David Garske
0792c674c5
Merge pull request #9960 from philljj/fix_coverity
asn: fix coverity null deref warnings.
2026-03-13 06:58:41 +01:00
David Garske
00cd1a7c22
Merge pull request #9962 from night1rider/ecc-dilithium-callback-free-fix
Fix expected callback behavior for ECC/Dilithium for Free Callbacks
2026-03-13 06:19:31 +01:00
David Garske
cdacf3a53e
Merge pull request #9964 from SparkiDev/asm_gen_fixes_1
SP fixes: 32-bit ARM assembly fixes
2026-03-13 06:16:57 +01:00
Sean Parkinson
bac0563669
Merge pull request #9919 from anhu/lms-leaf-idx
Fix buffer-overflow in LMS leaf cache indexing
2026-03-13 10:02:50 +10:00
Sean Parkinson
d23cb79f18
SP fixes: 32-bit ARM assembly fixes
mod_exp: subtract from 32 instead of 64 as n is 32 bits
sp_521_ecc_mulmod_fast: look up the last point in constant time when required.
2026-03-13 09:37:28 +10:00
JacobBarthelmeh
424af6eb5b
Merge pull request #9956 from rlm2002/coverity
20260311 Coverity changes
2026-03-12 16:53:39 -06:00
night1rider
cdbd19551e
Have ret initialized to 0 in wc_ecc_free() and wc_dilithium_free()
2026-03-12 15:40:38 -06:00
night1rider
2626f976f5
Update the PKCS11 ECC and dilithium free handlers so they will now return CRYPTOCB_UNAVAILABLE after attempting the context free so the caller still does software cleanup on the rest of the context that the callback does not handle.
2026-03-12 15:18:56 -06:00
JacobBarthelmeh
80ba723e16
Merge pull request #9943 from philljj/fix_evp_set_iv_length
evp: check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length.
2026-03-12 14:47:32 -06:00
night1rider
5ff2b55345
Fix Free Callback Behavior for Dilithium's free callback path so that it respects the return code of the callback
2026-03-12 14:45:33 -06:00
JacobBarthelmeh
c1f71fcf33
Merge pull request #9959 from philljj/fix_wolfboot_build
asn: add HAVE_OCSP_RESPONDER guard, to fix wolfboot build.
2026-03-12 14:44:29 -06:00
JacobBarthelmeh
351d2594ac
Merge pull request #9938 from SparkiDev/regression_fixes_23
Fixes from regression testing
2026-03-12 14:41:18 -06:00
night1rider
e766b8f0af
Update the wolfCrypt test so that the Dilithium init passes devID to hit callback paths when configured, and so that Dilithium will be retested in the callback section of the wolfCrypt test.
2026-03-12 14:31:05 -06:00
night1rider
9d65982d80
Fix Free Callback Behavior for ECC's free callback path so that it respects the return code of the callback
2026-03-12 14:24:10 -06:00
night1rider
352daa085b
Add test case for free ecc/dilithium callback for expected behavior to match existing free callback code paths
2026-03-12 14:18:31 -06:00
jordan
02bdde0264
asn: fix coverity null deref warnings.
2026-03-12 14:28:24 -05:00
Ruby Martin
d359f420ab
set *inLen = outLen if output == NULL; if output != NULL, check that outLen <= *inLen before assigning *inLen = outLen
2026-03-12 10:25:14 -06:00
Ruby Martin
d432759fdd
verify algoSz is <= MAX_ALGO_SZ
2026-03-12 09:53:34 -06:00
Ruby Martin
8314aa56ae
catch MEMORY_E from CALLOC_ASNSETDATA()
2026-03-12 09:53:34 -06:00
jordan
d67c034b14
asn: add HAVE_OCSP_RESPONDER guard, to fix wolfboot build.
2026-03-12 10:50:18 -05:00
Juliusz Sosinowicz
4fbc81916c
Address final comments from #9761
- Fix line length
- Remove duplicate comment
- Check return of `wc_HashGetDigestSize`
- Use constant instead of magic number
2026-03-12 12:30:13 +01:00
JacobBarthelmeh
0de6e8fd50
Merge pull request #9950 from douzzer/20260311-bench_slhdsa-smallstack
20260311-bench_slhdsa-smallstack
2026-03-11 17:30:08 -06:00
JacobBarthelmeh
a8dfa59bbe
Merge pull request #9761 from julek-wolfssl/ocsp-responder
Implement OCSP responder
2026-03-11 17:27:33 -06:00
Sean Parkinson
bbd2f6f898
Fixes from regression testing
CRL APIs not usable when NO_ASN_TIME defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When session ticket encrypted with CBC, must be a multiple of block size.
Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.
2026-03-12 08:19:39 +10:00
Anthony Hu
00d0b09401
Fix buffer-overflow in LMS leaf cache indexing
wc_lms_treehash_init() writes leaf node hashes into the leaf cache
using an absolute index (i * hash_len), but the cache is only
max_cb entries starting from leaf->idx. When leaf->idx > 0 (which
occurs when wc_LmsKey_Reload is called after signing more than
max_cb times), the write goes past the end of the cache buffer.
Fix by using the relative offset (i - leaf->idx) * hash_len instead.
Added unit tests (test_lms.c):
- test_wc_LmsKey_sign_verify: basic sign/verify sanity check
- test_wc_LmsKey_reload_cache: (TDD) reproduces the overflow by
signing 33 times then reloading the key
2026-03-11 16:58:48 -04:00
sebastian-carpenter
bb7c6a13c8
ECH tidying
2026-03-11 12:07:20 -06:00
Daniel Pouzzner
aeb4c042fd
wolfcrypt/benchmark/benchmark.c: smallstack (WC_*_VAR*()) refactor for bench_slhdsa().
2026-03-11 10:21:55 -05:00
Juliusz Sosinowicz
5a4c63423b
Address code review
2026-03-11 12:28:11 +01:00
Juliusz Sosinowicz
6bb122d29f
Address copilot review
2026-03-11 11:08:44 +01:00
Juliusz Sosinowicz
6fc83e292b
Address code review
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
0a1b4f9185
fix shaCopy errors
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
7ae2ecc686
fixup! Implement OCSP responder
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
10be06d747
Address copilot feedback
2026-03-11 10:21:17 +01:00
Juliusz Sosinowicz
9a9eb2bf1d
Add ocsp responder test to testsuite.c and tested on windows
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
a795b19db2
Implement copilot suggestions
2026-03-11 10:21:16 +01:00
Juliusz Sosinowicz
4578e1390f
Implement OCSP responder
OCSP Responder Core API:
- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM
Header Cleanup:
- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h
OCSP Responder Example (examples/ocsp_responder/):
- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client
Test Scripts (scripts/):
- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling
Certificate Infrastructure (certs/ocsp/):
- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions
Known Limitations (documented in src/ocsp.c header comment):
- Single request/response per OCSP exchange only
- Key-hash responder ID only (no name-based responder ID)
- No singleExtensions support
2026-03-11 10:21:16 +01:00
Daniel Pouzzner
3540d89c0d
Merge pull request #9945 from holtrop-wolfssl/zd21327
Avoid one-byte read outside of allocated encrypted content buffer in wc_PKCS7_DecodeEnvelopedData()
2026-03-10 22:39:24 -05:00
Daniel Pouzzner
a5bc0cd929
Merge pull request #9887 from rlm2002/static_analysis
20260305 Coverity fixes
2026-03-10 22:34:57 -05:00
Daniel Pouzzner
2db5fbb04e
Merge pull request #9933 from rlm2002/coverity
20260309 Coverity changes for Sunday build
2026-03-10 22:32:23 -05:00
Daniel Pouzzner
bfe0b21829
Merge pull request #9765 from night1rider/zephyr-4_3_0-posix-fix
Add Zephyr 4.1+ build compatibility for wolfssl_tls_sock sample.
2026-03-10 22:28:43 -05:00
Daniel Pouzzner
51693156fe
Merge pull request #9939 from SparkiDev/mlkem_comments_fixes
ML-KEM: Fixes for comments plus bug fixes
2026-03-10 19:34:39 -05:00
Daniel Pouzzner
4e84c7e05a
Merge pull request #9931 from aidangarske/fix-wolfcrypt-fenrir-1
Fix Fenrir 376
2026-03-10 19:33:32 -05:00
Daniel Pouzzner
f1508c910a
Merge pull request #9930 from julek-wolfssl/fenrir/260903
Fenrir fixes
2026-03-10 19:32:56 -05:00
Daniel Pouzzner
7af6decbf3
Merge pull request #9856 from anhu/rsa_guard
Macro guard parameter null check.
2026-03-10 19:32:19 -05:00
Daniel Pouzzner
f18d5ba359
Merge pull request #9928 from philljj/fix_f_451
ascon: don't skip wc_AsconAEAD128_Clear on auth error.
2026-03-10 19:31:20 -05:00
Daniel Pouzzner
65092ab5eb
Merge pull request #9838 from SparkiDev/slhdsa_1
FIPS 205, SLH-DSA: implementation
2026-03-10 19:28:59 -05:00
Daniel Pouzzner
2ad5afaf4d
wolfcrypt/src/wc_slhdsa.c: fixes for uninitialized data reads in slhdsakey_wots_sign_chain_x4_*() and slhdsakey_wots_pk_from_sig_x4;
CMakeLists.txt, cmake/functions.cmake, cmake/options.h.in: fixes for -DWOLFSSL_SLHDSA.
2026-03-10 17:51:18 -05:00
Josh Holtrop
d37b51c3ce
Avoid one-byte read outside of allocated encrypted content buffer in wc_PKCS7_DecodeEnvelopedData()
2026-03-10 17:26:28 -04:00
jordan
77b6f531fb
evp: check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length.
2026-03-10 15:27:37 -05:00
night1rider
0442918391
Add Zephyr 4.1+ build compatibility for wolfssl_tls_sock sample. Replace removed Kconfig options (PTHREAD_IPC, POSIX_CLOCK, NET_SOCKETS_POSIX_NAMES) with version-conditional config fragments and fix min/max macro collision with Zephyr's sys/util.h.
2026-03-10 14:23:47 -06:00