Commit Graph

134 Commits

Author SHA1 Message Date
Ruby Martin 3137d62cf3 fix issue where ToTraditional_ex may assign negative value to *pkeySz 2026-05-01 14:06:51 -06:00
Ruby Martin 00e1fa651f Adds tmpSz so int is not cast to word32 in wc_d2i_PKCS12 2026-05-01 13:36:33 -06:00
Ruby Martin c2d44b4359 Bound by curSz in PKCS12 ContentInfo parsing 2026-05-01 09:37:45 -06:00
Ruby Martin 1bf33bcc0b PKCS12 and unicode password size check improvement 2026-04-30 16:30:29 -06:00
Ruby Martin 3ff02a7a95 Zero byte array buffer before free 2026-04-30 15:10:03 -06:00
Tobias Frauenschläger 847f3d6bab Make sure large buffers are on the heap with SMALL_STACK 2026-04-19 20:38:41 +02:00
Jeremiah Mackey e182645d20 zero PKCS12 key bag buffers before free 2026-04-15 16:59:18 +00:00
Mattia Moffa 9c304bdc09 PKCS12: check mismatch between hash algo and hash size
ZD#21457 (27)
2026-04-15 03:08:50 +02:00
Eric Blankenhorn 863db50318 Fix word32 truncation and add true regression test for PKCS12 OOB read 2026-04-13 16:05:51 -05:00
Eric Blankenhorn 4cb016f434 Fix pkcs12 parse issue 2026-04-13 15:11:15 -05:00
Daniel Pouzzner 7a6e37d697 Merge pull request #10064 from julek-wolfssl/master
Fixes for wolfclu
2026-04-02 22:54:10 -05:00
Daniel Pouzzner 21c6568883 Fixes for -Wcast-qual hygiene in wolfCrypt.
.github/workflows/wolfCrypt-Wconversion.yml: Add -Wcast-qual to all scenarios.

wolfssl/wolfcrypt/signature.h, wolfcrypt/src/signature.c, doc/dox_comments/header_files/signature.h:

  Remove incorrect const qualifier on the key argument in

  * wc_SignatureVerifyHash()
  * wc_SignatureVerify()
  * wc_SignatureGenerateHash()
  * wc_SignatureGenerateHash_ex()
  * wc_SignatureGenerate()
  * wc_SignatureGenerate_ex()

  This fixes UB code patterns throughout signature.c.  key is inherently
  accessed readwrite by the underlying low level crypto.  Fortunately, wolfCrypt
  has no APIs/methods to allow actual const MPI key objects, therefore these
  seeming breaking API changes can't actually break any users.

globally:

  * Add const qualifiers to all struct pointer members that are assigned values
    computed from const pointers.

  * Add const qualifiers to intermediate casts for accessors and read-only
    dereference constructs, as needed for -Wcast-qual hygiene, e.g. for a macro
    GET_U16(a), use (*(const word16*)(a)) rather than (*(word16*)(a)).

  * Add const qualifiers to internal declarations, and remove illegal casts, as
    needed for -Wcast-qual hygiene.

  * Add missing const qualifiers to all casts for argument, operand, and
    assignment type agreement, as needed for -Wcast-qual hygiene, e.g.
    "*data = (const byte*)dataASN->data.ref.data" rather than
    "*data = (byte*)dataASN->data.ref.data".

wolfssl/wolfcrypt/asn.h, wolfssl/wolfcrypt/asn_public.h, wolfcrypt/src/asn.c, wolfcrypt/src/asn_orig.c:

  * Add additional lifecycle management for object members that are only sometimes locally allocated:

    DNS_entry.nameStored
    DNS_entry.ipStringStored
    DNS_entry.ridStringStored

wolfssl/wolfcrypt/types.h: add WC_BARRIER() macro -- a portable construct that
   prevents compiler optimizers from reordering operations across the barrier.

wolfssl/wolfcrypt/blake2-impl.h, wolfcrypt/src/blake2s.c, wolfcrypt/src/blake2b.c:

  * In blake2b_init(), blake2b_init_key(), blake2s_init(), and
    blake2s_init_key(), refactor blake2b_param initialization using WC_BARRIER()
    (fixes volatile abuse that triggered -Wcast-qual).

  * Remove the residual and unused WOLFSSL_BLAKE2[BS]_INIT_EACH_FIELD code.

wolfcrypt/src/ecc.c and wolfssl/wolfcrypt/ecc.h:

  Remove incorrect const qualifier on curve arg to wc_ecc_free_curve() (internal function).
2026-04-01 14:12:02 -05:00
Juliusz Sosinowicz 6a1db27bae Fix type casting for psk_keySz in MakePSKPreMasterSecret and initialize newSz in PKCS12_ConcatenateContent 2026-04-01 14:00:27 +02:00
Eric Blankenhorn b4d2cd6d9c Fix feedback from review 2026-03-19 15:22:39 -05:00
Eric Blankenhorn e0a19a798e Fix GetSafeContent to check length 2026-03-19 15:09:02 -05:00
aidan garske 3295a6521c Fix Fenrir issues in wolfcrypt 2026-02-24 18:51:58 -08:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Andrew Hutchings 54e8e80e81 Added integer overflow protection to PKCS12
PKCS12_ConcatenateContent() could overflow.
2026-02-10 15:53:29 +00:00
Andrew Hutchings 6b4fd431da Fix leak in PKCS12 error path 2026-02-10 15:47:10 +00:00
Daniel Pouzzner 6ee660841b fixes/workarounds for -Wnull-dereferences, some true positive, some false
positive:
* src/pk.c:wolfSSL_RSA_meth_new()
* tests/api.c:test_wolfSSL_PKCS7_certs()
* tests/api.c:test_wolfSSL_X509V3_EXT_get()
* wolfcrypt/src/asn.c:EncodeName()
* wolfcrypt/src/pkcs12.c:wc_i2d_PKCS12()
* wolfcrypt/src/port/af_alg/afalg_aes.c
2025-10-16 15:10:16 -05:00
effbiae 7a3db09ddd automated small stack compress 2025-10-11 11:40:30 +11:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Koji Takeda ff1baf0ae7 Apply stronger salt length for PBES2 2025-06-14 00:45:03 +09:00
Koji Takeda 0260ff789b Clarify supported PKCS12 encryption algorithms 2025-06-09 12:03:47 +09:00
Koji Takeda 7c33096398 Support PBE_AES256_CBC and PBE_AES128_CBC cert encryption on wc_PKCS12_create() 2025-06-04 16:43:30 +09:00
Koji Takeda 3666851589 Support PBE_AES256_CBC and PBE_AES128_CBC key encryption on wc_PKCS12_create() 2025-05-19 22:26:46 +09:00
Sean Parkinson 112351667a ASN.1 OIDs and sum: Change algorithm for sum
New sum algorithm has no clashes at this time.
Old algorithm enabled by defining: WOLFSSL_OLD_OID_SUM.
New oid_sum.h file generated with scripts/asn1_oid_sum.pl.

Added bunch of OID names into asn1 example.
2025-05-07 08:32:08 +10:00
Eric Blankenhorn 66b9256f86 Fixes from CodeSonar report 2025-04-22 14:43:01 -05:00
Koji Takeda 039ff1b460 Add wc_PKCS12_parse_ex() 2025-04-18 06:39:16 +09:00
Daniel Pouzzner c401f5caf2 move the newly added wolfcrypt/src/wolfssl_sources.h to wolfssl/wolfcrypt/libwolfssl_sources.h, and likewise for wolfssl_sources_asm.h; revert changes to IDE/ project files. 2025-04-04 18:44:12 -05:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
Daniel Pouzzner 7cd2fd3617 numerous fixes for memory errors reported by clang-tidy, most of them true positives, unmasked by CPPFLAGS=-DNO_WOLFSSL_MEMORY: clang-analyzer-unix.Malloc, clang-analyzer-core.NullDereference, clang-analyzer-core.uninitialized.Assign, clang-analyzer-core.UndefinedBinaryOperatorResult, and clang-analyzer-optin.portability.UnixAPI (re malloc(0)).
several fixes for defects reported by cppcheck:

wolfcrypt/src/ecc.c: fix for cppcheck oppositeInnerCondition from cppcheck-2.16.0 in _ecc_make_key_ex(), and fixes for related unhandled errors discovered by manual inspection;

wolfcrypt/test/test.c: fix XREALLOC call in memcb_test() to resolve cppcheck-detected memleak.
2025-01-10 14:30:42 -06:00
Daniel Pouzzner 8d85ab964d wolfcrypt/src/pkcs12.c: fix resource leak in PKCS12_CoalesceOctetStrings(). 2025-01-08 13:39:33 -06:00
Daniel Pouzzner d6ead1b3e5 src/tls.c: fix possible null deref in TLSX_UseCertificateStatusRequestV2().
wolfcrypt/src/pkcs12.c: fix possible null deref in PKCS12_CoalesceOctetStrings(), and fix spelling of PKCS12_ConcatenateContent().
2025-01-07 00:00:48 -06:00
Daniel Pouzzner 122502e2b1 wolfCrypt -Wconversion expansion: fix numerous warnings, all benign, from -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion. 2024-12-18 11:51:06 -06:00
JacobBarthelmeh 8fda4ce147 use heap hint with wolfSSL_CTX_check_private_key 2024-10-21 08:53:15 -06:00
Daniel Pouzzner c81c9be9ce error code fixes:
* fix TLS layer to consistently use WOLFSSL_FATAL_ERROR for error retvals, rather than literal -1.
* add WC_NO_ERR_TRACE() wrapper around LENGTH_ONLY_E (it does not signify an error condition).
* refactor errcode handling for traceability in wolfSSL_DSA_do_sign(), wolfSSL_DH_size(), wolfSSL_EC_KEY_get_conv_form(), wolfSSL_d2i_DSA_SIG(), wolfSSL_DSA_do_sign(), SetDhInternal(), and wolfSSL_EC_KEY_get_conv_form().
2024-09-06 19:33:48 -05:00
Andras Fekete f419e2351b Remove NULL test with 'ptr = NULL' at the end 2024-08-06 10:55:37 -04:00
Andras Fekete d350ba6c41 remove NULL test with XFREE arguments with dereference 2024-08-06 10:44:59 -04:00
Andras Fekete d6a7187538 Programmatically remove NULL test with { XFREE() } 2024-08-06 10:37:43 -04:00
JacobBarthelmeh 31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
Marco Oliverio fe932b893c fixup! csrv2multi: pending ca list 2024-07-04 10:21:20 +02:00
Daniel Pouzzner b3e8f0ad24 add --enable-debug-trace-errcodes, WOLFSSL_DEBUG_TRACE_ERROR_CODES, WC_ERR_TRACE(), WC_NO_ERR_TRACE(), support/gen-debug-trace-error-codes.sh. also add numerous deployments of WC_NO_ERR_TRACE() to inhibit frivolous/misleading errcode traces when -DWOLFSSL_DEBUG_TRACE_ERROR_CODES. 2024-06-08 16:39:53 -05:00
Juliusz Sosinowicz 7ed5e0b3ba zephyr no malloc
- cert gen
- csr gen
- pkcs12
- Compiles for Zephyr 3.4.0 and 2.7.4
- Add support for CONFIG_POSIX_API
2024-05-07 10:38:01 +02:00
Tobias Frauenschläger 136eaae4f1 Improvements to dual alg certificates
* Support for external keys (CryptoCb interface)
* Support for usage in mutual authentication
* better entity cert parsing
* Fix for Zephyr port to support the feature
* Check key support
* Proper validation of signatures in certificate chains
* Proper validation of peer cert with local issuer signature
	(alt pub key is cached now)
* Support for ECC & RSA as alt keys with PQC as primary
* Support for PQC certificate generation
* Better support for hybrid signatures with variable length signatures
* Support for primary and alternative private keys in a single
  file/buffer
* More API support for alternative private keys

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-04-01 17:37:03 -04:00
JacobBarthelmeh bf23357c8c refactor streaming and additional comments 2024-02-01 11:50:51 -07:00
Dimitri Papadopoulos 50752f5a2b Fix typos found by codespell 2023-07-04 07:21:27 +02:00
Sean Parkinson 5be883a995 ASN: fix so that NO_CERTS configurations work
Moved code around and update #ifdefs so that --enable-cryptonly
CFLAGS=-DNO_CERTS compiles.
2023-07-03 09:16:44 +10:00
Daniel Pouzzner da9cda7eae wolfcrypt/src/pkcs12.c: fix non-portable casts;
wolfcrypt/src/sp_int.c: use unsigned int, not word32, for sign variables, to match type in header file.
2023-04-19 21:22:34 -05:00