Sean Parkinson
a20d5f7b9d
Merge pull request #9613 from philljj/fix_ecc_test_name
...
wolfcrypt test: fix ecc521 err msg.
2026-01-06 08:49:01 +10:00
jordan
842511b0ef
wolfcrypt test: fix ecc521 err msg.
2026-01-05 12:25:53 -06:00
Sameeh Jubran
d27c04bbca
linuxkm: handle RHEL9 disabled akcipher sign/decrypt ops
...
RHEL9 kernels (9.6+) disable RSA signing and decryption in the kernel
crypto API for security reasons (CVE-2023-6240). The kernel forcibly
overwrites akcipher sign/decrypt callbacks to return -ENOSYS, regardless
of what the driver provides.
Commit 3709c35c in the RHEL kernel:
"crypto: akcipher - Disable signing and decryption"
This affects our self-tests which call crypto_akcipher_sign() and
crypto_akcipher_decrypt(). On RHEL9, these operations return -ENOSYS
even though our driver correctly implements them.
Add compile-time checks for RHEL_RELEASE_CODE >= 9.6 to detect this
scenario and skip the affected self-tests gracefully. The tests pass
since the algorithms are registered correctly; the kernel simply
refuses to execute sign/decrypt operations as a matter of policy.
Note: encrypt and verify operations are unaffected and continue to be
tested normally.
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com >
2026-01-05 19:42:29 +02:00
Tobias Frauenschläger
116260762f
Fix for WOLFSSL_BLIND_PRIVATE_KEY and WOLFSSL_DUAL_ALG_CERTS
2026-01-05 17:26:11 +01:00
Tobias Frauenschläger
62764d08e4
Remove PQC-based buffer size increase for PreMasterSecret
...
The size of the PreMasterSecret buffer is based on the ENCRYPT_LEN
constant, which has been increased to 5kB for PQC support (Dilithium and
Falcon, as their signatures are that large).
However, only in the TLS 1.2 case, the PreMasterSecret buffer is used to
store signatures. In the TLS 1.3 path, only actual symmetric secrets are
stored in that buffer, which are much smaller in size (the "old" size of
the constant without the PQC increase).
As PQC is only allowed in TLS 1.3 and NOT in TLS 1.2, we can revert
that size increase, saving around 4,5kB of dynamic memory during the
handshake.
2026-01-05 15:58:53 +01:00
Tobias Frauenschläger
99bde324aa
Build systems improvements
...
* Add `WOLFSSL_USER_SETTINGS` to CMake `options.h.in`
* Add CMake support for Dilithium
* Add user_settings.h support for aes_asm.S
* Add PKCS#11 support to CMake
* Minor ARM assembly port fixes
2026-01-05 15:46:58 +01:00
Josh Holtrop
9007d12d2a
Rust wrapper: add wolfssl_wolfcrypt::chacha20_poly1305 module
2026-01-05 08:44:34 -05:00
Andrew Hutchings
4b606ebbeb
Fix trailing whitespace and flush-left
2026-01-05 13:39:43 +00:00
Andrew Hutchings
0c4ca257a0
Add Renode GH Action for STM32H753
...
This adds bare metal wolfCrypt test with hardware RNG and AES-GCM for
STM32H753 using Renode.
Renode does not support HASH HAL at this time.
2026-01-05 13:39:43 +00:00
Sean Parkinson
99692003d4
PPC32 ASM: alternative C code with registers prepended
...
C implementation with registers prepended with letter 'r'.
2026-01-05 21:12:10 +10:00
Marco Oliverio
7b9d3748cf
tls13: early_data: prevent earlyData reset on re-entry
...
Avoid resetting ssl->earlyData in wolfSSL_write_early_data when the
function is re-entered due to WC_PENDING_E, WANT_WRITE, or WANT_READ.
2026-01-05 10:40:34 +01:00
Marco Oliverio
29941d5645
(d)tls13: check if early data is possible in write_early_data
2026-01-05 10:35:02 +01:00
Marco Oliverio
d9bba72b8c
tls13: merge guarded code in a single section
2026-01-05 09:04:36 +01:00
David Garske
80c1228a38
Merge pull request #9594 from holtrop-wolfssl/rust-curve25519
...
Rust wrapper: add wolfssl_wolfcrypt::curve25519 module
2025-12-31 12:45:43 -08:00
Daniel Pouzzner
bbd3d4f55d
Merge pull request #9579 from dgarske/coding_standard_20251223
...
Add new coding standard for local (internal) function names
2025-12-31 11:55:58 -06:00
philljj
776512846f
Merge pull request #9598 from fabiankeil/unbreak-freebsd-build
...
tests: Unbreak the build on FreeBSD-based systems
2025-12-31 10:31:52 -06:00
Fabian Keil
21f35137a1
tests: Unbreak the build on FreeBSD-based systems
...
... by using the same additional includes as on Linux.
Fixes:
CC tests/api/unit_test-test_rsa.o
tests/api.c:19554:9: error: call to undeclared function 'waitpid'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration]
19554 | waitpid(pid, &waitstatus, 0);
| ^
Tested on ElectroBSD amd64 14.3-STABLE.
2025-12-31 14:48:06 +01:00
Daniel Pouzzner
cb78341886
Merge pull request #7586 from kareem-wolfssl/gh7197
...
Keep RNG seed file descriptor open until the RNG is freed.
2025-12-30 15:57:25 -06:00
philljj
5fa06818c0
Merge pull request #9595 from douzzer/20251229-linuxkm-rng-wolfentropy
...
20251229-linuxkm-rng-wolfentropy
2025-12-30 14:50:53 -06:00
Kareem
ddb2fb628e
Add a runtime option to enable or disable the secure renegotation check.
2025-12-30 13:19:04 -07:00
Kareem
1773a4ab41
Send no_renegotiation alert when rejecting renegotation attempt as defined in RFC 5246 section 7.2.2.
2025-12-30 13:18:48 -07:00
Daniel Pouzzner
0621615b15
wolfcrypt/src/random.c: remove WC_VERBOSE_RNG messaging from wc_RNG_TestSeed(), which is called by test code with expected failure, and move it to _InitRng() and PollAndReSeed(), where it's always expected to succeed.
2025-12-30 13:27:31 -06:00
Daniel Pouzzner
299ca1cfef
fixes from peer review: added comments for clarity, and remove errant condition added in _InitRng().
2025-12-30 12:13:15 -06:00
JacobBarthelmeh
7a2e1c1dd0
Merge pull request #9585 from dgarske/add-missing-api-docs
...
Add missing API documentation
2025-12-30 09:37:22 -07:00
Josh Holtrop
8c125df85e
Rust wrapper: ensure curve25519_key struct will have free called after init
2025-12-30 10:46:44 -05:00
Daniel Pouzzner
d504baaf3a
linuxkm/lkcapi_sha_glue.c and .wolfssl_known_macro_extras: fixes from check-source-text.
2025-12-29 20:55:36 -06:00
Daniel Pouzzner
450b0b46c6
wolfcrypt/src/random.c and wolfssl/wolfcrypt/settings.h: add WC_VERBOSE_RNG messages, and activate by default when WOLFSSL_KERNEL_MODE.
2025-12-29 20:55:36 -06:00
Daniel Pouzzner
fecc1cffe7
linuxkm/lkcapi_sha_glue.c: add retry loop around wc_InitRng(), and allow interrupt in preemptible threads, in wc_linuxkm_drbg_init_tfm().
2025-12-29 20:55:36 -06:00
Daniel Pouzzner
1844b8e3ac
linuxkm/Makefile: fix bash cleanup in recipe for libwolfssl.ko -- new trap for an event replaces previous trap rather than adding to it.
2025-12-29 20:55:36 -06:00
David Garske
d39b0e6f82
Fixes from peer review.
2025-12-29 17:30:23 -08:00
David Garske
0d44018627
Merge pull request #9593 from julek-wolfssl/copilot/changes-20251229
...
Add AGENTS.md to .gitignore
2025-12-29 17:22:39 -08:00
Anthony Hu
48ebe99372
Validate asn date based on position of Z ( #8603 )
2025-12-29 16:01:22 -06:00
Josh Holtrop
e971cb6942
Rust wrapper: avoid warning when neither blake2b nor blake2s is enabled
2025-12-29 14:33:25 -05:00
Josh Holtrop
0a834bed7a
Rust wrapper: add wolfssl_wolfcrypt::curve25519 module
2025-12-29 14:33:25 -05:00
Juliusz Sosinowicz
730b0d3e38
Add AGENTS.md to .gitignore
2025-12-29 19:01:50 +01:00
David Garske
5dee8ddfcb
Merge pull request #9586 from holtrop-wolfssl/rust-blake2
...
Rust wrapper: add wolfssl_wolfcrypt::blake2 module
2025-12-29 09:55:58 -08:00
Ruby Martin
39056bb262
move null check to prevent dereference before null check issue
...
add new scope, whitespace
2025-12-29 10:55:13 -07:00
David Garske
ea8af7ae71
Merge pull request #9592 from julek-wolfssl/fix/coverity-tls-frag
...
Fix Coverity (D)TLS fragmentation size checks
2025-12-29 09:54:32 -08:00
David Garske
17e992ab3f
Merge pull request #9589 from douzzer/20251226-fixes
...
20251226-fixes
2025-12-29 09:20:16 -08:00
David Garske
8bcac03086
Fix duplicated wc_rng_free and wc_rng_new
2025-12-29 08:52:17 -08:00
David Garske
5b5686c53c
Peer review improvements.
2025-12-29 08:37:51 -08:00
Juliusz Sosinowicz
f2d24404c8
Fix Coverity (D)TLS fragmentation size checks
...
Add MAX_RECORD_SIZE-based bounds checks in SendHandshakeMsg and Dtls13SendFragmentedInternal to prevent negative/overflowed fragment sizes from reaching memcpy/BuildMessage/DtlsMsgPoolSave.
2025-12-29 17:16:04 +01:00
jordan
b33a8568c3
bsdkm: small cleanup.
2025-12-28 10:32:18 -06:00
jordan
e4996c317e
bsdkm: fips support.
2025-12-28 10:16:53 -06:00
Daniel Pouzzner
7bbd28d369
wolfcrypt/src/aes.c: fix clang-diagnostic-unreachable-code in AesSetKey_C().
2025-12-26 18:13:44 -06:00
Daniel Pouzzner
283792c207
linuxkm/lkcapi_sha_glue.c: in wc_linuxkm_drbg_startup(), deinstall the callbacks and stdrng first before checking refcnt.
2025-12-26 16:41:43 -06:00
Kareem
7d04a53a6c
Update X509_get_default_cert_* stubs to return empty strings.
...
According to the documentation, these functions must return static strings, so NULL was not valid.
Fixes #6474 .
2025-12-26 15:26:05 -07:00
Kareem
6145f3aba2
Fix incorrect alert being sent when wolfSSL receives unexpected PSK extension.
...
Fixes #9503 .
2025-12-26 15:24:14 -07:00
Kareem
a7b83b06c1
Alert on out of order message with unexpected_message.
...
Fixes #9531 .
2025-12-26 15:23:23 -07:00
Daniel Pouzzner
3b3ddd1fb4
wolfcrypt/src/random.c: in wc_GenerateSeed(), move the gate closures for !FORCE_FAILURE_RDSEED and !ENTROPY_MEMUSE_FORCE_FAILURE to follow the /dev/urandom fallback method.
2025-12-26 14:16:11 -06:00