Commit Graph

30456 Commits

Author SHA1 Message Date
Tobias Frauenschläger d88ac76fda F-6347 - Reject negative and oversized length in EVP_EncodeUpdate
wolfSSL_EVP_EncodeUpdate did not validate the input length. A large
inl caused the block loop and the residual copy to read far past the
caller's input buffer, and a negative inl was silently treated as
success. Reject negative lengths and lengths whose base64 output would
overflow a positive int before processing any data.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 2943ee6a69 F-6346 - Reject oversized length in EVP_EncodeBlock
wolfSSL_EVP_EncodeBlock rejected negative input lengths but passed any
large positive length straight to Base64_Encode_NoNl, which read that
many bytes from the caller input buffer and ran past its allocation.

Reject input lengths whose base64 output would overflow a positive int,
which also bounds the read against the caller allocation. The encoded
length is the int return value, so the safe maximum input is
(INT_MAX / 4) * 3.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 845a3a93b5 F-6345 - Reject oversized length in memory BIO write
wolfSSL_BIO_write rejected negative lengths but allowed a large positive
length through to wolfSSL_BIO_MEMORY_write. On a fresh buffer an INT_MAX
length overflowed the 4/3 buffer growth calculation, so the grow reported
success with a short allocation and the following copy read far past the
small source buffer.

Add an upper bound check that rejects lengths large enough to overflow the
growth math before any allocation or copy, and add a regression test that
drives a huge length through the public BIO_write entry point.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 7562ae5e37 F-6427 - Reject RC2 cipher ops when no key is set
The RC2 encrypt and decrypt operations used the expanded key schedule
without checking that a key had ever been configured. On a zeroed or
otherwise unkeyed context the ECB ops ran over an all-zero schedule and
returned success, and the CBC wrappers inherited the same behavior, so
a caller who skipped wc_Rc2SetKey received ciphertext under an
unintended key with no error signalled.

Guard wc_Rc2EcbEncrypt and wc_Rc2EcbDecrypt on a zero keylen and return
MISSING_KEY when no key has been set. The CBC wrappers call these and
propagate the error. Mirrors the existing 3DES keySet guard.

Add a regression test covering the unkeyed path for all four ops.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 5cf136d15a F-6426 - Reject Camellia cipher ops when no key is set
The Camellia encrypt and decrypt operations used the key schedule
without checking that a key had ever been configured. A zeroed or
otherwise unkeyed context has a keySz that does not match 128, 192,
or 256, so the underlying block transform hit the default no-op case
and CBC emitted an easily reversible XOR chain while still returning
success. A caller who forgot wc_CamelliaSetKey received a success
code with effectively unencrypted output.

Add a key-state check that accepts only valid Camellia key sizes and
have wc_CamelliaEncryptDirect, wc_CamelliaDecryptDirect,
wc_CamelliaCbcEncrypt, and wc_CamelliaCbcDecrypt return MISSING_KEY
when no key has been set. Mirrors the existing 3DES keySet guard.

Add a regression test covering the unkeyed and garbage key-size paths.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 4de819075f Merge pull request #10835 from yosuke-wolfssl/fix/cert
certs: re-sign orphaned rsapss/mldsa leaves and add chain guard
2026-07-02 11:34:59 +02:00
Yosuke Shimizu b87edc2040 certs: re-sign orphaned rsapss/mldsa leaves and add chain guard 2026-07-02 10:34:06 +09:00
Daniel Pouzzner 076dc5a206 Merge pull request #10773 from rlm2002/coverity
24062026 Coverity fixes
2026-07-01 17:59:19 -05:00
Daniel Pouzzner fd3b489ea5 Merge pull request #10787 from stenslae/update-wolfssl-email
Updated email to facts@wolfssl.com
2026-07-01 17:52:20 -05:00
Daniel Pouzzner 7dd269fc52 Merge pull request #10793 from embhorn/gh10790
Restore error code from DecodeGeneralName
2026-07-01 17:49:37 -05:00
Daniel Pouzzner beca44b2fb Merge pull request #10795 from embhorn/gh10791
Fix to send record_overflow alert
2026-07-01 17:45:43 -05:00
Daniel Pouzzner 22b552c668 Merge pull request #10809 from aidangarske/fenrir-6558-nameconstraints-minmax
Reject name constraint subtree with non-zero minimum or maximum
2026-07-01 17:38:28 -05:00
Daniel Pouzzner fed8d6a57e Merge pull request #10814 from kojiws/fix_ecc_31bytes_on_test
Fix ECC buffer test by correcting message length
2026-07-01 17:35:47 -05:00
Daniel Pouzzner 0703dc9c6e Merge pull request #10815 from SparkiDev/tls13_test_cv_sig_alg
TLSv1.3 test: CertificateVerify signature algorithm test
2026-07-01 17:27:48 -05:00
Daniel Pouzzner 7afcc3eef6 Merge pull request #10687 from rlm2002/zd-NameConstraints
Name Constraints cert chain walk
2026-07-01 17:24:52 -05:00
Daniel Pouzzner 9f48aef47f Merge pull request #10638 from rizlik/nc_uri_trailing_dot
NameConstraints fixes
2026-07-01 17:14:08 -05:00
Daniel Pouzzner d733f203fa Merge pull request #10663 from rizlik/pubkey_ecc_operation_cb
Introduce ECC Make PUB and ECC Check Pub crypto callbacks
2026-07-01 16:53:24 -05:00
Daniel Pouzzner fb54c0a56e Merge pull request #10734 from philljj/bsdkm_fixes
bsdkm: fenrir and misc cleanup.
2026-07-01 16:48:29 -05:00
Daniel Pouzzner 5a9a49d5d5 Merge pull request #10730 from rizlik/dtlsv13_interop
dtlsv13: fix: send correct CH2 when server do not send HRR
2026-07-01 16:40:29 -05:00
Daniel Pouzzner 64a0f384a4 Merge pull request #10780 from holtrop-wolfssl/rust-rename-dilithium-mldsa
Rust wrapper: rename dilithium to mldsa
2026-07-01 16:30:28 -05:00
Daniel Pouzzner 36437417b6 Merge pull request #10703 from holtrop-wolfssl/rust-validate-prefix-env-var
Rust wrapper: validate WOLFSSL_PREFIX in build.rs
2026-07-01 16:29:36 -05:00
Daniel Pouzzner a66b87b926 Merge pull request #10645 from holtrop-wolfssl/rust-ed-verify-result-codes
Rust wrapper: fix signature incorrect return value from Ed448 and Ed25519 verify functions.
2026-07-01 16:28:44 -05:00
David Garske c9e4b13be4 Merge pull request #10829 from douzzer/20260630-various-fixes
20260630-various-fixes
2026-07-01 14:28:27 -07:00
Daniel Pouzzner 323027d1d2 Merge pull request #10820 from lealem47/dh_min_sz
FIPS: Default to 2048 bit min DH crypto
2026-07-01 14:40:04 -05:00
Daniel Pouzzner ed4fb32c92 fixes from Fenrir review:
linuxkm/linuxkm_wc_port.h: strcpy() takes 2 args.

wolfcrypt/src/aes.c: add VECTOR_REGISTERS_PUSH2() and use it to free tmp in smallstack path if the push fails.
2026-07-01 13:46:11 -05:00
Josh Holtrop 1e73f8e387 0 memset kop in devcrypto_x25519 before use 2026-07-01 11:35:55 -07:00
Daniel Pouzzner 8b29a95da4 * add WC_MAYBE_UNUSED attribute to AesEcbEncryptBlocks(), AesEcbDecryptBlocks(),
AesCbcEncryptBlocks(), AesCbcDecryptBlocks(), and AesCtrEncryptBlocks(), to
  fix -Wunused-functions in default build with --enable-aesni under clang.

* in AesCfbDecrypt_C(), add smallstack implementation for fast inner loop on
  intelasm/armasm.
2026-07-01 12:54:35 -05:00
Daniel Pouzzner bb7b4ccc77 wolfcrypt/src/port/kcapi/kcapi_aes.c: add backward-compat code paths for authTagSz validation on old FIPS. 2026-07-01 12:48:02 -05:00
Daniel Pouzzner 41daf899b3 linuxkm/linuxkm_wc_port.h:
* when including kernel headers with gcc-17+, ignore -Wconstant-logical-operand.

* when CONFIG_KMSAN, explicitly map memcpy(), memset(), memmove(), strcpy(),
  strncpy(), and strncat(), to clang builtins, to get proper __msan
  interception.

* genericize WC_SANITIZE_DISABLE() and WC_SANITIZE_ENABLE() to cover both KASAN
  and KMSAN, and use the generic macros in wc_linuxkm_stack_hwm_prepare() and
  wc_linuxkm_stack_hwm_measure_rel().
2026-07-01 12:35:21 -05:00
JacobBarthelmeh 64a4c7a7ae Merge pull request #10750 from night1rider/SHAKE-Callbacks
SHAKE 128/256 callback wiring and tests, along with fix to devCTX initialization
2026-07-01 10:53:57 -06:00
Lealem Amedie f15681a6c1 Remove 9-bit prime generation testing, disallowed with DH_MIN_SIZE 2026-07-01 08:26:23 -06:00
Lealem Amedie 53fe0b3fc1 Adjust test.c for dh_min_sz 2026-07-01 08:26:23 -06:00
Lealem Amedie d6a8e387c8 Fix syntax issue 2026-07-01 08:26:23 -06:00
Lealem Amedie 277bd66624 FIPS: Default to 2048 bit min DH crypto 2026-07-01 08:26:23 -06:00
Tobias Frauenschläger 9e71da21ac Merge pull request #10751 from aidangarske/tinytls13
Add --enable-tinytls13 TLS 1.3-only footprint profile.

Merging with PRB-master-job failing. Failures are unrelated to this PR.
2026-07-01 15:21:04 +02:00
Kaleb Himes 6dae0c9dd4 Merge pull request #10818 from dgarske/dh_checkprivkey_prime
DH: honor explicit prime in wc_DhCheckPrivKey_ex (Fenrir F5317)
2026-07-01 05:34:47 -06:00
Koji Takeda b98e43eeca Fix wrong length on test message 2026-07-01 11:06:09 +09:00
philljj 3fa342a76c Merge pull request #10812 from douzzer/20260629-linuxkm-fixes
20260629-linuxkm-fixes
2026-06-30 13:36:04 -05:00
philljj b5636ffaf9 Merge pull request #10696 from douzzer/20260615-linuxkm-fixes
20260615-linuxkm-fixes
2026-06-30 12:00:25 -05:00
Daniel Pouzzner 8820b810f2 Merge pull request #10725 from SparkiDev/aes_x25519_arm32_thumb2_fixes
ARM32/Thumb2: generated asm fixes
2026-06-30 10:47:03 -05:00
David Garske 07b677edba Merge pull request #10744 from SparkiDev/arm64_asm_opt
ARM64 ASM: optimizations
2026-06-30 08:42:23 -07:00
David Garske 5fa08e767b DH: honor explicit prime in wc_DhCheckPrivKey_ex (Fenrir F5317) 2026-06-30 07:49:00 -07:00
David Garske 8d63afab99 Merge pull request #10767 from SparkiDev/ppc64_ppc32_asm_1
PPC64/PPC32 ASM: AES, SHA-2, SHA-3
2026-06-30 07:13:35 -07:00
Sean Parkinson 95e798e897 TLSv1.3 test: CertificateVerify signature algorithm test
F-2917
Added test for signature algorithms sent not matching available.
2026-06-30 15:51:51 +10:00
Daniel Pouzzner 2af2a2967f fix F-3085 "Base64_Decode silently returns success with outLen=0 when input is a 1-3 byte truncated base64 fragment, violating decode(encode(x)) roundtrip for inputs producing 2-3 base64 chars without padding"
wolfcrypt/src/coding.c: in Base64_Decode() and Base64_Decode_nonCT(), check for non-whitespace characters past the end and return ASN_INPUT_E if found;

wolfcrypt/test/test.c: in base64_test(), remove ';' from goodChar[], and add trailing*[] test strings and N_BYTE_TRAILING_TEST(), for positive and negative testing of new checks.
2026-06-29 23:48:36 -05:00
Daniel Pouzzner 6560777d05 linuxkm/linuxkm_wc_port.h: fix F-6395 "WC_LINUXKM_ROUND_UP_P_OF_2(1) invokes undefined behavior via __builtin_clzl(0)".
linuxkm/lkcapi_rsa_glue.c: fix F-6120 "RSA PKCS#1 verify paths omit the digest-encode bounds check present in the sign paths (potential heap overflow with sub-default RSA key sizes)".
2026-06-29 19:09:20 -05:00
Daniel Pouzzner 155e5822a7 wolfssl/wolfcrypt/settings.h: move ML-KEM/ML-DSA/SLH-DSA inhibition of
DEBUG_VECTOR_REGISTER_ACCESS_FUZZING from the WOLFSSL_LINUXKM section to top
  level (the exceptions are generally applicable, and needed for user-mode SVR
  fuzzing).  also add a DEBUG_FORCE_VECTOR_REGISTER_ACCESS_FUZZING flag.
2026-06-29 19:06:13 -05:00
aidan garske 2124a1075f F-6558 - Reject name constraint subtree with non-zero minimum or maximum 2026-06-29 16:10:15 -07:00
Sean Parkinson 3e99430671 PPC64/PPC32 ASM: AES, SHA-2, SHA-3
PPC64:
  - Added AES-ECB/CBC/CTR/GCM/XTS using crypto instructions
  - Added SHA-256/512 using base scalar and crypto instructions
  - Added SHA-3 using base scalar and POWER8 VSX
  - Added SHA-3 x2/x3 but disabled compilation.
  - Added CPU id flags.
  - Changed the constant data format to be consistent with other platforms.
PPC32:
  - Added AES-ECB/CBC/CTR/GCM/XTS using base scalar
  - Added SHA-256/512 using base scalar
  - Added SHA-3 using base scalar
2026-06-30 08:52:45 +10:00
aidan garske fef29abf0e certs: regenerate ecc-leaf-mldsa44 and ecc-leaf-rsapss from renew scripts 2026-06-29 13:46:14 -07:00