Conversation
The default is a palindrome, so was missed. F-1311
When `derivedKey` is not `NULL`, don't set the attribute states. F-1312
F-1313
F-1316, F-1317, F-1318
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #173
Scan targets checked: wolfpkcs11-bugs, wolfpkcs11-src
Findings: 1
Low (1)
Incomplete integer overflow protection in TLS key material size computation
File: src/crypto.c:7950-7963
Function: C_DeriveKey
Category: Integer overflows
The PR reworks the TLS key material size computation to use a CK_ULONG totalBits intermediate variable and adds a check totalBits > (CK_ULONG)0xFFFFFFFF before truncating to word32. However, the individual multiplications 2 * tlsParams->ulMacSizeInBits, 2 * tlsParams->ulKeySizeInBits, and 2 * tlsParams->ulIVSizeInBits and their sum can all overflow CK_ULONG before the range check. On 32-bit platforms where CK_ULONG is 32 bits, the > 0xFFFFFFFF check is tautologically false and provides no protection at all. An attacker providing crafted mechanism parameters (e.g., ulMacSizeInBits = 0x80000004) could cause the arithmetic to wrap to a small totalBits/keyLen, resulting in a small derivedKey allocation while the individual field sizes used later to partition the buffer remain large. This is an improvement over the prior code (which had direct word32 truncation), but the overflow protection is incomplete for the scenario it was designed to address.
CK_ULONG totalBits;
totalBits = (2 * tlsParams->ulMacSizeInBits) +
(2 * tlsParams->ulKeySizeInBits) +
(2 * tlsParams->ulIVSizeInBits);
if (totalBits == 0)
return CKR_MECHANISM_PARAM_INVALID;
if ((totalBits % 8) != 0)
return CKR_MECHANISM_PARAM_INVALID;
totalBits /= 8;
if (totalBits > (CK_ULONG)0xFFFFFFFF)
return CKR_MECHANISM_PARAM_INVALID;
keyLen = (word32)totalBits;Recommendation: Add upper-bound validation on individual fields before arithmetic, or use overflow-safe multiplication. For example, check that each of ulMacSizeInBits, ulKeySizeInBits, and ulIVSizeInBits is less than CK_ULONG_MAX / 2 (or a reasonable maximum like 0xFFFFFFFF) before computing totalBits. This ensures the 2 * val multiplications and their sum cannot wrap.
This review was generated automatically by Fenrir. Findings are non-blocking.
There was a problem hiding this comment.
Pull request overview
This PR addresses several static analysis findings and hardening fixes across wolfPKCS11’s cryptographic operations and test suite, including RSA exponent handling, HKDF robustness, TLS 1.2 derivation sizing, and AES key wrap resource cleanup.
Changes:
- Adds a new RSA exponent endianness regression test and a new HKDF regression test for NULL
CKA_VALUE_LEN. - Fixes/cleans up internal AES key wrap state teardown and expands use of
wc_ForceZerofor sensitive buffers. - Hardens
C_DeriveKeyaround HKDF expand template parsing and TLS 1.2 key material length computation; updates sanitizer CI to exercise AES key wrap.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/rsa_exponent_test.c | New standalone regression test for RSA public exponent byte-order in key generation. |
| tests/pkcs11test.c | Adds HKDF regression test targeting NULL CKA_VALUE_LEN expand crash. |
| tests/include.am | Registers new RSA exponent test program in Automake test targets. |
| src/internal.c | Fixes RSA exponent conversion order, adds AES key wrap session cleanup, and zeros sensitive buffers. |
| src/crypto.c | Prevents HKDF NULL deref and adds overflow guard structure for TLS12 key material sizing. |
| .github/workflows/sanitizer-tests.yml | Enables AES key wrap in sanitizer CI to cover the affected code paths. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/crypto.c
Outdated
| tlsParams->ulIVSizeInBits > ((CK_ULONG)0xFFFFFFFF / 2)) { | ||
| return CKR_MECHANISM_PARAM_INVALID; | ||
| } | ||
| totalBits = (2 * tlsParams->ulMacSizeInBits) + |
There was a problem hiding this comment.
TLS totalBits sum can still overflow on 32-bit platforms
| totalBits = (2 * tlsParams->ulMacSizeInBits) + | |
| CK_ULONG a = 2 * tlsParams->ulMacSizeInBits; | |
| CK_ULONG b = 2 * tlsParams->ulKeySizeInBits; | |
| CK_ULONG c = 2 * tlsParams->ulIVSizeInBits; | |
| if (a > (CK_ULONG)0xFFFFFFFF - b) | |
| return CKR_MECHANISM_PARAM_INVALID; | |
| totalBits = a + b; | |
| if (totalBits > (CK_ULONG)0xFFFFFFFF - c) | |
| return CKR_MECHANISM_PARAM_INVALID; | |
| totalBits += c; |
| } | ||
| keyLen = *(word32*)lenAttr->pValue; | ||
| XMEMCPY(&reqLen, lenAttr->pValue, sizeof(CK_ULONG)); | ||
| if (reqLen == 0 || reqLen > (CK_ULONG)0xFFFFFFFF) { |
There was a problem hiding this comment.
reqLen > (CK_ULONG)0xFFFFFFFF is unreachable on 32-bit
| if (reqLen == 0 || reqLen > (CK_ULONG)0xFFFFFFFF) { | |
| /* On 64-bit, CK_ULONG may exceed word32 range */ | |
| if (reqLen == 0 || reqLen > (CK_ULONG)0xFFFFFFFF) { |
tests/rsa_exponent_test.c
Outdated
| } \ | ||
| while (0) | ||
|
|
||
| static int verbose = 0; |
There was a problem hiding this comment.
The verbose variable is set from command-line arguments on line 531 but is never read to control behavior. The test output is unconditional regardless of -v.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| static unsigned char exp_65537[] = { 0x01, 0x00, 0x01 }; | ||
|
|
||
| /* Non-palindromic exponent: 65539 = 0x010003 | ||
| * If byte-order is reversed, this becomes 0x030001 = 196611. |
There was a problem hiding this comment.
The comment’s decimal conversion is incorrect: 0x030001 equals 196609 (not 196611). Please fix the numeric value so the explanation of the byte-reversal case is accurate.
| * If byte-order is reversed, this becomes 0x030001 = 196611. | |
| * If byte-order is reversed, this becomes 0x030001 = 196609. |
| CK_ULONG reqLen; | ||
| if (!lenAttr || !lenAttr->pValue) { | ||
| return CKR_ATTRIBUTE_VALUE_INVALID; | ||
| } | ||
| if (lenAttr->ulValueLen != sizeof(CK_ULONG)) { | ||
| return CKR_ATTRIBUTE_VALUE_INVALID; | ||
| } |
There was a problem hiding this comment.
When HKDF expand requires CKA_VALUE_LEN, this code returns CKR_ATTRIBUTE_VALUE_INVALID both when the attribute is missing and when it has an invalid value. Elsewhere in crypto.c, missing required template attributes return CKR_TEMPLATE_INCOMPLETE (and CKR_ATTRIBUTE_VALUE_INVALID is used for NULL pValue/wrong ulValueLen). Consider returning CKR_TEMPLATE_INCOMPLETE when lenAttr is NULL, and reserve CKR_ATTRIBUTE_VALUE_INVALID for NULL pValue / wrong size / out-of-range values.
| { CKM_HKDF_DERIVE, ¶msExpand, sizeof(paramsExpand) }; | ||
|
|
||
| /* Expand template with NULL pValue for CKA_VALUE_LEN. | ||
| * This triggers the NULL dereference at crypto.c:7870. |
There was a problem hiding this comment.
This comment hard-codes an internal source line reference ("crypto.c:7870"), which will drift as the file changes (and is already inaccurate after this fix). Prefer referencing the condition being tested (NULL CKA_VALUE_LEN pValue) and/or the issue ID, without a specific file:line pointer.
| * This triggers the NULL dereference at crypto.c:7870. | |
| * This exercises the previously failing NULL CKA_VALUE_LEN pValue case. |
CKM_TLS12_KEY_AND_MAC_DERIVEattributes