Daniel Pouzzner
d218d3fbdd
wolfcrypt/src/ge_operations.c and wolfssl/wolfcrypt/ge_operations.h: when ge_tobytes_nct and ge_tobytes have identical definitions, map the former to the latter using a macro and omit the latter definition, to avoid problematic R_ARM_THM_JUMP11 tail call.
2026-04-28 12:58:32 -05:00
Daniel Pouzzner
0bfa206b74
configure.ac: for FIPS v6 setup, explicitly set WOLFSSL_NOSHA512_224 and WOLFSSL_NOSHA512_256;
...
wolfssl/wolfcrypt/hash.h: when WOLFSSL_NOSHA512_{224,256}, gate out prototypes for wc_Sha512_{224,256}Hash[_ex](), to shift build failures from link-time to compile-time.
2026-04-25 12:21:26 -05:00
Daniel Pouzzner
72a39bfa57
wolfssl/wolfcrypt/random.h: fix "comma at end of enumerator list [-Werror=pedantic]" in enum wc_DrbgType.
2026-04-25 11:47:25 -05:00
David Garske
426dc7bb76
Merge pull request #10236 from Roy-Carter/feature/enhance_conf_and_max_size
...
Enhance extra user data value and external cookie length max size
2026-04-24 14:42:44 -07:00
JacobBarthelmeh
734a71180c
Merge pull request #10220 from embhorn/zd21596
...
Fix TLS ext bounds checking
2026-04-24 15:10:05 -06:00
JacobBarthelmeh
0c9a496215
Merge pull request #10162 from embhorn/gh9753
...
Use O_CLOEXEC to avoid race conditions
2026-04-24 14:28:00 -06:00
JacobBarthelmeh
b9514e70be
Merge pull request #10148 from julek-wolfssl/openvpn-master-bn2binpad
...
Add BN_bn2binpad API and enable OpenVPN master CI testing
2026-04-24 13:54:06 -06:00
JacobBarthelmeh
cf2db428ba
Merge pull request #9843 from kaleb-himes/PQ-FS-2026-Part2
...
Phase 2: PQ in boundary and SHA512 DRBG
2026-04-24 10:55:36 -06:00
Daniel Pouzzner
134f63a38c
Merge pull request #10280 from philljj/no_stddef_h_guard
...
wc_port: guard stddef header include.
2026-04-24 11:33:55 -05:00
kaleb-himes
08fd7bde58
PQ FIPS v7.0.0 Phase 2 & 3: All changes
...
Implement peer review feedback
2026-04-24 06:52:49 -06:00
Eric Blankenhorn
412c428b0a
Fix TLS ext bounds checking
2026-04-24 07:23:07 -05:00
Sean Parkinson
936f8e5423
Merge pull request #10203 from Frauschi/pkcs7_fixes
...
PKCS#7 fixes
2026-04-24 10:13:43 +10:00
JacobBarthelmeh
6a0303e299
Merge pull request #10066 from dgarske/wc_puf
...
wolfCrypt SRAM PUF Support
2026-04-23 14:28:37 -06:00
Tobias Frauenschläger
97b82b5087
Add nonce length validation for PKCS#7
2026-04-23 11:03:19 +02:00
JacobBarthelmeh
b5738236d9
Merge pull request #10187 from embhorn/zd21587
...
Fixes in TLS ECH, handle empty records, and ASN len check
2026-04-22 14:44:15 -06:00
JacobBarthelmeh
bc4bec63fc
Merge pull request #10094 from sebastian-carpenter/GH-10068
...
Fixes: for GH #10068
2026-04-22 14:24:25 -06:00
jordan
6aa3cd653e
wc_port: guard stddef header include.
2026-04-22 15:16:19 -05:00
David Garske
e05ce26fc9
wolfCrypt SRAM PUF Support
...
Add SRAM PUF (Physically Unclonable Function) support to wolfCrypt. Derives device-unique cryptographic keys from the power-on state of SRAM memory using a BCH(127,64,t=10) fuzzy extractor with HKDF key derivation.
- **wolfCrypt PUF API** (`wolfcrypt/src/puf.c`, `wolfssl/wolfcrypt/puf.h`)
- `wc_PufInit`, `wc_PufReadSram`, `wc_PufEnroll`, `wc_PufReconstruct`
- `wc_PufDeriveKey` (HKDF-SHA256), `wc_PufGetIdentity` (SHA-256 device fingerprint)
- `wc_PufZeroize` (secure context cleanup)
- `wc_PufSetTestData` (synthetic SRAM for testing without hardware)
- **BCH(127,64,t=10) error-correcting codec** - corrects up to 10 bit flips per 127-bit codeword across 16 codewords
- **`WC_PUF_SHA3` build option** - select SHA3-256 instead of SHA-256 for identity hash and HKDF (default: SHA-256)
- **Precomputed GF(2^7) tables** - `const` arrays in `.rodata` (no runtime init, thread-safe, flash-resident on embedded)
- `./configure --enable-puf` (auto-enables HKDF dependency)
- CMake: `WOLFSSL_PUF=yes`
- `WOLFSSL_USER_SETTINGS`: define `WOLFSSL_PUF` and `WOLFSSL_PUF_SRAM`
- See wolfssl-examples/puf for example implementation on STM32 NUCLEO-H563ZI (Cortex-M33, STM32H563ZI)
- Supports test mode (synthetic SRAM)
- Builds to ~13KB `.elf`
- Tested on NUCLEO-H563ZI: enrollment, noisy reconstruction, key derivation all pass
- `.github/workflows/puf.yml`: host build + test workflow for PUF feature
- Doxygen API docs for all 8 public functions
- PUF group added to `doxygen_groups.h`
2026-04-22 11:39:39 -07:00
JacobBarthelmeh
98cd7fe404
Merge pull request #10265 from ejohnstown/qnx-fix
...
Tasking Warning
2026-04-21 16:18:38 -06:00
Eric Blankenhorn
2dc007678d
Fix latent test issue found with the PR
2026-04-20 19:06:40 -05:00
Tobias Frauenschläger
847f3d6bab
Make sure large buffers are on the heap with SMALL_STACK
2026-04-19 20:38:41 +02:00
Roy Carter
16fd8d4910
FIx: trailing white spaces fails the job
2026-04-18 11:15:05 +03:00
Roy Carter
8342738f02
Fix: PR notes fixes
2026-04-17 22:24:48 +03:00
John Safranek
6f89331377
Tasking Warning
...
Tasking compiler does not support #warning and needs the #pragma message
case where available. This will fix the wolfSSH QNX nightly from
failing.
2026-04-17 09:52:00 -07:00
Eric Blankenhorn
e26ab427a5
Use O_CLOEXEC to avoid race conditions
2026-04-17 11:14:31 -05:00
Roy Carter
46de2b3cfd
Fix: move define to be before the define check for TLS & PSK
2026-04-17 18:40:33 +03:00
Tobias Frauenschläger
0de3925207
Add RFC8773bis cert_with_extern_psk support
...
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.
Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
2026-04-17 15:12:04 +02:00
roy
a8ca71be95
Fix: Julek PR notes
2026-04-17 15:14:26 +03:00
Sean Parkinson
755a90b3f3
Merge pull request #10218 from julek-wolfssl/zd/21535
...
Fix bugs found in crl.c, keys.c, and ssl_certman.c review
2026-04-17 10:46:48 +10:00
Brett Nicholas
4bf334c299
Merge pull request #10009 from night1rider/SHE-update
...
Add SHE (Secure Hardware Extension) support to wolfCrypt
2026-04-16 16:49:00 -06:00
Daniel Pouzzner
801c412ad2
src/tls.c, wolfssl/ssl.h, tests/api.c: followup to ff7a32d022 ( #10182 ):
...
* Fix OOB heap reads via TLSX_ExtractEch() by preemptively rejecting oversized
SNI names in TLSX_UseSNI().
* In TLSX_EchChangeSNI(), don't attempt to truncate if an oversized name is
seen, just return error.
* Move definition of WOLFSSL_HOST_NAME_MAX to an ungated context in ssl.h, and
use it consistently in tls.c, eliminating the duplicative
WOLFSSL_HOST_NAME_MAX.
2026-04-16 11:12:02 -05:00
Roy Carter
31111287d4
Cosmetic - fixed mispell
2026-04-16 15:04:34 +03:00
Roy Carter
ca018078f8
Cosmetic - fix documentation
2026-04-16 14:20:37 +03:00
Roy Carter
564248891e
Refactor - Change note to support maximum of 255 (based on RFC) for that we define maximum copy of <=254 to avoid buffer overflow attempts upon exactly 255..
2026-04-16 13:24:11 +03:00
Roy Carter
e64305f9ff
Refactor - when crafting a DTLS packet max external cookie length (for hijacking) can be more than 32 in size based on RFC6347
2026-04-16 13:03:08 +03:00
Daniel Pouzzner
0f0dab0105
wolfcrypt/src/logging.c and wolfssl/wolfcrypt/logging.h: add wc_backtrace_set_fp().
2026-04-15 21:28:43 -05:00
night1rider
64a1ac8dd2
wc_SHE_ImportM1M2M3: fix guard from || to && so it gates on WOLF_CRYPTO_CB
2026-04-15 18:03:39 -06:00
Sean Parkinson
3c2a92d21d
Merge pull request #10225 from kareem-wolfssl/zd21544
...
Fix uninitialized before use warning. Fix unsupported #warning directive by Tasking compiler.
2026-04-16 08:55:49 +10:00
Sean Parkinson
0c93bf9e7c
Merge pull request #10229 from mattia-moffa/20260415-zd21621
...
Fix regressions (fast math MAX_ENCODED_SIG_SZ; DTLS export IV buffer size)
2026-04-16 08:33:23 +10:00
Sean Parkinson
1fab25301f
Merge pull request #10221 from julek-wolfssl/gh/10197
...
TLS 1.3: evict session from cache after accepted 0-RTT resumption
2026-04-16 08:16:31 +10:00
David Garske
26a7d594e3
Merge pull request #10232 from douzzer/20260415-confusing_globals
...
20260415-confusing_globals
2026-04-15 15:02:40 -07:00
David Garske
48a0347581
Merge pull request #10180 from Frauschi/dilithium-alloc-key
...
Add dynamic key allocation support for Dilithium
2026-04-15 10:36:14 -07:00
Daniel Pouzzner
4ac3c89cd7
wolfssl/ssl.h: add backward compat mappings for wolfSSL*PrivateKey_id().
2026-04-15 12:29:35 -05:00
night1rider
1078e797f8
Fix CMake SHE deps, const-correctness in CryptoCb uid, stale comment, XSTRLEN double call, configure.ac AES-CBC guard, and add LoadKey/LoadKey_Verify test coverage
2026-04-15 11:28:03 -06:00
night1rider
994b0cdedd
Add one-shot SHE LoadKey and LoadKey Verify convenience APIs: wc_SHE_LoadKey, wc_SHE_LoadKey_Id, wc_SHE_LoadKey_Label and their verify counterparts
2026-04-15 11:28:03 -06:00
night1rider
f8956abcc1
update she union for callback to be getUid not setUid
2026-04-15 11:28:03 -06:00
night1rider
f081a08c5c
Address comments from bigbrett and Fenrir bot. Rename she.{c,h} to wc_she.{c,h}, fix naming consistency, auto-enable CMAC/AES dependencies, add WC_SHE_SW_DEFAULT opt-inAddress PR #10009 review comments from bigbrett and Fenrir
2026-04-15 11:28:03 -06:00
night1rider
802c34018c
Add more in depth comments in header file for she.h
2026-04-15 11:28:03 -06:00
night1rider
ee7fe9e1b1
SHE API: remove key storage from context, add direct output params
2026-04-15 11:28:03 -06:00
night1rider
eeedc470e9
Add SHE (Secure Hardware Extension) support to wolfCrypt
2026-04-15 11:27:44 -06:00