Commit Graph

30589 Commits

Author SHA1 Message Date
David Garske 0d02f2fe2f Merge pull request #10816 from kojiws/fix_mem_cast_on_mldsa
Fix unaligned memory access in ML-DSA
2026-07-08 09:28:28 -07:00
David Garske 60085b0e48 Merge pull request #10837 from rlm2002/zd-NameConstraints
DNS name constraint fix
2026-07-08 09:21:52 -07:00
Tobias Frauenschläger 673d8d00bb Merge pull request #10778 from SparkiDev/time_stamp_protocol
Time-Stamp Protocol (RFC 3161)
2026-07-08 17:43:38 +02:00
David Garske b19f00a736 Merge pull request #10807 from SparkiDev/aes_gcm_siv_asm
AES-GCM-SIV: Add implementation in C and assembly
2026-07-08 08:30:02 -07:00
David Garske a8d223b308 Merge pull request #10834 from SparkiDev/cmake_update_1
cmake: add more build options in line with automake
2026-07-08 08:29:11 -07:00
David Garske 7f441a687a Merge pull request #10748 from night1rider/AES-Callbacks
AES callbacks for CFB and OFB
2026-07-08 08:25:23 -07:00
Tobias Frauenschläger dcc2b23b1a Merge pull request #10852 from stenslae/fix-mldsa-privkeydecode-no-asn1
Fix ML-DSA level auto-detection in WOLFSSL_MLDSA_NO_ASN1 builds
2026-07-08 10:03:34 +02:00
Tobias Frauenschläger 3b07f7df34 Merge pull request #10855 from philljj/misc_fixes
wolfcrypt: fix several redefinition of typedef errors.
2026-07-08 09:56:45 +02:00
David Garske 3cc69f0fae Merge pull request #10839 from kojiws/fix_arm64_macro_name
ML-DSA: Fix misspelled `__arch64__` macro to `__aarch64__`
2026-07-07 21:55:46 -07:00
David Garske e0a8f3f475 Merge pull request #10706 from JacobBarthelmeh/dev
defense in depth hardening for x509 extension create by OBJ and EVP decode update
2026-07-07 16:41:15 -07:00
Sean Parkinson ae023a5643 Time-Stamp Protocol (RFC 3161)
Implementation in wolfCrypt
OpenSSL compatibility layer in wolfSSL
Added tests, certificates, examples.
2026-07-08 09:33:47 +10:00
David Garske a296ac07fc Merge pull request #10842 from miyazakh/f6162_tsiphash
[Renesas RX72N] RX72N TSIP fixes and command-line build/flash/UART tooling
2026-07-07 16:17:30 -07:00
Sean Parkinson 7a1513468d cmake: add more build options in line with automake
Updates
  - ~100 individual options added (ciphers, TLS features, debug/test, caches,
  kernel-module, key-size numerics, asm) + fixed WOLFSSL_32BIT's missing define.
  - 37 app-integration bundles (openssh, nginx, haproxy, openvpn, wpas,
  apachehttpd, jni, wolfclu, wolfsentry, ...) - each force-enables its
  sub-options and emits its defines; all build clean and match ./configure
  --enable-X exactly (miss=0/extra=0).
  - Each option wired in 3 places: add_option + define in CMakeLists.txt,
  #cmakedefine in options.h.in, source selection where needed. Verified by real
  libwolfssl.so builds.
2026-07-08 09:11:14 +10:00
philljj 2f2ffbac04 Merge pull request #10856 from douzzer/20260702-linuxkm-various
20260702-linuxkm-various
2026-07-07 17:44:50 -05:00
David Garske 6d38bc12e8 Merge pull request #10854 from rlm2002/gi10846-7
IDE resource handling and error-path improvements
2026-07-07 15:13:28 -07:00
David Garske d805c804b9 Merge pull request #10733 from mattia-moffa/20260617-max32666-sha-streaming-old
MAX32666 fixes for old SDK
2026-07-07 14:54:34 -07:00
David Garske 7dd7ae86c0 Merge pull request #10770 from embhorn/zd22032
Fix wolfSSL_BUF_MEM_grow_ex with WOLFSSL_NO_REALLOC
2026-07-07 14:48:29 -07:00
David Garske bee18d122d Merge pull request #10801 from SparkiDev/windows_asm_1
Add Windows assembly files to the build
2026-07-07 14:26:31 -07:00
David Garske 926a50458b Merge pull request #10841 from SparkiDev/extract_funcs_ssl_1
internal.c: extract functions to make code cleaner
2026-07-07 14:26:16 -07:00
Sean Parkinson 2c0e235bd1 AES-GCM-SIV: Add implementation in C and assembly
Added assembly for Intel x64, ARM64, ARM32, Thumb2.
2026-07-08 07:15:26 +10:00
David Garske 5ebc44ee4e Merge pull request #10848 from SparkiDev/wycheproof_fixes_5
Wycheproof: fixes for various platforms
2026-07-07 14:10:07 -07:00
David Garske c635740d6e Merge pull request #10850 from holtrop-wolfssl/wolfssl-wolfcrypt-2.1.0
Rust wrapper: wolfssl-wolfcrypt v2.1.0
2026-07-07 14:07:57 -07:00
Aidan Garske e6567ac353 Merge pull request #10838 from cyberstormdotmu/loganaden-patch-wolfssl_quic_underflow
quic: Fix buffer underflow
2026-07-07 13:30:26 -07:00
night1rider 2c6261d1a8 Add testing for cryptocb only for aes ofb and cfb 2026-07-07 14:20:29 -06:00
night1rider d09803154b Adding callbacks for AES mode OFB and CFB, along with callback testing/coverage for the callback paths 2026-07-07 14:20:26 -06:00
Daniel Pouzzner 833e360ccd fixes for issues identified by CI tests and AI review:
tests/api/api.h: always use FIPS 186-4 settings if defined(HAVE_SELFTEST).

wolfssl/wolfcrypt/settings.h: if defined(HAVE_SELFTEST), #define WC_FIPS_186_4.
2026-07-07 02:35:51 -05:00
Daniel Pouzzner 3965993c6d wolfssl/wolfcrypt/types.h: in fallback definition of DISABLE_VECTOR_REGISTERS(), return NOT_COMPILED_IN rather than (-1), for clarity and traceability.
linuxkm/lkcapi_sha_glue.c: require defined(WOLFSSL_EXPERIMENTAL_SETTINGS) when defined(WOLFSSL_LINUXKM_USE_GET_RANDOM_KPROBES).
2026-07-07 00:19:48 -05:00
Daniel Pouzzner 5cee8bec39 wolfcrypt/src/rng_bank.c:
* refactor rng_bank.refcount management using wolfSSL_RefInc_IfAtLeast() and wolfSSL_RefDec_IfEquals(), to mitigate deallocation races.
* in wc_rng_bank_init(), fail fast for non-retryable errors.
* in wc_rng_bank_init(), wc_rng_bank_checkout(), and wc_rng_bank_inst_reinit(), consistently treat timeout_secs==0 as dont-wait, and timeout_secs<0 as wait-forever if wc_rng_bank_init() or flags & WC_RNG_BANK_FLAG_CAN_WAIT.
* in wc_rng_bank_checkout(), fix affinity dynamics to recompute after possible sleep, or drop affinity attempts entirely if using WC_RNG_BANK_FLAG_CAN_FAIL_OVER_INST strategy.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner 0fdceafe6b wolfcrypt/src/wc_port.c, wolfssl/wolfcrypt/wc_port.h:
* implement wolfSSL_RefInc_IfAtLeast() and wolfSSL_RefDec_IfEquals().
* implement wolfSSL_RefWithMutexInc_IfAtLeast() and wolfSSL_RefWithMutexDec_IfEquals().

wolfssl/wolfcrypt/wc_port.h: for old FIPS when __GNUC__ or __clang__, always map __FUNCTION__ to __func__ for pedantic conformance.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner bd977dc0b9 linuxkm/lkcapi_ecdsa_glue.c and linuxkm/lkcapi_glue.c: implement support for ECDSA verify on kernel 6.13+ (struct sig_alg API). 2026-07-07 00:19:48 -05:00
Daniel Pouzzner 09db3a6410 linuxkm/linuxkm_wc_port.h:
* set up WC_LINUXKM_HAVE_SELFTEST and WC_LINUXKM_HAVE_SELFTEST_FULL early.
* replace the forced-downgrade from FIPS 186-5 to 186-4 for SHA-1 support, with a #error if configuration is incompatible.

linuxkm/linuxkm_wc_port.h, linuxkm/lkcapi_glue.c, linuxkm/module_exports.c.template, linuxkm/module_hooks.c, wolfcrypt/src/random.c: consolidate into the warning-masked span of linuxkm_wc_port.h, the #includes for kernel headers linux/fips.h, linux/vmalloc.h, and linux/random.h.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner 12272e1c06 wolfssl/wolfcrypt/hash.h, src/internal.c, src/pk_ec.c, tests/api/api.h, wolfcrypt/src/dsa.c, wolfcrypt/src/ecc.c, wolfcrypt/src/pkcs7.c, wolfcrypt/test/test.c:
* remove FIPS 186-5 sign-mode restrictions from WC_HASH_CUSTOM_MIN_DIGEST_SIZE.
* set up WC_MIN_DIGEST_SIZE_FOR_SIGN and WC_MIN_DIGEST_SIZE_FOR_VERIFY, derived from WC_HASH_CUSTOM_MIN_DIGEST_SIZE, but enforcing FIPS 186-5 sign-mode restrictions only for WC_MIN_DIGEST_SIZE_FOR_SIGN.
* replace all uses of WC_MIN_DIGEST_SIZE with WC_MIN_DIGEST_SIZE_FOR_SIGN or WC_MIN_DIGEST_SIZE_FOR_VERIFY as appropriate.

wolfcrypt/test/test.c: in cryptocb_test(), don't expect callback execution in FIPS builds.

wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, if defined(NO_SHA) while registering ECDSA handlers, force WC_MIN_DIGEST_SIZE_FOR_VERIFY to 20 for SHA-1 verify support.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner d7a29f58b4 wolfcrypt/src/aes.c: activate USE_INTEL_SPEEDUP when defined(USE_INTEL_SPEEDUP_FOR_AES) in the WOLFSSL_X86_64_BUILD build path too.
linuxkm/lkcapi_aes_glue.c: tweak WOLFKM_AES_DRIVER_ISA_EXT to reflect AVX512 and VAES capabilities.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner 42a9983e05 tests/api.c: appropriately pivot expected result code on minDhKeySz in test_wolfSSL_CTX_SetTmpDH_file() and test_wolfSSL_SetTmpDH_file().
tests/api/test_evp_pkey.c and tests/api/test_ossl_rsa.c: for FIPS, use WC_RSA_EXPONENT as the exponent for RSA_generate_key(), not 3.
2026-07-07 00:19:47 -05:00
Loganaden Velvindron 0cdc7ab583 Fix whitespaces 2026-07-07 08:51:12 +04:00
jordan e6e8d9c7e2 wolfcrypt: fix several redefinition of typedef errors. 2026-07-06 23:49:14 -05:00
Loganaden Velvindron 98c48a43b7 move check earlier 2026-07-07 08:47:50 +04:00
David Garske 675d5df2cd Merge pull request #10833 from kareem-wolfssl/zd22079
Add some missing PKCS7 length checks and bound DTLS 1.3 ACK list.
2026-07-06 17:28:22 -07:00
Sean Parkinson 649054f7b8 Wycheproof: fixes for various platforms
Fixes for C, Intel x64, Aarch64, ARM32, Thumb2, Thumb.
2026-07-07 09:06:00 +10:00
Ruby Martin 3cc906f5d1 Rework fail cleanup (GCC-ARM) 2026-07-06 16:27:01 -06:00
Ruby Martin 1cad9fb5b6 IDE examples: fix ssl double-free and unsafe connd close in servers 2026-07-06 16:27:01 -06:00
Ruby Martin e54ef44870 Fix ssl double-free and accepted-socket leak in Azure Sphere server
Set ssl = NULL after the per-connection free so the final util_Cleanup
no longer double-frees it; close(connd) on post-accept error paths.
2026-07-06 16:27:01 -06:00
Ruby Martin f5610a8a76 Jump to exit on error paths to free resources before returning
iotsafe-raspberrypi: goto exit on cert-load failure (was return -1).
MQX server: replace bare return -1 with goto exit + guarded cleanup.
QNX client: correct cleanup-ladder jump targets to unwind properly.
initialize ctx and ssl to NULL
validate wolfIoTSafe_GetCert's int return before casting to uint32_t
2026-07-06 16:27:01 -06:00
Sean Parkinson 9918a1177a internal.c: extract functions to make code cleaner 2026-07-07 08:11:10 +10:00
Emma Stensland 8407359792 fix ml-dsa level auto detection in no asn1 builds 2026-07-06 16:08:58 -06:00
Sean Parkinson bcef8f4f6d Add Windows assembly files to the build
Windows ASM files generated along side the ATT assembly files.
Adding them to the build so they can be used.
2026-07-07 08:02:20 +10:00
JacobBarthelmeh f1b700180c Merge pull request #10738 from dgarske/zd_ecc_nonblock_certchain
Add WOLFSSL_ASYNC_CERT_YIELD: per-certificate non-blocking yield
2026-07-06 14:21:08 -06:00
Josh Holtrop a29a882a3a Rust wrapper: wolfssl-wolfcrypt v2.1.0 2026-07-06 12:07:39 -04:00
Josh Holtrop 19f6f01c61 Rust wrapper: update CHANGELOG for v2.1.0 2026-07-06 12:05:45 -04:00
Josh Holtrop 0a85d07ab3 Rust wrapper: update crate dependencies 2026-07-06 12:03:14 -04:00