Ruby Martin
00e1fa651f
Adds tmpSz so int is not cast to word32 in wc_d2i_PKCS12
2026-05-01 13:36:33 -06:00
Ruby Martin
001939d663
Call ForceZero on sensitive buffers
2026-05-01 13:36:33 -06:00
Ruby Martin
c2d44b4359
Bound by curSz in PKCS12 ContentInfo parsing
2026-05-01 09:37:45 -06:00
Ruby Martin
3a799bd451
zeroize unicodePasswd before breaking
2026-05-01 09:21:04 -06:00
Ruby Martin
1bf33bcc0b
PKCS12 and unicode password size check improvement
2026-04-30 16:30:29 -06:00
Ruby Martin
3ff02a7a95
Zero byte array buffer before free
2026-04-30 15:10:03 -06:00
lealem47
d00a137de0
Merge pull request #10344 from douzzer/20260416-linuxkm-fips-rodata-canonify
20260416-linuxkm-fips-rodata-canonify
2026-04-30 10:19:43 -06:00
Daniel Pouzzner
a057975347
Merge pull request #10293 from Frauschi/liboqs_removal
Remove liboqs for ML-KEM and ML-DSA, update for Falcon
2026-04-30 09:04:11 -05:00
Daniel Pouzzner
76080d0b19
Merge pull request #10292 from Frauschi/liblms_libxmss_removal
Remove deprecated liblms and libxmss
2026-04-30 09:01:24 -05:00
Tobias Frauenschläger
7a2cf5b655
Remove liboqs for ML-KEM and ML-DSA, update for Falcon
2026-04-30 11:03:06 +02:00
Tobias Frauenschläger
e1fefcca4f
Remove deprecated liblms and libxmss
2026-04-29 19:52:09 +02:00
Daniel Pouzzner
9aec51d00b
Merge pull request #10334 from lealem47/acme
Add TLS-ALPN-01 challenge cert support (RFC 8737 acmeId extension)
2026-04-29 12:16:15 -05:00
Tobias Frauenschläger
71a8a55654
Merge pull request #10345 from douzzer/20260428-SLHDSA-fixes
20260428-SLHDSA-fixes
2026-04-29 16:44:02 +02:00
Daniel Pouzzner
f81f8479d5
fixes for SLH-DSA verifyonly:
wolfssl/wolfcrypt/wc_slhdsa.h: implement WOLFSSL_SLHDSA_NO_SHAKE and WOLFSSL_SLHDSA_NO_SHA2, and fix WC_SLHDSA_MAX_SIG_LEN setup to reflect SHA2 variants;
wolfssl/wolfcrypt/settings.h: if WOLFSSL_KERNEL_MODE, set WOLFSSL_SLHDSA_VERIFY_ONLY unless WOLFSSL_SLHDSA_NO_VERIFY_ONLY;
wolfcrypt/src/wc_slhdsa.c: fix WOLFSSL_SLHDSA_VERIFY_ONLY to work with --enable-slhdsa=sha2,verifyonly;
fix -Wunused-variables in slhdsakey_wots_pk_from_sig_x4();
wolfcrypt/test/test.c: in slhdsa_test(), fix gating for compatibility with --enable-slhdsa=sha2,verifyonly;
tests/api/test_slhdsa.c: fix gating in test_wc_slhdsa() and test_wc_slhdsa_sizes().
2026-04-28 18:06:00 -05:00
Daniel Pouzzner
b7ed413571
wolfcrypt/src/wc_lms_impl.c: work around false-positive -Wmaybe-uninitialized in wc_lms_treehash_update().
2026-04-28 15:05:30 -05:00
Daniel Pouzzner
d218d3fbdd
wolfcrypt/src/ge_operations.c and wolfssl/wolfcrypt/ge_operations.h: when ge_tobytes_nct and ge_tobytes have identical definitions, map the former to the latter using a macro and omit the latter definition, to avoid problematic R_ARM_THM_JUMP11 tail call.
2026-04-28 12:58:32 -05:00
Lealem Amedie
82b15efebc
Add acmeIdentifier to asn=original
2026-04-28 11:51:40 -06:00
Lealem Amedie
1f260ccb0a
Add TLS-ALPN-01 challenge cert support (RFC 8737 acmeId extension)
2026-04-27 17:15:06 -06:00
David Garske
e31e158225
Fix for using STM32 AES hardware crypto with WOLFSSL_ARMASM set (ZD 21262)
2026-04-27 14:46:18 -07:00
Daniel Pouzzner
66ea4daa09
wolfcrypt/src/wc_port.c: in wc_socket_cloexec(), add necessary but undocumented __USE_GNU gating on call to accept4() (pre-includes can bring in socket.h before the override setting of _GNU_SOURCE at the top). Also enable accept4() for FreeBSD.
2026-04-27 11:40:04 -05:00
Daniel Pouzzner
3279b367d7
wolfcrypt/src/wc_lms.c: remove redundant gating on WOLFSSL_LMS_SHAKE256 in wc_LmsParamsMap wc_lms_map[].
2026-04-27 11:37:29 -05:00
Daniel Pouzzner
ac11279c60
wolfcrypt/src/random.c:
* add workaround in Hash512_df() for gcc compiler bug around AVX512 and object alignment.
* add missing WC_VERBOSE_RNG clause.
2026-04-27 11:37:15 -05:00
Daniel Pouzzner
1d8028865f
wolfcrypt/benchmark/benchmark.c: add missing WOLFSSL_USE_SAVE_VECTOR_REGISTERS handling in bench_stats_ops_finish().
2026-04-27 11:36:48 -05:00
Daniel Pouzzner
beae56fba7
wolfcrypt/test/test.c:
* fix aes_eax_test() for NO_MALLOC (use WC_*_VAR() to allocate eax context).
* in slhdsa_test(), gate the profusely verbose TestDumpData() clauses on WC_SLHDSA_VERBOSE_DEBUG.
2026-04-27 11:36:34 -05:00
Daniel Pouzzner
7035fcf72b
wolfcrypt/src/wc_slhdsa.c:
* fix smallstackcache memory leaks in sha256 and sha512 contexts -- don't init or copy over a context that's been inited but not freed, and make sure to explicitly free any context that's been inited or copied over.
* fix uninited-var warnings in slhdsakey_wots_sign(), slhdsakey_xmss_sign(), and slhdsakey_fors_sign() (the uninited-var scenario depends on corrupt arg(s) resulting in zero iterations).
2026-04-27 11:36:15 -05:00
Daniel Pouzzner
df486d8cd5
src/ssl_load.c: fix -Wnull-dereference in wolfssl_ctx_set_tmp_dh() (detected by armel build);
.github/workflows/pq-all.yml: for the --enable-sp-math scenario, --disable-quic (QUIC unit tests fail on that combo);
wolfcrypt/test/test.c: add WC_MAYBE_UNUSED to ecdsa_test_deterministic_k_rs(), to fix armel sp-math build.
2026-04-25 11:47:25 -05:00
Daniel Pouzzner
363bb0e216
configure.ac:
* allow for fips-dev in v7|ready|dev ENABLED_SHA256_DRBG and ENABLED_SHA512_DRBG setup and change from AC_MSG_WARN to AC_MSG_ERROR if user tries to disable outside fips-dev;
* set ENABLED_SHA512_DRBG=no in lean-aesgcm setup;
wolfcrypt/test/test.c: suppress concurrency-mt-unsafe in myFipsCb();
.wolfssl_known_macro_extras: fix lexical order.
2026-04-25 11:47:25 -05:00
Daniel Pouzzner
b79221acd3
wolfcrypt/test/test.c: in random_bank_test(), accommodate WOLFSSL_DRBG_SHA512 in the WC_RNG_BANK_FLAG_NO_VECTOR_OPS test;
linuxkm/lkcapi_sha_glue.c: in wc_mix_pool_bytes(), accommodate WOLFSSL_DRBG_SHA512.
2026-04-25 11:47:25 -05:00
Daniel Pouzzner
91c7c8f9fb
wolfcrypt/test/test.c and wolfcrypt/test/test.h: fix gating for dsa_test() and srp_test() prototypes to avoid -Wunused-function in --enable-sp-math builds.
2026-04-25 11:47:24 -05:00
David Garske
21921408b9
Merge pull request #10216 from ColtonWilley/add-null-checks-public-api
Add missing NULL checks in public API functions
2026-04-24 14:42:24 -07:00
JacobBarthelmeh
734a71180c
Merge pull request #10220 from embhorn/zd21596
Fix TLS ext bounds checking
2026-04-24 15:10:05 -06:00
JacobBarthelmeh
c6953b868a
Merge pull request #10260 from Frauschi/ecc_fix
Fix ECC validation regression
2026-04-24 14:39:50 -06:00
JacobBarthelmeh
46cedcf0f6
Merge pull request #10268 from ColtonWilley/zephyr-4.3-default-tls-support
zephyr: changes needed for Zephyr 4.3 default TLS support
2026-04-24 14:30:59 -06:00
JacobBarthelmeh
0c9a496215
Merge pull request #10162 from embhorn/gh9753
Use O_CLOEXEC to avoid race conditions
2026-04-24 14:28:00 -06:00
JacobBarthelmeh
a20c391b84
Merge pull request #10282 from kareem-wolfssl/zd21527
Fix W560 "possible truncation at implicit conversion to type unsigned char" warnings raised by Tasking compiler.
2026-04-24 14:11:41 -06:00
kaleb-himes
08fd7bde58
PQ FIPS v7.0.0 Phase 2 & 3: All changes
Implement peer review feedback
2026-04-24 06:52:49 -06:00
Eric Blankenhorn
412c428b0a
Fix TLS ext bounds checking
2026-04-24 07:23:07 -05:00
Juliusz Sosinowicz
31278ee8bd
Merge pull request #10296 from JacobBarthelmeh/hostap
2026-04-24 14:13:02 +02:00
Sean Parkinson
936f8e5423
Merge pull request #10203 from Frauschi/pkcs7_fixes
PKCS#7 fixes
2026-04-24 10:13:43 +10:00
JacobBarthelmeh
d9beec2e81
Merge pull request #10283 from night1rider/SHE-test-double-free-fix
Fix double-free of she2 in she_test()
2026-04-23 16:59:52 -06:00
JacobBarthelmeh
72c7d12cfb
exclude the trust anchor from prospective certification path with pathlen check
2026-04-23 16:23:07 -06:00
JacobBarthelmeh
fe8541cc47
Merge pull request #10193 from padelsbach/set-hashtype-in-ports
Set hashType in ports
2026-04-23 15:02:30 -06:00
JacobBarthelmeh
6a0303e299
Merge pull request #10066 from dgarske/wc_puf
wolfCrypt SRAM PUF Support
2026-04-23 14:28:37 -06:00
JacobBarthelmeh
5277556989
Merge pull request #10264 from JeremiahM37/fenrir-issues-5
Harden wolfCrypt input validation and zeroization
2026-04-23 14:06:29 -06:00
Tobias Frauenschläger
6c5de29758
Fix ECC validation regression
2026-04-23 11:26:33 +02:00
Tobias Frauenschläger
22d1441331
Bounds-check the RecipientInfo SET length in wc_PKCS7_ParseToRecipientInfoSet()
2026-04-23 11:03:24 +02:00
Tobias Frauenschläger
97b82b5087
Add nonce length validation for PKCS#7
2026-04-23 11:03:19 +02:00
Tobias Frauenschläger
b7f6e77a95
Reject PKCS#7 SignedData signer-identity forgery
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
589feabc0c
Harden PKCS#7 EnvelopedData key unwrap
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
4e423fde17
More PKCS#7 bounds checks
2026-04-23 09:36:32 +02:00