- Add a GitHub Actions workflow to automate testing of Python integration
- Implement Blake2b and Blake2s hash functions into the EVP API.
- Improve OpenSSL compatibility by standardizing ASN.1 encoding for
serial numbers and registered IDs, streamlining cipher stack management, and optimizing stack node copying.
- Enforce maximum fragment size during data transmission to ensure proper TLS/DTLS record fragmentation.
ML-DSA: check pointer to the y parameter has not be faulted.
ML-KEM: to harden against faultiong, use a different buffer for private
seed, sigma, and add a check that the buffer was copied correctly.
SHA-3: fix size of check variables.
ToTraditionalInline_ex2 original ASN code:
- Now return 0 when no OCTECT_STRING data found.
- Change callers to accept 0 as a valid returnb value.
SizeASN_Items:
- Change encoded size to word32 as won't be negative.
- Change callers to supply a pointer to a word32 instead of integer.
Fix casting due to change of parameter type.
ASN_LEN_ENC_LEN: Function to calculate the length of the encoded ASN.1
length.
GetLength_ex:
- Change minLen to word32
- Change length to word32 and change negative check appropriately for
different type.
GetASNHeader_ex:
- If not checking lengths in GetLength_ex, check it here.
DecodeObjectId:
- Ensure no overflow in calculation.
_RsaPrivateKeyDecode (original)
- Clear RSA integers on failure (will be done in free anyway).
wc_CreatePKCS8Key (original):
- safe check of overflow.
DecryptContent (templare):
- Parse will fail if OID not recognized, and recognized OIDs are 9/10
bytes long - but check idx is 9/10 anyway so we know we can read 2 end
bytes of data.
wc_RsaPublicKeyDecode_ex (original):
- Fix calculation of seqEndIdx and use it to bound modulus and
exponent.
DecodePolicyOID
- enusre inSz is not too long.
- Ensure no overflow in calculation.
SetOidValue (orginal):
- Safe check of inSz and oidSz.
SetAltNames (original):
- Improve length checks
FlattenAltNames:
- Check for overflow.
- Better length check.
ParseCRL_CertList (original):
- overflow check
* for aarch64/arm64, only add -mno-outline-atomics if the compiler supports it.
* in ENABLED_LINUXKM_PIE setup, avoid -fPIE on arm32 <5.11 (missing reloc support).
linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, and wolfcrypt/src/wc_port.c: gate interception of alt_cb_patch_nops() on kernel >= 6.1.
linuxkm/linuxkm_wc_port.h: define WC_LINUXKM_SUPPORT_DUMP_TO_FILE implicitly when WC_SYM_RELOC_TABLES && DEBUG_LINUXKM_PIE_SUPPORT.
linuxkm/module_hooks.c: fixes for text_dump_path and rodata_dump_path handler code.