Commit Graph

10565 Commits

Author SHA1 Message Date
Eric Blankenhorn 296493acf0 f283 harden GeneratePrivateDh186 2026-03-05 15:43:10 -06:00
Daniel Pouzzner 178f96c483 Merge pull request #9854 from sameehj/rsa-pss-fix
Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI
2026-03-05 15:03:46 -06:00
Daniel Pouzzner 5fa18d9817 Merge pull request #9784 from dgarske/async_cryptocb
Fixes and tests for async and crypto callbacks
2026-03-05 14:59:27 -06:00
Daniel Pouzzner 91ea97ecdf Merge pull request #9712 from night1rider/max-32666-code-improvements
Fix Crash when using Sha224 Callback with MAX32666
2026-03-05 14:58:02 -06:00
Daniel Pouzzner b2913d27dd Merge pull request #9842 from rlm2002/coverity
20260227 Coverity changes
2026-03-05 14:53:14 -06:00
Daniel Pouzzner 1297a85b03 wolfcrypt/test/test.c:
* skip pkcs12_test() if NO_SHA;
* sha3_224_test(): fix error-path leak and possible uninited-read of shaCopy.
2026-03-04 13:14:07 -06:00
Daniel Pouzzner f67c29ae51 linuxkm/Kbuild:
* for aarch64/arm64, only add -mno-outline-atomics if the compiler supports it.
* in ENABLED_LINUXKM_PIE setup, avoid -fPIE on arm32 <5.11 (missing reloc support).

linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, and wolfcrypt/src/wc_port.c: gate interception of alt_cb_patch_nops() on kernel >= 6.1.

linuxkm/linuxkm_wc_port.h: define WC_LINUXKM_SUPPORT_DUMP_TO_FILE implicitly when WC_SYM_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT.

linuxkm/module_hooks.c: fixes for text_dump_path and rodata_dump_path handler code.
2026-03-04 13:14:07 -06:00
Daniel Pouzzner 4a51ed4c26 wolfcrypt/test/test.c: add FIPS gates around "Copy cleanup test" exercises added by 4713ad5675 (#9829). 2026-03-04 13:14:07 -06:00
night1rider daf3b067d4 Add common SHA copy/free helpers with leak-safe msg buffer handling and copy/free crypto callbacks to replicate the non-callback code behavior when using MAX3266X_SHA_CB. 2026-03-04 10:27:22 -07:00
night1rider c3b329eb2e Refactor to use HASH_KEEP option instead of dedicated context for SHA, also add HASH_KEEP to sha1 context with correct init/free calls 2026-03-04 10:27:22 -07:00
Zackery Backman 2f2fca6a91 Remove stdio inclusion and then revert removal of null check for MXC free 2026-03-04 10:27:22 -07:00
night1rider 224ac9e2ff Add setting callback and MXC init when using arm asm with callbacks 2026-03-04 10:27:22 -07:00
Zackery Backman 4ef0492f23 Improve logic behind copy and free for sha, add copy and free callback functions, fix sha224 crashing when using callbacks for MAX32666 due to unitialized struct. 2026-03-04 10:27:22 -07:00
Sameeh Jubran 441bcbb680 Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI
RSA-PSS signed certificates contain a valid RSA public key that can be
used for key transport, but wc_PKCS7_AddRecipient_KTRI and the
EnvelopedData/AuthEnvelopedData encode paths rejected them because they
only checked for RSAk. Allow RSAPSSk to fall through to the RSAk key
transport path, and always use RSAk as the KeyEncryptionAlgorithmIdentifier
since the operation is RSA encryption, not RSA-PSS signing.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-03-04 12:24:08 +02:00
Ruby Martin 682901e32e return MP_VAL if n < 0. remove check for max int value
remove comment
2026-03-03 09:50:16 -07:00
Ruby Martin 0ef8541b73 validate hashAlgSz is within bounds before calling XMEMCPY 2026-03-02 15:05:01 -07:00
Eric Blankenhorn 42e51701e1 Fix DRBG_internal alloc in wc_RNG_HealthTestLocal 2026-03-02 11:19:38 -06:00
Sean Parkinson 215fe1341c Merge pull request #9829 from night1rider/tmpSha-fixes
Fix potential memory leak when copying into existing SHA contexts and zero init tmpSha
2026-03-02 21:18:55 +10:00
Daniel Pouzzner 76bc6e337b wolfcrypt/src/hpke.c, wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c: implement RFC 9180 overflow checks on context->seq in wc_HpkeContextSealBase() and wc_HpkeContextOpenBase(), and add SEQ_OVERFLOW_E to wolfCrypt_ErrorCodes (Fenrir M-70). 2026-02-27 23:40:37 -06:00
Daniel Pouzzner 4110887871 wolfcrypt/src/aes.c: in AesSivCipher(), burn sivTmp before return (Fenrir M-69). 2026-02-27 23:40:19 -06:00
Daniel Pouzzner 616a6a5789 wolfcrypt/src/ecc.c: in wc_ecc_import_point_der_ex() and wc_ecc_import_x963_ex2(), add missing retval capture for sp_ecc_uncompress_sm2_256() (Fenrir M-68). 2026-02-27 23:39:57 -06:00
night1rider 69ddefb099 Zero-initialize stack-declared hash contexts in GetHash functions before passing to Copy, which now calls Free(dst) and requires valid fields. 2026-02-27 16:13:21 -07:00
David Garske 0dffc8abff Fixes for async and crypto callbacks 2026-02-27 14:35:03 -08:00
night1rider 4c5e321dfb Add missing error check for wc_Sha512Final in unaligned memory test. 2026-02-27 14:31:33 -07:00
night1rider 70ccda7619 Free the reused struct before reiniting it for new test 2026-02-27 12:56:58 -07:00
night1rider d4f8f0d0a5 Revert XMEMSET 0 after free in copy process for digest/hashing functions 2026-02-27 12:56:58 -07:00
night1rider 39ab81bdda Use WC_DECLARE_VAR/WC_ALLOC_VAR for shaCopy in SHA3/Shake tests to avoid stack frame overflow on small-stack builds. 2026-02-27 12:56:58 -07:00
night1rider ca150724b3 Revert "Fix SHA3/Shake copy cleanup tests to heap-allocate shaCopy to avoid exceeding stack frame limit."
This reverts commit d99fe3bbfd.
2026-02-27 12:56:58 -07:00
night1rider b87cb3e1cd Fix SHA3/Shake copy cleanup tests to heap-allocate shaCopy to avoid exceeding stack frame limit. 2026-02-27 12:56:58 -07:00
night1rider 4713ad5675 Add Free(dst) + XMEMSET before XMEMCPY in all wc_ hash Copy functions (MD5, SHA, SHA2, SHA3, SHAKE) and add copy cleanup tests to prevent resource leaks when copying into previously-used contexts. 2026-02-27 12:56:58 -07:00
night1rider 60573a3782 memset 0 the temp contexts 2026-02-27 12:56:57 -07:00
night1rider 4c9b980c72 Fix potential memory leak in SHA Copy and zero-initialize temp GetHash contexts; zero HMAC dst hash before copy to prevent shared pointers 2026-02-27 12:56:57 -07:00
night1rider 1f3bea4907 Fix potential memory leak when copying into existing SHA contexts and zero-initialize temp GetHash contexts 2026-02-27 12:56:57 -07:00
David Garske 9102df3c83 Merge pull request #9837 from jackctj117/PKCS7-unused-variable
Fix unused variable warning in PKCS7 without WC_RSA_PSS
2026-02-27 11:27:13 -08:00
Ruby Martin d6c8e7bced add tmp variable to satisfy coverity before casting and assigning to word32 variable 2026-02-27 09:32:01 -07:00
Ruby Martin 5c257e15bb remove redundant NULL check 2026-02-27 09:32:01 -07:00
Ruby Martin 7a8550c217 compare to original type when searching private key headers, prevent deadcode when WOLF_PRIVATE_KEY_ID enabled 2026-02-27 09:32:01 -07:00
jackctj117 e6d4c5561c Move paramsStart declaration inside WC_RSA_PSS guard 2026-02-27 09:20:54 -07:00
Eric Blankenhorn 2243133572 Fix prefix for WC_ALL_ARGS_NOT_NULL 2026-02-27 07:29:41 -06:00
Sean Parkinson b9838aa563 Merge pull request #9711 from julek-wolfssl/nginx-1.28.0
nginx 1.28.1 fixes
2026-02-27 08:39:10 +10:00
Sean Parkinson f3b57679a5 Merge pull request #9835 from douzzer/20260226-fix-aes-prefetch-optimize
20260226-fix-aes-prefetch-optimize
2026-02-27 08:23:02 +10:00
JacobBarthelmeh 921ecf0bca Merge pull request #9830 from aidangarske/fix-wolfcrypt-fenrir
Fix fenrir security findings for wolfcrypt
2026-02-26 14:20:31 -07:00
jackctj117 1f9dd3c955 Fix unused variable warning in PKCS7 without WC_RSA_PSS 2026-02-26 14:04:49 -07:00
Daniel Pouzzner 100e79f9e5 wolfcrypt/src/aes.c: add _TI_CRYPT and _RISCV_ASM fallthrough definitions for Aes{En,de}crypt_preFetchOpt. 2026-02-26 09:24:10 -06:00
JacobBarthelmeh 1b1b085290 Merge pull request #9822 from SparkiDev/mlkem_decap_h_set
ML-KEM decapsulate: check for H
2026-02-25 16:44:47 -07:00
Sean Parkinson 2064ff461c Merge pull request #9797 from douzzer/20260218-aes-prefetch-optimize
20260218-aes-prefetch-optimize
2026-02-26 08:27:08 +10:00
Juliusz Sosinowicz 38b52d8079 nginx 1.28.1
### `wolfssl/internal.h`

- **`InternalTicket` struct gains a flexible array member**: A new `peerCert[]` field (with a preceding `peerCertLen[2]`) is added to `InternalTicket`. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
- **`ExternalTicket` struct becomes variable-length**: The `enc_ticket` field is changed from a fixed-size array to a flexible array member (`byte enc_ticket[]`). The `mac` field is removed from the struct — the MAC is now placed dynamically after the encrypted data in `enc_ticket`.

### `src/internal.c`

- The `GetRecordHeader` function now only adds `MAX_COMP_EXTRA` to the maximum allowed record size when `ssl->options.usingCompression` is true, tightening the length validation. The max fragment length extension check is now much stricter.
- **Peer certificate is serialized into the ticket**: During ticket creation, the code attempts to find the peer certificate from `ssl->peerCert` or from `ssl->session->chain` (fallback). If found and within `MAX_TICKET_PEER_CERT_SZ`, it's copied into `it->peerCert`. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If `HAVE_MAX_FRAGMENT` is defined and max fragment is not `MAX_RECORD_SIZE` for TLS 1.3, the cert is also skipped since `SendTls13NewSessionTicket` doesn't support fragmentation yet.
- **Peer certificate restoration from ticket**: On successful ticket decryption, if the ticket contains a peer certificate (`peerCertLen > 0`), it is decoded back into `ssl->peerCert` via `ParseCertRelative`/`CopyDecodedToX509`, and also added to `ssl->session->chain` via `AddSessionCertToChain`.
- The `CLEAR_ASN_NO_PEM_HEADER_ERROR` macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a `do { ... } while(0)` for safety.
- The `SendTicket` function is simplified to use `SendHandshakeMsg` to support fragmenting the larger ticket.

---

### `src/x509.c`

- `loadX509orX509REQFromPemBio` now accepts `TRUSTED_CERT_TYPE` in addition to `CERT_TYPE` and `CERTREQ_TYPE`.
- **Streaming BIO support**: When `wolfSSL_BIO_get_len()` returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of `MAX_X509_SIZE` and dynamically grows (doubling) up to `MAX_BIO_READ_BUFFER` (`MAX_X509_SIZE * 16`) as data is read byte-by-byte.
- **Alternate footer detection**: For `TRUSTED_CERT_TYPE`, the PEM reader also checks for the regular `CERT_TYPE` footer (`-----END CERTIFICATE-----`) in addition to the trusted cert footer (`-----END TRUSTED CERTIFICATE-----`), so it can parse either format.
- Removed two lines that set `cert->srcIdx` to `SIGALGO_SEQ` offset. This makes `cert->srcIdx` reflect the end of parsed certificate data. This is used by `loadX509orX509REQFromBuffer` to detect where auxiliary trust data begins in trusted certificates.

---

### `src/ssl_sk.c`

- Added a `STACK_TYPE_X509_CRL` case to `wolfssl_sk_dup_data` that calls `wolfSSL_X509_CRL_dup` for deep-copying CRL stack elements. Previously, `STACK_TYPE_X509_CRL` fell through to the unsupported default case.

---

### `wolfssl/openssl/ssl.h`

- `sk_X509_dup` now maps to `wolfSSL_shallow_sk_dup` (was `wolfSSL_sk_dup`/deep copy). This matches OpenSSL's behavior where `sk_X509_dup` does a shallow copy.
- `sk_SSL_CIPHER_dup` similarly changed to `wolfSSL_shallow_sk_dup`.

---

### `src/ssl_api_cert.c`

- When `ssl->ourCert` is `NULL` and the SSL owns its cert, the function now checks if `ssl->ctx->ourCert` points to the same certificate (by comparing DER buffers). If so, it returns the ctx's `X509` pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the `X509*` from `SSL_CTX_use_certificate` as a lookup key.

### `src/bio.c`

- When `wolfssl_file_len` returns `WOLFSSL_BAD_FILETYPE` (now returned for pipes/FIFOs), `wolfSSL_BIO_get_len` treats it as length 0 instead of propagating the error.

---

### `tests/test-maxfrag.conf` and `tests/test-maxfrag-dtls.conf`

- Removed `DHE-RSA-AES256-GCM-SHA384` test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.
2026-02-25 15:19:13 +01:00
Sameeh Jubran deb668ca4b pkcs7: add RSA-PSS support for SignedData
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData
encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use
id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1,
salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates
(e.g. -173 invalid signature algorithm) and maintains backward
compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-25 11:02:47 +02:00
aidan garske 3295a6521c Fix Fenrir issues in wolfcrypt 2026-02-24 18:51:58 -08:00
Daniel Pouzzner 39987a9d53 wolfcrypt/src/aes.c, wolfcrypt/src/cmac.c, wolfssl/wolfcrypt/aes.h, wolfssl/wolfcrypt/types.h: optimizations to mitigate performance regressions from 299e7bd097 (#9783):
* add prefetch_ptr flag argument to AesEncrypt_C() and AesDecrypt_C(), and call PreFetchTe() and PreFetchSBox() only if *prefetch_ptr is zero, whereupon it is set to 1;
* when C implementations are available, add prefetch_ptr arg to wc_AesEncrypt() and wc_AesDecrypt(), and pass it through;
* in functions that directly call the AES block encryption methods, opportunistically inhibit prefetch on all but the first call;
* move AES-specific code in wc_CmacUpdate() in cmac.c to wc_local_CmacUpdateAes() in aes.c to let it use conditional prefetching;
* add WC_ARG_NOT_NULL(), WC_ARGS_NOT_NULL(), and WC_ALL_ARGS_NOT_NULL attribute abstractions.
2026-02-24 13:59:12 -06:00