- Fix missing cleanup on error in wc_XChaCha20Poly1305_crypt_oneshot:
change early return to goto out so ForceZero and free are called
- Fix memory leak in wc_DeCompressDynamic: free tmp buffer before
early return on avail_out size check failure
- Fix unconditional mutex unlock in PQC sign functions (falcon,
sphincs, dilithium): only call unlock when lock was acquired
- Remove dead oqssig NULL checks in falcon sign/verify that are
unreachable after the preceding SIG_TYPE_E assignment
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
sources to include them at the top.
wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
conditionally, config.h. settings.h and wc_port.h are unconditionally
included at the top of types.h.
wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.
Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
files.
Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
wolfssl/wolfcrypt/settings.h to allow coverage testing.
In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.
Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.
Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
for clarity.
* fix WC_LINUXKM_ROUND_UP_P_OF_2() to not round up values that are already powers of 2, nor values larger than 8192.
linuxkm/lkcapi_glue.c:
* fix gating on km_AesSetKeyCommon().
* small stack refactors of Aes objects in self-test routines.
* change kmalloc/free to malloc/free in self-test routines.
* fix error-path "return"s to "goto exit"s in self-test routines.
* fix memory leak around large_input in aes_xts_128_test().
wolfcrypt/benchmark/benchmark.c:
* smallstack refactors in bench_chacha() and bench_chacha20_poly1305_aead().
* add error handling in bench_chacha().
wolfcrypt/src/chacha20_poly1305.c: smallstack refactor for wc_ChaCha20Poly1305_Encrypt() and wc_ChaCha20Poly1305_Decrypt().
Add a define WOLFSSL_CHECK_MEM_ZERO to turn on code that checks that
memory that must be zeroized before going out of use is zero.
Everytime sensitive data is put into a allocated buffer or stack buffer;
the address, its length and a name is stored to be checked later.
Where the stack buffer is about to go out of use, a call is added to
check that the required parts are zero.
wc_MemZero_Add() adds an address with length and name to a table of
addressed to be checked later.
wc_MemZero_Check() checks that the memory associated with the address is
zeroized where required.
mp_memzero_add() adds mp_int's data pointer with length and name to
table.
mp_memzero_check() checks that the data pointer is zeroized where
required.
Freeing memory will check the address. The length was prepended on
allocation.
Realloction was changed for WOLFSSL_CHECK_MEM_ZERO to perform an
allocate, check, copy, free.
Allow Chachac20-Poly1305 to take an empty msg.
Allow AES-SIV to have an empty nonce.
Don't allow the length to be malleable. Must use the smallest number of
bytes to represent value.
ECDSA and DSA signature values are positive.
Add Sha512-224 and Sha512-256 OIDs.
ASN template - ensure the ECDSA/DSA signature uses all data.
Curve25519/Curve448 - WOLFSSL_ECDHX_SHARED_NOT_ZERO means shared secret
can't be 0.
Curve25519/Curve448 - check public value is less than order.
ECC - x or y may be zero but not both.
Ed25519/Ed448 - check S is less than order.
Ed448 - ge_p3_dbl can be simplified for ASM.
Prime check (integer.c/tfm.c/sp_int.c): Don't allow negative values and
make sure random candidate doesn't have bits higher than those in a set
when bits not a multiple of 8.
RSA: support Sha512-224 and Sha512-256.
RSA: Fix check for invalid in decryption. Affects plaintexts 256 bytes
and longer.
RSA: Don't allow base be larger than modulus.
RSA: Check small ciphertext (1 or 0) on decrypt when not using OAEP.
RSA: WOLFSSL_RSA_DECRYPT_TO_0_LEN allows decrypted value to be 0.
SP math all: fix div to handle large a and d when checking size of
remainder.
SP math all: set sign of result in sp_mod_2d()
* Provides a context for AEAD to allow "chunked" updates of data then a final calculation for the authentication tag.
* New API's are on by default and can be disabled using NO_CHACHAPOLY_AEAD_IUF.
Create an AVX2 version of the small block size chacha20 encryption code.
Only update the poly1305 once for the two lengths in chacha20-poly1305.
Poly1305 AVX2 uses AVX code to handle last bytes, store H whole.
Fix error codes in poly1305 test and add a longer data test case.