Commit Graph

29919 Commits

Author SHA1 Message Date
Daniel Pouzzner 4993571ccd Merge pull request #10549 from rizlik/nc_dns_wildcards
NameConstraints: support wildcard SAN
2026-06-03 22:29:49 -05:00
Daniel Pouzzner 374ad4051d Merge pull request #10555 from anhu/NO_STDATOMIC_FENCE
Change macro name to avoid suspicion of typo
2026-06-03 20:49:47 -05:00
Daniel Pouzzner 590a367d16 Merge pull request #10576 from holtrop-wolfssl/zd21906
Fix user buffer overrun from wolfSSL_get_finished/wolfSSL_get_peer_finished
2026-06-03 20:48:03 -05:00
Daniel Pouzzner c96da9a002 Merge pull request #10581 from miyazakh/ra6m4_update
Removes the legacy ASN parser override (`WOLFSSL_ASN_ORIGINAL`) from …
2026-06-03 20:42:46 -05:00
Daniel Pouzzner 86fa502285 Merge pull request #10577 from kareem-wolfssl/zd21907
Fix compilation with WOLFSSL_RNG_USE_FULL_SEED.  Fix benchmark compilation with MAIN_NO_ARGS.
2026-06-03 20:41:02 -05:00
Sean Parkinson aef6283a7e Merge pull request #10540 from Frauschi/small_order_check
Reject small-order public keys for Ed25519 and Ed448
2026-06-04 09:58:24 +10:00
David Garske 3bc1575e12 Merge pull request #9852 from SparkiDev/ppc64_asm_aes
PPC64 ASM: AES-ECB/CBC/CTR/GCM
2026-06-03 16:30:12 -07:00
David Garske 4cce154024 Merge pull request #10530 from SparkiDev/riscv_unaligned_fix
RISC-V ASM unaligned read/writes: alternative assembly
2026-06-03 16:29:33 -07:00
Daniel Pouzzner df9f3e4cf9 Merge pull request #10377 from jackctj117/DTLS13-Kernel
docs(linuxkm): document DTLS 1.3 configure flags
2026-06-03 17:58:25 -05:00
David Garske 70da83972b Merge pull request #10536 from SparkiDev/curve25519_x64_red_fix
X25519 x64 ASM: fix full reduction
2026-06-03 09:24:48 -07:00
Tobias Frauenschläger e80b4b5888 Merge pull request #10578 from douzzer/20260602-FPKI-DecodeGeneralName-URI
20260602-FPKI-DecodeGeneralName-URI
2026-06-03 16:47:21 +02:00
David Garske cf9d2446a5 Merge pull request #10490 from LinuxJedi/more-membrowse
Add lots more membrowse platforms
2026-06-03 07:30:17 -07:00
Andrew Hutchings 10c1816e35 Add GCC-ARM large linker script for membrowse 2026-06-03 11:21:35 +01:00
Andrew Hutchings 61a77e2dd6 Add lots more membrowse platforms
Lots more ARM Cortex, RiscV, AArch64, linuxkm and some Zephyr
2026-06-03 11:21:35 +01:00
Hideki Miyazaki 5af10ad14c Fixed typo in README.md 2026-06-03 16:46:36 +09:00
Hideki Miyazaki f3a60c2c69 Removes the legacy ASN parser override (WOLFSSL_ASN_ORIGINAL) from the RA6M4 demo project 2026-06-03 14:00:53 +09:00
Daniel Pouzzner 768cdc39d3 wolfcrypt/src/asn.c: in DecodeGeneralName() and DecodeAcertGeneralName(),
* don't disable URI validation when defined(WOLFSSL_FPKI).
* return immediately with ASN_ALT_NAME_E when URI contains an unexpected '/', as in asn_orig.c DecodeAltNames(), fixing OOB read defect.

wolfcrypt/src/asn_orig.c: fix URI validation gating (ignore WOLFSSL_FPKI) in DecodeAltNames().

tests/api/test_certman.c: fix uriSan in test_wolfSSL_X509_check_host_URI_SAN_not_DNS_match() (make it a URI).

tests/api.c: align gating in test_wolfSSL_URI() with new dynamics (URIs validated regardless of defined(WOLFSSL_FPKI)).
2026-06-02 22:16:40 -05:00
Kareem 586fe466bf Fix compilation of benchmark with MAIN_NO_ARGS defined. 2026-06-02 15:57:01 -07:00
Kareem 9592d8254a Fix compilation with WOLFSSL_RNG_USE_FULL_SEED. 2026-06-02 15:50:42 -07:00
Josh Holtrop faad28301a Fix user buffer overrun from wolfSSL_get_finished/wolfSSL_get_peer_finished 2026-06-02 18:21:26 -04:00
JacobBarthelmeh 4c0c093fe9 Merge pull request #10544 from holtrop-wolfssl/zd21880
Support importing/exporting DTLS sessions with encrypt-then-mac options
2026-06-02 11:59:46 -06:00
Josh Holtrop 7f3d589c12 Support importing/exporting DTLS sessions with encrypt-then-mac options 2026-06-02 09:34:14 -04:00
Sean Parkinson 95158fa31f Merge pull request #10563 from douzzer/20260528-pk-vector-regs
20260528-pk-vector-regs
2026-06-02 12:59:46 +10:00
David Garske 151e0d9ccc Merge pull request #10567 from douzzer/20260601-fixes
20260601-fixes
2026-06-01 14:26:23 -07:00
Daniel Pouzzner d037bd1eed tests/api/test_pkcs12.c, tests/api/test_pwdbased.c: add missing FIPS version gates to test_wc_PKCS12_PBKDF(), test_wc_PKCS12_PBKDF_ex(), and test_wc_PBKDF1_ex_iterations();
wolfcrypt/src/evp_pk.c: fix identicalInnerCondition in wolfSSL_d2i_PKCS8_PKEY().
2026-06-01 14:23:38 -05:00
David Garske aec2756a1b Merge pull request #10566 from julek-wolfssl/membrowse-fork-guard
ci: don't run membrowse workflows on forks
2026-06-01 12:09:49 -07:00
Daniel Pouzzner 62c0c8fc13 Merge pull request #10557 from dgarske/cryptocb_fips
Fix FIPS v6 or older build with crypto callbacks and SHA512
2026-06-01 13:32:08 -05:00
David Garske 71ca579ef2 Merge pull request #10317 from Roy-Carter/feature/pem_write_enhancement
Implementation for PEM_write_PrivateKey & PEM_write_PUBKEY
2026-06-01 10:10:39 -07:00
David Garske 6852a0abd0 Merge pull request #10564 from SparkiDev/sp_fixes_8
Improvements to SP code
2026-06-01 10:05:59 -07:00
Juliusz Sosinowicz 2703458535 ci: don't run membrowse workflows on forks
Forks with Actions enabled would otherwise run the membrowse build matrix on push/workflow_dispatch and report fork builds to the membrowse backend. Guard the jobs in both workflows with github.repository_owner == 'wolfssl' (combined with the existing draft check in the report workflow), matching tls-anvil.yml and coverity-scan-fixes.yml.

Also default the analyze/onboard matrix to '[]' so strategy expansion does not error when load-targets is skipped on forks or draft PRs.
2026-06-01 18:08:37 +02:00
Daniel Pouzzner 58fcbd46a8 wolfcrypt/src/sp_*: synchronize with scripts#581.
* Fixes frivolous ASSERT_SAVED_VECTOR_REGISTERS() in sp_#_div_#(),
* Adds "force off unneeded vector register save/restore." macro masking to all archs, and
* Removes now-unused x86 SSE2 asm implementations of sp_#_get_from_table_#().
2026-06-01 10:59:27 -05:00
Sean Parkinson 55c9f83d64 Improvements to SP code
Fixed left shifts to be on unsigned types.

Mod exp change to correctly get the highest indeces of exponent -
corrected in some places and now the same in all.
2026-06-01 10:57:11 +10:00
Sean Parkinson 14b55a0bc4 X25519 x64 ASM: fix full reduction
The last add was overflowing into the top bit.
Must mask the last word to clear top bit.

Add test vectors from Wycheproof.
2026-06-01 09:14:57 +10:00
Daniel Pouzzner 3a4c2cded0 activate ECCSI and SAKKE in linuxkm:
wolfssl/wolfcrypt/settings.h: add WC_NO_GLOBAL_OBJECT_POINTERS implicitly in WC_SYM_RELOC_TABLES section of WOLFSSL_LINUXKM setup.

wolfssl/wolfcrypt/wolfmath.h, wolfcrypt/src/wolfmath.c, wolfcrypt/src/sp_int.c, wolfcrypt/src/sakke.c: when WC_NO_GLOBAL_OBJECT_POINTERS, use static local wc_off_on_addr rather than global in wolfmath.c.

wolfcrypt/src/sakke.c:
* in wc_DeriveSakkeSSV(), initialize a[] with explicit XMEMSET() rather than " = {0}", to avoid unmaskable implicit memset() emitted by compiler.
* remove all vector register provisions (SAVE_VECTOR_REGISTERS(), RESTORE_VECTOR_REGISTERS(), ASSERT_SAVED_VECTOR_REGISTERS()).

linuxkm/module_exports.c.template: add includes for eccsi.h and sakke.h.

configure.ac:

* tweak enable-all-crypto setup to make enable_eccsi unconditional alongside enable_fpecc;

* move enable_sakke to be conditional only on !FIPS.

* notably this activates ECCSI and SAKKE on kernel all-crypto builds.

wolfcrypt/test/test.c: WC_*_VAR*() refactors for eccsi_test() and sakke_test().
2026-05-30 15:11:36 -05:00
Daniel Pouzzner 3121c55e4e linuxkm on x86: global refactor across PK implementations of sp-asm vector register preservation, including removal of all residual can't-fail vector paths in PK algs.
wolfcrypt/src/sp_x86_64.c:

* fix ASSERT_SAVED_VECTOR_REGISTERS() in C wrappers: add where missing for implementations that use AVX2, and remove frivolous checks for ones that don't.

* refactor vector save-restore with a single locally tracked save in sp_RsaPublic_#(), sp_RsaPrivate_#(), sp_ecc_mulmod_add_#(), sp_ecc_mulmod_base_add_#(), sp_ecc_make_key_#(), and sp_#_calc_s_#().

* fix feature test in sp_ModExp_Fp_star_1024(), sp_Pairing_1024(), and sp_Pairing_gen_precomp_1024(), to properly gate on IS_INTEL_AVX2(cpuid_flags) and SAVE_VECTOR_REGISTERS2() == 0.

wolfcrypt/src/{dh.c,dsa.c,ecc.c,eccsi.c,rsa.c,sp_int.c}:

* remove all vector register provisions (SAVE_VECTOR_REGISTERS(), RESTORE_VECTOR_REGISTERS(), ASSERT_SAVED_VECTOR_REGISTERS());

* add explicit WC_CHECK_FOR_INTR_SIGNALS() and WC_RELAX_LONG_LOOP() to the lengthy loops in wc_DhGenerateParams(), wc_MakeDsaParameters(), ecc_sign_hash_sw(), and wc_MakeRsaKey().

wolfssl/wolfcrypt/{error-crypt.h,logging.h,memory.h}:

* make wc_backtrace_render() and wc_backtrace_set_fp() available whenever defined(WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES);

* add support for DEBUG_VECTOR_REGISTERS_BACKTRACE_ON_FAIL, activating backtraces on vector register errors.

* also improve the debugging format from the DEBUG_VECTOR_REGISTER_ACCESS variants of SAVE_VECTOR_REGISTERS() and friends.

linuxkm/lkcapi_{dh,ecdh,ecdsa,rsa}_glue.c: harmonize PK driver names with AES, SHA, and DRBG, notably adding AVX2 annotation when enabled.

wolfcrypt/src/{sp_x86_64_asm.S,sp_x86_64_asm.asm}: synchronize with wolfssl/scripts#581 (removes SSE2 implementations of sp_#_get_from_table_#(), which no longer have users).
2026-05-30 15:11:15 -05:00
JacobBarthelmeh f6f27652dd Merge pull request #10495 from LinuxJedi/PIC32MZ-Sim
Add PIC32MZ emulator tests
2026-05-29 16:21:15 -06:00
JacobBarthelmeh 9fa5db5606 Merge pull request #10509 from kareem-wolfssl/zd21863_5
Disallow matching URI type in CheckForAltNames.  NULL *response on error in wolfSSL_d2i_OCSP_RESPONSE.
2026-05-29 16:08:04 -06:00
JacobBarthelmeh 1f32365e45 Merge pull request #10547 from SparkiDev/api_c_split_4
api.c: move out tests into other files
2026-05-29 16:03:56 -06:00
David Garske f41a9dc1e7 Fix FIPS v6 or older build with crypto callbacks and SHA512 2026-05-29 10:01:22 -07:00
David Garske ac1c727c66 Merge pull request #10538 from michael-membrowse/membrowse-report-path-filter
fix memory report and add path filter
2026-05-29 08:23:17 -07:00
Anthony Hu adac2aae7b Change macro name to avoid suspicion of typo 2026-05-29 09:38:58 -04:00
Sean Parkinson 018e937a91 RISC-V ASM unaligned read/writes: alternative assembly
Not all RISC-V chips allow unaligned reads and writes with basic
assembly instructions like lw/sw.
Add alternative assembly that is turned on with:
WOLFSSL_RISCV_ASM_NO_UNALIGNED.
2026-05-29 10:11:12 +10:00
JacobBarthelmeh beff858833 Merge pull request #10552 from julek-wolfssl/evp-x25519-x448
Add NID_X25519 and NID_X448 support to the EVP layer
2026-05-28 15:57:50 -06:00
JacobBarthelmeh a31ce6e981 Merge pull request #10546 from philljj/malloc_nowait
bsdkm: misc cleanup.
2026-05-28 15:55:46 -06:00
Tobias Frauenschläger 25a1a20444 Reject small-order public keys for Ed25519 and Ed448
Add defense-in-depth checks to wc_ed{25519,448}_check_key() and
ed{25519,448}_verify_msg_final_with_sha() that reject the identity
point and other small-order public keys. Honest EdDSA key generation
never produces such keys, but wolfSSL previously accepted them on
import and verification. The guard runs at both entry points so it
holds even when a key is imported with trusted=1. New tests are gated
on !HAVE_FIPS || FIPS_VERSION3_GE(7,0,0).
2026-05-28 19:53:19 +02:00
Daniel Pouzzner 7467ce2173 Merge pull request #10531 from SparkiDev/kernel_sp_vector
SP x86_64: save and restore vector registers
2026-05-28 11:43:48 -05:00
JacobBarthelmeh 8fb72de2e9 Merge pull request #10402 from holtrop-wolfssl/rust-crate-updates-2026-05-05
Rust wrapper: ensure memory safety for C RNG struct
2026-05-28 10:06:05 -06:00
JacobBarthelmeh fc12de010d Merge pull request #10513 from SparkiDev/tls13_aead_limit_fix
TLS 1.3: AEAD limit fixed
2026-05-28 09:30:43 -06:00
Juliusz Sosinowicz df8cc30cb8 Add NID_X25519 and NID_X448 support to the EVP layer 2026-05-28 14:40:36 +00:00
Marco Oliverio c4b4e6cd14 NameConstraints: support wildcard SAN 2026-05-28 15:19:20 +02:00