Daniel Pouzzner
6a04c03e4c
Merge pull request #10113 from Frauschi/zd21464
...
Zeroize heap buffer after ML-DSA signing
2026-04-02 00:06:43 -05:00
Daniel Pouzzner
0c67d7a844
Merge pull request #10080 from JeremiahM37/fenrir-issues
...
Fenrir fixes
2026-04-02 00:06:02 -05:00
Daniel Pouzzner
7fd41b13de
Merge pull request #10104 from padelsbach/cast-shift-slhdsa.c
...
Cast to unsigned prior to shift to avoid UB in SLH-DSA
2026-04-02 00:03:42 -05:00
Paul Adelsbach
2d8e853c74
Fix compile issue with --enable-crl and --disable-ecc
2026-04-01 10:10:35 -07:00
Paul Adelsbach
4aac31bf09
Cast to unsigned prior to shift to avoid UB in SLH-DSA
2026-03-31 09:43:58 -07:00
Tobias Frauenschläger
b7684c1bcc
Zeroize heap buffer after ML-DSA signing
...
Ensure that the heap buffer used (among others) to store sensitive data
during ML-DSA signing is zeroized before freeing the memory.
Follow-up for zd21464
Reported by: Abhinav Agarwal (GitHub: @abhinavagarwal07)
2026-03-31 16:44:49 +02:00
Jeremiah Mackey
9c3895332e
fix lost error in SE050 ECC key insert
2026-03-31 14:34:49 +00:00
Daniel Pouzzner
a2298dde9c
Merge pull request #10105 from padelsbach/lms-sign-external
...
Add buffer size and callback checks to external wc_LmsKey_Sign
2026-03-30 23:01:00 -05:00
Daniel Pouzzner
1a3daf0148
Merge pull request #10087 from padelsbach/crl-num-negative
...
Reject negative CRL numbers when decoding
2026-03-30 22:58:34 -05:00
Daniel Pouzzner
8e54eb9364
Merge pull request #10048 from anhu/constraints
...
Enforce URI name constraints in ConfirmNameConstraints
2026-03-30 22:51:52 -05:00
Daniel Pouzzner
c8415c407f
Merge pull request #10100 from Frauschi/zd21464
...
Zeroize sensitive buffers for ML-DSA
2026-03-30 22:34:53 -05:00
Paul Adelsbach
18494e154f
Reject negative CRL numbers when decoding
2026-03-30 16:09:32 -07:00
Paul Adelsbach
2ac3020bb6
Add buffer size and callback checks to external wc_LmsKey_Sign
2026-03-30 15:02:13 -07:00
Daniel Pouzzner
0a61997059
Merge pull request #10045 from embhorn/zd21385
...
Fix IAR warning about volatile access
2026-03-30 13:42:14 -05:00
Daniel Pouzzner
edb4b2828f
Merge pull request #10091 from rlm2002/gi10063Xchacha
...
GI issue fix use `size_t` instead of `long int`
2026-03-30 11:38:32 -05:00
Daniel Pouzzner
df055976ed
Merge pull request #10079 from rlm2002/ghi10063
...
Various GI and ZD fixes
2026-03-30 11:34:05 -05:00
Daniel Pouzzner
9c0a9a6ceb
Merge pull request #10084 from holtrop-wolfssl/zd21439
...
Add buffer size and callback checks to wc_LmsKey_Sign
2026-03-30 11:32:38 -05:00
Tobias Frauenschläger
7bdf13a3a3
Zeroize sensitive buffers for ML-DSA
...
Make sure stack-allocated buffers containing potentially senstive
material are zeroized before function exit.
Identified by: Abhinav Agarwal (GitHub: @abhinavagarwal07)
2026-03-30 11:21:32 +02:00
Daniel Pouzzner
76a498f7ea
wolfcrypt/src/asn.c: fix invalid-pointer-pair "wild pointer" in CheckCertSignature_ex().
2026-03-27 17:07:53 -05:00
Daniel Pouzzner
e3d4d220c3
src/conf.c, src/ssl.c, wolfcrypt/src/asn.c, wolfssl/wolfcrypt/asn.h: fixes for invalid-pointer-pair memory errors reported by clang sanitizer with detect_invalid_pointer_pairs=2 in ASAN_OPTIONS.
2026-03-27 16:40:05 -05:00
Ruby Martin
88fdc3d92a
remove casts that would cause truncation if long int is 32-bit but size_t is 64-bit
2026-03-27 12:09:53 -06:00
Josh Holtrop
048a03e8bf
Add buffer size and callback checks to wc_LmsKey_Sign
...
Fixes ZD#21439
2026-03-27 08:49:43 -04:00
Ruby Martin
8b2fd34e95
free authInPadded if alloc'd on early return
2026-03-26 16:11:19 -06:00
Daniel Pouzzner
53f3ce635e
wolfcrypt/src/asn.c: fix flub in wc_EccPublicKeyDecode() -- restore FREE_ASNGETDATA(dataASN, key->heap).
2026-03-26 16:54:19 -05:00
Daniel Pouzzner
292ea549cc
wolfcrypt/src/asn.c: fixes for invalid memory access in wc_DsaPublicKeyDecode() and wc_EccPublicKeyDecode(), detected by cppcheck-force-source, lms-xmss-wolfssl-all-clang-sanitizer, and sanitizer-clang-all-noasm.
2026-03-26 16:07:37 -05:00
Daniel Pouzzner
52d5d0a940
linuxkm/, wolfcrypt/src/dh.c, wolfcrypt/test/test.c, wolfcrypt/test/test.h, wolfssl/wolfcrypt/wc_port.h:
...
fixes and workarounds for clang-tidy complaints:
* clang-diagnostic-unknown-warning-option
* bugprone-sizeof-expression
* clang-diagnostic-error "address argument to atomic operation must be a pointer to a trivially-copyable type"
* bugprone-macro-parentheses
* clang-diagnostic-unused-but-set-variable
* readability-redundant-declaration
2026-03-26 15:41:47 -05:00
Jeremiah Mackey
dcbb5539f1
fix SE050 hash msg buffer leak
2026-03-26 17:30:14 +00:00
Jeremiah Mackey
079e7c5692
fix SE050 mutex leaks on early returns
2026-03-26 17:30:14 +00:00
Jeremiah Mackey
5ff7fde919
update outlen after silabs ECC sign
2026-03-26 17:30:14 +00:00
Jeremiah Mackey
7d369889f7
fix uninitialized enc in CAAM keygen
2026-03-26 17:30:14 +00:00
Jeremiah Mackey
c8e0e23660
use constant-time tag compare in TI AES
2026-03-26 17:30:14 +00:00
Jeremiah Mackey
f382526bcc
zero FSL CAAM ECC private key buffers
2026-03-26 17:30:14 +00:00
Jeremiah Mackey
8d9a4b47c2
zero CAAM ECC private key stack buffers
2026-03-26 17:30:14 +00:00
Jeremiah Mackey
6f710aa8f7
fix DH privkey leak and zero buffer
2026-03-26 17:30:14 +00:00
Jeremiah Mackey
0aae4251a6
zero RSA DER key buffer before free
2026-03-26 17:29:59 +00:00
Jeremiah Mackey
b71c2a27bf
zero ECC private key stack buffers
2026-03-26 17:29:59 +00:00
Jeremiah Mackey
a5ae5f128e
zero RSA key buffers before free
2026-03-26 17:29:59 +00:00
Jeremiah Mackey
7aeffa2c29
fix silabs_ecc_sign_hash buffer validation
2026-03-26 17:29:59 +00:00
Jeremiah Mackey
0b2a9d3dbc
fix SHA-512/224,256 KCAPI digest sizes
2026-03-26 17:29:44 +00:00
Ruby Martin
75e6406cd3
upper bounds check for DSA signature
2026-03-26 11:28:36 -06:00
Ruby Martin
d4b25d0ebc
guard against heap buffer overflow
2026-03-26 11:28:36 -06:00
Eric Blankenhorn
1a1bdb2cfe
Address review feedback
2026-03-25 07:48:16 -05:00
David Garske
cf6c1722ae
Merge pull request #10027 from embhorn/zd21394
...
Remove FIPS guards in GetASN_BitString length check
2026-03-24 14:06:40 -07:00
David Garske
636f0e50a1
Merge pull request #10059 from douzzer/20260324-wc_PKCS12_PBKDF_ex-bugprone-inc-dec-in-conditions
...
20260324-wc_PKCS12_PBKDF_ex-bugprone-inc-dec-in-conditions
2026-03-24 13:13:42 -07:00
Daniel Pouzzner
ec61e07d18
wolfcrypt/src/pwdbased.c: in wc_PKCS12_PBKDF_ex(), refactor the "Increment B by 1" loop to avoid bugprone-inc-dec-in-conditions.
2026-03-24 12:07:04 -05:00
David Garske
328822b447
Merge pull request #10047 from Frauschi/mldsa_no_ctx
...
Guard old non-ctx ML-DSA API by default
2026-03-24 09:26:24 -07:00
David Garske
3cf4aeab5c
Merge pull request #10025 from embhorn/zd21392
...
Fix DecodeObjectId unknown ext parse
2026-03-24 09:17:10 -07:00
David Garske
03beeae44e
Merge pull request #10033 from embhorn/gh10028
...
Fix FillSigner to clear pubkeystored
2026-03-24 09:15:05 -07:00
Daniel Pouzzner
d36ddf4063
Merge pull request #9920 from dgarske/asn_old
...
Split original ASN.1 code from asn.c into asn_orig.c
2026-03-24 10:52:15 -05:00
David Garske
ab8cd6fc46
Merge pull request #9937 from douzzer/20260306-wc_Hash-refactor
...
20260306-wc_Hash-refactor
2026-03-24 08:48:08 -07:00