Address Fenrir findings

F-3340: AesGcmStream.final decrypt path passed len(authTag) straight to
wc_AesGcmDecryptFinal, letting a caller truncate the verification window
(forgery probability ~2^-32 instead of 2^-128 for a 4-byte tag against a
16-byte configuration). Reject len(authTag) != self._tag_bytes and pass
self._tag_bytes to wolfSSL, mirroring ChaCha20Poly1305.decrypt. Added
test_decrypt_rejects_wrong_tag_length. Also fixed test_encrypt_short_tag
which was relying on the bug (decrypt side defaulted to tag_bytes=16
against a 12-byte tag).

F-3089: Declare label as const byte* in the wc_RsaPublicEncrypt_ex and
wc_RsaPrivateDecrypt_ex cdefs so CFFI can accept Python bytes without
exposing a writable pointer into immutable memory. wolfSSL does not
modify label.

F-3090: Declare nonce as const byte* in the wc_InitRngNonce and
wc_InitRngNonce_ex cdefs for the same reason.

F-1983, F-1984: Add minimum + upper bounds to requirements/{prod,test,
docs}.txt so a hijacked release of cffi, tox, pytest, types-cffi,
Sphinx, or sphinx_rtd_theme does not get pulled silently on the next
pip install. setup.txt resolves transitively via prod.txt.

Author: LinuxJedi

pyproject.toml

@@ -23,7 +23,7 @@ classifiers = [
 ]
 dynamic = ["version"]
 dependencies = [
-    "cffi>=1.0.0",
+    "cffi>=1.0.0,<2",
 ]
 
 [project.urls]

requirements/docs.txt

@@ -1,3 +1,3 @@
 -r prod.txt
-Sphinx
-sphinx_rtd_theme
+Sphinx>=7,<9
+sphinx_rtd_theme>=2,<4

requirements/prod.txt

@@ -1 +1 @@
-cffi
+cffi>=1.17,<2

requirements/test.txt

@@ -1,4 +1,4 @@
 -r prod.txt
-tox
-pytest
-types-cffi
+tox>=4,<5
+pytest>=8,<9
+types-cffi>=1.16,<2

scripts/build_ffi.py

@@ -545,8 +545,8 @@ def build_ffi(local_wolfssl, features):
         typedef struct { ...; } OS_Seed;
 
         int wc_InitRng(WC_RNG*);
-        int wc_InitRngNonce(WC_RNG*, byte*, word32);
-        int wc_InitRngNonce_ex(WC_RNG*, byte*, word32, void*, int);
+        int wc_InitRngNonce(WC_RNG*, const byte*, word32);
+        int wc_InitRngNonce_ex(WC_RNG*, const byte*, word32, void*, int);
         int wc_RNG_GenerateBlock(WC_RNG*, byte*, word32);
         int wc_RNG_GenerateByte(WC_RNG*, byte*);
         int wc_FreeRng(WC_RNG*);
@@ -1039,10 +1039,12 @@ def build_ffi(local_wolfssl, features):
                                 RsaKey*, WC_RNG*);
         int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
                    word32 outLen, RsaKey* key, WC_RNG* rng, int type,
-                   enum wc_HashType hash, int mgf, byte* label, word32 labelSz);
+                   enum wc_HashType hash, int mgf, const byte* label,
+                   word32 labelSz);
         int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen,
                    byte* out, word32 outLen, RsaKey* key, int type,
-                   enum wc_HashType hash, int mgf, byte* label, word32 labelSz);
+                   enum wc_HashType hash, int mgf, const byte* label,
+                   word32 labelSz);
         int wc_RsaSSL_Sign(const byte*, word32, byte*, word32, RsaKey*, WC_RNG*);
         int wc_RsaSSL_Verify(const byte*, word32, byte*, word32, RsaKey*);
         """

setup.py

@@ -60,8 +60,8 @@
 
     packages=find_packages(),
 
-    setup_requires=["cffi>=1.0.0"],
-    install_requires=["cffi>=1.0.0"],
+    setup_requires=["cffi>=1.0.0,<2"],
+    install_requires=["cffi>=1.0.0,<2"],
     cffi_modules=["./scripts/build_ffi.py:ffibuilder"],
 
     package_data={"wolfcrypt": ["*.dll", "**/*.pyi"]}

tests/test_aesgcmstream.py

@@ -50,7 +50,7 @@ def test_encrypt_short_tag():
         authTag = gcm.final()
         assert b2h(authTag) == bytes('ac8fcee96dc6ef8e5236da19', 'utf-8')
         assert b2h(buf) == bytes('5ba7d42e1bf01d7998e932', "utf-8")
-        gcmdec = AesGcmStream(key, iv)
+        gcmdec = AesGcmStream(key, iv, 12)
         bufdec = gcmdec.decrypt(buf)
         gcmdec.final(authTag)
         assert bufdec == t2b("hello world")
@@ -144,6 +144,33 @@ def test_invalid_tag_bytes():
             tag = gcm.final()
             assert len(tag) == good
 
+    def test_decrypt_rejects_wrong_tag_length():
+        key = "fedcba9876543210"
+        iv = "0123456789abcdef"
+        gcm = AesGcmStream(key, iv, tag_bytes=16)
+        buf = gcm.encrypt("hello world")
+        authTag = gcm.final()
+        assert len(authTag) == 16
+
+        # Truncated tag: would silently lower the verification window to
+        # 32-bit forgery probability without this check.
+        gcmdec = AesGcmStream(key, iv, tag_bytes=16)
+        gcmdec.decrypt(buf)
+        with pytest.raises(ValueError, match="authTag must be 16 bytes"):
+            gcmdec.final(authTag[:4])
+
+        # Over-long tag is also rejected.
+        gcmdec2 = AesGcmStream(key, iv, tag_bytes=16)
+        gcmdec2.decrypt(buf)
+        with pytest.raises(ValueError, match="authTag must be 16 bytes"):
+            gcmdec2.final(authTag + b"\x00")
+
+        # Happy path with the configured length still verifies.
+        gcmdec3 = AesGcmStream(key, iv, tag_bytes=16)
+        plain = gcmdec3.decrypt(buf)
+        gcmdec3.final(authTag)
+        assert plain == t2b("hello world")
+
     def test_repeated_construction_destruction():
         import gc
         key = "fedcba9876543210"

wolfcrypt/ciphers.py

@@ -496,7 +496,12 @@ def final(self, authTag=None):
                 if authTag is None:
                     raise WolfCryptError("authTag parameter required")
                 authTag = t2b(authTag)
-                ret = _lib.wc_AesGcmDecryptFinal(self._native_object, authTag, len(authTag))
+                if len(authTag) != self._tag_bytes:
+                    raise ValueError(
+                        "authTag must be %d bytes, got %d" %
+                        (self._tag_bytes, len(authTag)))
+                ret = _lib.wc_AesGcmDecryptFinal(
+                    self._native_object, authTag, self._tag_bytes)
                 if ret < 0:
                     raise WolfCryptApiError("Decryption error", ret)