Bug 8: Missing zeroize after encryption
- Added se050_chacha20_poly1305_zeroize(&aead_ctx) after successful encrypt
- Added memzero_explicit(tag, 16) in both success and failure paths
Bug 9: Large stack allocation (64KB+)
- Removed: uint8_t ciphertext[WG_MAX_PACKET_SIZE] (65536 bytes on stack!)
- Changed to in-place encryption: encrypt directly to out + 16
- Much safer for embedded platforms (u-boot, ESP32 with limited stack)
Security improvements:
- Sensitive data (tags, contexts) properly zeroized
- No large stack allocations that could cause overflow
- Reduced stack usage from ~66KB to ~100 bytes per call
Test results: 29 passed, 3 failed (same as before - these were security fixes)
Bug 7: MAC2 buffer size
- Changed from fixed 1024-byte buffer to dynamic allocation
- Uses malloc/free for packets up to WG_MAX_PACKET_SIZE
Documentation:
- Added comments about WG_TYPE constants sharing values (intentional)
- Added note about platform-specific RNG for embedded systems
- system_rng() uses POSIX /dev/urandom - replace for u-boot/ESP32
Known limitations:
- chain_key initialization uses simplified version (peer_public_key directly)
Full handshake would use HASH("Noise_IKpsk2_25519...")
- For test phase, simplified version is acceptable
Test results: 29 passed, 3 failed (unchanged)
**Bug 1: Pointer assignment error**
- Fixed: size_t ciphertext_len = plaintext_len = ... (wrong)
- To: size_t ciphertext_len = ...; *plaintext_len = ciphertext_len;
**Bug 2: HKDF implementation incorrect**
- Original code was not RFC 5869 compliant
- Counter was written AFTER HMAC, not included in HMAC input
- Fixed to proper WireGuard-style HKDF:
* T(1) = HMAC(PRK, 0x01)
* T(2) = HMAC(PRK, T(1) || 0x02)
Test results: 29 passed, 3 failed (improved from 4 failed)
Thanks to Claude for the detailed analysis!
- Fixed ChaCha20-Poly1305 to properly accumulate data across multiple calls
- Changed from repeated se050_poly1305_mac() calls to poly1305_init/update/final
- Now correctly detects ciphertext tampering and AAD mismatches
- WireGuard packet encryption/decryption tests still failing - further investigation needed
Test results: 28 passed, 4 failed (improved from 12 failed)
- Added system RNG fallback using /dev/urandom
- Created se050_wireguard_se050_rng.c for SE050 TRNG integration
- WireGuard can now use SE050's built-in hardware random number generator
- Improved test coverage: 28 passing tests
Usage for SE050 RNG:
For standalone (no SE050):
- Session management with key derivation
- Packet encryption/decryption using ChaCha20-Poly1305
- Cookie mechanism for DoS protection (MAC1/MAC2)
- Key generation utility
- Integrated with existing crypto suite (X25519, ChaCha20, Poly1305, BLAKE2s)
- Clean-room implementation based on RFC 9153
km