decoder: skip foreign-OID keys before FIPS CAST#413
Open
ColtonWilley wants to merge 2 commits into
A decoder probed with a non-owned key instantiated a wolfCrypt key and fired that algorithm's lazy primitive-Z CAST before any OID check. Check the AlgorithmIdentifier OID and skip instantiation while the CAST is cold. Fixes the ~8s FIPS CMS/RSA-sign regression.
aidangarske previously approved these changes (Jun 24, 2026)
…decode race

Concurrent decoder probing under FIPS races wolfCrypt's lazy, non-thread-safe CASTs. Two manifestations, both fixed here:

- RSA: wp_rsa_base_new -> wc_InitRsaKey fires the gated RSA CAST from the decode path. Serialize it with WP_CHECK_FIPS_ALGO_PTR(WP_CAST_ALGO_RSA) at the top of the constructor (inside the is-running guard, mirroring wp_rsa_gen) so the KAT runs once under wolfProvider's mutex instead of racing a concurrent decode.

- DH/ECC: a foreign key reaching the wrong decoder is instantiated then freed, and the gated free (wc_FreeDhKey / wc_ecc_free) fires the primitive-Z CAST. Rework wp_decode_should_skip to treat the AlgorithmIdentifier OID as authoritative instead of trusting the decoder's format label: read the OID with both the PKCS#8 and SPKI readers, then skip only when it is positively a known key type owned by a different decoder (new global wp_known_key_nids[]). Raw material with no OID still proceeds, so legitimate type-specific inputs load. This is what keeps the DH/ECC primitive-Z CASTs cold during an RSA load.

Because the OID is now authoritative, wp_decode_should_skip no longer consults the format label; drop the unused format parameter from its signature and the three call sites.

Also relocate the DH CAST warm from the tops of wp_dh_decode_spki/_pki (which guarded ungated calls) to immediately before wc_DhAgree, the one gated call on the DH decode path.

Update the white-box should_skip test to match the new signature and to assert a well-formed foreign RSA SPKI is skipped regardless of the decoder's format label (OID over label).

Validated: make test green (incl. decode_oid_precheck), repro_tls 15/15, grpc client_ssl_test 10/10.
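The OID precheck the commit describes, as an added example that is not wolfProvider's code: a minimal DER walk pulls the AlgorithmIdentifier OID out of an SPKI or PKCS#8 blob without instantiating any key, and the decoder skips only when that OID positively names a key type owned by a different decoder, so input with no OID still proceeds. The type enum, the OID table and the function names are assumptions standing in for wp_known_key_nids[] and wp_decode_should_skip; the DER inputs in the checks are constructed.

```c
#include <stddef.h>
#include <string.h>
enum { KT_UNKNOWN = 0, KT_RSA, KT_EC, KT_DH };
/* Constructed table: DER OID value bytes of key types that have their own decoder. */
static const struct { int type; const char *oid; size_t len; } known_oids[] = {
    { KT_RSA, "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", 9 }, /* rsaEncryption  */
    { KT_EC,  "\x2a\x86\x48\xce\x3d\x02\x01",         7 }, /* id-ecPublicKey */
    { KT_DH,  "\x2a\x86\x48\x86\xf7\x0d\x01\x03\x01", 9 }, /* dhKeyAgreement */
};
/* Parse one DER TLV with the expected tag; return its content or NULL on mismatch. */
static const unsigned char *der_tlv(const unsigned char *p, const unsigned char *end, unsigned char tag, size_t *len)
{
    size_t n, k, i;
    if (p == NULL || end - p < 2 || p[0] != tag) return NULL;
    n = p[1]; p += 2;
    if (n & 0x80) {                     /* long-form length, up to 2 length bytes */
        k = n & 0x7f;
        if (k == 0 || k > 2 || (size_t)(end - p) < k) return NULL;
        for (n = 0, i = 0; i < k; i++) n = (n << 8) | *p++;
    }
    if ((size_t)(end - p) < n) return NULL;
    *len = n;
    return p;
}
/* Read the AlgorithmIdentifier OID of an SPKI or PKCS#8 blob without building a key;
 * KT_UNKNOWN means no recognisable OID (e.g. raw key material), not an error. */
int key_type_from_der(const unsigned char *der, size_t der_len)
{
    const unsigned char *end = der + der_len, *p, *alg, *oid;
    size_t len, alg_len, oid_len, i;
    if ((p = der_tlv(der, end, 0x30, &len)) == NULL || len == 0) return KT_UNKNOWN;
    end = p + len;
    if (p[0] == 0x02) {                 /* PKCS#8 starts with a version INTEGER: skip it */
        if ((alg = der_tlv(p, end, 0x02, &alg_len)) == NULL) return KT_UNKNOWN;
        p = alg + alg_len;
    }
    if ((alg = der_tlv(p, end, 0x30, &alg_len)) == NULL) return KT_UNKNOWN;
    if ((oid = der_tlv(alg, alg + alg_len, 0x06, &oid_len)) == NULL) return KT_UNKNOWN;
    for (i = 0; i < sizeof known_oids / sizeof known_oids[0]; i++)
        if (oid_len == known_oids[i].len && memcmp(oid, known_oids[i].oid, oid_len) == 0)
            return known_oids[i].type;
    return KT_UNKNOWN;
}
/* Skip only when the OID positively names a key type owned by a different decoder;
 * with no OID the decoder proceeds, so type-specific raw inputs still load. */
int decode_should_skip(int my_type, const unsigned char *der, size_t der_len)
{
    int t = key_type_from_der(der, der_len);
    return t != KT_UNKNOWN && t != my_type;
}
```

The lazy CAST is never reached for a foreign blob because the decision is made on bytes alone, before any wolfCrypt key object exists.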
In FIPS, loading a key probes every keytype decoder and each instantiates a wolfCrypt key, firing that algorithm's lazy primitive-Z CAST (~150ms+) before any OID check. The decoder now checks the wrapped AlgorithmIdentifier OID and skips instantiation when the key is foreign and the CAST is still cold. Fixes the ~8s FIPS CMS/RSA-sign regression. Includes a FIPS regression test.