Commit Graph

914 Commits

Author SHA1 Message Date
Daniel Pouzzner 80938758ac Merge pull request #9879 from embhorn/f379
Fix wc_ecc_sign_hash_ex with Intel QA
2026-03-05 22:53:55 -06:00
Daniel Pouzzner 58f48a96bf Merge pull request #9836 from Frauschi/pkcs11_dilithium
Add support for ML-DSA in PKCS#11
2026-03-05 15:22:10 -06:00
Daniel Pouzzner c65e3e50fd Merge pull request #9825 from embhorn/zd21240
Fix issue in TLS_hmac size calculation
2026-03-05 15:16:47 -06:00
Eric Blankenhorn 0c2de309db Fix wc_ecc_sign_hash_ex with Intel QA 2026-03-05 09:35:23 -06:00
Tobias Frauenschläger ad22f9a37c Support for ML-DSA in PKCS#11
Offload ML-DSA operations onto a PKCS#11 token via the cryptoCb
interface:
* Key generation
* Signature generation
* Signature verification
* Key import

Both the pure and pre-hash versions are supported. Not yet supported are
the pre-hash versions that also offload the hashing onto the token.

This also fixes casting errors introduced in #9780 due to usage of
uintptr_t, which is unavailable without including stdint.h on some
platforms. Use the wolfssl own wc_ptr_t instead.
2026-03-02 11:45:11 +01:00
Daniel Pouzzner 616a6a5789 wolfcrypt/src/ecc.c: in wc_ecc_import_point_der_ex() and wc_ecc_import_x963_ex2(), add missing retval capture for sp_ecc_uncompress_sm2_256() (Fenrir M-68). 2026-02-27 23:39:57 -06:00
Eric Blankenhorn 1cdb2974a9 Fix test cleanup 2026-02-26 14:51:49 -06:00
aidan garske 3295a6521c Fix Fenrir issues in wolfcrypt 2026-02-24 18:51:58 -08:00
David Garske 1047aaa881 Merge pull request #9796 from JacobBarthelmeh/copyright
update Copyright year
2026-02-19 08:47:30 -08:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Mattia Moffa 1707acee36 Bind PKCS11 ECC key duration to ECC object 2026-02-17 16:42:13 +01:00
David Garske 49ed1fa21f Merge pull request #9684 from SparkiDev/ecc_import_pub_check_fix
ECC: import point, always do some checks
2026-02-11 21:53:03 -08:00
Sean Parkinson 1847c6e778 Merge pull request #9721 from dgarske/x25519_nb
Add X25519 non-blocking support and async example improvements
2026-02-12 07:56:58 +10:00
David Garske bc12b7563f Peer review improvements 2026-02-10 14:51:51 -08:00
Kareem 4bb4648282 Ensure lru_count does not overflow. 2026-02-04 15:33:15 -07:00
Sean Parkinson 565ac4c101 ECC: import point, always do some checks when untrusted
Always check for infinity and, when B param available, whether the point
is on the curve when point is untrusted.
Change TLS code to treat points from peer as untrusted on import.
2026-02-02 16:12:19 +10:00
Eric Blankenhorn 625a3cd250 Resolve unused var warning in oss-fuzz 2026-01-14 11:23:19 -06:00
Ruby Martin 39056bb262 move null check to prevent dereference before null check issue
add new scope, whitespace
2025-12-29 10:55:13 -07:00
Sean Parkinson 6c30186168 ECC sign hash: only allow up to max digest size
Validate that the hash passed in is of an appropriate length - not
greater than the maximum digest size.
2025-11-13 11:53:51 +10:00
Daniel Pouzzner 6fbd101f7d Merge pull request #9153 from effbiae/wc-small-stack
Small stack compress -- 3000line reduction
2025-10-13 23:12:01 -05:00
effbiae 7a3db09ddd automated small stack compress 2025-10-11 11:40:30 +11:00
Kamatham Pushyanth b2c5eb51d8 Enable hardware acceleration for SHA algorithms on PSoC6.
- Introduced conditional compilation for PSoC6 crypto support across SHA1, SHA2, SHA3 implementations.
- Ensured proper mutex locking for concurrent access to hardware resources during hash operations.
- Added public key creation functionality if only private key is provided in ECDSA verify function (psoc6_ecc_verify_hash_ex).
- Updated ECC parameter size handling to fix incorrect endianness conversions in psoc6_ecc_verify_hash_ex().
- Added README for PSOC6 port.
2025-10-11 05:23:40 +05:30
David Garske e4b7f66927 Merge pull request #9286 from holtrop/rust-wc-ecc
Rust wrapper: add wolfssl::wolfcrypt::ecc module
2025-10-10 10:26:47 -07:00
Josh Holtrop 883da3dd35 Rust wrapper: add wolfssl::wolfcrypt::ecc module 2025-10-09 14:58:07 -04:00
Sean Parkinson abfcb7122c KCAPI ECC: initialize mp_ints
Was not initializing mp_ints and it is needed now.
2025-10-07 20:59:27 +10:00
Daniel Pouzzner 234ba7780a Merge pull request #9148 from SparkiDev/ct_volatile
Mark variables as volatile
2025-09-30 20:35:52 -05:00
Daniel Pouzzner 7ea66aeffe refactor WOLFSSL_LINUXKM gates as generic WOLFSSL_KERNEL_MODE gates where appropriate:
rename WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS to WOLFSSL_USE_SAVE_VECTOR_REGISTERS, and wherever appropriate, replace defined(WOLFSSL_LINUXKM) with defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS).

rename WC_WANT_FLAG_DONT_USE_AESNI to WC_WANT_FLAG_DONT_USE_VECTOR_OPS.

rename lkm_printf() to wc_km_printf().

replace WOLFSSL_LINUXKM gates on kernel-incompatible includes with header-specific gates NO_STRING_H, NO_STDINT_H, NO_LIMITS_H, NO_CTYPE_H, NO_STDLIB_H

remove low level threading setup section of wolfssl/internal.h, which duplicated existing logic in wc_port.h, except for off-topic WOLFSSL_APACHE_MYNEWT TLS-layer setup, which is preserved, and a defined(__NT__) clause, which is now merged into the existing section in wc_port.h.
2025-09-29 16:59:12 -05:00
Sean Parkinson aa87b35964 Mark variables as volatile
Ensures compiler optimizers don't stop code from being constant time.
2025-09-24 08:47:20 +10:00
Daniel Pouzzner 77dccc0c32 linuxkm:
* add wc_linuxkm_check_for_intr_signals(), wc_linuxkm_relax_long_loop(),
  WC_CHECK_FOR_INTR_SIGNALS(), WC_RELAX_LONG_LOOP(), SAVE_NO_VECTOR_REGISTERS(),
  RESTORE_NO_VECTOR_REGISTERS(), and new error code INTERRUPTED_E ("Process
  interrupted");

* update the no-asm remaps in the PK implementations to use
  SAVE_NO_VECTOR_REGISTERS() and RESTORE_NO_VECTOR_REGISTERS(), so that inner
  loops in them are always covered by the new logic.
2025-07-25 15:56:48 -05:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
David Garske ad9d068174 Fix issues with crypto callbacks and HAVE_ECC_DHE. Fix issues with ecc_onlycb_test. 2025-06-24 09:41:33 -07:00
Kareem e8c110d2ac Rename get_digit* to mp_get_digit* to avoid conflicts with other functions named get_digit. 2025-06-17 10:12:06 -07:00
Daniel Pouzzner 401868908a add .github/workflows/smallStackSize.yml;
smallstack refactors in
* wolfcrypt/src/asn.c : wc_GetSubjectPubKeyInfoDerFromCert(),
* wolfcrypt/src/dilithium.c : dilithium_sign_with_seed_mu(),
* wolfcrypt/src/ecc.c : wc_ecc_mulmod_ex2(),
* wolfcrypt/src/wc_mlkem.c : mlkemkey_decapsulate(),
* and wolfcrypt/src/wc_mlkem_poly.c : mlkem_gen_matrix_k*_avx2() and mlkem_get_noise_k2_avx2();

wolfcrypt/test/test.c: in TEST_PASS(), fix STACK_SIZE_CHECKPOINT_WITH_MAX_CHECK to honor TEST_ALWAYS_RUN_TO_END.
2025-05-15 15:28:11 -05:00
Daniel Pouzzner c5021c0690 wolfcrypt/src/ecc.c: fix identicalInnerCondition in ecc_mulmod(). 2025-05-14 03:18:35 -05:00
jordan efd5405d0e coverity: fix check_after_deref, assignment_where_comparison_intended, uninit vars, return values, etc. 2025-05-05 13:18:29 -05:00
Daniel Pouzzner c401f5caf2 move the newly added wolfcrypt/src/wolfssl_sources.h to wolfssl/wolfcrypt/libwolfssl_sources.h, and likewise for wolfssl_sources_asm.h; revert changes to IDE/ project files. 2025-04-04 18:44:12 -05:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
David Garske a709b16ed2 Adding option for NO_ECC_CHECK_PUBKEY_ORDER. ZD 19422 2025-03-24 14:00:23 -07:00
Reda Chouk 9178c53f79 Fix: Address and clean up code conversion in various files. 2025-02-25 11:17:58 +01:00
Andrew Hutchings cb42f18a47 Minor SE050 improvements
Adds two features for SE050:

1. `WOLFSSL_SE050_AUTO_ERASE`. When enabled, this will automatically
   erase a key from the SE050 when `wc_ecc_free()` and friends are
   called.
2. `WOLFSSL_SE050_NO_RSA`. This stops RSA offloading onto the SE050,
   useful for the SE050E which does not have RSA support.
2025-02-11 16:25:06 +00:00
Andrew Hutchings 8870b76c26 Fix SE050 Port
The SE050 port won't compile in the latest wolfSSL. This patch:

* Updates the documentation
* Fixes a missing `#ifdef` that breaks the build
* Changes the use of `mp_int` to `MATH_INT_T`
* Fixes compiler error with `ecc.c`
* Adds a tiny bit of extra debugging info
2025-02-10 14:27:28 +00:00
David Garske 7ad4131b13 Merge pull request #8343 from anhu/maxq_pkcs11
New additions for MAXQ with wolfPKCS11
2025-01-24 11:34:27 -08:00
Anthony Hu 18396c4740 New additions for MAXQ with wolfPKCS11
- Support using MAXQ for:
    - AES-ECB
    - AES-CCM
    - AES-CBC
    - ECC Key Generation and ECDH
- in wc_ecc_import_private_key_ex():
    - check to make sure devId is not invalid before calling wc_MAXQ10XX_EccSetKey().
    - This is because the raspberry pi sometimes need to sign stuff.
- in aes_set_key() and ecc_set_key():
    - delete a key in case it already exists; ignore error since it might not exist.
    - unlock, lock the HW mutex around ECDSA_sign() because it needs access to rng
- in wolfSSL_MAXQ10XX_CryptoDevCb:
    - allow maxq1065 to call the crypto callback.
    - do not set the key during signing; use pre provisioned one instead (DEVICE_KEY_PAIR_OBJ_ID)
2025-01-24 13:53:27 -05:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
Daniel Pouzzner 7cd2fd3617 numerous fixes for memory errors reported by clang-tidy, most of them true positives, unmasked by CPPFLAGS=-DNO_WOLFSSL_MEMORY: clang-analyzer-unix.Malloc, clang-analyzer-core.NullDereference, clang-analyzer-core.uninitialized.Assign, clang-analyzer-core.UndefinedBinaryOperatorResult, and clang-analyzer-optin.portability.UnixAPI (re malloc(0)).
several fixes for defects reported by cppcheck:

wolfcrypt/src/ecc.c: fix for cppcheck oppositeInnerCondition from cppcheck-2.16.0 in _ecc_make_key_ex(), and fixes for related unhandled errors discovered by manual inspection;

wolfcrypt/test/test.c: fix XREALLOC call in memcb_test() to resolve cppcheck-detected memleak.
2025-01-10 14:30:42 -06:00
Sean Parkinson 93812e4286 Merge pull request #8289 from JacobBarthelmeh/harden
add option for additional sanity checks
2024-12-24 09:17:08 +10:00
JacobBarthelmeh 961453b5ee fix for free'ing up memory after use 2024-12-20 14:58:57 -07:00
Daniel Pouzzner 122502e2b1 wolfCrypt -Wconversion expansion: fix numerous warnings, all benign, from -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion. 2024-12-18 11:51:06 -06:00
JacobBarthelmeh 613c1aa16d fix for no malloc build 2024-12-17 14:47:45 -07:00
JacobBarthelmeh 87ae31b48f some additional sanity checks with harden build 2024-12-17 12:47:42 -07:00