Commit Graph

29626 Commits

Author SHA1 Message Date
Kareem 6aadfaa9ca Code review feedback 2026-05-12 10:30:24 -07:00
Kareem 2dc257834d Code review feedback 2026-05-12 10:30:24 -07:00
Kareem d9985b8a81 Add configure and CMake options for WOLF_CRYPTO_CB_RSA_PAD.
Fixes #10271.
2026-05-12 10:30:24 -07:00
Kareem 75e38c360f NULL check wolfSSL_get_cipher_name_by_hash arguments.
Thanks to Cal Page for the report.
2026-05-12 10:30:24 -07:00
Kareem ef7671f664 In DoTls13CertificateRequest, avoid assigned the CertReqCtx to the SSL object until the function has finished.
This avoids ssl->certReqCtx being set when the function returns an error.
Thanks to Cal Page for the report.
2026-05-12 10:30:24 -07:00
Kareem 86d9a6f212 In Tls13_Exporter, check all length arguments before casting and using them.
Thanks to Cal Page for the report.
2026-05-12 10:30:24 -07:00
David Garske eecb8cc601 Merge pull request #10461 from SparkiDev/tls13_cipher_fuzzing
TLSv1.3 testing: add fuzz test of decryption
2026-05-12 09:26:53 -07:00
David Garske 32439c975f Merge pull request #10448 from SparkiDev/lms_fixes_1
LMS: fixes and improvements
2026-05-12 09:26:42 -07:00
David Garske 2239fc336b Merge pull request #10430 from SparkiDev/mlkem_avx2_fixes
ML-KEM: fix AVX2 assembly
2026-05-12 09:25:54 -07:00
David Garske f8bc0ce95a Merge pull request #10457 from danielinux/iotsafe-fix-tls-wrapper
IDE/iotsafe: fix memory TLS wrapper and example build
2026-05-12 09:23:28 -07:00
David Garske 15f3f7b102 Merge pull request #10439 from ejohnstown/octeon-fix
port/cavium: fix Octeon AES-GCM AAD GHASH bug
2026-05-12 09:22:10 -07:00
Sean Parkinson df5b2b6cb1 test.c: Improved testing
Top-level test extraction into typed sub-functions

- Digest tests (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,
SHA-512/224,   SHA-512/256, SHA-3 224/256/384/512, SHAKE128/256): each
test category (KAT, large-hash, copy-cleanup, unaligned-memory,
interleave, copy-Sha3 heap-allocation pattern) is now its own static
wc_test_ret_t function rather than inline blocks inside one giant
top-level test.
- rsa_test: extracted rsa_pkcs1_test, rsa_cert_parse_test,
rsa_pub_key_decode_test, rsa_certreq_test.
- ecc_test: extracted ecc_test_all_curves, ecc_test_all_deterministic_k
from the dispatcher; ecc_encrypt_combos_test from ecc_encrypt_test;
ecc_buffers_encrypt_test, ecc_buffers_sign_verify_test,
ecc_buffers_pub_key_decode_test from ecc_test_buffers.
- dh_test: extracted dh_keyagree_test, dh_check_priv_key_test,
dh_agree_ct_test, dh_key_import_export_test, dh_set_check_key_test.
- Curve25519 / Ed25519 / Curve448 / Ed448: extracted KAT, key-agreement,
ASN, and rare-sig sub-tests from each top-level dispatcher.
- Cipher tests: extracted streaming sub-tests from aesofb_test,
aescfb_test, aes_cts_test (aes_cts_192/256_stream_test).

Coverage additions

- Added state-copy testing inside the SHA-3 KAT loops (matching the
existing pattern in SHA-1/224/256/etc. KAT loops).
- Added a SHA-224 large-hash test (parity with the other digest
families).
- Added copy-cleanup tests for SHA-512/224 and SHA-512/256.
- Added Unaligned memory access testing to all *_large_hash_test
functions (MD5, SHA-1/224/256/384, SHA3-224/256/384/512), matching the
pattern that previously only existed for SHA-512/224/256.
2026-05-12 09:21:00 -07:00
David Garske 3e6efbac52 Merge pull request #9567 from jackctj117/serial-0
Allow serial number 0 for root CA certificates
2026-05-12 09:19:56 -07:00
David Garske 33efd8c9b3 Merge pull request #10050 from anhu/pbkdf_max
Add upper limit to PBKDF iteration count
2026-05-12 09:10:54 -07:00
JeremiahM37 f60f8cd965 Clamp sakke_xor_in_v write to buffer length 2026-05-12 16:04:45 +00:00
Daniel Pouzzner 7cfc9e9103 Merge pull request #10465 from Frauschi/slhdsa_pre_hash
SLH-DSA fixes
2026-05-12 10:38:49 -05:00
Juliusz Sosinowicz 415f4f0504 tests: add OCSP responder CertID issuerKeyHash binding test
Adds resp_certid_keyhash_mismatch — a forged response signed by the
legitimate ocsp-responder whose CertID pairs the legitimate root CA's
issuerNameHash with the imposter root CA's issuerKeyHash. The new
test_ocsp_responder_keyhash_binding asserts wolfSSL_OCSP_basic_verify
rejects it, exercising the fix that requires both halves of the
CertID to match the responder's issuer.
2026-05-12 14:36:00 +02:00
Juliusz Sosinowicz 49906319f6 ocsp: address review feedback on PR 10303
- Use KEYID_SIZE for Signer key-hash comparisons since
  Signer.{subject,issuer}KeyHash is sized KEYID_SIZE, not OCSP_DIGEST_SIZE.
- Rename subjectHash/issuerHash to subjectNameHash/issuerNameHash in
  CheckOcspResponder/CheckOcspResponderChain to make the name-vs-key
  hash distinction explicit.
- Expand the Signer.issuerKeyHash field comment to clarify it is the
  subject key hash of the immediate issuer CA.
- Add an imposter-root-ca cert (same DN as root-ca, different RSA key)
  for tests that need to exercise the new CertID issuerKeyHash binding.
2026-05-12 14:36:00 +02:00
Juliusz Sosinowicz 0735a0a7b5 ocsp: bind responder authorization to CertID issuerKeyHash
Addresses ZD21675
2026-05-12 14:36:00 +02:00
Sean Parkinson d7bdfd3e90 Merge pull request #10349 from rizlik/dtls13_rtx_fixes
DTLS13:  Fixes unnecessary client rtx and increase server robustness
2026-05-12 22:19:56 +10:00
Sean Parkinson 6942797cd3 Merge pull request #10301 from julek-wolfssl/openssh-10.3p1
ci: add OpenSSH 10.3p1 to CI matrix
2026-05-12 22:10:10 +10:00
Sean Parkinson f436fb858e Merge pull request #10437 from gasbytes/CertManagerLoadCABufferType_MoveXMemset
zero-initialize DecodedCert immediately after allocation in wolfSSL_CertManagerCABufferType
2026-05-12 22:08:53 +10:00
Sean Parkinson 2c4f854962 Merge pull request #10447 from mattia-moffa/20260508-blake2-long-key-fix
Fix Blake2 oversized key path
2026-05-12 22:07:16 +10:00
Sean Parkinson 443861563d Merge pull request #10453 from LinuxJedi/fix-memtrack
Fix mem_track.h compile failure on multi-threaded non-Linux builds
2026-05-12 22:01:21 +10:00
Tobias Frauenschläger bec6c0fef2 SLH-DSA fixes
Follow up to PR #10450 with some minor fixes:

* FIPS 205 numbering: slh_sign is §10.2.1 Alg 22; slh_verify is Alg 24;
  hash_slh_verify is Alg 25 (impl comments and doxygen).
* Widen wc_SlhDsaKey_SignHashWithRandom's addRnd to const byte* to
  match wc_SlhDsaKey_SignWithRandom.
* Make the SLHDSA_PHMSG_MAX_LEN invariant explicit with a named
  SLHDSA_LARGEST_APPROVED_PHM_LEN constant and a wc_static_assert.
* SHAKE128/SHAKE256 round-trip and length-rejection coverage for both
  SignHash and VerifyHash.
* Doxygen: briefs for the five DER encode/decode APIs; accurate
  decoder failure-rollback wording; tighter return-code lists for
  Verify and VerifyMsg.
* ChangeLog: silent-failure caveat for raw messages whose length
  happens to equal the digest size of the chosen hashType.
2026-05-12 13:24:24 +02:00
William Beasley (The Capable Hub) ba0122628c cheri: Use conditional copy over bitmask arithmetic in sakke_modexp_loop
On CHERI casting mp_int pointers to wc_ptr_t for the bitmask
arithmetic strips the hardware capability tag. The reconstructed
pointer won't have a valid tag and will cause a tag violation when it
is dereferenced.

Under __CHERI_PURE_CAPABILITY__, replace the pointer arithmetic with
four mp_cond_copy calls that operate on the digit data directly.
This preserves the capability tags and accesses both accumulators
unconditionally.

Non-CHERI builds retain the original wc_off_on_addr path unchanged.

Signed-off-by: William Beasley (The Capable Hub) <wbeasley@thegoodpenguin.co.uk>
2026-05-12 10:11:58 +01:00
William Beasley (The Capable Hub) 225d1beda8 cheri: Increase OpenSSL compat holder sizes for MD5, SHA and RC4
wc_Md5, wc_Sha & Arc4 have all increased in size on CHERI

Signed-off-by: William Beasley (The Capable Hub) <wbeasley@thegoodpenguin.co.uk>
2026-05-12 10:11:58 +01:00
William Beasley (The Capable Hub) fd59db0a32 cheri: Increase size of argument buffer and align
CHERI pointers are capabilities and are larger than other platforms.
They also require 16-byte alignment.

Signed-off-by: William Beasley (The Capable Hub) <wbeasley@thegoodpenguin.co.uk>
2026-05-12 10:11:58 +01:00
William Beasley (The Capable Hub) 7cba06da8a cheri: Fix CHERI tag violation on constant time pointer selection
The branchless code in casts sp_int pointers to size_t for bitmask
arithmetic, then casts the result back to sp_int*.

On CHERI, pointer-to-integer casts strip the hardware capability tag.
The reconstructed pointer is tagless and cannot be dereferenced,
causing a tag-violation fault.

Add _sp_cond_copy that uses the bitmask on the digit data itself rather
than the addresses, this avoids needed to do pointer arithmetic.

On non-CHERI targets the behaviour is the same.

Signed-off-by: William Beasley (The Capable Hub) <wbeasley@thegoodpenguin.co.uk>
2026-05-12 10:11:54 +01:00
Sean Parkinson c1cf8ffb2e TLSv1.3 testing: add fuzz test of decryption
Fixes F-3478
Add a fuzzing test for each cipher that modifies a random byte at a
random offset of an encrypted message and checks that the reading fails
with an appropriate return and error code.
Fuzzes both sides 5 times each for each cipher suite.
2026-05-12 15:59:28 +10:00
David Garske a2b054e3b8 Merge pull request #10155 from aidangarske/fenrir-fixes-2
Add Negative Testing and Zeroization
2026-05-11 21:07:53 -07:00
Sean Parkinson 3c9423257f ML-KEM: fix AVX2 assembly
AVX2 not decompressing 5-bit values correctly.
AVX2 not comparing last 32 bytes of ciphertext.
Protect mlkemkey_get_k to only be compiled when make key is compiled in.
2026-05-12 13:32:19 +10:00
Sean Parkinson 218ddb449e Merge pull request #10394 from dgarske/sp_nonblock_rsa_dh
Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096
2026-05-12 13:25:43 +10:00
jordan 5918eabe2c wolfmath: fix mpSz cast. 2026-05-11 21:46:36 -05:00
John Safranek 82b30797a1 port/cavium: fix Octeon AES-GCM AAD GHASH bug
Octeon_AesGcm_SetAAD unconditionally ran XOR0/XORMUL1 on the partial-block
buffer after the main loop, which processed an extra all-zero block when
aadSz was a non-zero multiple of 16, corrupting the GCM tag. Guard the
trailing XOR/MUL with `if (remainder > 0)`.

Issue: F-3335
2026-05-11 14:39:06 -07:00
Daniel Pouzzner 3afa9018f4 Merge pull request #10450 from Frauschi/slhdsa_pre_hash
HashSLH-DSA APIs take the pre-hashed digest, not the raw message
2026-05-11 16:29:32 -05:00
Daniel Pouzzner 717ce03614 .wolfssl_known_macro_extras: clean up unneeded and out-of-order ents. 2026-05-11 16:24:09 -05:00
Daniel Pouzzner 0470910acb wolfcrypt/test/test.c: fix unused-result warnings and unencoded result codes in pwdbased_test(). 2026-05-11 16:23:39 -05:00
Daniel Pouzzner b2a56e7947 wolfcrypt/src/pwdbased.c:
* fix typography of wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() (peer review).
* refactor overflow prevention in wc_PKCS12_PBKDF_ex() to use WC_SAFE_SUM_UNSIGNED().

wolfcrypt/test/test.c: in pwdbased_test(), omit "INT_MAX MAC iterations" test if WOLFSSL_NO_MALLOC (uses wc_PKCS12_new_ex()).
2026-05-11 15:57:23 -05:00
Daniel Pouzzner 5b687baa94 wolfcrypt/test/test.c and wolfcrypt/test/test.h:
* add correct gating around pbkdf1_test(), pkcs12_pbkdf_test(), and scrypt_test() prototypes;
* add unit tests for wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() in pbkdf2_test();
* fix pkcs12_test() to skip the evilPkcs12 test if evil_p12 can't be parsed for any reason, mirroring the new stanza around evil_p12 in pwdbased_test().
2026-05-11 15:57:22 -05:00
Daniel Pouzzner f248b272db rename WC_PBKDF_MAX_ITERATIONS to WC_PBKDF_DEFAULT_MAX_ITERATIONS, raise it to 10000000, add wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get(), and restore new negative tests in pwdbased_test(). 2026-05-11 15:57:22 -05:00
Anthony Hu c4be7f3f59 API Docs 2026-05-11 15:57:22 -05:00
Anthony Hu 03ef4562e8 Known macros 2026-05-11 15:57:22 -05:00
Anthony Hu 1cd9caca02 Line length fixup and repro in second impl. 2026-05-11 15:57:22 -05:00
Anthony Hu e0e6610503 Comment fixup. 2026-05-11 15:57:22 -05:00
Anthony Hu 79b4efb9ea Limit was too low 2026-05-11 15:57:22 -05:00
Anthony Hu 0e7a094e83 get rid of bad tests 2026-05-11 15:57:22 -05:00
Anthony Hu 421826ed18 better macro gating in tests 2026-05-11 15:57:22 -05:00
Anthony Hu 685a6fee6d simplify the tests. 2026-05-11 15:57:22 -05:00
Anthony Hu 3f6c8316c7 Add upper limit to PBKDF iteration count
Add WC_PBKDF_MAX_ITERATIONS (default 100000) to cap the iteration
count in wc_PBKDF1_ex(), wc_PBKDF2_ex(), and wc_PKCS12_PBKDF_ex().
2026-05-11 15:57:22 -05:00