Commit Graph

10047 Commits

Author SHA1 Message Date
Daniel Pouzzner 00fe73b2ca Merge pull request #10484 from SparkiDev/arm32_neon_chacha20_align_fix
ARM32 NEON ChaCha20: alignment fix
2026-05-14 08:54:09 -05:00
Sean Parkinson 81cce394db Merge pull request #10440 from JeremiahM37/gh10423
fix NO_VERIFY_OID build in GetOID
2026-05-14 20:02:06 +10:00
Sean Parkinson 31a76d333b Merge pull request #10468 from JeremiahM37/fenrir-wolfcrypt-api-hardening
wolfCrypt API hardening: input validation, key zeroization, hardware ports
2026-05-14 20:00:39 +10:00
Sean Parkinson 75f32a336c Merge pull request #10442 from JeremiahM37/zd21783
Fix SAKKE OOB write and correctness gap in sakke_hash_to_range
2026-05-14 19:51:52 +10:00
Sean Parkinson e1840c6f83 ARM32 NEON ChaCha20: alignment fix
vldm and vstm assume an 32-bit alignment.
Change to use vld1 and vst1.
2026-05-14 19:39:10 +10:00
David Garske c450bdb381 Merge pull request #10471 from JacobBarthelmeh/cavium_octeon
fix Octeon AES-GCM J0 derivation when ivSz is a non-12-byte non-zero …
2026-05-13 15:25:11 -07:00
David Garske 497ed9843e Merge pull request #10303 from julek-wolfssl/zd/21675
ocsp: bind responder authorization to CertID issuerKeyHash
2026-05-13 10:33:17 -07:00
David Garske d6931b9f29 Merge pull request #10272 from The-Capable-Hub/wbeasley/meta-cheri-fixes
Fix support on CHERI RISC-V architecture
2026-05-13 09:33:53 -07:00
Jeremiah Mackey cd34cefbad Reject ssvSz=0 in SAKKE public APIs 2026-05-13 14:58:56 +00:00
JeremiahM37 623ab49572 Fix sakke_xor_in_v write offset and read base 2026-05-13 14:58:56 +00:00
Sean Parkinson 58c41b6d57 Merge pull request #10458 from philljj/fix_GetShortInt
asn: fix GetShortInt for asn original.
2026-05-13 16:44:38 +10:00
Sean Parkinson cef3187fdb Merge pull request #10456 from padelsbach/lms-xmss-sw-fallback-fix
Fix LMS and XMSS cryptocb software fallback
2026-05-13 16:43:41 +10:00
Sean Parkinson 9e739c6ad0 Merge pull request #10455 from sebastian-carpenter/hpke-fix
Fix: hpke return code improvements
2026-05-13 16:42:45 +10:00
Sean Parkinson 581a9688c6 Merge pull request #10444 from philljj/fix_wc_export_int
wolfmath: check mpSz in wc_export_int.
2026-05-13 16:41:17 +10:00
Sean Parkinson 2670a4f976 Merge pull request #10441 from padelsbach/pkcs7-verify-fix
Fix OOB possibility in PKCS7_VerifySignedData
2026-05-13 16:19:15 +10:00
David Garske dfe03ff538 Merge pull request #10381 from kareem-wolfssl/zd21694
Validate DSA parameters when verifying DSA key.
2026-05-12 16:29:29 -07:00
Jeremiah Mackey b235af7714 Harden wolfCrypt hardware port paths 2026-05-12 20:57:31 +00:00
Jeremiah Mackey c516d9b6af Add wc_Rc2Free for key zeroization 2026-05-12 20:57:31 +00:00
Jeremiah Mackey 9fd21431c2 Null-check wolfCrypt API inputs 2026-05-12 20:57:31 +00:00
JacobBarthelmeh d184b79217 fix Octeon AES-GCM J0 derivation when ivSz is a non-12-byte non-zero multiple of WC_AES_BLOCK_SIZE 2026-05-12 14:17:43 -06:00
Jeremiah Mackey 76b48f8fc4 fix NO_VERIFY_OID build in GetOID 2026-05-12 20:00:04 +00:00
David Garske 32439c975f Merge pull request #10448 from SparkiDev/lms_fixes_1
LMS: fixes and improvements
2026-05-12 09:26:42 -07:00
David Garske 2239fc336b Merge pull request #10430 from SparkiDev/mlkem_avx2_fixes
ML-KEM: fix AVX2 assembly
2026-05-12 09:25:54 -07:00
David Garske 15f3f7b102 Merge pull request #10439 from ejohnstown/octeon-fix
port/cavium: fix Octeon AES-GCM AAD GHASH bug
2026-05-12 09:22:10 -07:00
David Garske 3e6efbac52 Merge pull request #9567 from jackctj117/serial-0
Allow serial number 0 for root CA certificates
2026-05-12 09:19:56 -07:00
David Garske 33efd8c9b3 Merge pull request #10050 from anhu/pbkdf_max
Add upper limit to PBKDF iteration count
2026-05-12 09:10:54 -07:00
JeremiahM37 f60f8cd965 Clamp sakke_xor_in_v write to buffer length 2026-05-12 16:04:45 +00:00
Daniel Pouzzner 7cfc9e9103 Merge pull request #10465 from Frauschi/slhdsa_pre_hash
SLH-DSA fixes
2026-05-12 10:38:49 -05:00
Juliusz Sosinowicz 0735a0a7b5 ocsp: bind responder authorization to CertID issuerKeyHash
Addresses ZD21675
2026-05-12 14:36:00 +02:00
Sean Parkinson 2c4f854962 Merge pull request #10447 from mattia-moffa/20260508-blake2-long-key-fix
Fix Blake2 oversized key path
2026-05-12 22:07:16 +10:00
Tobias Frauenschläger bec6c0fef2 SLH-DSA fixes
Follow up to PR #10450 with some minor fixes:

* FIPS 205 numbering: slh_sign is §10.2.1 Alg 22; slh_verify is Alg 24;
  hash_slh_verify is Alg 25 (impl comments and doxygen).
* Widen wc_SlhDsaKey_SignHashWithRandom's addRnd to const byte* to
  match wc_SlhDsaKey_SignWithRandom.
* Make the SLHDSA_PHMSG_MAX_LEN invariant explicit with a named
  SLHDSA_LARGEST_APPROVED_PHM_LEN constant and a wc_static_assert.
* SHAKE128/SHAKE256 round-trip and length-rejection coverage for both
  SignHash and VerifyHash.
* Doxygen: briefs for the five DER encode/decode APIs; accurate
  decoder failure-rollback wording; tighter return-code lists for
  Verify and VerifyMsg.
* ChangeLog: silent-failure caveat for raw messages whose length
  happens to equal the digest size of the chosen hashType.
2026-05-12 13:24:24 +02:00
William Beasley (The Capable Hub) ba0122628c cheri: Use conditional copy over bitmask arithmetic in sakke_modexp_loop
On CHERI casting mp_int pointers to wc_ptr_t for the bitmask
arithmetic strips the hardware capability tag. The reconstructed
pointer won't have a valid tag and will cause a tag violation when it
is dereferenced.

Under __CHERI_PURE_CAPABILITY__, replace the pointer arithmetic with
four mp_cond_copy calls that operate on the digit data directly.
This preserves the capability tags and accesses both accumulators
unconditionally.

Non-CHERI builds retain the original wc_off_on_addr path unchanged.

Signed-off-by: William Beasley (The Capable Hub) <wbeasley@thegoodpenguin.co.uk>
2026-05-12 10:11:58 +01:00
William Beasley (The Capable Hub) 7cba06da8a cheri: Fix CHERI tag violation on constant time pointer selection
The branchless code in casts sp_int pointers to size_t for bitmask
arithmetic, then casts the result back to sp_int*.

On CHERI, pointer-to-integer casts strip the hardware capability tag.
The reconstructed pointer is tagless and cannot be dereferenced,
causing a tag-violation fault.

Add _sp_cond_copy that uses the bitmask on the digit data itself rather
than the addresses, this avoids needed to do pointer arithmetic.

On non-CHERI targets the behaviour is the same.

Signed-off-by: William Beasley (The Capable Hub) <wbeasley@thegoodpenguin.co.uk>
2026-05-12 10:11:54 +01:00
David Garske a2b054e3b8 Merge pull request #10155 from aidangarske/fenrir-fixes-2
Add Negative Testing and Zeroization
2026-05-11 21:07:53 -07:00
Sean Parkinson 3c9423257f ML-KEM: fix AVX2 assembly
AVX2 not decompressing 5-bit values correctly.
AVX2 not comparing last 32 bytes of ciphertext.
Protect mlkemkey_get_k to only be compiled when make key is compiled in.
2026-05-12 13:32:19 +10:00
Sean Parkinson 218ddb449e Merge pull request #10394 from dgarske/sp_nonblock_rsa_dh
Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096
2026-05-12 13:25:43 +10:00
jordan 5918eabe2c wolfmath: fix mpSz cast. 2026-05-11 21:46:36 -05:00
John Safranek 82b30797a1 port/cavium: fix Octeon AES-GCM AAD GHASH bug
Octeon_AesGcm_SetAAD unconditionally ran XOR0/XORMUL1 on the partial-block
buffer after the main loop, which processed an extra all-zero block when
aadSz was a non-zero multiple of 16, corrupting the GCM tag. Guard the
trailing XOR/MUL with `if (remainder > 0)`.

Issue: F-3335
2026-05-11 14:39:06 -07:00
Daniel Pouzzner 3afa9018f4 Merge pull request #10450 from Frauschi/slhdsa_pre_hash
HashSLH-DSA APIs take the pre-hashed digest, not the raw message
2026-05-11 16:29:32 -05:00
Daniel Pouzzner b2a56e7947 wolfcrypt/src/pwdbased.c:
* fix typography of wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() (peer review).
* refactor overflow prevention in wc_PKCS12_PBKDF_ex() to use WC_SAFE_SUM_UNSIGNED().

wolfcrypt/test/test.c: in pwdbased_test(), omit "INT_MAX MAC iterations" test if WOLFSSL_NO_MALLOC (uses wc_PKCS12_new_ex()).
2026-05-11 15:57:23 -05:00
Daniel Pouzzner f248b272db rename WC_PBKDF_MAX_ITERATIONS to WC_PBKDF_DEFAULT_MAX_ITERATIONS, raise it to 10000000, add wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get(), and restore new negative tests in pwdbased_test(). 2026-05-11 15:57:22 -05:00
Anthony Hu 1cd9caca02 Line length fixup and repro in second impl. 2026-05-11 15:57:22 -05:00
Anthony Hu 3f6c8316c7 Add upper limit to PBKDF iteration count
Add WC_PBKDF_MAX_ITERATIONS (default 100000) to cap the iteration
count in wc_PBKDF1_ex(), wc_PBKDF2_ex(), and wc_PKCS12_PBKDF_ex().
2026-05-11 15:57:22 -05:00
jordan 333aaaa3a9 asn: fix GetShortInt for asn original. 2026-05-11 14:50:48 -05:00
Paul Adelsbach d56831c90d Fix LMS and XMSS cryptocb software fallback 2026-05-11 10:45:38 -07:00
sebastian-carpenter 0ff622c709 F-1908, improve hpke return codes 2026-05-11 11:35:22 -06:00
jordan 99e5597372 wolfmath: check mpSz cleanup. 2026-05-11 12:09:50 -05:00
Kareem a12ccca612 Fully exclude the wc_DsaCheckPubKey function when building with NO_DSA_PUBKEY_CHECK. 2026-05-11 10:05:45 -07:00
Kareem b79870e1ba Add opt-out macro NO_DSA_PUBKEY_CHECK to allow skipping the newly added DSA public key check. 2026-05-11 10:05:45 -07:00
Kareem 44d3659244 Code review feedback 2026-05-11 10:05:45 -07:00