Daniel Pouzzner
416072f298
Merge pull request #9969 from Frauschi/mlkem_wconversion
...
ML-KEM Wconversion fixes
2026-03-16 15:03:26 -05:00
David Garske
77c7418052
Merge pull request #9973 from JacobBarthelmeh/static_analysis
...
fix to sanity check on importing raw session key info
2026-03-16 13:46:53 -06:00
David Garske
87906a38ab
Merge pull request #9974 from JacobBarthelmeh/oss-fuzz
...
fix to free CRL reason extension
2026-03-16 13:46:34 -06:00
Andrew Hutchings
cfd819370a
Fix SE050 RSA-PSS signing, key cleanup, and mutex leaks
...
RSA-PSS fix:
Skip SE050 hardware path for RSA-PSS sign and verify operations in
RsaPublicEncryptEx() and RsaPrivateDecryptEx(). The SE050's PSS sign
API (Se05x_API_RSASign) is a hash-then-sign operation, which
double-hashes when wolfSSL passes a pre-computed digest (as done during
TLS CertificateVerify). PSS operations now fall through to the software
RSA path. PKCS#1 v1.5 signing continues to use SE050 hardware.
Key object leak fix:
Add se050_rsa_free_key() called from wc_FreeRsaKey() to erase
wolfSSL-allocated RSA key objects from SE050 persistent storage on
free. Without this, persistent key slots on the SE050 are never
reclaimed and eventually exhaust secure storage. Add matching
sss_key_store_erase_key() calls to se050_ecc_free_key(),
se050_ed25519_free_key(), and se050_curve25519_free_key(). Only keys
with keyId >= SE050_KEYID_START are erased (pre-provisioned keys are
left intact).
Mutex leak fix:
Add missing wolfSSL_CryptHwMutexUnLock() calls before early returns in
se050_rsa_sign(), se050_rsa_verify(), se050_rsa_public_encrypt(), and
se050_rsa_private_decrypt() when the algorithm lookup fails after the
mutex has already been acquired.
ZD 21212
2026-03-16 19:19:14 +00:00
JacobBarthelmeh
7de150eff0
Merge pull request #9975 from rlm2002/coverity
...
20260313 Coverity changes
2026-03-16 12:52:27 -06:00
Tobias Frauenschläger
987a705318
Fix stack tracking in wolfCrypt benchmark
2026-03-16 18:33:55 +01:00
Daniel Pouzzner
30d8cf1a66
Merge pull request #9971 from JacobBarthelmeh/linuxkm
...
Use ENOMEM return and add goto out on AAD error with linuxkm
2026-03-16 11:43:15 -05:00
Juliusz Sosinowicz
2051297ab0
DoTls13CertificateRequest: call CertSetupCbWrapper only once
2026-03-16 17:02:02 +01:00
Daniel Pouzzner
49796a5159
configure.ac: don't include enable_ocsp_responder in enable-all if $enable_sha = no, remove enable_ocsp_responder from enable-all-crypto setup, and remove superseded fixup clause for ENABLED_OCSP_RESPONDER with ENABLED_SHA = no.
...
.wolfssl_known_macro_extras: remove unneeded WOLFSSL_PYTHON.
2026-03-16 10:20:48 -05:00
JacobBarthelmeh
7ad9c25a5b
Merge pull request #9978 from SparkiDev/xmss_sign_idx_fix
...
XMSS: Fix index copy for signing.
2026-03-16 09:20:38 -06:00
Anthony Hu
2939ab7f6a
Fixes SPHINCS else-if chain key detection
...
F-751
2026-03-16 11:20:19 -04:00
JacobBarthelmeh
93fc517dd1
add NO_RSA macro guard to test case
2026-03-16 08:58:15 -06:00
Anthony Hu
3b36db0c9d
Fixes Falcon else-if chain key detection
...
F-750
2026-03-16 10:55:28 -04:00
JacobBarthelmeh
f8dda213b0
Merge pull request #9972 from cconlon/getCiphersCompatFix
...
Fix wolfSSL_get_ciphers_compat() to return NULL for empty cipher list
2026-03-16 08:29:00 -06:00
Sean Parkinson
9590255ceb
XMSS: Fix index copy for signing.
...
The index is already big-endian encoded but it needs to be front padded
with zeros instead of back end padded.
2026-03-16 21:24:08 +10:00
JacobBarthelmeh
8f810c2705
clear q with integer.c and mp_div_3 in error case
2026-03-16 00:09:37 -06:00
JacobBarthelmeh
73e425923b
setting heap pointer based on if key is null
2026-03-16 00:08:04 -06:00
JacobBarthelmeh
9b96f49505
check return value of fwrite in test case
2026-03-16 00:07:09 -06:00
JacobBarthelmeh
681fb41fcb
Null check on SNI pointer before potential use
2026-03-16 00:06:38 -06:00
JacobBarthelmeh
eaa6db9462
account for --enable-all-crypto and --disable-sha build now having OCSP responder
2026-03-16 00:06:13 -06:00
Ruby Martin
2ca2781756
reallocate tmp buffer with space for null terminator
2026-03-13 17:28:00 -06:00
Ruby Martin
8b7b6754d9
macro guard with WOLFSSL_SMALL_STACK to prevent dead code
2026-03-13 17:03:02 -06:00
Ruby Martin
1ac4ba282b
remove early der free
2026-03-13 17:03:02 -06:00
Kareem
0b26791168
Code review feedback
2026-03-13 15:57:18 -07:00
Kareem
3cc15548bc
Code review feedback. Error out on len = 0 as well.
2026-03-13 15:57:18 -07:00
Kareem
0a082b08ca
Code review feedback
2026-03-13 15:57:18 -07:00
Kareem
42b321a7d3
Use safe sum of used size after calculating it. No reason to redo the additions. Fixes unused variable warning as well.
...
Fix different type addition in hash.c.
2026-03-13 15:57:18 -07:00
Kareem
d205fcac87
Fix potential overflows in two additional hash functions.
...
Thanks to Arjuna Arya for the report.
Fixes #9955 .
2026-03-13 15:57:18 -07:00
Kareem
091016a149
Ensure se050Ctx->used does not overflow in se050_hash_update.
...
Thanks to Arjuna Arya for the report.
Fixes #9951 .
2026-03-13 15:57:18 -07:00
JacobBarthelmeh
bbf3beef35
fix to free CRL reason extension
2026-03-13 16:17:52 -06:00
JacobBarthelmeh
a6195c30c1
Merge pull request #9947 from kareem-wolfssl/zd21325
...
Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.
2026-03-13 15:37:24 -06:00
JacobBarthelmeh
d36f7a2b99
fix to sanity check on importing raw session key info
2026-03-13 15:32:46 -06:00
Chris Conlon
428030a3e8
Fix wolfSSL_get_ciphers_compat to return NULL when no ciphers available
2026-03-13 15:07:25 -06:00
Tobias Frauenschläger
3b4e51c150
ML-KEM Wconversion fixes
...
* fix -Wconversion warnings
* allow APIs without RNG usage in case WC_NO_RNG is defined
2026-03-13 21:22:48 +01:00
JacobBarthelmeh
b97b3da81b
use ENOMEM instead of MEMORY_E with aes glue returns f-669
2026-03-13 14:08:03 -06:00
JacobBarthelmeh
1958fbdf71
Add goto out on AAD error f-631
2026-03-13 14:03:31 -06:00
JacobBarthelmeh
b06458f9a4
use heap hint with dilithium benchmark
2026-03-13 13:46:02 -06:00
Chris Conlon
aa9ee8b4fa
Merge pull request #9963 from JacobBarthelmeh/caam
...
fixes for CAAM port without hash store
2026-03-13 13:45:08 -06:00
JacobBarthelmeh
73eb8f933b
Merge pull request #9967 from Frauschi/pqc_cmake
...
Move PQC algos out of experimental in CMake
2026-03-13 13:12:53 -06:00
Kareem
94b370f5e2
Rework check to compare only ints.
2026-03-13 11:42:12 -07:00
Kareem
19b99f8072
Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.
...
Thanks to Haruto Kimura (Stella) for the report.
2026-03-13 11:42:12 -07:00
Ruby Martin
5d54d8a488
init caCert before function can error out
2026-03-13 11:57:24 -06:00
sebastian-carpenter
47a24d7b90
minor coverity fixes for tls ech
2026-03-13 11:04:44 -06:00
Tobias Frauenschläger
da94ea6265
Move PQC algos out of experimental in CMake
...
This has already been done long time in autoconf. User
now does not have to enable experimental features to use
PQC.
2026-03-13 17:53:54 +01:00
JacobBarthelmeh
156db7dd2d
Merge pull request #9831 from julek-wolfssl/pytho-3.13.4
...
Fixes to run python with --enable-all
2026-03-13 10:50:23 -06:00
Josh Holtrop
b6584d1e96
Rust wrapper: wolfssl-wolfcrypt crate version 1.2.0
2026-03-13 08:08:23 -04:00
David Garske
0792c674c5
Merge pull request #9960 from philljj/fix_coverity
...
asn: fix coverity null deref warnings.
2026-03-13 06:58:41 +01:00
David Garske
00cd1a7c22
Merge pull request #9962 from night1rider/ecc-dilithium-callback-free-fix
...
Fix expected callback behavior for ECC/Dilithium for Free Callbacks
2026-03-13 06:19:31 +01:00
David Garske
cdacf3a53e
Merge pull request #9964 from SparkiDev/asm_gen_fixes_1
...
SP fixes: 32-bit ARM assembly fixes
2026-03-13 06:16:57 +01:00
Sean Parkinson
bac0563669
Merge pull request #9919 from anhu/lms-leaf-idx
...
Fix buffer-overflow in LMS leaf cache indexing
2026-03-13 10:02:50 +10:00