Commit Graph

28332 Commits

Author SHA1 Message Date
Eric Blankenhorn 9062b98319 Fix f284 harden wc_FreeRsaKey 2026-03-05 15:25:29 -06:00
JacobBarthelmeh 37e3a8f3bd fix for sanity checks on serial input 2026-03-05 14:23:44 -07:00
Daniel Pouzzner 58f48a96bf Merge pull request #9836 from Frauschi/pkcs11_dilithium
Add support for ML-DSA in PKCS#11
2026-03-05 15:22:10 -06:00
Eric Blankenhorn d638824b63 Fix F382 to harden wc_FreeDsaKey 2026-03-05 15:16:55 -06:00
Daniel Pouzzner c65e3e50fd Merge pull request #9825 from embhorn/zd21240
Fix issue in TLS_hmac size calculation
2026-03-05 15:16:47 -06:00
Eric Blankenhorn f093268bb9 Fix F381 to harden wc_MakeDsaKey 2026-03-05 15:15:41 -06:00
Eric Blankenhorn 967aaa2c56 Fix F380 to harden wc_MakeDsaKey 2026-03-05 15:14:47 -06:00
Eric Blankenhorn fdec6d0a06 Harden wc_ecc_shared_secret_gen_sync 2026-03-05 15:09:06 -06:00
Daniel Pouzzner 178f96c483 Merge pull request #9854 from sameehj/rsa-pss-fix
Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI
2026-03-05 15:03:46 -06:00
Daniel Pouzzner 26e2f05bfd Merge pull request #9848 from Frauschi/dtls_hrr_group
Fix for DTLS1.3 HRR group handling
2026-03-05 15:02:16 -06:00
Daniel Pouzzner 5fa18d9817 Merge pull request #9784 from dgarske/async_cryptocb
Fixes and tests for async and crypto callbacks
2026-03-05 14:59:27 -06:00
Daniel Pouzzner 91ea97ecdf Merge pull request #9712 from night1rider/max-32666-code-improvements
Fix Crash when using Sha224 Callback with MAX32666
2026-03-05 14:58:02 -06:00
Daniel Pouzzner b2913d27dd Merge pull request #9842 from rlm2002/coverity
20260227 Coverity changes
2026-03-05 14:53:14 -06:00
Ruby Martin b43fb41024 remove word16 cast, add WOLFSSL_MAX_16BIT check 2026-03-05 13:26:03 -07:00
jordan dd2c5a7d2e hmac: add missing ForceZero for tmp, prk. 2026-03-05 14:24:20 -06:00
jordan 3e39a5c11e pwdbased: add missing ForceZero for blocks, v, y. 2026-03-05 13:09:26 -06:00
jordan fb8b3e779c wc_encrypt: add missing ForceZero for Des, Arc4, Rc2. 2026-03-05 12:22:00 -06:00
Ruby Martin 2e1a2b951b remove unused tempBuf = NULL 2026-03-05 10:52:20 -07:00
Ruby Martin adc7b81d9d check if ripemd->buffLen >= RIPEMD_BLOCK_SZ is true to prevent out of bounds write 2026-03-05 10:52:20 -07:00
Tobias Frauenschläger f285a523d7 Make sure ticket lifetime is in allowed range 2026-03-05 18:22:53 +01:00
Tobias Frauenschläger 11fc781d0d Treat alerts as fatal errors regardless of level in TLS1.3 2026-03-05 18:21:02 +01:00
JacobBarthelmeh 54816e8b18 Fix to free RNG with SRP function in failure case 2026-03-05 09:30:16 -07:00
Tobias Frauenschläger 0bb094e644 Send alert in case of decrypted all-zero message 2026-03-05 17:11:39 +01:00
David Garske 36328e31a5 Merge pull request #9857 from douzzer/20260303-linuxkm-aarch64-fixes
20260303-linuxkm-aarch64-fixes
2026-03-05 07:53:00 -08:00
Tobias Frauenschläger 4c5df4f2d9 fix typo in PKCS#11 V3 init 2026-03-05 16:41:05 +01:00
Eric Blankenhorn 0c2de309db Fix wc_ecc_sign_hash_ex with Intel QA 2026-03-05 09:35:23 -06:00
Eric Blankenhorn 998967ea41 Fix review feedback 2026-03-05 08:51:52 -06:00
Eric Blankenhorn 7f487b9869 Fix checkPad to test for zero padding 2026-03-05 08:32:18 -06:00
Eric Blankenhorn 6dc4ba8a24 Fix from review 2026-03-05 08:23:02 -06:00
Eric Blankenhorn fe12395e61 Add null check in wolfSSL_EVP_PKEY_encrypt_init / _decrypt_init 2026-03-05 08:13:26 -06:00
Tobias Frauenschläger eaa40f3df6 Harden hash comparison in TLS1.2 finished 2026-03-05 11:46:33 +01:00
Paul Adelsbach 73f352692b Fix cppcheck warning 2026-03-04 19:51:22 -08:00
Sean Parkinson 34916c80c8 ASN: improve handling of ASN.1 parsing/encoding
ToTraditionalInline_ex2 original ASN code:
  - Now return 0 when no OCTET_STRING data found.
  - Change callers to accept 0 as a valid return value.

SizeASN_Items:
  - Change encoded size to word32 as won't be negative.
  - Change callers to supply a pointer to a word32 instead of integer.
    Fix casting due to change of parameter type.

ASN_LEN_ENC_LEN: Function to calculate the length of the encoded ASN.1
length.

GetLength_ex:
  - Change minLen to word32.
  - Change length to word32 and change negative check appropriately for
    different type.

GetASNHeader_ex:
  - If not checking lengths in GetLength_ex, check it here.

DecodeObjectId:
  - Ensure no overflow in calculation.

_RsaPrivateKeyDecode (original):
  - Clear RSA integers on failure (will be done in free anyway).

wc_CreatePKCS8Key (original):
  - Safe check of overflow.

DecryptContent (template):
  - Parse will fail if OID not recognized, and recognized OIDs are 9/10
    bytes long - but check idx is 9/10 anyway so we know we can read 2 end
    bytes of data.

wc_RsaPublicKeyDecode_ex (original):
  - Fix calculation of seqEndIdx and use it to bound modulus and
    exponent.

DecodePolicyOID:
  - Ensure inSz is not too long.
  - Ensure no overflow in calculation.

SetOidValue (original):
  - Safe check of inSz and oidSz.

SetAltNames (original):
  - Improve length checks.

FlattenAltNames:
  - Check for overflow.
  - Better length check.

ParseCRL_CertList (original):
  - Overflow check.
2026-03-05 13:11:30 +10:00
Paul Adelsbach 569a96fbd2 Fix for C++ compilers 2026-03-04 15:01:08 -08:00
JacobBarthelmeh 13ebc5b9bf fix to free x509 struct in error case with wolfSSL_PKCS7_get0_signers 2026-03-04 15:59:56 -07:00
Paul Adelsbach 22d7550f8e CRL enhancements for revoked entries 2026-03-04 14:53:28 -08:00
JacobBarthelmeh 1ddefce99b fix benign typo with sizeof 2026-03-04 15:28:27 -07:00
Daniel Pouzzner 67bcaff4b8 linuxkm/module_hooks.c: fix syntax error in wolfssl_init(). 2026-03-04 16:13:09 -06:00
kaleb-himes 2603996be7 Implement copilot suggestion 2026-03-04 15:10:16 -07:00
kaleb-himes b807595932 Fix all shellcheck items 2026-03-04 15:06:55 -07:00
Eric Blankenhorn 165c2cf017 Fix wolfSSL_get_peer_quic_transport_version 2026-03-04 15:26:59 -06:00
Eric Blankenhorn d9237210fc Fix sniffer CreateSession 2026-03-04 14:50:21 -06:00
Daniel Pouzzner f04e6e8718 tests/api.c and tests/api/test_pkcs7.c: fixes for CFLAGS="-Og" --enable-all (PRB-single-flag.txt line 3). 2026-03-04 14:46:20 -06:00
Eric Blankenhorn 37d6c14ddf Fix in wolfSSL_CTX_GenerateEchConfig 2026-03-04 14:43:27 -06:00
Eric Blankenhorn 2cd3b7b67d F362 kNistCurves Table 2026-03-04 14:29:50 -06:00
Daniel Pouzzner 1297a85b03 wolfcrypt/test/test.c:
* skip pkcs12_test() if NO_SHA;
* sha3_224_test(): fix error-path leak and possible uninited-read of shaCopy.
2026-03-04 13:14:07 -06:00
Daniel Pouzzner fe93ec87b1 linuxkm/module_hooks.c: in dump_to_file(), accommodate mis-prototyped kernel_write() in kernels 3.9-4.13. 2026-03-04 13:14:07 -06:00
Daniel Pouzzner f67c29ae51 linuxkm/Kbuild:
* for aarch64/arm64, only add -mno-outline-atomics if the compiler supports it.
* in ENABLED_LINUXKM_PIE setup, avoid -fPIE on arm32 <5.11 (missing reloc support).

linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, and wolfcrypt/src/wc_port.c: gate interception of alt_cb_patch_nops() on kernel >= 6.1.

linuxkm/linuxkm_wc_port.h: define WC_LINUXKM_SUPPORT_DUMP_TO_FILE implicitly when WC_SYM_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT.

linuxkm/module_hooks.c: fixes for text_dump_path and rodata_dump_path handler code.
2026-03-04 13:14:07 -06:00
Daniel Pouzzner 8d1b825558 configure.ac:
* add --enable-wolfentropy as a synonym for --enable-wolfEntropy;
* avoid -Wno-deprecated-enum-enum-conversion when KERNEL_MODE_DEFAULTS, to work around old gcc with broken results from AX_CHECK_COMPILE_FLAG();
* rework help messages for several synonym options to refer to the canonical option (--enable-linuxkm-pie, --enable-kyber, --enable-dilithium, --enable-amdrand, --enable-entropy-memues).
2026-03-04 13:14:07 -06:00
Daniel Pouzzner 4a51ed4c26 wolfcrypt/test/test.c: add FIPS gates around "Copy cleanup test" exercises added by 4713ad5675 (#9829). 2026-03-04 13:14:07 -06:00