scripts/pem.test:
* add setup for WOLFSSL_NO_DER_TO_PEM,
* exit early with skip code if executable dependencies are missing or WOLFSSL_NO_PEM or NO_CODING, and
* add clean skip clauses to convert_to_pem(), compare_pem(), and pem_der_exp(), if WOLFSSL_NO_DER_TO_PEM.
Two follow-ups raised by Copilot review on PR #10247:
src/pk_rsa.c: Make derAllocSz a word32 instead of int and only assign
it after a successful XMALLOC, so the cleanup path can never call
ForceZero with a wrapped-around size derived from a negative derSz.
src/pk.c: Capture allocSz at the XMALLOC call site (and clear it back
to 0 on allocation failure) so the relationship between the buffer
allocation and the recorded size is explicit and cannot drift if the
surrounding control flow changes.
F-2148
The prior fix zeroed the computed DER staging area, but PEM output from
wc_DerToPemEx fills most of the buffer and overlaps that region,
corrupting the valid PEM. Preserve the allocation size and zero only
the bytes beyond the actual PEM length, or the whole buffer on failure.
F-2148
pem_write_mem_pkcs8privatekey stages the PKCS#8 DER encoded private key
at the tail of the PEM buffer, then writes the shorter PEM output at
the head of the same buffer. The DER tail is not overwritten, leaking
the plaintext private key to heap memory after the callers free. Zero
the DER staging area before returning.
F-2147
The error path in wolfSSL_i2d_ECPrivateKey could free an EC private key
DER staging buffer that may contain a partial private scalar. Zeroize
before XFREE.
F-2146
wolfSSL_d2i_RSAPrivateKey_bio read PKCS#1-encoded RSA private key DER
from a BIO into a heap buffer and freed it without ForceZero. Zeroize
before XFREE on both success and error paths.
F-2145
wolfSSL_CTX_use_RSAPrivateKey staged the RSA private key DER (PKCS#1:
n, e, d, p, q, dP, dQ, qInv) in a heap buffer and freed it without
ForceZero. Zeroize before XFREE.
F-2144
SetStaticEphemeralKey loaded a private key file into keyBuf and freed it
without ForceZero. Static ephemeral keys are long-lived, so zeroize the
buffer before XFREE.
F-2143
ssl_SetWatchKey_file loaded a private key file into a heap buffer and
freed it without ForceZero on both error and success paths. Zeroize
before XFREE.
F-2142
wolfSSL_RSA_To_Der could free a buffer holding RSA private key material
when the DER encoding step failed. Record the allocation size and
ForceZero the buffer before XFREE on the private key path.
F-2140
wolfSSL_PEM_write_mem_DSAPrivateKey serializes the DSA private key to a
heap DER buffer and freed it on five paths without ForceZero. Zeroize
the buffer before each XFREE.
F-2139
Previously the plaintext private key DER buffer was freed via XFREE
without a preceding ForceZero when no password encryption was requested.
Track the actual allocation size and zeroize the buffer before release.
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.
Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
Refactors the output format of generated assembly files across all
platforms
(x86_64, ARM AArch64, ARMv8-32, Thumb2, PowerPC) for consistency and
correctness.
Changes
Data constant consolidation
- Pack multiple values per directive line (e.g., 4× .long or 8× .short
per
line) instead of one value per line, reducing file sizes significantly
- Normalize hex literal formatting: 64-bit values use full 8-byte
zero-padded
form (e.g., 0x0000000003ffffff instead of 0x3ffffff)
x86_64 assembly
- Use decimal immediate values for shift counts (e.g., $1 instead of
$0x01)
- .asm (MASM): use hex notation consistently for data constants;
update ALIGN
values to match data width (e.g., ALIGN 32 for 256-bit aligned data)
ARM .S files
- Move .type directive before .section for data objects (correct
ordering per
ELF convention)
ARM/Thumb2 inline C (_c.c) files
- Replace asm( with __asm__( for register variable constraints (better
portability)
- Add XALIGNED(8) attribute to constant lookup tables used in inline
asm
- Remove redundant #include <stdint.h> and
<wolfssl/wolfcrypt/libwolfssl_sources.h> headers
Files affected: 71 assembly and companion C files across
wolfcrypt/src/,
wolfcrypt/src/port/arm/, covering AES, ChaCha, Poly1305,
SHA-256/512/3,
Curve25519, ML-KEM, ML-DSA, and SP math routines.