Commit Graph

11333 Commits

Author SHA1 Message Date
Sean Parkinson 58c41b6d57 Merge pull request #10458 from philljj/fix_GetShortInt
asn: fix GetShortInt for asn original.
2026-05-13 16:44:38 +10:00
Sean Parkinson cef3187fdb Merge pull request #10456 from padelsbach/lms-xmss-sw-fallback-fix
Fix LMS and XMSS cryptocb software fallback
2026-05-13 16:43:41 +10:00
Sean Parkinson 9e739c6ad0 Merge pull request #10455 from sebastian-carpenter/hpke-fix
Fix: hpke return code improvements
2026-05-13 16:42:45 +10:00
Sean Parkinson 581a9688c6 Merge pull request #10444 from philljj/fix_wc_export_int
wolfmath: check mpSz in wc_export_int.
2026-05-13 16:41:17 +10:00
Sean Parkinson 2670a4f976 Merge pull request #10441 from padelsbach/pkcs7-verify-fix
Fix OOB possibility in PKCS7_VerifySignedData
2026-05-13 16:19:15 +10:00
Daniel Pouzzner dc4796b06c Merge pull request #10404 from SparkiDev/test_c_refactor_1
test.c: Improved testing
2026-05-12 20:46:25 -05:00
David Garske dfe03ff538 Merge pull request #10381 from kareem-wolfssl/zd21694
Validate DSA parameters when verifying DSA key.
2026-05-12 16:29:29 -07:00
David Garske 32439c975f Merge pull request #10448 from SparkiDev/lms_fixes_1
LMS: fixes and improvements
2026-05-12 09:26:42 -07:00
David Garske 2239fc336b Merge pull request #10430 from SparkiDev/mlkem_avx2_fixes
ML-KEM: fix AVX2 assembly
2026-05-12 09:25:54 -07:00
David Garske 15f3f7b102 Merge pull request #10439 from ejohnstown/octeon-fix
port/cavium: fix Octeon AES-GCM AAD GHASH bug
2026-05-12 09:22:10 -07:00
Sean Parkinson df5b2b6cb1 test.c: Improved testing
Top-level test extraction into typed sub-functions

- Digest tests (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,
SHA-512/224,   SHA-512/256, SHA-3 224/256/384/512, SHAKE128/256): each
test category (KAT, large-hash, copy-cleanup, unaligned-memory,
interleave, copy-Sha3 heap-allocation pattern) is now its own static
wc_test_ret_t function rather than inline blocks inside one giant
top-level test.
- rsa_test: extracted rsa_pkcs1_test, rsa_cert_parse_test,
rsa_pub_key_decode_test, rsa_certreq_test.
- ecc_test: extracted ecc_test_all_curves, ecc_test_all_deterministic_k
from the dispatcher; ecc_encrypt_combos_test from ecc_encrypt_test;
ecc_buffers_encrypt_test, ecc_buffers_sign_verify_test,
ecc_buffers_pub_key_decode_test from ecc_test_buffers.
- dh_test: extracted dh_keyagree_test, dh_check_priv_key_test,
dh_agree_ct_test, dh_key_import_export_test, dh_set_check_key_test.
- Curve25519 / Ed25519 / Curve448 / Ed448: extracted KAT, key-agreement,
ASN, and rare-sig sub-tests from each top-level dispatcher.
- Cipher tests: extracted streaming sub-tests from aesofb_test,
aescfb_test, aes_cts_test (aes_cts_192/256_stream_test).

Coverage additions

- Added state-copy testing inside the SHA-3 KAT loops (matching the
existing pattern in SHA-1/224/256/etc. KAT loops).
- Added a SHA-224 large-hash test (parity with the other digest
families).
- Added copy-cleanup tests for SHA-512/224 and SHA-512/256.
- Added Unaligned memory access testing to all *_large_hash_test
functions (MD5, SHA-1/224/256/384, SHA3-224/256/384/512), matching the
pattern that previously only existed for SHA-512/224/256.
2026-05-12 09:21:00 -07:00
David Garske 3e6efbac52 Merge pull request #9567 from jackctj117/serial-0
Allow serial number 0 for root CA certificates
2026-05-12 09:19:56 -07:00
David Garske 33efd8c9b3 Merge pull request #10050 from anhu/pbkdf_max
Add upper limit to PBKDF iteration count
2026-05-12 09:10:54 -07:00
Daniel Pouzzner 7cfc9e9103 Merge pull request #10465 from Frauschi/slhdsa_pre_hash
SLH-DSA fixes
2026-05-12 10:38:49 -05:00
Sean Parkinson 2c4f854962 Merge pull request #10447 from mattia-moffa/20260508-blake2-long-key-fix
Fix Blake2 oversized key path
2026-05-12 22:07:16 +10:00
Tobias Frauenschläger bec6c0fef2 SLH-DSA fixes
Follow up to PR #10450 with some minor fixes:

* FIPS 205 numbering: slh_sign is §10.2.1 Alg 22; slh_verify is Alg 24;
  hash_slh_verify is Alg 25 (impl comments and doxygen).
* Widen wc_SlhDsaKey_SignHashWithRandom's addRnd to const byte* to
  match wc_SlhDsaKey_SignWithRandom.
* Make the SLHDSA_PHMSG_MAX_LEN invariant explicit with a named
  SLHDSA_LARGEST_APPROVED_PHM_LEN constant and a wc_static_assert.
* SHAKE128/SHAKE256 round-trip and length-rejection coverage for both
  SignHash and VerifyHash.
* Doxygen: briefs for the five DER encode/decode APIs; accurate
  decoder failure-rollback wording; tighter return-code lists for
  Verify and VerifyMsg.
* ChangeLog: silent-failure caveat for raw messages whose length
  happens to equal the digest size of the chosen hashType.
2026-05-12 13:24:24 +02:00
David Garske a2b054e3b8 Merge pull request #10155 from aidangarske/fenrir-fixes-2
Add Negative Testing and Zeroization
2026-05-11 21:07:53 -07:00
Sean Parkinson 3c9423257f ML-KEM: fix AVX2 assembly
AVX2 not decompressing 5-bit values correctly.
AVX2 not comparing last 32 bytes of ciphertext.
Protect mlkemkey_get_k to only be compiled when make key is compiled in.
2026-05-12 13:32:19 +10:00
Sean Parkinson 218ddb449e Merge pull request #10394 from dgarske/sp_nonblock_rsa_dh
Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096
2026-05-12 13:25:43 +10:00
jordan 5918eabe2c wolfmath: fix mpSz cast. 2026-05-11 21:46:36 -05:00
John Safranek 82b30797a1 port/cavium: fix Octeon AES-GCM AAD GHASH bug
Octeon_AesGcm_SetAAD unconditionally ran XOR0/XORMUL1 on the partial-block
buffer after the main loop, which processed an extra all-zero block when
aadSz was a non-zero multiple of 16, corrupting the GCM tag. Guard the
trailing XOR/MUL with `if (remainder > 0)`.

Issue: F-3335
2026-05-11 14:39:06 -07:00
Daniel Pouzzner 3afa9018f4 Merge pull request #10450 from Frauschi/slhdsa_pre_hash
HashSLH-DSA APIs take the pre-hashed digest, not the raw message
2026-05-11 16:29:32 -05:00
Daniel Pouzzner 0470910acb wolfcrypt/test/test.c: fix unused-result warnings and unencoded result codes in pwdbased_test(). 2026-05-11 16:23:39 -05:00
Daniel Pouzzner b2a56e7947 wolfcrypt/src/pwdbased.c:
* fix typography of wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() (peer review).
* refactor overflow prevention in wc_PKCS12_PBKDF_ex() to use WC_SAFE_SUM_UNSIGNED().

wolfcrypt/test/test.c: in pwdbased_test(), omit "INT_MAX MAC iterations" test if WOLFSSL_NO_MALLOC (uses wc_PKCS12_new_ex()).
2026-05-11 15:57:23 -05:00
Daniel Pouzzner 5b687baa94 wolfcrypt/test/test.c and wolfcrypt/test/test.h:
* add correct gating around pbkdf1_test(), pkcs12_pbkdf_test(), and scrypt_test() prototypes;
* add unit tests for wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() in pbkdf2_test();
* fix pkcs12_test() to skip the evilPkcs12 test if evil_p12 can't be parsed for any reason, mirroring the new stanza around evil_p12 in pwdbased_test().
2026-05-11 15:57:22 -05:00
Daniel Pouzzner f248b272db rename WC_PBKDF_MAX_ITERATIONS to WC_PBKDF_DEFAULT_MAX_ITERATIONS, raise it to 10000000, add wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get(), and restore new negative tests in pwdbased_test(). 2026-05-11 15:57:22 -05:00
Anthony Hu 1cd9caca02 Line length fixup and repro in second impl. 2026-05-11 15:57:22 -05:00
Anthony Hu 0e7a094e83 get rid of bad tests 2026-05-11 15:57:22 -05:00
Anthony Hu 421826ed18 better macro gating in tests 2026-05-11 15:57:22 -05:00
Anthony Hu 685a6fee6d simplify the tests. 2026-05-11 15:57:22 -05:00
Anthony Hu 3f6c8316c7 Add upper limit to PBKDF iteration count
Add WC_PBKDF_MAX_ITERATIONS (default 100000) to cap the iteration
count in wc_PBKDF1_ex(), wc_PBKDF2_ex(), and wc_PKCS12_PBKDF_ex().
2026-05-11 15:57:22 -05:00
jordan 333aaaa3a9 asn: fix GetShortInt for asn original. 2026-05-11 14:50:48 -05:00
Paul Adelsbach d56831c90d Fix LMS and XMSS cryptocb software fallback 2026-05-11 10:45:38 -07:00
sebastian-carpenter 0ff622c709 F-1908, improve hpke return codes 2026-05-11 11:35:22 -06:00
jordan 99e5597372 wolfmath: check mpSz cleanup. 2026-05-11 12:09:50 -05:00
Kareem a12ccca612 Fully exclude the wc_DsaCheckPubKey function when building with NO_DSA_PUBKEY_CHECK. 2026-05-11 10:05:45 -07:00
Kareem b79870e1ba Add opt-out macro NO_DSA_PUBKEY_CHECK to allow skipping the newly added DSA public key check. 2026-05-11 10:05:45 -07:00
Kareem 44d3659244 Code review feedback 2026-05-11 10:05:45 -07:00
Kareem ea67ace873 Validate DSA parameters when verifying DSA key.
Thanks to Kr0emer for the report.
2026-05-11 10:05:45 -07:00
David Garske 01ba609f0d Merge pull request #9702 from danielinux/ta100_2025
[Microchip TA-100] Fix port + update to cryptoauthlib v3.6.0
2026-05-11 07:26:43 -07:00
Tobias Frauenschläger f16216e5b8 HashSLH-DSA APIs now take the pre-hashed digest, not the raw message
wc_SlhDsaKey_{Sign,Verify}Hash* previously accepted the raw message and
performed the pre-hash internally. They now require the caller to hash the
message first and pass the resulting digest -- the functions no longer call
wc_*Hash() themselves and feed the supplied digest directly into the M'
construction. Parameters are renamed from msg/msgSz to hash/hashSz to reflect
this, and hashSz is validated against wc_HashGetDigestSize(hashType) per
FIPS 205 Section 10.2.2 (32 for SHAKE128, 64 for SHAKE256), returning
BAD_LENGTH_E on mismatch.

This matches ML-DSA's wc_dilithium_{sign,verify}_ctx_hash, NIST ACVP
signatureInterface=external / preHash=preHash vectors, and other libraries
(OpenSSL HASH-ML-DSA, leancrypto, mldsa-native). It also enables distributed
signers and HSM-style flows where the digest is computed separately from the
signing operation.

Migration: callers must now hash the message before invoking these APIs;
passing the raw message will either fail length validation or produce
signatures over the wrong input. The M'-supplied wc_SlhDsaKey_SignMsg* /
VerifyMsg family (FIPS 205 internal interface, Algorithms 19/20) is
unchanged but gains stricter input validation and doxygen coverage.
2026-05-11 10:14:13 +02:00
Sean Parkinson 69027c2445 LMS: fixes and improvements
Remove WC_LMS_PARM_NONE as it serves no purpose.
Change sig_len from a 16-bit value to a 32-bit value in the parameters.
Added wc_LmsKey_SetParameters_ex() and wc_LmsKey_GetParameters_ex() to
handle hash algorithm.
Change mass ForceZeros to smaller amounts with XMEMSET and setting to
NULL or default valus.
Allow signing of empty message.
Other minor fixes.

Fix API tests to work when WOLFSSL_LMS_MAX_HEIGHT/WOLFSSL_LMS_MAX_LEVELS
are/is defined.
2026-05-11 16:18:12 +10:00
Paul Adelsbach 3cad0bfe50 Fix OOB possibility in PKCS7_VerifySignedData 2026-05-10 20:34:48 -07:00
Mattia Moffa 5aa8e6aa2b Fix Blake2 oversized key path
- Reduce long keys in a separate state rather than reusing the state used
for the HMAC inner hash.
- Pad the rest of the buffer with zeros as required by the spec.
- Add regression tests
2026-05-11 04:56:16 +02:00
David Garske 867ce26474 Merge pull request #10278 from twcook86/lpc55s69_crypto
Add wolfCrypt support for lpc55s69 hw crypto
2026-05-08 16:00:54 -07:00
jordan 98831c25d4 wolfmath: check mpSz in wc_export_int. 2026-05-08 15:26:57 -05:00
David Garske 3351eb429a Merge pull request #10354 from embhorn/zd21725
Fix IPSAN and registeredID handling
2026-05-08 12:15:37 -07:00
David Garske d465d8b130 Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096 2026-05-08 10:36:28 -07:00
Daniel Pouzzner f1fff73352 tests/api.c: fix readability-uppercase-literal-suffix in rfc9802_verify_one_cert();
tests/api/test_mldsa.c: fix misplaced PRIVATE_KEY_UNLOCK() in dilithium_oneasymkey_version_check();

wolfcrypt/test/test.c: fix valgrind-detected "Conditional jump or move depends on uninitialised value(s)" in ecc_test_curve_size() negative test on all-zeros digest.
2026-05-08 18:53:57 +02:00
Daniele Lacamera ae0d09ccff More fixes to the broken atecc608 test 2026-05-08 18:50:44 +02:00