Commit Graph

30513 Commits

Author SHA1 Message Date
Daniel Pouzzner 6d21d600f6 in all FIPS-relevant C sources, add a "#define _WC_BUILDING_foo" first (where foo is a stylization of the filename), before including libwolfssl_sources.h, to allow future file-specific suppressions or other settings without altering FIPS sources. 2026-06-27 14:06:52 -05:00
Daniel Pouzzner 300f58db6e src/include.am: remove wolfcrypt/src/aes_x86_64_asm.S from AESNI source lists in FIPS v2/v5/v6 sections. 2026-06-27 14:04:12 -05:00
Daniel Pouzzner 479a685199 wolfcrypt/src/aes.c: fix performance regressions on GMAC and AES-CFB decrypt:
* add WC_VAES_MIN_BLOCKS, WC_VAES_ECB_MIN_BLOCKS, and WC_VAES_GCM_MIN_BLOCKS, and check against them before using AVX512/VAES implementations.
* in AesCfbDecrypt_C(), enlarge the tmp[] buffer and parameterize its size with newly added WC_AES_CFB_DEC_BUF_BLOCKS.
2026-06-27 14:03:42 -05:00
Emma Stensland 92e76d4667 updated email to facts@wolfssl.com 2026-06-26 14:44:16 -06:00
Daniel Pouzzner d4eaeb1b2e linuxkm/lkcapi_sha_glue.c: refactor error code handling in wc_linuxkm_drbg_generate() (followup to 3c9996efe0 in #10688). 2026-06-26 14:25:48 -05:00
Daniel Pouzzner c38f11b9a7 fixes for false positives on linuxkm CONFIG_FORTIFY_SOURCE builds on gcc-16:
linuxkm/linuxkm_memory.c: use packed-struct intermediates rather than memcpy()s for wc_get_unaligned() and wc_put_unaligned().

linuxkm/linuxkm_wc_port.h: on old FIPS, retrofit nonnull attribute to GHASH() arg 1, so that it unconditionally writes out the hash.

wolfcrypt/src/aes.c and wolfssl/wolfcrypt/aes.h: in GHASH(), add nonnull attribute to arg 1, and remove runtime nullness check for arg 1 in the implementations.
2026-06-26 14:25:48 -05:00
Eric Blankenhorn 5d0678d38b Fix from review 2026-06-26 12:46:30 -05:00
Eric Blankenhorn c18833f520 Fix to send record_overflow alert 2026-06-26 11:49:59 -05:00
Eric Blankenhorn e1a2ba3b02 Restore error code from DecodeGeneralName 2026-06-26 11:11:22 -05:00
David Garske 0cecccdf6e Merge pull request #10756 from SparkiDev/aes_asm_ymm_zmm
Intel x64 ASM: Add new assembly for AES
2026-06-25 21:41:17 -07:00
David Garske 39c0336cb1 Merge pull request #10728 from SparkiDev/intel_asm_fixup
Intel x86/x64 assembly fixes
2026-06-25 21:41:08 -07:00
jordan cfdbeac11b bsdkm: fenrir and misc cleanup. 2026-06-25 22:43:38 -05:00
David Garske 23bfe9b65e Merge pull request #10775 from SparkiDev/regression_fixes_26
Regression testing fixes: ARM/PP64 asm fixes, plus more
2026-06-25 14:47:08 -07:00
aidan garske 5bd8fc5b47 Move tinytls13 smoke test to examples/tls13/tls13_memio.c and restore WOLFSSL_MLKEM_DYNAMIC_KEYS macro 2026-06-25 14:32:33 -07:00
Ruby Martin 37365796bd Fix untrusted pointer issue. Bound tainted lengths in ECH test helper 2026-06-25 14:44:03 -06:00
Ruby Martin 720662e013 capture and free NULL peer to prevent resource leak false positive 2026-06-25 14:44:03 -06:00
Ruby Martin c26f22e9f9 Correct assignment to ssl->options.tls1_3 2026-06-25 14:44:03 -06:00
Ruby Martin c50d4d2a52 Add bounds check to test helper ech_find_extension() 2026-06-25 14:44:03 -06:00
Ruby Martin 92ed948907 Ignore return from remove() function in tests with (void) 2026-06-25 14:44:03 -06:00
Ruby Martin 26625b7d5e Remove dead code. Dead XBADFILE check, remove() call 2026-06-25 14:44:03 -06:00
Ruby Martin 2c23f174ce FreePeerProtocol before freeing, clears potential resource leak (currently false positive) 2026-06-25 14:44:03 -06:00
Ruby Martin acfaac4959 Move cast to return, prevents overflowed return value. Adds hardening to maxSz assignment 2026-06-25 14:44:03 -06:00
Ruby Martin 0129f6fb72 Remove logically dead len and *data checks 2026-06-25 14:44:03 -06:00
David Garske c3366597b3 Merge pull request #10707 from SparkiDev/mlkem_mldsa_unaligned
ML-KEM/ML-DSA: unaligned reads
2026-06-25 13:00:18 -07:00
David Garske 039e97df89 Merge pull request #10779 from lealem47/guard_rsa_modulus_test
Testing: Guard RSA OversizedModulus test result by FIPS version
2026-06-25 12:06:14 -07:00
twcook86 6ef3df248a Merge pull request #10598 from twcook86/hkdf_cryptocb_split
Create individual crypto callbacks for hkdf extract and hkdf expand
2026-06-25 14:58:15 -04:00
David Garske cee4b2bb47 Merge pull request #10713 from SparkiDev/curve25519_hibit_mask
X25519: standard requires masking of top bit
2026-06-25 10:34:49 -07:00
David Garske 70dad95573 Merge pull request #10776 from julek-wolfssl/fix-sha512-w-cache-free-type
sha512: free SHA-512/384 W cache with its allocated memory type
2026-06-25 09:29:47 -07:00
David Garske 10444189d4 Merge pull request #10771 from julek-wolfssl/socat-parallel-shards
socat CI: run the test suite as parallel shards via parallel-make-check.py
2026-06-25 08:00:59 -07:00
Josh Holtrop b6d962350d Rust wrapper: rename dilithium to mldsa 2026-06-25 10:31:44 -04:00
Lealem Amedie b707c00f80 Testing: Guard RSA OversizedModulus test result by FIPS version 2026-06-25 08:16:06 -06:00
Juliusz Sosinowicz 044a477378 parallel-make-check.py: only require bwrap for an actual netns run
netns needs bwrap; without it commands silently share the host network
namespace and parallel network tests collide on ports. Skip the check for
--list (it inspects configs, runs nothing), hard-fail on CI so a missing-
bubblewrap misconfig can't silently degrade, and locally just warn and fall
back to the shared namespace.
2026-06-25 13:05:35 +00:00
Juliusz Sosinowicz f2fa741bad socat CI: run the test suite as parallel netns shards
The socat suite is sleep-bound and slow run serially. Drive it through
parallel-make-check.py as ~6 shards per CPU, 2 running per CPU at once: each
shard runs a round-robin slice of the tests in its own bwrap network
namespace (so parallel shards don't collide on ports) and its own build-dir
copy. The work is almost all waiting, so the oversubscription just overlaps
the waits.

Install bubblewrap so the netns isolation actually happens (without it the
runner silently shares one namespace and the shards collide). Each fresh
netns is IPv4-loopback only, so re-create IPv6 loopback (CAP_NET_ADMIN) for
the ::1 / dual-stack tests, and add non-loopback placeholders (fc00::1,
192.0.2.1) so glibc's AI_ADDRCONFIG still returns both families - without
them socat's getaddrinfo fails on numeric non-loopback addresses, e.g. the
multicast tests. Relax the AppArmor unprivileged-userns restriction so the
bwrap netns + CAP_NET_ADMIN work on ubuntu-24.04.
2026-06-25 09:35:13 +00:00
Juliusz Sosinowicz c9d71d52f8 parallel-make-check.py: add generic pool extensions for arbitrary commands
Let any command ride the build/check pool, not just wolfSSL builds:
  build  false skips configure/make/check (config is just prepare+run)
  netns  true runs each command under 'bwrap --unshare-net --cap-add
         CAP_NET_ADMIN' (its own network namespace) so parallel network
         tests can't collide on ports and can configure that namespace
  shards fan a config out into N instances, each with $SHARD (1..N) and
         $SHARDS=N in its env and its own build-<name>-<k> dir, so a
         command can split its work N ways (the pool load-balances them)

Error out, rather than silently degrade, on two misconfigurations that
otherwise surface as confusing test failures: netns requested but bwrap
missing (commands would share the host namespace and collide on ports),
and config-name collisions after shard fan-out (two jobs would share a
build dir and race).
2026-06-25 09:35:13 +00:00
Sean Parkinson cb11e2ff28 Regression testing fixes: ARM/PP64 asm fixes, plus more
ARM64/ARM32/Thumb2:
  - Inline-asm use param names not registers.
  - Return value through first parameter and not first register
  - 32-bit values zero extended when loaded off stack
aes.c: Aligned-accedd GHASH for 32-bit CPUs.
test.c: #ifdef protection update.
sha3.h: make digest and block size constants defines for use in hash.h
sha512.h: internal Transform_Sha512* functions declared when only SHA-384.
sp_int.h: include WOLFSSL_SP_MATH_ALL in SP_INT_BITS selection
memory.c: fix printf format to be compatible with more platforms
2026-06-25 17:33:49 +10:00
Juliusz Sosinowicz dbd495dacb sha512: free SHA-512/384 W cache with its allocated memory type
With WOLFSSL_SMALL_STACK_CACHE, wc_Sha512Free and wc_Sha384Free freed the
cached W buffer as DYNAMIC_TYPE_TMP_BUFFER, but it is allocated as
DYNAMIC_TYPE_DIGEST in InitSha512_Family/InitSha384 and the Copy functions
(the in-Init error cleanup already frees it as DYNAMIC_TYPE_DIGEST).

The mismatch is flagged by the memusage test (DHE_RSA TLS1.2 reports
Errors: 2) and matters for type-bucketed static memory pools. SHA-256/224
already use DYNAMIC_TYPE_DIGEST consistently. Free W as DYNAMIC_TYPE_DIGEST.
2026-06-24 22:50:29 +00:00
aidan garske 93d16f431c Address tinytls13 review: ML-DSA-44, canonical ML-DSA/ML-KEM macros, optimizer-measured static-mem bucket guidance, footprint hygiene 2026-06-24 15:43:01 -07:00
JacobBarthelmeh 0ff9278bd9 fix for ecc init flag being set 2026-06-24 16:04:53 -06:00
JacobBarthelmeh ac01707f55 Merge pull request #10757 from philljj/release
prepare for release 5.9.2
2026-06-24 13:21:53 -06:00
jordan 0fe21bbcd5 prepare for release 5.9.2 2026-06-24 12:01:51 -05:00
philljj ad1cd4789b Merge pull request #10763 from douzzer/20260623-WC_16BIT_CPU-WC_ATOMIC_INT_ARG
20260623-WC_16BIT_CPU-WC_ATOMIC_INT_ARG
2026-06-23 17:51:11 -05:00
Eric Blankenhorn 17523c69f6 Fix TLS1.2 error code correction 2026-06-23 14:32:24 -05:00
Daniel Pouzzner 18c2329167 wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/wc_port.c: for 16 bit portability,
use target native int for WC_ATOMIC_INT_ARG, add user overrideability, and
  adjust WC_INIT_STATE_COUNT_BITS to depend on sizeof(WC_ATOMIC_UINT_ARG).  add
  a wc_static_assert to sanity-check WC_INIT_STATE_STATE_BITS, and use CHAR_BIT
  opportunistically in the other wc_static_assert to sanity check that CHAR_BIT
  is at least 8.
2026-06-23 11:24:51 -05:00
Sean Parkinson a342eba578 Intel x64 ASM: Add new assembly for AES
Support AES-XTS AVX512/VAES
Support AES-GCM AVX512/VAES
Support AES-ECB/CBC/CTR AVX512/VAES/AVX1/AES-NI.
Remove code from aes_asm.S/aes_asm.asm
Add CPU defines for AVX512 and VAES
Updated ASM files with new defines for AVX512.
Added support for printing out the new CPU Id flags in benchmark.
Added new files to Windows projects.
aes.c: Supports ECB/CBC/CTR in assembly. Supports calling AVX512/VAES assembly.
2026-06-23 20:54:59 +10:00
Juliusz Sosinowicz 88032c1e56 Make the server timeout wrap Linux-only
timeout(1) is GNU coreutils and is not installed on macOS, so the
"make check macos" job failed with "timeout: command not found" for
every wrapped server. Add a small shim to each affected test: when
timeout is unavailable (e.g. macOS) run the server unbounded, restoring
the prior macOS behavior. The flaky hang the timeout guards against is on
the Linux-only trackmemory job, so macOS does not need the bound.
2026-06-23 10:35:44 +00:00
Juliusz Sosinowicz 5c5cbd3094 Bound waited example servers with timeout in remaining test scripts
Several test scripts share the same pattern as ocsp-stapling_tls13multi:
a backgrounded example server is "wait"ed on with no timeout, so a
server that flakily fails to exit blocks the script until the CI job
timeout. Wrap those servers in "timeout -s KILL 2m" as well.

Scripts: ocsp-stapling, ocsp-stapling2,
ocsp-stapling-with-wolfssl-responder, crl-revoked, tls13, resume,
pkcallbacks, dtlscid.
2026-06-23 00:07:58 +00:00
Juliusz Sosinowicz e82ecdff93 Fix ocsp-stapling_tls13multi.test hang from unbounded server wait
Test cases 6 and 7 background the example server and then "wait" for it
to exit. When the server occasionally fails to exit (a timing race under
heavy parallel CI load), the script blocks until the job's
timeout-minutes, cancelling the whole trackmemory run - seen
consistently on the all-wolfentropy config.

Wrap those two servers in "timeout -s KILL 2m" (as scripts/dtls.test
already does) so a stuck server is killed and the test fails fast instead
of timing out the whole job.
2026-06-22 21:30:33 +00:00
night1rider fed375fcea SHAKE 128/256 callback wiring and tests, along with fix to devCTX initialization. 2026-06-22 13:35:37 -06:00
Aidan Garske 41fad5f307 Fix and expand tinytls13 footprint profile across CI configs
Make every --enable-tinytls13 spelling build and pass locally, and grow the
CI matrix to cover them. These are fixes found while testing the configs the
CI workflow had not actually exercised.

- internal.h, internal.c, ssl_load.c: include ML-DSA and Falcon in the
  pkCurveOID member and producer guards so the PSK plus ML-DSA build compiles.
- tls13.c: gate the DoTls13CertificateVerify definition on NO_CERTS to match
  its call site.
- settings.h: let the AES-256 adder survive the floor, default the
  user_settings path to the SHA-256 floor, make WOLFSSL_NO_MALLOC opt-in so
  the test suite still runs, and keep ML-DSA ASN.1 for the cert profile.
- configure.ac: drive ENABLED_ASM and emit WOLFSSL_NO_ASM for the small C
  floor, restrict SP math to P-256, strip ML-DSA ASN.1 only on the PSK floor,
  and print a notice for the reduced security cert verify.
- examples: guard the cert loading paths for NO_CERTS and treat NO_CERTS as
  PSK mode in echoserver and echoclient.
- Add examples/configs/tinytls13_smoke.c, an in memory TLS 1.3 handshake test
  that drives PSK, ECDSA, ML-DSA-65 and RSA-PSS chain verify, plus forced
  cipher suites, for builds with no example or unit test harness.
- certs: add ECDSA leaves signed by the ML-DSA-65 and RSA-PSS CAs so the cert
  profiles drive a real PQC and PSS chain verify in CI.
- .github/workflows/tinytls13.yml: cover every profile and adder, run the
  smoke handshake on the build verified configs, and least privilege the
  workflow token.
2026-06-22 12:08:58 -07:00
Sean Parkinson 0481cba126 ARM64 ASM: optimizations
Fewer instructions in assembly for minor improvements.
2026-06-20 08:56:52 +10:00