Commit Graph

11597 Commits

Author SHA1 Message Date
Tobias Frauenschläger d4eedf8af8 Add missing ForceZero call for ML-DSA 2026-06-15 12:07:00 +02:00
Tobias Frauenschläger e43281b2dc Add missing ForceZero calls for ML-KEM 2026-06-15 12:06:55 +02:00
David Garske f42a698c59 Merge pull request #10668 from holtrop-wolfssl/f-5394
Force-zero wc_AesSivDecrypt*() output buffer on authentication failure
2026-06-12 16:35:31 -07:00
JacobBarthelmeh 86ba8f7770 Merge pull request #10652 from SparkiDev/regression_fixes_25
Regression testing fixes - memory allocation failure testing
2026-06-12 16:30:57 -06:00
Josh Holtrop 445b8b272c Document PUBLIC_KEY_E return value for wc_ed448_export_public() in source comment 2026-06-12 15:58:27 -04:00
Josh Holtrop 8c1e3a261f Fix Ed448/25519 export private-only key unit tests for FIPS pre-v7 2026-06-12 15:58:27 -04:00
Josh Holtrop 3d517841d5 Ed448: check for public key presence on export
Return PUBLIC_KEY_E for wc_ed25519_export_key if public key is not
present.
Return PUBLIC_KEY_E for wc_ed448_export_key if public key is not
present.
Rename several inLen parameters to outLen for consistency.

Fix F-4427
2026-06-12 15:58:27 -04:00
Josh Holtrop f420c66c38 Fix aes_siv_negative_test unit test style for skoll 2026-06-12 14:46:43 -04:00
Josh Holtrop 5bc5251c3e Dynamically find AES-SIV test vector index instead of hardcoding in unit test 2026-06-12 13:50:47 -04:00
Josh Holtrop 7064eeca89 Force-zero output buffer for AES-SIV decrypt for other AES errors as well 2026-06-12 12:19:06 -04:00
David Garske 6081106ae3 Merge pull request #10647 from philljj/misc_fixes
Misc wolfcrypt fixes
2026-06-12 09:13:26 -07:00
Josh Holtrop 20571a9beb Force-zero wc_AesSivDecrypt*() output buffer on authentication failure 2026-06-12 08:07:46 -04:00
Juliusz Sosinowicz 3a6c31a51e CI: pool the per-config runner matrices into parallel make-check jobs
Replace the one-runner-per-configuration matrices across the
make-check workflow family with a generic pooled runner,
.github/scripts/parallel-make-check.py. Each workflow keeps its
configuration list as JSON next to the invocation; one runner (or a
small fixed set of shards, balanced by measured per-config minutes)
builds every config in its own out-of-tree (VPATH) build directory off
a single checkout/autogen, on a pool of one-per-CPU worker threads,
longest first. Concurrent checks are isolated with bubblewrap network
namespaces, compilations are cached with ccache, the first failure
aborts the rest (fail-fast, with --no-fail-fast to run everything),
and per-config timings plus pool efficiency land in the step summary.
Failure logs upload as artifacts. smoke-test.yml is likewise reworked
into a single pooled job that runs its nine configs on one runner.

Converted workflows (runner jobs per full pass):
  os-check.yml             101 -> 8  (92 Ubuntu configs -> 4 shards;
                           the macOS matrix, the user-settings jobs and
                           the standalone
                           macos-apple-native-cert-validation.yml fold
                           into one macOS runner; Windows unchanged)
  pq-all.yml                21 -> 2 shards
  disable-pk-algs.yml       15 -> 1
  wolfCrypt-Wconversion.yml 11 -> 1
  trackmemory.yml            7 -> 1
  cryptocb-only.yml          8 -> 1  (incl. the two new SHA512 entries)
  multi-compiler.yml         6 -> 1
  smallStackSize.yml         6 -> 1
  multi-arch.yml             6 -> 1
  async.yml                  5 -> 1
  psk.yml                    5 -> 1
  no-malloc.yml              3 -> 1
  wolfsm.yml                 3 -> 1
  opensslcoexist.yml         2 -> 1

Measured against current upstream passing runs (job execution time,
queue excluded): ~200 runner jobs / ~374 runner-minutes per full pass
become 23 jobs / ~168 runner-minutes, with more coverage than before.
multi-arch's old matrix combined an "include" list of four
architectures with an "opts" axis; GitHub's include-merge rules made
each arch entry overwrite the previous one, so only the armel
combinations actually ran. The pooled list restores the intended
aarch64/armhf/riscv64 coverage (23 combinations; riscv64 x sp-math is
omitted as invalid - configure rejects sp-math without SP, and
--enable-riscv-asm, unlike --enable-sp-asm, does not bring SP in).

Out-of-tree build fixes this depends on:
- Makefile.am: symlink the read-only test data (certs/, tests/ config
  files, sniffer captures and helpers, examples/crypto_policies,
  input, quit) into the build tree via a BUILT_SOURCES stamp, removed
  again in distclean-local. ChangeToWolfRoot() and the script tests
  resolve everything relative to the working directory, so out-of-tree
  make check and make distcheck now pass.
- scripts/multi-msg-record.py: locate the client binary from the build
  tree working directory rather than the script's source directory.
- configure.ac + wolfssl/include.am: run
  support/gen-debug-trace-error-codes.sh from $srcdir; it reads the
  error-code headers from the source tree and generates into the build
  tree.
- tests/swdev: a WOLFBUILD variable points the sub-make at the build
  tree for the configure-generated headers (wolfssl/options.h,
  wolfssl/version.h); the in-tree-only guards are dropped.

Portions of PR #10649 are incorporated: the cross-platform
ccache-setup composite action, repository_owner gates on check-headers
and check-source-text, the docs-only paths-ignore on os-check, and the
libspdm timeout bumps.
2026-06-12 09:47:13 +00:00
Tobias Frauenschläger 351b775fd4 Merge pull request #10665 from anhu/mlkem-keygen-zeroize
Zeroize some private data before releasing memory
2026-06-12 08:41:16 +02:00
jordan ab09d0c95b misc_fixes: cleanup for skoll review. 2026-06-12 00:12:45 -05:00
Daniel Pouzzner 3e390b1b29 Merge pull request #10666 from douzzer/20260611-AES-XTS-key-half-inequality
20260611-AES-XTS-key-half-inequality

approved by @dgarske and @kareem-wolfssl, final by @SparkiDev.
2026-06-11 21:55:37 -05:00
Sean Parkinson 3c34a97164 Merge pull request #10603 from aidangarske/pqc-decode-validation
PQC enforce modulus and eta range checks in DecodePrivateKey
2026-06-12 09:22:12 +10:00
Aidan Keefe 744d25fdc3 Merge pull request #10648 from aidankeefe2022/fix-Der-to-Oid-coversion
Fix EncodedDottedForm to handle when first arc is 2
2026-06-11 15:12:53 -06:00
Daniel Pouzzner 0097739dd8 fixes for F-3325:
wolfcrypt/src/aes.c: enforce AES-XTS K1!=K2 constraint in wc_AesXtsSetKeyNoInit() unless WC_AES_XTS_ALLOW_DUPLICATE_KEYS and !HAVE_FIPS:

tests/api/test_aes.c: add negative tests to test_wc_AesXtsSetKey() for K1==K2;

wolfcrypt/test/test.c: fix keys in aes_xts_128_inplace_test() and aes_xts_192_inplace_test() so that K1!=K2, update test vectors, and remove associated !HAVE_FIPS gating;

linuxkm/lkcapi_aes_glue.c: synchronize aes_xts_128_test() test of ciphertext stealing in-place with wolfcrypt/test/test.c.

wrapper/rust/wolfssl-wolfcrypt/src/aes.rs: synchronize XTS streaming test with wolfcrypt/test/test.c.

linuxkm/: refactor self-test sensing with version-gated setup in linuxkm_wc_port.h and refactored gates in lkcapi_glue.c.
2026-06-11 15:38:28 -05:00
Anthony Hu 0eea017a8b Zeroize some private data before releasing memory 2026-06-11 14:05:37 -04:00
aidan garske 514e39e2f5 test: wrap PUBLIC_KEY_E comparisons in WC_NO_ERR_TRACE for ML-KEM/ML-DSA decode tests 2026-06-11 09:35:03 -07:00
aidan garske a1bdacbb83 ML-DSA: reject private key with out-of-range s1/s2 coefficients on decode 2026-06-11 07:38:46 -07:00
aidan garske 477754024d ML-KEM: FIPS 203 modulus check - reject non-reduced private key vector on decode 2026-06-11 07:38:46 -07:00
Sean Parkinson b04f573e20 Regression testing fixes - memory allocation failure testing
crl.c, internal.h: leak of sigParams requiring reorder the struct fields to that it is above memcpy part.
dtl13.c: free the DRLS fragments buffer in Dtls13FreeFsmResources in case fragment is never sent.
ocsp.c: only free cid if locally allocated.
tls.c: make sure ecc_kse is zeroized and can be freed.
tls13.c: set hsHashesEch after init so isn't lost on failure.
evp_pk.c: free key on the BIO error path

Fixed various tests to not leak or crash on memory allocation failure.
2026-06-11 12:14:06 +10:00
Sean Parkinson 63fd322382 Merge pull request #10641 from rlm2002/zd21890
Fixes for SM2/3 and FindMultiAttrib
2026-06-11 08:01:20 +10:00
Aidan Keefe b810bba09b added case to handel when second arc of byte encoding is greater than 39 when first arc is 2 2026-06-10 12:39:18 -06:00
David Garske 10e2afa20a Merge pull request #10595 from miyazakh/f5381_RSASSA-PSS_trailerField
f5381 enforce trailerField==1 in DecodeRsaPssParams
2026-06-10 10:05:22 -07:00
Daniel Pouzzner 332c249c7a Merge pull request #10572 from Frauschi/lms_xmss_cert_gen
Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
2026-06-10 11:14:43 -05:00
David Garske 953467875f Merge pull request #10560 from philljj/fix_dh_agree
dh: fix subgroup check in wc_DhAgree.
2026-06-10 09:13:31 -07:00
David Garske 760392f403 Merge pull request #10636 from embhorn/zd21942
Harden PKCS#7 FlattenEncodedAttribs
2026-06-10 08:57:39 -07:00
jordan 2f5ad2d1d2 hmac: cleanup, and fix fips gating in api tests. 2026-06-10 09:53:00 -05:00
Tobias Frauenschläger e1413a177f Add missing ForceZero() calls
Fixes  F-5437 and F-5438
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger c01152d35a Minor fix in liboqs GetRandomData
Fixes F-4443
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger 9c60d87abc Fix minor CAVIUM issues
Fixes F-4441 and F-4442
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger c611a22b2f Ensure a key is set for DES3 operations
Fixes F-5379
2026-06-10 11:36:59 +02:00
Tobias Frauenschläger c76c83258c Ensure a key is set for ARC4 operations
Fixes F-5378
2026-06-10 11:36:29 +02:00
Tobias Frauenschläger 09b288000c Size cert signature buffers from the key and check sig type vs key
MAX_ENCODED_SIG_SZ grows to ~50KB once SLH-DSA is enabled, yet it was
used to size PKCS#1/signature scratch and output buffers across the
library, wasting stack and heap even for classic RSA/ECC operations.

- Add MAX_ENCODED_CLASSIC_SIG_SZ for RSA/DSA/ECC DigestInfo buffers that
  can never hold a PQC signature.
- Size the certificate/CSR signing output buffer from the signing key at
  runtime instead of the worst-case macro.
- Add overridable WOLFSSL_MAX_SIG_SZ for the WOLFSSL_NO_MALLOC buffer.
- Reject a signature type that does not match the signing key.
2026-06-10 10:51:41 +02:00
Tobias Frauenschläger e05a453944 Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
Extend wc_MakeCert_ex/wc_SignCert_ex/wc_MakeCertReq_ex to issue HSS/LMS and
XMSS/XMSS^MT certificates and PKCS#10 requests, building on the existing
RFC 9802 verification support. New LMS_TYPE/XMSS_TYPE/XMSSMT_TYPE selectors,
wc_{Lms,Xmss}Key_PublicKeyToDer SPKI encoders, runtime signature-buffer
sizing, and sigType/key consistency checks. Generation is ASN.1-template
only, matching where the verification path lives.

Tests generate self-signed roots, CSRs and a CA->ECC-leaf chain in-process
and verify them, replacing the patched Bouncy Castle fixtures (only the stock
RFC 9802-aligned LMS interop anchor is kept).
2026-06-10 10:51:33 +02:00
jordan c78fb5f41b dh: fix subgroup check in wc_DhAgree. 2026-06-10 01:28:12 -05:00
jordan 2648a84f46 hmac: appease multi-test for unused ret value. 2026-06-10 01:11:35 -05:00
Ruby Martin b167c2687e verify i >= 0 before continuing loop. clears coverity false positive 2026-06-09 15:40:16 -06:00
Ruby Martin 1786cebf8c add negative value check after wc_HashGetDigestSize 2026-06-09 15:40:16 -06:00
Ruby Martin 6bfb53f084 Add pubKeySize check for SM3-with-SM2 2026-06-09 14:45:26 -06:00
David Garske 52681591fe Merge pull request #10640 from douzzer/20260608-atomic-fixes
20260608-atomic-fixes
2026-06-09 10:41:01 -07:00
jordan f063721fac dsa: check that key was created before export. 2026-06-09 12:27:08 -05:00
jordan 8b8603c702 pwdbased: add missing force zero. 2026-06-09 11:20:28 -05:00
jordan 04e57d7fd7 evp: fix dangling pkey pointer. 2026-06-09 10:51:58 -05:00
jordan 132079d2a1 hmac: err on update if key not set. 2026-06-09 10:02:51 -05:00
David Garske bbace5a1cc Merge pull request #10494 from LinuxJedi/STM32MP13-SHAKE
Fix SHAKE with STM32MP13 and add simulator
2026-06-08 15:45:30 -07:00
David Garske e2d3b63139 Merge pull request #10207 from ColtonWilley/d2i_pem_negative_length
Add signed-length validation to d2i, PEM, and buffer-load APIs
2026-06-08 15:42:00 -07:00