Commit Graph

11114 Commits

Author SHA1 Message Date
JacobBarthelmeh 4162f24434 Merge pull request #9555 from embhorn/zd20964
Null deref check in Pkcs11ECDH
2025-12-18 15:14:35 -07:00
Kareem 81d32f4fe6 Move Curve25519 public key check to make_pub/make_pub_blind to cover the case where they are called directly by an application. 2025-12-18 14:37:59 -07:00
Kareem 0420c942a0 Only use -1 for uninitialized fds as 0 is a valid fd. 2025-12-18 11:22:22 -07:00
Kareem 2e83b97909 Only attempt to close RNG file descriptor on platforms with XCLOSE. 2025-12-18 11:15:33 -07:00
Kareem fb880e943b Reset fd after closing it. 2025-12-18 11:15:33 -07:00
Kareem 6bcbfec200 Initalize RNG seed fd in _InitRng. 2025-12-18 11:15:33 -07:00
Kareem ea43bcba72 Keep RNG seed file descriptor open until the RNG is freed. 2025-12-18 11:15:33 -07:00
Daniel Pouzzner 83e9a0780f wolfcrypt/src/wc_lms.c: fix leak in wc_LmsKey_Reload(). 2025-12-18 11:09:37 -06:00
Daniel Pouzzner 59b3219c0f wolfcrypt/test/test.c: fix memory leaks in Hmac tests. 2025-12-18 10:47:21 -06:00
Eric Blankenhorn d1a4677a8a Null deref check in Pkcs11ECDH 2025-12-18 10:10:57 -06:00
Sean Parkinson a103f5af8b Merge pull request #9545 from douzzer/20251211-DRBG-SHA2-smallstackcache-prealloc
20251211-DRBG-SHA2-smallstackcache-prealloc
2025-12-18 10:07:37 +10:00
Sean Parkinson b7e69fb2f3 Merge pull request #9543 from kareem-wolfssl/zd20944
Check Curve25519 public key after generating one to avoid generating invalid keys.
2025-12-18 09:29:58 +10:00
JacobBarthelmeh 911e996a8d Merge pull request #9546 from SparkiDev/curve25519_base_smul_improv
Curve25519: improved smul
2025-12-17 15:28:56 -07:00
Daniel Pouzzner b23f59f137 Merge pull request #9540 from sameehj/linuxkm_tegra_fips_fixes
linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)
2025-12-17 12:49:23 -06:00
JacobBarthelmeh e93835acd9 sanity checks on buffer size with AES and CAAM Integrity use 2025-12-17 10:15:32 -07:00
Daniel Pouzzner fc7d4ffad4 PR#9545 20251211-DRBG-SHA2-smallstackcache-prealloc addressing peer review: clear dest if necessary in InitHandshakeHashesAndCopy(), style tweaks in random.c, explanatory comments in sha512.c. 2025-12-17 11:07:22 -06:00
Daniel Pouzzner 33fc601011 tweaks from PRBs results:
tests/api.c:
* remove inapt SSL_library_init() in test_wolfSSL_EVP_Cipher_extra();
* move TEST_X509_DECLS to follow TEST_DECL(test_wolfSSL_Init);

tests/api/test_random.c: enlarge seed buffer in test_wc_RNG_TestSeed() to accommodate amdrand block size;

tests/quic.c: wrap exercises in wolfSSL_Init()...wolfSSL_Cleanup();

tests/unit.c: in unit_test(), add several more fflush(stdout)s, report error from wolfSSL_Cleanup(), and fix line length;

wolfcrypt/test/test.c: omit reseed test in _rng_test() if HAVE_INTEL_RDRAND or old FIPS, and use simplified random_test() if HAVE_INTEL_RDRAND;

wolfssl/wolfcrypt/mem_track.h: add memList pointer in struct memoryStats, and set it in InitMemoryTracker();

wolfssl/wolfcrypt/settings.h: undefine WOLFSSL_SMALL_STACK_CACHE if WOLFSSL_SMALL_STACK is undefined;

.github/workflows/trackmemory.yml: add --enable-intelrdseed scenario.
2025-12-17 11:01:11 -06:00
Daniel Pouzzner fb82bdbc35 wolfcrypt/test/test.c:
* in wolfcrypt_test_main(), when WOLFSSL_TRACK_MEMORY, check and error if wc_MemStats_Ptr->currentBytes > 0;
  * don't call the hash initialization APIs for hash structs that are later copied over with the hash copy API (sha224_test(), sha256_test(), sha512_test(), etc)
  * in hash_test(), either wc_HashNew() or wc_HashInit(), not both (fixes leaks);
  * in hmac_*_test(), add test coverage for wc_HmacCopy();
  * in _rng_test(), when WOLFSSL_TRACK_MEMORY && WOLFSSL_SMALL_STACK_CACHE, check that wc_MemStats_Ptr->totalAllocs doesn't increase when wc_RNG_GenerateBlock() is called, and if HAVE_HASHDRBG) && !CUSTOM_RAND_GENERATE_BLOCK, check that forcing a reseed doesn't result in an increase.
  * add missing context cleanups in openSSL_evpMD_test().
2025-12-17 11:01:10 -06:00
Daniel Pouzzner 8bd0fb0e4b wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h: refactor WOLFSSL_SMALL_STACK_CACHE support to eliminate all heap calls after init and before cleanup.
* add DRBG_internal.{seed_scratch,digest_scratch}
  * add WC_RNG.{drbg_scratch,health_check_scratch,newSeed_buf}
  * refactor to implement new WOLFSSL_SMALL_STACK_CACHE dynamics:
    * wc_RNG_HealthTestLocal()
    * Hash_df()
    * Hash_gen()
    * Hash_DRBG_Generate()
    * Hash_DRBG_Instantiate()
    * _InitRng()
    * PollAndReSeed()
    * wc_FreeRng()
    * wc_RNG_HealthTest_ex_internal()
    * wc_RNG_HealthTest_ex()
    * wc_RNG_HealthTestLocal()
  * refactor out WOLFSSL_KERNEL_MODE gates (now all WOLFSSL_SMALL_STACK_CACHE)
2025-12-17 11:01:10 -06:00
Daniel Pouzzner 2b28931855 wolfcrypt/src/sha256.c and wolfcrypt/src/sha512.c: in WOLFSSL_SMALL_STACK_CACHE builds, allocate shafoo->W at init or context copy time, rather than in the transform function. for the SHA512 family, allocate additional space in W for "buffer" in wc_Sha512Transform(). 2025-12-17 11:01:10 -06:00
Daniel Pouzzner 525266c467 wolfssl/wolfcrypt/mem_track.h and wolfcrypt/src/memory.c: add WOLFSSL_API extern memoryStats *wc_MemStats_Ptr, set by InitMemoryTracker() and cleared by CleanupMemoryTracker(), allowing public access to the memory statistics.
tests/unit.c: at end of unit_test(), when WOLFSSL_TRACK_MEMORY, explicitly wolfSSL_Cleanup() then check and error if wc_MemStats_Ptr->currentBytes > 0.
2025-12-17 11:01:10 -06:00
Daniel Pouzzner 1e38a1011e wolfcrypt/src/wolfentropy.c: in wc_Entropy_Get():
* use a bss segment allocation for noise, to avoid a heap allocation (access is already mutex-protected), and
  * in the loop, WC_CHECK_FOR_INTR_SIGNALS() and WC_RELAX_LONG_LOOP().
2025-12-17 11:01:10 -06:00
Daniel Pouzzner 50b51adc93 wolfcrypt/src/hmac.c and wolfssl/wolfcrypt/hmac.h: implement WOLFSSL_API wc_HmacCopy(), and remove the WOLFSSL_HMAC_COPY_HASH gate on HmacKeyCopyHash(). 2025-12-17 11:01:10 -06:00
Daniel Pouzzner 2802e2d82b wolfcrypt/src/rsa.c: in RsaUnPad_OAEP(), refactor volatile-based constant time mitigation to fix "using value of assignment with ‘volatile’-qualified left operand is deprecated [-Werror=volatile]" (new warning from gcc-16.0.0_p20251207, not reported by gcc-16.0.0_p20251116-r1). 2025-12-17 11:01:10 -06:00
Sameeh Jubran a5f1fde955 linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)
Fix multiple build and runtime issues when building wolfSSL LinuxKM FIPS
on NVIDIA Tegra (ARM64) kernels under Yocto.

- Disable ARM64 LSE atomics for out-of-tree modules to avoid jump_table
  asm constraints
- Handle PREEMPT_RT mutex and spinlock differences correctly
- Avoid alt_cb_patch_nops / queued_spin_lock_slowpath on Tegra
- Remove conflicting compiler auto-var-init flags for PIE objects
- Align PIE symbol redirection with RT and Tegra kernels

This restores successful LinuxKM FIPS builds on Tegra-based Yocto systems.

Signed-off-by: Sameeh Jubran <sameeh.j@gmail.com>
2025-12-17 14:32:26 +02:00
Sean Parkinson af2c6cc932 AES-GCM ARM32/Thumb2 ASM: don't change aes->reg in decrypt
OpenSSL compatability layer expects aes->reg to be unmodified by AES-GCM
decrypt call. ARM32/Thumb2 assembly implementation  modifies buffer.
Keep a copy and restore aes->reg after call.
2025-12-17 16:04:25 +10:00
Sean Parkinson f54266c2c6 Curve25519: improved smul
Use the Ed25519 base smul in Curve25519 base mul and covert to
Montogmery curve for a faster implementation.
Only when Ed25519 is compiled in or WOLFSSL_CURVE25519_USE_ED25519 is
defined.
When compiling Intel x64 assembly and Aarch64 assembly, always define
WOLFSSL_CURVE25519_USE_ED25519.
Can't use with blinding - normal C implementation.

Optimized the Curve25519 smul slightly for Intel x64 and Aarch64.
Improved the conditional table lookup on Intel x64 to use AVX2 when
available.
2025-12-17 13:25:36 +10:00
JacobBarthelmeh b42e9a9410 Merge pull request #9529 from SparkiDev/dsa_pg_sp_int_fix
DSA Parameter Generation: init g earlier
2025-12-16 14:52:45 -07:00
JacobBarthelmeh 75fdf959c1 Merge pull request #9514 from kareem-wolfssl/zd20936
Fix uninitialized variable, fix potentially undefined printf reference in HASH_DRBG_Generate.
2025-12-16 14:48:17 -07:00
Kareem 36eda9fb75 Check Curve25519 public key after generating one to avoid generating invalid keys.
Thanks to Kr0emer for the report.
2025-12-15 16:31:29 -07:00
Sean Parkinson 85d40c8e9b Merge pull request #9522 from JacobBarthelmeh/time
tie in use of check_time with x509 store
2025-12-16 08:24:49 +10:00
Kareem 968662063d Merge remote-tracking branch 'upstream/master' into zd20936 2025-12-15 14:06:18 -07:00
Daniel Pouzzner b9368d7a3d Merge pull request #9516 from embhorn/gh3665
Add checking of size param and clarify usage in doc
2025-12-15 10:49:57 -06:00
Sean Parkinson dacb3425cd DSA Parameter Generation: init g earlier
Ensure dsa->g is initialized with other mp_ints so that it can be
cleared at the end regardless of failures.

Don't clear tmp or tmp2 if allocation or initialization failed as you
will access uninitialized data.
2025-12-15 09:12:11 +10:00
Sean Parkinson 6e94381149 ARM64 ASM: Darwin specific address calc fix
Don't use ':lo12:' in Darwin specific address calculation code.
@PAGEOFF is indicating this.
2025-12-15 08:46:24 +10:00
JacobBarthelmeh 5099e6e315 add macro guard on use of time_t 2025-12-12 16:42:19 -07:00
Kareem 2d4e589a8d Merge remote-tracking branch 'upstream/master' into zd20936 2025-12-12 11:37:45 -07:00
Kareem 3797c03e6c Merge remote-tracking branch 'upstream/master' into zd20936 2025-12-12 11:37:34 -07:00
night1rider cf42d14e10 Fix wc_CmacFree() and wc_CMAC_Grow() to use correct heap pointer from internal Aes structure 2025-12-12 11:14:16 -07:00
JacobBarthelmeh e1bbb71878 tie in use of check_time with x509 store 2025-12-12 09:22:23 -07:00
Sean Parkinson 8e14d4a774 Aarch64 AES ASM no hw crypto: no dead code
Fix code so that there is no dead code compiled.
That is, change if checks to #ifdef checks.
2025-12-12 12:31:36 +10:00
Daniel Pouzzner 9201b4e5eb Merge pull request #9515 from anhu/salt_len_min
Note that HMAC_FIPS_MIN_KEY is also salt len min for HKDF
2025-12-11 13:03:06 -06:00
Daniel Pouzzner ef8bf55528 Merge pull request #9495 from SparkiDev/aarch64_no_hw_crypto_asm_aes
Aarch64 no harware crypto assembly AES
2025-12-11 12:46:07 -06:00
Anthony Hu cd4f96924b Better error message too. 2025-12-11 12:23:38 -05:00
Eric Blankenhorn 67b6b284d6 Add checking of size param and clarify usage in doc 2025-12-11 08:27:57 -06:00
Kareem 63976cb09b Fix uninitialized variable, use WOLFSSL_DEBUG_PRINTF macro in Hash_DRBG_Generate to avoid undefined printf reference. 2025-12-10 12:28:54 -07:00
Sean Parkinson 0ab09ab147 PPC32 SHA-256 ASM: support comnpiling for PIC
When compiling for PIC, 30 and 31 are not always available.
Alternative implementation added not using them that puts registers on
the stack.
Small code size version implemented as well.
2025-12-10 16:20:49 +10:00
Sean Parkinson 80b7ea638e Aarch64 no harware crypto assembly AES
Implementations of AES-ECB, AES-CBC, AES-CTR, AES-GCM, AES-XTS with base
instructions and NEON but not using crypto instructions.

Benchmark of AES-ECB added.
Updated AES tests.
2025-12-10 08:55:58 +10:00
Sean Parkinson 886b0c2ec6 Benchmark ECDSA: use digest size instead of key size
The key size can be larger than the maximum digest size supported by the
sign and verify APIs.
Calculate a reasonable digest size for the key size and bound it on the
maximum digest size.
2025-12-05 09:01:12 +10:00
JacobBarthelmeh 5b7480486e Merge pull request #9487 from dgarske/qathash
Fix QAT hash final with no update and fix g++ warnings
2025-12-04 11:35:46 -07:00