Commit Graph

11717 Commits

Author SHA1 Message Date
Sean Parkinson bce9fdda68 ML-KEM/ML-DSA: unaligned reads
Use readUnaligned32/64 to ensure no unaligned read faults.
Updated implementations of read/write unaligned 32/64 to not worry about alignment on CPUs that are known to not care.
2026-06-17 10:30:33 +10:00
Chris Conlon 6ebc379f31 Renesas TSIP: skip XMEMCPY on MEMORY_E from tsip_StoreMessage() 2026-06-16 13:58:52 -06:00
Ruby Martin 916a6a6904 Move err check inside else block of ALT_ECC_SIZE, prevent dead code 2026-06-16 13:51:36 -06:00
Tobias Frauenschläger 8f55480a1d SP math: validate ECDH shared-secret output buffer against the field size
Regenerate the SP backends so the ECDH secret generators check the caller's
buffer against the number of bytes actually written. Adds a P-384/P-521
buffer-size regression test.
2026-06-16 20:56:45 +02:00
Tobias Frauenschläger 266e07e58d SLH-DSA: zeroize secret WOTS+/FORS material and fix alloc-failure paths
Zeroization:
- Add missing ForceZero on the PRF outputs and WOTS+ chain state that hold
  secret key material.
- Route the WOTS sign leaf through a temp so secret chain values never touch
  the public signature buffer.
- Add SLHDSA_SHAKE_X4_STATE_W so buffer and wipe sizes stay in sync.

Leak / alloc-failure fixes:
- Fix chain_idx_x4 returning on SAVE_VECTOR_REGISTERS2 failure without freeing
  state/fixed (memory leak, and the secret was left unzeroized); break to the
  cleanup path instead.
- Guard all function-scope wipes with WC_VAR_OK to avoid a NULL deref when an
  allocation fails under WOLFSSL_SMALL_STACK.
2026-06-16 15:48:39 +02:00
Tobias Frauenschläger 24321ec7ae Even more missing ForceZero in ML-KEM / ML-DSA
Ensure that all sensitive private key (derived) data is zeroed.
2026-06-16 11:35:30 +02:00
Marco Oliverio a39e8ae976 Route DNS name-constraint checks through one helper
Add wolfssl_local_MatchDnsNameConstraint() dispatching wildcard names
to the subtree matcher and literal names to plain base-name matching,
and use it for the ASN_DNS_TYPE branches of PermittedListOk() and
IsInExcludedList().

This also drops the outer name->len >= base len byte-length guard for
literal DNS names. That guard ran before MatchBaseName() could strip
the absolute-FQDN trailing dot, so a constraint base like
DNS:example.com. never matched the SAN example.com it denotes.
2026-06-15 12:09:56 +02:00
Tobias Frauenschläger d4eedf8af8 Add missing ForceZero call for ML-DSA 2026-06-15 12:07:00 +02:00
Tobias Frauenschläger e43281b2dc Add missing ForceZero calls for ML-KEM 2026-06-15 12:06:55 +02:00
Marco Oliverio ef8836a346 Handle the absolute-FQDN trailing dot in URI name constraints
One trailing dot marks an absolute FQDN and is not part of the host:
"host.com." and "host.com" denote the same host. Strip it from the
URI host before classification (so "12.31.2.3." is still recognized
as an IPv4 address) and from the constraint base before the exact-match
comparison, mirroring what wolfssl_local_MatchBaseName() already does
for DNS name constraints. Only a single dot is the marker: an empty
last label ("host.com..") is rejected.
2026-06-15 11:56:31 +02:00
Marco Oliverio 4b3bb49b27 NameConstraints: Require DNS reg-name host for URI name constraints
RFC 5280 4.2.1.10 defines URI name constraints in terms of a host that
is a fully qualified domain name; RFC 3986 IP-literal ([...]) and
IPv4address hosts are not DNS reg-names and cannot be meaningfully
matched against a DNS-style constraint base.

- Classify the host extracted by GetUriHost (IP-literal, IPv4address,
  reg-name) and validate that a reg-name has no empty labels.
- wolfssl_local_MatchUriNameConstraint() no longer matches URIs whose
  host is an IP address.
- ConfirmNameConstraints() fails closed: when URI constraints are
  present, a URI SAN without a DNS host is rejected. A plain non-match
  would otherwise let such names pass excluded-only constraints.
2026-06-15 11:04:27 +02:00
Marco Oliverio 3dc729002a Extract GetUriHost from wolfssl_local_MatchUriNameConstraint
Pull the URI host extraction (scheme skip, userinfo skip, IP-literal
brackets, port/path delimiters) into a GetUriHost helper so it can be
reused by other URI name-constraint checks. No functional change.
2026-06-15 09:58:18 +02:00
David Garske f42a698c59 Merge pull request #10668 from holtrop-wolfssl/f-5394
Force-zero wc_AesSivDecrypt*() output buffer on authentication failure
2026-06-12 16:35:31 -07:00
JacobBarthelmeh 86ba8f7770 Merge pull request #10652 from SparkiDev/regression_fixes_25
Regression testing fixes - memory allocation failure testing
2026-06-12 16:30:57 -06:00
Josh Holtrop 445b8b272c Document PUBLIC_KEY_E return value for wc_ed448_export_public() in source comment 2026-06-12 15:58:27 -04:00
Josh Holtrop 8c1e3a261f Fix Ed448/25519 export private-only key unit tests for FIPS pre-v7 2026-06-12 15:58:27 -04:00
Josh Holtrop 3d517841d5 Ed448: check for public key presence on export
Return PUBLIC_KEY_E for wc_ed25519_export_key if public key is not
present.
Return PUBLIC_KEY_E for wc_ed448_export_key if public key is not
present.
Rename several inLen parameters to outLen for consistency.

Fix F-4427
2026-06-12 15:58:27 -04:00
Josh Holtrop f420c66c38 Fix aes_siv_negative_test unit test style for skoll 2026-06-12 14:46:43 -04:00
Josh Holtrop 5bc5251c3e Dynamically find AES-SIV test vector index instead of hardcoding in unit test 2026-06-12 13:50:47 -04:00
Josh Holtrop 7064eeca89 Force-zero output buffer for AES-SIV decrypt for other AES errors as well 2026-06-12 12:19:06 -04:00
David Garske 6081106ae3 Merge pull request #10647 from philljj/misc_fixes
Misc wolfcrypt fixes
2026-06-12 09:13:26 -07:00
Josh Holtrop 20571a9beb Force-zero wc_AesSivDecrypt*() output buffer on authentication failure 2026-06-12 08:07:46 -04:00
Juliusz Sosinowicz 3a6c31a51e CI: pool the per-config runner matrices into parallel make-check jobs
Replace the one-runner-per-configuration matrices across the
make-check workflow family with a generic pooled runner,
.github/scripts/parallel-make-check.py. Each workflow keeps its
configuration list as JSON next to the invocation; one runner (or a
small fixed set of shards, balanced by measured per-config minutes)
builds every config in its own out-of-tree (VPATH) build directory off
a single checkout/autogen, on a pool of one-per-CPU worker threads,
longest first. Concurrent checks are isolated with bubblewrap network
namespaces, compilations are cached with ccache, the first failure
aborts the rest (fail-fast, with --no-fail-fast to run everything),
and per-config timings plus pool efficiency land in the step summary.
Failure logs upload as artifacts. smoke-test.yml is likewise reworked
into a single pooled job that runs its nine configs on one runner.

Converted workflows (runner jobs per full pass):
  os-check.yml             101 -> 8  (92 Ubuntu configs -> 4 shards;
                           the macOS matrix, the user-settings jobs and
                           the standalone
                           macos-apple-native-cert-validation.yml fold
                           into one macOS runner; Windows unchanged)
  pq-all.yml                21 -> 2 shards
  disable-pk-algs.yml       15 -> 1
  wolfCrypt-Wconversion.yml 11 -> 1
  trackmemory.yml            7 -> 1
  cryptocb-only.yml          8 -> 1  (incl. the two new SHA512 entries)
  multi-compiler.yml         6 -> 1
  smallStackSize.yml         6 -> 1
  multi-arch.yml             6 -> 1
  async.yml                  5 -> 1
  psk.yml                    5 -> 1
  no-malloc.yml              3 -> 1
  wolfsm.yml                 3 -> 1
  opensslcoexist.yml         2 -> 1

Measured against current upstream passing runs (job execution time,
queue excluded): ~200 runner jobs / ~374 runner-minutes per full pass
become 23 jobs / ~168 runner-minutes, with more coverage than before.
multi-arch's old matrix combined an "include" list of four
architectures with an "opts" axis; GitHub's include-merge rules made
each arch entry overwrite the previous one, so only the armel
combinations actually ran. The pooled list restores the intended
aarch64/armhf/riscv64 coverage (23 combinations; riscv64 x sp-math is
omitted as invalid - configure rejects sp-math without SP, and
--enable-riscv-asm, unlike --enable-sp-asm, does not bring SP in).

Out-of-tree build fixes this depends on:
- Makefile.am: symlink the read-only test data (certs/, tests/ config
  files, sniffer captures and helpers, examples/crypto_policies,
  input, quit) into the build tree via a BUILT_SOURCES stamp, removed
  again in distclean-local. ChangeToWolfRoot() and the script tests
  resolve everything relative to the working directory, so out-of-tree
  make check and make distcheck now pass.
- scripts/multi-msg-record.py: locate the client binary from the build
  tree working directory rather than the script's source directory.
- configure.ac + wolfssl/include.am: run
  support/gen-debug-trace-error-codes.sh from $srcdir; it reads the
  error-code headers from the source tree and generates into the build
  tree.
- tests/swdev: a WOLFBUILD variable points the sub-make at the build
  tree for the configure-generated headers (wolfssl/options.h,
  wolfssl/version.h); the in-tree-only guards are dropped.

Portions of PR #10649 are incorporated: the cross-platform
ccache-setup composite action, repository_owner gates on check-headers
and check-source-text, the docs-only paths-ignore on os-check, and the
libspdm timeout bumps.
2026-06-12 09:47:13 +00:00
Tobias Frauenschläger 351b775fd4 Merge pull request #10665 from anhu/mlkem-keygen-zeroize
Zeroize some private data before releasing memory
2026-06-12 08:41:16 +02:00
jordan ab09d0c95b misc_fixes: cleanup for skoll review. 2026-06-12 00:12:45 -05:00
Daniel Pouzzner 3e390b1b29 Merge pull request #10666 from douzzer/20260611-AES-XTS-key-half-inequality
20260611-AES-XTS-key-half-inequality

approved by @dgarske and @kareem-wolfssl, final by @SparkiDev.
2026-06-11 21:55:37 -05:00
Sean Parkinson 3c34a97164 Merge pull request #10603 from aidangarske/pqc-decode-validation
PQC enforce modulus and eta range checks in DecodePrivateKey
2026-06-12 09:22:12 +10:00
Aidan Keefe 744d25fdc3 Merge pull request #10648 from aidankeefe2022/fix-Der-to-Oid-coversion
Fix EncodedDottedForm to handle when first arc is 2
2026-06-11 15:12:53 -06:00
Daniel Pouzzner 0097739dd8 fixes for F-3325:
wolfcrypt/src/aes.c: enforce AES-XTS K1!=K2 constraint in wc_AesXtsSetKeyNoInit() unless WC_AES_XTS_ALLOW_DUPLICATE_KEYS and !HAVE_FIPS:

tests/api/test_aes.c: add negative tests to test_wc_AesXtsSetKey() for K1==K2;

wolfcrypt/test/test.c: fix keys in aes_xts_128_inplace_test() and aes_xts_192_inplace_test() so that K1!=K2, update test vectors, and remove associated !HAVE_FIPS gating;

linuxkm/lkcapi_aes_glue.c: synchronize aes_xts_128_test() test of ciphertext stealing in-place with wolfcrypt/test/test.c.

wrapper/rust/wolfssl-wolfcrypt/src/aes.rs: synchronize XTS streaming test with wolfcrypt/test/test.c.

linuxkm/: refactor self-test sensing with version-gated setup in linuxkm_wc_port.h and refactored gates in lkcapi_glue.c.
2026-06-11 15:38:28 -05:00
Anthony Hu 0eea017a8b Zeroize some private data before releasing memory 2026-06-11 14:05:37 -04:00
aidan garske 514e39e2f5 test: wrap PUBLIC_KEY_E comparisons in WC_NO_ERR_TRACE for ML-KEM/ML-DSA decode tests 2026-06-11 09:35:03 -07:00
aidan garske a1bdacbb83 ML-DSA: reject private key with out-of-range s1/s2 coefficients on decode 2026-06-11 07:38:46 -07:00
aidan garske 477754024d ML-KEM: FIPS 203 modulus check - reject non-reduced private key vector on decode 2026-06-11 07:38:46 -07:00
Sean Parkinson b04f573e20 Regression testing fixes - memory allocation failure testing
crl.c, internal.h: leak of sigParams requiring reorder the struct fields to that it is above memcpy part.
dtl13.c: free the DRLS fragments buffer in Dtls13FreeFsmResources in case fragment is never sent.
ocsp.c: only free cid if locally allocated.
tls.c: make sure ecc_kse is zeroized and can be freed.
tls13.c: set hsHashesEch after init so isn't lost on failure.
evp_pk.c: free key on the BIO error path

Fixed various tests to not leak or crash on memory allocation failure.
2026-06-11 12:14:06 +10:00
Sean Parkinson 63fd322382 Merge pull request #10641 from rlm2002/zd21890
Fixes for SM2/3 and FindMultiAttrib
2026-06-11 08:01:20 +10:00
Thomas Cook 2ba2e389c6 address copilot comments 2026-06-10 17:44:47 -04:00
Aidan Keefe b810bba09b added case to handel when second arc of byte encoding is greater than 39 when first arc is 2 2026-06-10 12:39:18 -06:00
Colton Willey d312aa0e72 Merge remote-tracking branch 'upstream/master' into harden-chain-depth-and-parser-bounds
# Conflicts:
#	src/ssl.c
2026-06-10 11:26:12 -07:00
David Garske 10e2afa20a Merge pull request #10595 from miyazakh/f5381_RSASSA-PSS_trailerField
f5381 enforce trailerField==1 in DecodeRsaPssParams
2026-06-10 10:05:22 -07:00
Daniel Pouzzner 332c249c7a Merge pull request #10572 from Frauschi/lms_xmss_cert_gen
Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
2026-06-10 11:14:43 -05:00
David Garske 953467875f Merge pull request #10560 from philljj/fix_dh_agree
dh: fix subgroup check in wc_DhAgree.
2026-06-10 09:13:31 -07:00
David Garske 760392f403 Merge pull request #10636 from embhorn/zd21942
Harden PKCS#7 FlattenEncodedAttribs
2026-06-10 08:57:39 -07:00
jordan 2f5ad2d1d2 hmac: cleanup, and fix fips gating in api tests. 2026-06-10 09:53:00 -05:00
Tobias Frauenschläger e1413a177f Add missing ForceZero() calls
Fixes  F-5437 and F-5438
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger c01152d35a Minor fix in liboqs GetRandomData
Fixes F-4443
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger 9c60d87abc Fix minor CAVIUM issues
Fixes F-4441 and F-4442
2026-06-10 11:37:40 +02:00
Tobias Frauenschläger c611a22b2f Ensure a key is set for DES3 operations
Fixes F-5379
2026-06-10 11:36:59 +02:00
Tobias Frauenschläger c76c83258c Ensure a key is set for ARC4 operations
Fixes F-5378
2026-06-10 11:36:29 +02:00
Tobias Frauenschläger 09b288000c Size cert signature buffers from the key and check sig type vs key
MAX_ENCODED_SIG_SZ grows to ~50KB once SLH-DSA is enabled, yet it was
used to size PKCS#1/signature scratch and output buffers across the
library, wasting stack and heap even for classic RSA/ECC operations.

- Add MAX_ENCODED_CLASSIC_SIG_SZ for RSA/DSA/ECC DigestInfo buffers that
  can never hold a PQC signature.
- Size the certificate/CSR signing output buffer from the signing key at
  runtime instead of the worst-case macro.
- Add overridable WOLFSSL_MAX_SIG_SZ for the WOLFSSL_NO_MALLOC buffer.
- Reject a signature type that does not match the signing key.
2026-06-10 10:51:41 +02:00
Tobias Frauenschläger e05a453944 Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
Extend wc_MakeCert_ex/wc_SignCert_ex/wc_MakeCertReq_ex to issue HSS/LMS and
XMSS/XMSS^MT certificates and PKCS#10 requests, building on the existing
RFC 9802 verification support. New LMS_TYPE/XMSS_TYPE/XMSSMT_TYPE selectors,
wc_{Lms,Xmss}Key_PublicKeyToDer SPKI encoders, runtime signature-buffer
sizing, and sigType/key consistency checks. Generation is ASN.1-template
only, matching where the verification path lives.

Tests generate self-signed roots, CSRs and a CA->ECC-leaf chain in-process
and verify them, replacing the patched Bouncy Castle fixtures (only the stock
RFC 9802-aligned LMS interop anchor is kept).
2026-06-10 10:51:33 +02:00