Commit Graph

690 Commits

Author SHA1 Message Date
Eric Blankenhorn 412c428b0a Fix TLS ext bounds checking 2026-04-24 07:23:07 -05:00
Jeremiah Mackey 4a103a1b4e AES: tighten AEAD input validation 2026-04-20 17:20:54 +00:00
Jeremiah Mackey 625ea89284 save heap before Free in Delete wrappers 2026-04-16 17:14:05 +00:00
night1rider 1295f4fe0e Add WOLF_CRYPTO_CB_SETKEY and WOLF_CRYPTO_CB_EXPORT_KEY crypto callback
utilities for generic SetKey and ExportKey operations on HMAC, RSA, ECC,
  and AES. Add wc_ecc_size/wc_ecc_sig_size callback hooks for hardware-only
  keys. Integrate into configure.ac as --enable-cryptocbutils=setkey,export
  options with CI test configurations in os-check.yml.

  Add test handlers in test.c and api.c with export/import delegation
  pattern, small-stack-safe allocations, custom curve support, and
  DEBUG_CRYPTOCB helpers.
2026-04-14 16:21:50 -06:00
Daniel Pouzzner c4c2d8fafe src/include.am, wolfcrypt/src/aes.c, wolfcrypt/src/port/riscv/riscv-64-aes.c: initial buildability of fips-dev with --enable-riscv-asm. 2026-04-13 18:57:20 -05:00
David Garske c36beba9b7 Merge pull request #10174 from SparkiDev/api_test_cipher_algs_1
API testing additions: cipher tests
2026-04-13 09:54:23 -07:00
David Garske bf492eba12 Merge pull request #10175 from yosuke-wolfssl/f_2205
Fix authTagSz validation
2026-04-13 09:33:14 -07:00
David Garske 3b63f4bdee Merge pull request #10072 from night1rider/extend-cmac-api-id-label
Extend/Add label/id extension functions
2026-04-13 08:15:46 -07:00
night1rider 8b49e0abf0 Fix -Wcast-qual errors by replacing void* with typed id/label params in _common helpers and add input validation. 2026-04-10 13:19:01 -06:00
night1rider 88396d7d12 Fix -Wcast-qual errors in _Label functions by making _common helpers accept const void* data parameter. 2026-04-10 13:19:01 -06:00
night1rider 3e112a380b Extend CMAC API to pull in label/id extension functions to pass down to the AES init call
Refactor CMAC init to common function, add wc_AesNew_Id/Label API, do same for RSA new
functions, and add test init helpers for id[] support along with some test disable options
2026-04-10 13:19:00 -06:00
Sean Parkinson b764aac074 API testing additions: cipher tests
Fixed wc_AesEaxAuthDataUpdate to check eax for NULL before
dereferencing.

Fix AesSivCipher to delete/free AES if new/initialization succeeded.
Memsetting to 0 doesn't work when WC_DEBUG_CIPHER_LIFECYCLE is defined.

Added tests for:
 - AES-EAX streaming
 - AES-SIV
 - Poly1305
 - DES-CBC
2026-04-10 15:43:21 +10:00
Sean Parkinson 41aae56ab8 ARM ASM: AES-GCM small table without NEON
Non-neon GCM_gmult_len requires M0 which is not available with a small
build.
Fix to have C implementation when M0 and NEON not available.
2026-04-10 08:06:17 +10:00
Yosuke Shimizu 0a05129bd6 Fix authTagSz validation 2026-04-09 17:15:28 +09:00
Tobias Frauenschläger a88dd07c70 pkcs7,aes: reject truncated GCM auth tags
wc_PKCS7_DecodeAuthEnvelopedData() accepted an attacker-controlled GCM tag
length from the mac OCTET STRING and did not validate it against the
parsed aes-ICVlen parameter. In parallel, wc_AesGcmDecrypt() accepted
very short tags on decrypt while encrypt enforced WOLFSSL_MIN_AUTH_TAG_SZ.

This made short-tag verification reachable through CMS AuthEnvelopedData
and weakened integrity checks by allowing tag truncation.

Fixes:
- validate parsed macSz range in AuthEnvelopedData decode
- require authTagSz to match parsed macSz
- reject undersized GCM tags in PKCS7 decode
- enforce WOLFSSL_MIN_AUTH_TAG_SZ in wc_AesGcmDecrypt() and
  wc_AesGcmDecryptFinal()

Also add a regression test in pkcs7authenveloped vectors that truncates
the final MAC OCTET STRING length from 16 to 1 and verifies decode fails.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 22:38:05 -06:00
Tobias Frauenschläger 10953f021b CMAC: fix wraparound in streaming update.
The guard `if (cmac->totalSz != 0)` was used to skip XOR-chaining on
the first block (where digest is all-zeros and the XOR is a no-op).
However, totalSz is word32 and wraps to zero after 2^28 block flushes
(4 GiB), causing the guard to erroneously fire again and discard the
live CBC-MAC chain state.  Any two messages sharing a common suffix
beyond the 4 GiB mark then produce identical CMAC tags, enabling a
zero-work prefix-substitution forgery.  The fix removes the guard,
making the XOR unconditional; the no-op property on the first block is
preserved because digest is zero-initialized by wc_InitCmac_ex.

Identified by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 12:35:15 +02:00
Ruby Martin 8b2fd34e95 free authInPadded if alloc'd on early return 2026-03-26 16:11:19 -06:00
David Garske 4c75a866d9 Add inline documentation for missing macros and fix spelling errors 2026-03-16 17:09:13 -07:00
Daniel Pouzzner 58f48a96bf Merge pull request #9836 from Frauschi/pkcs11_dilithium
Add support for ML-DSA in PKCS#11
2026-03-05 15:22:10 -06:00
Tobias Frauenschläger ad22f9a37c Support for ML-DSA in PKCS#11
Offload ML-DSA operations onto a PKCS#11 token via the cryptoCb
interface:
* Key generation
* Signature generation
* Signature verification
* Key import

Both the pure and pre-hash versions are supported. Not yet supported are
the pre-hash versions that also offload the hashing onto the token.

This also fixes casting errors introduced in #9780 due to usage of
uintptr_t, which is unavailable without including stdint.h on some
platforms. Use the wolfssl own wc_ptr_t instead.
2026-03-02 11:45:11 +01:00
Daniel Pouzzner 4110887871 wolfcrypt/src/aes.c: in AesSivCipher(), burn sivTmp before return (Fenrir M-69). 2026-02-27 23:40:19 -06:00
Eric Blankenhorn 2243133572 Fix prefix for WC_ALL_ARGS_NOT_NULL 2026-02-27 07:29:41 -06:00
Sean Parkinson f3b57679a5 Merge pull request #9835 from douzzer/20260226-fix-aes-prefetch-optimize
20260226-fix-aes-prefetch-optimize
2026-02-27 08:23:02 +10:00
JacobBarthelmeh 921ecf0bca Merge pull request #9830 from aidangarske/fix-wolfcrypt-fenrir
Fix fenrir security findings for wolfcrypt
2026-02-26 14:20:31 -07:00
Daniel Pouzzner 100e79f9e5 wolfcrypt/src/aes.c: add _TI_CRYPT and _RISCV_ASM fallthrough definitions for Aes{En,de}crypt_preFetchOpt. 2026-02-26 09:24:10 -06:00
Sean Parkinson 2064ff461c Merge pull request #9797 from douzzer/20260218-aes-prefetch-optimize
20260218-aes-prefetch-optimize
2026-02-26 08:27:08 +10:00
Sameeh Jubran deb668ca4b pkcs7: add RSA-PSS support for SignedData
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData
encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use
id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1,
salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates
(e.g. -173 invalid signature algorithm) and maintains backward
compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-25 11:02:47 +02:00
aidan garske 3295a6521c Fix Fenrir issues in wolfcrypt 2026-02-24 18:51:58 -08:00
Daniel Pouzzner 39987a9d53 wolfcrypt/src/aes.c, wolfcrypt/src/cmac.c, wolfssl/wolfcrypt/aes.h, wolfssl/wolfcrypt/types.h: optimizations to mitigate performance regressions from 299e7bd097 (#9783):
* add prefetch_ptr flag argument to AesEncrypt_C() and AesDecrypt_C(), and call PreFetchTe() and PreFetchSBox() only if *prefetch_ptr is zero, whereupon it is set to 1;
* when C implementations are available, add prefetch_ptr arg to wc_AesEncrypt() and wc_AesDecrypt(), and pass it through;
* in functions that directly call the AES block encryption methods, opportunistically inhibit prefetch on all but the first call;
* move AES-specific code in wc_CmacUpdate() in cmac.c to wc_local_CmacUpdateAes() in aes.c to let it use conditional prefetching;
* add WC_ARG_NOT_NULL(), WC_ARGS_NOT_NULL(), and WC_ALL_ARGS_NOT_NULL attribute abstractions.
2026-02-24 13:59:12 -06:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Sean Parkinson 299e7bd097 AES clang: make x volatile in pre-fetch functions
Latest version of clang with optimization turned right up will make the
pre-fetch functions return 0.
The pre-fetch functions are there to ensure tables are all in cache not
to calculate a value.
2026-02-17 08:44:24 +10:00
Daniel Pouzzner 10d4b1dd92 wolfcrypt/src/aes.c: fix -Wunused-variable in wc_AesSetKey(). 2026-02-04 14:14:57 -06:00
Sameeh Jubran 425dc1372d cryptocb: add AES CryptoCB key import support and tests
Add CryptoCB-based AES key import support to enable Secure Element
offload without exposing raw AES key material to wolfCrypt.

When WOLF_CRYPTO_CB_AES_SETKEY is defined, wolfCrypt invokes a CryptoCB
callback during AES key setup. Behavior is determined by the callback
return value:

- If callback returns 0: Key is imported to the device (aes->devCtx).
  Key is NOT copied to wolfCrypt RAM; GCM H/M tables are NOT generated.
  Full hardware offload is assumed.

- If callback returns CRYPTOCB_UNAVAILABLE: Device does not support
  SetKey. Normal software path is used; key is copied to devKey for
  optional encrypt/decrypt acceleration.

- Any other error: Propagated to the caller.

Key points:
- Add wc_CryptoCb_AesSetKey() callback for AES key import
- Update AES SetKey paths to call CryptoCB and branch on return value
- Skip GCM H/M table generation when callback succeeded (devCtx set)
- Preserve existing behavior when devId is INVALID_DEVID or
  WOLF_CRYPTO_CB_AES_SETKEY is not defined

Testing:
- Add unit test for CryptoCB AES SetKey (verifies key isolation when
  callback succeeds)
- Add end-to-end AES-GCM offload test (SetKey, Encrypt, Decrypt, Free
  via CryptoCB)
- Tests use a mock SE with software AES to validate routing

Enable with: CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-03 16:59:02 +02:00
Daniel Pouzzner 8719df2666 wolfcrypt/src/aes.c: in wc_AesGcmSetKey(), don't VECTOR_REGISTERS_POP() until after GCM_generate_m0_*(). 2026-01-30 17:33:30 -06:00
Sean Parkinson bc9e37118e Regression test fixes
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.

wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
Tesfa Mael d3d2105035 Fix cert SW issues 2026-01-21 12:09:53 -08:00
David Garske 6bdc6a7550 Merge pull request #9618 from SparkiDev/volatile_multi_statement
Multiple volatile variables in a C statement undefined
2026-01-20 10:42:49 -08:00
Sean Parkinson 1aa79af41e Multiple volatile variables in a C statement undefined
Undefined behaviour when there are multiple volatile variables accessed
in the one C statement.
Changes to introduce non-volatile temporaries, split statement or make
variable non-volatile.
2026-01-13 15:08:50 +10:00
JacobBarthelmeh 7a2e1c1dd0 Merge pull request #9585 from dgarske/add-missing-api-docs
Add missing API documentation
2025-12-30 09:37:22 -07:00
David Garske 5b5686c53c Peer review improvements. 2025-12-29 08:37:51 -08:00
Daniel Pouzzner 7bbd28d369 wolfcrypt/src/aes.c: fix clang-diagnostic-unreachable-code in AesSetKey_C(). 2025-12-26 18:13:44 -06:00
night1rider afbc65a6c3 Aes Free callback support 2025-12-22 12:39:41 -07:00
Sean Parkinson af2c6cc932 AES-GCM ARM32/Thumb2 ASM: don't change aes->reg in decrypt
OpenSSL compatability layer expects aes->reg to be unmodified by AES-GCM
decrypt call. ARM32/Thumb2 assembly implementation  modifies buffer.
Keep a copy and restore aes->reg after call.
2025-12-17 16:04:25 +10:00
Sean Parkinson 8e14d4a774 Aarch64 AES ASM no hw crypto: no dead code
Fix code so that there is no dead code compiled.
That is, change if checks to #ifdef checks.
2025-12-12 12:31:36 +10:00
Sean Parkinson 80b7ea638e Aarch64 no harware crypto assembly AES
Implementations of AES-ECB, AES-CBC, AES-CTR, AES-GCM, AES-XTS with base
instructions and NEON but not using crypto instructions.

Benchmark of AES-ECB added.
Updated AES tests.
2025-12-10 08:55:58 +10:00
Sean Parkinson 697bc47d8e AES-GCM, 4-bit table, Big Endian: fast impl of GMULT
Add fast implementation GMULT for big-endian platforms like PowerPC and
PowerPC64.
Speeds up AES-GCM.
2025-12-03 11:22:49 +10:00
David Garske dd40417fca Merge pull request #9479 from josepho0918/aes-cbc-mmcau
Prefer ARMASM over MMCAU for AES CBC when both enabled
2025-12-02 07:58:17 -08:00
Joseph Chen 26206821ff Prefer ARMASM over MMCAU for AES CBC when both enabled 2025-11-26 16:05:05 +08:00
Daniel Pouzzner be1f916028 wolfcrypt/src/aes.c: in the WOLFSSL_ARMASM && GCM_SMALL && !__aarch64__ static C implementation of GCM_gmult_len(), rename to GCM_gmult_len_armasm_C() (incompatible with other implementations);
wolfcrypt/src/aes.c: move FREESCALE_MMCAU implementations later (minimum precedence) for wc_AesEncrypt(), wc_AesDecrypt(), wc_AesSetKeyLocal(), wc_AesSetKey(), and wc_AesSetKeyDirect() (fixes ZD#20862).
2025-11-25 23:01:05 -06:00
David Garske 6fc99ac6d8 Merge pull request #9431 from Pushyanth-Infineon/psoc6_aes_support
Enable hardware acceleration for AES on PSoC6.
2025-11-25 13:31:23 -08:00