Commit Graph

2084 Commits

Author SHA1 Message Date
Daniel Pouzzner 44adc4a71d linuxkm/lkcapi_rsa_glue.c: gate LINUXKM_DIRECT_RSA directly on WC_RSA_NO_PADDING;
configure.ac: always pass -DWC_RSA_NO_PADDING for --enable-linuxkm-lkcapi-register=rsa or =all.
2025-04-17 10:38:45 -05:00
Juliusz Sosinowicz 290dbaa18e wolfSSL_EVP_PKEY_cmp: only compare the public keys 2025-04-16 18:14:09 +02:00
jordan ff93e6d5d4 linuxkm: register rsa. 2025-04-16 09:50:06 -05:00
Daniel Pouzzner 6bf93c93d4 Merge pull request #8594 from julek-wolfssl/nss
Implement AES-CTS in wolfCrypt
2025-04-15 18:35:52 -05:00
Daniel Pouzzner 43389b248a Merge pull request #8621 from dgarske/dotnet35
Fixes for building with .NET 3.5
2025-04-14 22:35:28 -05:00
Daniel Pouzzner 4ae057e79f Merge pull request #8663 from philljj/register_ecdh
linuxkm: register ecdh.
2025-04-14 19:04:33 -05:00
David Garske 42644a55fb Fixes for building with .NET 3.5 (new WindowsCE macro). Fix for build error with NO_WOLFSSL_MSG_EX. Fix for ECC TFM option (only set with TFM). 2025-04-14 16:07:03 -07:00
Daniel Pouzzner 57baae90f1 linuxkm/lkcapi_glue.c: update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit 7450ebd29c (merged for Linux 6.15);
configure.ac: fix --disable-linuxkm-lkcapi-register;

.wolfssl_known_macro_extras: fix order.
2025-04-14 00:01:40 -05:00
jordan 380c3613ed linuxkm: register ecdh. 2025-04-11 15:16:09 -04:00
Juliusz Sosinowicz 75ca54889c Implement AES-CTS in wolfCrypt 2025-04-09 12:11:08 +02:00
jordan a626ec242e linuxkm ecdsa: tiny cleanup. 2025-04-04 14:01:47 -04:00
jordan d62c65231b linuxkm: register ecdsa. 2025-04-04 11:54:03 -04:00
JacobBarthelmeh 47ed447987 Merge pull request #8632 from douzzer/20250403-fixes
20250403-fixes
2025-04-03 17:26:40 -06:00
JacobBarthelmeh f6894a3949 add compileharden flag 2025-04-03 15:05:24 -06:00
JacobBarthelmeh c4fcd5fd54 do sanity check that the -Wa,-mbranches-within-32B-boundaries is supported for cases where CC=gcc is really clang 2025-04-03 13:58:43 -06:00
Daniel Pouzzner 971dafb1c2 configure.ac: add v5-kcapi to FIPS version map, same as v5-dev, but version 5.3.0 (as v5-dev was before 9d931d45de). 2025-04-03 14:30:22 -05:00
JacobBarthelmeh 5ecacfd8eb Merge pull request #8577 from SparkiDev/x64-branch-32b
Intel x86_64, gcc, icc: put branches on 32 byte boundary
2025-04-03 10:53:46 -06:00
Sean Parkinson c29fba5b7e Merge pull request #8614 from douzzer/20250317-linuxkm-lkcapi-aes-ctr-ofb-ecb
20250317-linuxkm-lkcapi-aes-ctr-ofb-ecb
2025-04-03 10:45:04 +10:00
Daniel Pouzzner 3e87c4465c update copyright year in configure.ac. 2025-04-02 18:51:28 -05:00
Daniel Pouzzner 8705d28d48 wolfcrypt/src/aes.c: in wc_AesSetKeyLocal(), rework support for WC_FLAG_DONT_USE_AESNI (fixes WC_C_DYNAMIC_FALLBACK).
wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, #ifdef LINUXKM_LKCAPI_REGISTER, #define WOLFSSL_TEST_SUBROUTINE to nothing, and #define WC_TEST_EXPORT_SUBTESTS.

linuxkm/lkcapi_glue.c:
* add check_skcipher_driver_masking() and check_aead_driver_masking(),
* use _masking() checks in all linuxkm_test_*().
* add !WOLFSSL_AESGCM_STREAM implementation of linuxkm_test_aesgcm().
* add implementations of linuxkm_test_aesctr(), linuxkm_test_aesofb(), and linuxkm_test_aesecb()
* remove incomplete+disabled AES-CCM shim implementation.

linuxkm/module_hooks.c: pull in wolfcrypt/test/test.h if LINUXKM_LKCAPI_REGISTER.

linuxkm/Makefile: build wolfcrypt/test/test.o if ENABLED_LINUXKM_LKCAPI_REGISTER.

Makefile.am: add ENABLED_LINUXKM_LKCAPI_REGISTER to exports in BUILD_LINUXKM section.

configure.ac: add AC_SUBST([ENABLED_LINUXKM_LKCAPI_REGISTER]); in ENABLED_LINUXKM_DEFAULTS set up, remove `-DWOLFSSL_TEST_SUBROUTINE=static` from AM_CFLAGS adds; fix whitespace.

.wolfssl_known_macro_extras: add WC_WANT_FLAG_DONT_USE_AESNI.

wolfcrypt/test/test.c: add `|| defined(WC_TEST_EXPORT_SUBTESTS)` to outermost gate, add wc_test_ prefix to render_error_message() and export it,

wolfcrypt/test/test.h: add prototype for wc_test_render_error_message(), and #ifdef WC_TEST_EXPORT_SUBTESTS, add prototypes for all the subtests.
2025-04-02 17:00:48 -05:00
Daniel Pouzzner 6d92dae632 configure.ac: add support for --enable-aesni-with-avx/USE_INTEL_SPEEDUP_FOR_AES (AESNI+AVX, but only for AES modes).
linuxkm/lkcapi_glue.c: implement WC_LINUXKM_C_FALLBACK_IN_SHIMS, km_AesGet(), and km_AesFree().

src/include.am: add missing gates for AES-GCM and AES-XTS asm.

wolfcrypt/src/aes_xts_asm.S and wolfssl/wolfcrypt/sp_int.h: don't redefine HAVE_INTEL_AVX2.
2025-04-02 17:00:48 -05:00
Daniel Pouzzner 9d931d45de LKCAPI checkpoint (all AES except CCM working). 2025-04-02 17:00:48 -05:00
Sean Parkinson 3969dd5a11 Merge pull request #8596 from dgarske/various_isacii_keylog
Various improvements to iscacii and CMake key log
2025-03-28 08:51:49 +10:00
David Garske a59075b908 Various improvements to iscacii and CMake key log:
* Detect 'isascii' at configuration (tested with `./configure CFLAGS="-DNO_STDLIB_ISASCII" && make check`).
* Add mew CMake option `WOLFSSL_KEYLOG_EXPORT` (fixes #8165)
Replaces PR #8174 and #8158. Thank you @redbaron.
2025-03-26 15:24:15 -07:00
Daniel Pouzzner 8b8873fb2c Merge pull request #8553 from kareem-wolfssl/zd19458
Check for whether librt is needed for clock_gettime.
2025-03-26 12:44:24 -05:00
Sean Parkinson 50304cfb1c Intel x86_64, gcc, icc: align loops to 64 byte boundary
Improved security with compile flag.
2025-03-25 09:40:01 +10:00
Daniel Pouzzner 576c489b0f Merge pull request #8583 from lealem47/fips_linuxkm
Remove linuxkm-pie dependency for FIPS linuxkm
2025-03-21 21:09:04 -05:00
Daniel Pouzzner b0a16a3d94 configure.ac: remove PWDBASED and PBKDF2 from fips=lean-aesgcm. 2025-03-21 16:56:24 -05:00
Lealem Amedie 2fdac57a69 Remove linuxkm-pie dependency for FIPS linuxkm 2025-03-21 15:36:31 -06:00
Daniel Pouzzner 1e89002762 fix various -Wdeclaration-after-statements, and add
-Wdeclaration-after-statement to .github/workflows/pq-all.yml.

rearrange code/gating in wolfcrypt/src/wc_mlkem.c:mlkemkey_encapsulate() for
  clarity and to fix a -Wdeclaration-after-statement.

also, made mlkem_encapsulate_c() and mlkem_encapsulate() return error code
  (currently always zero) rather than void, for consistency.

configure.ac: fix Kyber/ML-KEM option setup.
2025-03-21 15:46:44 -05:00
Kareem 91239dc42d Only search for clock_gettime when using RNG with wolfEntropy. 2025-03-21 11:05:24 -07:00
Kareem 17bb8c4c84 Check for whether librt is needed for clock_gettime. 2025-03-21 11:01:37 -07:00
Sean Parkinson 295ba3b416 Intel x86_64, gcc, icc: put branches on 32 byte boundary
Improved security with compile flag.
2025-03-21 17:50:31 +10:00
Daniel Pouzzner 57ecd4b246 configure.ac: fix -DNO_BIG_INT setup to recognize $ENABLED_SP_MATH.
wolfcrypt/test/test.c: fix gating around modLen in rsa_test().

wolfssl/openssl/bn.h: remove superfluous WOLFSSL_SP_MATH gate around mp_int mpi
  in struct WOLFSSL_BIGNUM definition.

wolfssl/wolfcrypt/wolfmath.h: add check for "Conflicting MPI settings.", add
  initial check for WOLFSSL_SP_MATH_ALL || WOLFSSL_SP_MATH to include sp_int.h,
  and remove superfluous WOLFSSL_SP_MATH gate on "common math functions".
2025-03-20 22:18:22 -05:00
Daniel Pouzzner e870e7f6d2 configure.ac: in FIPS lean-aesgcm setup, don't lock features that are outside
the FIPS boundary, just set up appropriate defaults.

wolfssl/wolfcrypt/wolfmath.h: if legacy math back ends aren't defined, and
   NO_BIG_INT isn't defined, then always include sp_int.h, for backward compat.
2025-03-20 21:07:15 -05:00
Daniel Pouzzner b544354306 wolfssl/wolfcrypt/wolfmath.h: don't include an MPI header if NO_BIG_INT is
defined, and issue a #error if no MPI backend gate is defined and NO_BIG_INT
   is not defined either.

configure.ac:
* add support for FIPS lean-aesgcm[-{ready,dev}].
* implement handler for --enable-sha256.
* move setup for WOLFSSL_FIPS_DEV and WOLFSSL_FIPS_READY into the applicable
    per-flavor sections.
* fix sensing of $ENABLED_AESGCM in FIPS setup clauses to pivot on `!= "no"`
    rather than `= "yes"`, to accommodate "4bit" and other non-"yes" values.
* fix SNI_DEFAULT to be "no" if $ENABLED_TLS = no.
* fix ENABLED_DHDEFAULTPARAMS default to be $ENABLED_DH rather than yes.

wc_encrypt.c: add missing gates in wc_CryptKey() for NO_SHA256.

wolfcrypt/test/test.c: gating fixes for NO_SHA256.

wolfcrypt/benchmark/benchmark.c: basic fixes for building/running with
  --disable-rng (-DWC_NO_RNG).

With the above additions and fixes, it's now a clean build, test, and benchmark,
  with --disable-sha256 --enable-cryptonly --disable-hashdrbg --disable-rng
  --disable-hmac, though RSA/DH/ECC benches are disabled.
2025-03-20 20:03:34 -05:00
David Garske 2c36ae268f Merge pull request #8536 from SparkiDev/kyber_to_mlkem
Update Kyber APIs to ML-KEM APIs
2025-03-20 11:07:53 -07:00
David Garske 4c0d4a931e Merge pull request #8555 from bigbrett/default-devid-disable
Add option to disallow automatic use of "default" devId
2025-03-20 10:56:17 -07:00
Daniel Pouzzner ab7713676e linuxkm/lkcapi_glue.c: for AES-{CBC,CFB,GCM}, treat ctx->aes_{encrypt,decrypt}
as readonly in the encrypt/decrypt handlers -- clone them before setting the IV
-- for thread safety.  also, remove the "experimental" designation of
--enable-linuxkm-lkcapi-register=all.
2025-03-18 22:39:17 -05:00
Daniel Pouzzner ac89fbc9e6 linuxkm: fix AES-GCM shim implementation and self-test. 2025-03-17 17:25:53 -05:00
Brett Nicholas c7db28ef5a merge --no-default-devid configure option into --enable-cryuptocb=no-default-devid 2025-03-17 12:15:32 -06:00
Daniel Pouzzner 87c0ac90b8 configure.ac:
* sense assert.h and define WOLFSSL_HAVE_ASSERT_H accordingly.
* force off enable_aesgcm_stream if 32 bit armasm or riscv-asm (not yet implemented or buildable).
* add AM_CONDITIONAL([BUILD_CHACHA_NOASM, ...]) when --enable-chacha=noasm.

src/include.am: gate armasm/riscv_asm chacha files on !BUILD_CHACHA_NOASM.

tests/api.c: add missing HAVE_CHACHA&&HAVE_POLY1305 gate around test_TLSX_CA_NAMES_bad_extension().

wolfcrypt/src/chacha.c: tweak WOLFSSL_ARMASM and WOLFSSL_RISCV_ASM codepaths to also depend on !NO_CHACHA_ASM.

wolfssl/wolfcrypt/types.h: in setup for wc_static_assert(), #include <assert.h> if WOLFSSL_HAVE_ASSERT_H, >=C11, or >=C++11.
2025-03-13 23:17:57 -05:00
Brett Nicholas b7764e9308 add support for WC_NO_DEFAULT_DEVID to configure 2025-03-13 14:51:05 -06:00
Daniel Pouzzner c80a050c29 linuxkm/lkcapi_glue.c: fix aes-cfb wrappers, and add
WOLFSSL_DEBUG_TRACE_ERROR_CODES support for EINVAL/ENOMEM/EBADMSG;

configure.ac: remove ENABLED_EXPERIMENTAL requirement for
  --enable-linuxkm-lkcapi-register=cfb(aes);

linuxkm/module_hooks.c: omit "skipping full wolfcrypt_test" message if
  wc_RunAllCast_fips() was run.
2025-03-12 17:08:04 -05:00
Daniel Pouzzner 2a4dbbf545 configure.ac: remove mutual exclusion of armasm and WOLFSSL_AESXTS_STREAM --
this now works, and uses armasm-accelerated _AesEcb{En,De}crypt() via
  _AesXtsHelper().  also, add -DNO_CRYPT_TEST to CFLAGS in builds with
  $ENABLED_CRYPT_TESTS = no.
2025-03-11 14:47:32 -05:00
Sean Parkinson a7690ca24b ML-KEM/Kyber: finish name change 2025-03-10 08:37:14 +10:00
Daniel Pouzzner cbcca93fde configure.ac: print a warning, not an error, on "Conflicting asm settings", for backward compatibility. 2025-03-07 19:52:26 -06:00
Daniel Pouzzner 66376bed28 wolfcrypt/src/misc.c: in xorbufout() and xorbuf(), call XorWords() directly via a simplified path if all args are already aligned to WOLFSSL_WORD_SIZE (fixes performance regression from dc2e2631bc).
configure.ac: add a "Conflicting asm settings" error check at end, since our configuration currently blows up if --enable-intelasm and --disable-asm are combined.
2025-03-07 19:52:26 -06:00
Daniel Pouzzner dc2e2631bc linuxkm: various fixes for LKCAPI wrapper for AES-CBC (now passing kernel-native
self-test and crypto fuzzer), and de-experimentalize it.

wolfssl/wolfcrypt/types.h: add definitions for WOLFSSL_WORD_SIZE_LOG2.

wolfcrypt/src/misc.c: fix xorbuf() to make the XorWords() reachable; also,
  refactor integer division and modulus ops as masks and shifts, and add pragma
  to suppress linuxkm FORTIFY_SOURCE false positive -Wmaybe-uninitialized.
2025-03-05 17:56:08 -06:00
Reda Chouk 3e5e81c45f Enable TLS 1.3 middlebox compatibility by default with --enable-jni
Adding -DWOLFSSL_TLS13_MIDDLEBOX_COMPAT flag to the default
compilation flags when --enable-jni is used.

Related PRs in other repositories:
- wolfSSL/wolfssljni#255
- wolfSSL/testing#845
2025-03-03 14:12:20 +01:00