RHEL9 kernels (9.6+) disable RSA signing and decryption in the kernel
crypto API for security reasons (CVE-2023-6240). The kernel forcibly
overwrites akcipher sign/decrypt callbacks to return -ENOSYS, regardless
of what the driver provides.
Commit 3709c35c in the RHEL kernel:
"crypto: akcipher - Disable signing and decryption"
This affects our self-tests which call crypto_akcipher_sign() and
crypto_akcipher_decrypt(). On RHEL9, these operations return -ENOSYS
even though our driver correctly implements them.
Add compile-time checks for RHEL_RELEASE_CODE >= 9.6 to detect this
scenario and skip the affected self-tests gracefully. The tests pass
since the algorithms are registered correctly; the kernel simply
refuses to execute sign/decrypt operations as a matter of policy.
Note: encrypt and verify operations are unaffected and continue to be
tested normally.
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
... by using the same additional includes as on Linux.
Fixes:
CC tests/api/unit_test-test_rsa.o
tests/api.c:19554:9: error: call to undeclared function 'waitpid'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration]
19554 | waitpid(pid, &waitstatus, 0);
| ^
Tested on ElectroBSD amd64 14.3-STABLE.
Add MAX_RECORD_SIZE-based bounds checks in SendHandshakeMsg and Dtls13SendFragmentedInternal to prevent negative/overflowed fragment sizes from reaching memcpy/BuildMessage/DtlsMsgPoolSave.
This PR adds Doxygen documentation for native wolfSSL API functions that were previously undocumented. It includes documentation notes for APIs gated on specific preprocessor macros:
- WOLF_PRIVATE_KEY_ID: _Id and _Label init helpers (wc_AesInit_Id, wc_AesInit_Label, wc_ecc_init_id, wc_ecc_init_label, wc_InitRsaKey_Id, wc_InitRsaKey_Label) require this for PKCS11 support
- WC_NO_CONSTRUCTORS: New/Delete constructor functions (wc_AesNew/Delete, wc_curve25519_new/delete, wc_ed25519_new/delete, wc_NewRsaKey/DeleteRsaKey) are only available when this is not defined. WC_NO_CONSTRUCTORS is automatically defined when WOLFSSL_NO_MALLOC is defined.
- WOLFSSL_PUBLIC_ASN: ASN functions marked with WOLFSSL_ASN_API include notes indicating they are not public by default
- WOLFSSL_DUAL_ALG_CERTS: wc_GeneratePreTBS and wc_MakeSigWithBitStr for Post-Quantum dual algorithm certificate signing
The New/Delete functions are documented as being exposed to support allocation of structures using dynamic memory to provide better ABI compatibility.
