Commit Graph

29160 Commits

Author SHA1 Message Date
Daniel Pouzzner 51f5f8799d src/ssl_api_pk.c: fix -Wmaybe-uninitialized in check_cert_key_dev() (defect introduced in #9723);
wolfcrypt/test/test.c: fix error-path memory leaks in srtpkdf_test(), and properly gate out incompatible SRTP_KDF_LONG_KEY test on old FIPS (defect introduced in #9733);

.wolfssl_known_macro_extras: get into lexical order and remove unneeded WC_RSA_DIRECT.
2026-02-06 13:06:10 -06:00
David Garske 19bb7198a2 Peer review fixes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 10:24:31 -08:00
Josh Holtrop 70a7f4d5de Rust wrapper: update wolfssl-wolfcrypt crate to v1.1.0 2026-02-06 13:18:18 -05:00
Anthony Hu 6bc2c6f071 Merge branch 'master' into cmake_HSC 2026-02-06 13:11:55 -05:00
Reda Chouk f94eb68ea3 add missing checks in wolfSSL_d2i_SSL_SESSION 2026-02-06 17:00:42 +01:00
David Garske 78bba7e90f Fix for TLS with WOLFSSL_SMALL_CERT_VERIFY 2026-02-05 21:55:32 -08:00
JacobBarthelmeh 4fc778c8eb warning for 'type' may be used uninitialiized 2026-02-05 22:14:43 -07:00
Daniel Pouzzner 25db90afe7 Merge pull request #9741 from kareem-wolfssl/variousFixes
Various fixes
2026-02-05 20:32:12 -06:00
Daniel Pouzzner 8e6ebdb8ac Merge pull request #9723 from SparkiDev/ssl_split_cert
Split out code form ssl.c and pk.c
2026-02-05 18:21:36 -06:00
David Garske c3ef6afcfd Merge pull request #9743 from douzzer/20260205-fixes
20260205-fixes
2026-02-05 15:23:57 -08:00
Daniel Pouzzner 1d871879df Merge pull request #9726 from Frauschi/pkcs11_pqc_prep
PKCS#11 PQC preparation work
2026-02-05 16:50:25 -06:00
Daniel Pouzzner a6ee93c84c Merge pull request #9739 from holtrop-wolfssl/rust-crate-fips-support
Rust wrapper: add FIPS support
2026-02-05 16:49:58 -06:00
Daniel Pouzzner 88edcf6c96 Merge pull request #9736 from embhorn/gh9731
Exclude Config.cmake.in in .gitignore
2026-02-05 16:49:35 -06:00
Daniel Pouzzner da426d9c1d Merge pull request #9725 from Frauschi/cmake
CMake fixes and improvements
2026-02-05 16:49:03 -06:00
Daniel Pouzzner 681d09fc3c Merge pull request #9714 from philljj/bsdkm_crypto_accel
bsdkm: x86 crypto acceleration support.
2026-02-05 16:48:03 -06:00
Daniel Pouzzner 2a32e108d0 Merge pull request #9656 from jackctj117/PKCS7-signing
Add PKCS7 ECC raw sign callback support
2026-02-05 16:46:27 -06:00
Daniel Pouzzner 6d7cb87965 Merge pull request #9733 from SparkiDev/srtp_kdf_ctr_fix
SRTP-KDF: use two bytes of index
2026-02-05 16:21:38 -06:00
Paul Adelsbach 635832010e Use WOLFSSL_STACK methods in new AIA functions 2026-02-05 11:54:26 -08:00
jackctj117 cfcd384c4c Address copilot feedback 2026-02-05 12:12:16 -07:00
jackctj117 d581a409eb Delete tests/test_cert_sign_cb_no_malloc_simple.c 2026-02-05 11:58:38 -07:00
jackctj117 a61a5792b8 Delete tests/test_cert_sign_cb_no_malloc.c 2026-02-05 11:58:05 -07:00
jackctj117 d774825ab8 Address copilot feedback 2026-02-05 11:57:33 -07:00
David Garske 8c30cfb0da Add tests for async with static memory. Fix issue with mixed-declaration in SP ECC non-blocking. 2026-02-05 09:43:31 -08:00
David Garske 6a4415911b Merge pull request #9727 from miyazakh/tsip_rm_asn_original
Renesas RX72N : Remove WOLFSSL_ASN_ORIGINAL from user_settings.h
2026-02-05 08:42:59 -08:00
Daniel Pouzzner 0cc1dc29c4 src/x509.c: in x509_aia_append_string(), use heap pointer from supplied *head, and initialize WOLFSSL_STACK.type (fixes "Conditional jump or move depends on uninitialised value(s)" from 08c1397cc1);
wolfssl/wolfcrypt/asn.h: use WC_BITFIELD for extAuthInfoListSz and extAuthInfoListOverflow bitfields, for C89 compat (fixes -Wpedantic from 08c1397cc1).
2026-02-05 10:04:17 -06:00
David Garske e9b711e42b Tests for mutual authentication 2026-02-04 21:28:53 -08:00
David Garske 4d3925d526 Add X25519 non-blocking support for key gen and shared secret
## Summary
- Add non-blocking (incremental) Curve25519 key generation and shared secret via `WC_X25519_NONBLOCK`, modeled after the existing ECC non-blocking pattern (`WC_ECC_NONBLOCK`)
- Implement `curve25519_nb()` and `fe_inv__distinct_nb()` in `fe_low_mem.c` as state-machine variants that return `FP_WOULDBLOCK` to yield after each field multiply
- Add `wc_curve25519_set_nonblock()` API to attach/detach non-blocking context to a key
- Integrate X25519 non-blocking with TLS 1.2/1.3 key share generation and shared secret in `tls.c` and `internal.c` (behind `WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW`)
- Add `--enable-curve25519=nonblock` configure option (auto-enables `--enable-asynccrypt` and `--enable-asynccrypt-sw`)
- Add X25519 async software dispatch cases in `async.c` and types in `async.h`
- Fix async guard in `curve25519.c` to require `WOLFSSL_ASYNC_CRYPT_SW` (matching other algorithms)
- Overhaul `examples/async/` client/server: non-blocking I/O via `WOLFSSL_USER_IO`, standalone `Makefile`, X25519/ECC mode selection, CI-friendly ready-file sync
- Add `examples/configs/user_settings_curve25519nonblock.h` and CI coverage in `os-check.yml` and new `async-examples.yml` workflow
- Add wolfcrypt test and API test coverage for X25519 non-blocking
2026-02-04 21:28:52 -08:00
David Garske c7ed5ff179 Merge pull request #9740 from douzzer/20260204-linuxkm-with-global-replace-etc
20260204-linuxkm-with-global-replace-etc
2026-02-04 19:07:06 -08:00
Kareem a429eb7191 Add prefix for SetLength/Sequence when WOLFSSL_API_PREFIX_MAP is defined. 2026-02-04 16:39:29 -07:00
Kareem eae22ab37d Send illegal_parameter alert rather than handshake_failure when the server tries to use a cipher suite that the client does not support. Fixes #9639. 2026-02-04 15:44:16 -07:00
Kareem 1e770e1a0f Send decode_error alert rather than illegal_parameter when receiving an empty/malformed keyshare extension. Fixes #9640. 2026-02-04 15:40:30 -07:00
Kareem 4bb4648282 Ensure lru_count does not overflow. 2026-02-04 15:33:15 -07:00
Kareem f94489b66d Fix issues in documentation of wc_LoadStaticMemory's return code. 2026-02-04 15:25:03 -07:00
Kareem 59c14cdc6c Allow setting SetLength and SetSequence to public APIs by adding them to ASN APIs. 2026-02-04 15:24:13 -07:00
Chris Conlon 3753f69a50 Merge pull request #9728 from padelsbach/aia-updates
Extend AIA interface
2026-02-04 15:11:02 -07:00
Daniel Pouzzner 5fca3786c6 .wolfssl_known_macro_extras: remove WC_SHA3_HARDEN (unneeded because --enable-faultharden defines it). 2026-02-04 14:30:31 -06:00
Daniel Pouzzner 0364a348b5 linuxkm/lkcapi_sha_glue.c and linuxkm/linuxkm_wc_port.h: when LINUXKM_DRBG_GET_RANDOM_BYTES, add "-with-global-replace" to the DRBG driver name, to advertise that /dev/[u]random and getrandom() are FIPS PRNGs; when NO_LINUXKM_DRBG_GET_RANDOM_BYTES, don't implicitly define LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT. 2026-02-04 14:30:08 -06:00
Daniel Pouzzner 10d4b1dd92 wolfcrypt/src/aes.c: fix -Wunused-variable in wc_AesSetKey(). 2026-02-04 14:14:57 -06:00
Daniel Pouzzner 017ac97de0 configure.ac: remove prohibition on ARM32 --enable-armasm with --enable-aesgcm-stream (current code in aes.c falls back to C gracefully in that case). 2026-02-04 14:12:51 -06:00
Josh Holtrop f9cea09f5b Rust wrapper: add FIPS support 2026-02-04 14:32:05 -05:00
Paul Adelsbach 08c1397cc1 Enable 8 combined OCSP and URLs instead of 1 of each 2026-02-04 11:04:46 -08:00
jackctj117 cb2b7adfcc Address PR feedback: move doxygen to proper location and add RSA test coverage 2026-02-04 10:45:38 -07:00
Anthony Hu 22b25dcde3 Add HAVE_SECRET_CALLBACK to cmake. 2026-02-04 10:26:40 -05:00
Hideki Miyazaki c74a95c8d0 rm WOLFSSL_ASN_ORIGINAL from user_settings.h
- update signed ca cert (rsa/ecc)
 - update compiler options for v3.06.00
2026-02-05 00:08:35 +09:00
jackctj117 8b5bd3b3b1 Add wc_SignCert_cb API for external signing callbacks 2026-02-03 12:58:12 -07:00
Daniel Pouzzner 492ff386dc Merge pull request #9658 from sameehj/aes-offload
cryptocb: add AES CryptoCB key import support and tests
2026-02-03 12:23:42 -06:00
Eric Blankenhorn 808896e82f Exclude Config.cmake.in in .gitignore 2026-02-03 11:29:34 -06:00
Sameeh Jubran 425dc1372d cryptocb: add AES CryptoCB key import support and tests
Add CryptoCB-based AES key import support to enable Secure Element
offload without exposing raw AES key material to wolfCrypt.

When WOLF_CRYPTO_CB_AES_SETKEY is defined, wolfCrypt invokes a CryptoCB
callback during AES key setup. Behavior is determined by the callback
return value:

- If callback returns 0: Key is imported to the device (aes->devCtx).
  Key is NOT copied to wolfCrypt RAM; GCM H/M tables are NOT generated.
  Full hardware offload is assumed.

- If callback returns CRYPTOCB_UNAVAILABLE: Device does not support
  SetKey. Normal software path is used; key is copied to devKey for
  optional encrypt/decrypt acceleration.

- Any other error: Propagated to the caller.

Key points:
- Add wc_CryptoCb_AesSetKey() callback for AES key import
- Update AES SetKey paths to call CryptoCB and branch on return value
- Skip GCM H/M table generation when callback succeeded (devCtx set)
- Preserve existing behavior when devId is INVALID_DEVID or
  WOLF_CRYPTO_CB_AES_SETKEY is not defined

Testing:
- Add unit test for CryptoCB AES SetKey (verifies key isolation when
  callback succeeds)
- Add end-to-end AES-GCM offload test (SetKey, Encrypt, Decrypt, Free
  via CryptoCB)
- Tests use a mock SE with software AES to validate routing

Enable with: CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-03 16:59:02 +02:00
Sean Parkinson b1d3529419 SRTP-KDF: use two bytes of index
One byte of index creates up to 4096 bytes for a key.
Increase output size to match specification.
2026-02-03 11:01:11 +10:00
jordan 8ae27c75e4 bsdkm: x86 crypto acceleration support. 2026-02-02 12:00:22 -06:00