA */ if (pkcs7 != NULL) { pkcs7->singleCert = tmpBytePtr; @@ -3991,7 +3987,8 @@ int test_wc_PKCS7_Degenerate(void) } /* END test_wc_PKCS7_Degenerate() */ #if defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && \ - defined(ASN_BER_TO_DER) && !defined(NO_DES3) && !defined(NO_SHA) + defined(ASN_BER_TO_DER) && !defined(NO_DES3) && !defined(NO_SHA) && \ + !defined(NO_PKCS7_STREAM) static byte berContent[] = { 0x30, 0x80, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03, 0xA0, 0x80, 0x30, @@ -4182,7 +4179,7 @@ static byte berContent[] = { 0x00, 0x00, 0x00, 0x00, 0x00 }; #endif /* HAVE_PKCS7 && !NO_FILESYSTEM && ASN_BER_TO_DER && - * !NO_DES3 && !NO_SHA + * !NO_DES3 && !NO_SHA && !NO_PKCS7_STREAM */ /* @@ -4197,7 +4194,7 @@ int test_wc_PKCS7_BER(void) char fName[] = "./certs/test-ber-exp02-05-2022.p7b"; XFILE f = XBADFILE; byte der[4096]; -#ifndef NO_DES3 +#if !defined(NO_DES3) && !defined(NO_PKCS7_STREAM) byte decoded[2048]; #endif word32 derSz = 0; @@ -4242,8 +4239,9 @@ int test_wc_PKCS7_BER(void) wc_PKCS7_Free(pkcs7); pkcs7 = NULL; -#ifndef NO_DES3 - /* decode BER content */ +#if !defined(NO_DES3) && !defined(NO_PKCS7_STREAM) + /* decode BER content - requires PKCS7 streaming to handle indefinite + * length encoding in the EnvelopedData structure */ ExpectTrue((f = XFOPEN("./certs/1024/client-cert.der", "rb")) != XBADFILE); ExpectTrue((derSz = (word32)XFREAD(der, 1, sizeof(der), f)) > 0); if (f != XBADFILE) { @@ -4280,7 +4278,7 @@ int test_wc_PKCS7_BER(void) sizeof(berContent), decoded, sizeof(decoded)), WC_NO_ERR_TRACE(NOT_COMPILED_IN)); #endif wc_PKCS7_Free(pkcs7); -#endif /* !NO_DES3 */ +#endif /* !NO_DES3 && !NO_PKCS7_STREAM */ #endif return EXPECT_RESULT(); } /* END test_wc_PKCS7_BER() */ diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index cfbe08acb43..e6202db87df 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -10758,15 +10758,13 @@ static int wc_PKCS7_DecryptKtri(wc_PKCS7* pkcs7, byte* in, word32 inSz, if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; - /* Validate SKID container and keyIdSize against buffer */ + /* Validate SKID container is within buffer */ if ((word32)length > pkiMsgSz - (*idx)) return BUFFER_E; - if (length < keyIdSize) - return ASN_PARSE_E; - /* if we found correct recipient, SKID will match */ - if (XMEMCMP(pkiMsg + (*idx), pkcs7->issuerSubjKeyId, + if (length == keyIdSize && + XMEMCMP(pkiMsg + (*idx), pkcs7->issuerSubjKeyId, (word32)keyIdSize) == 0) { *recipFound = 1; } @@ -13389,6 +13387,9 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, } } #else + if (ret < 0) { + wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START); + } if (decryptedKey != NULL && ret < 0) { ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ); XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); From ffbedac5a853554c766327c3bb06e194341ca344 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Mon, 13 Apr 2026 15:58:47 +0200 Subject: [PATCH 4/8] Fix invalid preprocessor guard in PKCS7 with SHA224 Also add missing ForceZero for ECDH shared secret on the heap. --- wolfcrypt/src/pkcs7.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index e6202db87df..e009dc478e0 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -7771,7 +7771,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, kdfType = WC_HASH_TYPE_SHA; break; #endif - #ifndef WOLFSSL_SHA224 + #ifdef WOLFSSL_SHA224 case dhSinglePass_stdDH_sha224kdf_scheme: kdfType = WC_HASH_TYPE_SHA224; break; @@ -7793,6 +7793,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, #endif default: WOLFSSL_MSG("Unsupported key agreement algorithm"); + ForceZero(secret, secretSz); XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return BAD_FUNC_ARG; }; @@ -7805,6 +7806,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, ret = NOT_COMPILED_IN; #endif + ForceZero(secret, secretSz); XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return ret; } From 3561d35389b8bfbba3b0d2cca62c97b590440649 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Mon, 13 Apr 2026 16:20:55 +0200 Subject: [PATCH 5/8] Add missing ForceZero calls in PKCS#7 --- wolfcrypt/src/pkcs7.c | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index e009dc478e0..269089d9632 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -211,6 +211,9 @@ static void wc_PKCS7_ResetStream(wc_PKCS7* pkcs7) XFREE(pkcs7->stream->tag, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->nonce, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->buffer, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + /* stream->key is always allocated with MAX_ENCRYPTED_KEY_SZ */ + if (pkcs7->stream->key != NULL) + ForceZero(pkcs7->stream->key, MAX_ENCRYPTED_KEY_SZ); XFREE(pkcs7->stream->key, pkcs7->heap, DYNAMIC_TYPE_PKCS7); pkcs7->stream->aad = NULL; pkcs7->stream->tag = NULL; @@ -7759,6 +7762,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, } if (ret != 0) { + ForceZero(secret, secretSz); XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return ret; } @@ -9752,6 +9756,7 @@ int wc_PKCS7_AddRecipient_PWRI(wc_PKCS7* pkcs7, byte* passwd, word32 pLen, (word32)kekKeySz); if (ret < 0) { XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(kek, (word32)kekKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return ret; @@ -9763,6 +9768,7 @@ int wc_PKCS7_AddRecipient_PWRI(wc_PKCS7* pkcs7, byte* passwd, word32 pLen, tmpIv, (word32)kekBlockSz, encryptOID); if (ret < 0) { XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(kek, (word32)kekKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return ret; @@ -9787,6 +9793,7 @@ int wc_PKCS7_AddRecipient_PWRI(wc_PKCS7* pkcs7, byte* passwd, word32 pLen, ret = wc_SetContentType(PWRI_KEK_WRAP, keyEncAlgoId, sizeof(keyEncAlgoId)); if (ret <= 0) { XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(kek, (word32)kekKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return ret; @@ -9818,6 +9825,7 @@ int wc_PKCS7_AddRecipient_PWRI(wc_PKCS7* pkcs7, byte* passwd, word32 pLen, ret = wc_SetContentType(kdfOID, kdfAlgoId, sizeof(kdfAlgoId)); if (ret <= 0) { XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(kek, (word32)kekKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return ret; @@ -9843,6 +9851,7 @@ int wc_PKCS7_AddRecipient_PWRI(wc_PKCS7* pkcs7, byte* passwd, word32 pLen, if (totalSz > MAX_RECIP_SZ) { WOLFSSL_MSG("CMS Recipient output buffer too small"); XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(kek, (word32)kekKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return BUFFER_E; @@ -9880,7 +9889,7 @@ int wc_PKCS7_AddRecipient_PWRI(wc_PKCS7* pkcs7, byte* passwd, word32 pLen, XMEMCPY(recip->recip + idx, encryptedKey, encryptedKeySz); idx += encryptedKeySz; - ForceZero(kek, (word32)kekBlockSz); + ForceZero(kek, (word32)kekKeySz); ForceZero(encryptedKey, encryptedKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); @@ -10601,7 +10610,9 @@ static int wc_PKCS7_DecryptKtri(wc_PKCS7* pkcs7, byte* in, word32 inSz, word32 pkiMsgSz = inSz; byte tag; - +#ifndef WC_NO_RSA_OAEP + word32 outKeySz = 0; +#endif #ifndef NO_PKCS7_STREAM word32 tmpIdx = *idx; #endif @@ -10910,8 +10921,8 @@ static int wc_PKCS7_DecryptKtri(wc_PKCS7* pkcs7, byte* in, word32 inSz, #ifndef WC_NO_RSA_OAEP } else { - word32 outLen = (word32)wc_RsaEncryptSize(privKey); - outKey = (byte*)XMALLOC(outLen, pkcs7->heap, + outKeySz = (word32)wc_RsaEncryptSize(privKey); + outKey = (byte*)XMALLOC(outKeySz, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); if (!outKey) { WOLFSSL_MSG("Failed to allocate out key buffer"); @@ -10925,9 +10936,9 @@ static int wc_PKCS7_DecryptKtri(wc_PKCS7* pkcs7, byte* in, word32 inSz, } keySz = wc_RsaPrivateDecrypt_ex(encryptedKey, - (word32)encryptedKeySz, outKey, outLen, privKey, - WC_RSA_OAEP_PAD, - WC_HASH_TYPE_SHA, WC_MGF1SHA1, NULL, 0); + (word32)encryptedKeySz, outKey, outKeySz, + privKey, WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA, + WC_MGF1SHA1, NULL, 0); } #endif } @@ -10950,6 +10961,7 @@ static int wc_PKCS7_DecryptKtri(wc_PKCS7* pkcs7, byte* in, word32 inSz, #ifndef WC_NO_RSA_OAEP if (encOID == RSAESOAEPk) { if (outKey) { + ForceZero(outKey, outKeySz); XFREE(outKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); } } @@ -10966,6 +10978,7 @@ static int wc_PKCS7_DecryptKtri(wc_PKCS7* pkcs7, byte* in, word32 inSz, #ifndef WC_NO_RSA_OAEP if (encOID == RSAESOAEPk) { if (outKey) { + ForceZero(outKey, outKeySz); XFREE(outKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); } } @@ -11780,6 +11793,7 @@ static int wc_PKCS7_DecryptPwri(wc_PKCS7* pkcs7, byte* in, word32 inSz, iterations, kek, (word32)kekKeySz); if (ret < 0) { XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(kek, (word32)kekKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return ASN_PARSE_E; @@ -11792,7 +11806,9 @@ static int wc_PKCS7_DecryptPwri(wc_PKCS7* pkcs7, byte* in, word32 inSz, pwriEncAlgoId); if (ret < 0) { XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(kek, (word32)kekKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(cek, cekSz); XFREE(cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return ret; } @@ -11801,7 +11817,9 @@ static int wc_PKCS7_DecryptPwri(wc_PKCS7* pkcs7, byte* in, word32 inSz, if (*decryptedKeySz < cekSz) { WOLFSSL_MSG("Decrypted key buffer too small for CEK"); XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(kek, (word32)kekKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(cek, cekSz); XFREE(cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return BUFFER_E; } @@ -11810,7 +11828,9 @@ static int wc_PKCS7_DecryptPwri(wc_PKCS7* pkcs7, byte* in, word32 inSz, *decryptedKeySz = cekSz; XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(kek, (word32)kekKeySz); XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(cek, cekSz); XFREE(cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7); /* mark recipFound, since we only support one RecipientInfo for now */ From 8c8409388bde3d062fc45810a2690db12b41c519 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Tue, 14 Apr 2026 13:51:28 +0200 Subject: [PATCH 6/8] More PKCS#7 bounds checks --- wolfcrypt/src/pkcs7.c | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 269089d9632..a6a3d4dd950 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -7035,6 +7035,9 @@ static int PKCS7_VerifySignedData(wc_PKCS7* pkcs7, const byte* hashBuf, idx += (word32)length; } + else if (ret == 0) { + ret = ASN_PARSE_E; + } pkcs7->content = content; pkcs7->contentSz = (word32)contentSz; @@ -9615,7 +9618,7 @@ static int wc_PKCS7_PwriKek_KeyUnWrap(wc_PKCS7* pkcs7, const byte* kek, cekLen = outTmp[0]; /* verify length */ - fail |= ctMaskGT(cekLen, (int)inSz); + fail |= ctMaskGT(cekLen, (int)inSz - 4); /* verify check bytes */ fail |= ctMaskNotEq((int)(outTmp[1] ^ outTmp[4]), 0xFF); fail |= ctMaskNotEq((int)(outTmp[2] ^ outTmp[5]), 0xFF); @@ -11922,7 +11925,9 @@ static int wc_PKCS7_DecryptKekri(wc_PKCS7* pkcs7, byte* in, word32 inSz, &datePtr, &dateFormat, &dateLen) != 0) { return ASN_PARSE_E; } - *idx += (word32)(dateLen + 1); + /* datePtr points to the start of the date value + * within pkiMsg; advance past the full TLV. */ + *idx = (word32)(datePtr - pkiMsg) + (word32)dateLen; } if (*idx > pkiMsgSz) { @@ -13091,6 +13096,14 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, ret = ASN_PARSE_E; } + #ifdef NO_PKCS7_STREAM + if (ret == 0 && encryptedContentTotalSz > (int)(pkiMsgSz - idx)) { + /* In non-streaming mode, ensure the content fits in the buffer. + * Streaming mode handles this via AddDataToStream. */ + ret = BUFFER_E; + } + #endif + if (ret != 0) break; @@ -15344,6 +15357,12 @@ int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* in, word32 inSz, pkiMsgSz, NO_USER_CHECK) <= 0) ret = ASN_PARSE_E; +#ifdef NO_PKCS7_STREAM + if (ret == 0 && encryptedContentSz > (int)(pkiMsgSz - idx)) { + ret = BUFFER_E; + } +#endif + if (ret < 0) break; #ifndef NO_PKCS7_STREAM @@ -15381,7 +15400,8 @@ int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* in, word32 inSz, version = (int)pkcs7->stream->vers; tmpIv = pkcs7->stream->tmpIv; #endif - if (encryptedContentSz <= 0) { + if (encryptedContentSz <= 0 || + encryptedContentSz > (int)(pkiMsgSz - idx)) { ret = BUFFER_E; break; } From 2a13910adcbc7f7ba908f0928b7af94f04844303 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Tue, 14 Apr 2026 14:23:17 +0200 Subject: [PATCH 7/8] Add more PKCS#7 tests --- tests/api.c | 605 +++++++++++++++++++++++++++++++++++++++++ tests/api/test_pkcs7.c | 5 + 2 files changed, 610 insertions(+) diff --git a/tests/api.c b/tests/api.c index a3893ff21b1..1a5c424ecbc 100644 --- a/tests/api.c +++ b/tests/api.c @@ -35640,6 +35640,605 @@ static int test_pkcs7_ori_seqsz_underflow(void) return EXPECT_RESULT(); } +/* Test: PKCS#7 ORI must reject when seqSz extends oriValue past input buffer. + * + * The first ORI bounds check (OID exceeds SEQUENCE boundary) is covered by + * test_pkcs7_ori_seqsz_underflow. This test covers the *second* check: + * oriValue region extends past the end of the input buffer. We craft a + * message where the [4] SEQUENCE length is valid relative to the OID + * (OID fits inside it), but the remaining oriValue portion extends past + * the end of the actual input buffer. + * + * To bypass GetLength's own bounds validation, we set the outer lengths + * (EnvelopedData SEQUENCE, RecipientInfos SET) to match the [4] claim, + * but truncate the actual buffer we pass to DecodeEnvelopedData. */ +static int test_pkcs7_ori_orivalue_overflow(void) +{ + EXPECT_DECLS; +#if defined(HAVE_PKCS7) && !defined(WOLFSSL_NO_MALLOC) + wc_PKCS7* p7 = NULL; + byte out[256]; + + /* EnvelopedData with [4] ORI whose seqSz (40) is valid for the OID + * (6 bytes consumed) but oriValueSz (34) extends past the truncated + * input buffer. + * + * Layout: + * ContentInfo SEQUENCE + * OID envelopedData + * [0] EXPLICIT + * EnvelopedData SEQUENCE + * version = 0 + * RecipientInfos SET + * [4] CONSTRUCTED (seqSz = 40) + * OID (tag 06, len 04, 4 content bytes = 6 total) + * oriValue should be 34 bytes but input is truncated + * EncryptedContentInfo (filler for streaming) + * + * We pass the full array to DecodeEnvelopedData, but the actual + * input ends before [4]'s declared 40 bytes are consumed. + */ + static const byte poc[] = { + /* ContentInfo SEQUENCE */ + 0x30, 0x43, + /* contentType = envelopedData 1.2.840.113549.1.7.3 */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, + /* [0] EXPLICIT */ + 0xa0, 0x36, + /* EnvelopedData SEQUENCE */ + 0x30, 0x34, + /* version = 0 */ + 0x02, 0x01, 0x00, + /* RecipientInfos SET (len = 44 covers [4] tag+len+40) */ + 0x31, 0x2c, + /* [4] CONSTRUCTED = ORI implicit SEQUENCE, seqSz = 40 */ + 0xa4, 0x28, + /* OID: tag=06, len=04, 4 content bytes = 6 total */ + 0x06, 0x04, 0x2a, 0x03, 0x04, 0x05, + /* Only 4 bytes of oriValue here, but seqSz claims 34 more */ + 0x00, 0x00, 0x00, 0x00, + /* EncryptedContentInfo SEQUENCE (filler) */ + 0x30, 0x0b, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x01 + }; + + p7 = wc_PKCS7_New(NULL, INVALID_DEVID); + ExpectNotNull(p7); + if (p7 != NULL) { + wc_PKCS7_SetOriDecryptCb(p7, test_dummy_ori_cb); + + /* Must return error - oriValue extends past input buffer */ + ExpectIntLT(wc_PKCS7_DecodeEnvelopedData(p7, (byte*)poc, sizeof(poc), + out, sizeof(out)), 0); + + wc_PKCS7_Free(p7); + } +#endif + return EXPECT_RESULT(); +} + +/* Test: PKCS#7 KTRI must not match recipient when SKID length differs + * from expected keyIdSize. + * + * The fix adds a `length == keyIdSize` check before comparing the SKID + * bytes. Without this check, XMEMCMP could compare against data beyond + * the SKID content. This test crafts a KTRI RecipientInfo where the + * [0] SubjectKeyIdentifier has length 5 instead of KEYID_SIZE (20). + * The decode must return an error (no matching recipient). */ +static int test_pkcs7_ktri_skid_length_mismatch(void) +{ + EXPECT_DECLS; +#if defined(HAVE_PKCS7) && !defined(NO_RSA) && !defined(WOLFSSL_NO_MALLOC) + wc_PKCS7* p7 = NULL; + byte out[256]; + + /* Minimal EnvelopedData with KTRI using version=2 (SKID path). + * The SKID [0] has length 5 instead of 20. + * + * ContentInfo SEQUENCE + * OID envelopedData + * [0] EXPLICIT + * EnvelopedData SEQUENCE + * version = 2 + * RecipientInfos SET + * KTRI SEQUENCE + * version = 2 + * [0] SKID (5 bytes, should be 20) + * AlgorithmIdentifier (RSA OID) + * OCTET STRING (fake encrypted key) + * EncryptedContentInfo (filler) + */ + static const byte poc[] = { + /* ContentInfo SEQUENCE */ + 0x30, 0x46, + /* contentType = envelopedData 1.2.840.113549.1.7.3 */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, + /* [0] EXPLICIT */ + 0xa0, 0x39, + /* EnvelopedData SEQUENCE */ + 0x30, 0x37, + /* version = 2 (triggers SKID-based recipient identification) */ + 0x02, 0x01, 0x02, + /* RecipientInfos SET */ + 0x31, 0x21, + /* KTRI SEQUENCE */ + 0x30, 0x1f, + /* version = 2 (SKID) */ + 0x02, 0x01, 0x02, + /* [0] IMPLICIT SubjectKeyIdentifier, length = 5 (wrong!) */ + 0x80, 0x05, 0x01, 0x02, 0x03, 0x04, 0x05, + /* AlgorithmIdentifier: RSA 1.2.840.113549.1.1.1 */ + 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, + 0x05, 0x00, /* NULL params */ + /* encryptedKey OCTET STRING (2 bytes fake) */ + 0x04, 0x02, 0xAA, 0xBB, + /* EncryptedContentInfo SEQUENCE (filler) */ + 0x30, 0x0b, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x01 + }; + + p7 = wc_PKCS7_New(NULL, INVALID_DEVID); + ExpectNotNull(p7); + if (p7 != NULL) { + /* Decode without a cert - SKID will never match, and the + * mismatched SKID length must not cause out-of-bounds reads */ + ExpectIntLT(wc_PKCS7_DecodeEnvelopedData(p7, (byte*)poc, sizeof(poc), + out, sizeof(out)), 0); + + wc_PKCS7_Free(p7); + } +#endif + return EXPECT_RESULT(); +} + +/* Test: PKCS#7 KARI must reject BIT STRING with length < 2 in + * OriginatorPublicKey. + * + * The fix adds `if (length < 2) return ASN_PARSE_E` after parsing + * the BIT STRING tag and length. A BIT STRING must have at least + * the unused-bits byte plus one byte of content. This test crafts + * a KARI [1] RecipientInfo where the OriginatorPublicKey's BIT STRING + * has length 1 (degenerate). The PKCS7 object is initialized with a + * real ECC cert so that KariParseRecipCert succeeds and parsing reaches + * the BIT STRING validation. */ +static int test_pkcs7_kari_degenerate_bitstring(void) +{ + EXPECT_DECLS; +#if defined(HAVE_PKCS7) && defined(HAVE_ECC) && defined(HAVE_X963_KDF) && \ + !defined(WOLFSSL_NO_MALLOC) + wc_PKCS7* p7 = NULL; + byte out[256]; + byte* eccCert = NULL; + byte* eccPrivKey = NULL; + word32 eccCertSz = 0; + word32 eccPrivKeySz = 0; +#if !defined(USE_CERT_BUFFERS_256) && !defined(NO_FILESYSTEM) + XFILE f = XBADFILE; +#endif + + /* Minimal EnvelopedData with KARI [1] containing a degenerate + * BIT STRING (length 1) in OriginatorPublicKey. + * + * ContentInfo SEQUENCE + * OID envelopedData + * [0] EXPLICIT + * EnvelopedData SEQUENCE + * version = 2 + * RecipientInfos SET + * [1] CONSTRUCTED (KARI) + * version = 3 + * [0] CONSTRUCTED (OriginatorIdentifierOrKey) + * [1] CONSTRUCTED (OriginatorPublicKey) + * AlgorithmIdentifier (ECDSAk) + * BIT STRING length=1 (degenerate!) + * EncryptedContentInfo (filler) + */ + static const byte poc[] = { + /* ContentInfo SEQUENCE */ + 0x30, 0x44, + /* contentType = envelopedData 1.2.840.113549.1.7.3 */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, + /* [0] EXPLICIT */ + 0xa0, 0x37, + /* EnvelopedData SEQUENCE */ + 0x30, 0x35, + /* version = 2 */ + 0x02, 0x01, 0x02, + /* RecipientInfos SET */ + 0x31, 0x1f, + /* [1] CONSTRUCTED (KARI implicit) */ + 0xa1, 0x1d, + /* version = 3 */ + 0x02, 0x01, 0x03, + /* [0] CONSTRUCTED (OriginatorIdentifierOrKey) */ + 0xa0, 0x18, + /* [1] CONSTRUCTED (OriginatorPublicKey) */ + 0xa1, 0x16, + /* AlgorithmIdentifier SEQUENCE */ + 0x30, 0x13, + /* OID: id-ecPublicKey 1.2.840.10045.2.1 */ + 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, + /* OID: prime256v1 1.2.840.10045.3.1.7 */ + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, + 0x01, 0x07, + /* BIT STRING with length 1 - degenerate! */ + 0x03, 0x01, 0x00, + /* EncryptedContentInfo SEQUENCE (filler) */ + 0x30, 0x0b, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x01 + }; + + /* Load ECC cert and key so KariParseRecipCert succeeds and + * parsing reaches the BIT STRING check */ +#ifdef USE_CERT_BUFFERS_256 + eccCertSz = (word32)sizeof_cliecc_cert_der_256; + ExpectNotNull(eccCert = (byte*)XMALLOC(eccCertSz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (eccCert != NULL) + XMEMCPY(eccCert, cliecc_cert_der_256, eccCertSz); + eccPrivKeySz = (word32)sizeof_ecc_clikey_der_256; + ExpectNotNull(eccPrivKey = (byte*)XMALLOC(eccPrivKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (eccPrivKey != NULL) + XMEMCPY(eccPrivKey, ecc_clikey_der_256, eccPrivKeySz); +#elif !defined(NO_FILESYSTEM) + eccCertSz = FOURK_BUF; + ExpectNotNull(eccCert = (byte*)XMALLOC(eccCertSz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectTrue((f = XFOPEN("./certs/client-ecc-cert.der", "rb")) != XBADFILE); + ExpectTrue((eccCertSz = (word32)XFREAD(eccCert, 1, eccCertSz, f)) > 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + eccPrivKeySz = FOURK_BUF; + ExpectNotNull(eccPrivKey = (byte*)XMALLOC(eccPrivKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectTrue((f = XFOPEN("./certs/ecc-client-key.der", "rb")) != XBADFILE); + ExpectTrue((eccPrivKeySz = (word32)XFREAD(eccPrivKey, 1, eccPrivKeySz, + f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); +#else + eccCert = NULL; + eccCertSz = 0; + eccPrivKey = NULL; + eccPrivKeySz = 0; +#endif + + p7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID); + ExpectNotNull(p7); + if (p7 != NULL && eccCert != NULL) { + ExpectIntEQ(wc_PKCS7_InitWithCert(p7, eccCert, eccCertSz), 0); + if (p7 != NULL) { + p7->privateKey = eccPrivKey; + p7->privateKeySz = eccPrivKeySz; + } + + /* Must return error - BIT STRING length < 2 is invalid */ + ExpectIntLT(wc_PKCS7_DecodeEnvelopedData(p7, (byte*)poc, sizeof(poc), + out, sizeof(out)), 0); + + if (p7 != NULL) { + p7->privateKey = NULL; + p7->privateKeySz = 0; + } + wc_PKCS7_Free(p7); + } + else if (p7 != NULL) { + wc_PKCS7_Free(p7); + } + + XFREE(eccCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return EXPECT_RESULT(); +} + +/* Test: PKCS#7 EncryptedData must reject when encryptedContentSz exceeds + * the remaining input buffer. + * + * The fix adds `encryptedContentSz > (int)(pkiMsgSz - idx)` to the + * existing `encryptedContentSz <= 0` check in stage 6. This test crafts + * a minimal EncryptedData where the [0] IMPLICIT content length claims + * 0x200 (512) bytes but only 32 bytes of ciphertext are present. */ +static int test_pkcs7_encrypted_content_size_overflow(void) +{ + EXPECT_DECLS; +#if defined(HAVE_PKCS7) && !defined(NO_AES) && defined(HAVE_AES_CBC) && \ + defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA) && \ + !defined(WOLFSSL_NO_MALLOC) + wc_PKCS7* p7 = NULL; + byte key[32]; + byte out[256]; + + /* EncryptedData with [0] content claiming 512 bytes but only 32 present. + * + * ContentInfo SEQUENCE + * OID encryptedData (1.2.840.113549.1.7.6) + * [0] EXPLICIT + * EncryptedData SEQUENCE + * version = 0 + * EncryptedContentInfo SEQUENCE + * OID data (1.2.840.113549.1.7.1) + * AlgorithmIdentifier + * OID AES-256-CBC (2.16.840.1.101.3.4.1.42) + * OCTET STRING IV (16 zero bytes) + * [0] IMPLICIT content (claimed len=0x200, actual=32 bytes) + */ + static const byte poc[] = { + /* ContentInfo SEQUENCE (len covers entire message) */ + 0x30, 0x50, + /* OID encryptedData 1.2.840.113549.1.7.6 */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06, + /* [0] EXPLICIT */ + 0xa0, 0x43, + /* EncryptedData SEQUENCE */ + 0x30, 0x41, + /* version = 0 */ + 0x02, 0x01, 0x00, + /* EncryptedContentInfo SEQUENCE */ + 0x30, 0x3c, + /* OID data 1.2.840.113549.1.7.1 */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x01, + /* AlgorithmIdentifier SEQUENCE */ + 0x30, 0x1d, + /* OID AES-256-CBC 2.16.840.1.101.3.4.1.42 */ + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, + 0x2a, + /* IV: OCTET STRING (16 zero bytes) */ + 0x04, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + /* [0] IMPLICIT encryptedContent - claims 512 bytes! + * Only 16 bytes of fake ciphertext follow. */ + 0x80, 0x82, 0x02, 0x00, + 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, + 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA + }; + + XMEMSET(key, 0, sizeof(key)); + + p7 = wc_PKCS7_New(NULL, INVALID_DEVID); + ExpectNotNull(p7); + if (p7 != NULL) { + p7->encryptionKey = key; + p7->encryptionKeySz = sizeof(key); + + /* Must return error - content extends past input buffer */ + ExpectIntLT(wc_PKCS7_DecodeEncryptedData(p7, (byte*)poc, sizeof(poc), + out, sizeof(out)), 0); + + wc_PKCS7_Free(p7); + } +#endif + return EXPECT_RESULT(); +} + +/* Test: PKCS#7 SignedData must reject when the signature field is not + * an OCTET STRING. + * + * The fix adds `else if (ret == 0) { ret = ASN_PARSE_E; }` so that + * when the tag at the signature position is not ASN_OCTET_STRING, + * parsing returns an error instead of silently continuing with no + * signature. This test encodes a valid SignedData, then corrupts + * the signature OCTET STRING tag and verifies that decode fails. */ +static int test_pkcs7_signed_bad_sig_tag(void) +{ + EXPECT_DECLS; +#if defined(HAVE_PKCS7) && !defined(NO_RSA) && !defined(NO_SHA256) && \ + !defined(WOLFSSL_NO_MALLOC) + PKCS7* pkcs7 = NULL; + WC_RNG rng; + byte encoded[FOURK_BUF]; + int encodedSz = 0; + int i; + byte* rsaCert = NULL; + byte* rsaPrivKey = NULL; + word32 rsaCertSz = 0; + word32 rsaPrivKeySz = 0; +#if !defined(USE_CERT_BUFFERS_2048) && !defined(USE_CERT_BUFFERS_1024) && \ + !defined(NO_FILESYSTEM) + XFILE f = XBADFILE; +#endif + + const byte data[] = "Test signed data"; + + XMEMSET(&rng, 0, sizeof(WC_RNG)); + + /* Load RSA cert and key */ +#if defined(USE_CERT_BUFFERS_2048) + rsaCertSz = (word32)sizeof_client_cert_der_2048; + ExpectNotNull(rsaCert = (byte*)XMALLOC(rsaCertSz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (rsaCert != NULL) + XMEMCPY(rsaCert, client_cert_der_2048, rsaCertSz); + rsaPrivKeySz = (word32)sizeof_client_key_der_2048; + ExpectNotNull(rsaPrivKey = (byte*)XMALLOC(rsaPrivKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (rsaPrivKey != NULL) + XMEMCPY(rsaPrivKey, client_key_der_2048, rsaPrivKeySz); +#elif defined(USE_CERT_BUFFERS_1024) + rsaCertSz = (word32)sizeof_client_cert_der_1024; + ExpectNotNull(rsaCert = (byte*)XMALLOC(rsaCertSz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (rsaCert != NULL) + XMEMCPY(rsaCert, client_cert_der_1024, rsaCertSz); + rsaPrivKeySz = (word32)sizeof_client_key_der_1024; + ExpectNotNull(rsaPrivKey = (byte*)XMALLOC(rsaPrivKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (rsaPrivKey != NULL) + XMEMCPY(rsaPrivKey, client_key_der_1024, rsaPrivKeySz); +#elif !defined(NO_FILESYSTEM) + rsaCertSz = FOURK_BUF; + ExpectNotNull(rsaCert = (byte*)XMALLOC(rsaCertSz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectTrue((f = XFOPEN("./certs/client-cert.der", "rb")) != XBADFILE); + ExpectTrue((rsaCertSz = (word32)XFREAD(rsaCert, 1, rsaCertSz, f)) > 0); + if (f != XBADFILE) { XFCLOSE(f); f = XBADFILE; } + rsaPrivKeySz = FOURK_BUF; + ExpectNotNull(rsaPrivKey = (byte*)XMALLOC(rsaPrivKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectTrue((f = XFOPEN("./certs/client-key.der", "rb")) != XBADFILE); + ExpectTrue((rsaPrivKeySz = (word32)XFREAD(rsaPrivKey, 1, + rsaPrivKeySz, f)) > 0); + if (f != XBADFILE) XFCLOSE(f); +#else + rsaCert = NULL; rsaCertSz = 0; + rsaPrivKey = NULL; rsaPrivKeySz = 0; +#endif + + if (rsaCert == NULL || rsaPrivKey == NULL) { + XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + return TEST_SKIPPED; + } + + ExpectIntEQ(wc_InitRng(&rng), 0); + + /* Encode a valid SignedData */ + ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, rsaCert, rsaCertSz), 0); + if (pkcs7 != NULL) { + pkcs7->content = (byte*)data; + pkcs7->contentSz = (word32)sizeof(data); + pkcs7->contentOID = DATA; + pkcs7->hashOID = SHA256h; + pkcs7->encryptOID = RSAk; + pkcs7->privateKey = rsaPrivKey; + pkcs7->privateKeySz = rsaPrivKeySz; + pkcs7->rng = &rng; + } + + ExpectIntGT(encodedSz = wc_PKCS7_EncodeSignedData(pkcs7, encoded, + sizeof(encoded)), 0); + wc_PKCS7_Free(pkcs7); + pkcs7 = NULL; + + /* Find the signature OCTET STRING tag (0x04) near the end of the + * encoded message and corrupt it. The signature is the last large + * OCTET STRING in the SignerInfo. Search backwards for 0x04 followed + * by a length that looks like an RSA signature (>= 64 bytes). + * This heuristic depends on the signature being the last large + * OCTET STRING; the found==1 assertion below guards against + * silent false passes if encoding changes. */ + if (EXPECT_SUCCESS()) { + int found = 0; + for (i = encodedSz - 10; i > 10; i--) { + if (encoded[i] == 0x04) { + int len = 0, lbytes = 0; + if (encoded[i+1] < 0x80) { + len = encoded[i+1]; lbytes = 1; + } + else if (encoded[i+1] == 0x81) { + len = encoded[i+2]; lbytes = 2; + } + else if (encoded[i+1] == 0x82) { + len = (encoded[i+2] << 8) | encoded[i+3]; lbytes = 3; + } + /* RSA signature is typically >= 128 bytes */ + if (len >= 64 && i + 1 + lbytes + len <= encodedSz) { + /* Corrupt the OCTET STRING tag to INTEGER */ + encoded[i] = 0x02; /* ASN_INTEGER instead of OCTET STRING */ + found = 1; + break; + } + } + } + ExpectIntEQ(found, 1); + } + + /* Verify the corrupted SignedData - must fail */ + if (EXPECT_SUCCESS()) { + ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0); + ExpectIntLT(wc_PKCS7_VerifySignedData(pkcs7, encoded, + (word32)encodedSz), 0); + wc_PKCS7_Free(pkcs7); + pkcs7 = NULL; + } + + DoExpectIntEQ(wc_FreeRng(&rng), 0); + XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return EXPECT_RESULT(); +} + +/* Test: PKCS#7 EnvelopedData must reject when encryptedContentTotalSz + * exceeds the remaining input buffer. + * + * The fix adds a bounds check under NO_PKCS7_STREAM, but the same + * crafted message should also be properly handled in streaming mode. + * This test crafts an EnvelopedData where the [0] content length + * claims 512 bytes but only minimal data follows. */ +static int test_pkcs7_enveloped_content_size_overflow(void) +{ + EXPECT_DECLS; +#if defined(HAVE_PKCS7) && !defined(WOLFSSL_NO_MALLOC) && !defined(NO_RSA) + wc_PKCS7* p7 = NULL; + byte out[256]; + + /* EnvelopedData with KTRI where the EncryptedContentInfo [0] claims + * 512 bytes but only 16 are present. + * + * The outer structure is valid enough to reach the content parsing: + * ContentInfo -> EnvelopedData -> version=0 -> + * RecipientInfos (empty SET) -> EncryptedContentInfo -> + * contentType + AlgorithmIdentifier + [0] oversized content */ + static const byte poc[] = { + /* ContentInfo SEQUENCE */ + 0x30, 0x50, + /* OID envelopedData 1.2.840.113549.1.7.3 */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, + /* [0] EXPLICIT */ + 0xa0, 0x43, + /* EnvelopedData SEQUENCE */ + 0x30, 0x41, + /* version = 0 */ + 0x02, 0x01, 0x00, + /* RecipientInfos SET (empty - no recipients) */ + 0x31, 0x00, + /* EncryptedContentInfo SEQUENCE */ + 0x30, 0x3c, + /* OID data 1.2.840.113549.1.7.1 */ + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x01, + /* AlgorithmIdentifier SEQUENCE */ + 0x30, 0x1d, + /* OID AES-256-CBC 2.16.840.1.101.3.4.1.42 */ + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, + 0x2a, + /* IV: OCTET STRING (16 zero bytes) */ + 0x04, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + /* [0] IMPLICIT encryptedContent - claims 512 bytes! */ + 0x80, 0x82, 0x02, 0x00, + 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, + 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA + }; + + p7 = wc_PKCS7_New(NULL, INVALID_DEVID); + ExpectNotNull(p7); + if (p7 != NULL) { + /* With an empty RecipientInfos SET, the function may fail at + * the recipient matching stage before reaching the content-size + * bounds check. The ExpectIntLT assertion ensures the + * oversized content does not cause a buffer over-read. */ + ExpectIntLT(wc_PKCS7_DecodeEnvelopedData(p7, (byte*)poc, sizeof(poc), + out, sizeof(out)), 0); + + wc_PKCS7_Free(p7); + } +#endif + return EXPECT_RESULT(); +} + /* Dilithium verify_ctx_msg must reject absurdly large msgLen */ static int test_dilithium_hash(void) { @@ -36579,6 +37178,12 @@ TEST_CASE testCases[] = { TEST_DECL(test_pkcs7_decode_encrypted_outputsz), TEST_DECL(test_pkcs7_ori_oversized_oid), TEST_DECL(test_pkcs7_ori_seqsz_underflow), + TEST_DECL(test_pkcs7_ori_orivalue_overflow), + TEST_DECL(test_pkcs7_ktri_skid_length_mismatch), + TEST_DECL(test_pkcs7_kari_degenerate_bitstring), + TEST_DECL(test_pkcs7_encrypted_content_size_overflow), + TEST_DECL(test_pkcs7_signed_bad_sig_tag), + TEST_DECL(test_pkcs7_enveloped_content_size_overflow), TEST_DECL(test_pkcs7_padding), #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_CHAIN_INPUT) diff --git a/tests/api/test_pkcs7.c b/tests/api/test_pkcs7.c index cd9f7aa5752..646db1bdb8d 100644 --- a/tests/api/test_pkcs7.c +++ b/tests/api/test_pkcs7.c @@ -2763,6 +2763,11 @@ int test_wc_PKCS7_EncodeDecodeEnvelopedData(void) AES128CBCb, AES128_WRAP, dhSinglePass_stdDH_sha1kdf_scheme, eccCert, eccCertSz, eccPrivKey, eccPrivKeySz}, #endif + #if defined(WOLFSSL_SHA224) && defined(WOLFSSL_AES_128) + {(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, + AES128CBCb, AES128_WRAP, dhSinglePass_stdDH_sha224kdf_scheme, + eccCert, eccCertSz, eccPrivKey, eccPrivKeySz}, + #endif #if !defined(NO_SHA256) && defined(WOLFSSL_AES_256) {(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES256CBCb, AES256_WRAP, dhSinglePass_stdDH_sha256kdf_scheme, From 995985611d77b07766583306e22bdd5c7f031acc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Tue, 14 Apr 2026 18:04:12 +0200 Subject: [PATCH 8/8] Harden PKCS#7 EnvelopedData key unwrap --- .wolfssl_known_macro_extras | 1 + tests/api/test_pkcs7.c | 223 ++++++++++++++++++++++++++++++++++++ tests/api/test_pkcs7.h | 21 ++++ wolfcrypt/src/pkcs7.c | 215 +++++++++++++++++++++++++++++++++- 4 files changed, 455 insertions(+), 5 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 3943d477390..cd06d68a1f2 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -829,6 +829,7 @@ WOLFSSL_NO_KCAPI_HMAC_SHA256 WOLFSSL_NO_KCAPI_HMAC_SHA384 WOLFSSL_NO_KCAPI_HMAC_SHA512 WOLFSSL_NO_KCAPI_SHA224 +WOLFSSL_NO_KTRI_ORACLE_WARNING WOLFSSL_NO_OCSP_DATE_CHECK WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK WOLFSSL_NO_OCSP_OPTIONAL_CERTS diff --git a/tests/api/test_pkcs7.c b/tests/api/test_pkcs7.c index 646db1bdb8d..76b79111032 100644 --- a/tests/api/test_pkcs7.c +++ b/tests/api/test_pkcs7.c @@ -1118,6 +1118,229 @@ int test_wc_PKCS7_EnvelopedData_KTRI_RSA_PSS(void) #endif +/* + * Bleichenbacher padding-oracle regression: wc_PKCS7_DecryptKtri must not + * return a distinguishable error when RSA PKCS#1 v1.5 unwrap of the + * encrypted CEK fails vs. when it succeeds with a wrong key. The + * mitigation substitutes a deterministic pseudo-random CEK on RSA failure + * so content decryption fails indistinguishably. This test corrupts the + * encryptedKey in a valid EnvelopedData and asserts the error matches + * content corruption rather than surfacing an RSA/recipient-level code. + * Runs for AES-128 and AES-256 because the fake CEK is a fixed 32 bytes: + * AES-128 (key size 16) exercises the path where the fake size differs + * from the real CEK size. + */ +#if defined(HAVE_PKCS7) && !defined(NO_RSA) && !defined(NO_SHA256) && \ + !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) && \ + defined(WOLFSSL_AES_256) && !defined(NO_HMAC) && \ + !defined(WOLFSSL_NO_MALLOC) && \ + (defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024) || \ + !defined(NO_FILESYSTEM)) +static int pkcs7_ktri_bad_pad_case(int encryptOID, byte* rsaCert, + word32 rsaCertSz, byte* rsaPrivKey, + word32 rsaPrivKeySz, byte* encrypted, + word32 encryptedCap, byte* decoded, + word32 decodedCap) +{ + EXPECT_DECLS; + PKCS7* pkcs7 = NULL; + byte data[] = "PKCS7 KTRI bad-RSA-padding regression payload."; + int encryptedSz = 0; + int badKeyRet = 0; + int badContentRet = 0; + byte savedKeyByte = 0; + byte savedContentByte = 0; + word32 i; + word32 encryptedKeyOff = 0; + static const byte rsaEncOid[] = { + 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, + 0x01, 0x01, 0x01 + }; + + ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, rsaCert, rsaCertSz), 0); + if (pkcs7 != NULL) { + pkcs7->content = data; + pkcs7->contentSz = (word32)sizeof(data); + pkcs7->contentOID = DATA; + pkcs7->encryptOID = encryptOID; + } + ExpectIntGT(encryptedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, + encrypted, encryptedCap), 0); + wc_PKCS7_Free(pkcs7); + pkcs7 = NULL; + + /* Locate the KTRI encryptedKey OCTET STRING. After the rsaEncryption + * OID there are NULL algorithm parameters (05 00), then a 256-byte + * OCTET STRING (tag 04, long-form length 82 01 00 for RSA-2048). */ + for (i = 0; (int)(i + sizeof(rsaEncOid)) < encryptedSz; i++) { + if (XMEMCMP(&encrypted[i], rsaEncOid, sizeof(rsaEncOid)) == 0) { + word32 p = i + (word32)sizeof(rsaEncOid); + if (p + 2 < (word32)encryptedSz && + encrypted[p] == 0x05 && encrypted[p + 1] == 0x00) { + p += 2; + } + if (p + 4 < (word32)encryptedSz && encrypted[p] == 0x04) { + if (encrypted[p + 1] == 0x82) { + encryptedKeyOff = p + 4; + } + else if (encrypted[p + 1] == 0x81) { + encryptedKeyOff = p + 3; + } + else { + encryptedKeyOff = p + 2; + } + } + break; + } + } + ExpectIntGT(encryptedKeyOff, 0); + ExpectIntLT(encryptedKeyOff + 32, (word32)encryptedSz); + + /* Case 1: corrupt a byte inside the RSA ciphertext, decode, restore. */ + savedKeyByte = encrypted[encryptedKeyOff + 16]; + encrypted[encryptedKeyOff + 16] ^= 0xA5; + + ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, rsaCert, rsaCertSz), 0); + if (pkcs7 != NULL) { + pkcs7->privateKey = rsaPrivKey; + pkcs7->privateKeySz = rsaPrivKeySz; + } + badKeyRet = wc_PKCS7_DecodeEnvelopedData(pkcs7, encrypted, + (word32)encryptedSz, decoded, decodedCap); + wc_PKCS7_Free(pkcs7); + pkcs7 = NULL; + encrypted[encryptedKeyOff + 16] = savedKeyByte; + + /* Case 2: corrupt a byte in the second-to-last AES ciphertext block. + * In CBC mode this deterministically XOR-flips the corresponding byte + * in the last plaintext block, invalidating the PKCS#7 padding + * (original pad byte 0x01 becomes 0x01^0xA5 = 0xA4 > blockSz). + * Corrupting the last ciphertext block directly would randomize the + * entire last plaintext block, giving ~1/256 chance of accidentally + * valid padding and intermittent test failures. */ + savedContentByte = encrypted[encryptedSz - 17]; + encrypted[encryptedSz - 17] ^= 0xA5; + + ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, rsaCert, rsaCertSz), 0); + if (pkcs7 != NULL) { + pkcs7->privateKey = rsaPrivKey; + pkcs7->privateKeySz = rsaPrivKeySz; + } + badContentRet = wc_PKCS7_DecodeEnvelopedData(pkcs7, encrypted, + (word32)encryptedSz, decoded, decodedCap); + wc_PKCS7_Free(pkcs7); + pkcs7 = NULL; + encrypted[encryptedSz - 17] = savedContentByte; + + /* Case 2 must always fail: the CBC-chain corruption deterministically + * invalidates the PKCS#7 padding. */ + ExpectIntLT(badContentRet, 0); + /* Bad-key must NOT leak as an RSA- or recipient-level error. */ + ExpectIntNE(badKeyRet, WC_NO_ERR_TRACE(PKCS7_RECIP_E)); + ExpectIntNE(badKeyRet, WC_NO_ERR_TRACE(RSA_PAD_E)); + ExpectIntNE(badKeyRet, WC_NO_ERR_TRACE(RSA_BUFFER_E)); + ExpectIntNE(badKeyRet, WC_NO_ERR_TRACE(BAD_PADDING_E)); + /* Case 1 (bad RSA key) decrypts content with a random fake CEK, + * producing fully random plaintext. With ~1/256 probability the + * PKCS#7 padding accidentally looks valid, causing a positive + * garbage-length return instead of an error. This does not leak + * RSA key information, so it is acceptable. When both cases do + * fail, verify they fail at the same content-decryption layer. */ + if (badKeyRet < 0) { + ExpectIntEQ(badKeyRet, badContentRet); + } + + return EXPECT_RESULT(); +} + +int test_wc_PKCS7_EnvelopedData_KTRI_BadRsaPad(void) +{ + EXPECT_DECLS; + byte encrypted[FOURK_BUF]; + byte decoded[FOURK_BUF]; + byte* rsaCert = NULL; + byte* rsaPrivKey = NULL; + word32 rsaCertSz = 0; + word32 rsaPrivKeySz = 0; +#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \ + !defined(NO_FILESYSTEM) + XFILE f = XBADFILE; +#endif + + /* Load RSA cert and key */ +#if defined(USE_CERT_BUFFERS_1024) + rsaCertSz = (word32)sizeof_client_cert_der_1024; + ExpectNotNull(rsaCert = (byte*)XMALLOC(rsaCertSz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (rsaCert != NULL) + XMEMCPY(rsaCert, client_cert_der_1024, rsaCertSz); + rsaPrivKeySz = (word32)sizeof_client_key_der_1024; + ExpectNotNull(rsaPrivKey = (byte*)XMALLOC(rsaPrivKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (rsaPrivKey != NULL) + XMEMCPY(rsaPrivKey, client_key_der_1024, rsaPrivKeySz); +#elif defined(USE_CERT_BUFFERS_2048) + rsaCertSz = (word32)sizeof_client_cert_der_2048; + ExpectNotNull(rsaCert = (byte*)XMALLOC(rsaCertSz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (rsaCert != NULL) + XMEMCPY(rsaCert, client_cert_der_2048, rsaCertSz); + rsaPrivKeySz = (word32)sizeof_client_key_der_2048; + ExpectNotNull(rsaPrivKey = (byte*)XMALLOC(rsaPrivKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + if (rsaPrivKey != NULL) + XMEMCPY(rsaPrivKey, client_key_der_2048, rsaPrivKeySz); +#elif !defined(NO_FILESYSTEM) + rsaCertSz = FOURK_BUF; + ExpectNotNull(rsaCert = (byte*)XMALLOC(rsaCertSz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectTrue((f = XFOPEN("./certs/client-cert.der", "rb")) != XBADFILE); + ExpectTrue((rsaCertSz = (word32)XFREAD(rsaCert, 1, rsaCertSz, f)) > 0); + if (f != XBADFILE) { + XFCLOSE(f); + f = XBADFILE; + } + rsaPrivKeySz = FOURK_BUF; + ExpectNotNull(rsaPrivKey = (byte*)XMALLOC(rsaPrivKeySz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER)); + ExpectTrue((f = XFOPEN("./certs/client-key.der", "rb")) != XBADFILE); + ExpectTrue((rsaPrivKeySz = (word32)XFREAD(rsaPrivKey, 1, + rsaPrivKeySz, f)) > 0); + if (f != XBADFILE) + XFCLOSE(f); +#endif + + if (rsaCert == NULL || rsaPrivKey == NULL) { + XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + return TEST_SKIPPED; + } + + /* AES-128: 32-byte fake CEK larger than real CEK size (16 bytes). */ + ExpectIntEQ(pkcs7_ktri_bad_pad_case(AES128CBCb, rsaCert, rsaCertSz, + rsaPrivKey, rsaPrivKeySz, encrypted, sizeof(encrypted), + decoded, sizeof(decoded)), TEST_SUCCESS); +#ifdef WOLFSSL_AES_192 + /* AES-192: fake CEK (32) vs real CEK (24) - another size mismatch. */ + ExpectIntEQ(pkcs7_ktri_bad_pad_case(AES192CBCb, rsaCert, rsaCertSz, + rsaPrivKey, rsaPrivKeySz, encrypted, sizeof(encrypted), + decoded, sizeof(decoded)), TEST_SUCCESS); +#endif + /* AES-256: fake CEK size matches real CEK size (32 bytes). */ + ExpectIntEQ(pkcs7_ktri_bad_pad_case(AES256CBCb, rsaCert, rsaCertSz, + rsaPrivKey, rsaPrivKeySz, encrypted, sizeof(encrypted), + decoded, sizeof(decoded)), TEST_SUCCESS); + + XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + return EXPECT_RESULT(); +} /* END test_wc_PKCS7_EnvelopedData_KTRI_BadRsaPad */ +#endif + + /* * Testing wc_PKCS7_EncodeSignedData_ex() and wc_PKCS7_VerifySignedData_ex() */ diff --git a/tests/api/test_pkcs7.h b/tests/api/test_pkcs7.h index 084744d43c6..e1c71c911df 100644 --- a/tests/api/test_pkcs7.h +++ b/tests/api/test_pkcs7.h @@ -38,6 +38,14 @@ int test_wc_PKCS7_EncodeSignedData_RSA_PSS(void); !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256) int test_wc_PKCS7_EnvelopedData_KTRI_RSA_PSS(void); #endif +#if defined(HAVE_PKCS7) && !defined(NO_RSA) && !defined(NO_SHA256) && \ + !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) && \ + defined(WOLFSSL_AES_256) && !defined(NO_HMAC) && \ + !defined(WOLFSSL_NO_MALLOC) && \ + (defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024) || \ + !defined(NO_FILESYSTEM)) +int test_wc_PKCS7_EnvelopedData_KTRI_BadRsaPad(void); +#endif int test_wc_PKCS7_EncodeSignedData_ex(void); int test_wc_PKCS7_VerifySignedData_RSA(void); int test_wc_PKCS7_VerifySignedData_ECC(void); @@ -82,6 +90,18 @@ int test_wc_PKCS7_VerifySignedData_IndefLenOOB(void); #define TEST_PKCS7_RSA_PSS_ED_DECL #endif +#if defined(HAVE_PKCS7) && !defined(NO_RSA) && !defined(NO_SHA256) && \ + !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128) && \ + defined(WOLFSSL_AES_256) && !defined(NO_HMAC) && \ + !defined(WOLFSSL_NO_MALLOC) && \ + (defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024) || \ + !defined(NO_FILESYSTEM)) +#define TEST_PKCS7_KTRI_BADRSAPAD_DECL \ + TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_EnvelopedData_KTRI_BadRsaPad), +#else +#define TEST_PKCS7_KTRI_BADRSAPAD_DECL +#endif + #define TEST_PKCS7_SIGNED_DATA_DECLS \ TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_InitWithCert), \ TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_EncodeData), \ @@ -100,6 +120,7 @@ int test_wc_PKCS7_VerifySignedData_IndefLenOOB(void); TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeEnvelopedData_stream), \ TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_EncodeDecodeEnvelopedData), \ TEST_PKCS7_RSA_PSS_ED_DECL \ + TEST_PKCS7_KTRI_BADRSAPAD_DECL \ TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_SetAESKeyWrapUnwrapCb), \ TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_GetEnvelopedDataKariRid), \ TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_EncodeEncryptedData), \ diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index a6a3d4dd950..11caa007adc 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -44,6 +44,9 @@ #include #include +#ifndef NO_HMAC + #include +#endif #ifndef NO_RSA #include #endif @@ -207,6 +210,8 @@ static void wc_PKCS7_ResetStream(wc_PKCS7* pkcs7) #endif /* free any buffers that may be allocated */ + if (pkcs7->stream->aad != NULL && pkcs7->stream->aadSz > 0) + ForceZero(pkcs7->stream->aad, pkcs7->stream->aadSz); XFREE(pkcs7->stream->aad, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->tag, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->nonce, pkcs7->heap, DYNAMIC_TYPE_PKCS7); @@ -7730,6 +7735,9 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, secret = (byte*)XMALLOC(secretSz, kari->heap, DYNAMIC_TYPE_PKCS7); if (secret == NULL) return MEMORY_E; +#ifdef WOLFSSL_CHECK_MEM_ZERO + wc_MemZero_Add("wc_PKCS7_KariGenerateKEK secret", secret, secretSz); +#endif #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \ (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \ @@ -10597,6 +10605,61 @@ int wc_PKCS7_EncodeEnvelopedData(wc_PKCS7* pkcs7, byte* output, word32 outputSz) } #ifndef NO_RSA +#if !defined(NO_HMAC) && !defined(NO_SHA256) +/* Bleichenbacher padding-oracle mitigation for PKCS#7/CMS KTRI: produce a + * WC_SHA256_DIGEST_SIZE-byte pseudo-random CEK derived from a fresh + * random seed and the encrypted-key ciphertext. The output is random per + * call (driven by the RNG seed); deriving via HMAC of the ciphertext + * simply gives the same value within one call regardless of where it is + * referenced. Called unconditionally so the work is in the timing path + * regardless of RSA padding validity. */ +static int wc_PKCS7_KtriFakeCEK(wc_PKCS7* pkcs7, const byte* encryptedKey, + word32 encryptedKeySz, byte* out) +{ + int ret; + byte seed[WC_SHA256_DIGEST_SIZE]; + WC_DECLARE_VAR(rng, WC_RNG, 1, pkcs7->heap); + WC_DECLARE_VAR(hmac, Hmac, 1, pkcs7->heap); + + if (pkcs7 == NULL || encryptedKey == NULL || out == NULL) { + return BAD_FUNC_ARG; + } + + WC_ALLOC_VAR_EX(rng, WC_RNG, 1, pkcs7->heap, DYNAMIC_TYPE_RNG, + return MEMORY_E); + WC_ALLOC_VAR_EX(hmac, Hmac, 1, pkcs7->heap, DYNAMIC_TYPE_HMAC, + WC_FREE_VAR_EX(rng, pkcs7->heap, DYNAMIC_TYPE_RNG); + return MEMORY_E); + + ret = wc_InitRng_ex(rng, pkcs7->heap, pkcs7->devId); + if (ret == 0) { + ret = wc_RNG_GenerateBlock(rng, seed, (word32)sizeof(seed)); + wc_FreeRng(rng); + } + if (ret != 0) { + WC_FREE_VAR_EX(hmac, pkcs7->heap, DYNAMIC_TYPE_HMAC); + WC_FREE_VAR_EX(rng, pkcs7->heap, DYNAMIC_TYPE_RNG); + return ret; + } + + ret = wc_HmacInit(hmac, pkcs7->heap, pkcs7->devId); + if (ret == 0) { + ret = wc_HmacSetKey(hmac, WC_SHA256, seed, (word32)sizeof(seed)); + if (ret == 0) { + ret = wc_HmacUpdate(hmac, encryptedKey, encryptedKeySz); + } + if (ret == 0) { + ret = wc_HmacFinal(hmac, out); + } + wc_HmacFree(hmac); + } + ForceZero(seed, sizeof(seed)); + WC_FREE_VAR_EX(hmac, pkcs7->heap, DYNAMIC_TYPE_HMAC); + WC_FREE_VAR_EX(rng, pkcs7->heap, DYNAMIC_TYPE_RNG); + return ret; +} +#endif /* !NO_HMAC && !NO_SHA256 */ + /* decode KeyTransRecipientInfo (ktri), return 0 on success, <0 on error */ static int wc_PKCS7_DecryptKtri(wc_PKCS7* pkcs7, byte* in, word32 inSz, word32* idx, byte* decryptedKey, @@ -10956,25 +11019,140 @@ static int wc_PKCS7_DecryptKtri(wc_PKCS7* pkcs7, byte* in, word32 inSz, } wc_FreeRsaKey(privKey); + #if !defined(NO_HMAC) && !defined(NO_SHA256) + { + /* Bleichenbacher padding-oracle mitigation: always compute + * a pseudo-random fallback CEK so timing and error + * behaviour do not depend on RSA padding validity. On + * unwrap failure we substitute the fallback and let + * content decryption fail indistinguishably from "unwrap + * succeeded but CEK is wrong". */ + byte fakeKey[WC_SHA256_DIGEST_SIZE]; + int fakeRet = wc_PKCS7_KtriFakeCEK(pkcs7, encryptedKey, + (word32)encryptedKeySz, + fakeKey); + + if (fakeRet != 0) { + /* Fallback generation failed (e.g. RNG/HMAC error). + * Return the fallback-generation status, which does + * not depend on RSA padding validity, rather than the + * RSA status which would re-open the oracle. */ + ForceZero(fakeKey, sizeof(fakeKey)); + /* In the non-OAEP path RSA is decrypted in-place via + * wc_RsaPrivateDecryptInline, so encryptedKey holds + * the (possibly valid) plaintext CEK. Zero it before + * free. */ + ForceZero(encryptedKey, (word32)encryptedKeySz); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_WOLF_BIGINT); + WC_FREE_VAR_EX(privKey, pkcs7->heap, + DYNAMIC_TYPE_TMP_BUFFER); + #ifndef WC_NO_RSA_OAEP + if (encOID == RSAESOAEPk) { + if (outKey != NULL) { + ForceZero(outKey, outKeySz); + XFREE(outKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + } + } + #endif + return fakeRet; + } + + /* Constant-time select between fake and real CEK. On RSA + * failure outKey may be NULL or keySz may be <= 0; in + * both cases the mask selects fakeKey for every byte. + * + * To avoid data-dependent branches that leak realLen, + * copy the real key into a fixed-size zero-padded buffer + * first, then select byte-by-byte in constant time. */ + { + word32 i; + byte useFake; + int realLen = keySz; + byte realPad[WC_SHA256_DIGEST_SIZE]; + + XMEMSET(realPad, 0, sizeof(realPad)); + /* Constant-time copy: avoid data-dependent branches + * that could leak whether RSA padding was valid. + * When outKey is NULL (inline RSA failure), use + * encryptedKey as a safe readable source; the mask + * will zero out all bytes anyway. Both encryptedKey + * and outKey (when non-NULL) are at least + * sizeof(realPad) bytes for any RSA key size. + * + * Use constant-time pointer selection to avoid + * branching on outKey nullity, which would leak + * whether RSA PKCS#1 v1.5 padding was valid. */ + { + byte haveSrc = ctMaskGTE(realLen, 1); + wc_ptr_t mask = (wc_ptr_t)0 - + (wc_ptr_t)(haveSrc & 1); + wc_ptr_t srcVal = ((wc_ptr_t)outKey & mask) | + ((wc_ptr_t)encryptedKey & ~mask); + const byte* src = (const byte*)srcVal; + word32 j; + /* safeJ is clamped to max(0, realLen-1): it + * only advances while the next index would + * still be inside realLen, so src[safeJ] is + * always in bounds. Bytes at j >= realLen are + * masked to zero by inBounds anyway. */ + word32 safeJ = 0; + for (j = 0; j < (word32)sizeof(realPad); j++) { + byte inBounds = ctMaskLT((int)j, realLen); + byte advance = ctMaskLT((int)(safeJ + 1), + realLen); + realPad[j] = src[safeJ] & haveSrc & inBounds; + safeJ += (word32)(advance & 1); + } + } + useFake = ctMaskLT(realLen, 1); /* 0xFF if realLen<=0 */ + + for (i = 0; i < (word32)sizeof(fakeKey); i++) { + decryptedKey[i] = ctMaskSel(useFake, fakeKey[i], + realPad[i]); + } + /* Report the real key size on success; on RSA + * failure (realLen <= 0) report sizeof(fakeKey). + * Constant-time select avoids branching on RSA + * padding validity. */ + *decryptedKeySz = (word32)ctMaskSelInt(useFake, + (int)sizeof(fakeKey), realLen); + ForceZero(realPad, sizeof(realPad)); + } + ForceZero(fakeKey, sizeof(fakeKey)); + /* In the non-OAEP path RSA is decrypted in-place via + * wc_RsaPrivateDecryptInline, so encryptedKey holds the + * plaintext CEK after the unwrap. Zero it before free. */ + ForceZero(encryptedKey, (word32)encryptedKeySz); + } + #else /* NO_HMAC || NO_SHA256: mitigation unavailable */ + #if !defined(WOLFSSL_NO_KTRI_ORACLE_WARNING) + #warning "PKCS7 KTRI Bleichenbacher mitigation requires HMAC " \ + "and SHA256; build without them leaves the RSA unwrap " \ + "error path observable to callers. " \ + "Define WOLFSSL_NO_KTRI_ORACLE_WARNING to silence." + #endif + if (keySz <= 0 || outKey == NULL) { ForceZero(encryptedKey, (word32)encryptedKeySz); XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_WOLF_BIGINT); WC_FREE_VAR_EX(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); - #ifndef WC_NO_RSA_OAEP + #ifndef WC_NO_RSA_OAEP if (encOID == RSAESOAEPk) { if (outKey) { ForceZero(outKey, outKeySz); XFREE(outKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); } } - #endif + #endif return keySz; - } else { + } + else { *decryptedKeySz = (word32)keySz; XMEMCPY(decryptedKey, outKey, (word32)keySz); ForceZero(encryptedKey, (word32)encryptedKeySz); } + #endif /* !NO_HMAC && !NO_SHA256 */ XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_WOLF_BIGINT); WC_FREE_VAR_EX(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); @@ -12877,6 +13055,11 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, DYNAMIC_TYPE_PKCS7); if (decryptedKey == NULL) return MEMORY_E; + XMEMSET(decryptedKey, 0, MAX_ENCRYPTED_KEY_SZ); + #ifdef WOLFSSL_CHECK_MEM_ZERO + wc_MemZero_Add("wc_PKCS7 decryptedKey", decryptedKey, + MAX_ENCRYPTED_KEY_SZ); + #endif wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_ENV_2); tmpIdx = idx; recipientSetSz = (word32)ret; @@ -13119,10 +13302,18 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, wc_PKCS7_StreamStoreVar(pkcs7, encOID, expBlockSz, explicitOctet); if (explicitOctet) { - /* initialize decryption state in preparation */ + /* initialize decryption state in preparation. Use + * contentSz (blockKeySz from the content algorithm) as + * the AES key size rather than aadSz (the unwrapped CEK + * length): the two are equal for well-formed messages, + * but using blockKeySz avoids BAD_FUNC_ARG on crafted + * messages where the CEK length does not match the + * content cipher, which would otherwise be a + * distinguishable error. */ if (pkcs7->decryptionCb == NULL) { ret = wc_PKCS7_DecryptContentInit(pkcs7, encOID, - pkcs7->stream->aad, pkcs7->stream->aadSz, + pkcs7->stream->aad, + (word32)pkcs7->stream->contentSz, pkcs7->stream->tmpIv, expBlockSz, pkcs7->devId, pkcs7->heap); if (ret != 0) @@ -13412,6 +13603,16 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, #ifndef NO_PKCS7_STREAM if (ret < 0 && ret != WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E)) { + /* stream->aad aliases the MAX_ENCRYPTED_KEY_SZ decryptedKey + * buffer in this flow. ResetStream only zeros aadSz bytes, so + * explicitly zero and release the full buffer here to satisfy + * WOLFSSL_CHECK_MEM_ZERO and avoid leaking key material. */ + if (pkcs7->stream != NULL && pkcs7->stream->aad != NULL) { + ForceZero(pkcs7->stream->aad, MAX_ENCRYPTED_KEY_SZ); + XFREE(pkcs7->stream->aad, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + pkcs7->stream->aad = NULL; + pkcs7->stream->aadSz = 0; + } wc_PKCS7_ResetStream(pkcs7); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START); if (pkcs7->cachedEncryptedContent != NULL) { @@ -14185,6 +14386,10 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in, } else { XMEMSET(decryptedKey, 0, MAX_ENCRYPTED_KEY_SZ); + #ifdef WOLFSSL_CHECK_MEM_ZERO + wc_MemZero_Add("wc_PKCS7 decryptedKey", decryptedKey, + MAX_ENCRYPTED_KEY_SZ); + #endif } #ifndef NO_PKCS7_STREAM pkcs7->stream->key = decryptedKey;