Commit Graph

11359 Commits

Author SHA1 Message Date
David Garske c73f431687 Merge pull request #10392 from JeremiahM37/fenrir-5
wolfCrypt input validation and side-channel hardening
2026-05-05 12:24:17 -07:00
Daniel Pouzzner c1b2660a08 Merge pull request #10396 from douzzer/20260501-fips-v7-fixes
20260501-fips-v7-fixes -- reviewed+approved by @Frauschi
2026-05-05 14:20:49 -05:00
David Garske b47f71678d Merge pull request #10363 from MarkAtwood/fix/curve25519-clamp-check-rule3
fix: curve25519 clamp check missing rule 3 (bit 6 of byte 31) (ZD-21731)
2026-05-05 12:16:06 -07:00
David Garske 00abce3474 Merge pull request #10310 from cconlon/d2iMLDSA
Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey
2026-05-05 12:11:49 -07:00
David Garske 7de26312e6 Merge pull request #10378 from rlm2002/fenrir
Various PKCS12 Fixes
2026-05-05 12:07:17 -07:00
David Garske 3a1f51d2e6 Merge pull request #10388 from Frauschi/slh-dsa_Wconversion
SLH-DSA Wconversion fixes
2026-05-05 12:04:22 -07:00
David Garske 15b10454bc Merge pull request #10340 from JeremiahM37/fenrir-3
harden falcon key handling
2026-05-05 11:57:41 -07:00
David Garske c3cd71ea02 Merge pull request #9965 from kojo1/mldsa
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id
2026-05-05 11:57:06 -07:00
David Garske 519c08ae32 Merge pull request #10121 from JacobBarthelmeh/bench
use heap hints where possible in benchmark
2026-05-05 11:56:04 -07:00
David Garske d4d1f03fef Merge pull request #10333 from JacobBarthelmeh/oss-fuzz
change call to GetSigAlg in ASN original to sanity check length
2026-05-05 11:55:21 -07:00
David Garske 87536214bf Merge pull request #10375 from LinuxJedi/STSAFEA120Sim
Add STSAFE A120 CI support
2026-05-05 11:53:29 -07:00
David Garske 5074cf3726 Merge pull request #10366 from embhorn/zd21744
Fix CUDA with WOLFSSL_AES_SMALL_TABLES
2026-05-05 11:51:01 -07:00
David Garske 5266329c9a Merge pull request #10352 from embhorn/zd21724
Fix static / mem tracker build error
2026-05-05 11:48:16 -07:00
David Garske 9b1167772d Merge pull request #10350 from LinuxJedi/ATECC608Sim
Add ATECC608 CI tests
2026-05-05 11:45:45 -07:00
David Garske 678ddd6c73 Merge pull request #10339 from embhorn/zd21707
Fix handling of otherName in ConfirmNameConstraints
2026-05-05 11:41:28 -07:00
David Garske b0fca9df10 Merge pull request #10276 from padelsbach/asn1-time-chars-check
Add checks for ascii digits in time decode functions
2026-05-05 11:38:47 -07:00
David Garske aaca0948e8 Merge pull request #10335 from julek-wolfssl/pkcs11-hmac-session
wolfcrypt/src/wc_pkcs11.c: cache PKCS#11 session across multi-call HMAC
2026-05-05 11:33:10 -07:00
David Garske 04984a5d5e Merge pull request #10346 from Frauschi/ecc_leak_fix
Prevent ECC tmp key leak and UB
2026-05-05 11:32:48 -07:00
David Garske 7e9635df19 Merge pull request #10208 from ColtonWilley/bio-io-negative-length-checks
Guard against negative length in BIO, I/O callbacks and PKCS12 PBKDF
2026-05-05 11:32:21 -07:00
David Garske d793452264 Merge pull request #10353 from julek-wolfssl/dtls-13-client-only
DTLS 1.3 client-only minimum: WOLFSSL_DTLS_ONLY + autoconf cascade
2026-05-05 11:24:44 -07:00
David Garske 80c9d3f048 Merge pull request #10183 from douzzer/20260409-IsValidFQDN
20260409-IsValidFQDN
2026-05-05 11:22:51 -07:00
David Garske c0bc5efe31 Merge pull request #10307 from padelsbach/nxp-aes-multiblock
Fix AES multiblock issues for NXP DCP
2026-05-05 10:56:21 -07:00
Daniel Pouzzner 610b109241 fixes for fips#379 and related:
linuxkm/Makefile, linuxkm/linuxkm-fips-hash-wrapper.sh, linuxkm/linuxkm_memory.c: refactor coreKey extraction to use ELF tools rather than WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE and user_settings.h.

linuxkm/module_hooks.c: add stack measurement for wc_RunAllCast_fips().

tests/api/test_slhdsa.c: frivolous initialization to work around a false positive -Wmaybe-uninitialized in slhdsa_der_roundtrip_one().

wolfcrypt/src/wc_slhdsa.c,  wolfssl/wolfcrypt/wc_slhdsa.h:
* refactor lifecycle management for SHA-2 objects to fix a leak via wc_SlhDsaKey_CheckKey().
* add support for WC_SLHDSA_NO_ASM.
* add WOLFSSL_SLHDSA_VERIFY_ONLY gates around prototypes, to get compile-time failures for misuse.

wolfcrypt/test/test.c:
* clean up myFipsCb() and restore usability of TEST_ALWAYS_RUN_TO_END with bad FIPS hash (useful test coverage).
* add wc_RunAllCast_fips() to wolfcrypt_test().
* when WOLFSSL_KERNEL_MODE or BENCH_EMBEDDED, force on WOLFSSL_SLHDSA_VERIFY_ONLY unless WOLFSSL_SLHDSA_FORCE_FULL_TESTS is defined.

wolfssl/wolfcrypt/settings.h:
* add WC_MLKEM_NO_ASM to WOLFSSL_LINUXKM section to work around asm bug.
* remove clause in WOLFSSL_KERNEL_MODE section that forced on WOLFSSL_SLHDSA_VERIFY_ONLY.
2026-05-05 11:02:13 -05:00
Thomas Cook 5e0cb5eab3 Merge branch 'master' into lpc55s69_crypto 2026-05-05 10:20:39 -04:00
Thomas Cook 30fc5887ee Address PR comments 2026-05-05 10:20:21 -04:00
Thomas Cook 9605d96ccb Fix rsa acceleration exponent issue, turn back on. 2026-05-05 10:20:21 -04:00
Thomas Cook 83799e3767 Fix multi-test issues 2026-05-05 10:20:21 -04:00
Thomas Cook 1e2ab2c7c8 more pr fixes 2026-05-05 10:20:21 -04:00
Jeremiah Mackey 6a1b737dae PKCS7 PWRI decrypt: parse PBKDF2 prf 2026-05-05 04:36:16 +00:00
Jeremiah Mackey 9f79f79d86 wc_Entropy_GetRawEntropy: hold entropy_mutex 2026-05-05 04:36:16 +00:00
Jeremiah Mackey 19ff338be9 mp_cond_swap_ct: branchless masked XOR 2026-05-05 04:36:16 +00:00
David Garske 02dfd12466 Merge pull request #10376 from rlm2002/coverity
20260501 Coverity Fixes
2026-05-04 15:15:11 -07:00
Jeremiah Mackey f3c3687efc wc_hash2sz: fix SHA-224 size to 28 2026-05-04 17:18:39 +00:00
Jeremiah Mackey cf9f852db6 validate preconditions at public API boundary 2026-05-04 17:18:39 +00:00
Chris Conlon fe4473fbea Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey. 2026-05-04 09:24:02 -06:00
Tobias Frauenschläger bbcfa97144 SLH-DSA Wconversion fixes 2026-05-04 13:58:00 +02:00
Takashi Kojo 1a6dee2bb3 Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id 2026-05-02 08:13:08 +09:00
Takashi Kojo 4c04ba306b fix error case in d2iTryAltDhKey 2026-05-02 08:13:08 +09:00
JacobBarthelmeh da440d19a8 account for FIPS ready build and SE050 test 2026-05-01 16:00:19 -06:00
Daniel Pouzzner 7b5330391b Merge pull request #10051 from anhu/mp_int_bounds
Add bounds checks for MP integer size in SizeASN_Items
2026-05-01 15:32:18 -05:00
Ruby Martin 3137d62cf3 fix issue where ToTraditional_ex may assign negative value to *pkeySz 2026-05-01 14:06:51 -06:00
Ruby Martin 00e1fa651f Adds tmpSz so int is not cast to word32 in wc_d2i_PKCS12 2026-05-01 13:36:33 -06:00
Ruby Martin 001939d663 Call ForceZero on sensitive buffers 2026-05-01 13:36:33 -06:00
JacobBarthelmeh b3e9e51967 extra sanity check for hash of all 0's 2026-05-01 13:27:39 -06:00
JacobBarthelmeh 5b4ad8690e update function comments 2026-05-01 09:43:52 -06:00
JacobBarthelmeh d9361e2d8c use INVALID_DEVID in benchmark and copy over heap hint with XMSS export pub 2026-05-01 09:43:51 -06:00
JacobBarthelmeh 78564f0c78 fix XMSS heap hint use 2026-05-01 09:43:25 -06:00
JacobBarthelmeh e5d27b61dc use heap hints where possible in benchmark 2026-05-01 09:43:24 -06:00
Ruby Martin c2d44b4359 Bound by curSz in PKCS12 ContentInfo parsing 2026-05-01 09:37:45 -06:00
Ruby Martin 3a799bd451 zeroize unicodePasswd before breaking 2026-05-01 09:21:04 -06:00