Commit Graph

9635 Commits

Author SHA1 Message Date
Daniel Pouzzner d8797f59c4 Merge pull request #10261 from Frauschi/slh-dsa
Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
2026-04-30 23:52:36 -05:00
JacobBarthelmeh fc51a38094 Merge pull request #10135 from lealem47/nid_ED
Add Ed25519/Ed448 support to EVP layer
2026-04-30 14:16:05 -06:00
Tobias Frauenschläger 9393d62591 Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate / ASN.1 / X.509 layers, and add SLH-DSA-rooted test
certificates plus TLS 1.3 .conf scenarios that exercise the new
verification path. All liboqs SPHINCS+ code is removed.

This enables SLH-DSA for certificate chain authentication: CA
certificates signed with SLH-DSA, certificate signature verification
against an SLH-DSA root. TLS 1.3 entity authentication via
CertificateVerify with SLH-DSA will be added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA) and
NIST FIPS 205. Supports both SHAKE and SHA-2 parameter families
across all twelve standardized variants.

DER codec:
- New PrivateKeyDecode, PublicKeyDecode, KeyToDer, PrivateKeyToDer,
  PublicKeyToDer with RFC 9909 encoding (bare OCTET STRING containing
  4*n raw bytes = SK.seed || SK.prf || PK.seed || PK.root, no nested
  wrapper). OID auto-detection across all twelve SHAKE / SHA-2 variants.
- PublicKeyDecode raw-bytes fast path mirrors wc_Falcon_PublicKeyDecode
  and wc_Dilithium_PublicKeyDecode so callers (notably
  wolfssl_x509_make_der and ConfirmSignature, which pass the raw
  BIT STRING contents stashed by StoreKey) decode correctly. Honours
  the caller's *inOutIdx start offset.
- Error paths in Private/PublicKeyDecode preserve params/flags/
  inOutIdx and only ForceZero the buffer half each helper actually
  writes; skip the wipe entirely on BAD_LENGTH_E (no bytes touched).
- ImportPublic uses |= on flags so a Private-then-Public import
  sequence retains FLAG_PRIVATE.

OID dispatch:
- 12 standardized NIST OIDs (6 SHAKE + 6 SHA-2) per RFC 9909. The
  pre-standardization OID-collision mechanism is removed since NIST
  OIDs do not collide.
- wc_SlhDsaOidToParam / wc_SlhDsaOidToCertType return NOT_COMPILED_IN
  (rather than -1) for recognised SLH-DSA OIDs whose parameter set
  isn't built; wc_IsSlhDsaOid recognises both. The x509 dispatch
  surfaces this as a precise diagnostic instead of the generic
  "No public key found".
- wc_GetKeyOID picks a placeholder parameter from whatever variant is
  compiled in and #errors at compile time if none is.
- asn_orig.c EncodeCert / EncodeCertReq accept SHA-2 SLH-DSA keyTypes
  alongside SHAKE.

Tests and fixtures:
- Test cert chain in certs/slhdsa/: SLH-DSA-SHAKE-128s and
  SLH-DSA-SHA2-128s self-signed roots that sign reused ML-DSA-44
  entity keys (server + client), plus the gen script
  (gen-slhdsa-mldsa-certs.sh, OpenSSL >= 3.5).
- New TLS 1.3 .conf scenarios under tests/suites.c dispatch:
  test-tls13-slhdsa-shake.conf, test-tls13-slhdsa-sha2.conf, and a
  wrong-CA negative test test-tls13-slhdsa-fail.conf.
- DER round-trip and on-disk decode tests; bench_slhdsa_*_key.der
  fixtures regenerated with wolfSSL's own encoder so the codec is
  pinned to RFC 9909.
- New unit test test_wc_slhdsa_x509_i2d_roundtrip exercises the raw
  PublicKeyDecode entry point that wolfssl_x509_make_der relies on.
- test_wc_slhdsa_check_key now tests both Public-then-Private and
  Private-then-Public import orderings.

Build / ABI:
- DYNAMIC_TYPE_SPHINCS = 98 kept as RESERVED with a tombstone comment
  for ABI stability; new code should use DYNAMIC_TYPE_SLHDSA (107).
- All build system / IDE project files updated; SPHINCS+ sources,
  headers, and test data removed.
- Dead bench_slhdsa_*_key arrays removed from gencertbuf.pl and
  certs_test.h; the .der files on disk drive the decode tests.
2026-04-30 18:32:07 +02:00
Daniel Pouzzner a057975347 Merge pull request #10293 from Frauschi/liboqs_removal
Remove liboqs for ML-KEM and ML-DSA, update for Falcon
2026-04-30 09:04:11 -05:00
Daniel Pouzzner 76080d0b19 Merge pull request #10292 from Frauschi/liblms_libxmss_removal
Remove deprecated liblms and libxmss
2026-04-30 09:01:24 -05:00
Tobias Frauenschläger 7a2cf5b655 Remove liboqs for ML-KEM and ML-DSA, update for Falcon 2026-04-30 11:03:06 +02:00
Daniel Pouzzner c782db3cc9 Merge pull request #10158 from Roy-Carter/feature/libevent_integration
Libevent integration for OpenSSL compatibility layer
2026-04-29 18:22:07 -05:00
Tobias Frauenschläger e1fefcca4f Remove deprecated liblms and libxmss 2026-04-29 19:52:09 +02:00
David Garske 07ea48673a Merge pull request #10073 from anhu/certmgr
Ensure certificates are getting into cert manager
2026-04-29 09:58:45 -07:00
Daniel Pouzzner df486d8cd5 src/ssl_load.c: fix -Wnull-dereference in wolfssl_ctx_set_tmp_dh() (detected by armel build);
.github/workflows/pq-all.yml: for the --enable-sp-math scenario, --disable-quic (QUIC unit tests fail on that combo);

wolfcrypt/test/test.c: add WC_MAYBE_UNUSED to ecdsa_test_deterministic_k_rs(), to fix armel sp-math build.
2026-04-25 11:47:25 -05:00
David Garske 21921408b9 Merge pull request #10216 from ColtonWilley/add-null-checks-public-api
Add missing NULL checks in public API functions
2026-04-24 14:42:24 -07:00
JacobBarthelmeh 734a71180c Merge pull request #10220 from embhorn/zd21596
Fix TLS ext bounds checking
2026-04-24 15:10:05 -06:00
JacobBarthelmeh 46cedcf0f6 Merge pull request #10268 from ColtonWilley/zephyr-4.3-default-tls-support
zephyr: changes needed for Zephyr 4.3 default TLS support
2026-04-24 14:30:59 -06:00
JacobBarthelmeh 0c9a496215 Merge pull request #10162 from embhorn/gh9753
Use O_CLOEXEC to avoid race conditions
2026-04-24 14:28:00 -06:00
JacobBarthelmeh a20c391b84 Merge pull request #10282 from kareem-wolfssl/zd21527
Fix W560 "possible truncation at implicit conversion to type unsigned char" warnings raised by Tasking compiler.
2026-04-24 14:11:41 -06:00
JacobBarthelmeh b9514e70be Merge pull request #10148 from julek-wolfssl/openvpn-master-bn2binpad
Add BN_bn2binpad API and enable OpenVPN master CI testing
2026-04-24 13:54:06 -06:00
Eric Blankenhorn 6f2d48cd4c Fix from review 2026-04-24 07:54:52 -05:00
kaleb-himes 08fd7bde58 PQ FIPS v7.0.0 Phase 2 & 3: All changes
Implement peer review feedback
2026-04-24 06:52:49 -06:00
Eric Blankenhorn 412c428b0a Fix TLS ext bounds checking 2026-04-24 07:23:07 -05:00
Juliusz Sosinowicz 31278ee8bd Merge pull request #10296 from JacobBarthelmeh/hostap 2026-04-24 14:13:02 +02:00
JacobBarthelmeh 29f674e5b6 avoid glitch hardening false positive byte collision with small messages and adjust test case 2026-04-24 01:08:00 -06:00
Sean Parkinson 936f8e5423 Merge pull request #10203 from Frauschi/pkcs7_fixes
PKCS#7 fixes
2026-04-24 10:13:43 +10:00
JacobBarthelmeh 90366b747f Merge pull request #10142 from kareem-wolfssl/variousFixes2
Various fixes
2026-04-23 16:47:21 -06:00
JacobBarthelmeh 6a0303e299 Merge pull request #10066 from dgarske/wc_puf
wolfCrypt SRAM PUF Support
2026-04-23 14:28:37 -06:00
JacobBarthelmeh 53e352181e Merge pull request #10058 from julek-wolfssl/hostap-ec-generate.sh
Re-enable hostap tests and remove some flaky tests
2026-04-23 14:09:09 -06:00
JacobBarthelmeh 2ba4d7e6c9 Merge pull request #10210 from ColtonWilley/fix-scr-dangling-ptr-after-tlsx-freeall
Fix dangling secure_renegotiation pointer after TLSX_FreeAll
2026-04-23 13:58:24 -06:00
Daniel Pouzzner 9d46b57af3 Merge pull request #10246 from sameehj/aes-gcm-fix
Zero TLS 1.3 traffic keys after AES SE offload
2026-04-23 13:26:59 -05:00
Tobias Frauenschläger b7f6e77a95 Reject PKCS#7 SignedData signer-identity forgery 2026-04-23 09:36:32 +02:00
Kareem c69d9693f0 Fix code review feedback and test failure. 2026-04-22 16:33:07 -07:00
Kareem 9fef016106 Fix W560 "possible truncation at implicit conversion to type unsigned char" warnings raised by Tasking compiler. 2026-04-22 15:47:48 -07:00
JacobBarthelmeh b5738236d9 Merge pull request #10187 from embhorn/zd21587
Fixes in TLS ECH, handle empty records, and ASN len check
2026-04-22 14:44:15 -06:00
JacobBarthelmeh bc4bec63fc Merge pull request #10094 from sebastian-carpenter/GH-10068
Fixes: for GH #10068
2026-04-22 14:24:25 -06:00
David Garske e05ce26fc9 wolfCrypt SRAM PUF Support
Add SRAM PUF (Physically Unclonable Function) support to wolfCrypt. Derives device-unique cryptographic keys from the power-on state of SRAM memory using a BCH(127,64,t=10) fuzzy extractor with HKDF key derivation.

- **wolfCrypt PUF API** (`wolfcrypt/src/puf.c`, `wolfssl/wolfcrypt/puf.h`)
  - `wc_PufInit`, `wc_PufReadSram`, `wc_PufEnroll`, `wc_PufReconstruct`
  - `wc_PufDeriveKey` (HKDF-SHA256), `wc_PufGetIdentity` (SHA-256 device fingerprint)
  - `wc_PufZeroize` (secure context cleanup)
  - `wc_PufSetTestData` (synthetic SRAM for testing without hardware)
- **BCH(127,64,t=10) error-correcting codec** - corrects up to 10 bit flips per 127-bit codeword across 16 codewords
- **`WC_PUF_SHA3` build option** - select SHA3-256 instead of SHA-256 for identity hash and HKDF (default: SHA-256)
- **Precomputed GF(2^7) tables** - `const` arrays in `.rodata` (no runtime init, thread-safe, flash-resident on embedded)
- `./configure --enable-puf` (auto-enables HKDF dependency)
- CMake: `WOLFSSL_PUF=yes`
- `WOLFSSL_USER_SETTINGS`: define `WOLFSSL_PUF` and `WOLFSSL_PUF_SRAM`
- See wolfssl-examples/puf for example implementation on STM32 NUCLEO-H563ZI (Cortex-M33, STM32H563ZI)
- Supports test mode (synthetic SRAM)
- Builds to ~13KB `.elf`
- Tested on NUCLEO-H563ZI: enrollment, noisy reconstruction, key derivation all pass
- `.github/workflows/puf.yml`: host build + test workflow for PUF feature
- Doxygen API docs for all 8 public functions
- PUF group added to `doxygen_groups.h`
2026-04-22 11:39:39 -07:00
JacobBarthelmeh c098e53948 Merge pull request #10247 from julek-wolfssl/fenrir/20260417
Fenrir fixes
2026-04-21 16:26:38 -06:00
Roy Carter 6353ad3683 Feat: support openssl compatibility layer functionality for libevent integration
Cosmetic: remove empty whitespace
2026-04-21 19:05:26 +03:00
Mattia Moffa 6f37b17757 Address Copilot suggestions 2026-04-21 02:56:36 +02:00
JacobBarthelmeh ad8b6dbc32 Merge pull request #10217 from ColtonWilley/null-checks-evp-ocsp-x509
Fix NULL derefs, buffer overflow, and i2d contract in EVP/OCSP/X509
2026-04-20 17:27:19 -06:00
Colton Willey c950a6aa46 zephyr: changes needed for Zephyr 4.3 default TLS support
Follow-up to #7731 ("Changes needed for default TLS support in zephyr
kernel"). Zephyr 4.3's TLS socket integration uses three additional
wolfSSL features that were not needed by the 3.7 integration, plus an
extension to the native_sim time-source gates introduced in #7731.

native_sim timer gates (src/internal.c, wolfcrypt/src/wc_port.c):
  Extend the !CONFIG_BOARD_NATIVE_POSIX gate in LowResTimer() and the
  CONFIG_BOARD_NATIVE_POSIX RTC path in z_time() to also cover
  CONFIG_BOARD_NATIVE_SIM. Zephyr 4.3 renamed the simulator board from
  native_posix to native_sim; without this, k_cpu_idle() on native_sim
  advances simulated time during DTLS retransmit loops and the RTC path
  falls through to uptime-since-boot. Behavior on native_posix is
  unchanged.

New Kconfig options (zephyr/Kconfig, zephyr/user_settings.h):
  CONFIG_WOLFSSL_SESSION_EXPORT   -> HAVE_EXT_CACHE
    Required by consumers that serialize TLS session state across
    connections via wolfSSL_i2d_SSL_SESSION / wolfSSL_d2i_SSL_SESSION.
  CONFIG_WOLFSSL_KEEP_PEER_CERT   -> KEEP_PEER_CERT
    Retain the peer certificate after handshake so the application
    layer can inspect it via wolfSSL_get_peer_certificate.
  CONFIG_WOLFSSL_ALWAYS_VERIFY_CB -> WOLFSSL_ALWAYS_VERIFY_CB
    Invoke an application-set verify callback on successful chain
    validation in addition to validation failures.

All three are default-off; customers opt in the same way they do for
the existing CONFIG_WOLFSSL_DTLS / ALPN / PSK feature options.

.wolfssl_known_macro_extras: register HAVE_EXT_CACHE.
2026-04-20 12:29:26 -07:00
Juliusz Sosinowicz a010825bb0 Address review comments on Fenrir zeroization fixes
Two follow-ups raised by Copilot review on PR #10247:

src/pk_rsa.c: Make derAllocSz a word32 instead of int and only assign
it after a successful XMALLOC, so the cleanup path can never call
ForceZero with a wrapped-around size derived from a negative derSz.

src/pk.c: Capture allocSz at the XMALLOC call site (and clear it back
to 0 on allocation failure) so the relationship between the buffer
allocation and the recorded size is explicit and cannot drift if the
surrounding control flow changes.
2026-04-20 16:12:30 +00:00
Mattia Moffa fc63047411 Additional related minor fixes 2026-04-20 18:11:16 +02:00
Lealem Amedie 8b762301ef Add EVP_PKEY_new_raw_public_key and EVP_PKEY_new_raw_private_key 2026-04-20 09:31:42 -06:00
Eric Blankenhorn fb7e1aa396 Fix from review 2026-04-20 10:12:40 -05:00
Eric Blankenhorn 1b5d77e53f Fix from review 2026-04-20 08:22:53 -05:00
Sameeh Jubran ba51fbd30b Zero TLS 1.3 traffic keys after AES SE offload
When WOLF_CRYPTO_CB_AES_SETKEY is enabled and a CryptoCB callback
imports the AES key into a Secure Element (aes->devCtx != NULL), the
TLS-layer copy in keys->{client,server}_write_key has no further
consumer: the software key schedule is not populated on offload.
ForceZero it in SetKeysSide() per provisioned side.

The static IVs (keys->{client,server}_write_IV and
keys->aead_{enc,dec}_imp_IV) are left intact because BuildTls13Nonce()
reads aead_{enc,dec}_imp_IV on every record (RFC 8446 Section 5.3).

Scope: TLS 1.3, non-DTLS, non-QUIC.  DTLS 1.3 needs the write keys
in Dtls13EpochCopyKeys; TLS 1.2 needs them for rehandshake; QUIC is
untouched pending audit.

Add two memio tests (test_wc_CryptoCb_Tls13_Key_{Zero_After_Offload,
No_Zero_Without_Offload}) that pin AES-GCM and check key / IV state
after the handshake and a KeyUpdate round.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-04-20 10:45:23 +03:00
Tobias Frauenschläger 847f3d6bab Make sure large buffers are on the heap with SMALL_STACK 2026-04-19 20:38:41 +02:00
Anthony Hu 7718510a29 Add a debug message. 2026-04-17 15:10:56 -04:00
Mattia Moffa 807214dc55 Avoid unneeded temporary stack buffer; remove redundant check 2026-04-17 19:32:23 +02:00
Eric Blankenhorn e26ab427a5 Use O_CLOEXEC to avoid race conditions 2026-04-17 11:14:31 -05:00
Juliusz Sosinowicz 1e040923c6 Only zero unused tail of PKCS#8 PEM buffer
F-2148

The prior fix zeroed the computed DER staging area, but PEM output from
wc_DerToPemEx fills most of the buffer and overlaps that region,
corrupting the valid PEM. Preserve the allocation size and zero only
the bytes beyond the actual PEM length, or the whole buffer on failure.
2026-04-17 17:02:58 +02:00
Juliusz Sosinowicz 00fff0f3fc Zeroize PKCS#8 DER staging area in PEM write helper
F-2148

pem_write_mem_pkcs8privatekey stages the PKCS#8 DER encoded private key
at the tail of the PEM buffer, then writes the shorter PEM output at
the head of the same buffer. The DER tail is not overwritten, leaking
the plaintext private key to heap memory after the callers free. Zero
the DER staging area before returning.
2026-04-17 16:48:06 +02:00