Commit Graph

27803 Commits

Author SHA1 Message Date
Josh Holtrop 7af0fa497a Rust wrapper: update dilithium module after review 2026-02-24 14:23:59 -05:00
Josh Holtrop 504617bbe9 Rust wrapper: add dilithium module 2026-02-23 10:54:21 -05:00
Kaleb Himes 9ed2f4bad1 Merge pull request #9815 from douzzer/20260221-configure-kernel-mode-defaults
20260221-configure-kernel-mode-defaults
2026-02-22 11:19:07 -07:00
Daniel Pouzzner 47dd864f32 configure.ac:
* add a kernel-appropriate subset of enable-all-crypto to enable whenever KERNEL_MODE_DEFAULTS (almost all of these overlap with FIPS v5/v6 settings);
* move ocspstapling features from enable-all-crypto to enable-all.
2026-02-21 15:09:30 -06:00
David Garske f9572880bf Merge pull request #9813 from embhorn/tlsanvil-fixes
Extend timeout for tls13-client
2026-02-21 12:13:27 -08:00
Kaleb Himes f60beb6c7c Merge pull request #9814 from douzzer/20260221-configure-all-crypto-fpecc
20260221-configure-all-crypto-fpecc
2026-02-21 11:16:19 -07:00
Daniel Pouzzner ff7bc11774 configure.ac: restore fpecc to enable-all-crypto, accidentally removed in f376ae210e. 2026-02-21 10:48:14 -06:00
philljj 1a0549fe5a Merge pull request #9800 from douzzer/20260204-linuxkm-fips-hash
20260204-linuxkm-fips-hash
2026-02-20 18:39:25 -06:00
Eric Blankenhorn 4f8fc76d9d Extend timeout for tls13-client 2026-02-20 16:35:52 -06:00
Daniel Pouzzner 9ca32e23d4 linuxkm/linuxkm-fips-hash.c: cosmetic bikeshedding (AI-prompted);
linuxkm/linuxkm_memory.c and linuxkm/linuxkm_memory.h: set up and use WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ.
2026-02-20 15:45:27 -06:00
Daniel Pouzzner 10ba02fe40 linuxkm/lkcapi_sha_glue.c: add -wolfentropy and/or -rdseed to WOLFKM_STDRNG_DRIVER to advertise the seed source. 2026-02-20 15:44:54 -06:00
David Garske 9641ab4b68 Merge pull request #9805 from julek-wolfssl/openldap-2.6.9-testing
Add openldap 2.6.9 testing
2026-02-20 11:16:44 -08:00
David Garske 1e544b303f Merge pull request #9810 from julek-wolfssl/rng-tools-6.17
Add rng-tools 6.17 testing
2026-02-20 11:16:18 -08:00
David Garske 670aa59dee Merge pull request #9809 from holtrop-wolfssl/cmake-null-cipher
Add CMake support for NULL_CIPHER
2026-02-20 10:59:17 -08:00
David Garske e34e679766 Merge pull request #9804 from embhorn/tls-anvil-workflow
TLS Anvil workflow
2026-02-20 10:59:05 -08:00
David Garske 940ac7093f Merge pull request #9808 from holtrop-wolfssl/rust-no-std
Rust wrapper: fix no_std support
2026-02-20 10:55:01 -08:00
Daniel Pouzzner f84377ed69 linuxkm/linuxkm-fips-hash-wrapper.sh: make sure awk is gawk. 2026-02-20 11:35:47 -06:00
Daniel Pouzzner 70aa3dc5b1 20260204-linuxkm-fips-hash: more fixes+improvements from peer and AI review:
linuxkm/linuxkm_memory.c:
* fix straddle check in wc_reloc_normalize_text();
* fix seg_map bounds checks in wc_fips_generate_hash();

linuxkm/linuxkm_memory.h: fix initializer for wc_reloc_table_segments.bss_end;

wolfssl/wolfcrypt/settings.h: add WC_BITS_TO_BYTES() and WC_BITS_FULL_BYTES() and deploy opportunistically to wolfssl/internal.h, wolfssl/wolfcrypt/{asn.h,dh.h,rsa.h,types.h}, wolfcrypt/src/sakke.c, and wolfcrypt/test/test.c.
2026-02-20 11:09:37 -06:00
Daniel Pouzzner 9443f59db1 linuxkm/linuxkm-fips-hash.c: fix overlong lines;
.wolfssl_known_macro_extras: fix lexical order.
2026-02-20 11:09:37 -06:00
Daniel Pouzzner db7a04a626 improvements spurred by peer review for 20260204-linuxkm-fips-hash:
configure.ac: add --enable-kernel-verbose-debug and --enable-kernel-stack-debug;

linuxkm/Makefile:
* add QFLAG and VFLAG setup, and pass their values appropriately;
* add missing `@set -e` and `-Wall -Wextra` to the linuxkm-fips-hash recipe;
* use +$(MAKE), not @$(MAKE), for proper dry run recursion.

linuxkm/README.md: update to reflect new goodies, and generally revise+extend remarks.

linuxkm/linuxkm-fips-hash-wrapper.sh: add copyright header; pass through extra caller arguments to ./linuxkm-fips-hash.

linuxkm/linuxkm-fips-hash.c:
* add copyright header;
* fix code around user_coreKey;
* add explicit wolfCrypt_Cleanup() and cleanup of mod_fd and mod_map at end;
* remove unused reloc_tab_len
* fix a couple -Wsign-compares;
* add missing fprintf arguments
* properly set ret = -1 in a couple failure paths.

linuxkm/linuxkm_wc_port.h: set WOLFSSL_LINUXKM_VERBOSE_DEBUG when WOLFSSL_KERNEL_VERBOSE_DEBUG, and recognize WOLFSSL_KERNEL_STACK_DEBUG as a synonym for WC_LINUXKM_STACK_DEBUG.

linuxkm/linuxkm_memory.c and linuxkm/linuxkm_memory.h: add brief explanatory comments.
2026-02-20 11:09:37 -06:00
Daniel Pouzzner f376ae210e Implement Linux kernel module offline integrity hash calculation:
Add:

* linuxkm/linuxkm-fips-hash.c
* linuxkm/linuxkm-fips-hash-wrapper.sh
* linuxkm/linuxkm_memory.h

Move from linuxkm/module_hooks.c to linuxkm/linuxkm_memory.c:
* reloc_layouts[]
* find_reloc_tab_offset()
* the body of wc_linuxkm_normalize_relocations() as wc_reloc_normalize_text()
* most of updateFipsHash() as wc_fips_generate_hash()

Move from linuxkm/linuxkm_wc_port.h to linuxkm/linuxkm_memory.h:
* struct wc_linuxkm_pie_reloc_tab_ent
* enum wc_reloc_dest_segment
* enum wc_reloc_type

linuxkm/Makefile:
* Update GENERATE_RELOC_TAB recipe to populate new fields in struct wc_reloc_table_ent.
* Add targets:
  * libwolfssl-user-build/src/.libs/libwolfssl.so
  * linuxkm-fips-hash
  * module-with-matching-fips-hash
  * module-with-matching-fips-hash-no-sign
* Add support for alternate target module name, via LIBWOLFSSL_NAME make variable.

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:
* Fixes to make linuxkm-pie work with CONFIG_KASAN.
* Implement WC_LINUXKM_STACK_DEBUG:
  * wc_linuxkm_stack_bottom()
  * wc_linuxkm_stack_top()
  * wc_linuxkm_stack_current()
  * wc_linuxkm_stack_left()
  * wc_linuxkm_stack_hwm_prepare()
  * wc_linuxkm_stack_hwm_measure_rel()
  * wc_linuxkm_stack_hwm_measure_total()

wolfssl/wolfcrypt/settings.h:
* When WOLFSSL_KERNEL_MODE, make sure WOLFSSL_GENERAL_ALIGNMENT is at least SIZEOF_LONG.
* When WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sure WOLFSSL_BASE16 is defined.

configure.ac and wolfcrypt/benchmark/benchmark.c: Disable scrypt when KERNEL_MODE_DEFAULTS, due to excessive memory requirements.
2026-02-20 11:09:37 -06:00
Juliusz Sosinowicz ec5a901c33 Add rng-tools 6.17 testing
Depends on https://github.com/wolfSSL/osp/pull/318
2026-02-20 16:11:11 +01:00
Andrew Hutchings 0c19fb17d6 Merge pull request #9745 from dgarske/stm32_hmac
Support for STM32 HMAC hardware
2026-02-20 14:30:31 +00:00
Josh Holtrop 616f1eec75 Add CMake support for NULL_CIPHER 2026-02-20 07:50:36 -05:00
Josh Holtrop 3da3e12edc Rust wrapper: fix no_std support
Generate bindgen API with core instead of std
Replace C types using std:: with core::
Replace std::mem usage with core::mem
2026-02-20 07:10:01 -05:00
David Garske 9e5d03b23e Merge pull request #9803 from holtrop-wolfssl/rust-fips-v5
Rust wrapper: add compatibility with older FIPS v5 package
2026-02-19 13:40:21 -08:00
Eric Blankenhorn c2b5f29d5c Replace em dashes with hyphens in tls-anvil workflow
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 14:16:29 -06:00
Juliusz Sosinowicz 77dcf3587e Add openldap 2.6.9 testing
Depends on https://github.com/wolfSSL/osp/pull/315
2026-02-19 19:18:34 +01:00
Josh Holtrop 2ada1a3629 Rust wrapper: add compatibility with older FIPS v5 package 2026-02-19 12:50:05 -05:00
David Garske 41614d10ed Add STM32 hardware HMAC support 2026-02-19 09:11:02 -08:00
David Garske f1e8c1b886 Merge pull request #9787 from holtrop-wolfssl/fix-integrity-only-cipher-nonce-calculation
Fix integrity-only cipher nonce calculation
2026-02-19 09:05:24 -08:00
Eric Blankenhorn a0721b94fb Fix tls-anvil workflow: C_EXTRA_FLAGS quoting and report.json parsing
CPPFLAGS replaces C_EXTRA_FLAGS with embedded single-quotes, which were
passed as literal characters through the shell variable and caused
configure's C compiler test to fail. Fix the report.json summary parser
to use the actual TLS-Anvil field names (TotalTests, FullyFailedTests,
etc.) and include category scores.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-19 11:01:16 -06:00
David Garske 936d20afbe Merge pull request #9799 from SparkiDev/arm64_aes_dec_fix
ARM64 AES ASM base: TD4 is only 256 bytes long
2026-02-19 08:50:48 -08:00
David Garske 1047aaa881 Merge pull request #9796 from JacobBarthelmeh/copyright
update Copyright year
2026-02-19 08:47:30 -08:00
David Garske 7e8b08179c Merge pull request #9798 from lealem47/arm32_kernel
Fix SIZEOF_LONG default for 32-bit Linux kernel modules
2026-02-19 08:45:57 -08:00
David Garske 69b28cd5e4 Merge pull request #9801 from LinuxJedi/static-fixes3
Fix things found in static analysis
2026-02-19 08:44:38 -08:00
Eric Blankenhorn 0898046113 Add TLS-Anvil RFC compliance GitHub Actions workflow
Runs the TLS-Anvil combinatorial test suite nightly against wolfSSL in
all four roles: TLS 1.2/1.3 server and TLS 1.2/1.3 client. Results are
summarized in the job summary and uploaded as artifacts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-19 10:35:12 -06:00
Andrew Hutchings 17680a2359 Fix leak in PKCS7 RSA-OAEP 2026-02-19 11:42:21 +00:00
Andrew Hutchings 4551926dad Fix inverted logic in Sphincs and Falcon 2026-02-19 11:40:36 +00:00
Andrew Hutchings 66de1d6cdb Fix wolfSSL_CRYPTO_memcmp
This is used by the OpenSSL compatibility layer. If either parameter was
NULL, it would return as a match. We should return a non-match instead.

OpenSSL itself has no safety checks here.
2026-02-19 11:01:52 +00:00
Sean Parkinson 88451a71b3 ARM64 AES ASM base: TD4 is only 256 bytes long
Pre-fetch fewer entries of TD4, than TD, as it is only 256 bytes long.
2026-02-19 09:31:00 +10:00
Sean Parkinson 3a1aa8310e Merge pull request #9780 from mattia-moffa/20260216-pkcs-ecdh-fixes
Fix PKCS11 object leak in Pkcs11ECDH
2026-02-19 08:46:30 +10:00
David Garske c5bbe798ec Merge pull request #9760 from SparkiDev/mldsa_small_matrix_mul_reduce
ML-DSA/Dilithium: reduce vector when small build
2026-02-18 14:40:40 -08:00
David Garske 2aa9f991f8 Merge pull request #9738 from anhu/cmake_HSC
Add HAVE_SECRET_CALLBACK to cmake.
2026-02-18 13:56:19 -08:00
Lealem Amedie 63c4b29638 Add __SIZEOF_LONG__ to .wolfssl_known_macro_extras 2026-02-18 14:30:39 -07:00
David Garske eceb55ebeb Merge pull request #9795 from LinuxJedi/static-fixes2
Static analysis fixes
2026-02-18 12:07:26 -08:00
Lealem Amedie 4e6d9ea02b Fix SIZEOF_LONG default for 32-bit Linux kernel modules 2026-02-18 12:23:29 -07:00
David Garske 2971c7024b Merge pull request #9671 from SparkiDev/aes_gcm_arm32_hw_crypto_set_key_unaligned
ARM32 HW Crypto: AES-GCM set key unaligned key
2026-02-18 10:54:42 -08:00
David Garske 7efefc7b22 Merge pull request #9792 from SparkiDev/sp_c_rsa_pub_only
SP C - RSA public only build with DH
2026-02-18 10:01:53 -08:00
Andrew Hutchings 7248ca3592 Add SM2 to renewcerts.sh 2026-02-18 18:01:33 +00:00