Commit Graph

11737 Commits

Author SHA1 Message Date
philljj 2f2ffbac04 Merge pull request #10856 from douzzer/20260702-linuxkm-various
20260702-linuxkm-various
2026-07-07 17:44:50 -05:00
David Garske d805c804b9 Merge pull request #10733 from mattia-moffa/20260617-max32666-sha-streaming-old
MAX32666 fixes for old SDK
2026-07-07 14:54:34 -07:00
David Garske bee18d122d Merge pull request #10801 from SparkiDev/windows_asm_1
Add Windows assembly files to the build
2026-07-07 14:26:31 -07:00
David Garske 5ebc44ee4e Merge pull request #10848 from SparkiDev/wycheproof_fixes_5
Wycheproof: fixes for various platforms
2026-07-07 14:10:07 -07:00
Daniel Pouzzner 833e360ccd fixes for issues identified by CI tests and AI review:
tests/api/api.h: always use FIPS 186-4 settings if defined(HAVE_SELFTEST).

wolfssl/wolfcrypt/settings.h: if defined(HAVE_SELFTEST), #define WC_FIPS_186_4.
2026-07-07 02:35:51 -05:00
Daniel Pouzzner 5cee8bec39 wolfcrypt/src/rng_bank.c:
* refactor rng_bank.refcount management using wolfSSL_RefInc_IfAtLeast() and wolfSSL_RefDec_IfEquals(), to mitigate deallocation races.
* in wc_rng_bank_init(), fail fast for non-retryable errors.
* in wc_rng_bank_init(), wc_rng_bank_checkout(), and wc_rng_bank_inst_reinit(), consistently treat timeout_secs==0 as dont-wait, and timeout_secs<0 as wait-forever if wc_rng_bank_init() or flags & WC_RNG_BANK_FLAG_CAN_WAIT.
* in wc_rng_bank_checkout(), fix affinity dynamics to recompute after possible sleep, or drop affinity attempts entirely if using WC_RNG_BANK_FLAG_CAN_FAIL_OVER_INST strategy.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner 0fdceafe6b wolfcrypt/src/wc_port.c, wolfssl/wolfcrypt/wc_port.h:
* implement wolfSSL_RefInc_IfAtLeast() and wolfSSL_RefDec_IfEquals().
* implement wolfSSL_RefWithMutexInc_IfAtLeast() and wolfSSL_RefWithMutexDec_IfEquals().

wolfssl/wolfcrypt/wc_port.h: for old FIPS when __GNUC__ or __clang__, always map __FUNCTION__ to __func__ for pedantic conformance.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner 09db3a6410 linuxkm/linuxkm_wc_port.h:
* set up WC_LINUXKM_HAVE_SELFTEST and WC_LINUXKM_HAVE_SELFTEST_FULL early.
* replace the forced-downgrade from FIPS 186-5 to 186-4 for SHA-1 support, with a #error if configuration is incompatible.

linuxkm/linuxkm_wc_port.h, linuxkm/lkcapi_glue.c, linuxkm/module_exports.c.template, linuxkm/module_hooks.c, wolfcrypt/src/random.c: consolidate into the warning-masked span of linuxkm_wc_port.h, the #includes for kernel headers linux/fips.h, linux/vmalloc.h, and linux/random.h.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner 12272e1c06 wolfssl/wolfcrypt/hash.h, src/internal.c, src/pk_ec.c, tests/api/api.h, wolfcrypt/src/dsa.c, wolfcrypt/src/ecc.c, wolfcrypt/src/pkcs7.c, wolfcrypt/test/test.c:
* remove FIPS 186-5 sign-mode restrictions from WC_HASH_CUSTOM_MIN_DIGEST_SIZE.
* set up WC_MIN_DIGEST_SIZE_FOR_SIGN and WC_MIN_DIGEST_SIZE_FOR_VERIFY, derived from WC_HASH_CUSTOM_MIN_DIGEST_SIZE, but enforcing FIPS 186-5 sign-mode restrictions only for WC_MIN_DIGEST_SIZE_FOR_SIGN.
* replace all uses of WC_MIN_DIGEST_SIZE with WC_MIN_DIGEST_SIZE_FOR_SIGN or WC_MIN_DIGEST_SIZE_FOR_VERIFY as appropriate.

wolfcrypt/test/test.c: in cryptocb_test(), don't expect callback execution in FIPS builds.

wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, if defined(NO_SHA) while registering ECDSA handlers, force WC_MIN_DIGEST_SIZE_FOR_VERIFY to 20 for SHA-1 verify support.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner d7a29f58b4 wolfcrypt/src/aes.c: activate USE_INTEL_SPEEDUP when defined(USE_INTEL_SPEEDUP_FOR_AES) in the WOLFSSL_X86_64_BUILD build path too.
linuxkm/lkcapi_aes_glue.c: tweak WOLFKM_AES_DRIVER_ISA_EXT to reflect AVX512 and VAES capabilities.
2026-07-07 00:19:48 -05:00
David Garske 675d5df2cd Merge pull request #10833 from kareem-wolfssl/zd22079
Add some missing PKCS7 length checks and bound DTLS 1.3 ACK list.
2026-07-06 17:28:22 -07:00
Sean Parkinson 649054f7b8 Wycheproof: fixes for various platforms
Fixes for C, Intel x64, Aarch64, ARM32, Thumb2, Thumb.
2026-07-07 09:06:00 +10:00
Sean Parkinson bcef8f4f6d Add Windows assembly files to the build
Windows ASM files generated along side the ATT assembly files.
Adding them to the build so they can be used.
2026-07-07 08:02:20 +10:00
David Garske b560973780 Merge pull request #10825 from SparkiDev/aes_x64_perf_1
AES Intel x64: improve performance
2026-07-06 08:04:19 -07:00
Tobias Frauenschläger d40aeeabc0 Fix ret check in test.c 2026-07-03 09:15:26 +02:00
Daniel Pouzzner 8847cf2aa4 Merge pull request #10768 from Frauschi/altNames_API
Add public alt-name list APIs
2026-07-03 01:14:57 -05:00
Daniel Pouzzner f22ec4ccae Merge pull request #10804 from Frauschi/pkcs7_no_eContent
PKCS#7: support SignedData with absent eContent
2026-07-03 01:14:05 -05:00
Daniel Pouzzner cce3f2571e Merge pull request #10803 from Frauschi/fenrir
Fenrir fixes
2026-07-03 01:11:03 -05:00
Daniel Pouzzner d638d2afd7 Merge pull request #10209 from ColtonWilley/harden-chain-depth-and-parser-bounds
Harden chain depth bounds and parser input validation
2026-07-03 01:03:36 -05:00
Daniel Pouzzner ec37935a1f Merge pull request #10697 from Frauschi/zd21977
Even more missing ForceZero in ML-KEM / ML-DSA
2026-07-03 00:47:57 -05:00
Daniel Pouzzner 460b7ad041 Merge pull request #10742 from tjko/rpi_compile
Fix compiler error when WOLFSSL_RPIPICO is used.
2026-07-03 00:45:19 -05:00
Sean Parkinson 3a6717e7c2 AES Intel x64: improve performance
wolfcrypt/src/aes.c - hand‑written: CFB‑decrypt fast path rewritten (ECB straight from in, E(reg) once, carry E(last), direct AesEcbEncryptBlocks); dropped 6 redundant XTS sz checks; WC_VAES_ECB_MIN_BLOCKS 8→2.
wolfcrypt/src/aes_x86_64_asm.S/.asm - regenerated from aes_avx512.rb/aes_vaes.rb (small power‑of‑2 tiers).
wolfcrypt/src/aes_gcm_asm.S/.asm - regenerated from the GCM generators (8‑block tier, 2‑way GHASH, aggregated aad_update/calc_aad).
2026-07-03 11:44:25 +10:00
David Garske 0ecc0c5973 Merge pull request #10828 from SparkiDev/sp_func_block_comment_1
SP: fix function block comments
2026-07-02 15:53:03 -07:00
Daniel Pouzzner 9d3152cae2 Merge pull request #10708 from rlm2002/support-fixes
Support fixes - various reports
2026-07-02 12:51:11 -05:00
David Garske d390a98f64 Merge pull request #10754 from SparkiDev/arm64_asm_c_fallback
Aarch64 asm: Have software fallback and CPU id checks
2026-07-02 09:30:19 -07:00
Tobias Frauenschläger 11f71108ba PKCS#7: support SignedData with absent eContent
Allow encoding and verifying a CMS SignedData whose encapContentInfo
carries no eContent, that is, a signed-attributes-only signature over
empty content (RFC 5652 makes eContent OPTIONAL). This is required for
SCEP CertRep PENDING and FAILURE messages (RFC 8894 section 3.2.2),
which must omit the pkcsPKIEnvelope entirely.

Encode: wc_PKCS7_EncodeSignedData computes the messageDigest over the
empty content when detached is set and contentSz is 0, since there is no
eContent to drive the normal content-hashing pass.

Verify: PKCS7_VerifySignedData no longer rejects an absent eContent when
no external content or hash was supplied. It is processed as a detached
signature over empty content, and wc_PKCS7_VerifyContentMessageDigest
computes the digest of zero-length content using the parsed digest
algorithm. The messageDigest comparison still rejects a stripped
non-empty eContent.

Add pkcs7_signed_no_content_test, a round-trip over a CMS SignedData
whose encapContentInfo carries no eContent (a detached signature over
empty content, signed-attributes-only), as produced by SCEP CertRep
PENDING/FAILURE messages. The encode omits the eContent and the verify
accepts it without any caller-supplied content or hash, checking the
messageDigest against the hash of empty content. Run for RSA/SHA-256.
2026-07-02 14:17:20 +02:00
Tobias Frauenschläger d88ac76fda F-6347 - Reject negative and oversized length in EVP_EncodeUpdate
wolfSSL_EVP_EncodeUpdate did not validate the input length. A large
inl caused the block loop and the residual copy to read far past the
caller's input buffer, and a negative inl was silently treated as
success. Reject negative lengths and lengths whose base64 output would
overflow a positive int before processing any data.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 2943ee6a69 F-6346 - Reject oversized length in EVP_EncodeBlock
wolfSSL_EVP_EncodeBlock rejected negative input lengths but passed any
large positive length straight to Base64_Encode_NoNl, which read that
many bytes from the caller input buffer and ran past its allocation.

Reject input lengths whose base64 output would overflow a positive int,
which also bounds the read against the caller allocation. The encoded
length is the int return value, so the safe maximum input is
(INT_MAX / 4) * 3.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 7562ae5e37 F-6427 - Reject RC2 cipher ops when no key is set
The RC2 encrypt and decrypt operations used the expanded key schedule
without checking that a key had ever been configured. On a zeroed or
otherwise unkeyed context the ECB ops ran over an all-zero schedule and
returned success, and the CBC wrappers inherited the same behavior, so
a caller who skipped wc_Rc2SetKey received ciphertext under an
unintended key with no error signalled.

Guard wc_Rc2EcbEncrypt and wc_Rc2EcbDecrypt on a zero keylen and return
MISSING_KEY when no key has been set. The CBC wrappers call these and
propagate the error. Mirrors the existing 3DES keySet guard.

Add a regression test covering the unkeyed path for all four ops.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 5cf136d15a F-6426 - Reject Camellia cipher ops when no key is set
The Camellia encrypt and decrypt operations used the key schedule
without checking that a key had ever been configured. A zeroed or
otherwise unkeyed context has a keySz that does not match 128, 192,
or 256, so the underlying block transform hit the default no-op case
and CBC emitted an easily reversible XOR chain while still returning
success. A caller who forgot wc_CamelliaSetKey received a success
code with effectively unencrypted output.

Add a key-state check that accepts only valid Camellia key sizes and
have wc_CamelliaEncryptDirect, wc_CamelliaDecryptDirect,
wc_CamelliaCbcEncrypt, and wc_CamelliaCbcDecrypt return MISSING_KEY
when no key has been set. Mirrors the existing 3DES keySet guard.

Add a regression test covering the unkeyed and garbage key-size paths.
2026-07-02 11:36:01 +02:00
Daniel Pouzzner 076dc5a206 Merge pull request #10773 from rlm2002/coverity
24062026 Coverity fixes
2026-07-01 17:59:19 -05:00
Daniel Pouzzner fd3b489ea5 Merge pull request #10787 from stenslae/update-wolfssl-email
Updated email to facts@wolfssl.com
2026-07-01 17:52:20 -05:00
Daniel Pouzzner 7dd269fc52 Merge pull request #10793 from embhorn/gh10790
Restore error code from DecodeGeneralName
2026-07-01 17:49:37 -05:00
Daniel Pouzzner 22b552c668 Merge pull request #10809 from aidangarske/fenrir-6558-nameconstraints-minmax
Reject name constraint subtree with non-zero minimum or maximum
2026-07-01 17:38:28 -05:00
Daniel Pouzzner fed8d6a57e Merge pull request #10814 from kojiws/fix_ecc_31bytes_on_test
Fix ECC buffer test by correcting message length
2026-07-01 17:35:47 -05:00
Daniel Pouzzner 7afcc3eef6 Merge pull request #10687 from rlm2002/zd-NameConstraints
Name Constraints cert chain walk
2026-07-01 17:24:52 -05:00
Daniel Pouzzner 9f48aef47f Merge pull request #10638 from rizlik/nc_uri_trailing_dot
NameConstraints fixes
2026-07-01 17:14:08 -05:00
Daniel Pouzzner d733f203fa Merge pull request #10663 from rizlik/pubkey_ecc_operation_cb
Introduce ECC Make PUB and ECC Check Pub crypto callbacks
2026-07-01 16:53:24 -05:00
Kareem eb7ebfa222 Validate IV length in the non-streaming path in wc_PKCS7_DecodeEnvelopedData.
Reported by: Jorge Milla (Pig-Tail) <jorge@jmilla.es>
2026-07-01 14:32:58 -07:00
David Garske c9e4b13be4 Merge pull request #10829 from douzzer/20260630-various-fixes
20260630-various-fixes
2026-07-01 14:28:27 -07:00
Kareem 6409a9e9a2 Fix two issues with the authTag length in wc_PKCS7_DecodeAuthEnvelopedData.
Reported by: Jorge Milla (Pig-Tail) <jorge@jmilla.es>
2026-07-01 14:15:29 -07:00
Daniel Pouzzner 323027d1d2 Merge pull request #10820 from lealem47/dh_min_sz
FIPS: Default to 2048 bit min DH crypto
2026-07-01 14:40:04 -05:00
Daniel Pouzzner ed4fb32c92 fixes from Fenrir review:
linuxkm/linuxkm_wc_port.h: strcpy() takes 2 args.

wolfcrypt/src/aes.c: add VECTOR_REGISTERS_PUSH2() and use it to free tmp in smallstack path if the push fails.
2026-07-01 13:46:11 -05:00
Josh Holtrop 1e73f8e387 0 memset kop in devcrypto_x25519 before use 2026-07-01 11:35:55 -07:00
Daniel Pouzzner 8b29a95da4 * add WC_MAYBE_UNUSED attribute to AesEcbEncryptBlocks(), AesEcbDecryptBlocks(),
AesCbcEncryptBlocks(), AesCbcDecryptBlocks(), and AesCtrEncryptBlocks(), to
  fix -Wunused-functions in default build with --enable-aesni under clang.

* in AesCfbDecrypt_C(), add smallstack implementation for fast inner loop on
  intelasm/armasm.
2026-07-01 12:54:35 -05:00
Daniel Pouzzner bb7b4ccc77 wolfcrypt/src/port/kcapi/kcapi_aes.c: add backward-compat code paths for authTagSz validation on old FIPS. 2026-07-01 12:48:02 -05:00
JacobBarthelmeh 64a4c7a7ae Merge pull request #10750 from night1rider/SHAKE-Callbacks
SHAKE 128/256 callback wiring and tests, along with fix to devCTX initialization
2026-07-01 10:53:57 -06:00
Lealem Amedie f15681a6c1 Remove 9-bit prime generation testing, disallowed with DH_MIN_SIZE 2026-07-01 08:26:23 -06:00
Lealem Amedie 53fe0b3fc1 Adjust test.c for dh_min_sz 2026-07-01 08:26:23 -06:00
Lealem Amedie 277bd66624 FIPS: Default to 2048 bit min DH crypto 2026-07-01 08:26:23 -06:00