Commit Graph

28660 Commits

Author SHA1 Message Date
David Garske a3ef93567e Merge pull request #10147 from julek-wolfssl/ocsp-responder-docs
Add documentation for new OCSP responder and cert accessor APIs
2026-04-09 11:42:03 -07:00
JacobBarthelmeh 044a5f8b81 Merge pull request #10143 from dgarske/qat_aes_gcm
Improve QAT AES GCM tag checking
2026-04-09 09:40:25 -06:00
Sean Parkinson 3e0679ee17 Merge pull request #10156 from douzzer/20260407-SHA3-unaligned-access
20260407-SHA3-unaligned-access
2026-04-09 18:47:06 +10:00
Sean Parkinson 6617863249 Merge pull request #10145 from Frauschi/ecc_follow_up
ECC curve validation follow-up
2026-04-09 18:35:56 +10:00
Sean Parkinson 2a064607e4 Merge pull request #10150 from julek-wolfssl/enable-ocsp-responder-disable-tls13
Guard OCSP signature params with WC_RSA_PSS ifdef
2026-04-09 18:13:00 +10:00
Sean Parkinson 139042e6d5 Merge pull request #10159 from Frauschi/dual_alg_fix
Fix build failure for DUAL_ALG_CERTS
2026-04-09 18:00:47 +10:00
David Garske 1d363f3adc Merge pull request #10163 from JacobBarthelmeh/release
prepare for release 5.9.1
2026-04-08 10:40:06 -07:00
Juliusz Sosinowicz bfad5398b1 MSVC: replace UINT32_MAX with WOLFSSL_MAX_32BIT in dilithium.c 2026-04-08 10:00:52 -07:00
JacobBarthelmeh 719e98f717 prepare for release 5.9.1 2026-04-08 07:34:41 -06:00
Juliusz Sosinowicz 78e5ae3978 Address review comments 2026-04-08 11:35:48 +02:00
Tobias Frauenschläger 178d2f61f4 Fix build with WOLFSSL_DUAL_ALG_CERTS and HAVE_PK_CALLBACKS 2026-04-08 10:18:00 +02:00
Daniel Pouzzner 750f3b119e Merge pull request #10088 from anhu/new_various
Various security fixes and tests
2026-04-07 22:13:18 -05:00
JacobBarthelmeh 4fd0df42e7 add adjustment for review 2026-04-07 21:08:11 -06:00
JacobBarthelmeh 9a79c412a5 Merge pull request #10154 from douzzer/20260407-fips-ready-WC_FIPS_186_4
20260407-fips-ready-WC_FIPS_186_4
2026-04-07 16:46:16 -06:00
JacobBarthelmeh 7f84fb2624 Merge pull request #10152 from douzzer/20260407-BLAKE-gating
20260407-BLAKE-gating
2026-04-07 16:18:09 -06:00
JacobBarthelmeh d1c6423b82 make the padding check constant time and move evp exponent print size macro to local file 2026-04-07 16:09:52 -06:00
David Garske 852ddcb37d Improve QAT AES GCM tag checking 2026-04-07 13:53:41 -07:00
Daniel Pouzzner 296148b4e6 wolfcrypt/src/sha3.c: fix Load64Unaligned() implementation with unaligned integer access when WC_SHA3_FAULT_HARDEN && !BIG_ENDIAN_ORDER. 2026-04-07 15:39:31 -05:00
JacobBarthelmeh ecfd1174bb refactor sanity pointer set of session and clean up macro guards 2026-04-07 14:10:25 -06:00
Daniel Pouzzner 5fa8b1535a wolfssl/wolfcrypt/settings.h: for fips-ready, set WC_FIPS_186_4, not _5, to match v5/v6. 2026-04-07 14:35:15 -05:00
Daniel Pouzzner 60d1e222b2 globally fix all "BLAKE2" references (implicit BLAKE2B) to explicit "BLAKE2B":
* implement legacy compatibility in settings.h and configure.ac (adds --enable-blake2b while retaining --enable-blake2);
* fix incorrect Blake2 gates in wolfcrypt/src/hash.c wc_HashGetDigestSize() and wc_HashGetBlockSize();
* in wolfcrypt/test/test.c hash_test(), backfill missing Blake2 test coverage and separate blake2b from blake2s in typesHashBad[];
* in tests/api/test_hash.c, separate blake2b from blake2s in notCompiledHash[], sizeSupportedHash[], and sizeNotCompiledHash[].
2026-04-07 13:18:53 -05:00
JacobBarthelmeh ad1cc4e87f adjust test case return value check after rebase 2026-04-07 10:26:16 -06:00
Paul Adelsbach c335f7dd6f Remove UTF-8 chars
Get rid of weird character

Fix warning found by CI

Style changes

Addressed 1 and 2.
2026-04-07 10:07:12 -06:00
Anthony Hu 2e32094545 Add regression tests for fixes 2026-04-07 10:05:56 -06:00
Anthony Hu 5bd5f36dff Fix RSA exponent printing (ZD 21426)
Increase buff size from 8 to 24 bytes in PrintPubKeyRSA and related
EVP PKEY print functions.
2026-04-07 10:05:48 -06:00
Anthony Hu 985cceaa97 Fix session cache restore dangling pointer (ZD 21423)
Reinitialize pointer fields in WOLFSSL_SESSION after raw XMEMCPY or
XFREAD in wolfSSL_memrestore_session_cache and
wolfSSL_restore_session_cache. After restore, ticket is reset to
staticTicket, ticketLenAlloc to 0, and peer to NULL.
2026-04-07 10:05:31 -06:00
Anthony Hu c563f3932a Fix PKCS7 CBC padding oracle in EnvelopedData and EncryptedData (ZD 21422)
Replace single last-byte padding check with full PKCS#5/PKCS#7
validation: verify padLen is non-zero and within block size.
Both wc_PKCS7_DecodeEnvelopedData and wc_PKCS7_DecodeEncryptedData
paths are fixed.
2026-04-07 10:05:21 -06:00
Anthony Hu d14b506c51 Fix Dilithium with USE_INTEL_SPEEDUP (ZD 21417)
Add check before word32 addition in dilithium_hash256() that
could wrap to zero, bypassing the size check.
Also reject absurdly large msgLen (> UINT32_MAX/2) in
wc_dilithium_verify_ctx_msg.
2026-04-07 10:04:41 -06:00
Anthony Hu b3278af8dc Fix wc_*_delete() functions (ZD 21415)
Save key->heap before calling wc_*_free(), which zeros the entire key
structure via ForceZero. The saved heap pointer is then passed to XFREE
instead of the now-zeroed key->heap.
2026-04-07 10:04:35 -06:00
Anthony Hu e0421828ff Fix TLS 1.3 PQC key share over heap read (ZD 21413)
Validate that the received key share data length (keLen) is at least
as large as the expected ciphertext size (ctSz) before passing it to
wc_KyberKey_Decapsulate. A malicious TLS 1.3 server could send a
short ML-KEM key share.
2026-04-07 10:04:19 -06:00
Juliusz Sosinowicz 8d54e2213f Guard OCSP signature params with WC_RSA_PSS ifdef
OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS is only defined when WC_RSA_PSS
is enabled but was used unconditionally in EncodeBasicOcspResponse,
causing a build error when WC_RSA_PSS is not defined.
2026-04-07 17:30:30 +02:00
JacobBarthelmeh 7aac9e5766 Merge pull request #10139 from philljj/fix_nightly_mem
Fix nightly mem
2026-04-07 09:08:01 -06:00
Juliusz Sosinowicz a96f20e26b Add documentation for new OCSP responder and cert accessor APIs 2026-04-07 14:25:35 +02:00
Tobias Frauenschläger 06e63f0a7b ECC curve validation follow-up 2026-04-07 12:40:44 +02:00
philljj b5874a6d9e Merge pull request #10132 from douzzer/20260404-default_rng_bank
20260404-default_rng_bank
2026-04-06 22:54:20 -05:00
Daniel Pouzzner efe6ad4bd6 Merge pull request #10116 from Frauschi/zd21457
Additional fixes
2026-04-06 20:23:25 -05:00
Daniel Pouzzner 9347c895fc Merge pull request #10133 from Frauschi/ecc_curve_validation
Improved ECC curve validation
2026-04-06 20:20:35 -05:00
Daniel Pouzzner ede15b4ff4 Merge pull request #10137 from JacobBarthelmeh/acert
fix for acert builds
2026-04-06 19:17:48 -05:00
Daniel Pouzzner 32502e9963 Merge pull request #10102 from Frauschi/zd21460
Various fixes
2026-04-06 18:41:31 -05:00
Daniel Pouzzner 995092362f Merge pull request #10126 from julek-wolfssl/fenrir/20260302
Fenrir fixes
2026-04-06 18:40:11 -05:00
Daniel Pouzzner 0afd9f8819 Merge pull request #10127 from rlm2002/coverity
Coverity change 03042026
2026-04-06 18:24:22 -05:00
Daniel Pouzzner 4924402051 Merge pull request #10125 from kareem-wolfssl/zd21521
Add sz check to ChachaAEADDecrypt to prevent potential underflow.
2026-04-06 18:23:25 -05:00
Daniel Pouzzner 53a3d23ce6 Merge pull request #10131 from douzzer/20260403-WC_FIPS_186
20260403-WC_FIPS_186

approved by @JacobBarthelmeh, @Frauschi, and @dgarske.
2026-04-06 18:22:27 -05:00
Daniel Pouzzner 1d6f295113 wolfssl/wolfcrypt/md2.h and wolfssl/wolfcrypt/md4.h: fix stray commas in compat #defines. 2026-04-06 18:09:48 -05:00
Tobias Frauenschläger e32e926f4e evp: fix EVP_PKEY2PKCS8 returning NULL for private-key-only EC keys
When an EC_KEY is created via EC_KEY_new + EC_KEY_set_group +
EC_KEY_set_private_key (no public point set), SetECKeyInternal
incorrectly marks the internal ecc_key as ECC_PRIVATEKEY (instead of
ECC_PRIVATEKEY_ONLY) because pub_key is always non-NULL — EC_KEY_new
always allocates it as an empty, zero-initialised EC_POINT.

ECC_populate_EVP_PKEY only calls wc_ecc_make_pub for ECC_PRIVATEKEY_ONLY
keys, so the zero public-key point was serialised into the DER stored in
pkey->pkey.ptr.  After commit 929dd9913 made wc_ecc_import_x963_ex always
pass untrusted=1, the re-decode inside wolfSSL_EVP_PKEY2PKCS8 →
wolfSSL_d2i_PrivateKey_EVP correctly rejected that zero point with an
on-curve failure, causing EVP_PKEY2PKCS8 to return NULL.

Fix: in ECC_populate_EVP_PKEY, also call wc_ecc_make_pub when the key
type is ECC_PRIVATEKEY but pubkey.x is zero (meaning the public key was
never actually populated).  This reconstructs the public key from the
private scalar so that the encoded DER contains a valid on-curve point.
2026-04-06 21:18:32 +02:00
Tobias Frauenschläger 0fb2d2ec11 ecc: fix invalid-curve attack via missing on-curve validation
wc_ecc_import_x963_ex2 only checked whether an imported public point
lies on the intended curve when both USE_ECC_B_PARAM was compiled in
and the caller passed untrusted=1. In a default ./configure build,
USE_ECC_B_PARAM is not defined, so the check was compiled out entirely.
Additionally, the legacy wrapper wc_ecc_import_x963_ex unconditionally
passed untrusted=0, meaning ECIES (wc_ecc_decrypt), PKCS#7 KARI, and
the EVP ECDH layer never triggered the check even when the macro was
present. In the OpenSSL compatibility layer, wolfSSL_ECPoint_d2i
guarded its on-curve check behind !wolfSSL_BN_is_one(point->Z), but
wc_ecc_import_point_der_ex always sets Z=1 for uncompressed points,
making the check dead code.

An attacker who can supply an EC public key (e.g. via an ECIES
ciphertext, PKCS#7 enveloped-data, EVP_PKEY_derive, or
EC_POINT_oct2point + ECDH_compute_key) can choose a point on a twist
of the target curve with a smooth-order subgroup. Each ECDH query
leaks the victim's static private scalar modulo a small prime; CRT
reconstruction across enough queries recovers the full key
(Biehl-Meyer-Müller invalid-curve attack). Static-key ECIES and PKCS#7
KARI are directly affected; TLS is affected in default builds because
the USE_ECC_B_PARAM gate defeated the untrusted=1 flag that the
handshake does pass.

Four changes close the attack:

1. Remove the USE_ECC_B_PARAM gate completely in the code base so that
   wc_ecc_point_is_on_curve() is compiled in all builds, not only
   those with HAVE_COMP_KEY or OPENSSL_EXTRA (only set for legacy FIPS
   builds in settings.h).

2. wc_ecc_import_x963_ex: pass untrusted=1 to wc_ecc_import_x963_ex2
   so that ECIES, PKCS#7 KARI, and EVP callers that go through the
   four-argument wrapper always validate the imported point.

3. wc_ecc_import_x963_ex2: use the lightweight sp_ecc_is_point_NNN
   helpers (curve-equation check only) instead of sp_ecc_check_key_NNN
   (which additionally performs a full point*order scalar multiply).
   For prime-order curves (P-256, P-384, P-521, SM2) the on-curve
   equation check y^2 = x^3 + ax + b is sufficient to defeat
   invalid-curve attacks — every non-identity point on a prime-order
   curve has the full group order, so the expensive order-multiply
   check is unnecessary. This avoids the ~50% ECDH performance
   regression caused by the redundant scalar multiplication.

4. wolfSSL_ECPoint_d2i (pk_ec.c): add unconditional on-curve
   validation via wolfSSL_EC_POINT_is_on_curve after import. The
   existing check was gated on !wolfSSL_BN_is_one(point->Z) and
   therefore dead code for all uncompressed-point imports. This closes
   the OpenSSL compat layer attack path (EC_POINT_oct2point followed
   by ECDH_compute_key).

Non-SP curves fall back to wc_ecc_point_is_on_curve which performs the
same equation check using mp_int arithmetic.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-06 21:18:32 +02:00
Daniel Pouzzner 31d0fcef81 wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h: add new wc_rng_bank_default facility:
* wc_rng_bank_default_set()
  * wc_rng_bank_default_checkout()
  * wc_rng_bank_default_checkin()
  * wc_rng_bank_default_clear()

  * Added additional argument error checking to existing APIs, with a new
    rng_inst_matches_bank() helper function.

  * Implemented feature gates WC_RNG_BANK_DEFAULT_SUPPORT and
    WC_RNG_BANK_NO_DEFAULT_SUPPORT.  When WC_RNG_BANK_DEFAULT_SUPPORT, the new
    APIs are available, and a NULL bank passed to APIs implicitly refers to the
    default bank.

wolfcrypt/test/test.c: in random_bank_test() add comprehensive smoke test coverage of new APIs and argument checking.

wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/wc_port.c:

  * Add wolfSSL_RefInc2(), wolfSSL_RefDec2(), wolfSSL_RefWithMutexInc2(), and
    wolfSSL_RefWithMutexDec2(), returning the atomically determined new count in
    the second arg;

  * Fix type of second arg in the fallback definition of
    wolfSSL_Atomic_Ptr_CompareExchange().

linuxkm/lkcapi_sha_glue.c:

  Refactor the _REGISTER_HASH_DRBG / _REGISTER_HASH_DRBG_DEFAULT facility around
  the new wc_rng_bank_default facility, eliminating post-init use of
  kernel-native crypto_default_rng, crypto_get_default_rng(), and
  crypto_put_default_rng(), and eliminating all use on kernel 7.1+ (where these
  will become unexported kernel-native statics).  With the refactor, the
  LINUXKM_DRBG_GET_RANDOM_BYTES facility uses only direct native wolfCrypt
  objects and calls to fulfill requests.

wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c, wolfcrypt/test/test.c, tests/api.c: add WC_SUCCESS = 0 "wolfCrypt generic success".
2026-04-06 14:06:20 -05:00
jordan 01689b837f tests api: use XFREE instead of free in dual_alg tests. 2026-04-06 14:00:08 -05:00
jordan f48fd9595d test_pkcs7: use XFREE instead of free. 2026-04-06 13:53:11 -05:00
JacobBarthelmeh f6b022883f fix for acert builds 2026-04-06 11:17:01 -06:00