Fix ChaCha20-Poly1305 and RSA-OAEP to allow empty plaintext

MarkAtwood · MarkAtwood · commit 1edcdc01f0e4 · 2026-04-11T22:18:18.000-07:00
ChaCha20-Poly1305 Final() rejected the READY state (no data or AAD
provided), though RFC 8439 §2.8 explicitly permits empty plaintext
and produces a well-defined authentication tag.

RSA-OAEP rejected zero-length plaintexts at both encrypt and decrypt.
RFC 8017 §7.1.1 permits empty messages; OpenSSL and BoringSSL both
accept them.
Found via Wycheproof test vectors.
diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c
@@ -275,7 +275,8 @@ int wc_ChaCha20Poly1305_Final(ChaChaPoly_Aead* aead,
     if (aead == NULL || outAuthTag == NULL) {
         return BAD_FUNC_ARG;
     }
-    if (aead->state != CHACHA20_POLY1305_STATE_AAD &&
+    if (aead->state != CHACHA20_POLY1305_STATE_READY &&
+        aead->state != CHACHA20_POLY1305_STATE_AAD &&
         aead->state != CHACHA20_POLY1305_STATE_DATA) {
         return BAD_STATE_E;
     }
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
@@ -3354,7 +3354,15 @@ static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
     RsaPadding padding;
 #endif
 
-    if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
+    if (out == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* For OAEP padding (RFC 8017, Section 7.1.1), zero-length messages are
+     * permitted: the spec requires mLen <= k - 2*hLen - 2, and mLen = 0
+     * satisfies this for all supported key sizes. For other padding types,
+     * a zero-length input is invalid. */
+    if (in == NULL || (inLen == 0 && pad_type != WC_RSA_OAEP_PAD)) {
         return BAD_FUNC_ARG;
     }
 
@@ -3752,8 +3760,13 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
             ret = ctMaskSelInt(ctMaskLTE(ret, (int)outLen), ret,
                                WC_NO_ERR_TRACE(RSA_BUFFER_E));
     #ifndef WOLFSSL_RSA_DECRYPT_TO_0_LEN
-            ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret,
-                               WC_NO_ERR_TRACE(RSA_BUFFER_E));
+            /* RFC 8017 Section 7.1.2: OAEP decryption may produce a valid
+             * zero-length message. Only reject ret==0 for non-OAEP types. */
+            {
+                int zeroOk = ctMaskEq(pad_type, WC_RSA_OAEP_PAD);
+                ret = ctMaskSelInt(ctMaskNotEq(ret, 0) | zeroOk, ret,
+                                   WC_NO_ERR_TRACE(RSA_BUFFER_E));
+            }
     #endif
 #else
             if (outLen < (word32)ret)

Original file line number	Diff line number	Diff line change
`@@ -275,7 +275,8 @@ int wc_ChaCha20Poly1305_Final(ChaChaPoly_Aead* aead,`
`275`	`275`	`if (aead == NULL \|\| outAuthTag == NULL) {`
`276`	`276`	`return BAD_FUNC_ARG;`
`277`	`277`	`}`
`278`		`- if (aead->state != CHACHA20_POLY1305_STATE_AAD &&`
	`278`	`+ if (aead->state != CHACHA20_POLY1305_STATE_READY &&`
	`279`	`+ aead->state != CHACHA20_POLY1305_STATE_AAD &&`
`279`	`280`	`aead->state != CHACHA20_POLY1305_STATE_DATA) {`
`280`	`281`	`return BAD_STATE_E;`
`281`	`282`	`}`