Commit Graph

28228 Commits

Author SHA1 Message Date
sebastian-carpenter cbb7bfc53a improved ifdef's for hpke 2026-03-19 13:59:57 -06:00
sebastian-carpenter fcedc91d38 touch-ups:
- shrink ech interop workflow
- x448 macro now unused in hpke WOLFSSL_LOCAL functions
- bug fixes in added tests
2026-03-18 15:47:52 -06:00
sebastian-carpenter 7e9f9dc140 refactor openssl-ech workflow + add suite testing 2026-03-17 16:29:58 -06:00
sebastian-carpenter 8445493dd9 hpke snake_case to camelCase 2026-03-17 14:43:06 -06:00
sebastian-carpenter 36580b0ae8 move hpke-esque code out of tls 2026-03-17 14:43:06 -06:00
sebastian-carpenter 5acdcf6ad7 hpke uses wrong kdf/kem digest 2026-03-17 14:42:57 -06:00
JacobBarthelmeh 7ad9c25a5b Merge pull request #9978 from SparkiDev/xmss_sign_idx_fix
XMSS: Fix index copy for signing.
2026-03-16 09:20:38 -06:00
JacobBarthelmeh f8dda213b0 Merge pull request #9972 from cconlon/getCiphersCompatFix
Fix wolfSSL_get_ciphers_compat() to return NULL for empty cipher list
2026-03-16 08:29:00 -06:00
Sean Parkinson 9590255ceb XMSS: Fix index copy for signing.
The index is already big-endian encoded but it needs to be front padded
with zeros instead of back end padded.
2026-03-16 21:24:08 +10:00
JacobBarthelmeh a6195c30c1 Merge pull request #9947 from kareem-wolfssl/zd21325
Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.
2026-03-13 15:37:24 -06:00
Chris Conlon 428030a3e8 Fix wolfSSL_get_ciphers_compat to return NULL when no ciphers available 2026-03-13 15:07:25 -06:00
Chris Conlon aa9ee8b4fa Merge pull request #9963 from JacobBarthelmeh/caam
fixes for CAAM port without hash store
2026-03-13 13:45:08 -06:00
JacobBarthelmeh 73eb8f933b Merge pull request #9967 from Frauschi/pqc_cmake
Move PQC algos out of experimental in CMake
2026-03-13 13:12:53 -06:00
Kareem 94b370f5e2 Rework check to compare only ints. 2026-03-13 11:42:12 -07:00
Kareem 19b99f8072 Ensure the length computed by CheckHeaders in the SSL sniffer does not exceed the actual size of the packets.
Thanks to Haruto Kimura (Stella) for the report.
2026-03-13 11:42:12 -07:00
Tobias Frauenschläger da94ea6265 Move PQC algos out of experimental in CMake
This was already done a long time ago in autoconf. The user
now does not have to enable experimental features to use
PQC.
2026-03-13 17:53:54 +01:00
JacobBarthelmeh 156db7dd2d Merge pull request #9831 from julek-wolfssl/pytho-3.13.4
Fixes to run python with --enable-all
2026-03-13 10:50:23 -06:00
David Garske 0792c674c5 Merge pull request #9960 from philljj/fix_coverity
asn: fix coverity null deref warnings.
2026-03-13 06:58:41 +01:00
David Garske 00cd1a7c22 Merge pull request #9962 from night1rider/ecc-dilithium-callback-free-fix
Fix expected callback behavior for ECC/Dilithium for Free Callbacks
2026-03-13 06:19:31 +01:00
David Garske cdacf3a53e Merge pull request #9964 from SparkiDev/asm_gen_fixes_1
SP fixes: 32-bit ARM assembly fixes
2026-03-13 06:16:57 +01:00
Sean Parkinson bac0563669 Merge pull request #9919 from anhu/lms-leaf-idx
Fix buffer-overflow in LMS leaf cache indexing
2026-03-13 10:02:50 +10:00
Sean Parkinson d23cb79f18 SP fixes: 32-bit ARM assembly fixes
mod_exp: subtract from 32 instead of 64 as n is 32 bits
sp_521_ecc_mulmod_fast: look up the last point in constant time when
required.
2026-03-13 09:37:28 +10:00
JacobBarthelmeh 424af6eb5b Merge pull request #9956 from rlm2002/coverity
20260311 Coverity changes
2026-03-12 16:53:39 -06:00
JacobBarthelmeh 357c2ad8e9 fixes for CAAM port without hash store 2026-03-12 15:55:19 -06:00
night1rider cdbd19551e Have ret initialized to 0 in wc_ecc_free() and wc_dilithium_free() 2026-03-12 15:40:38 -06:00
night1rider 2626f976f5 Update the PKCS11 ECC and dilithium free handlers so they will now return CRYPTOCB_UNAVAILABLE after attempting the context free so the caller still does software cleanup on the rest of the context that the callback does not handle. 2026-03-12 15:18:56 -06:00
JacobBarthelmeh e5594a6366 Merge pull request #9889 from rlm2002/F29
remove word16 cast, add WOLFSSL_MAX_16BIT check
2026-03-12 14:54:19 -06:00
JacobBarthelmeh 80ba723e16 Merge pull request #9943 from philljj/fix_evp_set_iv_length
evp: check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length.
2026-03-12 14:47:32 -06:00
night1rider 5ff2b55345 Fix Free Callback Behavior for Dilithium's free callback path so that it respects the return code of the callback 2026-03-12 14:45:33 -06:00
JacobBarthelmeh 67abcc6f2d Merge pull request #9949 from philljj/fix_d2i_SSL_SESSION
ssl_sess: check fields in wolfSSL_d2i_SSL_SESSION.
2026-03-12 14:45:29 -06:00
JacobBarthelmeh c1f71fcf33 Merge pull request #9959 from philljj/fix_wolfboot_build
asn: add HAVE_OCSP_RESPONDER guard, to fix wolfboot build.
2026-03-12 14:44:29 -06:00
JacobBarthelmeh 351d2594ac Merge pull request #9938 from SparkiDev/regression_fixes_23
Fixes from regression testing
2026-03-12 14:41:18 -06:00
night1rider e766b8f0af Update the wolfCrypt test so that Dilithium init so that devID will get passed to hit callback paths when configured and that Dilithium will be retested in the callback section of the wolfCrypt test. 2026-03-12 14:31:05 -06:00
night1rider 9d65982d80 Fix Free Callback Behavior for ECC's free callback path so that it respects the return code of the callback 2026-03-12 14:24:10 -06:00
night1rider 352daa085b Add test case for free ecc/dilithium callback for expected behavior to match existing free callback code paths 2026-03-12 14:18:31 -06:00
jordan 02bdde0264 asn: fix coverity null deref warnings. 2026-03-12 14:28:24 -05:00
JacobBarthelmeh a05a3ed1c2 Merge pull request #9940 from cconlon/pathLenSet
Fix pathlen not copied in ASN1_OBJECT_dup and not marked set in X509_add_ext
2026-03-12 10:34:58 -06:00
JacobBarthelmeh 2831a1e864 Merge pull request #9958 from julek-wolfssl/ocsp-responder-follow-up
Address final comments from #9761
2026-03-12 10:29:56 -06:00
Ruby Martin d359f420ab set *inLen = outLen if output == NULL, if != NULL, check that outLen <= *inLen before assigning *inLen = outLen 2026-03-12 10:25:14 -06:00
Ruby Martin 6ebd967345 bounds check on ext_dump 2026-03-12 09:53:35 -06:00
Ruby Martin d432759fdd verify algoSz is <= MAX_ALGO_SZ 2026-03-12 09:53:34 -06:00
Ruby Martin 8314aa56ae catch MEMORY_E from CALLOC_ASNSETDATA() 2026-03-12 09:53:34 -06:00
jordan d67c034b14 asn: add HAVE_OCSP_RESPONDER guard, to fix wolfboot build. 2026-03-12 10:50:18 -05:00
Juliusz Sosinowicz 4fbc81916c Address final comments from #9761
- Fix line length
- Remove duplicate comment
- Check return of `wc_HashGetDigestSize`
- Use constant instead of magic number
2026-03-12 12:30:13 +01:00
JacobBarthelmeh 0de6e8fd50 Merge pull request #9950 from douzzer/20260311-bench_slhdsa-smallstack
20260311-bench_slhdsa-smallstack
2026-03-11 17:30:08 -06:00
JacobBarthelmeh a8dfa59bbe Merge pull request #9761 from julek-wolfssl/ocsp-responder
Implement OCSP responder
2026-03-11 17:27:33 -06:00
Sean Parkinson bbd2f6f898 Fixes from regression testing
CRL APIs not usable when NO_ASN_TIME defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When session ticket encrypted with CBC, must be a multiple of block
size.
Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.
2026-03-12 08:19:39 +10:00
JacobBarthelmeh c15715ed54 Merge pull request #9737 from sebastian-carpenter/tls-ech-confirmation-fix
TLS ECH Testing Improvements
2026-03-11 15:11:13 -06:00
Anthony Hu 00d0b09401 Fix buffer-overflow in LMS leaf cache indexing
wc_lms_treehash_init() writes leaf node hashes into the leaf cache
using an absolute index (i * hash_len), but the cache is only
max_cb entries starting from leaf->idx. When leaf->idx > 0 (which
occurs when wc_LmsKey_Reload is called after signing more than
max_cb times), the write goes past the end of the cache buffer.

Fix by using the relative offset (i - leaf->idx) * hash_len instead.

Added unit tests (test_lms.c):
  - test_wc_LmsKey_sign_verify: basic sign/verify sanity check
  - test_wc_LmsKey_reload_cache: (TDD) reproduces the overflow by
    signing 33 times then reloading the key
2026-03-11 16:58:48 -04:00
sebastian-carpenter bb7c6a13c8 ECH tidying 2026-03-11 12:07:20 -06:00