From 6c2ff8a5f1a2f6a0f7b336c5b6217a206903dfcd Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Tue, 16 Jun 2026 12:38:26 -0700
Subject: [PATCH 1/5] Reject HKDF info appends that would overflow the accumulated word32 length

---
 wolfcrypt/src/evp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index 7dfa159227..07186089cb 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -3106,6 +3106,11 @@ int wolfSSL_EVP_PKEY_CTX_add1_hkdf_info(WOLFSSL_EVP_PKEY_CTX* ctx,
 WOLFSSL_MSG("WOLFSSL_EVP_PKEY type is not HKDF.");
 ret = WOLFSSL_FAILURE;
 }
+ if (ret == WOLFSSL_SUCCESS && info != NULL && infoSz > 0 &&
+ ctx->pkey->hkdfInfoSz > (WOLFSSL_MAX_32BIT - (word32)infoSz)) {
+ WOLFSSL_MSG("HKDF info length overflow.");
+ ret = WOLFSSL_FAILURE;
+ }
 if (ret == WOLFSSL_SUCCESS && info != NULL && infoSz > 0) {
 unsigned char* p;

From 699744c8b6bdc45fffcaaceb6999f64410df8a48 Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Tue, 16 Jun 2026 12:38:26 -0700
Subject: [PATCH 2/5] Guard Base16_Encode output sizing against word32 wraparound

---
 wolfcrypt/src/coding.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/wolfcrypt/src/coding.c b/wolfcrypt/src/coding.c
index b3f804fcf0..a96d4d5ae5 100644
--- a/wolfcrypt/src/coding.c
+++ b/wolfcrypt/src/coding.c
@@ -675,6 +675,9 @@ int Base16_Encode(const byte* in, word32 inLen, byte* out, word32* outLen)
 if (in == NULL || out == NULL || outLen == NULL)
 return BAD_FUNC_ARG;
+ if (inLen > (WOLFSSL_MAX_32BIT / 2))
+ return BAD_FUNC_ARG;
+
 if (*outLen < (2 * inLen))
 return BAD_FUNC_ARG;

From 4576227e236919dd3c75361a4eea1e1300cdda57 Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Tue, 16 Jun 2026 12:38:26 -0700
Subject: [PATCH 3/5] Reject XChaCha20-Poly1305 AAD lengths that would truncate to word32

---
 wolfcrypt/src/chacha20_poly1305.c | 5 +++++
 1 file changed, 5 insertions(+)
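Review bot: The new guard in wolfSSL_EVP_PKEY_CTX_add1_hkdf_info (wolfcrypt/src/evp.c) carries no comment explaining why the bound is WOLFSSL_MAX_32BIT or why the `(word32)infoSz` cast is safe, and both rely on details the reader has to reconstruct. I would put `/* hkdfInfoSz is accumulated as word32: refuse an append whose sum would wrap. infoSz > 0 is tested first, so the cast keeps its value. */` above the added `if`. The guard also repeats the `ret == WOLFSSL_SUCCESS && info != NULL && infoSz > 0` test of the block that follows, so the two conditions have to be kept in sync by hand. The function starts and ends outside the hunk.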
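Review bot: In Base16_Encode (wolfcrypt/src/coding.c) the added range check and the existing `*outLen < (2 * inLen)` test can be folded into a single comparison that cannot wrap: `if (inLen > *outLen / 2) return BAD_FUNC_ARG;`. For unsigned operands this rejects exactly the same inputs as the size test and needs no separate bound, which matches the subtraction form this series uses for the early-data quota check. If the two-step form is kept, a short comment such as `/* 2 * inLen must not wrap word32 */` would say what the new check is for. The function body continues outside the hunk.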
diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c
index e9e5bb80c4..b173db9621 100644
--- a/wolfcrypt/src/chacha20_poly1305.c
+++ b/wolfcrypt/src/chacha20_poly1305.c
@@ -411,6 +411,11 @@ static WC_INLINE int wc_XChaCha20Poly1305_crypt_oneshot(
 goto out;
 }
+ if ((word32)ad_len != ad_len) {
+ ret = BAD_FUNC_ARG;
+ goto out;
+ }
+
 if ((ret = wc_XChaCha20Poly1305_Init(aead, ad, (word32)ad_len,
 nonce, (word32)nonce_len,
 key, (word32)key_len, 1)) < 0)

From 9bbf3d295ffb8a56e9d64207f1bc954071788788 Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Tue, 16 Jun 2026 12:38:26 -0700
Subject: [PATCH 4/5] Use an overflow-safe comparison for the TLS 1.3 early data quota check

---
 src/internal.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index e1c3a4a14a..485f8058e4 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -22175,7 +22175,8 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx, int sniff)
 #ifdef WOLFSSL_EARLY_DATA
 if (ssl->options.side == WOLFSSL_SERVER_END &&
 ssl->earlyData > early_data_ext) {
- if (ssl->earlyDataSz + dataSz > ssl->options.maxEarlyDataSz) {
+ if ((word32)dataSz >
+ ssl->options.maxEarlyDataSz - ssl->earlyDataSz) {
 if (sniff == NO_SNIFF) {
 SendAlert(ssl, alert_fatal, unexpected_message);
 }

From d8637448efce55d651fcf7b009b6fe186b02e92c Mon Sep 17 00:00:00 2001
From: aidan garske
Date: Tue, 16 Jun 2026 12:38:26 -0700
Subject: [PATCH 5/5] Reject BLAKE2-HMAC update lengths that would truncate to word32

---
 wolfcrypt/src/blake2b.c | 2 ++
 wolfcrypt/src/blake2s.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/wolfcrypt/src/blake2b.c b/wolfcrypt/src/blake2b.c
index 0876e7b728..2b4a1da385 100644
--- a/wolfcrypt/src/blake2b.c
+++ b/wolfcrypt/src/blake2b.c
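Review bot: Only ad_len is range-checked in wc_XChaCha20Poly1305_crypt_oneshot, while the wc_XChaCha20Poly1305_Init call directly below also narrows nonce_len and key_len with `(word32)` casts. Unless lines outside this hunk already pin those two to fixed sizes before the cast, a length that only matches the expected size after truncation would be accepted. The guard could cover all three values: `if ((word32)ad_len != ad_len || (word32)nonce_len != nonce_len || (word32)key_len != key_len) {`. The function begins and ends outside the hunk, so this needs confirming against the full body.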
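Review bot: The rewritten quota test in DoApplicationData (src/internal.c) subtracts `ssl->earlyDataSz` from `ssl->options.maxEarlyDataSz`, and that difference wraps if the counter is ever larger than the limit, after which any dataSz passes the check. Nothing visible in the hunk enforces that ordering, and it may not hold if the limit can change after early data has been counted. I would test it explicitly: `if (ssl->earlyDataSz > ssl->options.maxEarlyDataSz || (word32)dataSz > ssl->options.maxEarlyDataSz - ssl->earlyDataSz) {`. This assumes both fields are unsigned 32-bit values, which the hunk does not show; the enclosing function extends well beyond it.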
@@ -532,6 +532,8 @@ int wc_Blake2bHmacUpdate(Blake2b* b2b, const byte* in, size_t in_len)
 {
 if (in == NULL)
 return BAD_FUNC_ARG;
+ if ((word32)in_len != in_len)
+ return BAD_FUNC_ARG;
 return wc_Blake2bUpdate(b2b, in, (word32)in_len);
 }
diff --git a/wolfcrypt/src/blake2s.c b/wolfcrypt/src/blake2s.c
index 40caa34b37..202fd9b2a2 100644
--- a/wolfcrypt/src/blake2s.c
+++ b/wolfcrypt/src/blake2s.c
@@ -529,6 +529,8 @@ int wc_Blake2sHmacUpdate(Blake2s* b2s, const byte* in, size_t in_len)
 {
 if (in == NULL)
 return BAD_FUNC_ARG;
+ if ((word32)in_len != in_len)
+ return BAD_FUNC_ARG;
 return wc_Blake2sUpdate(b2s, in, (word32)in_len);
 }
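Review bot: wc_Blake2bHmacUpdate still takes a `size_t in_len` but now returns BAD_FUNC_ARG for any length above the word32 range, and nothing at the definition tells callers about that limit; wc_Blake2sHmacUpdate in blake2s.c gets the same two lines and has the same gap. I would document it on both functions, e.g. `/* in_len must fit in word32; larger inputs are rejected, so callers have to split them across calls */`, and mirror that in the public header comment if there is one. On targets where size_t is 32 bits wide the comparison is always false, which some compilers report as a warning, so it is worth building those configurations once.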