Commit Graph

11156 Commits

Author SHA1 Message Date
David Garske c3cd71ea02 Merge pull request #9965 from kojo1/mldsa
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id
2026-05-05 11:57:06 -07:00
David Garske 519c08ae32 Merge pull request #10121 from JacobBarthelmeh/bench
use heap hints where possible in benchmark
2026-05-05 11:56:04 -07:00
David Garske d4d1f03fef Merge pull request #10333 from JacobBarthelmeh/oss-fuzz
change call to GetSigAlg in ASN original to sanity check length
2026-05-05 11:55:21 -07:00
David Garske 87536214bf Merge pull request #10375 from LinuxJedi/STSAFEA120Sim
Add STSAFE A120 CI support
2026-05-05 11:53:29 -07:00
David Garske 5074cf3726 Merge pull request #10366 from embhorn/zd21744
Fix CUDA with WOLFSSL_AES_SMALL_TABLES
2026-05-05 11:51:01 -07:00
David Garske 5266329c9a Merge pull request #10352 from embhorn/zd21724
Fix static / mem tracker build error
2026-05-05 11:48:16 -07:00
David Garske 9b1167772d Merge pull request #10350 from LinuxJedi/ATECC608Sim
Add ATECC608 CI tests
2026-05-05 11:45:45 -07:00
David Garske 678ddd6c73 Merge pull request #10339 from embhorn/zd21707
Fix handling of otherName in ConfirmNameConstraints
2026-05-05 11:41:28 -07:00
David Garske b0fca9df10 Merge pull request #10276 from padelsbach/asn1-time-chars-check
Add checks for ascii digits in time decode functions
2026-05-05 11:38:47 -07:00
David Garske aaca0948e8 Merge pull request #10335 from julek-wolfssl/pkcs11-hmac-session
wolfcrypt/src/wc_pkcs11.c: cache PKCS#11 session across multi-call HMAC
2026-05-05 11:33:10 -07:00
David Garske 04984a5d5e Merge pull request #10346 from Frauschi/ecc_leak_fix
Prevent ECC tmp key leak and UB
2026-05-05 11:32:48 -07:00
David Garske 7e9635df19 Merge pull request #10208 from ColtonWilley/bio-io-negative-length-checks
Guard against negative length in BIO, I/O callbacks and PKCS12 PBKDF
2026-05-05 11:32:21 -07:00
David Garske d793452264 Merge pull request #10353 from julek-wolfssl/dtls-13-client-only
DTLS 1.3 client-only minimum: WOLFSSL_DTLS_ONLY + autoconf cascade
2026-05-05 11:24:44 -07:00
David Garske 80c9d3f048 Merge pull request #10183 from douzzer/20260409-IsValidFQDN
20260409-IsValidFQDN
2026-05-05 11:22:51 -07:00
David Garske c0bc5efe31 Merge pull request #10307 from padelsbach/nxp-aes-multiblock
Fix AES multiblock issues for NXP DCP
2026-05-05 10:56:21 -07:00
David Garske 02dfd12466 Merge pull request #10376 from rlm2002/coverity
20260501 Coverity Fixes
2026-05-04 15:15:11 -07:00
Takashi Kojo 1a6dee2bb3 Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id 2026-05-02 08:13:08 +09:00
Takashi Kojo 4c04ba306b fix error case in d2iTryAltDhKey 2026-05-02 08:13:08 +09:00
Daniel Pouzzner 7b5330391b Merge pull request #10051 from anhu/mp_int_bounds
Add bounds checks for MP integer size in SizeASN_Items
2026-05-01 15:32:18 -05:00
JacobBarthelmeh 5b4ad8690e update function comments 2026-05-01 09:43:52 -06:00
JacobBarthelmeh d9361e2d8c use INVALID_DEVID in benchmark and copy over heap hint with XMSS export pub 2026-05-01 09:43:51 -06:00
JacobBarthelmeh 78564f0c78 fix XMSS heap hint use 2026-05-01 09:43:25 -06:00
JacobBarthelmeh e5d27b61dc use heap hints where possible in benchmark 2026-05-01 09:43:24 -06:00
Tobias Frauenschläger 5151a695bc Merge pull request #10373 from douzzer/20260430-ecc_test_vector_item-WC_MIN_DIGEST_SIZE
20260430-ecc_test_vector_item-WC_MIN_DIGEST_SIZE
2026-05-01 08:57:53 +02:00
Andrew Hutchings a4b754ab5d Add STSAFE A120 CI support
Adds our STSAFE A120 simulator to the CI, adds STSAFE to configure.ac
and fix missing required header.
2026-05-01 07:12:55 +01:00
Daniel Pouzzner d8797f59c4 Merge pull request #10261 from Frauschi/slh-dsa
Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
2026-04-30 23:52:36 -05:00
Daniel Pouzzner 70d5d86dda wolfcrypt/test/test.c: in ecc_test_vector_item(), don't attempt wc_ecc_verify_hash() if the test vector's message (hash) is shorter than WC_MIN_DIGEST_SIZE. 2026-04-30 17:00:40 -05:00
JacobBarthelmeh fc51a38094 Merge pull request #10135 from lealem47/nid_ED
Add Ed25519/Ed448 support to EVP layer
2026-04-30 14:16:05 -06:00
Ruby Martin fb69662262 consolidate duplicate shakeType classification, clears logically dead code 2026-04-30 14:00:15 -06:00
Eric Blankenhorn fdac63cd29 Fix CUDA with WOLFSSL_AES_SMALL_TABLES 2026-04-30 14:06:18 -05:00
Eric Blankenhorn 0d392a6e61 Fix from review 2026-04-30 13:57:21 -05:00
Eric Blankenhorn 13afb8f8a0 Fix static / mem tracker build error 2026-04-30 13:57:21 -05:00
Andrew Hutchings 9e7c2d19c7 Add ATECC608 CI tests
Also fix issues found with ATECC608
2026-04-30 18:01:42 +01:00
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00
lealem47 d00a137de0 Merge pull request #10344 from douzzer/20260416-linuxkm-fips-rodata-canonify
20260416-linuxkm-fips-rodata-canonify
2026-04-30 10:19:43 -06:00
JacobBarthelmeh a478029083 change call to GetSigAlg in ASN original to sanity check length 2026-04-30 09:03:52 -06:00
Daniel Pouzzner a057975347 Merge pull request #10293 from Frauschi/liboqs_removal
Remove liboqs for ML-KEM and ML-DSA, update for Falcon
2026-04-30 09:04:11 -05:00
Daniel Pouzzner 76080d0b19 Merge pull request #10292 from Frauschi/liblms_libxmss_removal
Remove deprecated liblms and libxmss
2026-04-30 09:01:24 -05:00
Juliusz Sosinowicz a012a8f3ec DTLS 1.3 client-only minimum: WOLFSSL_DTLS_ONLY + autoconf cascade
* configure.ac: --enable-dtls13 auto-enables --enable-dtls and TLS 1.3,
  with a targeted error if either is explicitly --disabled, plus a
  post-finalization sanity check that errors out if a later
  prerequisite test forces ENABLED_TLS13 back to "no" while
  ENABLED_DTLS13 is yes.
* src/internal.c, src/wolfio.c, wolfssl/wolfio.h: new WOLFSSL_DTLS_ONLY
  compile-time flag elides the EmbedReceive / EmbedSend default
  callbacks. The DTLS_MAJOR runtime check stays in SetSSL_CTX so a
  TLS-method ctx in a DTLS-only build doesn't get datagram callbacks
  by default, and WriteSEQ keeps its ssl->options.dtls branch. A
  #error in settings.h refuses WOLFSSL_DTLS_ONLY without WOLFSSL_DTLS.
* wolfcrypt/src/aes.c: add HAVE_AES_DECRYPT to the inv_col_mul
  definition gate to match its only caller; without it the function is
  emitted dead under WOLFSSL_AES_DIRECT && NO_AES_DECRYPT and
  -Werror=unused-function fails the build.
* .github/workflows/os-check.yml: matrix entry for a minimal DTLS 1.3
  client-only build.
2026-04-30 11:40:22 +00:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Tobias Frauenschläger e1fefcca4f Remove deprecated liblms and libxmss 2026-04-29 19:52:09 +02:00
Daniel Pouzzner 9aec51d00b Merge pull request #10334 from lealem47/acme
Add TLS-ALPN-01 challenge cert support (RFC 8737 acmeId extension)
2026-04-29 12:16:15 -05:00
Tobias Frauenschläger 71a8a55654 Merge pull request #10345 from douzzer/20260428-SLHDSA-fixes
20260428-SLHDSA-fixes
2026-04-29 16:44:02 +02:00
Tobias Frauenschläger 0dd6aa3704 Prevent ECC tmp key leak and UB in wc_ecc_mulmod_ex
ecc_key_tmp_final was guarded by `if (err == MP_OKAY)`, leaking
key->t1/t2 (and x/y/z under ALT_ECC_SIZE) whenever an allocation or
mulmod step after ecc_key_tmp_init failed.

Simply removing the guard is unsafe here: unlike wc_ecc_mulmod_ex2
(whose arg checks `return` directly), this function XMALLOC'd `key`
before the arg checks and used `goto exit`, so a bad-arg call would
hand uninitialized memory to ecc_key_tmp_final and XFREE garbage
pointers.

Defer the XMALLOC until after the arg/range checks so `key` is NULL
on the early-error paths, then call ecc_key_tmp_final unconditionally
to plug the leak on the late-error paths.
2026-04-29 09:19:58 +02:00
Daniel Pouzzner f81f8479d5 fixes for SLH-DSA verifyonly:
wolfssl/wolfcrypt/wc_slhdsa.h: implement WOLFSSL_SLHDSA_NO_SHAKE and WOLFSSL_SLHDSA_NO_SHA2, and fix WC_SLHDSA_MAX_SIG_LEN setup to reflect SHA2 variants;

wolfssl/wolfcrypt/settings.h: if WOLFSSL_KERNEL_MODE, set WOLFSSL_SLHDSA_VERIFY_ONLY unless WOLFSSL_SLHDSA_NO_VERIFY_ONLY;

wolfcrypt/src/wc_slhdsa.c: fix WOLFSSL_SLHDSA_VERIFY_ONLY to work with --enable-slhdsa=sha2,verifyonly;

fix -Wunused-variables in slhdsakey_wots_pk_from_sig_x4();

wolfcrypt/test/test.c: in slhdsa_test(), fix gating for compatibility with --enable-slhdsa=sha2,verifyonly;

tests/api/test_slhdsa.c: fix gating in test_wc_slhdsa() and test_wc_slhdsa_sizes().
2026-04-28 18:06:00 -05:00
Daniel Pouzzner b7ed413571 wolfcrypt/src/wc_lms_impl.c: work around false-positive -Wmaybe-uninitialized in wc_lms_treehash_update(). 2026-04-28 15:05:30 -05:00
Eric Blankenhorn 98ffce9a69 Fix from review 2026-04-28 14:46:07 -05:00
Daniel Pouzzner d218d3fbdd wolfcrypt/src/ge_operations.c and wolfssl/wolfcrypt/ge_operations.h: when ge_tobytes_nct and ge_tobytes have identical definitions, map the former to the latter using a macro and omit the latter definition, to avoid problematic R_ARM_THM_JUMP11 tail call. 2026-04-28 12:58:32 -05:00
Lealem Amedie 82b15efebc Add acmeIdentifier to asn=original 2026-04-28 11:51:40 -06:00
Eric Blankenhorn 262737d63f Fixes from review 2026-04-28 11:54:46 -05:00