JacobBarthelmeh
da440d19a8
account for FIPS ready build and SE050 test
2026-05-01 16:00:19 -06:00
JacobBarthelmeh
b3e9e51967
extra sanity check for hash of all 0's
2026-05-01 13:27:39 -06:00
Daniel Pouzzner
a057975347
Merge pull request #10293 from Frauschi/liboqs_removal
...
Remove liboqs for ML-KEM and ML-DSA, update for Falcon
2026-04-30 09:04:11 -05:00
Daniel Pouzzner
76080d0b19
Merge pull request #10292 from Frauschi/liblms_libxmss_removal
...
Remove deprecated liblms and libxmss
2026-04-30 09:01:24 -05:00
Tobias Frauenschläger
7a2cf5b655
Remove liboqs for ML-KEM and ML-DSA, update for Falcon
2026-04-30 11:03:06 +02:00
Tobias Frauenschläger
e1fefcca4f
Remove deprecated liblms and libxmss
2026-04-29 19:52:09 +02:00
Daniel Pouzzner
9aec51d00b
Merge pull request #10334 from lealem47/acme
...
Add TLS-ALPN-01 challenge cert support (RFC 8737 acmeId extension)
2026-04-29 12:16:15 -05:00
Tobias Frauenschläger
71a8a55654
Merge pull request #10345 from douzzer/20260428-SLHDSA-fixes
...
20260428-SLHDSA-fixes
2026-04-29 16:44:02 +02:00
Daniel Pouzzner
f81f8479d5
fixes for SLH-DSA verifyonly:
...
wolfssl/wolfcrypt/wc_slhdsa.h: implement WOLFSSL_SLHDSA_NO_SHAKE and WOLFSSL_SLHDSA_NO_SHA2, and fix WC_SLHDSA_MAX_SIG_LEN setup to reflect SHA2 variants;
wolfssl/wolfcrypt/settings.h: if WOLFSSL_KERNEL_MODE, set WOLFSSL_SLHDSA_VERIFY_ONLY unless WOLFSSL_SLHDSA_NO_VERIFY_ONLY;
wolfcrypt/src/wc_slhdsa.c: fix WOLFSSL_SLHDSA_VERIFY_ONLY to work with --enable-slhdsa=sha2,verifyonly;
fix -Wunused-variables in slhdsakey_wots_pk_from_sig_x4();
wolfcrypt/test/test.c: in slhdsa_test(), fix gating for compatibility with --enable-slhdsa=sha2,verifyonly;
tests/api/test_slhdsa.c: fix gating in test_wc_slhdsa() and test_wc_slhdsa_sizes().
2026-04-28 18:06:00 -05:00
Lealem Amedie
82b15efebc
Add acmeIdentifier to asn=original
2026-04-28 11:51:40 -06:00
Lealem Amedie
1f260ccb0a
Add TLS-ALPN-01 challenge cert support (RFC 8737 acmeId extension)
2026-04-27 17:15:06 -06:00
David Garske
e31e158225
Fix for using STM32 AES hardware crypto with WOLFSSL_ARMASM set (ZD 21262)
2026-04-27 14:46:18 -07:00
Daniel Pouzzner
66ea4daa09
wolfcrypt/src/wc_port.c: in wc_socket_cloexec(), add necessary but undocumented __USE_GNU gating on call to accept4() (pre-includes can bring in socket.h before the override setting of _GNU_SOURCE at the top). Also enable accept4() for FreeBSD.
2026-04-27 11:40:04 -05:00
Daniel Pouzzner
3279b367d7
wolfcrypt/src/wc_lms.c: remove redundant gating on WOLFSSL_LMS_SHAKE256 in wc_LmsParamsMap wc_lms_map[].
2026-04-27 11:37:29 -05:00
Daniel Pouzzner
ac11279c60
wolfcrypt/src/random.c:
...
* add workaround in Hash512_df() for gcc compiler bug around AVX512 and object alignment.
* add missing WC_VERBOSE_RNG clause.
2026-04-27 11:37:15 -05:00
Daniel Pouzzner
7035fcf72b
wolfcrypt/src/wc_slhdsa.c:
...
* fix smallstackcache memory leaks in sha256 and sha512 contexts -- don't init or copy over a context that's been inited but not freed, and make sure to explicitly free any context that's been inited or copied over.
* fix uninited-var warnings in slhdsakey_wots_sign(), slhdsakey_xmss_sign(), and slhdsakey_fors_sign() (the uninited-var scenario depends on corrupt arg(s) resulting in zero iterations).
2026-04-27 11:36:15 -05:00
David Garske
21921408b9
Merge pull request #10216 from ColtonWilley/add-null-checks-public-api
...
Add missing NULL checks in public API functions
2026-04-24 14:42:24 -07:00
JacobBarthelmeh
734a71180c
Merge pull request #10220 from embhorn/zd21596
...
Fix TLS ext bounds checking
2026-04-24 15:10:05 -06:00
JacobBarthelmeh
c6953b868a
Merge pull request #10260 from Frauschi/ecc_fix
...
Fix ECC validation regression
2026-04-24 14:39:50 -06:00
JacobBarthelmeh
46cedcf0f6
Merge pull request #10268 from ColtonWilley/zephyr-4.3-default-tls-support
...
zephyr: changes needed for Zephyr 4.3 default TLS support
2026-04-24 14:30:59 -06:00
JacobBarthelmeh
0c9a496215
Merge pull request #10162 from embhorn/gh9753
...
Use O_CLOEXEC to avoid race conditions
2026-04-24 14:28:00 -06:00
JacobBarthelmeh
a20c391b84
Merge pull request #10282 from kareem-wolfssl/zd21527
...
Fix W560 "possible truncation at implicit conversion to type unsigned char" warnings raised by Tasking compiler.
2026-04-24 14:11:41 -06:00
kaleb-himes
08fd7bde58
PQ FIPS v7.0.0 Phase 2 & 3: All changes
...
Implement peer review feedback
2026-04-24 06:52:49 -06:00
Eric Blankenhorn
412c428b0a
Fix TLS ext bounds checking
2026-04-24 07:23:07 -05:00
Juliusz Sosinowicz
31278ee8bd
Merge pull request #10296 from JacobBarthelmeh/hostap
2026-04-24 14:13:02 +02:00
Sean Parkinson
936f8e5423
Merge pull request #10203 from Frauschi/pkcs7_fixes
...
PKCS#7 fixes
2026-04-24 10:13:43 +10:00
JacobBarthelmeh
72c7d12cfb
exclude the trust anchor from prospective certification path with pathlen check
2026-04-23 16:23:07 -06:00
JacobBarthelmeh
fe8541cc47
Merge pull request #10193 from padelsbach/set-hashtype-in-ports
...
Set hashType in ports
2026-04-23 15:02:30 -06:00
JacobBarthelmeh
6a0303e299
Merge pull request #10066 from dgarske/wc_puf
...
wolfCrypt SRAM PUF Support
2026-04-23 14:28:37 -06:00
JacobBarthelmeh
5277556989
Merge pull request #10264 from JeremiahM37/fenrir-issues-5
...
Harden wolfCrypt input validation and zeroization
2026-04-23 14:06:29 -06:00
Tobias Frauenschläger
6c5de29758
Fix ECC validation regression
2026-04-23 11:26:33 +02:00
Tobias Frauenschläger
22d1441331
Bounds-check the RecipientInfo SET length in wc_PKCS7_ParseToRecipientInfoSet()
2026-04-23 11:03:24 +02:00
Tobias Frauenschläger
97b82b5087
Add nonce length validation for PKCS#7
2026-04-23 11:03:19 +02:00
Tobias Frauenschläger
b7f6e77a95
Reject PKCS#7 SignedData signer-identity forgery
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
589feabc0c
Harden PKCS#7 EnvelopedData key unwrap
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
4e423fde17
More PKCS#7 bounds checks
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
46f3ebb0c6
Add missing ForceZero calls in PKCS#7
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
16e1d33f24
Fix invalid preprocessor guard in PKCS7 with SHA224
...
Also add missing ForceZero for ECDH shared secret on the heap.
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
5634cfd67c
Fix PKCS#7 regression with --enable-all and NO_PKCS7_STREAM
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
e2167e4bbd
add length check in PKCS#7
2026-04-23 09:36:32 +02:00
Tobias Frauenschläger
84fb0f694c
Fix various range and size bugs in PKCS#7 code
2026-04-23 09:36:32 +02:00
Kareem
9fef016106
Fix W560 "possible truncation at implicit conversion to type unsigned char" warnings raised by Tasking compiler.
2026-04-22 15:47:48 -07:00
Kareem
b3c2877a14
Add additional checks for encryptedContentSz exceeding pkiMsgSz.
2026-04-22 15:22:36 -07:00
Kareem
3e04475875
Fix unused variable error
2026-04-22 15:22:36 -07:00
Kareem
ebdcc03b71
Code review feedback
2026-04-22 15:22:36 -07:00
Kareem
1397268aa1
In wc_PKCS7_DecodeEnvelopedData, confirm encryptedContentTotalSz does not exceed the total message size before using it in the non-streaming case.
...
Thanks to Zou Dikai for the report.
2026-04-22 15:22:36 -07:00
Kareem
7f218574c4
Ensure esd->signedAttribsCount contains the correct count in case some are skipped by using the current idx rather than the total array size.
...
Thanks to Zou Dikai for the report.
2026-04-22 15:22:36 -07:00
JacobBarthelmeh
b5738236d9
Merge pull request #10187 from embhorn/zd21587
...
Fixes in TLS ECH, handle empty records, and ASN len check
2026-04-22 14:44:15 -06:00
JacobBarthelmeh
bc4bec63fc
Merge pull request #10094 from sebastian-carpenter/GH-10068
...
Fixes: for GH #10068
2026-04-22 14:24:25 -06:00
Paul Adelsbach
ea6af18bc1
Set hashType in ports
2026-04-22 13:17:28 -07:00