From 58d3d8428095dc184f0455092f88e757116014b8 Mon Sep 17 00:00:00 2001
From: Mark Atwood
Date: Thu, 30 Apr 2026 11:04:27 -0700
Subject: [PATCH 1/2] fix: EVP_CIPHER_iv_length returns 0 for CFB/OFB modes
---
 tests/api/test_evp_cipher.c | 44 +++++++++++++++++++++++++++++
 wolfcrypt/src/evp.c | 55 +++++++++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
diff --git a/tests/api/test_evp_cipher.c b/tests/api/test_evp_cipher.c
index 1e88da9979c..13649c88829 100644
--- a/tests/api/test_evp_cipher.c
+++ b/tests/api/test_evp_cipher.c
@@ -501,6 +501,28 @@ int test_wolfSSL_EVP_CIPHER_iv_length(void)
 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
 NID_chacha20_poly1305,
 #endif
+ #ifdef WOLFSSL_AES_CFB
+ #ifdef WOLFSSL_AES_128
+ NID_aes_128_cfb128,
+ #endif
+ #ifdef WOLFSSL_AES_192
+ NID_aes_192_cfb128,
+ #endif
+ #ifdef WOLFSSL_AES_256
+ NID_aes_256_cfb128,
+ #endif
+ #endif /* WOLFSSL_AES_CFB */
+ #ifdef WOLFSSL_AES_OFB
+ #ifdef WOLFSSL_AES_128
+ NID_aes_128_ofb,
+ #endif
+ #ifdef WOLFSSL_AES_192
+ NID_aes_192_ofb,
+ #endif
+ #ifdef WOLFSSL_AES_256
+ NID_aes_256_ofb,
+ #endif
+ #endif /* WOLFSSL_AES_OFB */
 };
 int iv_lengths[] = {
 #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)
@@ -546,6 +568,28 @@ int test_wolfSSL_EVP_CIPHER_iv_length(void)
 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
 CHACHA20_POLY1305_AEAD_IV_SIZE,
 #endif
+ #ifdef WOLFSSL_AES_CFB
+ #ifdef WOLFSSL_AES_128
+ AES_BLOCK_SIZE,
+ #endif
+ #ifdef WOLFSSL_AES_192
+ AES_BLOCK_SIZE,
+ #endif
+ #ifdef WOLFSSL_AES_256
+ AES_BLOCK_SIZE,
+ #endif
+ #endif /* WOLFSSL_AES_CFB */
+ #ifdef WOLFSSL_AES_OFB
+ #ifdef WOLFSSL_AES_128
+ AES_BLOCK_SIZE,
+ #endif
+ #ifdef WOLFSSL_AES_192
+ AES_BLOCK_SIZE,
+ #endif
+ #ifdef WOLFSSL_AES_256
+ AES_BLOCK_SIZE,
+ #endif
+ #endif /* WOLFSSL_AES_OFB */
 };
 int i;
 int nidsLen = (sizeof(nids)/sizeof(int));
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index 40bca5578f2..5fc22650e01 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
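Review bot: The entries added to `nids[]` here, and the matching `iv_lengths[]` entries in the second hunk at -546, cover only the CFB128 and OFB NIDs, so the CFB1 and CFB8 branches that this same patch adds to wolfSSL_EVP_CIPHER_iv_length are not exercised by the test. The two arrays stay index-aligned only because the same `#ifdef` ladder is duplicated in both, so a guard edited in one list but not the other would silently compare a NID against the wrong length; a comment above them such as `/* nids[] and iv_lengths[] are parallel: keep the #ifdef ladders identical */` would make that explicit. The loop that consumes the arrays is outside both hunks. Since the 2/2 commit message reports that a NULL result from EVP_get_cipherbynid crashed this test, it is worth confirming that the loop checks the lookup result before passing it to EVP_CIPHER_iv_length.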
@@ -9960,6 +9960,61 @@ int wolfSSL_EVP_CIPHER_iv_length(const WOLFSSL_EVP_CIPHER* cipher)
 #endif /* WOLFSSL_AES_256 */
 #endif /* WOLFSSL_AES_XTS && (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,3)) */
+#ifdef WOLFSSL_AES_OFB
+ #ifdef WOLFSSL_AES_128
+ if (XSTRCMP(name, EVP_AES_128_OFB) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+ #ifdef WOLFSSL_AES_192
+ if (XSTRCMP(name, EVP_AES_192_OFB) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+ #ifdef WOLFSSL_AES_256
+ if (XSTRCMP(name, EVP_AES_256_OFB) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+#endif /* WOLFSSL_AES_OFB */
+#ifdef WOLFSSL_AES_CFB
+#ifndef WOLFSSL_NO_AES_CFB_1_8
+ #ifdef WOLFSSL_AES_128
+ if (XSTRCMP(name, EVP_AES_128_CFB1) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+ #ifdef WOLFSSL_AES_192
+ if (XSTRCMP(name, EVP_AES_192_CFB1) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+ #ifdef WOLFSSL_AES_256
+ if (XSTRCMP(name, EVP_AES_256_CFB1) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+ #ifdef WOLFSSL_AES_128
+ if (XSTRCMP(name, EVP_AES_128_CFB8) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+ #ifdef WOLFSSL_AES_192
+ if (XSTRCMP(name, EVP_AES_192_CFB8) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+ #ifdef WOLFSSL_AES_256
+ if (XSTRCMP(name, EVP_AES_256_CFB8) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+#endif /* !WOLFSSL_NO_AES_CFB_1_8 */
+ #ifdef WOLFSSL_AES_128
+ if (XSTRCMP(name, EVP_AES_128_CFB128) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+ #ifdef WOLFSSL_AES_192
+ if (XSTRCMP(name, EVP_AES_192_CFB128) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+ #ifdef WOLFSSL_AES_256
+ if (XSTRCMP(name, EVP_AES_256_CFB128) == 0)
+ return WC_AES_BLOCK_SIZE;
+ #endif
+#endif /* WOLFSSL_AES_CFB */
+
 #endif
 #ifdef HAVE_ARIA
 if (XSTRCMP(name, EVP_ARIA_128_GCM) == 0)
From f9d6a0339ff176bbf6d881c0b6655a7ace3cb633 Mon Sep 17 00:00:00 2001
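Review bot: No NULL guard is visible ahead of the added `XSTRCMP(name, ...)` comparisons, and the 2/2 commit message reports that EVP_CIPHER_iv_length(NULL) segfaulted. The function's opening lines are outside this hunk, so confirm whether `cipher` is checked there; if it is not, add `if (cipher == NULL) return 0;` at the top rather than relying on every caller's lookup succeeding. It would also help to record why the return value matters: per the subject line these modes previously reported an IV length of 0, and a caller that sizes or generates its IV from this value would then run CFB/OFB without a fresh IV, which risks keystream reuse under a repeated key. A comment above the new block such as `/* CFB and OFB take a full-block IV; a 0 here would let callers skip IV setup */` would capture that.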
From: Mark Atwood
Date: Thu, 30 Apr 2026 13:57:51 -0700
Subject: [PATCH 2/2] fix: add CFB128 and OFB cases to wolfSSL_EVP_get_cipherbynid
The iv_length test used EVP_get_cipherbynid(NID_aes_128_cfb128) which returned NULL because the switch had no CFB128 or OFB cases, causing a segfault in EVP_CIPHER_iv_length(NULL).
---
 wolfcrypt/src/evp.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index 5fc22650e01..a4b5ac4365d 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -5674,6 +5674,34 @@ const WOLFSSL_EVP_CIPHER *wolfSSL_EVP_get_cipherbynid(int id)
 return wolfSSL_EVP_aes_256_ccm();
 #endif
 #endif
+ #ifdef WOLFSSL_AES_OFB
+ #ifdef WOLFSSL_AES_128
+ case WC_NID_aes_128_ofb:
+ return wolfSSL_EVP_aes_128_ofb();
+ #endif
+ #ifdef WOLFSSL_AES_192
+ case WC_NID_aes_192_ofb:
+ return wolfSSL_EVP_aes_192_ofb();
+ #endif
+ #ifdef WOLFSSL_AES_256
+ case WC_NID_aes_256_ofb:
+ return wolfSSL_EVP_aes_256_ofb();
+ #endif
+ #endif /* WOLFSSL_AES_OFB */
+ #ifdef WOLFSSL_AES_CFB
+ #ifdef WOLFSSL_AES_128
+ case WC_NID_aes_128_cfb128:
+ return wolfSSL_EVP_aes_128_cfb128();
+ #endif
+ #ifdef WOLFSSL_AES_192
+ case WC_NID_aes_192_cfb128:
+ return wolfSSL_EVP_aes_192_cfb128();
+ #endif
+ #ifdef WOLFSSL_AES_256
+ case WC_NID_aes_256_cfb128:
+ return wolfSSL_EVP_aes_256_cfb128();
+ #endif
+ #endif /* WOLFSSL_AES_CFB */
 #endif
 #ifdef HAVE_ARIA
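Review bot: The added cases resolve only OFB and CFB128, while patch 1/2 also taught wolfSSL_EVP_CIPHER_iv_length about the CFB1 and CFB8 names, so the two functions now disagree on which CFB variants they know. If NIDs for those variants are defined, a lookup for them presumably still falls through to the switch's default, which is outside this hunk, and returns NULL, the same condition the commit message says ended in a segfault. Either add the matching cases under `#ifndef WOLFSSL_NO_AES_CFB_1_8`, or leave a comment inside the `WOLFSSL_AES_CFB` block such as `/* CFB1/CFB8 are intentionally not resolvable by NID */` so the gap reads as deliberate.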