* add prefetch_ptr flag argument to AesEncrypt_C() and AesDecrypt_C(), and call PreFetchTe() and PreFetchSBox() only if *prefetch_ptr is zero, whereupon it is set to 1;
* when C implementations are available, add prefetch_ptr arg to wc_AesEncrypt() and wc_AesDecrypt(), and pass it through;
* in functions that directly call the AES block encryption methods, opportunistically inhibit prefetch on all but the first call;
* move AES-specific code in wc_CmacUpdate() in cmac.c to wc_local_CmacUpdateAes() in aes.c to let it use conditional prefetching;
* add WC_ARG_NOT_NULL(), WC_ARGS_NOT_NULL(), and WC_ALL_ARGS_NOT_NULL attribute abstractions.
Decapsulation needs H, hash of public key, and it is not present if you
have a new key made from a seed.
Code changed to check for and create H in decapsulate.
In ImportKeyState(), wordAdj was always zero because it was computed
after clamping wordCount, and the subtraction direction was reversed.
This caused misaligned parsing of all subsequent fields when importing
state from a peer compiled with a larger WOLFSSL_DTLS_WINDOW_WORDS.
Fix both window and prevWindow blocks to compute the adjustment before
clamping, with the correct subtraction direction.
Add test that imports a state buffer with wordCount > WOLFSSL_DTLS_WINDOW_WORDS
to verify the fix.
Add bounds check before subtracting WC_AES_BLOCK_SIZE from the
attacker-controlled innerClientHelloLen field in TLSX_ECH_Parse().
Values 0-15 caused a word16 underflow to ~65K, leading to a heap
buffer overflow write via XMEMSET and heap buffer over-read via
wc_AesGcmDecrypt. Return BAD_FUNC_ARG if the field is too small.
Add missing bounds validation in wolfSSL_select_next_proto. Three
issues fixed:
1. Outer loop: no check that length byte + position stays within inLen,
allowing XMEMCMP to read past the server protocol list buffer.
2. Inner loop: same missing check for clientNames/clientLen boundary.
3. No-overlap fallback unconditionally dereferences clientNames[0] even
when clientLen is 0, and returns an outLen that may exceed the buffer.
Also reject zero-length protocol entries (invalid per RFC 7301) to
prevent infinite loops.
Add unit test test_wolfSSL_select_next_proto with 8 cases covering NULL
params, normal match, no overlap, malformed length overruns, zero-length
entries, and empty client lists.
The CRL_STATIC_REVOKED_LIST code path stored revoked certificates in a
fixed array but never sorted it after parsing, causing binary search to
silently miss revoked serials when entries arrived in non-sorted wire
order. Additionally, comparisons used rc[0].serialSz instead of
rc[mid].serialSz, omitted the length-equality check before XMEMCMP,
and ignored the serialHash lookup path entirely (causing a NULL
dereference when hash-based lookup was used).
Fixes:
- Sort the revoked cert array in InitCRL_Entry after populating it
- Use rc[mid].serialSz instead of rc->serialSz in binary search
- Add serialSz equality check before XMEMCMP, matching linked-list path
- Implement serialHash-based linear scan for hash lookup callers
Add unit test that loads a CRL with serials in unsorted wire order and
verifies that a revoked certificate is correctly detected.
* add a kernel-appropriate subset of enable-all-crypto to enable whenever KERNEL_MODE_DEFAULTS (almost all of these overlap with FIPS v5/v6 settings);
* move ocspstapling features from enable-all-crypto to enable-all.
linuxkm/linuxkm_memory.c:
* fix straddle check in wc_reloc_normalize_text();
* fix seg_map bounds checks in wc_fips_generate_hash();
linuxkm/linuxkm_memory.h: fix initializer for wc_reloc_table_segments.bss_end;
wolfssl/wolfcrypt/settings.h: add WC_BITS_TO_BYTES() and WC_BITS_FULL_BYTES() and deploy opportunistically to wolfssl/internal.h, wolfssl/wolfcrypt/{asn.h,dh.h,rsa.h,types.h}, wolfcrypt/src/sakke.c, and wolfcrypt/test/test.c.
configure.ac: add --enable-kernel-verbose-debug and --enable-kernel-stack-debug;
linuxkm/Makefile:
* add QFLAG and VFLAG setup, and pass their values appropriately;
* add missing `@set -e` and `-Wall -Wextra` to the linuxkm-fips-hash recipe;
* use +$(MAKE), not @$(MAKE), for proper dry run recursion.
linuxkm/README.md: update to reflect new goodies, and generally revise+extend remarks.
linuxkm/linuxkm-fips-hash-wrapper.sh: add copyright header; pass through extra caller arguments to ./linuxkm-fips-hash.
linuxkm/linuxkm-fips-hash.c:
* add copyright header;
* fix code around user_coreKey;
* add explicit wolfCrypt_Cleanup() and cleanup of mod_fd and mod_map at end;
* remove unused reloc_tab_len
* fix a couple -Wsign-compares;
* add missing fprintf arguments
* properly set ret = -1 in a couple failure paths.
linuxkm/linuxkm_wc_port.h: set WOLFSSL_LINUXKM_VERBOSE_DEBUG when WOLFSSL_KERNEL_VERBOSE_DEBUG, and recognize WOLFSSL_KERNEL_STACK_DEBUG as a synonym for WC_LINUXKM_STACK_DEBUG.
linuxkm/linuxkm_memory.c and linuxkm/linuxkm_memory.h: add brief explanatory comments.
Add:
* linuxkm/linuxkm-fips-hash.c
* linuxkm/linuxkm-fips-hash-wrapper.sh
* linuxkm/linuxkm_memory.h
Move from linuxkm/module_hooks.c to linuxkm/linuxkm_memory.c:
* reloc_layouts[]
* find_reloc_tab_offset()
* the body of wc_linuxkm_normalize_relocations() as wc_reloc_normalize_text()
* most of updateFipsHash() as wc_fips_generate_hash()
Move from linuxkm/linuxkm_wc_port.h to linuxkm/linuxkm_memory.h:
* struct wc_linuxkm_pie_reloc_tab_ent
* enum wc_reloc_dest_segment
* enum wc_reloc_type
linuxkm/Makefile:
* Update GENERATE_RELOC_TAB recipe to populate new fields in struct wc_reloc_table_ent.
* Add targets:
* libwolfssl-user-build/src/.libs/libwolfssl.so
* linuxkm-fips-hash
* module-with-matching-fips-hash
* module-with-matching-fips-hash-no-sign
* Add support for alternate target module name, via LIBWOLFSSL_NAME make variable.
linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:
* Fixes to make linuxkm-pie work with CONFIG_KASAN.
* Implement WC_LINUXKM_STACK_DEBUG:
* wc_linuxkm_stack_bottom()
* wc_linuxkm_stack_top()
* wc_linuxkm_stack_current()
* wc_linuxkm_stack_left()
* wc_linuxkm_stack_hwm_prepare()
* wc_linuxkm_stack_hwm_measure_rel()
* wc_linuxkm_stack_hwm_measure_total()
wolfssl/wolfcrypt/settings.h:
* When WOLFSSL_KERNEL_MODE, make sure WOLFSSL_GENERAL_ALIGNMENT is at least SIZEOF_LONG.
* When WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sure WOLFSSL_BASE16 is defined.
configure.ac and wolfcrypt/benchmark/benchmark.c: Disable scrypt when KERNEL_MODE_DEFAULTS, due to excessive memory requirements.