JacobBarthelmeh
156db7dd2d
Merge pull request #9831 from julek-wolfssl/pytho-3.13.4
Fixes to run python with --enable-all
2026-03-13 10:50:23 -06:00
David Garske
0792c674c5
Merge pull request #9960 from philljj/fix_coverity
asn: fix coverity null deref warnings.
2026-03-13 06:58:41 +01:00
David Garske
00cd1a7c22
Merge pull request #9962 from night1rider/ecc-dilithium-callback-free-fix
Fix expected callback behavior for ECC/Dilithium for Free Callbacks
2026-03-13 06:19:31 +01:00
David Garske
cdacf3a53e
Merge pull request #9964 from SparkiDev/asm_gen_fixes_1
SP fixes: 32-bit ARM assembly fixes
2026-03-13 06:16:57 +01:00
Sean Parkinson
bac0563669
Merge pull request #9919 from anhu/lms-leaf-idx
Fix buffer-overflow in LMS leaf cache indexing
2026-03-13 10:02:50 +10:00
Sean Parkinson
d23cb79f18
SP fixes: 32-bit ARM assembly fixes
mod_exp: subtract from 32 instead of 64 as n is 32 bits
sp_521_ecc_mulmod_fast: look up the last point in constant time when
required.
2026-03-13 09:37:28 +10:00
JacobBarthelmeh
424af6eb5b
Merge pull request #9956 from rlm2002/coverity
20260311 Coverity changes
2026-03-12 16:53:39 -06:00
JacobBarthelmeh
357c2ad8e9
fixes for CAAM port without hash store
2026-03-12 15:55:19 -06:00
night1rider
cdbd19551e
Have ret initialized to 0 in wc_ecc_free() and wc_dilithium_free()
2026-03-12 15:40:38 -06:00
night1rider
2626f976f5
Update the PKCS11 ECC and dilithium free handlers so they will now return CRYPTOCB_UNAVAILABLE after attempting the context free so the caller still does software cleanup on the rest of the context that the callback does not handle.
2026-03-12 15:18:56 -06:00
JacobBarthelmeh
80ba723e16
Merge pull request #9943 from philljj/fix_evp_set_iv_length
evp: check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length.
2026-03-12 14:47:32 -06:00
night1rider
5ff2b55345
Fix Free Callback Behavior for Dilithium's free callback path so that it respects the return code of the callback
2026-03-12 14:45:33 -06:00
JacobBarthelmeh
c1f71fcf33
Merge pull request #9959 from philljj/fix_wolfboot_build
asn: add HAVE_OCSP_RESPONDER guard, to fix wolfboot build.
2026-03-12 14:44:29 -06:00
JacobBarthelmeh
351d2594ac
Merge pull request #9938 from SparkiDev/regression_fixes_23
Fixes from regression testing
2026-03-12 14:41:18 -06:00
night1rider
9d65982d80
Fix Free Callback Behavior for ECC's free callback path so that it respects the return code of the callback
2026-03-12 14:24:10 -06:00
jordan
02bdde0264
asn: fix coverity null deref warnings.
2026-03-12 14:28:24 -05:00
Ruby Martin
d359f420ab
set *inLen = outLen if output == NULL, if != NULL, check that outLen <= *inLen before assigning *inLen = outLen
2026-03-12 10:25:14 -06:00
Ruby Martin
d432759fdd
verify algoSz is <= MAX_ALGO_SZ
2026-03-12 09:53:34 -06:00
Ruby Martin
8314aa56ae
catch MEMORY_E from CALLOC_ASNSETDATA()
2026-03-12 09:53:34 -06:00
jordan
d67c034b14
asn: add HAVE_OCSP_RESPONDER guard, to fix wolfboot build.
2026-03-12 10:50:18 -05:00
Juliusz Sosinowicz
4fbc81916c
Address final comments from #9761
- Fix line length
- Remove duplicate comment
- Check return of `wc_HashGetDigestSize`
- Use constant instead of magic number
2026-03-12 12:30:13 +01:00
JacobBarthelmeh
a8dfa59bbe
Merge pull request #9761 from julek-wolfssl/ocsp-responder
Implement OCSP responder
2026-03-11 17:27:33 -06:00
Sean Parkinson
bbd2f6f898
Fixes from regression testing
CRL APIs not usable when NO_ASN_TIME defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When session ticket encrypted with CBC, must be a multiple of block
size.
Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.
2026-03-12 08:19:39 +10:00
Anthony Hu
00d0b09401
Fix buffer-overflow in LMS leaf cache indexing
wc_lms_treehash_init() writes leaf node hashes into the leaf cache
using an absolute index (i * hash_len), but the cache is only
max_cb entries starting from leaf->idx. When leaf->idx > 0 (which
occurs when wc_LmsKey_Reload is called after signing more than
max_cb times), the write goes past the end of the cache buffer.
Fix by using the relative offset (i - leaf->idx) * hash_len instead.
Added unit tests (test_lms.c):
- test_wc_LmsKey_sign_verify: basic sign/verify sanity check
- test_wc_LmsKey_reload_cache: (TDD) reproduces the overflow by
signing 33 times then reloading the key
2026-03-11 16:58:48 -04:00
sebastian-carpenter
bb7c6a13c8
ECH tidying
2026-03-11 12:07:20 -06:00
Juliusz Sosinowicz
5a4c63423b
Address code review
2026-03-11 12:28:11 +01:00
Juliusz Sosinowicz
6bb122d29f
Address copilot review
2026-03-11 11:08:44 +01:00
Juliusz Sosinowicz
6fc83e292b
Address code review
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
7ae2ecc686
fixup! Implement OCSP responder
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
10be06d747
Address copilot feedback
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
9a9eb2bf1d
Add ocsp responder test to testsuite.c and tested on windows
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
a795b19db2
Implement copilot suggestions
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
4578e1390f
Implement OCSP responder
OCSP Responder Core API:
- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM
Header Cleanup:
- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h
OCSP Responder Example (examples/ocsp_responder/):
- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client
Test Scripts (scripts/):
- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling
Certificate Infrastructure (certs/ocsp/):
- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions
Known Limitations (documented in src/ocsp.c header comment):
- Single request/response per OCSP exchange only
- Key-hash responder ID only (no name-based responder ID)
- No singleExtensions support
2026-03-11 10:21:16 +01:00
Sean Parkinson
31cfcdf3f0
sp_int.c: comment fixes
Fix comments.
Reformat @param lines.
Reformat XMALLOC lines.
Fix lines to be no longer than 80 characters.
2026-03-11 14:45:10 +10:00
Daniel Pouzzner
3540d89c0d
Merge pull request #9945 from holtrop-wolfssl/zd21327
Avoid one-byte read outside of allocated encrypted content buffer in wc_PKCS7_DecodeEnvelopedData()
2026-03-10 22:39:24 -05:00
Daniel Pouzzner
a5bc0cd929
Merge pull request #9887 from rlm2002/static_analysis
20260305 Coverity fixes
2026-03-10 22:34:57 -05:00
Daniel Pouzzner
bfe0b21829
Merge pull request #9765 from night1rider/zephyr-4_3_0-posix-fix
Add Zephyr 4.1+ build compatibility for wolfssl_tls_sock sample.
2026-03-10 22:28:43 -05:00
Daniel Pouzzner
51693156fe
Merge pull request #9939 from SparkiDev/mlkem_comments_fixes
ML-KEM: Fixes for comments plus bug fixes
2026-03-10 19:34:39 -05:00
Daniel Pouzzner
4e84c7e05a
Merge pull request #9931 from aidangarske/fix-wolfcrypt-fenrir-1
Fix Fenrir 376
2026-03-10 19:33:32 -05:00
Daniel Pouzzner
f1508c910a
Merge pull request #9930 from julek-wolfssl/fenrir/260903
Fenrir fixes
2026-03-10 19:32:56 -05:00
Daniel Pouzzner
7af6decbf3
Merge pull request #9856 from anhu/rsa_guard
Macro guard parameter null check.
2026-03-10 19:32:19 -05:00
Daniel Pouzzner
f18d5ba359
Merge pull request #9928 from philljj/fix_f_451
ascon: don't skip wc_AsconAEAD128_Clear on auth error.
2026-03-10 19:31:20 -05:00
Daniel Pouzzner
65092ab5eb
Merge pull request #9838 from SparkiDev/slhdsa_1
FIPS 205, SLH-DSA: implementation
2026-03-10 19:28:59 -05:00
Daniel Pouzzner
2ad5afaf4d
wolfcrypt/src/wc_slhdsa.c: fixes for uninited data reads in slhdsakey_wots_sign_chain_x4_*() and slhdsakey_wots_pk_from_sig_x4;
CMakeLists.txt, cmake/functions.cmake, cmake/options.h.in: fixes for -DWOLFSSL_SLHDSA.
2026-03-10 17:51:18 -05:00
Josh Holtrop
d37b51c3ce
Avoid one-byte read outside of allocated encrypted content buffer in wc_PKCS7_DecodeEnvelopedData()
2026-03-10 17:26:28 -04:00
jordan
77b6f531fb
evp: check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length.
2026-03-10 15:27:37 -05:00
night1rider
0442918391
Add Zephyr 4.1+ build compatibility for wolfssl_tls_sock sample. Replace removed Kconfig options (PTHREAD_IPC, POSIX_CLOCK, NET_SOCKETS_POSIX_NAMES) with version-conditional config fragments and fix min/max macro collision with Zephyr's sys/util.h.
2026-03-10 14:23:47 -06:00
Sean Parkinson
b180a279b0
ML-KEM: Fixes for comments plus bug fixes
wc_MlKemKey_SharedSecretSize: Check len is not NULL before use.
wc_MlKemKey_DecodePrivateKey:
Don't set flags when public key hash fails.
ForceZero the private key on failure if copied.
2026-03-10 21:09:08 +10:00
Juliusz Sosinowicz
7a264162b8
wc_ChaCha20Poly1305_Decrypt: clear unauthed plaintext
F-452
2026-03-10 09:52:05 +01:00
Juliusz Sosinowicz
0b03d56127
wc_GetKeyOID: Clean up logging in mldsa case
F-449
2026-03-10 09:52:05 +01:00