- Add support for extracting hash type from PBES2 parameters
- Handle both WOLFSSL_ASN_TEMPLATE and original ASN implementations
- Return ASN_PARSE_E if hash type cannot be determined
- Add proper error handling and messages
Co-Authored-By: lealem@wolfssl.com <lealem@wolfssl.com>
Matrix A is expensive to calculate.
Usage of ML-KEM/Kyber is
1. First peer generates a key and sends public to second peer.
2. Second peer encapsulates secret with public key and sends to first
peer.
3. First peer decapsulates (including encapsulating to ensure same as
seen) with key from key generation.
Caching A keeps the matrix A for encapsulation part of decapsulation.
The matrix needs to be transposed for encapsulation.
AES-GCM: don't generate M0 when using assembly unless falling back to C
and then use new assembly code.
HMAC: add option to copy hashes (--enable-hash-copy
-DWOLFSSL_HMAC_COPY_HASH) to improve performance when using the same key
for multiple operations.
XOR in random value to scalar and perform special scalar multiplication.
Multiply x3 and z3 by random value to randomize co-ordinates.
Add new APIs to support passing in an RNG.
Old APIs create a new RNG.
Only needed for the C implementations that are not small.
Modified TLS and OpenSSL compat API implementations to pass in RNG.
Fixed tests and benchmark program to pass in RNG.
Adds two features for SE050:
1. `WOLFSSL_SE050_AUTO_ERASE`. When enabled, this will automatically
erase a key from the SE050 when `wc_ecc_free()` and friends are
called.
2. `WOLFSSL_SE050_NO_RSA`. This stops RSA offloading onto the SE050,
useful for the SE050E which does not have RSA support.
AES-GCM: don't generate M0 when using assembly unless falling back to C
and then use new assembly code.
HMAC: add option to copy hashes (--enable-hash-copy
-DWOLFSSL_HMAC_COPY_HASH) to improve performance when using the same key
for multiple operations.
The SE050 port won't compile in the latest wolfSSL. This patch:
* Updates the documentation
* Fixes a missing `#ifdef` that breaks the build
* Changes the use of `mp_int` to `MATH_INT_T`
* Fixes compiler error with `ecc.c`
* Adds a tiny bit of extra debugging info
* Correct cmake script to support Open Watcom toolchain (#8167)
* Fix thread start callback prototype for Open Watcom toolchain (#8175)
* Added GitHub CI action for Windows/Linux/OS2
* Improvements for C89 compliance.
Thank you @jmalak for your contributions.
in wolfcrypt/src/coding.c, add ALIGN64 to hexDecode[], and add hexEncode[] for use by Base16_Encode();
in wolfcrypt/src/misc.c and wolfssl/wolfcrypt/misc.h:
move ctMask*() up so that min() and max() can use them, and add ctMaskWord32GTE();
add ALIGN64 to kHexChar[];
add CT implementation of CharIsWhiteSpace();
remove min_size_t() and max_size_t() recently added, but only one user (refactored).
Implemented based on the NIST Initial Public Draft "NIST SP 800-232 ipd". Testing based on KAT's available at https://github.com/ascon/ascon-c. Added configuration for testing in github action.
Fix spaces at start of copyright line in .asm files.
Changed generation of X25519 and Ed448 code to better match changes
already in C code. Fixed formatting in places.
change Buffers.prevSent and .plainSz from int to word32;
change SendData() sz arg from int sz to size_t sz;
add asserts in SendData() and ReceiveData() to prevent sz > INT_MAX (assuring no overflow internally or in the returned int).
wolfssl/ssl.h and src/ssl.c:
change WOLFSSL_BUFFER_INFO.length from unsigned int to word32 (no functional change, just for consistency);
add wolfSSL_write_internal(), refactor wolfSSL_write() to call it, and fix wolfSSL_write_ex() to take size_t sz, not int sz.
fix internal functions wolfSSL_read_internal() and ReceiveData() to likewise accept size_t sz;
add negative sz checks where needed to other functions that call wolfSSL_read_internal() and ReceiveData();
add min_size_t() and max_size_t() to misc.c/misc.h.
- Support using MAXQ for:
- AES-ECB
- AES-CCM
- AES-CBC
- ECC Key Generation and ECDH
- in wc_ecc_import_private_key_ex():
- check to make sure devId is not invalid before calling wc_MAXQ10XX_EccSetKey().
- This is because the raspberry pi sometimes need to sign stuff.
- in aes_set_key() and ecc_set_key():
- delete a key in case it already exists; ignore error since it might not exist.
- unlock, lock the HW mutex around ECDSA_sign() because it needs access to rng
- in wolfSSL_MAXQ10XX_CryptoDevCb:
- allow maxq1065 to call the crypto callback.
- do not set the key during signing; use pre provisioned one instead (DEVICE_KEY_PAIR_OBJ_ID)
Add assembly for Poly1305 using ARM32 NEON instruction set.
For Poly1305 ARM32 Base:
Change name from poly1305_blocks_arm32_16 to poly1305_arm32_blocks_16
poly1305.c:
ARM32 NEON - buffer up to 4 blocks
x86_64 - only calculate powers of r once after key is set.
test.c: poly1305 testing with multiple updates.
benchmark: chacha20-poly1305 now uses AAD
0-return from quic_record_append is an error. `quic_record_complete(qr) || len == 0` is not an error condition. We should return as normal on success.
The issue is that passing in buffers with length 1 then 3 causes `qr_length` (in `quic_record_make`) to return 0. Then when `quic_record_append` gets called the `len` gets consumed by the first `if` and `len == 0` is true. This causes the error return which is not correct behaviour.
Reported in https://github.com/wolfSSL/wolfssl/issues/8156. Reproducing is a bit tricky. I couldn't get the docker to work.
First setup ngtcp2 as described in https://github.com/ngtcp2/ngtcp2/pkgs/container/ngtcp2-interop. The Relevant steps are (I tested with master/main branches of all libs):
```
$ git clone --depth 1 -b v5.7.4-stable https://github.com/wolfSSL/wolfssl
$ cd wolfssl
$ autoreconf -i
$ # For wolfSSL < v5.6.6, append --enable-quic.
$ ./configure --prefix=$PWD/build \
--enable-all --enable-aesni --enable-harden --enable-keylog-export \
--disable-ech
$ make -j$(nproc)
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
--with-wolfssl
$ make -j$(nproc) check
```
Download and unzip https://github.com/user-attachments/files/17621329/failing.pcap.zip
From the ngtcp2 dir:
```
./examples/wsslserver 127.0.0.1 44433 /path/to/wolfssl/certs/server-key.pem /path/to/wolfssl/certs/server-cert.pem
```
Then run the following python script (`failing.pcap` has to be available in the running dir) (probably needs to be run as `sudo`):
```
from scapy.utils import rdpcap, PcapNgReader
from scapy.all import *
reader = PcapNgReader("failing.pcap")
for i in reader:
p = i[IP]
p.dport = 44433
p.dst = "127.0.0.1"
p[UDP].chksum=0
p.display()
send(p)
```
Then observe the log line:
```
I00000000 0xa48accb7b49ec1556ac7111c64d3a4572a81 frm tx 625216795 Initial CONNECTION_CLOSE(0x1c) error_code=CRYPTO_ERROR(0x100) frame_type=0 reason_len=0 reason=[]
```
You can also use `gdb` and place a break inside the following section in `wolfssl/src/quic.c`.
```
if (quic_record_complete(qr) || len == 0) {
return 0;
}
```
The server was checking ssl->extensions which will always have an entry for TLSX_SIGNATURE_ALGORITHMS
as it is unconditionally added by TLSX_PopulateExtensions earlier in the DoTls13ClientHello function.
Instead, check args->clSuites->hashSigAlgoSz which is only set if signature_algorithms is found and parsed by TLSX_Parse.
This reverts commit bc12dad041.
This commit broke builds that combine QUIC and PQ -- known failures are pq-all-valgrind-unittest, pq-hybrid-all-rpk, pq-hybrid-all-rpk-valgrind-unittest, quantum-safe-wolfssl-all-gcc-latest, quantum-safe-wolfssl-all-g++-latest, quantum-safe-wolfssl-all-fortify-source-asm, quantum-safe-wolfssl-all-fortify-source-asm-noasm, and quantum-safe-wolfssl-all-intelasm-sp-asm-valgrind.
Note that the unit.test asserts added by this commit fail both before and after reversion.
wolfcrypt/src/integer.c: add additional guards against OOB access from uint wraps and null derefs of mp_int.dp, and refactor mp_grow() and mp_init_size() to use XMEMSET, for the benefit of clang-tidy. in mp_grow(), fix the condition for the realloc to assure always evaluated if a->alloc == 0.
wolfcrypt/src/asn.c: fix wc_CreatePKCS8Key() so that *outSz is always assigned when LENGTH_ONLY_E is returned.
wolfcrypt/src/pkcs7.c: remove redundant inner condition in wc_PKCS7_EncodeAuthEnvelopedData(), added in previous commit and caught on review by Jacob (thanks!).
wolfcrypt/src/sp_int.c: in sp_mont_norm(), add another suppression for the same false positive in sp_mul() suppressed in previous commit.
wolfcrypt/src/srp.c: refactor SrpHashSize() to return ALGO_ID_E rather than 0 when unknown/uncompiled alg is requested.
several fixes for defects reported by cppcheck:
wolfcrypt/src/ecc.c: fix for cppcheck oppositeInnerCondition from cppcheck-2.16.0 in _ecc_make_key_ex(), and fixes for related unhandled errors discovered by manual inspection;
wolfcrypt/test/test.c: fix XREALLOC call in memcb_test() to resolve cppcheck-detected memleak.
Plus fix location of the certificate files in the examples.
Tested with both Ada examples:
```
obj/tls_server_main --psk
obj/tls_client_main 127.0.0.1 --psk
```
0-return from quic_record_append is an error. `quic_record_complete(qr) || len == 0` is not an error condition. We should return as normal on success.
The issue is that passing in buffers with length 1 then 3 causes `qr_length` (in `quic_record_make`) to return 0. Then when `quic_record_append` gets called the `len` gets consumed by the first `if` and `len == 0` is true. This causes the error return which is not correct behaviour.
Reported in https://github.com/wolfSSL/wolfssl/issues/8156. Reproducing is a bit tricky. I couldn't get the docker to work.
First setup ngtcp2 as described in https://github.com/ngtcp2/ngtcp2/pkgs/container/ngtcp2-interop. The Relevant steps are (I tested with master/main branches of all libs):
```
$ git clone --depth 1 -b v5.7.4-stable https://github.com/wolfSSL/wolfssl
$ cd wolfssl
$ autoreconf -i
$ # For wolfSSL < v5.6.6, append --enable-quic.
$ ./configure --prefix=$PWD/build \
--enable-all --enable-aesni --enable-harden --enable-keylog-export \
--disable-ech
$ make -j$(nproc)
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
--with-wolfssl
$ make -j$(nproc) check
```
Download and unzip https://github.com/user-attachments/files/17621329/failing.pcap.zip
From the ngtcp2 dir:
```
./examples/wsslserver 127.0.0.1 44433 /path/to/wolfssl/certs/server-key.pem /path/to/wolfssl/certs/server-cert.pem
```
Then run the following python script (`failing.pcap` has to be available in the running dir) (probably needs to be run as `sudo`):
```
from scapy.utils import rdpcap, PcapNgReader
from scapy.all import *
reader = PcapNgReader("failing.pcap")
for i in reader:
p = i[IP]
p.dport = 44433
p.dst = "127.0.0.1"
p[UDP].chksum=0
p.display()
send(p)
```
Then observe the log line:
```
I00000000 0xa48accb7b49ec1556ac7111c64d3a4572a81 frm tx 625216795 Initial CONNECTION_CLOSE(0x1c) error_code=CRYPTO_ERROR(0x100) frame_type=0 reason_len=0 reason=[]
```
You can also use `gdb` and place a break inside the following section in `wolfssl/src/quic.c`.
```
if (quic_record_complete(qr) || len == 0) {
return 0;
}
```
- Add comments for the PSK value in the example.
- Add runtime argument for executing the PSK test.
- Warn user that their callback implementation can't be in the SPARK subset.
wolfcrypt/test/test.c: in dh_ffdhe_test(), when defined(HAVE_PUBLIC_FFDHE), use wc_DhSetKey_ex() rather than wc_DhSetKey() to exercise the primality check in _DhSetKey().
Tested with:
`wolfSSL/wolfssl-examples/psk/server-psk.c`
after changing `DTLSv1_3_Client_Method` to `DTLSv1_2_Client_Method` to comply with the server example.
AES GCM streaming - fix GHASH_ONE_BLOCK to use CPU feature information.
AES-GCM uses EOR3 (SHA-3 instruction) - split assembly code.
Kyber uses SQRDMLSH - split assembly code.
Changed define from WOLFSSL_AARCH64_NO_SQRMLSH to
WOLFSSL_AARCH64_NO_SQRDMLSH to match instruction.
Improved array data format for inline assembly code.
add wolfssl_no_resume flag to openssl.test
check for version of openssl testing against
check if RSA is supported for test case
guard on test case for TLS versions supported
test.c: Dilithium private key not available in cert_test.h unless
signing is enabled.
./configure --disable-shared --enable-dilithium=make,44,65,87
./configure --disable-shared --enable-dilithium=make,sign,44,65,87
./configure --disable-shared --enable-dilithium=make,verify,44,65,87
test.c: Dilithium doesn't have decode/encode when
WOLFSSL_DILITHIUM_NO_ASN1 is defined.
./configure --disable-shared --enable-dilithium=yes
CFLAGS=-DWOLFSSL_DILITHIUM_NO_ASN1
Automated replacement with
```
git ls-files -z wolfcrypt/src/port/ IDE/ | xargs -0 pcre2grep -l '[^_]AES_BLOCK_SIZE' | xargs sed --regexp-extended --in-place 's/([^_])AES_BLOCK_SIZE/\1WC_AES_BLOCK_SIZE/g'
```
Checked for mis-transformations with
```
git ls-files -z | xargs -0 pcre2grep '[^-[()+*/[:space:]]WC_AES_BLOCK_SIZE' | less
```
Checked for residual hits with
```
git ls-files -z | xargs -0 pcre2grep '[^_]AES_BLOCK_SIZE' | less
```
Deliberately excluded:
* ChangeLog.md -- do not alter history.
* doc/ -- do not confuse documentation with newly prefixed macro, because AES_BLOCK_SIZE is available unless -DOPENSSL_COEXIST.
* tests/api.c -- the unit tests deliberately use compatibility names, and are not compatible with -DOPENSSL_COEXIST.
* wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs -- false positive hits on C# names.
* wrapper/CSharp/wolfCrypt-Test/wolfCrypt-Test.cs -- false positive hits on C# names.
* reference in wolfssl/wolfcrypt/aes.h that defines AES_BLOCK_SIZE when -UOPENSSL_COEXIST.
* reference in wolfssl/wolfcrypt/settings.h that defines WC_AES_BLOCK_SIZE for old FIPS when -UWC_AES_BLOCK_SIZE.
When no AVX2 available, kyber_prf() is called to produce more than one
SHAKE-256 blocks worth of ouput. Otherwise only one block is needed.
Changed function to support an outlen of greater than one block.
src/x509.c: wolfssl_x509_name_entry_set() ne->object is freed if call to
wolfSSL_OBJ_nid2obj_ex() fails. Always assign directly back to
ne->object.
wolfcrypt/test/test.c: aes_ctr_test() doesn't need AES decrypt
./configure '--disable-shared' '--enable-cryptonly'
'CFLAGS=-DNO_AES_DECRYPT' '--disable-aescbc' '--disable-aesofb'
'--disable-aescfb' '--disable-aesgcm' '--disable-aesccm'
'--enable-aesctr' '--disable-aesxts' '--disable-aeseax'
tests/api.c: test_X509_STORE_InvalidCa() only defined when !NO_RSA
./configure '--disable-shared' '--enable-opensslall' '--disable-rsa'
tests/api.c: test_wolfSSL_GENERAL_NAME_print() free ridObj if not
assigned into gn.
Interrupted connection should return control to the user since they may want to handle the signal that caused the interrupt. Otherwise, we might never give back control to the user (the timeout would error out but that causes a big delay).
socat.yml: in test 475, the test would send a SIGTERM after 3 seconds. We would continue to ignore this signal and continue to call `recvfrom`. Instead we should error out and give control back to the user.
- wolfDTLS_accept_stateless - statelessly listen for incoming connections
- wolfSSL_inject - insert data into WOLFSSL object
- wolfSSL_SSL(Enable|Disable)Read - enable/disable reading from IO
- wolfSSL_get_wfd - get the write side file descriptor
- wolfSSL_dtls_set_pending_peer - set the pending peer that will be upgraded to regular peer when we successfully de-protect a DTLS record
- wolfSSL_dtls_get0_peer - zero copy access to the peer address
- wolfSSL_is_stateful - boolean to check if we have entered stateful processing
- wolfSSL_dtls_cid_get0_rx - zero copy access to the rx cid
- wolfSSL_dtls_cid_get0_tx - zero copy access to the tx cid
- wolfSSL_dtls_cid_parse - extract cid from a datagram/message
* change default WOLFSSL_REPO to the canonical upstream.
* refactor tag calculation without bash associative arrays, for backward compat.
* add support for fetching FIPS tags/branches into a persistent fips repo if one is found at ../fips.
* use --shared in git clones where applicable.
* always check out the master FIPS branch, for its tooling, and always make sure it's up to date with $FIPS_REPO.
* after each fetch for a previously unknown tag, explicitly associate the tag with the FETCH_HEAD.
* activate WOLFSSL_NO_OPTIONS_H in linuxkm/Kbuild for in-module test.o and benchmark.o.
* refine explanatory comments in settings.h re WOLFSSL_USE_OPTIONS_H, WOLFSSL_NO_OPTIONS_H, and WOLFSSL_CUSTOM_CONFIG.
* add safety catch to options.h/options.h.in to inhibit inclusion if defined(WOLFSSL_NO_OPTIONS_H).
* for good measure, add explicit check for WOLFSSL_NO_OPTIONS_H to wolfcrypt/benchmark/benchmark.c and wolfcrypt/test/test.c.
* Fix to properly set configure.ac LMS/XMSS enables and build of those code files.
* Remove duplicate aes.c `wc_AesSetKeyLocal` call to `wc_AesSetIV`. Moved earlier in function in commit a10260ca5f.
* Benchmark missing time.h with NO_ASN_TIME.
* Added option to support disabling AES CFB 1/8 `WOLFSSL_NO_AES_CFB_1_8`.
* Fixes for building with combinations of `WOLFSSL_RSA_VERIFY_ONLY` and `WOLFSSL_RSA_PUBLIC_ONLY`.
* Fix for building `--enable-stacksize=verbose` with single threaded.
* Various tab and formatting cleanups.
ZD 18996
The Ada wrapper had an `&` operator for the verification mode. This
effectively caused the verification mode to equal `0`.
The operator has been switched to `or` now, in addition, a getter has
been added to the API. This allows for the test I've added to the server
code to verify that it is being set correctly.
`OPENSSL_ALL` flag added to Ada so that the verify mode getter function
is compiled in.
Fixes#7461
Thanks to @dalybrown for reporting it.
This adds STM32 HAL support for:
* SHA384
* SHA512 (with -224 and -256)
* SHA3 (all variants apart from SHAKE)
The partial FIFO block calculations have been adjusted based in the
STM32 code to support the larger hash sizes.
This should work with other chips such as the STM32U5xx, but is not
enabled for that yet.
This adds support for the STM32MP13 HAL, tested on the STM32MP135F MPU.
Using the HAL this modifies our previous RNG, AES-CBC, AES-GCM, HASH,
ECDSA and DES3 ST HAL acceleration to work with the MPU. It also works
around bugs found in the AES-GCM code of the HAL.
The HAL does not appear to have support for MD5 HASH at the moment, so
this has been given a flag to disable it on this MPU.
configure.ac: add OPENSSL_EXTRA to --enable-wolfsentry.
linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, wolfssl/ssl.h: accommodate backward dependencies for wolfSSL_X509_NAME_add_entry_by_NID, wolfSSL_X509_NAME_free, and wolfSSL_X509_NAME_new_ex.
linuxkm/lkcapi_glue.c: if CONFIG_CRYPTO_MANAGER, assert match of CONFIG_CRYPTO_FIPS and HAVE_FIPS.
src/ssl_crypto.c, wolfcrypt/src/wc_lms.c, wolfcrypt/src/wc_lms_impl.c, wolfcrypt/src/wc_xmss.c, wolfcrypt/test/test.c: add missing casts for XMALLOC()s.
src/ssl_crypto.c: in wolfSSL_AES_decrypt(), fix gate for wc_AesDecryptDirect() return type.
wolfcrypt/test/test.c: smallstack refactor in test_dilithium_decode_level().
tests/api.c: fix uninited vars and "embedding a directive within macro arguments is not portable" in test_wc_dilithium_der().
```
Start wolf tsip crypt Test
simple crypt test by using TSIP
sha_test() passed
sha256_test() passed
tsip_aes_cbc_test() passed
tsip_aes256_test() passed
tsip_rsa_test(2048) passed
tsip_rsa_SignVerify_test(2048) passed
End wolf tsip crypt Test
```
* Fix for `TlsSessionCacheGetAndLock` that was not checking the sessionIDSz, so could return a pointer to an invalid session (if 0's). Resolves issue with `test_wolfSSL_CTX_sess_set_remove_cb` test.
* Fix cast warning with `HAVE_EX_DATA` in Windows VS.
* Fix openssl_extra without PKCS12.
* Refactor the EX data crypto and session API's to gate on `HAVE_EX_DATA_CRYPTO`.
* Grouped the EX data API's in ssl.h
* Moved API's in ssl.h to separate the compatibility ones from ours.
Cryptodev has two sections for the session info struct, cipher and hash.
Our debug mode was using hash for the output even if we were using
cipher, so would output random data. Simple 'if' statement to do the
correct thing.
src/wolfio.c: #include <errno.h> if necessary;
wolfcrypt/src/asn.c: gate WOLFSSL_MSG_EX() uses on defined(DEBUG_WOLFSSL), for pedantic C89 compatibility (no variadic macros);
wolfssl/wolfcrypt/wc_port.h: refine setup for XFENCE().
return error code from wolfSSL_RefWithMutexUnlock() to expose result to caller;
fix endianness bug in src/x509.c:wolfSSL_X509_add_ext() (fixes failing test_wolfSSL_X509_add_ext on BE targets);
fix possible file handle leak in tests/api.c:test_wolfSSL_d2i_X509_REQ() (reported by clang-tidy);
in wolfssl/ssl.h, define CONST_NUM_ERR_WOLFSSL_SUCCESS, so that WOLFSSL_SUCCESS can be benignly miswrapped in WC_NO_ERR_TRACE().
in in wc_port.c, rename mutexful implementations of wolfSSL_Ref*() to wolfSSL_RefWithMutex*(), and build them even if defined(WOLFSSL_ATOMIC_OPS).
refactor wolfSSL_CTX_UnloadIntermediateCerts() to wrap the refcount check and deallocation with wolfSSL_RefWithMutexLock()...wolfSSL_RefWithMutexUnlock().
move port-specific setup for WARN_UNUSED_RESULT, WC_MAYBE_UNUSED, and WC_INLINE, from types.h to wc_port.h, to make them usable by port-specific definitions later in wc_port.h.
when defined(SINGLE_THREADED) and !defined(WOLFSSL_NO_ATOMICS), typedef int wolfSSL_Atomic_Int, so that access to wolfSSL_Atomic_Ints in SINGLE_THREADED builds is easy.
refactor fallback definitions of wolfSSL_Atomic_Int_FetchAdd and wolfSSL_Atomic_Int_FetchSub as WC_INLINE functions to avoid -Wunused-result.
In file included from ./wolfssl/error-ssl.h:27,
from ./wolfssl/ssl.h:35,
from ./wolfssl/internal.h:28,
from src/ssl.c:36:
./src/x509_str.c: In function 'int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE*, byte*, word32, int)':
./wolfssl/wolfcrypt/error-crypt.h:336:37: error: 'CONST_NUM_ERR_WOLFSSL_SUCCESS' was not declared in this scope; did you mean 'CONST_NUM_ERR_WOLFSSL_UNKNOWN'?
336 | #define WC_NO_ERR_TRACE(label) (CONST_NUM_ERR_ ## label)
| ^~~~~~~~~~~~~~
./src/x509_str.c:1456:15: note: in expansion of macro 'WC_NO_ERR_TRACE'
1456 | int ret = WC_NO_ERR_TRACE(WOLFSSL_SUCCESS);
| ^~~~~~~~~~~~~~~
Remote original-only option for kyber in configure.ac.
Default is ML-KEM only.
original is Kyber only.
ml-lem is ML-KEM.
to have both: all,original,ml-kem.
Use WOLFSSL_NO_ML_KEM* instead of WOLFSSL_WC_ML_KEM_* which requires the
inclusion of kyber headers.
* add WOLFSSL_ATOMIC_INITIALIZER() to wc_port.h;
* rename feature macro to WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS for clarity;
* remove spin lock logic in wolfSSL_Init() and instead return DEADLOCK_AVERTED_E on contended initialization;
* unless WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS is user-defined to 0, automatically enable it when appropriate.
.github/workflows/codespell.yml: remove */README_jp.txt from "skip" list.
IDE/Renesas/cs+/Projects/t4_demo/README_jp.txt: convert from SHIFT_JIS to UTF-8.
cmake/options.h.in: use "#cmakedefine HAVE_PTHREAD 1" to avoid conflict with config.h.
configure.ac: add --enable-c89, and remove !ENABLED_OPENSSLEXTRA dependency from AM_CONDITIONAL([BUILD_CRYPTONLY],...).
wolfcrypt/src/asn.c: refactor SetOthername() for efficiency, and add PRAGMA_GCC to suppress false positive -Wstringop-overflow associated with -fstack-protector.
wolfssl/wolfcrypt/rsa.h: add WC_ prefixes to RSA_PKCS1_PADDING_SIZE and RSA_PKCS1_OAEP_PADDING_SIZE, and define unprefixed compat aliases only if !OPENSSL_COEXIST.
wolfssl/wolfcrypt/types.h:
#ifdef WOLF_C89, #define WC_BITFIELD unsigned;
enhance WOLF_ENUM_DUMMY_LAST_ELEMENT() to include the line number, to construct unique labels given a per-filename argument, to accommodate anonymous enums.
examples/asn1/asn1.c:
examples/client/client.c:
examples/pem/pem.c:
examples/server/server.c:
wolfcrypt/src/sp_dsp32.c:
wolfcrypt/src/wc_port.c:
wolfssl/test.h:
use XMALLOC/XREALLOC/XFREE consistently, not malloc/realloc/free.
wolfcrypt/benchmark/benchmark.c:
wolfcrypt/src/memory.c:
wolfcrypt/test/test.c:
wolfssl/wolfcrypt/mem_track.h:
wolfssl/wolfcrypt/settings.h:
wolfssl/wolfcrypt/types.h:
annotate intentional native heap access with "/* native heap */".
wolfcrypt/src/asn.c:
wolfssl/callbacks.h:
wolfssl/openssl/ec.h:
wolfssl/openssl/ssl.h:
wolfssl/wolfcrypt/hpke.h:
wolfssl/wolfcrypt/types.h:
fix enum trailing commas.
wolfssl/openssl/ec.h:
wolfssl/openssl/evp.h:
wolfssl/openssl/rsa.h:
wolfssl/openssl/ssl.h:
use WC_BITFIELD in bitfield elements, not byte or word16, to allow for pedantic C89 conformant builds.
wolfssl/openssl/ec.h:
wolfssl/openssl/evp.h:
wolfssl/openssl/pem.h:
wolfssl/openssl/ssl.h:
wolfssl/wolfcrypt/logging.h:
avoid variadic macros wherever possible, and where unavoidable, #ifdef WOLF_NO_VARIADIC_MACROS, define them with empty arg lists, rather than ..., to support Watcom compiler.
wolfssl/wolfcrypt/settings.h: if defined(__WATCOMC__), define WOLF_NO_VARIADIC_MACROS.
All required dependencies of a package must also be found in the
package configuration file. Consumers of wolfSSL can't know
if it was built with or without threads support. This change
adds find_package(Threads) lookup in the file used for
find_package(wolfssl) if wolfSSL was built with threads support.
This adds improved support for the Raspberry Pi Pico range of
microcontrollers.
Benchmark now compiles, and added support for the RNG functions of the
Pico SDK. This gives a ~2x RNG performance improvement on the RP2040 and
over 3x improvement on the RP2350.
The accelerated SHA256 in the RP2350 unfortunately cannot be used with
wolfSSL.
Make Kyber and ML-KEM individually available as well as at the same
time.
Modified TLS layer to support both Kyber and ML-KEM.
Added new identifiers in TLS layer for ML-KEM.
rename WOLFSSL_MAX_RSA_BITS to WC_MAX_RSA_BITS, and move its setup from wolfssl/internal.h to wolfssl/wolfcrypt/asn.h, preceding setup for WC_MAX_CERT_VERIFY_SZ.
configure.ac: restore opensslextra-linuxkm assertion, with a twist: "--enable-opensslextra with --enable-linuxkm-pie and without --enable-cryptonly is incompatible with --enable-linuxkm."
wolfcrypt/src/asn.c: fix trailing comma in enum.
wolfcrypt/src/port/arm/armv8-aes.c: fix wc_AesCcmEncrypt() and wc_AesCcmDecrypt() for test_wolfssl_EVP_aes_ccm_zeroLen().
add config-time assert for "dual-alg-certs is incompatible with --enable-cryptonly.";
remove obsolete config-time check for "--enable-opensslextra without --enable-cryptonly is incompatible with --enable-linuxkm.";
linuxkm/linuxkm_wc_port.h: add fallback definitions for INT32_MAX and UINT32_MAX;
linuxkm/module_exports.c.template: add wolfssl/openssl/fips_rand.h;
wolfssl/wolfcrypt/settings.h: add #undef HAVE_ATEXIT to WOLFSSL_LINUXKM settings;
wolfssl/wolfcrypt/types.h: fix trailing comma in the DYNAMIC_TYPE_* enum.
configure.ac:
* add --enable-all-osp to separate OSP meta-feature sets from --enable-all, allowing --enable-all --disable-all-osp --disable-opensslall (e.g. for testing OPENSSL_COEXIST).
* fix enable_all_crypto=yes in enable-all to be conditional on "$enable_all_crypto" = "".
* move enable_rsapss=yes from enable-all to enable-all-crypto.
examples/ and testsuite/: #undef OPENSSL_COEXIST unconditionally rather than only if defined(OPENSSL_EXTRA), to capture -DOPENSSL_EXTRA_X509_SMALL or any other such variants.
No functional changes.
Several compat symbols that were formerly enums are now macros.
All library source is refactored to use only native symbols in all code gated in with --enable-all-crypto --enable-opensslextra.
wolfcrypt/test/test.c is similarly refactored to use only native symbols.
examples/ and tests/ are unmodified except for header setup to disable OPENSSL_COEXIST and TEST_OPENSSL_COEXIST.
```
[CC-AARCH64] lib/wolfssl/wolfcrypt/src/port/arm/armv8-sha3-asm_c.o
lib/wolfssl/wolfcrypt/src/port/arm/armv8-sha3-asm_c.c:212:6: error: conflicting types for 'BlockSha3'; have 'void(long unsigned int *)'
212 | void BlockSha3(unsigned long* state)
| ^~~~~~~~~
In file included from lib/wolfssl/wolfcrypt/src/port/arm/armv8-sha3-asm_c.c:35:
lib/wolfssl/wolfssl/wolfcrypt/sha3.h:224:20: note: previous declaration of 'BlockSha3' with type 'void(word64 *)' {aka 'void(long long unsigned int *)'}
224 | WOLFSSL_LOCAL void BlockSha3(word64 *s);
| ^~~~~~~~~
```
Detect reading of packet errors
--enable-all and --enable-sniffer exposed this issue
Don't need variable
Rework argument parsing
Need a way to allow arguments to be supplied more granularly. Partucilarly, I needed a "-tracefile" argument without requiring the use of a PCAP file
Fix error prints to STDERR
Fix setting of port filtering
Fix 80 char limit
Not actually a bad packet when there are no more packets
Fix strcat size
Allow the sniffer to print the trace to STDOUT
Fix indexing
Take out superfluous error which is handled later
Set default port to 11111
Single return point
Combine chain to one contiguous memory block
Fix return
Add in error handling for XMALLOC
Add in debugging output when --enable-debug
It makes no sense to allocate a ton of small buffers to process chains
Ultimately, the code is slower because of the several small memcpy instead of a single large contiguous memcpy
Pass in a device name
Fix unused variable
Fix cast
Addressing PR comments
Add new flags to --help
* Consolidate the USE_WINDOWS_API to a single place.
* Expand the `WOLFSSL_NOT_WINDOWS_API` improvement for intrinsics and word sizes.
* Fix for macro variadic `...` when no variables are used (some compilers like Watcom C have issue with this).
* Fix for Watcom C compiler "long long" -> "__int64".
* Fix a couple of minor cast warnings reported from VS.
wolfcrypt/src/port/arm/armv8-aes.c: in the WOLFSSL_ARMASM_NO_HW_CRYPTO version of wc_AesSetKey(), copy the supplied userKey to a properly aligned buffer if necessary before calling AES_set_encrypt_key();
src/dtls13.c: in Dtls13GetRnMask(), if defined(WOLFSSL_LINUXKM)), return retval of wc_AesEncryptDirect();
wolfcrypt/src/misc.c: add readUnalignedWord32(), writeUnalignedWord32(), readUnalignedWords32(), and writeUnalignedWords32();
wolfcrypt/src/siphash.c: use readUnalignedWord64(), readUnalignedWord32(), and writeUnalignedWord64(), to avoid unaligned access faults, and fix cast in byte-reversing version of GET_U32().
- wolfSSL_EVP_PKEY_set1_DH: If both private and public present, output private key
- ToTraditionalInline_ex2: Add DH checking
- wc_ecc_get_curve_id: check index is not negative
- Fix i2d_PKCS8_PRIV_KEY_INFO to actually output pkcs8 instead of just der
- wolfSSL_EVP_PKEY2PKCS8: Create duplicate to avoid double free
- wolfSSL_DH_generate_key: Fix case where not enough buffer was allocated for 128 bit case
- pkcs8_encode: Add DSA and DH support
- wolfSSL_d2i_PKCS8_PKEY: Correctly advance buffer
- RSA_LOW_MEM: export all integers in compat layer
- Add softhsm action
- Define
- OPENSSL_DH_MAX_MODULUS_BITS
- OPENSSL_DSA_MAX_MODULUS_BITS
- OPENSSL_RSA_MAX_MODULUS_BITS
- Implement
- BN_mul_word
- i2d_ECPKParameters
- PEM_write_bio_PKCS8_PRIV_KEY_INFO
- PEM_read_bio_PKCS8_PRIV_KEY_INFO
- i2d_PKCS8_PRIV_KEY_INFO
- RSA_padding_add_PKCS1_PSS_mgf1
- RSA_verify_PKCS1_PSS_mgf1
wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs: update for new calling conventions around wc_AesNew, wc_curve25519_new, wc_ed25519_new, wc_HashNew, and wc_NewRsaKey, and the corresponding delete functions.
wolfssl/wolfcrypt/aes.h: add Aes.streamData_sz;
src/tls13.c: fix devId passed to wc_HmacInit() in CreateCookieExt() and TlsCheckCookie();
src/keys.c: in SetKeys(), call wc_HmacInit() on hmacs only if newly allocated;
wolfcrypt/src/aes.c:
* in wc_Gmac(), wc_GmacVerify(), and AesSivCipher(), use wc_AesNew() and wc_AesDelete();
* in wc_AesInit(), zero the object on entry, and remove superseded piecemeal initializations to zero;
* in wc_AesFree(), zero aes->streamData, and zero the entire object as final cleanup;
wolfcrypt/src/curve25519.c: in wc_curve25519_free(), zero the entire object rather than zeroing piecemeal;
wolfcrypt/test/test.c:
* add fallback implementations (for old FIPS) of wc_HashNew(), wc_HashDelete(), wc_curve25519_new(), wc_curve25519_delete(), wc_ed25519_new(), and wc_ed25519_delete();
* update constructor calls throughout for new semantics;
* refactor ed25519_test() for proper cleanup and error encoding.
add delete APIs, matching recently added wc_AesNew, wc_curve25519_new, wc_ed25519_new, wc_HashNew, and wc_NewRsaKey:
* wc_AesDelete()
* wc_HashDelete()
* wc_DeleteRsaKey()
* wc_curve25519_delete()
* wc_ed25519_delete()
* remove handling in corresponding preexisting free APIs for recently added .isAllocated member -- this restores preexisting semantics;
* add WC_NO_CONSTRUCTORS gate, and auto-activate it when NO_WOLFSSL_MEMORY && WOLFSSL_NO_MALLOC (unless preempted by XMALLOC_USER or XMALLOC_OVERRIDE);
* exclude recently added .isAllocated members from wolfcrypt structs when defined(WC_NO_CONSTRUCTORS);
* adjust wolfcrypt/test/test.c for consistency with the above, and fix cleanup codes/dynamics in several tests.
Dtls13HashClientHello(): fix wc_HashType handling;
Dtls13SendFragment(): fix identicalConditionAfterEarlyExit;
GetDtlsRecordHeader(): fix error handling around GetDtls13RecordHeader() (incorrectLogicOperator);
test_wolfSSL_dtls_stateless_maxfrag(): fix a clang-analyzer-core.NullDereference,
test_dtls_frag_ch(): fix a clang-diagnostic-embedded-directive,
test_AEAD_limit_client(): fix an united-data defect found by valgrind.
Scripts changed to make generated code not go over 80 characters per
line but SP not updated.
Fix input register formatting in all ARM32 C assembly code.
fix numerous trailing commas in enums, mostly by removing them, but one (in asn.h, enum Extensions_Sum) using WOLF_ENUM_DUMMY_LAST_ELEMENT();
rearrange bitfields in struct ed25519_key for contiguity;
always define WOLFSSL_SP_NO_DYN_STACK when defined(WOLF_C89).
wolfcrypt/src/dh.c: in wc_DhGenerateParams(), use named constant for buf size, and only XFREE it if !WOLFSSL_NO_MALLOC;
wolfcrypt/src/ecc.c and wolfssl/wolfcrypt/ecc.h: in wc_ecc_new_point_ex(), remove !WOLFSSL_NO_MALLOC gate around XMALLOC(), and if XMALLOC()ed, set ecc_point.isAllocated, then in wc_ecc_del_point_ex, XFREE() iff ecc_point.isAllocated;
wolfcrypt/src/pkcs7.c: in wc_PKCS7_RsaVerify(), when WOLFSSL_NO_MALLOC, jumbo-size the digest buffer to cope with in-place dynamics in RsaUnPad();
wolfcrypt/test/test.c: add !WOLFSSL_NO_MALLOC gates around various XFREE()s of objects that are on the stack in WOLFSSL_NO_MALLOC builds;
wolfssl/wolfcrypt/types.h: add an unconditional include of memory.h (itself guarded against multiple inclusion) to assure availability of WC_DEBUG_CIPHER_LIFECYCLE prototypes/macros.
wolfcrypt/src//asn.c: add stack buffer codepaths in ParseKeyUsageStr(), SetKeyIdFromPublicKey(), and EncodePolicyOID;
wolfcrypt/src/dh.c: add stack buffer codepath in wc_DhGenerateParams();
wolfcrypt/src/ecc.c: add always-fail codepath to find_hole() to preempt heap allocation attempts;
wolfcrypt/test/test.c: gate out several heap-dependent subtests when defined(WOLFSSL_NO_MALLOC), and add a stack buffer codepath in ed448_test();
wolfssl/wolfcrypt/types.h: harmonize macro definitions of XFREE() to use do { ... } while (0) wrappers to assure syntactic indivisibility.
Fix unit tests to not compile when NO_RSA is defined and RSA used.
test_wc_PKCS7_EncodeSignedData: only RSA supported with streaming.
test_wolfSSL_RSA when SP math and SP: CRT parameters required.
test_wolfSSL_OCSP_REQ_CTX to compile with NO_ASN_TIME.
test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS: make sure all objects freed even
on memory allocation failure.
test_wolfSSL_error_cb: don't use bio if is NULL.
test_wolfSSL_BN_enc_dec: don't free a twice on memory allocation error.
test_wc_dilithium_der: remove debug printing
test_othername_and_SID_ext: make sid_oid NULL after free to ensure no
double free on later memory allocation failure.
test_wolfSSL_RSA: don't leak when BN_dup fails.
test_wolfSSL_i2d_ASN1_TYPE: free ASN1 string whn no ASN1 type to put it
into.
test_tls13_rpk_handshake: don't leak on failure
test_dtls_client_hello_timeout_downgrade: only move memory when test is
wolfSSL_certs_clear, wolfSSL_set_SSL_CTX, SetSSL_CTX: Check return from
AllocCopyDer.
d2i_generic: make sure impBuf is only freed once.
wolfSSL_BIO_write: don't dereference front unless it is not NULL.
wolfssl_dns_entry_othername_to_gn: don't free obj twice
wolfSSL_X509_REQ_add1_attr_by_NID: don't access reqAttributes if NULL.
succeeding.
* Adds RNG, ECC(ECIES and ECDHE), RSA, ED25519/Curve25519, AES-GCM, and Hashing to the CSharp wrapper.
* Adds GitHub action for building the CSharp wrapper solution and running wolfCrypt test and a TLS server/client example.
* Adds "new" API's for wolfCrypt for platforms that cannot tolerate the structs directly.
* Fixes for several scan-build warnings.
wolfssl/internal.h: refactor WOLFSSL_ASSERT_EQ() and WOLFSSL_ASSERT_SIZEOF_GE() to use wc_static_assert(), and drop unused WOLFSSL_ASSERT_TEST() and WOLFSSL_ASSERT_SIZEOF_TEST().
src/ssl_crypto.c and wolfcrypt/src/evp.c: refactor ad hoc asserts in wolfSSL_DES_ecb_encrypt(), wolfSSL_CRYPTO_cts128_decrypt(), and wolfSSL_EVP_DigestInit(), to use wc_static_assert().
Improved performance by reworking kyber_ntt, kyber_invtt,
kyber_basemul_mont, kyber_basemul_mont_add, kyber_rej_uniform_c to be
in assembly.
Replace WOLFSSL_SP_NO_UMAAL with WOLFSSL_ARM_ARCH_7M
The instruction 'li' is a pseduo instruction for 'load immediate'.
With some compilers, the immediate was interpretted R0[0].
Change to use XOR instead.
Make draft version of ML-DSA compiled in with final.
Use WC_ML_DSA_44_DRAFT, WC_ML_DSA_65_DRAFT and WC_ML_DSA_87_DRAFT for
the level to get the draft implementation.
configure.ac and src/include.am: add ENABLED_ARM_THUMB, BUILD_ARM_THUMB, BUILD_ARM_NONTHUMB, ENABLED_ARM_64, BUILD_ARM_64, ENABLED_ARM_32. and BUILD_ARM_32, and use them to gate building of ARM asm files, to fix "ISO C forbids an empty translation unit" warnings (the warning only affects inline asm files, but the gating is deployed more widely).
examples/pem/pem.c: fix stdio stream leaks.
src/ssl.c and src/ssl_load.c: suppress concurrency-mt-unsafe around getenv(). getenv() is threadsafe as long as no threads putenv() or setenv().
wolfssl/openssl/asn1.h: add parentheses to fix bugprone-macro-parentheses in ASN1_EX_TEMPLATE_TYPE(), and suppress misfiring bugprone-macro-parentheses around IMPLEMENT_ASN1_FUNCTIONS().
wolfcrypt/src/aes.c:
* when SAVE_VECTOR_REGISTERS2_DOES_NOTHING, define do-nothing VECTOR_REGISTERS_PUSH and VECTOR_REGISTERS_POP, to mollify Coverity CONSTANT_EXPRESSION_RESULT;
* in AesGcmDecryptUpdate_aesni(), omit " && (c != NULL)" clause from computation of endA argument to AesGcmAadUpdate_aesni(), to mollify Coverity FORWARD_NULL (impermissible nullness is already checked and BAD_FUNC_ARGed by the sole caller, wc_AesGcmDecryptUpdate());
wolfcrypt/src/misc.c: add readUnalignedWord64(), writeUnalignedWord64(), readUnalignedWords64(), and writeUnalignedWords64(), for safe word64 access to possibly-unaligned data;
wolfcrypt/src/wc_kyber_poly.c: use readUnalignedWords64() and readUnalignedWord64() to mitigate sanitizer-reported "load of misaligned address".
wolfcrypt/src/wc_kyber_poly.c: add SAVE_VECTOR_REGISTERS2()...RESTORE_VECTOR_REGISTERS() wrappers for AVX2 implementations.
src/bio.c and src/ssl.c: add several missing WC_NO_ERR_TRACE()s, and tweak several returns to generate error traces.
The ECC key generation test was failing due not using large enough of a
buffer. Fixed to use a better size.
1. Set the shared digest/sig buffer size in
_ecc_pairwise_consistency_test() to the maximum possible based on the
math in wc_ecc_sig_sz().
configure.ac:
* fix logic in "Forcing off" test expressions, first flubbed in 19106a9510;
* fix auto-enable of compkey to exclude v5 even if v5-dev.
src/tls13.c: fix gating for HKDF _ex() variants (>=6.0, not >=5.3).
wolfcrypt/src/error.c: snip out stray spaces at start of several ECC error message strings.
wolfcrypt/test/test.c:
* in render_error_message(), use wolfSSL_ERR_reason_error_string() if available rather than wc_GetErrorString(), to render non-wolfcrypt error strings;
* in ecc_test_deterministic_k(), ecc384_test_deterministic_k(), ecc521_test_deterministic_k(), on FIPS <6.0, gate out SHA384 and SHA512 tests (FIPS v5 only supports SHA256 in wc_ecc_gen_deterministic_k());
* in cmac_test(), gate use of wc_AesCmacGenerate_ex() and wc_AesCmacVerify_ex() on >=6.0, not >=5.3.
wolfssl/internal.h: add DTLS13_HANDSHAKE_HEADER_SZ;
src/tls13.c: in EchHashHelloInner(), use falseHeader[DTLS13_HANDSHAKE_HEADER_SZ] to fix buffer overrun;
src/dtls13.c: add static assert for DTLS13_HANDSHAKE_HEADER_SZ.
1. Update the ECC PCT to use the key's heap to allocate any buffers for
the test. This is similar to how RSA does it.
2. Put the buffers on the stack if not using small stack option.
wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_API attribute to wolfSSL_Atomic_Int_Init, wolfSSL_Atomic_Int_FetchAdd, and wolfSSL_Atomic_Int_FetchAdd, and add fallback definitions for them, allowing elimination of SINGLE_THREADED implementations of wolfSSL_Ref*(), and allowing ungated use of wolfSSL_Atomic_* calls in api.c.
wolfcrypt/src/dh.c: in wc_DhAgree_ct(), remove frivolous XMEMSET() and stray semicolon.
wolfcrypt/benchmark/benchmark.c: fix bench_rsaKeyGen() to skip tests of key sizes below RSA_MIN_SIZE, and add 4096 bit benchmark if RSA_MAX_SIZE is big enough.
tests/unit.h:
* adopt definitions of TEST_FAIL, TEST_SUCCESS, and TEST_SKIPPED from unit.c, remap TEST_SKIPPED from -7777 to 3, and add TEST_SUCCESS_NO_MSGS, TEST_SKIPPED_NO_MSGS, EXPECT_DECLS_NO_MSGS(), and EXPECT_FAILURE_CODEPOINT_ID, to support existing and future expected-particular-failure test cases without log noise.
* rename outer gate from CyaSSL_UNIT_H to TESTS_UNIT_H.
tests/api.c:
* use EXPECT_DECLS_NO_MSGS() in test_ssl_memio_setup(), test_ssl_memio_read_write(), and test_wolfSSL_client_server_nofail_memio(), and globally update affected expected error codes to correspond.
* use atomics for {client,server}SessRemCount{Malloc,free} to fix races in SessRemCtxCb() and SessRemSslSetupCb().
The function _fp_exptmod_nct() is using WOLFSSL_NO_MALLOC to guard
using stack allocation vs malloc. It's twin function _fp_exptmod_ct()
is using WOLFSSL_SMALL_STACK for this. This is causing inappropriate use
of malloc() in a small stack environment. The no-malloc case will also
be kept so static memory and no-malloc fix still works.
1. Change the guards for `#ifndef WOLFSSL_NO_MALLOC` in the function
`_fp_exptmod_nct()` to `#if defined(WOLFSSL_SMALL_STACK) &&
!defined(WOLFSSL_NO_MALLOC)`.
* set DEFAULT_ENABLED_ALL_ASM=no if enable_afalg or ENABLED_32BIT;
* omit enable_srtp_kdf from enable-all-crypto if enable_afalg.
linuxkm: add GetCAByAKID to wolfssl_linuxkm_pie_redirect_table.
src/x509.c: in GenerateDNSEntryIPString(), use XMEMSET() to initialize tmpName, not = {0}, to avoid unmaskable compiler emission of memset() call.
wolfssl/openssl/ssl.h: add OPENSSL_EXTRA to an existing OPENSSL_ALL-gated section, consistent with gating of correspinding section in wolfssl/ssl.h.
wolfssl/wolfcrypt/settings.h: adopt setup for WOLFSSL_SP_NO_UMAAL from wolfssl/wolfcrypt/sp_int.h now that it's used by wolfcrypt/src/port/arm/thumb2-poly1305-asm.S.
* move leanpsk and asn option processing early to make their results available to existing math back end selector logic;
* add -DWOLFSSL_ASN_ALL to enable-all-crypto;
* tweak asn option processing to preserve "original" value in case later configure logic wants to pivot on that.
* in handling for enable-all-asm, add check for full Gnu C and don't auto-enable all-asm unless full Gnu C and enable-all-crypto, among other sanity checks.
* in enable-all and enable-all-crypto, correctly conditionalize several FIPS-v6-only features/algorithms.
* in FIPS v5 setup, force off SRTP and SRTP-KDF (with warnings).
* Proposed new interface for AesSivEncrypt with number of ADs != 1.
* Implement AES SIV S2V computation with a number of ADs not equal to 1.
* Add Example A.1 from RFC5297 to AES SIV test vectors.
* Add tests for new AES SIV interface, and add test vectors for examples given in RFC5297.
* Include the nonce in count of maximum number of ADs.
* Addressing review comments.
* Addressing review comments: Use uppercase 'U' suffix on unsigned constant.
* Rename local variables named 'ad0' to 'ad', since the zero makes no sense, especially since in the RFC 5297 document they're actually counting the ADs from 1.
* adds wc_DhAgree_ct().
* adds wolfSSL_DH_compute_key_padded(), using wc_DhAgree_ct() if available, with fallback fixup code.
* adds unit test coverage in api.c:test_wolfSSL_DH() for expected-success calls to wolfSSL_DH_compute_key() and wolfSSL_DH_compute_key_padded().
* fix TLS layer to consistently use WOLFSSL_FATAL_ERROR for error retvals, rather than literal -1.
* add WC_NO_ERR_TRACE() wrapper around LENGTH_ONLY_E (it does not signify an error condition).
* refactor errcode handling for traceability in wolfSSL_DSA_do_sign(), wolfSSL_DH_size(), wolfSSL_EC_KEY_get_conv_form(), wolfSSL_d2i_DSA_SIG(), wolfSSL_DSA_do_sign(), SetDhInternal(), and wolfSSL_EC_KEY_get_conv_form().
try to lookup the certificate using the key hash as key identifier
first. If we can't find a certificate, it means that the certificate
uses another method to compute the key identifier so we need to fallback
to linear search.
kdf.c: wc_PRF() - No need for previous, reuse current.
sha256.c: Transform_Sha256() - Add slow but small version for many
register implementation.
sp_int.h: Change 'used' and 'size' fields to 16-bit types when possible.
sp_int.c: Fixes for 16-bit used.
- RsaFunctionPrivate: detect when only n,e,d are available
- wolfSSL_EVP_add_digest: return success
- wolfSSL_EVP_add_cipher: return success
- wolfSSL_BN_bin2bn: accept NULL data if len is 0 (checked in mp_read_unsigned_bin)
- wolfssl_read_bio: advance correct bio
- wolfSSL_X509_set_ext: return raw extension data for BASIC_CA_OID
- Implement
- sk_X509_EXTENSION_free
- d2i_EC_PUBKEY_bio
- d2i_RSA_PUBKEY_bio
- d2i_X509_REQ_INFO
- X509_REQ_INFO_free
- ASN1_TIME_set_string_X509
- Add option to disable ECH
- InitSuites: clean up DTLS paths
- wolfSSL_parse_cipher_list: remove WOLFSSL_MAX_SUITE_SZ setting
- wolfSSL_parse_cipher_list: add rationale for keeping ciphersuites
- test_dtls_frag_ch: ECH and ciphersuites were pushing the ClientHello message over the fragmentation limit. Disabling ECH and limiting ciphersuites fixes the test.
wolfssl/ssl.h, wolfssl/error-ssl.h, wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c, and src/internal.c:
* fix values of WOLFSSL_ERROR_SSL and WOLFSSL_ERROR_WANT_X509_LOOKUP to match OpenSSL values;
* move legacy CyaSSL compat layer error codes from ssl.h to error-ssl.h and renumber them to conform to existing sequence;
* move enum IOerrors from ssl.h to error-ssl.h to get picked up by support/gen-debug-trace-error-codes.sh;
* add to enum wolfSSL_ErrorCodes negative counterparts for several positive error return constants;
* include error-ssl.h from ssl.h;
* add label (wolfCrypt_ErrorCodes) to error-crypt.h enum, and in wc_GetErrorString(), use switch ((enum wolfCrypt_ErrorCodes)error) to activate switch warnings for missing enums;
* in wolfSSL_ERR_reason_error_string(), use switch((enum wolfSSL_ErrorCodes)error) to activate switch warnings for missing enums;
* in ssl.h, add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* in error-crypt.h, add missing WOLFSSL_API attribute to wc_backtrace_render(); and
* harmonize gating of error codes, ssl.h / error-ssl.h / internal.c:wolfSSL_ERR_reason_error_string() / api.c:error_test().
tests/api.c:
* add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().
* in post_auth_version_client_cb(), add missing !NO_ERROR_STRINGS gating.
add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
tests/api.c: add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().
wolfssl/ssl.h, wolfssl/error-ssl.h, and wolfssl/wolfcrypt/error-crypt.h:
* move several negative error return codes from ssl.h to error-ssl.h,
* renumber them to conform to existing sequence, and
* include error-ssl.h from ssl.h;
* add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* add missing WOLFSSL_API attribute to wc_backtrace_render().
add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
Compile with WOLFSSL_DILITHIUM_FIPS204_DRAFT to get code that implements
the FIPS-204 August 2023 DRAFT.
Alternatively, --enable-dilithium=draft or
--enable-dilithium=fips204-draft
wolfssl/wolfcrypt/error-crypt.h: add WC_FIRST_E.
wolfcrypt/src/error.c: add MP error code strings.
wolfssl/error-ssl.h: add WOLFSSL_FIRST_E and WOLFSSL_LAST_E.
wolfcrypt/test/test.c: update error_test() for new error code layout, refactoring the "missing" check.
src/internal.c: use WC_FIRST_E and WC_LAST_E in wolfSSL_ERR_reason_error_string().
src/ssl.c: fix wolfSSL_ERR_GET_REASON() to identify in-range error codes using WC_FIRST_E, WC_LAST_E, WOLFSSL_FIRST_E, and WOLFSSL_LAST_E.
sp_int.h: provide for WOLFSSL_DEBUG_TRACE_ERROR_CODES, and refactor MP error codes as enums, for consistency with other error codes.
wolfcrypt/src/ecc.c: fix 2 identicalInnerCondition's.
* uses libbacktrace to enhance existing "ERR TRACE" messages with backtraces, rendered in same format as the sanitizers.
* adds wc_backtrace_render() and some related callbacks to wolfcrypt/src/logging.c.
* adds an overrideable WOLFSSL_DEBUG_BACKTRACE_RENDER_CLAUSE to the WC_ERR_TRACE() mechanism in wolfssl/wolfcrypt/error-crypt.h.
With --enable-dtlscid, a client sending a Client Hello to a DLTS1.2
server that supports CID, the server provides the appropriate CID and
assumes that CID has been negotiated.
However, in the case of MbedTLS, it then rejects packets that do not
match its expected CID from the client - as wolfSSL no longer sends
the CID as it is not DTLS1.2.
https://datatracker.ietf.org/doc/html/rfc9147#section-4
If a Connection ID is negotiated, then it MUST be contained in all datagrams.
This fix drops the CID if a Hello Verify Request is received, so the
second Client Hello does not include the CID.
https://datatracker.ietf.org/doc/html/rfc6347#section-4.2.1
When responding to a HelloVerifyRequest, the client MUST use the same
parameter values (version, random, session_id, cipher_suites,
compression_method) as it did in the original ClientHello.
Dropping the CID extension does not violate this.
If the server sends Server Hello, Server Key Exchange and Server Hello Done
in a single DTLS packet, but for DTLS1.2 in response to a client DTLS1.3
request, then FIRST_REPLAY state does not occur until the server re-sends
the packet. At this point wolfSSLconnect() gets used and all bursts into
life.
When processing handshakes in wolfSSL_connect_TLSv13() for case
HELLO_AGAIN_REPLY, downgrade to using wolfSSLconnect() to continue
processing the remaining handshakes in the packet.
Found when using Mbed TLS for the server.
As the WolfSSL implementation of the PQC KEM algorithm kyber also
supports the ML-KEM draft version (enabled by `WOLFSSL_ML_KEM`), we have
to update the groups code point to be compatible with other TLS
implementations (e.g. OQS provider).
Also updated the reference to the source of the values to the current
OQS Github.
Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
Something broke in the actions/download-artifact action and it is not preserving symbolic links. It didn't get a new release so my guess is that something was updated in the node environment or in npm. This is a future proof solution to preserve the fs structure between upload and download.
ASN macro simplification
merged with github CI tests failing due to unrelated upstream changes (same tests all previously succeeded on this PR, with only 25d14f1937 added in the meantime).
supplementary testing with `wolfssl-multi-test.sh ... super-quick-check` after rebase on then-current `master` 15e99c8eff.
Make sure the file `sha3_asm.S` is compiled when `WOLFSSL_INTEL_ASM` is
enabled using CMake.
Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
ChaCha20:
scalar and vector implementations
vector implementations doing 6, 4, 2, 1 block at a time.
scalar implemetations using roriw and pack
vector implementations using VROR_VI and roriw.
RISC-V SHA-256: avoid using s0 if it can be helped.
In the wc_GeneratePreTBS() method (used for WOLFSSL_DUAL_ALG_CERTS
support), there was a workaround for alt names in certificates, as the
CopyDecodedToX509() method wasn't properly copying them. As a proper
copy mechanism is implemented now, we have to remove the workaround as
it now causes a memory leak of the copied values.
Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
Resolves warning:
```
./configure CC="gcc -fsanitize=address" && make
In file included from ./wolfclu/clu_header_main.h:71:
/usr/local/include/wolfssl/test.h:1103:18: error: 'sprintf' is deprecated: This function is provided for compatibility reasons only. Due to security concerns inherent in the design of sprintf(3), it is highly recommended that you use snprintf(3) instead. [-Werror,-Wdeprecated-declarations]
strLen = sprintf(serialMsg, " %s", words[3]);
^
```
WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC added.
It allocates memory for and pre-calculates s1, s2 and t0.
This saves decoding the vectors repeatedly in each signature trial.
Added tests to cover ssl_load.c functions.
Fixes from testing.
pk.c: renamed wolfssl_dh_load_key to wolfssl_dh_load_params as it
doesn't handle keys - just parameters.
* Make sure wc_kyber implementation is compiled using CMake (also for
Zephyr)
* Fix compilation issue when Liboqs is also enabled
* Fix WOLFSSL_INTEL_ASM and WOLFSSL_ARM_ASM CMake options
Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
also, additional backward-compatibility measures around cp and clean recipe in linuxkm/Makefile.
also, in sp_int.c, tweak DECL_DYN_SP_INT_ARRAY() to use an explicit XMEMSET() to clear n[], to avoid unshimmable implicit memset() from gcc on aarch64.
wolfcrypt/src/dh.c: in GeneratePrivateDh186(), add explicit suppression of uninitvar for "cBuf" arg that isn't fully initialized.
wolfcrypt/test/test.c: in mp_test_param(), explicitly initialize "buffer" to avoid uninitvar warning.
configure.ac: in FIPS builds, don't include enable_cryptocb in --enable-all or --enable-all-crypto. (they can still be enabled explicitly in FIPS builds with --enable-cryptocb, but the combination is not currently supported.)
The required feature flag CONFIG_PTHREAD_IPC is deprecated since Zephyr
version 3.7. The new option is CONFIG_POSIX_THREADS. This change clears
the warning.
Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
* refactor WOLFSSL_BIO.num and WOLFSSL_BIO.ptr as unions, for clarity and bug resistance (no functional changes).
* in wolfSSL_BIO_free(), add WOLFSSL_BIO_DGRAM to the test for closing bio->num.fd, fixing a descriptor leak.
* use SOCKET_INVALID consistently as the invalid value for WOLFSSL_BIO.num.fd, and use SOCKET_T consistently as the internal type for file descriptors.
* move the definitions for SOCKET_T and SOCKET_INVALID from wolfio.h to the filesystem section of wc_port.h, and allow override definitions of SOCKET_T.
detected and tested with wolfssl-multi-test.sh ... pq-hybrid-all-rpk-valgrind-unittest. also tested with wolfssl-multi-test.sh ... super-quick-check.
* Fixed incorrect XFREE calls
* Use key->heap where possible
* Fixed compilation with WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM and
WC_DILITHIUM_CACHE_PUB_VECTORS
* Fixed compilation with WOLFSSL_DILITHIUM_ASSIGN_KEY (const pointers)
Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
* ecc.c: in wc_ecc_free(), fix gating around handling for key->sign_k to resolve memory leak, and in wc_ecc_gen_deterministic_k(), fix -Wconversion.
* test.c: add missing mp_free()s to ecdsa_test_deterministic_k_rs() and ecc521_test_deterministic_k().
* wc_HashType: change several occurrences of int to enum wc_HashType, including ecc_key.hashType and API wc_ecc_set_deterministic_ex(), to resolve C++ warnings.
* fixes for various C++ warnings/errors in crypto and TLS layers and test and benchmark code -- implicit casts, negative initializers for unsigned type, jumped initializers, and missing enums in switch()es.
* tweak typography;
* move wolfSSL_i2d_X509_PUBKEY() from ssl.c to x509.c;
* in asn.h, add !NO_ASN_OLD_TYPE_NAMES macros to remap old names (ISSUER, SUBJECT, BEFORE, AFTER) by default unless the macros are already defined.
refactor housekeeping for bio->bytes_read and bio->bytes_write, and add WOLFSSL_BIO_HAVE_FLOW_STATS gate;
add WOLFSSL_BIO_FLAG_RETRY housekeeping for WOLFSSL_BIO_SOCKET and WOLFSSL_BIO_DGRAM;
refactor WOLFSSL_BIO.peer_addr to be inline rather than a pointer;
add wolfSSL_set_mtu_compat() and wolfSSL_CTX_load_verify_locations_compat() implementations;
enable WOLFSSL_HAVE_BIO_ADDR and WOLFSSL_DTLS_MTU when OPENSSL_ALL.
This will allow the user to pass in a context pointer. Allows them to avoid
global variables.
We also add unknown extensions callback when processing a CA in cert manager
as CA certs can have unknown extensions as well.
Fixes ZD 18252
pk.c:
EncryptDerKey - setting wrong ret value on allocation failure.
wolfssl_rsa_generate_key_native - now checks e is a valid long
before passing in.
Fix formatting.
ssl_load.c:
ProcessBufferPrivPkcs8Dec - now checking password is not NULL
before zeroizing. Allocation may fail and ForceZero doesn't check for
NULL.
Fix formatting.
tests/api.c:
test_RsaSigFailure_cm - Check cert_sz is greater than zero
before use.
send_new_session_ticket - assert that building the message
doesn't return error or 0.
test_ticket_nonce_malloc - fix setting of medium and big to use
preprocessor. Fix big to be medium + 20.
asn.c:
GetLength_ex - Fix type of bytes so that it can go negative.
sp_int.h:
sp_clamp - add one to ii while it is a signed.
Fix formatting.
Added implementation of signing that allocates less memory by doing the
matrix/vector loops in the sign code - WOLFSSL_DILITHIUM_SIGN_SMALL_MEM.
Split out vector operations into vector and polynomial operations so
that small mem signing can call them.
Fix benchmark to be able to compile with only Dilithium and no
asymmetric algorithms.
Add option to use AES-CBC with HMAC for default session ticket enc/dec.
Defaults to AES-128-CBC with HMAC-SHA256.
Options include:
WOLFSSL_TICKET_ENC_HMAC_SHA512 for HMAC-SHA512
WOLFSSL_TICKET_ENC_HMAC_SHA384 for HMAC-SHA384
WOLFSSL_TICKET_ENC_AES256_CBC for AES-256-CBC
Disable ECC but have OPENSSL_EXTRA and curve25519 - fix #ifdef
protection in ssl.c.
tests/api.c:
SSL_SESSION_get_max_fragment_length is not available when no session
cache.
ASN1 APIs using generalized time disabled when NO_ASN_TIME defined so
disable tests.
LDRD/STRD not available with ARMv6 and the alternative is two ldr/str
operations. Pointer was 64-bits causing second ldr/str to be 8 bytes
passed first and not 4 bytes. Fixed in asm to add 4 rather than index.
TLS uses DER API now and needs to be protected with the right #ifdefs.
Do the right check of size in wc_Dilithium_PrivateKeyDecode().
Don't require public key when doing private DER.
Improve benchmark FreeRTOS default tick rate logic. For example Xilinx FreeRTOS uses 10ms tick (not default 1ms), so include `configTICK_RATE_HZ` in calculation if available.
Fix test.c warning around too many parens with no realloc.
Fixes from memory allocation failure testing.
Also:
fix asn.c to have ifdef protection around code compiled in with dual
algorithm certificates.
fix test_tls13_rpk_handshake() to support no TLS 1.2 or no TLS 1.3.
fix wc_xmss_sigsleft() to initialize the index to avoid compilation
error.
Unroll loops and use larger types.
Allow benchmark to run each kyber parameter separately.
Allow benchmark to have -ml-dsa specified which runs all parameters.
Fix thumb2 ASM C code to not have duplicate includes and ifdef checks.
Fix thumb2 ASM C code to include error-crypt.h to ensure no empty
translation unit.
Check for WOLFSSL_SHA3 before including Thumb2 SHA-3 assembly code.
* Update OIDs etc. to match OQS ML-DSA values (old ones were Dilithium
Round 3 values)
* Make sure private key files/buffers containing both the private and
the public key are parsed correctly
Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
Changes to get best out of 32-bit ARM chips.
Fixes come compile errors when cutting out functions.
WOLFSSL_DILITHIUM_SIGN_CHECK_Y and WOLFSSL_DILITHIUM_SIGN_CHECK_W0 added
to speed up signing. No longer specification conformat when either used.
Don't use RIP relative with XMM/YMM instructions.
For MSVC asm, explicitly state type for pointer.
For MSVC asm, don't use vmodvqu for saving XMM registers unless this is
AVX2 code.
Impemented FIPS 204 (Draft) Module-Lattice-Based Signature Standard.
Implementation include making a key, signing and verification.
Make key API added.
Updated liboqs calls to use ML-DSA implementation instead of Dilithium.
work around hang from test 373 to 374
add setting SHELL env for socat test
remove some tests for exec sniffing and sorted address options failing with actions but not locally
When functions are inlined, the labels need to be unique.
Putting '%=' on the end of the label ensures that the compilers appends
a unique number to the end.
add file_name and line_number args to wolfssl_log(),
and inside WOLFSSL_DEBUG_CODEPOINTS gates,
add WOLFSSL_MSG_EX2(), WOLFSSL_MSG2(), WOLFSSL_ENTER2(), and WOLFSSL_LEAVE2(), each with file and line args,
and add wrapper macros for WOLFSSL_MSG, WOLFSSL_MSG_EX, WOLFSSL_ENTER, and WOLFSSL_LEAVE, that pass in file and line.
Ignore protocol version being less than expected when received directly
after ClientHello.
Protocol version negotiation hasn't taken place and a lower version can
be sent to cover minimum supported protocol version.
* in wc_port.h, add XWRITE and XREAD definitions and include <io.h>;
* in wolfSSL_BIO_read(), implement Windows support for XREAD and XWRITE;
* in wolfSSL_BIO_write_filename(), add 'b' flag to XFOPEN flags;
* in wolfSSL_RAND_file_name(), add support for XALTHOMEVARNAME, and add Windows definition for it to wc_port.h alongside XWRITE and XREAD.
fixes test_wolfSSL_BIO, test_wolfSSL_X509_print, test_wolfSSL_RAND, test_wolfSSL_RSA_print in cross-mingw-all-crypto scenario.
Add implementations of AES for ECB/CBC/CTR/GCM/CCM for RISC-V using
assembly.
Assembly with standard/scalar cryptography/vector cryptographt
instructions.
New compilers with specific optimization levels will produce
non-constant time code for kyber_from_msg().
Add in an optimization blocker that stops the compiler from assuming
anything about the value to be ANDed with KYBER_Q_1_HALF.
1. Add API for importing an RSA private key, `wc_RsaPrivateKeyDecodeRaw()`,
when all you have are the components of the key in raw arrays. Also
recalculates dP and dQ if missing.
2. Add API test for `wc_RsaPrivateKeyDecodeRaw()`.
This commit adds varios fixes for the implementation of hybrid
certificates with two algorithms:
* Support for Certificate Signing Requests (both creating hybrid ones
and also verifying ones)
* Fix for SAN fields in the DecodedCert and PreTBS generation
* Fix related to WOLFSSL_SMALL_STACK
Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
Due to recent changes in the logic to decode private keys and to parse
the TLS1.3 CertificateVerify message, some regressions regarding PQC
private keys and hybrid certificates have been introduced:
* Decoding PQC private keys fails as the PKCS8 header of a decoded DER
file is now already removed before parsing the key.
* The key size wasn't properly stored in the context for PQC keys after
decoding a certificate (always the maximum size)
* The two 16-bit size values in case of a hybrid signature in the
CertificateVerify message have been incorrectly decoded as 32-bit
values instead of 16-bit values. This resulted in wrong values,
leading to segmentation faults.
All three regressions are fixed with the changes in this commit.
Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
wolfcrypt/test/test.c and linuxkm/lkcapi_glue.c: update AES-XTS streaming calls to use struct XtsAesStreamData;
linuxkm/lkcapi_glue.c: add handling for CONFIG_CRYPTO_MANAGER*.
- Fix BIO_BIO type
- Set retry flags correctly
- Add CRL callback
- Copy the alt names instead of trying to share a pointer
- Allow calling wolfSSL_get_servername on client side (to get the requested name)
- Return the chain in wolfSSL_X509_STORE_CTX_get_chain in the correct order
- Peer first, top CA last
- Fix leak in RebuildFullName
- Add CopyString helper function
- Implement
- X509_CRL_dup
- ASN1_UTCTIME_set
- X509_STORE_CTX_get0_param
- X509_STORE_get0_param
- X509_STORE_set_verify_cb
- X509_STORE_set_get_crl
- X509_set1_notAfter
- X509_set1_notBefore
wolfcrypt/test/test.c:
* add WOLFSSL_AESXTS_STREAM testing to the LARGE_XTS_SZ exercise in aes_xts_128_test().
* add the LARGE_XTS_SZ exercise to aes_xts_256_test().
* add aes_xts_192_test().
* fix -Werror=frame-larger-than=2048 in ed25519_test().
linuxkm/lkcapi_glue.c: typographic cleanups, and failsafe error return constructs when skcipher_walk_virt() returns zero walk.nbytes.
wolfcrypt/src/aes.c: additional comments and inline documentation.
.github/workflows/openvpn.yml: disable test on master branch.
Changed APIs from wc_AesXts*Start -> wc_AesXts*Init.
Enabled ASM for x64 in aes.c.
AesXtsDecryptStart_sw same as AesXtsEncryptStart_sw so changed them to
AesXtsInit_sw.
* added POSIX definitions for XFEOF(), XFERROR(), and XCLEARERR(), currently with no-op fallbacks for !POSIX.
* added missing file handle checks in testsuite/testsuite.c:file_test() and tests/utils.h:copy_file().
* added fixes and suppression around tests/api.c:test_wolfSSL_SMIME_read_PKCS7().
* added various fixes in examples/asn1/asn1.c and examples/pem/pem.c.
Pass around the algorithm id from the private key so that the WOLFSSL or
WOLFSSL_CTX get the correct key format set.
Use different verification context when self-signed certificate with SM2
and SM3 signature but public key OID is ECC.
1. Add some expository comments describing the purpose of:
* WOLFMEM_MAX_BUCKETS
* WOLFMEM_DEF_BUCKETS
* WOLFMEM_BUCKETS
* WOLFMEM_DIST
2. Switch the API test for LoadStaticMemory() to named constants.
3. Delete redundant test case. Add a new test case.
4. In the wolfCrypt test for the memory constants, check the sizes of
the WOLFMEM_BUCKETS and WOLFMEM_DIST lists against
WOLFMEM_DEF_BUCKETS which should be their length. Check that
WOLFMEM_DEF_BUCKETS is not greater than WOLFMEM_MAX_BUCKETS.
5. Default for WOLFMEM_MAX_BUCKETS should be WOLFMEM_DEF_BUCKETS, set it
to what is specified. Add a warning if MAX is less than DEF.
6. Separate the definition of the constant LARGEST_MEM_BUCKET so it is
dependent on config and not if WOLFMEM_BUCKETS isn't set.
The assumption is that the wrong PIDs are getting killed. Better use the current shell's child processes (ie: 'jobs' command) than storing some calculated PID
1. Add API for function `wc_UnloadStaticMemory()` which frees the mutex
used by the static memory pool.
2. Update the `wc_LoadStaticMemory_ex()` test to free the static memory
pool's mutex on each successful test case.
remove stray definitions of XTRANSFORM*() in wolfcrypt/src/sha512.c;
restore global intel_flags in the !WC_NO_INTERNAL_FUNCTION_POINTERS paths of sha256.c and sha512.c;
disable test_wolfSSL_dtls_compare_stateless() in tests/api.c when DEBUG_VECTOR_REGISTER_ACCESS_FUZZING (it depends on a stable SHA512 hash of the in-memory struct WOLFSSL image).
1. Added some extra parameter checking to wc_LoadStaticMemory_ex().
2. Added some extra parameter checking to wc_StaticBufferSz_ex().
3. Rename some parameters and add some logging prints.
4. Some static functions have some parameter checking and they are only
calling in one spot, remove it.
Fixed issue reported by scan-build when DTLS13 is enabled.
Fix compile issue when WOLFSSL_DTLS_CH_FRAG is enabled.
Fix running of scripts/dtlscid.test by removing 'set -e' as bwrap
command may not be there.
By default RPK (RFC7250) support is not enabled, but is enabled when
--enable-rpk, --enable-all or --enable-dist is used.
Makes use of the HAVE_RPK compile time option.
Fix clang issue reported in tests/api.c during test suites
* Redirect the AesEncrypt_C call to device
* Fix function declarations
* Force CC=nvcc with CUDA
* Don't let C++ mangle function names
* Add larger parallelization
* Add in memory copy to device
* `nvcc` does not support '-Wall' nor '-Wno-unused'
* Add in README.md
* Clean up script to output color coded data
* Fix Asymmetric cipher comparisons
* Add in standard output parsing in addition to the CSV
* Add option to output results in a CSV
---------
Co-authored-by: Andras Fekete <andras@wolfssl.com>
1. Add checks for listSz against WOLFMEM_MAX_BUCKETS.
2. Use WOLFMEM_DEF_BUCKETS for the size when using the default memory
descriptions.
3. Whitespace.
1. Add generic function wolfSSL_StaticBufferSz_ex() where one specifies
the memory bucket list sizes and distribution.
2. Rewrote wolfSSL_StaticBufferSz() in terms of the new function.
3. Changed the list pointers on wc_LoadStaticMemory_ex() and
wc_init_memory_heap() to be pointers to const.
1. Add the function wc_LoadStaticMemory_ex(), which is a generic version
of wc_LoadStaticMemory().
2. Modify wc_LoadStaticMemory() to call wc_LoadStaticMemory_ex() with
the bucket lists.
3. Rename the function wolfSSL_load_static_memory() as
wc_partition_static_memory(), make it static, move it higher in the file.
1. Modify wolfSSL_CTX_load_static_memory() to use wc_LoadStaticMemory()
instead of reimplementing it.
2. Initialize the pointers in wc_LoadStaticMemory() to null.
3. Whitespace changes.
The wrong cipher suite is potentially chosen if key_share is not seen by the client.
$ cat /tmp/test
Client_identitySHA256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Server:
$ gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK:+ECDHE-ECDSA:+AES-128-CCM-8:+CTYPE-CLI-ALL:+CTYPE-SRV-ALL:+SHA256 --pskpasswd=/tmp/test
Client:
$ examples/client/client -vd -g -s -p 5556 2>&1| grep HTTP
asn1.c: Allow sample to build without coding (base64 decoding).
set_curves_list(): function for ECC, Ed25519, Ed448 but this block of
code is ECC only. Fixed #ifdef protection.
wolfSSL_CTX_set1_curves_list and wolfSSL_set1_curves_list also available
when Curve25519/Curve448 compiled in but not ECC.
Check that the Ed25519 and Ed448 public key is valid even without
private key.
Perform pairwise consistency test, only in FIPS, when making a key i
Ed25519 and Ed448.
Moved E[CD][25519||448] APIs to pk.c
Move public key PEM APIs to pk.c.
Move wolfSSL loading and using of private keys and certificates to
ssl_load.c
Move PKCS#7 and PKCS#12 APIs to ssl_p7p12.c.
Move session and session cache APIs to ssl_sess.c.
Other minor fixes.
TLS 1.0/1.1/1.2 specifications require the of a return a handshake
failure alert when no cipher suites match.
TLS 1.3 specification requires the return of a "handshake_failure" or
"insufficient_security" fatal alert.
Change alert sent from "illegal_parameter" to "handshake_failure".
fix clang-analyzer-deadcode.DeadStores in src/tls.c TLSX_ClientCertificateType_GetSize();
fix clang-analyzer-deadcode.DeadStores in tests/api.c test_tls13_rpk_handshake();
fix null pointer to XMEMCPY() in src/internal.c CopyDecodedName().
* Support for external keys (CryptoCb interface)
* Support for usage in mutual authentication
* better entity cert parsing
* Fix for Zephyr port to support the feature
* Check key support
* Proper validation of signatures in certificate chains
* Proper validation of peer cert with local issuer signature
(alt pub key is cached now)
* Support for ECC & RSA as alt keys with PQC as primary
* Support for PQC certificate generation
* Better support for hybrid signatures with variable length signatures
* Support for primary and alternative private keys in a single
file/buffer
* More API support for alternative private keys
Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
DTLS Server:
examples/server/server -v3 -u -s
DTLS Client:
examples/client/client -vd -g -u -s
TLS Server:
examples/server/server -v3 -s
TLS Client:
examples/client/client -vd -g -s
Support checking for DTLS1.2 Hello Verify Request when using PSK.
Unset options.tls1_3 when handling a DTLS1.2 Hello Verify Request.
Unset options.tls1_3 when handling a (D)TLS1.2 Server Hello to stop
checking of Encrypted Client Hello
Requires ./configure --enable-all --enable-dtls13
Add in tests for DTLS1.3 and TLS1.3 downgrade when using PSK.
As per https://datatracker.ietf.org/doc/html/rfc7250#section-3 Figure 1,
the RPK is a single ASN.1_subjectPublicKeyInfo, whereas X509 certificates
etc. are transmitted as a certificate list (even if there is only 1).
This is for (D)TLS1.2 transfers, and this PR fixes this.
As per https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2 all
certificates (both RPK and Z509) are transferred using a certificate list.
Update examples client to support RPK certificates.
For testing:-
Server:
$ gnutls-serv --http --x509fmtder --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK --rawpkfile certs/server-keyPub.der --rawpkkeyfile certs/server-key.der
Client:
$ examples/client/client -g -p 5556 -c certs/client-keyPub.der -k certs/client-key.der --rpk --files-are-der
To support new session ticket nonce longer than MAX_TICKET_NONCE_STATIC_SZ. If
`--disable-ticket-nonce-malloc` is explicitly specified, the feature is not
enabled even if `--enable-curl` is specified.
DES3 support is required to use PBES2-3DES-CBC-encoded keys
but also enabling the DES3 ciphers may be undesirable.
When using Privoxy it results in a "Bad" rating at sites like
https://www.howsmyssl.com/ due to the Sweet32 attack.
static const byte plaintext[] = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras lacus odio, pretium vel sagittis ac, facilisis quis diam. Vivamus condimentum velit sed dolor consequat interdum. Etiam eleifend ornare felis, eleifend egestas odio vulputate eu. Sed nec orci nunc. Etiam quis mi augue. Donec ullamcorper suscipit lorem, vel luctus augue cursus fermentum. Etiam a porta arcu, in convallis sem. Integer efficitur elementum diam, vel scelerisque felis posuere placerat. Donec vestibulum sit amet leo sit amet tincidunt. Etiam et vehicula turpis. Phasellus quis finibus sapien. Sed et tristique turpis. Nullam vitae sagittis tortor, et aliquet lorem. Cras a leo scelerisque, convallis lacus ut, fermentum urna. Mauris quis urna diam. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Nam aliquam vehicula orci id pulvinar. Proin mollis, libero sollicitudin tempor ultrices, massa augue tincidunt turpis, sit amet aliquam neque nibh nec dui. Fusce finibus massa quis rutrum suscipit cras amet";
rsource "Kconfig.tls-generic"
/* Loop over authenticated associated data AD1..ADn */
/* no easy answer [c'est la vie]. Just division */
NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024
## Vulnerabilities
* [Medium] CVE-2024-1544
Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls. Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Analyzing the division through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. Thanks to Luca Wilke, Florian Sieck and Thomas Eisenbarth (University of Lübeck) for reporting the vulnerability. Details will appear in the proceedings of CCS 24.
A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations. If performing ECC private key operations in an environment where a malicious user could gain fine control over the device and perform row hammer style attacks it is recommended to update the version of wolfSSL used and to build with WOLFSSL_BLIND_PRIVATE_KEY defined. Thanks to Kemal Derya, M. Caner Tol, Berk Sunar for the report (Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute)
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7416
* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS. There are existing sanity checks during a TLS handshake with wolfSSL which mitigate this issue. Thanks to Bing Shi for the report.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7597
* [Low] CVE-2024-5991
In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the Openssl compatibility function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. While calling without a NULL terminated string is very uncommon, it is still technically allowed. If a caller was attempting to do a name check on a non*NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7604
* [Medium] CVE-2024-5814
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello when downgrading from TLS 1.3.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7619
* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received. Found with internal testing.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702
* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt. A revoked CA certificate could incorrectly be loaded into the trusted signers list and used in a repeat connection attempt. Found with internal testing.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702
## New Feature Additions
* Added Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87 (PR 7622)
* Improvements to RSA padding to expose Pad/Unpad APIs (PR 7612)
* Updates and API additions for supporting socat version 1.8.0.0 (PR 7594)
* cmake build improvements, expanding build options with SINGLE_THREADED and post-quantum algorithms, adjusting the generation of options.h file and using “yes;no” boolean instead of strings (PR 7611, 7546, 7479, 7480, 7380)
* Improvements for Renesas RZ support (PR 7474)
* Improvements to dual algorithm certificates for post-quantum keys (PR 7286)
* Added wolfSSL_SessionIsSetup so the user can check if a session ticket has been sent by the server (PR 7430)
* hostap updates: Implement PACs for EAP-FAST and filter cipher list on TLS version change (PR 7446)
* Changed subject name comparison to match different upper and lower cases (PR 7420)
* Support for DTLS 1.3 downgrade when using PSK (PR 7367)
* Update to static memory build for more generic memory pools used (PR 7418)
* Improved performance of Kyber C implementation (PR 7654)
* Support for ECC_CACHE_CURVE with no malloc (PR 7490)
* Added the configure option --enable-debug-trace-errcodes (macro WOLFSSL_DEBUG_TRACE_ERROR_CODES) which enables more debug tracking of error code values (PR 7634)
* Enhanced wc_MakeRsaKey and wc_RsaKeyToDer to work with WOLFSSL_NO_MALLOC (PR 7362)
* Improvements to assembly implementations of ChaCha20 and Poly1305 ASM for use with MSVC (PR 7319)
* Cortex-M inline assembly labels with unique number appended (PR 7649)
* Added secret logging callback to TLS <= 1.2, enabled with the macro HAVE_SECRET_CALLBACK (PR 7372)
* Made wc_RNG_DRBG_Reseed() a public wolfCrypt API (PR 7386)
* Enabled DES3 support without the DES3 ciphers. To re-enable DES3 cipher suites, use the configure flag --enable-des3-tls-suites (PR 7315)
* Added stubs required for latest nginx (1.25.5) (PR 7449)
* Added option for using a custom salt with the function wc_ecc_ctx_set_own_salt (PR 7552)
* Added PQ files for Windows (PR 7419)
* Enhancements to static memory feature, adding the option for a global heap hint (PR 7478) and build options for a lean or debug setting, enabled with --enable-staticmemory=small or --enable-staticmemory=debug (PR 7597)
* Updated --enable-jni to define SESSION_CERTS for wolfJSSE (PR 7557)
* Exposed DTLS in Ada wrapper and updated examples (PR 7397)
* ESP improvements: updating the examples and libraries, updates for Apple HomeKit SHA/SRP, and fix for endianness with SHA512 software fallback (PR 7607, 7392, 7505, 7535)
* Made the wc_CheckCertSigPubKey API publicly available with the define of the macro WOLFSSL_SMALL_CERT_VERIFY (PR 7599)
* Added an alpha/preview of additional FIPS 140-3 full submission, bringing additional algorithms such as SRTP-KDF, AES-XTS, GCM streaming, AES-CFB, ED25519, and ED448 into the FIPS module boundary (PR 7295)
* XCODE support for v5.2.3 of the FIPS module (PR 7140)
* Expanded OpenSSL compatibility layer and added EC_POINT_hex2point (PR 7191)
## Fixes
* Fixed Kyber control-flow timing leak. Thanks to Antoon Purnal from PQShield for the report
* Fixed the NXP MMCAU HW acceleration for SHA-256 (PR 7389)
* Fixed AES-CFB1 encrypt/decrypt on size (8*x-1) bits (PR 7431)
* Fixed use of %rip with SHA-256 x64 assembly (PR 7409)
* Fixed OCSP response message build for DTLS (PR 7671)
* Handled edge case in wc_ecc_mulmod() with zero (PR 7532)
* Fixed RPK (Raw Public Key) to follow certificate use correctly (PR 7375)
* Added sanity check on record header with QUIC use (PR 7638)
* Added sanity check for empty directory strings in X.509 when parsing (PR 7669)
* Added sanity check on non-conforming serial number of 0 in certificates being parsed (PR 7625)
* Fixed wolfSSL_CTX_set1_sigalgs_list() to make the TLS connection conform to the selected sig hash algorithm (PR 7693)
* Various fixes for dual algorithm certificates including small stack use and support for Certificate Signing Requests (PR 7577)
* Added sanity check for critical policy extension when wolfSSL is built without policy extension support enabled (PR 7388)
* Added sanity check that the ed25519 signature is smaller than the order (PR 7513)
Release 5.7.0 has been developed according to wolfSSL's development and QA
@ -112,7 +539,7 @@ fixed this omission in several PRs for this release.
* [Low] CVE-2023-6936: A potential heap overflow read is possible in servers connecting over TLS 1.3 when the optional `WOLFSSL_CALLBACKS` has been defined. The out of bounds read can occur when a server receives a malicious malformed ClientHello. Users should either discontinue use of `WOLFSSL_CALLBACKS` on the server side or update versions of wolfSSL to 5.6.6. Thanks to the tlspuffin fuzzer team for the report which was designed and developed by; Lucca Hirschi (Inria, LORIA), Steve Kremer (Inria, LORIA), and Max Ammann (Trail of Bits). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6949.
* [Low] A side channel vulnerability with AES T-Tables is possible in a very controlled environment where precision sub-cache-line inspection can happen, such as inside an Intel SGX enclave. This can lead to recovery of the AES key. To prevent this type of attack, wolfSSL added an AES bitsliced implementation which can be enabled with the “`--enable-aes-bitsliced`” configure option. Thanks to Florian Sieck, Zhiyuan Zhang, Sebastian Berndt, Chitchanok Chuengsatiansup, Thomas Eisenbarth, and Yuval Yarom for the report (Universities of Lübeck, Melbourne, Adelaide and Bochum). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6854.
* [Low] CVE-2024-1543: A side channel vulnerability with AES T-Tables is possible in a very controlled environment where precision sub-cache-line inspection can happen, such as inside an Intel SGX enclave. This can lead to recovery of the AES key. To prevent this type of attack, wolfSSL added an AES bitsliced implementation which can be enabled with the “`--enable-aes-bitsliced`” configure option. Thanks to Florian Sieck, Zhiyuan Zhang, Sebastian Berndt, Chitchanok Chuengsatiansup, Thomas Eisenbarth, and Yuval Yarom for the report (Universities of Lübeck, Melbourne, Adelaide and Bochum). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6854.
* [Low] CVE-2023-6937: wolfSSL prior to 5.6.6 did not check that messages in a single (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating. Thanks to Johannes Wilson for the report (Sectra Communications and Linköping University). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/7029.
@ -766,9 +1193,9 @@ Release 5.5.1 of wolfSSL embedded TLS has bug fixes and new features including:
## Enhancements
* DTLSv1.3: Do HRR Cookie exchange by default
* Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API
* Update ide win10 build files to add missing sp source files
* Improve Workbench docs
* Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API
* Update ide win10 build files to add missing sp source files
* Improve Workbench docs
* Improve EVP support for CHACHA20_POLY1305
* Improve `wc_SetCustomExtension` documentation
* RSA-PSS with OCSP and add simple OCSP response DER verify test case
@ -776,23 +1203,23 @@ Release 5.5.1 of wolfSSL embedded TLS has bug fixes and new features including:
* Don't over-allocate memory for DTLS fragments
* Add WOLFSSL_ATECC_TFLXTLS for Atmel port
* SHA-3 performance improvements with x86_64 assembly
* Add code to fallback to S/W if TSIP cannot handle
* Add code to fallback to S/W if TSIP cannot handle
* Improves entropy with VxWorks
* Make time in milliseconds 64-bits for longer session ticket lives
* Update SP math all to not use sp_int_word when SQR_MUL_ASM is available
### SP Math Fixes
* Fixes for constant time with div function
* Fix casting warnings for Windows builds and assembly changes to support XMM6-15 being non-volatile
* Fix casting warnings for Windows builds and assembly changes to support XMM6-15 being non-volatile
* Fix for div_word when not using div function
* Fixes for user settings with SP ASM and ED/Curve25519 small
* Additional Wycheproof tests ran and fixes
@ -1096,7 +1523,7 @@ Release 5.3.0 of wolfSSL embedded TLS has bug fixes and new features including:
### Math Library Fixes
* Sanity check with SP math that ECC points ordinates are not greater than modulus length
* Additional sanity checks that _sp_add_d does not error due to overflow
* Wycheproof fixes, testing integration, and fixes for AVX / AArch64 ASM edge case tests
* Wycheproof fixes, testing integration, and fixes for AVX / AArch64 ASM edge case tests
* TFM fp_div_2_ct rework to avoid potential overflow
### Misc.
@ -1337,7 +1764,7 @@ Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
###### PORT Fixes
* Building with Android wpa_supplicant and KeyStore
* Setting initial value of CA certificate with TSIP enabled
* Cryptocell ECC build fix and fix with RSA disabled
* Cryptocell ECC build fix and fix with RSA disabled
* IoT-SAFE improvement for Key/File slot ID size, fix for C++ compile, and fixes for retrieving the public key after key generation
###### Math Library Fixes
@ -1476,7 +1903,7 @@ Release 5.0.0 of wolfSSL embedded TLS has bug fixes and new features including:
- SSL_SESSION_has_ticket()
- SSL_SESSION_get_ticket_lifetime_hint()
- DIST_POINT_new
- DIST_POINT_free
- DIST_POINT_free
- DIST_POINTS_free
- CRL_DIST_POINTS_free
- sk_DIST_POINT_push
@ -1639,7 +2066,7 @@ Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including:
### Vulnerabilities
* [Low] CVE-2021-37155: OCSP request/response verification issue. In the case that the serial number in the OCSP request differs from the serial number in the OCSP response the error from the comparison was not resulting in a failed verification. We recommend users that have wolfSSL version 4.6.0 and 4.7.0 with OCSP enabled update their version of wolfSSL. Version 4.5.0 and earlier are not affected by this report. Thanks to Rainer Mueller-Amersdorffer, Roee Yankelevsky, Barak Gutman, Hila Cohen and Shoshi Berko (from CYMOTIVE Technologies and CARIAD) for the report.
* [Low] CVE-2021-24116: Side-Channel cache look up vulnerability in base64 PEM decoding for versions of wolfSSL 4.5.0 and earlier. Versions 4.6.0 and up contain a fix and do not need to be updated for this report. If decoding a PEM format private key using version 4.5.0 and older of wolfSSL then we recommend updating the version of wolfSSL used. Thanks to Florian Sieck, Jan Wichelmann, Sebastian Berndt and Thomas Eisenbarth for the report.
* [Low] CVE-2021-24116: Side-Channel cache look up vulnerability in base64 PEM decoding for versions of wolfSSL 4.5.0 and earlier. Versions 4.6.0 and up contain a fix and do not need to be updated for this report. If decoding a PEM format private key using version 4.5.0 and older of wolfSSL then we recommend updating the version of wolfSSL used. Thanks to Florian Sieck, Jan Wichelmann, Sebastian Berndt and Thomas Eisenbarth for the report.
@ -4,10 +4,46 @@ This library is restructured from [wolfSSL](https://github.com/wolfSSL/wolfssl/)
The Official wolfSSL Arduino Library is found in [The Library Manager index](http://downloads.arduino.cc/libraries/library_index.json).
See the [Arduino-wolfSSL logs](https://downloads.arduino.cc/libraries/logs/github.com/wolfSSL/Arduino-wolfSSL/).
See the [Arduino-wolfSSL logs](https://downloads.arduino.cc/libraries/logs/github.com/wolfSSL/Arduino-wolfSSL/) for publishing status.
Instructions for installing and using libraries can be found in the [Arduino docs](https://docs.arduino.cc/software/ide-v1/tutorials/installing-libraries/).
## wolfSSL Configuration
As described in the [Getting Started with wolfSSL on Arduino](https://www.wolfssl.com/getting-started-with-wolfssl-on-arduino/), wolfSSL features are enabled and disabled in the `user_settings.h` file.
The `user_settings.h` file is found in the `<Arduino>/libraries/wolfssl/src` directory.
For Windows this is typically `C:\Users\%USERNAME%\Documents\Arduino\libraries\wolfssl\src`
For Mac: `~/Documents/Arduino/libraries/wolfssl/src`
For Linux: `~/Arduino/libraries/wolfssl/src`
Tips for success:
- The `WOLFSSL_USER_SETTINGS` macro must be defined project-wide. (see [wolfssl.h](https://github.com/wolfSSL/wolfssl/blob/master/IDE/ARDUINO/wolfssl.h))
- Apply any customizations only to `user_settings.h`; Do not edit wolfSSL `settings.h` or `configh.h` files.
- Do not explicitly include `user_settings.h` in any source file.
- For every source file that uses wolfssl, include `wolfssl/wolfcrypt/settings.h` before any other wolfSSL include, typically via `#include "wolfssl.h"`.
- See the [wolfSSL docs](https://www.wolfssl.com/documentation/manuals/wolfssl/chapter02.html) for details on build configuration macros.
The first Official wolfSSL Arduino Library is `5.6.6-Arduino.1`: a slightly modified, post [release 5.6.6](https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable) version update.
This release of wolfSSL is version [5.7.6](https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.6-stable).
See other [wolfSSL releases versions](https://github.com/wolfSSL/wolfssl/releases). The `./wolfssl-arduino.sh INSTALL` [script](https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO) can be used to install specific GitHub versions as needed.
See GitHub for [all Arduino wolfSSL releases](https://github.com/wolfSSL/Arduino-wolfSSL/releases).
The first Official wolfSSL Arduino Library was `5.6.6-Arduino.1`: a slightly modified, post [release 5.6.6](https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable) version update.
The `./wolfssl-arduino.sh INSTALL` [script](https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO) can be used to install specific GitHub versions as needed.
@ -7,13 +7,33 @@ See the [example sketches](./sketches/README.md):
When publishing a new version to the Arduino Registry, be sure to edit `WOLFSSL_VERSION_ARUINO_SUFFIX` in the `wolfssl-arduino.sh` script.
## Getting Started
See [Getting Started with wolfSSL on Arduino](https://www.wolfssl.com/getting-started-with-wolfssl-on-arduino/), wolfSSL features are enabled and disabled in the `user_settings.h` file.
The `user_settings.h` file is found in the `<Arduino>/libraries/wolfssl/src` directory.
For Windows this is typically `C:\Users\%USERNAME%\Documents\Arduino\libraries\wolfssl\src`
For Mac: `~/Documents/Arduino/libraries/wolfssl/src`
For Linux: `~/Arduino/libraries/wolfssl/src`
Tips for success:
- The `WOLFSSL_USER_SETTINGS` macro must be defined project-wide. (see [wolfssl.h](https://github.com/wolfSSL/wolfssl/blob/master/IDE/ARDUINO/wolfssl.h))
- Apply any customizations only to `user_settings.h`; Do not edit wolfSSL `settings.h` or `configh.h` files.
- Do not explicitly include `user_settings.h` in any source file.
- For every source file that uses wolfssl, include `wolfssl/wolfcrypt/settings.h` before any other wolfSSL include, typically via `#include "wolfssl.h"`.
- See the [wolfSSL docs](https://www.wolfssl.com/documentation/manuals/wolfssl/chapter02.html) for details on build configuration macros.
## Boards
Many of the supported boards are natively built-in to the [Arduino IDE Board Manager](https://docs.arduino.cc/software/ide-v2/tutorials/ide-v2-board-manager/)
and by adding [additional cores](https://docs.arduino.cc/learn/starting-guide/cores/) as needed.
STM32 Support can be added by including this link in the "Additional Boards Managers URLs" field
from [stm32duino/Arduino_Core_STM32](https://github.com/stm32duino/Arduino_Core_STM32?tab=readme-ov-file#getting-started).
from [stm32duino/Arduino_Core_STM32](https://github.com/stm32duino/Arduino_Core_STM32?tab=readme-ov-file#getting-started).
@ -40,7 +40,7 @@ The folder hierarchy is the same as the wolfSSL folders with an exception of the
4. Right click on each folders, add or link all the source code in the corresponding folder in wolfSSL.
5. Remove non-C platform dependent files from your build. At the moment, only aes_asm.asm, aes_gcm_asm.asm and aes_asm.s must be removed from your wolfssl/wolfcrypt/src folder.
5. Remove non-C platform dependent files from your build. At the moment, only aes_asm.asm, aes_gcm_asm.asm, aes_xts_asm.asm and aes_asm.s must be removed from your wolfssl/wolfcrypt/src folder.
6. In your C/C++ compiler preprocessor settings, add the wolfSSL directories to your include paths.
Here's an example of the paths that must be added.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
