Zeroizations, code reinforcements, ECC key size fixes #6
dgarske merged 17 commits into wolfSSL:master from
Pull request overview
This PR hardens wolfPSA’s crypto/key-handling by adding systematic zeroization of sensitive buffers, tightening length validation to prevent overflows/wraps, and fixing ECC curve/key-size inference for non-byte-aligned curves.
Changes:
- Replace key-data frees with a new zeroizing free routine and add explicit scrubbing for multiple secret-bearing buffers (KDF, key agreement, key generation, volatile key storage, DES3 expanded keys).
- Reject oversized RNG requests and reject AEAD multipart accumulated-length wraparounds.
- Fix ECC curve ID selection for 192/224-bit curves and correct ECC key-bit inference for 521-bit curves; add targeted tests and CI wiring for ECC tests.
Reviewed changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| wolfpsa/psa_key_storage.h | Renames the public key-data free API to a force-zeroing variant. |
| src/psa_key_storage.c | Adds ECC bit inference mapping and widespread key buffer scrubbing (volatile keys, generated keys, exports/copy). |
| src/psa_key_derivation.c | Scrubs HKDF PRK, TLS1.2 PSK premaster, PBKDF2-CMAC stack buffers, and key-agreement secrets. |
| src/psa_asymmetric_api.c | Scrubs ECDH/key-agreement secret buffers before free. |
| src/psa_cipher.c | Scrubs DES3 expanded key material on stack and key_data on free paths. |
| src/psa_mac.c | Uses zeroizing free for key buffers across validation/setup error paths. |
| src/psa_aead.c | Adds overflow-safe accumulated-length checks for multipart AEAD update paths. |
| src/psa_asymmetric.c | Corrects curve ID mapping for 192/224-bit curves with feature guards. |
| src/psa_random.c | Rejects psa_generate_random() sizes larger than UINT32_MAX. |
| test/psa_server/psa_random_size_test.c | New test exercising oversized RNG request rejection. |
| test/psa_server/psa_ecc_curve_id_test.c | New test verifying ECC curve ID mapping for 192/224-bit curves. |
| test/psa_server/psa_ecc_bit_inference_test.c | New test verifying 521-bit ECC key-size inference for pub/priv imports. |
| test/psa_server/psa_des3_stack_scrub_test.c | New smoke test for DES3 setup/abort path. |
| test/psa_server/psa_api_test.c | Adds AEAD multipart length wraparound regression test. |
| test/Makefile | Builds new test binaries; links curve-id test with internal objects. |
| .github/workflows/test-psa-api.yml | Builds/runs ECC-focused new tests in CI. |
| .gitignore | Ignores newly built test binaries. |
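Two of the hardening patterns the overview describes, a length-taking zeroizing free for key data and a wrap-safe accumulated-length check for multipart AEAD, shown as an added stand-alone example; this is not wolfPSA's code, and the status codes, function names and the constructed key/chunk values are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Status codes local to this example (PSA itself uses PSA_SUCCESS etc.). */
#define EX_SUCCESS            0
#define EX_ERROR_INVALID_ARG -1

/* Volatile writes keep the compiler from dropping the scrub as a dead store. */
void forcezero(void *ptr, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (len-- > 0) *p++ = 0;
}

/* Zeroizing free: the length is passed so the whole key buffer is scrubbed. */
void forcezero_free(void *ptr, size_t len)
{
    if (ptr == NULL) return;
    forcezero(ptr, len);
    free(ptr);
}

/* Scrub a constructed stack key; returns 1 if no key byte survived. */
int forcezero_scrubs_stack_key(void)
{
    unsigned char key[24];          /* constructed 192-bit key material */
    size_t i;
    memset(key, 0xA5, sizeof(key));
    forcezero(key, sizeof(key));
    for (i = 0; i < sizeof(key); i++) if (key[i] != 0) return 0;
    return 1;
}

/* Multipart AEAD: checking before the addition means the wrap never happens. */
int accumulate_length(size_t *total, size_t chunk)
{
    if (chunk > SIZE_MAX - *total) return EX_ERROR_INVALID_ARG;
    *total += chunk;
    return EX_SUCCESS;
}

/* Feed constructed chunk lengths; returns 1 if the wrapping chunk is refused. */
int accumulate_rejects_wrap(void)
{
    size_t total = 0;
    if (accumulate_length(&total, 16) != EX_SUCCESS) return 0;
    if (accumulate_length(&total, SIZE_MAX - 16) != EX_SUCCESS) return 0; /* exactly SIZE_MAX */
    return accumulate_length(&total, 1) == EX_ERROR_INVALID_ARG && total == SIZE_MAX;
}
```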
Pull request overview
This PR hardens wolfPSA’s cryptographic handling by adding comprehensive zeroization on key/secret buffers, tightening input length validation (random and AEAD multipart), and correcting ECC curve ID/bit-size inference (including non-byte-aligned curves).
Changes:
- Replace key-data free paths with forced-zeroization and scrub additional sensitive stack/heap buffers across MAC/cipher/derivation/asymmetric/key storage flows.
- Add overflow/oversize validation for PSA random generation and AEAD multipart length accumulation.
- Fix ECC curve ID selection for 192/224-bit curves and improve ECC key bit inference; add corresponding regression tests and CI steps.
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| wolfpsa/psa_key_storage.h | Updates key-data free API to support zeroization with length. |
| src/psa_key_storage.c | Adds ECC bit inference mapping, zeroizes volatile key material and generated/import buffers, implements forcezero-free helper. |
| src/psa_key_derivation.c | Scrubs HKDF PRK, TLS12 premaster, PBKDF2 CMAC intermediates, and zeroizes key agreement secrets. |
| src/psa_cipher.c | Zeroizes DES3 expanded key material and forcezero-frees key buffers in error/cleanup paths. |
| src/psa_mac.c | Forcezero-frees key buffers across MAC validation/setup error paths. |
| src/psa_asymmetric_api.c | Forcezero-frees key buffers and zeroizes ECDH/key agreement secret buffers on failure/success paths. |
| src/psa_asymmetric.c | Corrects ECC curve IDs for 192/224-bit curves with feature guards. |
| src/psa_random.c | Rejects oversized random requests (> UINT32_MAX). |
| src/psa_aead.c | Moves AEAD ctx definition to internal header and rejects wrapped multipart accumulated lengths. |
| src/psa_aead_internal.h | Introduces internal AEAD ctx accessor for tests/internal use. |
| test/psa_server/psa_api_test.c | Adds regression test for AEAD multipart accumulated-length wrap rejection. |
| test/psa_server/psa_random_size_test.c | New test ensuring oversized random requests are rejected. |
| test/psa_server/psa_ecc_curve_id_test.c | New test validating ECC curve IDs for 192/224-bit secp r1/k1. |
| test/psa_server/psa_ecc_bit_inference_test.c | New test validating ECC bit inference for P-521 sized material. |
| test/psa_server/psa_des3_stack_scrub_test.c | New test covering DES3 setup path (for scrub behavior). |
| test/Makefile | Builds new test binaries and adds include path for internal header usage. |
| .github/workflows/test-psa-api.yml | Builds and runs the new tests in CI. |
| .gitignore | Ignores newly built test binaries. |
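The two ECC fixes the overview lists, curve ID selection for 192/224-bit secp r1/k1 and key bit inference for P-521 (whose 66-byte private keys would naively read as 528 bits), as an added example that generalises the inference to every curve size in its table; it is not the project's code, and the curve enum, family constants and function names are assumptions.

```c
#include <stddef.h>
/* Curve identifiers local to this example; wolfSSL's own enum
 * (ECC_SECP192R1 and friends) is not reproduced here. */
enum ex_curve {
    EX_CURVE_NONE = 0,
    EX_SECP192R1, EX_SECP224R1, EX_SECP256R1, EX_SECP384R1, EX_SECP521R1,
    EX_SECP192K1, EX_SECP224K1, EX_SECP256K1
};

/* PSA ECC family values as given in the PSA Crypto API spec (assumed here). */
#define EX_ECC_FAMILY_SECP_R1 0x12
#define EX_ECC_FAMILY_SECP_K1 0x17

/* Curve ID from (family, bit size): each supported pair, including the
 * 192- and 224-bit sizes, maps to its own ID; anything else is rejected. */
enum ex_curve ex_curve_id(unsigned family, size_t bits)
{
    if (family == EX_ECC_FAMILY_SECP_R1) {
        switch (bits) {
        case 192: return EX_SECP192R1;
        case 224: return EX_SECP224R1;
        case 256: return EX_SECP256R1;
        case 384: return EX_SECP384R1;
        case 521: return EX_SECP521R1;
        }
    } else if (family == EX_ECC_FAMILY_SECP_K1) {
        switch (bits) {
        case 192: return EX_SECP192K1;
        case 224: return EX_SECP224K1;
        case 256: return EX_SECP256K1;
        }
    }
    return EX_CURVE_NONE;
}

/* Infer key bits from an imported key's byte length. A private key is
 * ceil(bits/8) bytes, an uncompressed public key 1 + 2*ceil(bits/8), so
 * key_len*8 is wrong for P-521; match known curve sizes instead (0 = none). */
size_t ex_infer_bits(size_t key_len, int is_public)
{
    static const size_t known_bits[] = { 192, 224, 256, 384, 521 };
    size_t i;
    for (i = 0; i < sizeof(known_bits) / sizeof(known_bits[0]); i++) {
        size_t nbytes = (known_bits[i] + 7) / 8;
        size_t expect = is_public ? 1 + 2 * nbytes : nbytes;
        if (key_len == expect) return known_bits[i];
    }
    return 0;
}
```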
F/845 - Variable shadowing cleanup in psa_copy_key (4647472)
F/857 - Reject wrapped AEAD multipart lengths (024cf0d)
F/856 - Zero key agreement secrets before free (436714a)
F/855 - Zero ECDH secret before free (a4f407d)
F/854 - Zero derived key buffer before free (3772e4d)
F/853 - Scrub PBKDF2 CMAC stack buffers (2138fbf)
F/852 - Scrub TLS 1.2 PSK premaster buffer (f35207c)
F/851 - Zero HKDF PRK stack buffer (4ff8496)
F/850 - Zero DES3 expanded keys after setup (f1d0585)
F/846 - Reject oversized PSA random requests (cecfc2a)
F/844 - Fix ECC key bit inference for non-byte-aligned curves (c48ec68)
F/843 - Fix ECC curve IDs for 192-bit and 224-bit curves (454e830)
F/849 - Zeroize generated keys after import (19d7da8)
F/848 - Zeroize volatile keys on destroy (f1e9958)
F/847 - Zeroize key data before freeing (aec0647)