Commit Graph

11655 Commits

Author SHA1 Message Date
philljj 3fa342a76c Merge pull request #10812 from douzzer/20260629-linuxkm-fixes
20260629-linuxkm-fixes
2026-06-30 13:36:04 -05:00
philljj b5636ffaf9 Merge pull request #10696 from douzzer/20260615-linuxkm-fixes
20260615-linuxkm-fixes
2026-06-30 12:00:25 -05:00
Daniel Pouzzner 8820b810f2 Merge pull request #10725 from SparkiDev/aes_x25519_arm32_thumb2_fixes
ARM32/Thumb2: generated asm fixes
2026-06-30 10:47:03 -05:00
David Garske 07b677edba Merge pull request #10744 from SparkiDev/arm64_asm_opt
ARM64 ASM: optimizations
2026-06-30 08:42:23 -07:00
David Garske 8d63afab99 Merge pull request #10767 from SparkiDev/ppc64_ppc32_asm_1
PPC64/PPC32 ASM: AES, SHA-2, SHA-3
2026-06-30 07:13:35 -07:00
Daniel Pouzzner 2af2a2967f fix F-3085 "Base64_Decode silently returns success with outLen=0 when input is a 1-3 byte truncated base64 fragment, violating decode(encode(x)) roundtrip for inputs producing 2-3 base64 chars without padding"
wolfcrypt/src/coding.c: in Base64_Decode() and Base64_Decode_nonCT(), check for non-whitespace characters past the end and return ASN_INPUT_E if found;

wolfcrypt/test/test.c: in base64_test(), remove ';' from goodChar[], and add trailing*[] test strings and N_BYTE_TRAILING_TEST(), for positive and negative testing of new checks.
2026-06-29 23:48:36 -05:00
Sean Parkinson 3e99430671 PPC64/PPC32 ASM: AES, SHA-2, SHA-3
PPC64:
  - Added AES-ECB/CBC/CTR/GCM/XTS using crypto instructions
  - Added SHA-256/512 using base scalar and crypto instructions
  - Added SHA-3 using base scalar and POWER8 VSX
  - Added SHA-3 x2/x3 but disabled compilation.
  - Added CPU id flags.
  - Changed the constant data format to be consistent with other platforms.
PPC32:
  - Added AES-ECB/CBC/CTR/GCM/XTS using base scalar
  - Added SHA-256/512 using base scalar
  - Added SHA-3 using base scalar
2026-06-30 08:52:45 +10:00
Sean Parkinson 5956da84c2 ARM32/Thumb2: generated asm fixes
Fix Thumb2 Curve25519 asm to do full reduce.
Change ARM32 to simpler carry/overflow processing.
Minor optimizations - use ubfx, no need to move register into temporary, cache value instead of loading again later.
Reduce the register push and pops in Thumb2 generated code.
Fix Thumb2 to have values less than 64 in decimal.
2026-06-30 06:25:51 +10:00
David Garske 18c9684c9d Merge pull request #10740 from SparkiDev/ppc32_cond_reg
PPC32 ASM: Use condition register
2026-06-29 10:41:46 -07:00
Daniel Pouzzner 568c660bf5 wolfcrypt/src/pkcs7.c: in wc_PKCS7_DecodeAuthEnvelopedData(), accommodate old FIPS using old authTagSz check. 2026-06-27 19:50:52 -05:00
Daniel Pouzzner d69d49cc68 wolfcrypt/src/aes.c: don't use explicit inline attribute on wc_local_AesGcmCheckTagSz() with C++ (namespace breakage). 2026-06-27 16:14:59 -05:00
Daniel Pouzzner 47cf8d066c wolfcrypt/src/pkcs7.c: in wc_PKCS7_DecodeAuthEnvelopedData(), accommodate AES*GCMb with !HAVE_AESGCM, and add AES-CCM authTagSz check. 2026-06-27 16:13:23 -05:00
Daniel Pouzzner 262b0ed3b8 tweaks for linuxkm targeting clang-built kernels:
linuxkm/: when logging PTR_ERR(), cast it to int, and use "%d" as the format.  Globally, `#define PTR_ERR(x) ((int)PTR_ERR(x))` in linuxkm_wc_port.h to fix clang warnings on kernel headers.

linuxkm/lkcapi_aes_glue.c: add casts in linuxkm_test_aesgcm() to mollify clang.

linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c:
* add __clang__ compat code to allow including clang stdatomic.h while masking out kernel-incompatible __CLANG_STDINT_H.
* add clang-specific suppressions for kernel headers (-Wshorten-64-to-32, -Wframe-address).

linuxkm/lkcapi_sha_glue.c:
* in wc__get_random_bytes(), add bounds-checking for len.
* in wc_extract_crng_user(), fix type conflicts.

wolfssl/wolfcrypt/wc_port.h and wolfssl/wolfcrypt/types.h:
* move the old-FIPS compatibility mapping from INLINE to WC_INLINE from types.h to wc_port.h.
* activate stdatomic.h for clang kernel module builds.

linuxkm/Kbuild:
* add clang-specific flags.
* add gcc gate around gcc-specific flags.
* allow override value for MAX_STACK_FRAME_SIZE.

wolfcrypt/src/asn.c: add casts in GetFormattedTime_ex() to mollify clang build of linuxkm.
2026-06-27 14:48:17 -05:00
Daniel Pouzzner 3811ec0aa7 linuxkm-related loose ends:
* wolfssl/ocsp.h: gate out the CheckOcspResponder() prototype if defined(CheckOcspResponder) (for linuxkm-pie).
* wolfcrypt/src/wc_mldsa.c: add support for WC_MLDSA_NO_ASM.
* .wolfssl_known_macro_extras: add new macros.
2026-06-27 14:47:32 -05:00
Daniel Pouzzner ac5f2b98e7 wolfcrypt/src/wc_slhdsa.c:
* disable asm accelerations if WC_SHA3_NO_ASM is set.
* fix an uninited-data warning in slhdsakey_wots_pkgen_chain_c().
2026-06-27 14:41:44 -05:00
Daniel Pouzzner cba69093cc wolfcrypt/src/port/riscv/riscv-64-aes.c: in GHASH(), remove runtime nullness check for arg 1 (matching nonnull attribute to arg 1 added to prototype in earlier commit). 2026-06-27 14:41:17 -05:00
Daniel Pouzzner 649197d159 replace several nonconformant uses of __FUNCTION__ with __func__ (linuxkm/linuxkm_memory.c, wolfcrypt/src/random.c, wolfcrypt/test/test.c, wolfssl/wolfcrypt/mem_track.h, wolfssl/wolfcrypt/memory.h, wolfssl/wolfcrypt/settings.h). 2026-06-27 14:37:35 -05:00
Daniel Pouzzner 7a402566b6 wolfcrypt/src/sha3.c: refactor WC_C_DYNAMIC_FALLBACK using SAVE_VECTOR_REGISTERS2(). 2026-06-27 14:21:36 -05:00
Daniel Pouzzner 4d46e1eb74 wolfcrypt/test/test.c:
* in slhdsa_keygen_kat() and slhdsa_id_label_test(), pass devId to wc_SlhDsaKey_Init*()
* in cryptocb_test(), inhibit the callback verification check for SLHDSA if FIPS (no crypto callbacks in FIPS-wrapped calls).
2026-06-27 14:14:31 -05:00
Daniel Pouzzner 5ae99fb03b wolfcrypt/src/aes.c, wolfcrypt/src/port/, wolfssl/wolfcrypt/aes.h, wolfcrypt/src/pkcs7.c, wolfcrypt/test/test.c:
* implement wc_local_AesGcmCheckTagSz() with pedantic checks for valid authtag size.  SP 800-38D restrictions are now uniformly imposed, unless WC_AES_GCM_ALLOW_NONSTANDARD_TAG_LENGTH is defined (not allowed with FIPS).
* refactor tag size checks in wc_AesGcmEncrypt(), wc_AesGcmDecrypt(), wc_AesGcmEncryptFinal(), wc_AesGcmDecryptFinal(), and wc_PKCS7_DecodeAuthEnvelopedData().
* in test.c, update aesgcm_non12iv_test() to skip tag sizes expected to fail.
2026-06-27 14:12:34 -05:00
Daniel Pouzzner 6d21d600f6 in all FIPS-relevant C sources, add a "#define _WC_BUILDING_foo" first (where foo is a stylization of the filename), before including libwolfssl_sources.h, to allow future file-specific suppressions or other settings without altering FIPS sources. 2026-06-27 14:06:52 -05:00
Daniel Pouzzner 479a685199 wolfcrypt/src/aes.c: fix performance regressions on GMAC and AES-CFB decrypt:
* add WC_VAES_MIN_BLOCKS, WC_VAES_ECB_MIN_BLOCKS, and WC_VAES_GCM_MIN_BLOCKS, and check against them before using AVX512/VAES implementations.
* in AesCfbDecrypt_C(), enlarge the tmp[] buffer and parameterize its size with newly added WC_AES_CFB_DEC_BUF_BLOCKS.
2026-06-27 14:03:42 -05:00
Daniel Pouzzner c38f11b9a7 fixes for false positives on linuxkm CONFIG_FORTIFY_SOURCE builds on gcc-16:
linuxkm/linuxkm_memory.c: use packed-struct intermediates rather than memcpy()s for wc_get_unaligned() and wc_put_unaligned().

linuxkm/linuxkm_wc_port.h: on old FIPS, retrofit nonnull attribute to GHASH() arg 1, so that it unconditionally writes out the hash.

wolfcrypt/src/aes.c and wolfssl/wolfcrypt/aes.h: in GHASH(), add nonnull attribute to arg 1, and remove runtime nullness check for arg 1 in the implementations.
2026-06-26 14:25:48 -05:00
David Garske 0cecccdf6e Merge pull request #10756 from SparkiDev/aes_asm_ymm_zmm
Intel x64 ASM: Add new assembly for AES
2026-06-25 21:41:17 -07:00
David Garske 39c0336cb1 Merge pull request #10728 from SparkiDev/intel_asm_fixup
Intel x86/x64 assembly fixes
2026-06-25 21:41:08 -07:00
David Garske 23bfe9b65e Merge pull request #10775 from SparkiDev/regression_fixes_26
Regression testing fixes: ARM/PP64 asm fixes, plus more
2026-06-25 14:47:08 -07:00
David Garske c3366597b3 Merge pull request #10707 from SparkiDev/mlkem_mldsa_unaligned
ML-KEM/ML-DSA: unaligned reads
2026-06-25 13:00:18 -07:00
twcook86 6ef3df248a Merge pull request #10598 from twcook86/hkdf_cryptocb_split
Create individual crypto callbacks for hkdf extract and hkdf expand
2026-06-25 14:58:15 -04:00
David Garske cee4b2bb47 Merge pull request #10713 from SparkiDev/curve25519_hibit_mask
X25519: standard requires masking of top bit
2026-06-25 10:34:49 -07:00
Sean Parkinson cb11e2ff28 Regression testing fixes: ARM/PP64 asm fixes, plus more
ARM64/ARM32/Thumb2:
  - Inline-asm use param names not registers.
  - Return value through first parameter and not first register
  - 32-bit values zero extended when loaded off stack
aes.c: Aligned-access GHASH for 32-bit CPUs.
test.c: #ifdef protection update.
sha3.h: make digest and block size constants defines for use in hash.h
sha512.h: internal Transform_Sha512* functions declared when only SHA-384.
sp_int.h: include WOLFSSL_SP_MATH_ALL in SP_INT_BITS selection
memory.c: fix printf format to be compatible with more platforms
2026-06-25 17:33:49 +10:00
Juliusz Sosinowicz dbd495dacb sha512: free SHA-512/384 W cache with its allocated memory type
With WOLFSSL_SMALL_STACK_CACHE, wc_Sha512Free and wc_Sha384Free freed the
cached W buffer as DYNAMIC_TYPE_TMP_BUFFER, but it is allocated as
DYNAMIC_TYPE_DIGEST in InitSha512_Family/InitSha384 and the Copy functions
(the in-Init error cleanup already frees it as DYNAMIC_TYPE_DIGEST).

The mismatch is flagged by the memusage test (DHE_RSA TLS1.2 reports
Errors: 2) and matters for type-bucketed static memory pools. SHA-256/224
already use DYNAMIC_TYPE_DIGEST consistently. Free W as DYNAMIC_TYPE_DIGEST.
2026-06-24 22:50:29 +00:00
Daniel Pouzzner 18c2329167 wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/wc_port.c: for 16 bit portability,
use target native int for WC_ATOMIC_INT_ARG, add user overrideability, and
adjust WC_INIT_STATE_COUNT_BITS to depend on sizeof(WC_ATOMIC_UINT_ARG).  Add
a wc_static_assert to sanity-check WC_INIT_STATE_STATE_BITS, and use CHAR_BIT
opportunistically in the other wc_static_assert to sanity check that CHAR_BIT
is at least 8.
2026-06-23 11:24:51 -05:00
Sean Parkinson a342eba578 Intel x64 ASM: Add new assembly for AES
Support AES-XTS AVX512/VAES
Support AES-GCM AVX512/VAES
Support AES-ECB/CBC/CTR AVX512/VAES/AVX1/AES-NI.
Remove code from aes_asm.S/aes_asm.asm
Add CPU defines for AVX512 and VAES
Updated ASM files with new defines for AVX512.
Added support for printing out the new CPU Id flags in benchmark.
Added new files to Windows projects.
aes.c: Supports ECB/CBC/CTR in assembly. Supports calling AVX512/VAES assembly.
2026-06-23 20:54:59 +10:00
Sean Parkinson 0481cba126 ARM64 ASM: optimizations
Fewer instructions in assembly for minor improvements.
2026-06-20 08:56:52 +10:00
Sean Parkinson 9eb8858fb7 PPC32 ASM: Use condition register
Use condition registers in SHA-256 small code to speed it up.
2026-06-19 09:36:25 +10:00
JacobBarthelmeh dd6da70d39 Merge pull request #10732 from douzzer/20260618-FORCE_FAILURE_RDSEED-fixes
20260618-FORCE_FAILURE_RDSEED-fixes
2026-06-18 15:30:54 -06:00
Daniel Pouzzner 296bfc8a83 wolfcrypt/src/random.c:
* in USE_WINDOWS_API wc_GenerateSeed(), recognize HAVE_AMD_RDSEED, and properly enforce FORCE_FAILURE_RDSEED when CPU support is missing;

* in WOLFSSL_LINUXKM wc_GenerateSeed(), initialize ret to RNG_FAILURE_E, and properly enforce FORCE_FAILURE_RDSEED when CPU support is missing;

* in WOLFSSL_BSDKM wc_GenerateSeed(), properly enforce FORCE_FAILURE_RDSEED when CPU support is missing;
2026-06-18 11:53:44 -05:00
Sean Parkinson fc946d6327 Intel x86/x64 assembly fixes
Allow x86 to build with assembly for enable all - disable assembly when x86 and not assembly code available. Add file fe_operations.c when assembly and x86.
x86: fix ECB decrypt to use correct offsets for parameters
     fix AES-NI and AVX1 assembly code
     fix sp_int with assembly to compile
     minor optimizations of AES-GCM
x64: Don't emit move instruction if source and destination are the same reg
     Use xor instead of mov 0
     minor optimizations of AES-GCM for AES-NI
2026-06-18 21:03:50 +10:00
Sean Parkinson ad85f49926 Thumb2 X25519: Fix to do full reduction
This fix went into ARM32 assembly; it is now being added to Thumb2 assembly.
Full reduction to ensure the number is in range at end of work.
2026-06-18 20:34:11 +10:00
JacobBarthelmeh 633784e91b Merge pull request #10714 from Frauschi/zd21992_2
Some more fixes
2026-06-17 17:34:15 -06:00
JacobBarthelmeh 3f9ae22010 Merge pull request #10709 from douzzer/20260616-aes-fixes
20260616-aes-fixes
2026-06-17 15:58:23 -06:00
JacobBarthelmeh aec9b202c9 Merge pull request #10702 from Frauschi/zd21992
Various fixes
2026-06-17 13:22:05 -06:00
Daniel Pouzzner 881fe769a3 wolfcrypt/src/aes.c, wolfcrypt/test/test.c: use WOLFSSL_MAX_32BIT rather than magic 0xffffffff;
wolfcrypt/test/test.c: in aesgcm_stream_test(), implement tests for sSz overflow, and in aesccm_128_badarg_test(), fix line length.
2026-06-17 13:55:10 -05:00
Daniel Pouzzner 9d15bc707c wolfcrypt/src/aes.c, wolfcrypt/src/port/caam/caam_aes.c, wolfcrypt/src/port/riscv/riscv-64-aes.c, wolfcrypt/src/port/silabs/silabs_aes.c, wolfcrypt/src/port/ti/ti-aes.c: implement AES-CCM counter overflow checks for ports;
wolfcrypt/test/test.c: add missing !HAVE_SELFTEST gate around AES-CCM counter overflow test in aesccm_128_badarg_test();

wolfcrypt/src/error.c and wolfssl/wolfcrypt/error-crypt.h: update messages for AES_{GCM,CCM}_OVERFLOW_E.
2026-06-17 13:18:46 -05:00
Tobias Frauenschläger dedba75ad4 Reject duplicate certificatePolicies extension in WOLFSSL_CERT_EXT builds
DecodeExtensionType() guarded the certificatePolicies duplicate check
(VERIFY_AND_SET_OID) under WOLFSSL_SEP only, because the extCertPolicySet
tracking bit was SEP-only. In a WOLFSSL_CERT_EXT-without-WOLFSSL_SEP build a
cert with two certificatePolicies extensions was accepted and the second
silently overwrote the first (RFC 5280 4.2 forbids repeats). Make the bit and
the guard available under WOLFSSL_CERT_EXT too, matching every other
non-repeatable extension.

Add test_DecodeCertExtensions_dup_certpol (DecodeExtensionType now
WOLFSSL_TEST_VIS).
2026-06-17 19:14:21 +02:00
Daniel Pouzzner 1070384034 wolfcrypt/src/aes.c and wolfcrypt/test/test.c: fixes from review, re "catch and error on total length overflow". 2026-06-17 12:01:06 -05:00
Daniel Pouzzner 5def276e07 wolfcrypt/src/aes.c: catch and error on total length overflow in wc_AesGcmEncryptUpdate(), wc_AesGcmDecryptUpdate(), wc_AesCcmEncrypt(), and wc_AesCcmEncrypt(). 2026-06-17 12:01:06 -05:00
JacobBarthelmeh 7aed5ac316 Merge pull request #10698 from Frauschi/slhdsa_fixes
SLH-DSA fixes
2026-06-17 10:36:58 -06:00
Sean Parkinson e017e6cba7 X25519: standard requires masking of top bit
Instead of failing when top bit is set, the standard and current research says to mask it.
WOLFSSL_X25519_NO_MASK_PEER is added to allow the rejection when required.
2026-06-17 15:37:26 +10:00
Sean Parkinson bce9fdda68 ML-KEM/ML-DSA: unaligned reads
Use readUnaligned32/64 to ensure no unaligned read faults.
Updated implementations of read/write unaligned 32/64 to not worry about alignment on CPUs that are known to not care.
2026-06-17 10:30:33 +10:00