Commit Graph

30680 Commits

Author SHA1 Message Date
Tobias Frauenschläger bc3288204e PKCS#7: add ML-DSA (FIPS 204) SignedData support
Add ML-DSA signing and verification for CMS/PKCS#7 SignedData, following
RFC 9882. ML-DSA is used in CMS "pure" mode: the signature is computed
over the complete message (the DER SET OF signed attributes, or the
eContent when none are present) with an empty context string and absent
signatureAlgorithm parameters, rather than over a pre-computed DigestInfo
as with RSA/ECDSA.

wolfcrypt/src/pkcs7.c:
- New ML-DSA helpers: wc_PKCS7_MlDsaLevelFromOID, wc_PKCS7_BuildPureSigMessage,
  wc_PKCS7_MlDsaSign and wc_PKCS7_MlDsaVerify, wired into the per-algorithm
  switch sites (GetSignSize, SignedDataGetEncAlgoId, SetPublicKeyOID,
  CheckPublicKeyDer) and the sign/verify dispatchers. Only the final FIPS 204
  ML-DSA OIDs are accepted; pre-standard draft Dilithium OIDs are not.
- GetSignSize derives the ML-DSA signature length from the parameter set.
- InitWithCert copies the signer public key into the RSA-sized publicKey buffer
  only for RSA/ECC certs (the raw-sign callback consumers); large PQC keys such
  as ML-DSA would overflow it and are never read back, so publicKeySz stays 0.
- wc_MlDsaKey is always heap allocated (it embeds multi-KB key buffers); the
  accompanying DecodedCert uses the WC_DECLARE_VAR/WC_ALLOC_VAR_EX macros for
  stack-vs-heap handling under WOLFSSL_SMALL_STACK.
- wc_PKCS7_SignedDataBuildSignature skips building the DigestInfo for ML-DSA,
  which signs the full message in pure mode and never consumes it.
- wc_PKCS7_MlDsaSign wraps the ML-DSA private-key decode in
  PRIVATE_KEY_UNLOCK/PRIVATE_KEY_LOCK. Unlike RSA/ECC, the FIPS module gates
  wc_MlDsaKey_PrivateKeyDecode behind the private-key read lock, so signing
  would otherwise fail with FIPS_PRIVATE_KEY_LOCKED_E under --enable-fips. The
  macros are no-ops in non-FIPS builds.

wolfssl/wolfcrypt/pkcs7.h:
- Document that the fixed-size signer public key buffer (publicKey/publicKeySz)
  holds only RSA/ECC keys; it stays RSA-sized.

wolfcrypt/src/hash.c:
- Map the SHAKE128/SHAKE256 OIDs to their hash types in wc_OidGetHash().

certs/mldsa:
- Add expanded-only PKCS#8 DER private keys (mldsa44/65/87-key.der) matching
  the self-signed ML-DSA certificates, with README and include.am updates.
  The expanded-only shape (no seed) decodes via wc_MlDsaKey_ImportPrivRaw
  without keygen-from-seed or the ASN template, so pkcs7signed_mldsa_test also
  passes in WOLFSSL_MLDSA_NO_MAKE_KEY and non-WOLFSSL_ASN_TEMPLATE builds.

certs/renewcerts.sh:
- Generate the mldsa<N>-key.der files from the matching mldsa<N>-key.pem in the
  expanded-only shape (openssl pkey -provparam ml-dsa.output_formats=priv), so
  a regeneration keeps the DER key in step with the cert. The OpenSSL detection
  probe now requires both ML-DSA keygen and that conversion across all three
  levels, so the block runs fully (matched cert+key) or is skipped entirely
  rather than aborting mid-way.

wolfcrypt/test/test.c:
- Add pkcs7signed_mldsa_test(): round-trip encode/verify of SignedData across
  ML-DSA-44/65/87, with and without signed attributes, including a check that
  the digest algorithm parameters are encoded as expected. The message-digest
  OID is selected from the enabled hash set (SHA-512, else SHA-256, else SHA-1)
  so the test builds when SHA-512 is disabled. A negative case confirms ML-DSA
  rejects a caller-supplied pre-computed content hash with BAD_FUNC_ARG.
2026-07-09 18:09:03 +02:00
David Garske 9e72e8d718 Merge pull request #10853 from night1rider/cross-library-testing
Add cross-library compile-testing for wolfSSL products
2026-07-09 09:08:35 -07:00
David Garske f430d5b472 Merge pull request #10251 from MarkAtwood/fix/aes-eax-empty-plaintext
fix: AES-EAX allow empty plaintext
2026-07-09 08:24:55 -07:00
Daniel Pouzzner 5caa3565b8 Merge pull request #10858 from anhu/89compl
C89 compliance items
2026-07-09 10:14:16 -05:00
David Garske a03cd09dc0 Merge pull request #10868 from SparkiDev/tsp_staticmem_fix
Time-Stamping Protocol testing: fix CI loop static-memory
2026-07-08 20:26:39 -07:00
Sean Parkinson b3a9c18839 Time-Stamping Protocol testing: fix CI loop static-memory
Static-memory CI loop failed as tests were using too much memory.
Tests changed.
Name of loop change to tsp-staticmemory to make more sense.
2026-07-09 09:59:01 +10:00
Anthony Hu d52ff68832 bit of back and forth 2026-07-08 19:50:38 -04:00
Zackery Backman e2f1c54ab4 Add workflows to check other wolfSSL products still build
For each product (wolfSSH, wolfCLU, wolfTPM, wolfMQTT, wolfPKCS11, wolfProvider) this builds wolfSSL and then builds the product against it, at both the product's latest release tag and its master branch. It only checks that they compile, it does not run any tests. If a wolfSSL change breaks a product's latest release on purpose, you say so in a commit message with breaks-<product>=<tag>. A break on a product's master is not allowed and has to be fixed.

breaks-wolfssh=v1.5.0-stable

Note: wolfSSH v1.5.0-stable does not currently compile against wolfSSL. This commit did not break it, it adds the cross-library check that discovered the break. The token above declares it so the new check tracks it as a known break instead of failing red, until wolfSSH ships a fixed release.
2026-07-08 16:39:00 -06:00
David Garske a4aab71ffe Merge pull request #10861 from padelsbach/asn-integer-overflow-copy
Fix possible memcpy length overflow in wolfSSL_d2i_ASN1_INTEGER
2026-07-08 15:20:05 -07:00
Daniel Pouzzner a5dbbf80f5 Merge pull request #10864 from danielinux/riscv-port-null-checks
Riscv port bug fixes
2026-07-08 17:06:56 -05:00
David Garske 95f337ada4 Merge pull request #10831 from padelsbach/ci-json-dry
CI: unify repeated flags using existing python script
2026-07-08 14:00:05 -07:00
David Garske fdfba83c38 Merge pull request #10788 from aidangarske/fenrir-tls-batch-2026-06
Various hardening fixes across sniffer, QUIC, PKCS#11, TLS and tooling
2026-07-08 13:58:14 -07:00
David Garske 1e6f266e47 Merge pull request #10760 from Frauschi/pkcs7-server-encode
PKCS#7 improvements
2026-07-08 13:55:52 -07:00
Anthony Hu 93722d0aab whitespace 2026-07-08 15:51:19 -04:00
Anthony Hu 8ef5536cae Created the new macro W64LIT_FORCE_LONG_LONG 2026-07-08 15:48:52 -04:00
Anthony Hu 230278bcd8 Add WOLF_ENUM_DUMMY_LAST_ELEMENT to WOLF_STACK_TYPE 2026-07-08 15:26:25 -04:00
HAJA MOHIDEEN M c2b9cc55fb Merge pull request #10408 from hmohide/master
Add UDP support to NetX sockets for DTLS sessions
2026-07-08 12:24:31 -07:00
David Garske b4d51dbbda Merge pull request #10607 from julek-wolfssl/evp-pkey-encoded-public-key
Add EVP_PKEY encoded public key get/set compatibility functions
2026-07-08 12:20:33 -07:00
David Garske 4d3d2318f6 Merge pull request #10628 from yosuke-wolfssl/fix/f_4226
Reject CR/LF in OCSP/CRL URLs to block HTTP injection
2026-07-08 11:54:00 -07:00
David Garske 922e126423 Merge pull request #10693 from padelsbach/crl-use-after-free
Fix use-after-free possibility in GetCRLInfo
2026-07-08 11:37:41 -07:00
David Garske 9395547299 Merge pull request #10716 from padelsbach/crl-reentrancy-uaf
Address possible UAF in BufferLoadCRL
2026-07-08 11:35:29 -07:00
Anthony Hu 80d4c28c39 WC_FLEXIBLE_ARRAY_MEMBER to WC_FLEXIBLE_ARRAY_SIZE 2026-07-08 14:07:44 -04:00
David Garske b29e3a1a11 Merge pull request #10863 from holtrop-wolfssl/zd22109
Fix use-after-free in some TLS shutdown/ReceiveData sequences
2026-07-08 10:54:52 -07:00
David Garske 76491e6b60 Merge pull request #10661 from yosuke-wolfssl/fix/f_5808
Enable SCSV check unconditionally
2026-07-08 10:52:59 -07:00
David Garske 6b1bf6b81b Merge pull request #10551 from julek-wolfssl/dtls-perf-benchmark
Add DTLS throughput benchmark tool and optimize send path
2026-07-08 10:31:11 -07:00
David Garske 16a2681ca4 Merge pull request #10604 from AlexLanzano/cryptocb-getdevice
Expose wc_CryptoCb_GetDevice and add CryptoCb API test coverage
2026-07-08 10:30:59 -07:00
David Garske a6ee818b27 Merge pull request #10781 from julek-wolfssl/parallel-make-check-status-emoji
.github/scripts/parallel-make-check.py: emit literal status emoji, not :shortcodes:
2026-07-08 10:25:29 -07:00
David Garske 67ca317097 Merge pull request #10737 from kareem-wolfssl/zd21998
X509 validation fixes
2026-07-08 09:48:26 -07:00
JacobBarthelmeh 7c085837ae Merge pull request #10772 from dgarske/qat_review
Intel QuickAssist: multi-device utilization + software-fallback / Cavium fixes
2026-07-08 10:39:24 -06:00
Daniele Lacamera fc1bb6395d riscv: return KEYUSAGE_E for AES use without a key schedule
The generic wc_AesEncrypt/wc_AesDecrypt (aes.c) reject an AES object
whose key schedule was never set (rounds outside 1..7 after halving)
with KEYUSAGE_E, and every mode inherits that through their int return.
The RISC-V port's block helpers are void, so nothing reported unkeyed
use: wc_AesEncryptDirect and wc_AesCcmEncrypt/Decrypt silently
processed with a garbage schedule, and wc_AesCtrEncrypt classified it
as BAD_FUNC_ARG instead of KEYUSAGE_E.

Align the port with the generic error contract:
* wc_AesEncryptDirect / wc_AesDecryptDirect: add the generic rounds
  check (also fixes wc_CmacUpdate error reporting, which goes through
  wc_AesEncryptDirect on this port)
* wc_AesCcmEncrypt / wc_AesCcmDecrypt: same check after the argument
  sanity block
* wc_AesCtrEncrypt (both variants): the existing rounds switch now
  returns KEYUSAGE_E instead of BAD_FUNC_ARG

Found by the ISO 26262 MC/DC campaign argument-matrix tests
(test_wc_AesSetKeyArgMcdc, test_wc_AesModesArgMcdc, test_wc_AesCcmArgMcdc,
test_wc_CmacArgMcdc) under qemu-riscv64.
2026-07-08 18:29:52 +02:00
David Garske 59e942b07a Merge pull request #10844 from SparkiDev/windows_arm64_1
ARM64 Windows: Add assembly
2026-07-08 09:28:41 -07:00
David Garske 0d02f2fe2f Merge pull request #10816 from kojiws/fix_mem_cast_on_mldsa
Fix unaligned memory access in ML-DSA
2026-07-08 09:28:28 -07:00
David Garske 60085b0e48 Merge pull request #10837 from rlm2002/zd-NameConstraints
DNS name constraint fix
2026-07-08 09:21:52 -07:00
Tobias Frauenschläger 673d8d00bb Merge pull request #10778 from SparkiDev/time_stamp_protocol
Time-Stamp Protocol (RFC 3161)
2026-07-08 17:43:38 +02:00
David Garske b19f00a736 Merge pull request #10807 from SparkiDev/aes_gcm_siv_asm
AES-GCM-SIV: Add implementation in C and assembly
2026-07-08 08:30:02 -07:00
David Garske a8d223b308 Merge pull request #10834 from SparkiDev/cmake_update_1
cmake: add more build options in line with automake
2026-07-08 08:29:11 -07:00
David Garske 7f441a687a Merge pull request #10748 from night1rider/AES-Callbacks
AES callbacks for CFB and OFB
2026-07-08 08:25:23 -07:00
Daniele Lacamera 7b72cf6acf riscv: add missing argument checks in AES port
Align the RISC-V AES port's argument validation with the generic aes.c
implementations (and with the port's own vector/scalar-crypto siblings):

* wc_AesSetKey (base assembly variant, i.e. neither
  WOLFSSL_RISCV_VECTOR_CRYPTO_ASM nor WOLFSSL_RISCV_SCALAR_CRYPTO_ASM):
  reject key == NULL. The vector and scalar-crypto variants of the same
  function already check it; the base variant passed NULL through to the
  key expansion and wc_AesGcmSetKey then dereferenced the uninitialized
  schedule, crashing on e.g. wc_AesGcmSetKey(aes, NULL, 16).

* wc_AesCcmEncrypt / wc_AesCcmDecrypt: reject authIn == NULL when
  authInSz > 0, as the generic implementation does. The port otherwise
  walks the NULL authIn buffer while computing the CBC-MAC.

Found by the ISO 26262 per-module MC/DC campaign's argument-matrix tests
(test_wc_AesGcmSetKey, test_wc_AesCcmArgMcdc) running the RISC-V port
under qemu-riscv64: upstream CI only exercises this port with the KAT
suite, which never passes invalid arguments.
2026-07-08 16:37:08 +02:00
Josh Holtrop 07d41740de Fix use-after-free in some TLS shutdown/ReceiveData sequences 2026-07-08 08:14:39 -04:00
Tobias Frauenschläger 366000eec2 PKCS#7: support degenerate certs-only encode and harden signed-attribute handling
Server-side PKCS#7 encode improvements that let downstream EST/SCEP enrollment
code (wolfCert) drive the existing encoder through the public API rather than
hand-rolling DER. Everything is gated under the existing HAVE_PKCS7 — no new
build options and no new public functions; the convenience wrappers live
caller-side.

Allow degenerate (certs-only) SignedData encode
  Relax the hashOID != 0 requirement in PKCS7_EncodeSigned() when
  sidType == DEGENERATE_SID, so a caller can produce a certs-only bundle (no
  signer, attributes, or eContent — the form used by EST /cacerts and SCEP
  GetCACert) by selecting DEGENERATE_SID via wc_PKCS7_SetSignerIdentifierType()
  and calling wc_PKCS7_EncodeSignedData(). The output round-trips through
  wc_PKCS7_VerifySignedData().

Size the signed-attribute array to the actual count
  The SignerInfo attribute working array is now sized to the real attribute
  count instead of a fixed [7] array. An inline buffer (sized
  MAX_SIGNED_ATTRIBS_SZ, the historical footprint) covers the common
  allocation-free case; a heap buffer is used only when the count exceeds it.
  The default-attribute count comes from a single helper
  (wc_PKCS7_GetDefaultSignedAttribCount) so the sizing matches the emission
  logic exactly, and the canned-attribute write is bound-checked against the
  array capacity. This also fixes a latent overflow where the backing array was
  hardcoded [7] while the bound check used MAX_SIGNED_ATTRIBS_SZ. The macro is
  retained for source compatibility but no longer caps the count.

Document the decoded-attribute value shape
  Documented the stable shape of PKCS7DecodedAttrib.value (the contents of the
  SET OF AttributeValue, outer SET tag stripped) so callers can rely on it. No
  behavior change.

Fix multi-certificate decode in non-streaming builds
  Bound the additional-certificate loop in wc_PKCS7_VerifySignedData against the
  absolute end of the certificate set (idx + length) rather than the relative
  length. In NO_PKCS7_STREAM builds the old bound dropped trailing certificates
  (all but the first when a large eContent preceded the set), failing
  verification when the signer cert was among those dropped. Streaming builds
  were unaffected.

Tests
  Added coverage in pkcs7signed_test: degenerate certs-only encode via the
  public API, nine-attribute encode (beyond the inline capacity), decoded
  attribute value shape for PrintableString and OCTET STRING, and a
  multi-certificate decode regression with large content that triggers the
  bound bug under NO_PKCS7_STREAM. Added a signed-attribute selection
  round-trip covering a messageDigest-only subset and the no-attributes case
  via wc_PKCS7_SetDefaultSignedAttribs/wc_PKCS7_NoDefaultSignedAttribs, a
  WOLFSSL_NO_MALLOC over-capacity case that must return BUFFER_E instead of
  overrunning the inline buffer, and a malformed certificate-set length that
  exercises the certSetEnd clamp in the verifier. Config-sensitive cases are
  guarded.
2026-07-08 12:33:38 +02:00
Tobias Frauenschläger dcc2b23b1a Merge pull request #10852 from stenslae/fix-mldsa-privkeydecode-no-asn1
Fix ML-DSA level auto-detection in WOLFSSL_MLDSA_NO_ASN1 builds
2026-07-08 10:03:34 +02:00
Tobias Frauenschläger 3b07f7df34 Merge pull request #10855 from philljj/misc_fixes
wolfcrypt: fix several redefinition of typedef errors.
2026-07-08 09:56:45 +02:00
David Garske 3cc69f0fae Merge pull request #10839 from kojiws/fix_arm64_macro_name
ML-DSA: Fix misspelled `__arch64__` macro to `__aarch64__`
2026-07-07 21:55:46 -07:00
Paul Adelsbach f842e33145 Fix possible memcpy length overflow in wolfSSL_d2i_ASN1_INTEGER 2026-07-07 17:41:49 -07:00
David Garske e0a8f3f475 Merge pull request #10706 from JacobBarthelmeh/dev
defense in depth hardening for x509 extension create by OBJ and EVP decode update
2026-07-07 16:41:15 -07:00
Sean Parkinson ae023a5643 Time-Stamp Protocol (RFC 3161)
Implementation in wolfCrypt
OpenSSL compatibility layer in wolfSSL
Added tests, certificates, examples.
2026-07-08 09:33:47 +10:00
David Garske a296ac07fc Merge pull request #10842 from miyazakh/f6162_tsiphash
[Renesas RX72N] RX72N TSIP fixes and command-line build/flash/UART tooling
2026-07-07 16:17:30 -07:00
Sean Parkinson 7a1513468d cmake: add more build options in line with automake
Updates
  - ~100 individual options added (ciphers, TLS features, debug/test, caches,
  kernel-module, key-size numerics, asm) + fixed WOLFSSL_32BIT's missing define.
  - 37 app-integration bundles (openssh, nginx, haproxy, openvpn, wpas,
  apachehttpd, jni, wolfclu, wolfsentry, ...) - each force-enables its
  sub-options and emits its defines; all build clean and match ./configure
  --enable-X exactly (miss=0/extra=0).
  - Each option wired in 3 places: add_option + define in CMakeLists.txt,
  #cmakedefine in options.h.in, source selection where needed. Verified by real
  libwolfssl.so builds.
2026-07-08 09:11:14 +10:00
philljj 2f2ffbac04 Merge pull request #10856 from douzzer/20260702-linuxkm-various
20260702-linuxkm-various
2026-07-07 17:44:50 -05:00
David Garske 6d38bc12e8 Merge pull request #10854 from rlm2002/gi10846-7
IDE resource handling and error-path improvements
2026-07-07 15:13:28 -07:00