Commit Graph

11722 Commits

Author SHA1 Message Date
David Garske 675d5df2cd Merge pull request #10833 from kareem-wolfssl/zd22079
Add some missing PKCS7 length checks and bound DTLS 1.3 ACK list.
2026-07-06 17:28:22 -07:00
David Garske b560973780 Merge pull request #10825 from SparkiDev/aes_x64_perf_1
AES Intel x64: improve performance
2026-07-06 08:04:19 -07:00
Tobias Frauenschläger d40aeeabc0 Fix ret check in test.c 2026-07-03 09:15:26 +02:00
Daniel Pouzzner 8847cf2aa4 Merge pull request #10768 from Frauschi/altNames_API
Add public alt-name list APIs
2026-07-03 01:14:57 -05:00
Daniel Pouzzner f22ec4ccae Merge pull request #10804 from Frauschi/pkcs7_no_eContent
PKCS#7: support SignedData with absent eContent
2026-07-03 01:14:05 -05:00
Daniel Pouzzner cce3f2571e Merge pull request #10803 from Frauschi/fenrir
Fenrir fixes
2026-07-03 01:11:03 -05:00
Daniel Pouzzner d638d2afd7 Merge pull request #10209 from ColtonWilley/harden-chain-depth-and-parser-bounds
Harden chain depth bounds and parser input validation
2026-07-03 01:03:36 -05:00
Daniel Pouzzner ec37935a1f Merge pull request #10697 from Frauschi/zd21977
Even more missing ForceZero in ML-KEM / ML-DSA
2026-07-03 00:47:57 -05:00
Daniel Pouzzner 460b7ad041 Merge pull request #10742 from tjko/rpi_compile
Fix compiler error when WOLFSSL_RPIPICO is used.
2026-07-03 00:45:19 -05:00
Sean Parkinson 3a6717e7c2 AES Intel x64: improve performance
wolfcrypt/src/aes.c - hand‑written: CFB‑decrypt fast path rewritten (ECB straight from in, E(reg) once, carry E(last), direct AesEcbEncryptBlocks); dropped 6 redundant XTS sz checks; WC_VAES_ECB_MIN_BLOCKS 8→2.
wolfcrypt/src/aes_x86_64_asm.S/.asm - regenerated from aes_avx512.rb/aes_vaes.rb (small power‑of‑2 tiers).
wolfcrypt/src/aes_gcm_asm.S/.asm - regenerated from the GCM generators (8‑block tier, 2‑way GHASH, aggregated aad_update/calc_aad).
2026-07-03 11:44:25 +10:00
David Garske 0ecc0c5973 Merge pull request #10828 from SparkiDev/sp_func_block_comment_1
SP: fix function block comments
2026-07-02 15:53:03 -07:00
Daniel Pouzzner 9d3152cae2 Merge pull request #10708 from rlm2002/support-fixes
Support fixes - various reports
2026-07-02 12:51:11 -05:00
David Garske d390a98f64 Merge pull request #10754 from SparkiDev/arm64_asm_c_fallback
Aarch64 asm: Have software fallback and CPU id checks
2026-07-02 09:30:19 -07:00
Tobias Frauenschläger 11f71108ba PKCS#7: support SignedData with absent eContent
Allow encoding and verifying a CMS SignedData whose encapContentInfo
carries no eContent, that is, a signed-attributes-only signature over
empty content (RFC 5652 makes eContent OPTIONAL). This is required for
SCEP CertRep PENDING and FAILURE messages (RFC 8894 section 3.2.2),
which must omit the pkcsPKIEnvelope entirely.

Encode: wc_PKCS7_EncodeSignedData computes the messageDigest over the
empty content when detached is set and contentSz is 0, since there is no
eContent to drive the normal content-hashing pass.

Verify: PKCS7_VerifySignedData no longer rejects an absent eContent when
no external content or hash was supplied. It is processed as a detached
signature over empty content, and wc_PKCS7_VerifyContentMessageDigest
computes the digest of zero-length content using the parsed digest
algorithm. The messageDigest comparison still rejects a stripped
non-empty eContent.

Add pkcs7_signed_no_content_test, a round-trip over a CMS SignedData
whose encapContentInfo carries no eContent (a detached signature over
empty content, signed-attributes-only), as produced by SCEP CertRep
PENDING/FAILURE messages. The encode omits the eContent and the verify
accepts it without any caller-supplied content or hash, checking the
messageDigest against the hash of empty content. Run for RSA/SHA-256.
2026-07-02 14:17:20 +02:00
Tobias Frauenschläger d88ac76fda F-6347 - Reject negative and oversized length in EVP_EncodeUpdate
wolfSSL_EVP_EncodeUpdate did not validate the input length. A large
inl caused the block loop and the residual copy to read far past the
caller's input buffer, and a negative inl was silently treated as
success. Reject negative lengths and lengths whose base64 output would
overflow a positive int before processing any data.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 2943ee6a69 F-6346 - Reject oversized length in EVP_EncodeBlock
wolfSSL_EVP_EncodeBlock rejected negative input lengths but passed any
large positive length straight to Base64_Encode_NoNl, which read that
many bytes from the caller input buffer and ran past its allocation.

Reject input lengths whose base64 output would overflow a positive int,
which also bounds the read against the caller allocation. The encoded
length is the int return value, so the safe maximum input is
(INT_MAX / 4) * 3.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 7562ae5e37 F-6427 - Reject RC2 cipher ops when no key is set
The RC2 encrypt and decrypt operations used the expanded key schedule
without checking that a key had ever been configured. On a zeroed or
otherwise unkeyed context the ECB ops ran over an all-zero schedule and
returned success, and the CBC wrappers inherited the same behavior, so
a caller who skipped wc_Rc2SetKey received ciphertext under an
unintended key with no error signalled.

Guard wc_Rc2EcbEncrypt and wc_Rc2EcbDecrypt on a zero keylen and return
MISSING_KEY when no key has been set. The CBC wrappers call these and
propagate the error. Mirrors the existing 3DES keySet guard.

Add a regression test covering the unkeyed path for all four ops.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 5cf136d15a F-6426 - Reject Camellia cipher ops when no key is set
The Camellia encrypt and decrypt operations used the key schedule
without checking that a key had ever been configured. A zeroed or
otherwise unkeyed context has a keySz that does not match 128, 192,
or 256, so the underlying block transform hit the default no-op case
and CBC emitted an easily reversible XOR chain while still returning
success. A caller who forgot wc_CamelliaSetKey received a success
code with effectively unencrypted output.

Add a key-state check that accepts only valid Camellia key sizes and
have wc_CamelliaEncryptDirect, wc_CamelliaDecryptDirect,
wc_CamelliaCbcEncrypt, and wc_CamelliaCbcDecrypt return MISSING_KEY
when no key has been set. Mirrors the existing 3DES keySet guard.

Add a regression test covering the unkeyed and garbage key-size paths.
2026-07-02 11:36:01 +02:00
Daniel Pouzzner 076dc5a206 Merge pull request #10773 from rlm2002/coverity
24062026 Coverity fixes
2026-07-01 17:59:19 -05:00
Daniel Pouzzner fd3b489ea5 Merge pull request #10787 from stenslae/update-wolfssl-email
Updated email to facts@wolfssl.com
2026-07-01 17:52:20 -05:00
Daniel Pouzzner 7dd269fc52 Merge pull request #10793 from embhorn/gh10790
Restore error code from DecodeGeneralName
2026-07-01 17:49:37 -05:00
Daniel Pouzzner 22b552c668 Merge pull request #10809 from aidangarske/fenrir-6558-nameconstraints-minmax
Reject name constraint subtree with non-zero minimum or maximum
2026-07-01 17:38:28 -05:00
Daniel Pouzzner fed8d6a57e Merge pull request #10814 from kojiws/fix_ecc_31bytes_on_test
Fix ECC buffer test by correcting message length
2026-07-01 17:35:47 -05:00
Daniel Pouzzner 7afcc3eef6 Merge pull request #10687 from rlm2002/zd-NameConstraints
Name Constraints cert chain walk
2026-07-01 17:24:52 -05:00
Daniel Pouzzner 9f48aef47f Merge pull request #10638 from rizlik/nc_uri_trailing_dot
NameConstraints fixes
2026-07-01 17:14:08 -05:00
Daniel Pouzzner d733f203fa Merge pull request #10663 from rizlik/pubkey_ecc_operation_cb
Introduce ECC Make PUB and ECC Check Pub crypto callbacks
2026-07-01 16:53:24 -05:00
Kareem eb7ebfa222 Validate IV length in the non-streaming path in wc_PKCS7_DecodeEnvelopedData.
Reported by: Jorge Milla (Pig-Tail) <jorge@jmilla.es>
2026-07-01 14:32:58 -07:00
David Garske c9e4b13be4 Merge pull request #10829 from douzzer/20260630-various-fixes
20260630-various-fixes
2026-07-01 14:28:27 -07:00
Kareem 6409a9e9a2 Fix two issues with the authTag length in wc_PKCS7_DecodeAuthEnvelopedData.
Reported by: Jorge Milla (Pig-Tail) <jorge@jmilla.es>
2026-07-01 14:15:29 -07:00
Daniel Pouzzner 323027d1d2 Merge pull request #10820 from lealem47/dh_min_sz
FIPS: Default to 2048 bit min DH crypto
2026-07-01 14:40:04 -05:00
Daniel Pouzzner ed4fb32c92 fixes from Fenrir review:
linuxkm/linuxkm_wc_port.h: strcpy() takes 2 args.

wolfcrypt/src/aes.c: add VECTOR_REGISTERS_PUSH2() and use it to free tmp in smallstack path if the push fails.
2026-07-01 13:46:11 -05:00
Josh Holtrop 1e73f8e387 0 memset kop in devcrypto_x25519 before use 2026-07-01 11:35:55 -07:00
Daniel Pouzzner 8b29a95da4 * add WC_MAYBE_UNUSED attribute to AesEcbEncryptBlocks(), AesEcbDecryptBlocks(),
AesCbcEncryptBlocks(), AesCbcDecryptBlocks(), and AesCtrEncryptBlocks(), to
  fix -Wunused-functions in default build with --enable-aesni under clang.

* in AesCfbDecrypt_C(), add smallstack implementation for fast inner loop on
  intelasm/armasm.
2026-07-01 12:54:35 -05:00
Daniel Pouzzner bb7b4ccc77 wolfcrypt/src/port/kcapi/kcapi_aes.c: add backward-compat code paths for authTagSz validation on old FIPS. 2026-07-01 12:48:02 -05:00
JacobBarthelmeh 64a4c7a7ae Merge pull request #10750 from night1rider/SHAKE-Callbacks
SHAKE 128/256 callback wiring and tests, along with fix to devCTX initialization
2026-07-01 10:53:57 -06:00
Lealem Amedie f15681a6c1 Remove 9-bit prime generation testing, disallowed with DH_MIN_SIZE 2026-07-01 08:26:23 -06:00
Lealem Amedie 53fe0b3fc1 Adjust test.c for dh_min_sz 2026-07-01 08:26:23 -06:00
Lealem Amedie 277bd66624 FIPS: Default to 2048 bit min DH crypto 2026-07-01 08:26:23 -06:00
Kaleb Himes 6dae0c9dd4 Merge pull request #10818 from dgarske/dh_checkprivkey_prime
DH: honor explicit prime in wc_DhCheckPrivKey_ex (Fenrir F5317)
2026-07-01 05:34:47 -06:00
Sean Parkinson 9104a0d2d7 SP: fix function block comments 2026-07-01 19:35:30 +10:00
Koji Takeda b98e43eeca Fix wrong length on test message 2026-07-01 11:06:09 +09:00
Sean Parkinson 6315f95378 Aarch64 asm: Have software fallback and CPU id checks
cpuid.h — added CPUID_ASIMD flag + IS_AARCH64_ASIMD() macro (NEON detection).
cpuid.c — added NEON/ASIMD detection fixed FreeBSD/OpenBSD to use HWCAP_*
sha256.c — runtime dispatch SHA256-crypto → NEON → software
sha512.c — replaced the #error with the same crypto → NEON → software dispatch.
chacha.c: add AArch64 runtime fallback to C.
poly1305.c: add AArch64 runtime fallback to C.

Fixes
test_tls.c: don't memcpy into buffer if length is too long.
sha256.c: even if data is not NULL, return immediately when length is 0.
2026-07-01 09:32:28 +10:00
philljj 3fa342a76c Merge pull request #10812 from douzzer/20260629-linuxkm-fixes
20260629-linuxkm-fixes
2026-06-30 13:36:04 -05:00
philljj b5636ffaf9 Merge pull request #10696 from douzzer/20260615-linuxkm-fixes
20260615-linuxkm-fixes
2026-06-30 12:00:25 -05:00
Daniel Pouzzner 8820b810f2 Merge pull request #10725 from SparkiDev/aes_x25519_arm32_thumb2_fixes
ARM32/Thumb2: generated asm fixes
2026-06-30 10:47:03 -05:00
David Garske 07b677edba Merge pull request #10744 from SparkiDev/arm64_asm_opt
ARM64 ASM: optimizations
2026-06-30 08:42:23 -07:00
David Garske 5fa08e767b DH: honor explicit prime in wc_DhCheckPrivKey_ex (Fenrir F5317) 2026-06-30 07:49:00 -07:00
David Garske 8d63afab99 Merge pull request #10767 from SparkiDev/ppc64_ppc32_asm_1
PPC64/PPC32 ASM: AES, SHA-2, SHA-3
2026-06-30 07:13:35 -07:00
Daniel Pouzzner 2af2a2967f fix F-3085 "Base64_Decode silently returns success with outLen=0 when input is a 1-3 byte truncated base64 fragment, violating decode(encode(x)) roundtrip for inputs producing 2-3 base64 chars without padding"
wolfcrypt/src/coding.c: in Base64_Decode() and Base64_Decode_nonCT(), check for non-whitespace characters past the end and return ASN_INPUT_E if found;

wolfcrypt/test/test.c: in base64_test(), remove ';' from goodChar[], and add trailing*[] test strings and N_BYTE_TRAILING_TEST(), for positive and negative testing of new checks.
2026-06-29 23:48:36 -05:00
aidan garske 2124a1075f F-6558 - Reject name constraint subtree with non-zero minimum or maximum 2026-06-29 16:10:15 -07:00