Commit Graph

10546 Commits

Author SHA1 Message Date
Zackery Backman 4ef0492f23 Improve logic behind copy and free for sha, add copy and free callback functions, fix sha224 crashing when using callbacks for MAX32666 due to unitialized struct. 2026-03-04 10:27:22 -07:00
Eric Blankenhorn 42e51701e1 Fix DRBG_internal alloc in wc_RNG_HealthTestLocal 2026-03-02 11:19:38 -06:00
Sean Parkinson 215fe1341c Merge pull request #9829 from night1rider/tmpSha-fixes
Fix potential memory leak when copying into existing SHA contexts and zero init tmpSha
2026-03-02 21:18:55 +10:00
Daniel Pouzzner 76bc6e337b wolfcrypt/src/hpke.c, wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c: implement RFC 9180 overflow checks on context->seq in wc_HpkeContextSealBase() and wc_HpkeContextOpenBase(), and add SEQ_OVERFLOW_E to wolfCrypt_ErrorCodes (Fenrir M-70). 2026-02-27 23:40:37 -06:00
Daniel Pouzzner 4110887871 wolfcrypt/src/aes.c: in AesSivCipher(), burn sivTmp before return (Fenrir M-69). 2026-02-27 23:40:19 -06:00
Daniel Pouzzner 616a6a5789 wolfcrypt/src/ecc.c: in wc_ecc_import_point_der_ex() and wc_ecc_import_x963_ex2(), add missing retval capture for sp_ecc_uncompress_sm2_256() (Fenrir M-68). 2026-02-27 23:39:57 -06:00
night1rider 69ddefb099 Zero-initialize stack-declared hash contexts in GetHash functions before passing to Copy, which now calls Free(dst) and requires valid fields. 2026-02-27 16:13:21 -07:00
night1rider 4c5e321dfb Add missing error check for wc_Sha512Final in unaligned memory test. 2026-02-27 14:31:33 -07:00
night1rider 70ccda7619 Free the reused struct before reiniting it for new test 2026-02-27 12:56:58 -07:00
night1rider d4f8f0d0a5 Revert XMEMSET 0 after free in copy process for digest/hashing functions 2026-02-27 12:56:58 -07:00
night1rider 39ab81bdda Use WC_DECLARE_VAR/WC_ALLOC_VAR for shaCopy in SHA3/Shake tests to avoid stack frame overflow on small-stack builds. 2026-02-27 12:56:58 -07:00
night1rider ca150724b3 Revert "Fix SHA3/Shake copy cleanup tests to heap-allocate shaCopy to avoid exceeding stack frame limit."
This reverts commit d99fe3bbfd.
2026-02-27 12:56:58 -07:00
night1rider b87cb3e1cd Fix SHA3/Shake copy cleanup tests to heap-allocate shaCopy to avoid exceeding stack frame limit. 2026-02-27 12:56:58 -07:00
night1rider 4713ad5675 Add Free(dst) + XMEMSET before XMEMCPY in all wc_ hash Copy functions (MD5, SHA, SHA2, SHA3, SHAKE) and add copy cleanup tests to prevent resource leaks when copying into previously-used contexts. 2026-02-27 12:56:58 -07:00
night1rider 60573a3782 memset 0 the temp contexts 2026-02-27 12:56:57 -07:00
night1rider 4c9b980c72 Fix potential memory leak in SHA Copy and zero-initialize temp GetHash contexts; zero HMAC dst hash before copy to prevent shared pointers 2026-02-27 12:56:57 -07:00
night1rider 1f3bea4907 Fix potential memory leak when copying into existing SHA contexts and zero-initialize temp GetHash contexts 2026-02-27 12:56:57 -07:00
David Garske 9102df3c83 Merge pull request #9837 from jackctj117/PKCS7-unused-variable
Fix unused variable warning in PKCS7 without WC_RSA_PSS
2026-02-27 11:27:13 -08:00
jackctj117 e6d4c5561c Move paramsStart declaration inside WC_RSA_PSS guard 2026-02-27 09:20:54 -07:00
Eric Blankenhorn 2243133572 Fix prefix for WC_ALL_ARGS_NOT_NULL 2026-02-27 07:29:41 -06:00
Sean Parkinson b9838aa563 Merge pull request #9711 from julek-wolfssl/nginx-1.28.0
nginx 1.28.1 fixes
2026-02-27 08:39:10 +10:00
Sean Parkinson f3b57679a5 Merge pull request #9835 from douzzer/20260226-fix-aes-prefetch-optimize
20260226-fix-aes-prefetch-optimize
2026-02-27 08:23:02 +10:00
JacobBarthelmeh 921ecf0bca Merge pull request #9830 from aidangarske/fix-wolfcrypt-fenrir
Fix fenrir security findings for wolfcrypt
2026-02-26 14:20:31 -07:00
jackctj117 1f9dd3c955 Fix unused variable warning in PKCS7 without WC_RSA_PSS 2026-02-26 14:04:49 -07:00
Daniel Pouzzner 100e79f9e5 wolfcrypt/src/aes.c: add _TI_CRYPT and _RISCV_ASM fallthrough definitions for Aes{En,de}crypt_preFetchOpt. 2026-02-26 09:24:10 -06:00
JacobBarthelmeh 1b1b085290 Merge pull request #9822 from SparkiDev/mlkem_decap_h_set
ML-KEM decapsulate: check for H
2026-02-25 16:44:47 -07:00
Sean Parkinson 2064ff461c Merge pull request #9797 from douzzer/20260218-aes-prefetch-optimize
20260218-aes-prefetch-optimize
2026-02-26 08:27:08 +10:00
Juliusz Sosinowicz 38b52d8079 nginx 1.28.1
### `wolfssl/internal.h`

- **`InternalTicket` struct gains a flexible array member**: A new `peerCert[]` field (with a preceding `peerCertLen[2]`) is added to `InternalTicket`. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
- **`ExternalTicket` struct becomes variable-length**: The `enc_ticket` field is changed from a fixed-size array to a flexible array member (`byte enc_ticket[]`). The `mac` field is removed from the struct — the MAC is now placed dynamically after the encrypted data in `enc_ticket`.

### `src/internal.c`

- The `GetRecordHeader` function now only adds `MAX_COMP_EXTRA` to the maximum allowed record size when `ssl->options.usingCompression` is true, tightening the length validation. The max fragment length extension check is now much stricter.
- **Peer certificate is serialized into the ticket**: During ticket creation, the code attempts to find the peer certificate from `ssl->peerCert` or from `ssl->session->chain` (fallback). If found and within `MAX_TICKET_PEER_CERT_SZ`, it's copied into `it->peerCert`. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If `HAVE_MAX_FRAGMENT` is defined and max fragment is not `MAX_RECORD_SIZE` for TLS 1.3, the cert is also skipped since `SendTls13NewSessionTicket` doesn't support fragmentation yet.
- **Peer certificate restoration from ticket**: On successful ticket decryption, if the ticket contains a peer certificate (`peerCertLen > 0`), it is decoded back into `ssl->peerCert` via `ParseCertRelative`/`CopyDecodedToX509`, and also added to `ssl->session->chain` via `AddSessionCertToChain`.
- The `CLEAR_ASN_NO_PEM_HEADER_ERROR` macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a `do { ... } while(0)` for safety.
- The `SendTicket` function is simplified to use `SendHandshakeMsg` to support fragmenting the larger ticket.

---

### `src/x509.c`

- `loadX509orX509REQFromPemBio` now accepts `TRUSTED_CERT_TYPE` in addition to `CERT_TYPE` and `CERTREQ_TYPE`.
- **Streaming BIO support**: When `wolfSSL_BIO_get_len()` returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of `MAX_X509_SIZE` and dynamically grows (doubling) up to `MAX_BIO_READ_BUFFER` (`MAX_X509_SIZE * 16`) as data is read byte-by-byte.
- **Alternate footer detection**: For `TRUSTED_CERT_TYPE`, the PEM reader also checks for the regular `CERT_TYPE` footer (`-----END CERTIFICATE-----`) in addition to the trusted cert footer (`-----END TRUSTED CERTIFICATE-----`), so it can parse either format.
- Removed two lines that set `cert->srcIdx` to `SIGALGO_SEQ` offset. This makes `cert->srcIdx` reflect the end of parsed certificate data. This is used by `loadX509orX509REQFromBuffer` to detect where auxiliary trust data begins in trusted certificates.

---

### `src/ssl_sk.c`

- Added a `STACK_TYPE_X509_CRL` case to `wolfssl_sk_dup_data` that calls `wolfSSL_X509_CRL_dup` for deep-copying CRL stack elements. Previously, `STACK_TYPE_X509_CRL` fell through to the unsupported default case.

---

### `wolfssl/openssl/ssl.h`

- `sk_X509_dup` now maps to `wolfSSL_shallow_sk_dup` (was `wolfSSL_sk_dup`/deep copy). This matches OpenSSL's behavior where `sk_X509_dup` does a shallow copy.
- `sk_SSL_CIPHER_dup` similarly changed to `wolfSSL_shallow_sk_dup`.

---

### `src/ssl_api_cert.c`

- When `ssl->ourCert` is `NULL` and the SSL owns its cert, the function now checks if `ssl->ctx->ourCert` points to the same certificate (by comparing DER buffers). If so, it returns the ctx's `X509` pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the `X509*` from `SSL_CTX_use_certificate` as a lookup key.

### `src/bio.c`

- When `wolfssl_file_len` returns `WOLFSSL_BAD_FILETYPE` (now returned for pipes/FIFOs), `wolfSSL_BIO_get_len` treats it as length 0 instead of propagating the error.

---

### `tests/test-maxfrag.conf` and `tests/test-maxfrag-dtls.conf`

- Removed `DHE-RSA-AES256-GCM-SHA384` test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.
2026-02-25 15:19:13 +01:00
Sameeh Jubran deb668ca4b pkcs7: add RSA-PSS support for SignedData
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData
encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use
id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1,
salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates
(e.g. -173 invalid signature algorithm) and maintains backward
compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-25 11:02:47 +02:00
aidan garske 3295a6521c Fix Fenrir issues in wolfcrypt 2026-02-24 18:51:58 -08:00
Daniel Pouzzner 39987a9d53 wolfcrypt/src/aes.c, wolfcrypt/src/cmac.c, wolfssl/wolfcrypt/aes.h, wolfssl/wolfcrypt/types.h: optimizations to mitigate performance regressions from 299e7bd097 (#9783):
* add prefetch_ptr flag argument to AesEncrypt_C() and AesDecrypt_C(), and call PreFetchTe() and PreFetchSBox() only if *prefetch_ptr is zero, whereupon it is set to 1;
* when C implementations are available, add prefetch_ptr arg to wc_AesEncrypt() and wc_AesDecrypt(), and pass it through;
* in functions that directly call the AES block encryption methods, opportunistically inhibit prefetch on all but the first call;
* move AES-specific code in wc_CmacUpdate() in cmac.c to wc_local_CmacUpdateAes() in aes.c to let it use conditional prefetching;
* add WC_ARG_NOT_NULL(), WC_ARGS_NOT_NULL(), and WC_ALL_ARGS_NOT_NULL attribute abstractions.
2026-02-24 13:59:12 -06:00
Tobias Frauenschläger 96fc896265 Wdeclaration-after-statement fixes 2026-02-24 16:20:10 +01:00
Sean Parkinson 8a75e7d1c7 ML-KEM decapsulate: check for H
Decapsulation needs H, hash of public key, and it is not present if you
have a new key made from a seed.
Code changed to check for and create H in decapsulate.
2026-02-24 10:11:05 +10:00
JacobBarthelmeh 505d170631 Merge pull request #9812 from rlm2002/coverity
02202026 Coverity changes
2026-02-23 14:42:48 -07:00
David Garske c3bc68806c Merge pull request #9811 from julek-wolfssl/ntp-4.2.8p18
Add changes for ntp 4.2.8p18
2026-02-23 10:46:11 -08:00
Ruby Martin 00c773e1b5 remove dead code in MakeSignature() 2026-02-20 14:38:12 -07:00
Juliusz Sosinowicz a9f23ad140 Add changes for ntp 4.2.8p18
Depends on https://github.com/wolfSSL/osp/pull/319
2026-02-20 19:06:55 +01:00
Daniel Pouzzner 70aa3dc5b1 20260204-linuxkm-fips-hash: more fixes+improvements from peer and AI review:
linuxkm/linuxkm_memory.c:
* fix straddle check in wc_reloc_normalize_text();
* fix seg_map bounds checks in wc_fips_generate_hash();

linuxkm/linuxkm_memory.h: fix initializer for wc_reloc_table_segments.bss_end;

wolfssl/wolfcrypt/settings.h: add WC_BITS_TO_BYTES() and WC_BITS_FULL_BYTES() and deploy opportunistically to wolfssl/internal.h, wolfssl/wolfcrypt/{asn.h,dh.h,rsa.h,types.h}, wolfcrypt/src/sakke.c, and wolfcrypt/test/test.c.
2026-02-20 11:09:37 -06:00
Daniel Pouzzner f376ae210e Implement Linux kernel module offline integrity hash calculation:
Add:

* linuxkm/linuxkm-fips-hash.c
* linuxkm/linuxkm-fips-hash-wrapper.sh
* linuxkm/linuxkm_memory.h

Move from linuxkm/module_hooks.c to linuxkm/linuxkm_memory.c:
* reloc_layouts[]
* find_reloc_tab_offset()
* the body of wc_linuxkm_normalize_relocations() as wc_reloc_normalize_text()
* most of updateFipsHash() as wc_fips_generate_hash()

Move from linuxkm/linuxkm_wc_port.h to linuxkm/linuxkm_memory.h:
* struct wc_linuxkm_pie_reloc_tab_ent
* enum wc_reloc_dest_segment
* enum wc_reloc_type

linuxkm/Makefile:
* Update GENERATE_RELOC_TAB recipe to populate new fields in struct wc_reloc_table_ent.
* Add targets:
  * libwolfssl-user-build/src/.libs/libwolfssl.so
  * linuxkm-fips-hash
  * module-with-matching-fips-hash
  * module-with-matching-fips-hash-no-sign
* Add support for alternate target module name, via LIBWOLFSSL_NAME make variable.

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:
* Fixes to make linuxkm-pie work with CONFIG_KASAN.
* Implement WC_LINUXKM_STACK_DEBUG:
  * wc_linuxkm_stack_bottom()
  * wc_linuxkm_stack_top()
  * wc_linuxkm_stack_current()
  * wc_linuxkm_stack_left()
  * wc_linuxkm_stack_hwm_prepare()
  * wc_linuxkm_stack_hwm_measure_rel()
  * wc_linuxkm_stack_hwm_measure_total()

wolfssl/wolfcrypt/settings.h:
* When WOLFSSL_KERNEL_MODE, make sure WOLFSSL_GENERAL_ALIGNMENT is at least SIZEOF_LONG.
* When WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sure WOLFSSL_BASE16 is defined.

configure.ac and wolfcrypt/benchmark/benchmark.c: Disable scrypt when KERNEL_MODE_DEFAULTS, due to excessive memory requirements.
2026-02-20 11:09:37 -06:00
Andrew Hutchings 0c19fb17d6 Merge pull request #9745 from dgarske/stm32_hmac
Support for STM32 HMAC hardware
2026-02-20 14:30:31 +00:00
David Garske 41614d10ed Add STM32 hardware HMAC support 2026-02-19 09:11:02 -08:00
David Garske f1e8c1b886 Merge pull request #9787 from holtrop-wolfssl/fix-integrity-only-cipher-nonce-calculation
Fix integrity-only cipher nonce calculation
2026-02-19 09:05:24 -08:00
David Garske 936d20afbe Merge pull request #9799 from SparkiDev/arm64_aes_dec_fix
ARM64 AES ASM base: TD4 is only 256 bytes long
2026-02-19 08:50:48 -08:00
David Garske 1047aaa881 Merge pull request #9796 from JacobBarthelmeh/copyright
update Copyright year
2026-02-19 08:47:30 -08:00
Andrew Hutchings 17680a2359 Fix leak in PKCS7 RSA-OAEP 2026-02-19 11:42:21 +00:00
Andrew Hutchings 4551926dad Fix inverted logic in Sphincs and Falcon 2026-02-19 11:40:36 +00:00
Sean Parkinson 88451a71b3 ARM64 AES ASM base: TD4 is only 256 bytes long
Pre-fetch fewer entries of TD4, than TD, as it is only 256 bytes long.
2026-02-19 09:31:00 +10:00
Sean Parkinson 3a1aa8310e Merge pull request #9780 from mattia-moffa/20260216-pkcs-ecdh-fixes
Fix PKCS11 object leak in Pkcs11ECDH
2026-02-19 08:46:30 +10:00
David Garske c5bbe798ec Merge pull request #9760 from SparkiDev/mldsa_small_matrix_mul_reduce
ML-DSA/Dilithium: reduce vector when small build
2026-02-18 14:40:40 -08:00
David Garske eceb55ebeb Merge pull request #9795 from LinuxJedi/static-fixes2
Static analysis fixes
2026-02-18 12:07:26 -08:00