Commit Graph

54 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 7a264162b8 wc_ChaCha20Poly1305_Decrypt: clear unauthed plaintext
F-452
2026-03-10 09:52:05 +01:00
aidan garske 3295a6521c Fix Fenrir issues in wolfcrypt 2026-02-24 18:51:58 -08:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Andrew Hutchings 8042f767ed Fix issues found in static analysis
- Fix missing cleanup on error in wc_XChaCha20Poly1305_crypt_oneshot:
  change early return to goto out so ForceZero and free are called
- Fix memory leak in wc_DeCompressDynamic: free tmp buffer before
  early return on avail_out size check failure
- Fix unconditional mutex unlock in PQC sign functions (falcon,
  sphincs, dilithium): only call unlock when lock was acquired
- Remove dead oqssig NULL checks in falcon sign/verify that are
  unreachable after the preceding SIG_TYPE_E assignment
2026-02-17 15:20:36 +00:00
Anthony Hu 7d7299e254 Do not allow NULL with non-zero length. 2026-01-21 17:49:30 -05:00
Anthony Hu 4550814e66 wc_XChaCha20Poly1305_Init: NULL check aead, not ad 2026-01-20 16:37:20 -05:00
effbiae 7a3db09ddd automated small stack compress 2025-10-11 11:40:30 +11:00
Daniel Pouzzner 4af6eb4f2b wolfcrypt/src/chacha20_poly1305.c: in wc_XChaCha20Poly1305_crypt_oneshot(), allow empty message. 2025-09-23 17:06:22 -05:00
Kareem 7afcf20077 Fix non constant compare of TLS 1.3 binder, check for negative dst_len in wc_XChaCha20Poly1305_crypt_oneshot. 2025-09-19 11:39:46 -07:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Daniel Pouzzner c401f5caf2 move the newly added wolfcrypt/src/wolfssl_sources.h to wolfssl/wolfcrypt/libwolfssl_sources.h, and likewise for wolfssl_sources_asm.h; revert changes to IDE/ project files. 2025-04-04 18:44:12 -05:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
JacobBarthelmeh 31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
Daniel Pouzzner b1edb08119 linuxkm/linuxkm_wc_port.h:
* fix WC_LINUXKM_ROUND_UP_P_OF_2() to not round up values that are already powers of 2, nor values larger than 8192.

linuxkm/lkcapi_glue.c:
* fix gating on km_AesSetKeyCommon().
* small stack refactors of Aes objects in self-test routines.
* change kmalloc/free to malloc/free in self-test routines.
* fix error-path "return"s to "goto exit"s in self-test routines.
* fix memory leak around large_input in aes_xts_128_test().

wolfcrypt/benchmark/benchmark.c:
* smallstack refactors in bench_chacha() and bench_chacha20_poly1305_aead().
* add error handling in bench_chacha().

wolfcrypt/src/chacha20_poly1305.c: smallstack refactor for wc_ChaCha20Poly1305_Encrypt() and wc_ChaCha20Poly1305_Decrypt().
2024-03-01 14:55:49 -06:00
Daniel Pouzzner 131b7c2bcf wolfcrypt/src/chacha20_poly1305.c: refactor ssize_t uses in wc_XChaCha20Poly1305_crypt_oneshot() as long int, for portability. 2023-06-14 12:28:50 -05:00
Daniel Pouzzner f396989d20 more -Wconversion fixes, now covering everything inside the 140-3 boundary with default build options, everything in wolfcrypt with default build options, all modes of AES, builds with/without intelasm, all permutations of c89/c99 32/64 bit, and much of the crypto-all-cryptonly boundary;
also a gating fix for asn.c:SetShortInt().
2023-04-19 15:26:05 -05:00
Jacob Barthelmeh 9dcc48c8f7 update copyright to 2023 2022-12-30 17:12:11 -07:00
Uriah Pollock b200d65a6a Added new ABI reference hooks. This is round two, more to come. 2022-08-08 09:08:23 -05:00
Jacob Barthelmeh 8eaa85e412 update copyright year to 2022 2022-07-19 10:44:31 -06:00
Sean Parkinson 1b29f7353a Check memory is zeroized
Add a define WOLFSSL_CHECK_MEM_ZERO to turn on code that checks that
memory that must be zeroized before going out of use is zero.
Everytime sensitive data is put into a allocated buffer or stack buffer;
the address, its length and a name is stored to be checked later.
Where the stack buffer is about to go out of use, a call is added to
check that the required parts are zero.

wc_MemZero_Add() adds an address with length and name to a table of
addressed to be checked later.
wc_MemZero_Check() checks that the memory associated with the address is
zeroized where required.
mp_memzero_add() adds mp_int's data pointer with length and name to
table.
mp_memzero_check() checks that the data pointer is zeroized where
required.

Freeing memory will check the address. The length was prepended on
allocation.
Realloction was changed for WOLFSSL_CHECK_MEM_ZERO to perform an
allocate, check, copy, free.
2022-06-16 10:22:32 +10:00
Sean Parkinson e9187f5f00 Wycheproof fixes/changes
Allow Chachac20-Poly1305 to take an empty msg.
Allow AES-SIV to have an empty nonce.
Don't allow the length to be malleable. Must use the smallest number of
bytes to represent value.
ECDSA and DSA signature values are positive.
Add Sha512-224 and Sha512-256 OIDs.
ASN template - ensure the ECDSA/DSA signature uses all data.
Curve25519/Curve448 - WOLFSSL_ECDHX_SHARED_NOT_ZERO means shared secret
can't be 0.
Curve25519/Curve448 - check public value is less than order.
ECC - x or y may be zero but not both.
Ed25519/Ed448 - check S is less than order.
Ed448 - ge_p3_dbl can be simplified for ASM.
Prime check (integer.c/tfm.c/sp_int.c): Don't allow negative values and
make sure random candidate doesn't have bits higher than those in a set
when bits not a multiple of 8.
RSA: support Sha512-224 and Sha512-256.
RSA: Fix check for invalid in decryption. Affects plaintexts 256 bytes
and longer.
RSA: Don't allow base be larger than modulus.
RSA: Check small ciphertext (1 or 0) on decrypt when not using OAEP.
RSA: WOLFSSL_RSA_DECRYPT_TO_0_LEN allows decrypted value to be 0.
SP math all: fix div to handle large a and d when checking size of
remainder.
SP math all: set sign of result in sp_mod_2d()
2022-04-06 15:35:01 +10:00
Jacob Barthelmeh c729318ddd update copyright date 2021-03-11 13:42:46 +07:00
Daniel Pouzzner f277339528 add explicit casts to XMALLOC()s, even for (void *), to avoid warnings in C++ and MSVC/MSVS builds, and to avoid false positives on simple text searches. 2020-12-10 14:16:21 -06:00
Daniel Pouzzner f37c25f9c0 wc_XChaCha20Poly1305_crypt_oneshot(): use ForceZero, not XMEMSET(), to safely clear the AEAD state before return. 2020-10-28 17:28:05 -05:00
Daniel Pouzzner c910c94824 rename API wc_XChaCha20Poly1305_{encrypt,decrypt}_oneshot to wc_XChaCha20Poly1305_{Encrypt,Decrypt} for consistency; remove stray debugging printf in XChaCha20Poly1305_test(). 2020-10-21 14:36:46 -05:00
Daniel Pouzzner e1d3f2c7b4 chacha20_poly1305.c: add _SMALL_STACK code in wc_XChaCha20Poly1305_crypt_oneshot(). 2020-10-21 14:08:41 -05:00
Daniel Pouzzner f65947ae09 rename wc_XChaCha_init() to wc_XChacha_SetKey() for consistency, and add a counter argument to provide for future random access scenarios; refactor wc_Chacha_purge_current_block() to use a dummy wc_Chacha_Process() call for intrinsically correct counter dynamics. 2020-10-21 14:08:41 -05:00
Daniel Pouzzner 6142c22948 add wc_XChaCha_init(), wc_XChaCha20Poly1305_Init(), wc_XChaCha20Poly1305_encrypt_oneshot(), wc_XChaCha20Poly1305_decrypt_oneshot(), and wc_Poly1305_EncodeSizes64(). also, remove redundant arg check (typo) in wc_Poly1305Update(). 2020-10-21 14:08:41 -05:00
Tesfa Mael cebb283822 DO-178 changes 2020-07-30 09:18:45 -07:00
JacobBarthelmeh 0ec7b311d8 set chacha20 similar to aes-ctr when handling leftover stream and add test case 2020-01-09 16:39:48 -07:00
toddouska 11a0b117f8 Merge pull request #2706 from dgarske/chapoly_aead_iuf
New API's for ChaCha20/Poly1305 AEAD init/update/final
2020-01-09 14:49:26 -08:00
David Garske bc1cb4ead8 Fix to keep existing behavior where AAD is optional for wc_ChaCha20Poly1305_Encrypt and wc_ChaCha20Poly1305_Decrypt. 2020-01-07 18:58:26 -08:00
David Garske 56e57f3216 Refactor Poly1305 AEAD / MAC to reduce duplicate code. Tested with TLS v1.3 interop and AEAD test vectors. 2020-01-07 07:04:01 -08:00
David Garske d68d5229e1 Refactor wc_ChaCha20Poly1305_Encrypt and wc_ChaCha20Poly1305_Decrypt to use the new ChaChaPoly_Aead context and init/update/final functions. 2020-01-06 17:07:09 -08:00
Chris Conlon 45c5a2d39c update copyright to 2020 2020-01-03 15:06:03 -08:00
David Garske 01c7cc6502 Fixes to avoid declaring any variables mid-function and always initializing. 2019-12-31 11:43:13 -08:00
David Garske 784d95afbe Improved state handling. 2019-12-31 10:34:06 -08:00
David Garske bff6dcec24 Added support for AAD calc only. Allows Init, UpdateAad and Final sequence. Verfied again with customer test cases. 2019-12-31 08:25:23 -08:00
David Garske f01999b322 Peer review feedback. 2019-12-31 08:08:33 -08:00
David Garske 1ee9d182cf New API's for ChaCha20/Poly1305 AEAD init/update/final:
* Provides a context for AEAD to allow "chunked" updates of data then a final calculation for the authentication tag.
* New API's are on by default and can be disabled using NO_CHACHAPOLY_AEAD_IUF.
2019-12-30 15:20:55 -08:00
John Safranek 246c444b93 Updates for v4.0.0
Update the copyright dates on all the source files to the current year.
2019-03-15 10:37:36 -07:00
Sean Parkinson be1aba1f70 Improve performance of chacha20-poly1305 on AVX and AVX2.
Create an AVX2 version of the small block size chacha20 encryption code.
Only update the poly1305 once for the two lengths in chacha20-poly1305.
Poly1305 AVX2 uses AVX code to handle last bytes, store H whole.
Fix error codes in poly1305 test and add a longer data test case.
2018-01-16 13:45:36 +10:00
David Garske 911b6f95f8 Release v3.12.2 (lib 14.0.0). Updated copywright. 2017-10-22 15:58:35 -07:00
Jacob Barthelmeh e60adfc9da better naming of macro and alter misc.c check 2016-03-29 13:42:40 -06:00
Jacob Barthelmeh 2665db73a4 check for compiling misc.c when not needed 2016-03-28 16:03:15 -06:00
Jacob Barthelmeh e99a5b0483 prepare for release v3.9.0 2016-03-17 16:02:13 -06:00
David Garske e031d2fa06 Removed the execute bit on all .c files. These were inadvertently set in PR #293 due to editing files through Windows VMWare shared folder. 2016-02-05 14:25:43 -08:00
David Garske 2257c1dcef Fixes several warnings that were seeing building with Visual Studio 2015. Also noticed issue with "struct Options" in internal.h for the bit flags that was causing split due to type difference (byte vs. word16). 2016-02-04 11:30:48 -08:00
toddouska b7db43a189 make ConstantCompare available outside of internal.c 2015-02-26 17:31:47 -08:00