From d6d439c6e6a9c91b9fe82aa20a5a5b9d2530d7db Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 3 Apr 2026 09:57:27 +0200 Subject: [PATCH 1/9] Add NULL parameter validation to wc_Des_CbcEncryptWithKey/DecryptWithKey F-1371 --- wolfcrypt/src/wc_encrypt.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c index 7cb130b522..52505adefc 100644 --- a/wolfcrypt/src/wc_encrypt.c +++ b/wolfcrypt/src/wc_encrypt.c @@ -100,6 +100,10 @@ int wc_Des_CbcEncryptWithKey(byte* out, const byte* in, word32 sz, int ret = 0; WC_DECLARE_VAR(des, Des, 1, 0); + if (out == NULL || in == NULL || key == NULL) { + return BAD_FUNC_ARG; + } + WC_ALLOC_VAR_EX(des, Des, 1, NULL, DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E); @@ -118,6 +122,10 @@ int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, int ret = 0; WC_DECLARE_VAR(des, Des, 1, 0); + if (out == NULL || in == NULL || key == NULL) { + return BAD_FUNC_ARG; + } + WC_ALLOC_VAR_EX(des, Des, 1, NULL, DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E); From dcde00a1ebac4ea366d983e722cb6b333952b803 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 3 Apr 2026 09:57:35 +0200 Subject: [PATCH 2/9] Add NULL parameter validation to wc_CryptKey F-1372 --- wolfcrypt/src/wc_encrypt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c index 52505adefc..9c80ee1da4 100644 --- a/wolfcrypt/src/wc_encrypt.c +++ b/wolfcrypt/src/wc_encrypt.c @@ -338,6 +338,9 @@ int wc_CryptKey(const char* password, int passwordSz, const byte* salt, WOLFSSL_ENTER("wc_CryptKey"); + if (password == NULL || salt == NULL || input == NULL) + return BAD_FUNC_ARG; + if (length < 0) return BAD_LENGTH_E; From d7ecfec5e29c2cd3a19fdf21e61b2bd5afad0bbf Mon Sep 17 00:00:00 2001 
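Review bot: The new guard in wc_Des_CbcEncryptWithKey checks out, in and key but leaves iv unchecked, and the DecryptWithKey hunk mirrors that omission. If the set-key call that follows (outside the hunk) treats a NULL iv as an all-zero IV by design, that contract deserves a line at the guard, e.g. `/* iv may be NULL: an all-zero IV is then used */`; if it does not, iv belongs in the NULL check. The guard also now rejects NULL buffers when sz is 0, a reasonable but visible behaviour change for any caller that passed NULL pointers with a zero length. wc_Des_CbcEncryptWithKey's body continues past the hunk.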
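Review bot: The new wc_CryptKey guard rejects `password == NULL` unconditionally, yet an empty password is commonly expressed as NULL with passwordSz 0 in PKCS#8/PKCS#12 code paths, so this may turn previously working empty-password decrypts into BAD_FUNC_ARG. If callers do that, relax the check to `if ((password == NULL && passwordSz != 0) || salt == NULL || input == NULL)`; if a NULL password is genuinely never valid, state that in the function's doc comment so the stricter contract is deliberate. The IV parameter is not visible in this hunk, so I cannot tell whether it is validated further down; a NULL IV in a CBC mode would otherwise fault later rather than return an error. wc_CryptKey's body continues past the hunk.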
From: Juliusz Sosinowicz Date: Fri, 3 Apr 2026 09:57:43 +0200 Subject: [PATCH 3/9] Add NULL checks for context/ciphertext/out in wc_HpkeContextOpenBase F-1374 --- wolfcrypt/src/hpke.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c index c83158d4f6..8f16f66f70 100644 --- a/wolfcrypt/src/hpke.c +++ b/wolfcrypt/src/hpke.c @@ -1175,7 +1175,7 @@ int wc_HpkeContextOpenBase(Hpke* hpke, HpkeBaseContext* context, byte* aad, int ret; byte nonce[HPKE_Nn_MAX]; WC_DECLARE_VAR(aes, Aes, 1, 0); - if (hpke == NULL) { + if (hpke == NULL || context == NULL || ciphertext == NULL || out == NULL) { return BAD_FUNC_ARG; } From b72a2133fc86e55b46886a38dee5a8aef850e49f Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 3 Apr 2026 09:57:59 +0200 Subject: [PATCH 4/9] ForceZero hmac buffer in Tls13IntegrityOnly_Decrypt before return F-1466 --- src/tls13.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/tls13.c b/src/tls13.c index 8bce848a50..2524658153 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -2968,6 +2968,7 @@ static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output, /* Copy the input to output if not the same buffer */ if (ret == 0 && output != input) XMEMCPY(output, input, sz); + ForceZero(hmac, sizeof(hmac)); return ret; } #endif From ed0976a821bdfed16a39ce2893f2e1a389cea43b Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 3 Apr 2026 10:01:01 +0200 Subject: [PATCH 5/9] ForceZero binderKey and binder buffers in DoPreSharedKeys F-1463 --- src/tls13.c | 46 ++++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index 2524658153..1e468c2d13 100644 --- a/src/tls13.c +++ b/src/tls13.c 
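Review bot: The widened guard in wc_HpkeContextOpenBase still does not cover aad, which is acceptable only if a NULL aad is always paired with a zero length; a caller passing NULL aad with a nonzero length would reach the AEAD call with a NULL pointer. If the AAD length parameter is in scope here (its name is not visible in the hunk), `|| (aad == NULL && aadSz != 0)` closes that gap without rejecting the legitimate empty-AAD case. The rest of the function, including where nonce is filled and consumed, lies outside the hunk.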
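Review bot: The ForceZero on hmac only covers this final exit; Tls13IntegrityOnly_Decrypt starts above the hunk, so any earlier `return` between the MAC computation and this point would still leave the MAC on the stack. The safer shape, already used by the DoPreSharedKeys and DoTls13Finished patches in this series, is a single `cleanup:` label that wipes hmac on every path. It is also worth wiping at the point the MAC is no longer needed, i.e. right after the MAC comparison above the hunk, rather than after the XMEMCPY, so the live window is minimal.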
@@ -6144,7 +6144,8 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz, ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); if (ext == NULL) { WOLFSSL_MSG("No pre shared extension keys found"); - return BAD_FUNC_ARG; + ret = BAD_FUNC_ARG; + goto cleanup; } /* Look through all client's pre-shared keys for a match. */ @@ -6152,7 +6153,8 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz, current = current->next) { #ifndef NO_PSK if (current->identityLen > MAX_PSK_ID_LEN) { - return BUFFER_ERROR; + ret = BUFFER_ERROR; + goto cleanup; } XMEMCPY(ssl->arrays->client_identity, current->identity, current->identityLen); @@ -6179,7 +6181,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz, #ifdef WOLFSSL_ASYNC_CRYPT if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) - return ret; + goto cleanup; #endif if (ret != WOLFSSL_TICKET_RET_OK && current->sess_free_cb != NULL) { 
@@ -6214,45 +6216,45 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz, ssl->options.cipherSuite = ssl->session->cipherSuite; ret = SetCipherSpecs(ssl); if (ret != 0) - return ret; + goto cleanup; /* Resumption PSK is resumption master secret. */ ssl->arrays->psk_keySz = ssl->specs.hash_size; if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data, ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) { - return ret; + goto cleanup; } /* Derive the early secret using the PSK. */ ret = DeriveEarlySecret(ssl); if (ret != 0) - return ret; + goto cleanup; /* Hash data up to binders for deriving binders in PSK extension. */ ret = HashInput(ssl, input, (int)inputSz); if (ret < 0) - return ret; + goto cleanup; /* Derive the binder key to use with HMAC. */ ret = DeriveBinderKeyResume(ssl, binderKey); if (ret != 0) - return ret; + goto cleanup; } else #endif /* HAVE_SESSION_TICKET */ #ifndef NO_PSK if (FindPsk(ssl, current, suite, &ret)) { if (ret != 0) - return ret; + goto cleanup; ret = HashInput(ssl, input, (int)inputSz); if (ret < 0) - return ret; + goto cleanup; /* Derive the binder key to use with HMAC. */ ret = DeriveBinderKey(ssl, binderKey); if (ret != 0) - return ret; + goto cleanup; } else #endif @@ -6267,18 +6269,19 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz, ssl->keys.client_write_MAC_secret, 0 /* neither end */); if (ret != 0) - return ret; + goto cleanup; /* Derive the binder and compare with the one in the extension. */ ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, binder, &binderLen); if (ret != 0) - return ret; + goto cleanup; if (binderLen != current->binderLen || ConstantCompare(binder, current->binder, binderLen) != 0) { WOLFSSL_ERROR_VERBOSE(BAD_BINDER); - return BAD_BINDER; + ret = BAD_BINDER; + goto cleanup; } /* This PSK works, no need to try any more. */ 
@@ -6290,19 +6293,26 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz, if (current == NULL) { #ifdef WOLFSSL_PSK_ID_PROTECTION #ifndef NO_CERTS - if (ssl->buffers.certChainCnt != 0) - return 0; + if (ssl->buffers.certChainCnt != 0) { + ret = 0; + goto cleanup; + } #endif WOLFSSL_ERROR_VERBOSE(BAD_BINDER); - return BAD_BINDER; + ret = BAD_BINDER; + goto cleanup; #else - return 0; + ret = 0; + goto cleanup; #endif } *first = (current == ext->data); *usingPSK = 1; +cleanup: + ForceZero(binderKey, sizeof(binderKey)); + ForceZero(binder, sizeof(binder)); WOLFSSL_LEAVE("DoPreSharedKeys", ret); return ret; From 96b4e01b2091f4fe7d5629ef1a56fe0df26312b5 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 3 Apr 2026 10:01:49 +0200 Subject: [PATCH 6/9] ForceZero mac buffer in DoTls13Finished before return F-1464 --- src/tls13.c | 45 +++++++++++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index 1e468c2d13..7ff2924ea2 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -11346,28 +11346,30 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ret = NO_PEER_CERT; /* NO_PEER_VERIFY */ WOLFSSL_MSG("TLS v1.3 client did not present peer cert"); DoCertFatalAlert(ssl, ret); - return ret; + goto cleanup; } } #endif /* check against totalSz */ - if (*inOutIdx + size > totalSz) - return BUFFER_E; + if (*inOutIdx + size > totalSz) { + ret = BUFFER_E; + goto cleanup; + } #if defined(WOLFSSL_RENESAS_TSIP_TLS) ret = tsip_Tls13HandleFinished(ssl, input, inOutIdx, size, totalSz); if (ret == 0) { ssl->options.serverState = SERVER_FINISHED_COMPLETE; - return ret; + goto cleanup; } if (ret == WC_NO_ERR_TRACE(VERIFY_FINISHED_ERROR)) { SendAlert(ssl, alert_fatal, decrypt_error); - return ret; + goto cleanup; } if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { /* other errors */ - return ret; + goto cleanup; } ret = 0; #endif /* WOLFSSL_RENESAS_TSIP_TLS */ 
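Review bot: The success path falls through to `cleanup:` without setting ret, so the function's zero return depends on the last assignment to ret before `*usingPSK = 1;` happening to be 0 (it is today, via the BuildTls13HandshakeHmac check in the previous hunk). An explicit `ret = 0;` placed immediately before the `cleanup:` label, as the DoTls13Finished patch in this series does, makes the contract local and robust to future edits; error paths jump past it. DoPreSharedKeys' body begins above this hunk.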
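Review bot: DoTls13Finished begins above this hunk, so any `return` between the function's entry and the NO_PEER_CERT check is not visible here and would bypass the new `cleanup:` label; mac is not yet populated that early, so a leak is unlikely, but a single-exit function should have no stray returns, please confirm. Within the hunk, the TSIP branch's `ret == 0` exit sets serverState and jumps to cleanup, skipping the key-setup code further down, which matches the previous early return; a comment such as `/* TSIP completed Finished processing; nothing further to do here */` would make that intentional to a reader.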
@@ -11377,7 +11379,7 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->keys.client_write_MAC_secret, WOLFSSL_CLIENT_END); if (ret != 0) - return ret; + goto cleanup; secret = ssl->keys.client_write_MAC_secret; } @@ -11389,13 +11391,13 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->keys.client_write_MAC_secret, WOLFSSL_CLIENT_END); if (ret != 0) - return ret; + goto cleanup; ret = DeriveFinishedSecret(ssl, ssl->serverSecret, ssl->keys.server_write_MAC_secret, WOLFSSL_SERVER_END); if (ret != 0) - return ret; + goto cleanup; secret = ssl->keys.server_write_MAC_secret; } @@ -11408,7 +11410,8 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz); #ifdef WOLFSSL_HAVE_TLS_UNIQUE if (finishedSz > TLS_FINISHED_SZ_MAX) { - return BUFFER_ERROR; + ret = BUFFER_ERROR; + goto cleanup; } if (ssl->options.side == WOLFSSL_CLIENT_END) { XMEMCPY(ssl->serverFinished, mac, finishedSz); @@ -11420,9 +11423,11 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } #endif /* WOLFSSL_HAVE_TLS_UNIQUE */ if (ret != 0) - return ret; - if (size != finishedSz) - return BUFFER_ERROR; + goto cleanup; + if (size != finishedSz) { + ret = BUFFER_ERROR; + goto cleanup; + } } #ifdef WOLFSSL_CALLBACKS @@ -11437,7 +11442,8 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, WOLFSSL_MSG("Verify finished error on hashes"); SendAlert(ssl, alert_fatal, decrypt_error); WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR); - return VERIFY_FINISHED_ERROR; + ret = VERIFY_FINISHED_ERROR; + goto cleanup; } } 
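Review bot: Under WOLFSSL_HAVE_TLS_UNIQUE the XMEMCPY of mac into ssl->serverFinished (and the client counterpart between the hunks) runs before the `if (ret != 0) goto cleanup;` check on BuildTls13HandshakeHmac's result, so a failed HMAC computation copies an unset or partial mac into the connection object before bailing out. Move the error check up: `ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz); if (ret != 0) goto cleanup;` and only then do the finishedSz bound check and the copies. This is pre-existing, but the patch touches exactly these lines and the new cleanup label makes the fix a one-liner. DoTls13Finished continues outside the hunk on both sides.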
@@ -11450,12 +11456,12 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifdef WOLFSSL_EARLY_DATA if (ssl->earlyData != no_early_data) { if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0) - return ret; + goto cleanup; } #endif /* Setup keys for application data messages from client. */ if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) - return ret; + goto cleanup; } #endif @@ -11486,10 +11492,13 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } #endif /* WOLFSSL_QUIC && WOLFSSL_EARLY_DATA */ - WOLFSSL_LEAVE("DoTls13Finished", 0); + ret = 0; +cleanup: + ForceZero(mac, sizeof(mac)); + WOLFSSL_LEAVE("DoTls13Finished", ret); WOLFSSL_END(WC_FUNC_FINISHED_DO); - return 0; + return ret; } #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) From f28fd3746b7170269846c336ddca92260d64c53c Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 3 Apr 2026 10:02:40 +0200 Subject: [PATCH 7/9] ForceZero mac buffer in ExpectedResumptionSecret before return F-1465 --- src/tls13.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index 7ff2924ea2..8c9c836b0c 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -12323,8 +12323,6 @@ static int ExpectedResumptionSecret(WOLFSSL* ssl) wc_Sha256Free(&ssl->hsHashes->hashSha256); ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256); wc_Sha256Free(&digest.sha256); - if (ret != 0) - return ret; break; #endif #ifdef WOLFSSL_SHA384 @@ -12332,8 +12330,6 @@ static int ExpectedResumptionSecret(WOLFSSL* ssl) wc_Sha384Free(&ssl->hsHashes->hashSha384); ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384); wc_Sha384Free(&digest.sha384); - if (ret != 0) - return ret; break; #endif #ifdef WOLFSSL_TLS13_SHA512 
@@ -12341,8 +12337,6 @@ static int ExpectedResumptionSecret(WOLFSSL* ssl) wc_Sha512Free(&ssl->hsHashes->hashSha512); ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha512); wc_Sha512Free(&digest.sha512); - if (ret != 0) - return ret; break; #endif #ifdef WOLFSSL_SM3 @@ -12350,12 +12344,11 @@ static int ExpectedResumptionSecret(WOLFSSL* ssl) wc_Sm3Free(&ssl->hsHashes->hashSm3); ret = wc_Sm3Copy(&digest.sm3, &ssl->hsHashes->hashSm3); wc_Sm3Free(&digest.sm3); - if (ret != 0) - return ret; break; #endif } + ForceZero(mac, sizeof(mac)); return ret; } #endif From f2b9e3d6549464242549450885e829edb7946236 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 3 Apr 2026 10:03:17 +0200 Subject: [PATCH 8/9] Unconditionally validate TLS 1.2 ciphertext size in ProcessReply F-1476 --- src/internal.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/internal.c b/src/internal.c index 067b7a6c08..0995bcb645 100644 --- a/src/internal.c +++ b/src/internal.c @@ -23005,9 +23005,7 @@ static int DoProcessReplyEx(WOLFSSL* ssl, int allowSocketErr) } if (IsEncryptionOn(ssl, 0)) { -#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS) int tooLong = 0; -#endif #ifdef WOLFSSL_TLS13 if (IsAtLeastTLSv1_3(ssl->version)) { @@ -23017,18 +23015,16 @@ static int DoProcessReplyEx(WOLFSSL* ssl, int allowSocketErr) MAX_TLS13_PLAIN_SZ; } } + else #endif -#ifdef WOLFSSL_EXTRA_ALERTS - if (!IsAtLeastTLSv1_3(ssl->version)) + { tooLong = ssl->curSize > MAX_TLS_CIPHER_SZ; -#endif -#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS) + } if (tooLong) { WOLFSSL_MSG("Encrypted data too long"); SendAlert(ssl, alert_fatal, record_overflow); return BUFFER_ERROR; } -#endif } ssl->keys.padSz = 0; From e443ef0304749002bb757cb2930e3edf5a1a5692 Mon Sep 17 00:00:00 2001 
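Review bot: The ForceZero of mac is placed after the switch, but the `digest` union copied from the handshake hash state is only released with the wc_*Free calls, and nothing in the hunk shows those zeroing the hash state; if they do not, a `ForceZero(&digest, sizeof(digest));` alongside the mac wipe would also clear the transcript-hash snapshot. Dropping the per-case `return ret;` is correct since each case now breaks to the common exit, but ExpectedResumptionSecret starts above the hunk, so any exit before the switch still skips the wipe. No `default:` is visible after the SM3 case, so an unexpected hash algorithm silently returns whatever ret held; a default that sets an error would surface that.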
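Review bot: The bound check is now enforced for every pre-1.3 encrypted record, which is the right call: a ciphertext larger than MAX_TLS_CIPHER_SZ (2^14 + 2048 per RFC 5246 section 6.2.3) previously reached decryption in builds without WOLFSSL_EXTRA_ALERTS. Two things to confirm: that MAX_TLS_CIPHER_SZ is also the correct ceiling for the DTLS and SSLv3/TLS 1.0-1.1 versions the new `else` branch now covers, and that the unencrypted branch (IsEncryptionOn false, outside this hunk) still has its own plaintext-length check so record_overflow is raised there too. A one-line comment above the else, `/* TLS <= 1.2: RFC 5246 6.2.3 limit on TLSCiphertext.length */`, would record where the constant comes from. DoProcessReplyEx extends well beyond this hunk.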
From: Juliusz Sosinowicz
Date: Fri, 3 Apr 2026 15:25:14 +0200
Subject: [PATCH 9/9] Use InetPtonA for XINET_PTON macro on Windows

Explicitly call the ANSI version of the InetPton function to avoid an incorrect cast to PCWSTR when the input string is a standard character pointer.
---
 wolfssl/wolfio.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wolfssl/wolfio.h b/wolfssl/wolfio.h
index c215fa0b89..98415d012a 100644
--- a/wolfssl/wolfio.h
+++ b/wolfssl/wolfio.h
@@ -1019,7 +1019,7 @@ WOLFSSL_API void wolfSSL_SetIOWriteFlags(WOLFSSL* ssl, int flags);
 #if (defined(__MINGW32__) || defined(__MINGW64__)) && !defined(UNICODE)
 #define XINET_PTON(a,b,c) InetPton((a),(b),(c))
 #else
- #define XINET_PTON(a,b,c) InetPton((a),(PCWSTR)(b),(c))
+ #define XINET_PTON(a,b,c) InetPtonA((a),(b),(c))
 #endif
 #elif defined(FREESCALE_MQX)
 #define XINET_PTON(a,b,c,d) inet_pton((a),(b),(c),(d))
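Review bot: Using InetPtonA fixes the narrow-to-wide mismatch the old `(PCWSTR)` cast was hiding, but the `#if` still keeps a separate MinGW/non-UNICODE branch calling the generic InetPton even though InetPtonA is the correct call on every Windows toolchain that provides the A/W split; unless older MinGW headers lack InetPtonA, both branches can collapse into one `#define XINET_PTON(a,b,c) InetPtonA((a),(b),(c))`. Separately, InetPton returns 1 on success, 0 for a malformed string and SOCKET_ERROR (-1) on failure, so callers of XINET_PTON must test `== 1` rather than `!= 0`; the callers are not in this hunk, so that is a follow-up to verify.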