Cryptocb hooks rsapss ed448 cmac#10886
Conversation
|
retest this please |
|
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10886
Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 4
4 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
0108bd2 to
10370ac
Compare
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10886
Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
…ext state on wc_CmacFree.
…a device does the full verify.
…nd RSA-PSS hooks.
10370ac to
513619f
Compare
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10886
Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10886
Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
| /* The device verified internally; there is no recovered PSS | ||
| * block to expose (in is the untouched ciphertext), so report | ||
| * no inline output rather than a misleading pointer. */ | ||
| if (out != NULL) |
There was a problem hiding this comment.
*🟠 [Medium] wc_RsaPSS_VerifyCheckInline returns positive length with out=NULL on callback path · NULL pointer dereference
When a crypto callback device handles the verify, the function sets *out = NULL but still returns a positive length (inLen), violating the established contract that a positive return means *out points to valid recovered PSS data. External callers that dereference *out after a positive return will NULL-deref. The behavioral change is documented only in the C source comment, not in the public WOLFSSL_API header declaration.
Fix: Either return a non-length positive sentinel (e.g., 1) on callback success so callers cannot use the value as a byte count against *out, or add the NULL-*out caveat to wolfssl/wolfcrypt/rsa.h.
No description provided.