From d1c321abdc0f1b6fcd029a6305461b59bb39b95b Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 12 Nov 2025 17:10:45 +0100
Subject: [PATCH 1/3] Don't override errors when blinding the priv key
---
 src/ssl_load.c | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/src/ssl_load.c b/src/ssl_load.c
index 95af6d4f6..bb14cbef3 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -1354,26 +1354,31 @@ static int ProcessBufferPrivateKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
 #endif /* WOLFSSL_ENCRYPTED_KEYS && !NO_PWDBASED */
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
+ {
+ int blindRet = 0;
 #ifdef WOLFSSL_DUAL_ALG_CERTS
- if (type == ALT_PRIVATEKEY_TYPE) {
+ if (type == ALT_PRIVATEKEY_TYPE) {
+ if (ssl != NULL) {
+ blindRet = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
+ &ssl->buffers.altKeyMask);
+ }
+ else {
+ blindRet = wolfssl_priv_der_blind(NULL, ctx->altPrivateKey,
+ &ctx->altPrivateKeyMask);
+ }
+ }
+ else
+#endif
 if (ssl != NULL) {
- ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
- &ssl->buffers.altKeyMask);
+ blindRet = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
+ &ssl->buffers.keyMask);
 }
 else {
- ret = wolfssl_priv_der_blind(NULL, ctx->altPrivateKey,
- &ctx->altPrivateKeyMask);
+ blindRet = wolfssl_priv_der_blind(NULL, ctx->privateKey,
+ &ctx->privateKeyMask);
- }
- else
-#endif
- if (ssl != NULL) {
- ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
- &ssl->buffers.keyMask);
- }
- else {
- ret = wolfssl_priv_der_blind(NULL, ctx->privateKey,
- &ctx->privateKeyMask);
+ if (ret == 0 && blindRet != 0)
+ ret = blindRet;
 }
 #endif
From 4b7c052ee925ffa60fb1a878c7fefd3edddb881c Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 12 Nov 2025 17:11:18 +0100
Subject: [PATCH 2/3] test_wolfSSL_inject: don't call accept on completed handshake
---
 tests/api.c | 52 ++++++++++++++++++++++++++++++++--------------------
 1 file changed, 32 insertions(+), 20 deletions(-)
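Review bot: The blinding call in this hunk still runs when an earlier step has already set `ret` to an error, and on that path a non-zero `blindRet` is discarded without any trace by the `if (ret == 0 && blindRet != 0)` merge at the bottom. If the key buffers can be unset or partially filled after a failed load, guarding the whole `#ifdef WOLFSSL_BLIND_PRIVATE_KEY` block with `if (ret == 0) { ... }` would avoid blinding a key that was never loaded and would turn the merge into a plain `ret = blindRet;`; whether wolfssl_priv_der_blind tolerates an unset buffer is not visible here, so that should be confirmed rather than assumed. A one-line comment above the merge, e.g. `/* keep the earlier load error; a blinding failure is reported only on an otherwise clean load */`, would state the precedence the commit title describes. ProcessBufferPrivateKey begins and ends outside the hunk.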
diff --git a/tests/api.c b/tests/api.c
index 64fa90fdd..30dacdc7b 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -50626,6 +50626,8 @@ static int test_wolfSSL_inject(void)
 struct test_memio_ctx test_ctx;
 WOLFSSL_ALERT_HISTORY h;
 int rounds;
+ int hs_c = 0;
+ int hs_s = 0;
 printf("Testing %s\n", params[i].tls_version);
@@ -50635,31 +50637,41 @@ static int test_wolfSSL_inject(void)
 params[i].client_meth, params[i].server_meth), 0);
 for (rounds = 0; rounds < 10 && EXPECT_SUCCESS(); rounds++) {
- wolfSSL_SetLoggingPrefix("client");
- if (wolfSSL_negotiate(ssl_c) != 1) {
- ExpectIntEQ(wolfSSL_get_error(ssl_c, -1),
- WOLFSSL_ERROR_WANT_READ);
+ if (!hs_c) {
+ wolfSSL_SetLoggingPrefix("client");
+ if (wolfSSL_negotiate(ssl_c) != 1) {
+ ExpectIntEQ(wolfSSL_get_error(ssl_c, -1),
+ WOLFSSL_ERROR_WANT_READ);
+ }
+ else
+ hs_c = 1;
 }
- wolfSSL_SetLoggingPrefix("server");
- if (test_ctx.s_len > 0) {
- ExpectIntEQ(wolfSSL_inject(ssl_s, test_ctx.s_buff,
- test_ctx.s_len), 1);
- test_memio_clear_buffer(&test_ctx, 0);
+ if (!hs_s) {
+ wolfSSL_SetLoggingPrefix("server");
+ if (test_ctx.s_len > 0) {
+ ExpectIntEQ(wolfSSL_inject(ssl_s, test_ctx.s_buff,
+ test_ctx.s_len), 1);
+ test_memio_clear_buffer(&test_ctx, 0);
+ }
+ if (wolfSSL_negotiate(ssl_s) != 1) {
+ ExpectIntEQ(wolfSSL_get_error(ssl_s, -1),
+ WOLFSSL_ERROR_WANT_READ);
+ }
+ else
+ hs_s = 1;
 }
- if (wolfSSL_negotiate(ssl_s) != 1) {
- ExpectIntEQ(wolfSSL_get_error(ssl_s, -1),
- WOLFSSL_ERROR_WANT_READ);
- }
- wolfSSL_SetLoggingPrefix("client");
- if (test_ctx.c_len > 0) {
- ExpectIntEQ(wolfSSL_inject(ssl_c, test_ctx.c_buff,
- test_ctx.c_len), 1);
- test_memio_clear_buffer(&test_ctx, 1);
+ if (!hs_c) {
+ wolfSSL_SetLoggingPrefix("client");
+ if (test_ctx.c_len > 0) {
+ ExpectIntEQ(wolfSSL_inject(ssl_c, test_ctx.c_buff,
+ test_ctx.c_len), 1);
+ test_memio_clear_buffer(&test_ctx, 1);
+ }
 }
 wolfSSL_SetLoggingPrefix(NULL);
 }
- ExpectIntEQ(wolfSSL_negotiate(ssl_c), 1);
- ExpectIntEQ(wolfSSL_negotiate(ssl_s), 1);
+ ExpectIntEQ(hs_c, 1);
+ ExpectIntEQ(hs_s, 1);
 wolfSSL_free(ssl_c);
 wolfSSL_free(ssl_s);
From 32911dc6b845c18001b83dd7f238865789ce5287 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 12 Nov 2025 17:11:34 +0100
Subject: [PATCH 3/3] Add blinding to CI
---
 .github/workflows/os-check.yml | 1 +
 1 file changed, 1 insertion(+)
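Review bot: The loop in this hunk keeps iterating until `rounds` reaches 10 after both `hs_c` and `hs_s` are set, so the tail iterations only toggle the logging prefix and the final `ExpectIntEQ(hs_c, 1)` / `ExpectIntEQ(hs_s, 1)` cannot tell a handshake that finished early from one that needed the whole budget; adding `if (hs_c && hs_s) break;` as the last statement of the loop body makes 10 a real upper bound. The 10 is otherwise a bare magic number; a short comment above the `for`, e.g. `/* each round moves at most one flight per direction; 10 exceeds any handshake in params[] */`, would tell the next reader why it is sufficient. test_wolfSSL_inject begins and ends outside the hunk.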
diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml
index 4068d34f5..9d1761673 100644
--- a/.github/workflows/os-check.yml
+++ b/.github/workflows/os-check.yml
@@ -64,6 +64,7 @@ jobs:
 '--enable-dtls --enable-dtls13 --enable-ocspstapling --enable-ocspstapling2 --enable-cert-setup-cb --enable-sessioncerts',
 '--disable-sni --disable-ecc --disable-tls13 --disable-secure-renegotiation-info',
+ 'CPPFLAGS=-DWOLFSSL_BLIND_PRIVATE_KEY',
 ]
 name: make check
 if: github.repository_owner == 'wolfssl'
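Review bot: The new matrix entry builds blinding only under the default configure options, so the `WOLFSSL_DUAL_ALG_CERTS` branch that the first patch in this series rewrites (the `ALT_PRIVATEKEY_TYPE` path in src/ssl_load.c) is not compiled or exercised by this job. A second entry that combines `CPPFLAGS=-DWOLFSSL_BLIND_PRIVATE_KEY` with the dual-algorithm-certificate configure option would cover both halves of that change; which option name applies is not visible on this page. A trailing comment on the added line, e.g. `# exercises the private-key blinding path`, would also explain to the next reader why a bare CPPFLAGS entry sits among configure flags.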