Juliusz Sosinowicz
643427040b
Clear seed buffer after dilithium key generation
...
F-767
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
4ee9a263f0
Fix resource leak in wc_InitEccsiKey_ex error path
...
F-752
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
b168bfaa6a
Check wc_ecc_init_ex return value in wc_GetKeyOID
...
F-749
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
265fbdb3dd
Check wc_InitRsaKey return value in wc_GetKeyOID
...
F-748
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
f56356a9b4
test_lms_write_key: check fwrite return
2026-03-16 15:15:11 -07:00
Juliusz Sosinowicz
43a36a17d4
Upgrade deprecated GitHub Actions to v4
...
F-876
2026-03-16 15:14:26 -07:00
Juliusz Sosinowicz
c6f41bce2f
Fix memory leak on hash failure in LoadCertByIssuer
...
F-721
2026-03-16 15:14:26 -07:00
Juliusz Sosinowicz
4596e9e1a7
Fix error return in InitSSL verify param path
...
F-720
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz
a9a9eae4d9
Fix error propagation in InitSSL QUIC path
...
F-719
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz
3ff051f3e4
Use secure wipe for RSA temporary
...
F-718
2026-03-16 15:14:25 -07:00
Juliusz Sosinowicz
0d7ef87f09
Fix bounds check in session deserialization
...
F-717
2026-03-16 15:14:25 -07:00
David Garske
b5c532703a
Merge pull request #9954 from kareem-wolfssl/gh9951
...
Fix potential overflows in used size calculation in generic, TI and SE050 hash functions.
2026-03-16 15:09:22 -07:00
David Garske
da635c9004
Merge pull request #9980 from anhu/sphincs_no_elseif
...
Fixes SPHINCS else-if chain key detection
2026-03-16 15:03:59 -07:00
David Garske
90377e10c5
Merge pull request #9979 from anhu/falcon_no_elseif
...
Fixes Falcon else-if chain key detection
2026-03-16 15:03:43 -07:00
David Garske
96661a5dab
Merge pull request #9977 from JacobBarthelmeh/multi-test
...
Minor fixes for nightly multi-test tool
2026-03-16 14:31:39 -07:00
JacobBarthelmeh
57f416fc43
Merge pull request #9961 from sebastian-carpenter/tls-ech-coverity
...
minor coverity fixes for tls ech code
2026-03-16 15:27:27 -06:00
Daniel Pouzzner
416072f298
Merge pull request #9969 from Frauschi/mlkem_wconversion
...
ML-KEM Wconversion fixes
2026-03-16 15:03:26 -05:00
David Garske
77c7418052
Merge pull request #9973 from JacobBarthelmeh/static_analysis
...
fix to sanity check on importing raw session key info
2026-03-16 13:46:53 -06:00
David Garske
87906a38ab
Merge pull request #9974 from JacobBarthelmeh/oss-fuzz
...
fix to free CRL reason extension
2026-03-16 13:46:34 -06:00
Andrew Hutchings
cfd819370a
Fix SE050 RSA-PSS signing, key cleanup, and mutex leaks
...
RSA-PSS fix:
Skip SE050 hardware path for RSA-PSS sign and verify operations in
RsaPublicEncryptEx() and RsaPrivateDecryptEx(). The SE050's PSS sign
API (Se05x_API_RSASign) is a hash-then-sign operation, which
double-hashes when wolfSSL passes a pre-computed digest (as done during
TLS CertificateVerify). PSS operations now fall through to the software
RSA path. PKCS#1 v1.5 signing continues to use SE050 hardware.
Key object leak fix:
Add se050_rsa_free_key() called from wc_FreeRsaKey() to erase
wolfSSL-allocated RSA key objects from SE050 persistent storage on
free. Without this, persistent key slots on the SE050 are never
reclaimed and eventually exhaust secure storage. Add matching
sss_key_store_erase_key() calls to se050_ecc_free_key(),
se050_ed25519_free_key(), and se050_curve25519_free_key(). Only keys
with keyId >= SE050_KEYID_START are erased (pre-provisioned keys are
left intact).
Mutex leak fix:
Add missing wolfSSL_CryptHwMutexUnLock() calls before early returns in
se050_rsa_sign(), se050_rsa_verify(), se050_rsa_public_encrypt(), and
se050_rsa_private_decrypt() when the algorithm lookup fails after the
mutex has already been acquired.
ZD 21212
2026-03-16 19:19:14 +00:00
JacobBarthelmeh
7de150eff0
Merge pull request #9975 from rlm2002/coverity
...
20260313 Coverity changes
2026-03-16 12:52:27 -06:00
Tobias Frauenschläger
987a705318
Fix stack tracking in wolfCrypt benchmark
2026-03-16 18:33:55 +01:00
Daniel Pouzzner
30d8cf1a66
Merge pull request #9971 from JacobBarthelmeh/linuxkm
...
Use ENOMEM return and add goto out on AAD error with linuxkm
2026-03-16 11:43:15 -05:00
Juliusz Sosinowicz
2051297ab0
DoTls13CertificateRequest: call CertSetupCbWrapper only once
2026-03-16 17:02:02 +01:00
Daniel Pouzzner
49796a5159
configure.ac: don't include enable_ocsp_responder in enable-all if $enable_sha = no, remove enable_ocsp_responder from enable-all-crypto setup, and remove superseded fixup clause for ENABLED_OCSP_RESPONDER with ENABLED_SHA = no.
...
.wolfssl_known_macro_extras: remove unneeded WOLFSSL_PYTHON.
2026-03-16 10:20:48 -05:00
JacobBarthelmeh
7ad9c25a5b
Merge pull request #9978 from SparkiDev/xmss_sign_idx_fix
...
XMSS: Fix index copy for signing.
2026-03-16 09:20:38 -06:00
Anthony Hu
2939ab7f6a
Fixes SPHINCS else-if chain key detection
...
F-751
2026-03-16 11:20:19 -04:00
JacobBarthelmeh
93fc517dd1
add NO_RSA macro guard to test case
2026-03-16 08:58:15 -06:00
Anthony Hu
3b36db0c9d
Fixes Falcon else-if chain key detection
...
F-750
2026-03-16 10:55:28 -04:00
JacobBarthelmeh
f8dda213b0
Merge pull request #9972 from cconlon/getCiphersCompatFix
...
Fix wolfSSL_get_ciphers_compat() to return NULL for empty cipher list
2026-03-16 08:29:00 -06:00
Sean Parkinson
9590255ceb
XMSS: Fix index copy for signing.
...
The index is already big-endian encoded but it needs to be front padded
with zeros instead of back end padded.
2026-03-16 21:24:08 +10:00
JacobBarthelmeh
8f810c2705
clear q with integer.c and mp_div_3 in error case
2026-03-16 00:09:37 -06:00
JacobBarthelmeh
73e425923b
setting heap pointer based on if key is null
2026-03-16 00:08:04 -06:00
JacobBarthelmeh
9b96f49505
check return value of fwrite in test case
2026-03-16 00:07:09 -06:00
JacobBarthelmeh
681fb41fcb
Null check on SNI pointer before potential use
2026-03-16 00:06:38 -06:00
JacobBarthelmeh
eaa6db9462
account for --enable-all-crypto and --disable-sha build now having OCSP responder
2026-03-16 00:06:13 -06:00
Ruby Martin
2ca2781756
reallocate tmp buffer with space for null terminator
2026-03-13 17:28:00 -06:00
Ruby Martin
8b7b6754d9
macro guard with WOLFSSL_SMALL_STACK to prevent dead code
2026-03-13 17:03:02 -06:00
Ruby Martin
1ac4ba282b
remove early der free
2026-03-13 17:03:02 -06:00
Kareem
0b26791168
Code review feedback
2026-03-13 15:57:18 -07:00
Kareem
3cc15548bc
Code review feedback. Error out on len = 0 as well.
2026-03-13 15:57:18 -07:00
Kareem
0a082b08ca
Code review feedback
2026-03-13 15:57:18 -07:00
Kareem
42b321a7d3
Use safe sum of used size after calculating it. No reason to redo the additions. Fixes unused variable warning as well.
...
Fix different type addition in hash.c.
2026-03-13 15:57:18 -07:00
Kareem
d205fcac87
Fix potential overflows in two additional hash functions.
...
Thanks to Arjuna Arya for the report.
Fixes #9955 .
2026-03-13 15:57:18 -07:00
Kareem
091016a149
Ensure se050Ctx->used does not overflow in se050_hash_update.
...
Thanks to Arjuna Arya for the report.
Fixes #9951 .
2026-03-13 15:57:18 -07:00
JacobBarthelmeh
bbf3beef35
fix to free CRL reason extension
2026-03-13 16:17:52 -06:00
JacobBarthelmeh
a6195c30c1
Merge pull request #9947 from kareem-wolfssl/zd21325
...
Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.
2026-03-13 15:37:24 -06:00
JacobBarthelmeh
d36f7a2b99
fix to sanity check on importing raw session key info
2026-03-13 15:32:46 -06:00
Chris Conlon
428030a3e8
Fix wolfSSL_get_ciphers_compat to return NULL when no ciphers available
2026-03-13 15:07:25 -06:00
Tobias Frauenschläger
3b4e51c150
ML-KEM Wconversion fixes
...
* fix -Wconversion warnings
* allow APIs without RNG usage in case WC_NO_RNG is defined
2026-03-13 21:22:48 +01:00