Commit Graph

27788 Commits

Author SHA1 Message Date
Eric Blankenhorn 4f8fc76d9d Extend timeout for tls13-client 2026-02-20 16:35:52 -06:00
David Garske 9641ab4b68 Merge pull request #9805 from julek-wolfssl/openldap-2.6.9-testing
Add openldap 2.6.9 testing
2026-02-20 11:16:44 -08:00
David Garske 1e544b303f Merge pull request #9810 from julek-wolfssl/rng-tools-6.17
Add rng-tools 6.17 testing
2026-02-20 11:16:18 -08:00
David Garske 670aa59dee Merge pull request #9809 from holtrop-wolfssl/cmake-null-cipher
Add CMake support for NULL_CIPHER
2026-02-20 10:59:17 -08:00
David Garske e34e679766 Merge pull request #9804 from embhorn/tls-anvil-workflow
TLS Anvil workflow
2026-02-20 10:59:05 -08:00
David Garske 940ac7093f Merge pull request #9808 from holtrop-wolfssl/rust-no-std
Rust wrapper: fix no_std support
2026-02-20 10:55:01 -08:00
Juliusz Sosinowicz ec5a901c33 Add rng-tools 6.17 testing
Depends on https://github.com/wolfSSL/osp/pull/318
2026-02-20 16:11:11 +01:00
Andrew Hutchings 0c19fb17d6 Merge pull request #9745 from dgarske/stm32_hmac
Support for STM32 HMAC hardware
2026-02-20 14:30:31 +00:00
Josh Holtrop 616f1eec75 Add CMake support for NULL_CIPHER 2026-02-20 07:50:36 -05:00
Josh Holtrop 3da3e12edc Rust wrapper: fix no_std support
Generate bindgen API with core instead of std
Replace C types using std:: with core::
Replace std::mem usage with core::mem
2026-02-20 07:10:01 -05:00
David Garske 9e5d03b23e Merge pull request #9803 from holtrop-wolfssl/rust-fips-v5
Rust wrapper: add compatibility with older FIPS v5 package
2026-02-19 13:40:21 -08:00
Eric Blankenhorn c2b5f29d5c Replace em dashes with hyphens in tls-anvil workflow
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 14:16:29 -06:00
Juliusz Sosinowicz 77dcf3587e Add openldap 2.6.9 testing
Depends on https://github.com/wolfSSL/osp/pull/315
2026-02-19 19:18:34 +01:00
Josh Holtrop 2ada1a3629 Rust wrapper: add compatibility with older FIPS v5 package 2026-02-19 12:50:05 -05:00
David Garske 41614d10ed Add STM32 hardware HMAC support 2026-02-19 09:11:02 -08:00
David Garske f1e8c1b886 Merge pull request #9787 from holtrop-wolfssl/fix-integrity-only-cipher-nonce-calculation
Fix integrity-only cipher nonce calculation
2026-02-19 09:05:24 -08:00
Eric Blankenhorn a0721b94fb Fix tls-anvil workflow: C_EXTRA_FLAGS quoting and report.json parsing
CPPFLAGS replaces C_EXTRA_FLAGS with embedded single-quotes, which were
passed as literal characters through the shell variable and caused
configure's C compiler test to fail. Fix the report.json summary parser
to use the actual TLS-Anvil field names (TotalTests, FullyFailedTests,
etc.) and include category scores.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-19 11:01:16 -06:00
David Garske 936d20afbe Merge pull request #9799 from SparkiDev/arm64_aes_dec_fix
ARM64 AES ASM base: TD4 is only 256 bytes long
2026-02-19 08:50:48 -08:00
David Garske 1047aaa881 Merge pull request #9796 from JacobBarthelmeh/copyright
update Copyright year
2026-02-19 08:47:30 -08:00
David Garske 7e8b08179c Merge pull request #9798 from lealem47/arm32_kernel
Fix SIZEOF_LONG default for 32-bit Linux kernel modules
2026-02-19 08:45:57 -08:00
David Garske 69b28cd5e4 Merge pull request #9801 from LinuxJedi/static-fixes3
Fix things found in static analysis
2026-02-19 08:44:38 -08:00
Eric Blankenhorn 0898046113 Add TLS-Anvil RFC compliance GitHub Actions workflow
Runs the TLS-Anvil combinatorial test suite nightly against wolfSSL in
all four roles: TLS 1.2/1.3 server and TLS 1.2/1.3 client. Results are
summarized in the job summary and uploaded as artifacts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-19 10:35:12 -06:00
Andrew Hutchings 17680a2359 Fix leak in PKCS7 RSA-OAEP 2026-02-19 11:42:21 +00:00
Andrew Hutchings 4551926dad Fix inverted logic in Sphincs and Falcon 2026-02-19 11:40:36 +00:00
Andrew Hutchings 66de1d6cdb Fix wolfSSL_CRYPTO_memcmp
This is used by the OpenSSL compatibility layer. If either parameter was
NULL, it would return as a match. We should return a non-match instead.

OpenSSL itself has no safety checks here.
2026-02-19 11:01:52 +00:00
Sean Parkinson 88451a71b3 ARM64 AES ASM base: TD4 is only 256 bytes long
Pre-fetch fewer entries of TD4 than of TD, as it is only 256 bytes long.
2026-02-19 09:31:00 +10:00
Sean Parkinson 3a1aa8310e Merge pull request #9780 from mattia-moffa/20260216-pkcs-ecdh-fixes
Fix PKCS11 object leak in Pkcs11ECDH
2026-02-19 08:46:30 +10:00
David Garske c5bbe798ec Merge pull request #9760 from SparkiDev/mldsa_small_matrix_mul_reduce
ML-DSA/Dilithium: reduce vector when small build
2026-02-18 14:40:40 -08:00
David Garske 2aa9f991f8 Merge pull request #9738 from anhu/cmake_HSC
Add HAVE_SECRET_CALLBACK to cmake.
2026-02-18 13:56:19 -08:00
Lealem Amedie 63c4b29638 Add __SIZEOF_LONG__ to .wolfssl_known_macro_extras 2026-02-18 14:30:39 -07:00
David Garske eceb55ebeb Merge pull request #9795 from LinuxJedi/static-fixes2
Static analysis fixes
2026-02-18 12:07:26 -08:00
Lealem Amedie 4e6d9ea02b Fix SIZEOF_LONG default for 32-bit Linux kernel modules 2026-02-18 12:23:29 -07:00
David Garske 2971c7024b Merge pull request #9671 from SparkiDev/aes_gcm_arm32_hw_crypto_set_key_unaligned
ARM32 HW Crypto: AES-GCM set key unaligned key
2026-02-18 10:54:42 -08:00
David Garske 7efefc7b22 Merge pull request #9792 from SparkiDev/sp_c_rsa_pub_only
SP C - RSA public only build with DH
2026-02-18 10:01:53 -08:00
Andrew Hutchings 7248ca3592 Add SM2 to renewcerts.sh 2026-02-18 18:01:33 +00:00
Andrew Hutchings 2e8f9fe595 Fix SM2 certs to have the correct public key OID
OpenSSL 3.5+ handles the OIDs differently.
2026-02-18 18:01:33 +00:00
Andrew Hutchings 4e37d99d07 Fix OCSP key-based responder ID lookup when SM2/SM3 is enabled.
When WOLFSSL_SM2 and WOLFSSL_SM3 are both defined, KEYID_SIZE becomes 32
(WC_SM3_DIGEST_SIZE) but OCSP_RESPONDER_ID_KEY_SZ remains 20 (SHA-1 per
RFC 6960). The guard (int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ in
OcspFindSigner() and OcspRespIdMatch() evaluated to false (32 != 20),
completely disabling key-based OCSP responder ID matching. This caused
OCSP stapling to fail with BAD_CERTIFICATE_STATUS_ERROR (-406) against
any server using a key-based responder ID (e.g. login.live.com).

Fix by comparing only OCSP_RESPONDER_ID_KEY_SZ bytes for the responder
ID match, and zero-padding the 20-byte key hash to KEYID_SIZE before
passing to CA lookup functions that compare the full KEYID_SIZE.
2026-02-18 18:01:33 +00:00
Andrew Hutchings 730519211d Fix wrong flags read on BIO write 2026-02-18 18:01:33 +00:00
Andrew Hutchings 3ffa625fd4 Fix leak in Aria upon error 2026-02-18 18:01:33 +00:00
Andrew Hutchings 2d2efccf71 Add CI test for wolfSM + wolfSSL 2026-02-18 18:01:33 +00:00
Andrew Hutchings 5bb447dee6 Fix copy/paste error in SM4 CBC Decrypt Async 2026-02-18 18:01:33 +00:00
Andrew Hutchings 43aad1e4d7 Fix SM4 TLS 1.3 decrypt auth tag and SM2 cert verification
- Fix SM4 GCM/CCM TLS 1.3 decrypt to read auth tag from input buffer
  instead of output buffer, consistent with all other AEAD ciphers
  (src/tls13.c)

- Fix SM4_BLOCK_SIZE typo (was SM$_BLOCK_SIZE) in TicketEncDec SM4-GCM
  decrypt path (src/internal.c)

- Fix SM2 certificate signature verification for certs using
  id-ecPublicKey (ECDSAk) with SM2-with-SM3 signature algorithm.
  OpenSSL creates SM2 cert signatures without the standard
  distinguishing identifier in the ZA hash. The SM2k code path already
  handled this correctly (idSz=0), but the ECDSAk + CTC_SM3wSM2 path
  was incorrectly using CERT_SIG_ID_SZ (16), causing ASN_SIG_CONFIRM_E
  (-155) when verifying non-self-signed SM2 certs (wolfcrypt/src/asn.c)

- Regenerate expired SM2 test certificates via certs/sm2/gen-sm2-certs.sh
  They had expired.
2026-02-18 18:01:33 +00:00
Andrew Hutchings b7c3bbf101 Fixes to size checking
In `quic_record_transfer()`, the unsigned subtraction
`qr->end - qr->start` could wrap around if `end < start`, and the
subsequent `len <= 0` check was ineffective on a `word32`. Move the
comparison before the subtraction so the function returns `0` safely.

In `GetEchConfig()`, `XSTRLEN(config->publicName)` was assigned to a
single byte, silently truncating names longer than 255 characters while
`XMEMCPY` still copied the full string. Add a 255-byte length
validation in both `wolfSSL_CTX_GenerateEchConfig()` and
`GetEchConfig()`, and cache the length in a local variable to avoid
redundant `XSTRLEN` calls.
2026-02-18 18:01:33 +00:00
JacobBarthelmeh 4d3463cccd adjust ESP-IDF comment to match expected pattern 2026-02-18 10:08:14 -07:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Daniel Pouzzner add60da56a Merge pull request #9794 from sameehj/vtest2-fix
Fix haproxy CI: VTest2 repo archived, use `last` tag
2026-02-18 10:30:01 -06:00
David Garske 0dd5009db0 Merge pull request #9768 from anhu/wc_CheckPrivateKey
wc_CheckPrivateKey returns NOT_COMPILED_IN for certain gating flags
2026-02-18 08:01:53 -08:00
Sameeh Jubran f19c563331 Fix haproxy CI: VTest2 repo archived, use last tag
The vtest/VTest2 GitHub repo was archived on 2026-02-18 and its main
branch Makefile now exits with "THIS REPOSITORY HAS MOVED". The
maintainers tagged the last buildable commit as `last`.

Patch build-vtest.sh for both haproxy versions in the matrix:
- v3.1.0 still references wlallemand/VTest (removed long ago)
- v3.2.0 references vtest/VTest2 main branch (now broken)

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-18 15:53:05 +02:00
Sean Parkinson 63b9d13db8 Merge pull request #9790 from bigbrett/sp-rsa-unused-var
Fix macro protection in SP code for RSA_LOW_MEM
2026-02-18 16:36:04 +10:00
Mattia Moffa 817523df72 Adjust execution flow 2026-02-18 03:52:47 +01:00