.github/workflows/pq-all.yml: for the --enable-sp-math scenario, --disable-quic (QUIC unit tests fail on that combo);
wolfcrypt/test/test.c: add WC_MAYBE_UNUSED to ecdsa_test_deterministic_k_rs(), to fix armel sp-math build.
Add SRAM PUF (Physically Unclonable Function) support to wolfCrypt. Derives device-unique cryptographic keys from the power-on state of SRAM memory using a BCH(127,64,t=10) fuzzy extractor with HKDF key derivation.
- **wolfCrypt PUF API** (`wolfcrypt/src/puf.c`, `wolfssl/wolfcrypt/puf.h`)
- `wc_PufInit`, `wc_PufReadSram`, `wc_PufEnroll`, `wc_PufReconstruct`
- `wc_PufDeriveKey` (HKDF-SHA256), `wc_PufGetIdentity` (SHA-256 device fingerprint)
- `wc_PufZeroize` (secure context cleanup)
- `wc_PufSetTestData` (synthetic SRAM for testing without hardware)
- **BCH(127,64,t=10) error-correcting codec** - corrects up to 10 bit flips per 127-bit codeword across 16 codewords
- **`WC_PUF_SHA3` build option** - select SHA3-256 instead of SHA-256 for identity hash and HKDF (default: SHA-256)
- **Precomputed GF(2^7) tables** - `const` arrays in `.rodata` (no runtime init, thread-safe, flash-resident on embedded)
- `./configure --enable-puf` (auto-enables HKDF dependency)
- CMake: `WOLFSSL_PUF=yes`
- `WOLFSSL_USER_SETTINGS`: define `WOLFSSL_PUF` and `WOLFSSL_PUF_SRAM`
- See wolfssl-examples/puf for example implementation on STM32 NUCLEO-H563ZI (Cortex-M33, STM32H563ZI)
- Supports test mode (synthetic SRAM)
- Builds to ~13KB `.elf`
- Tested on NUCLEO-H563ZI: enrollment, noisy reconstruction, key derivation all pass
- `.github/workflows/puf.yml`: host build + test workflow for PUF feature
- Doxygen API docs for all 8 public functions
- PUF group added to `doxygen_groups.h`
Follow-up to #7731 ("Changes needed for default TLS support in zephyr
kernel"). Zephyr 4.3's TLS socket integration uses three additional
wolfSSL features that were not needed by the 3.7 integration, plus an
extension to the native_sim time-source gates introduced in #7731.
native_sim timer gates (src/internal.c, wolfcrypt/src/wc_port.c):
Extend the !CONFIG_BOARD_NATIVE_POSIX gate in LowResTimer() and the
CONFIG_BOARD_NATIVE_POSIX RTC path in z_time() to also cover
CONFIG_BOARD_NATIVE_SIM. Zephyr 4.3 renamed the simulator board from
native_posix to native_sim; without this, k_cpu_idle() on native_sim
advances simulated time during DTLS retransmit loops and the RTC path
falls through to uptime-since-boot. Behavior on native_posix is
unchanged.
New Kconfig options (zephyr/Kconfig, zephyr/user_settings.h):
CONFIG_WOLFSSL_SESSION_EXPORT -> HAVE_EXT_CACHE
Required by consumers that serialize TLS session state across
connections via wolfSSL_i2d_SSL_SESSION / wolfSSL_d2i_SSL_SESSION.
CONFIG_WOLFSSL_KEEP_PEER_CERT -> KEEP_PEER_CERT
Retain the peer certificate after handshake so the application
layer can inspect it via wolfSSL_get_peer_certificate.
CONFIG_WOLFSSL_ALWAYS_VERIFY_CB -> WOLFSSL_ALWAYS_VERIFY_CB
Invoke an application-set verify callback on successful chain
validation in addition to validation failures.
All three are default-off; customers opt in the same way they do for
the existing CONFIG_WOLFSSL_DTLS / ALPN / PSK feature options.
.wolfssl_known_macro_extras: register HAVE_EXT_CACHE.
Two follow-ups raised by Copilot review on PR #10247:
src/pk_rsa.c: Make derAllocSz a word32 instead of int and only assign
it after a successful XMALLOC, so the cleanup path can never call
ForceZero with a wrapped-around size derived from a negative derSz.
src/pk.c: Capture allocSz at the XMALLOC call site (and clear it back
to 0 on allocation failure) so the relationship between the buffer
allocation and the recorded size is explicit and cannot drift if the
surrounding control flow changes.
When WOLF_CRYPTO_CB_AES_SETKEY is enabled and a CryptoCB callback
imports the AES key into a Secure Element (aes->devCtx != NULL), the
TLS-layer copy in keys->{client,server}_write_key has no further
consumer: the software key schedule is not populated on offload.
ForceZero it in SetKeysSide() per provisioned side.
The static IVs (keys->{client,server}_write_IV and
keys->aead_{enc,dec}_imp_IV) are left intact because BuildTls13Nonce()
reads aead_{enc,dec}_imp_IV on every record (RFC 8446 Section 5.3).
Scope: TLS 1.3, non-DTLS, non-QUIC. DTLS 1.3 needs the write keys
in Dtls13EpochCopyKeys; TLS 1.2 needs them for rehandshake; QUIC is
untouched pending audit.
Add two memio tests (test_wc_CryptoCb_Tls13_Key_{Zero_After_Offload,
No_Zero_Without_Offload}) that pin AES-GCM and check key / IV state
after the handshake and a KeyUpdate round.
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
F-2148
The prior fix zeroed the computed DER staging area, but PEM output from
wc_DerToPemEx fills most of the buffer and overlaps that region,
corrupting the valid PEM. Preserve the allocation size and zero only
the bytes beyond the actual PEM length, or the whole buffer on failure.
F-2148
pem_write_mem_pkcs8privatekey stages the PKCS#8 DER encoded private key
at the tail of the PEM buffer, then writes the shorter PEM output at
the head of the same buffer. The DER tail is not overwritten, leaking
the plaintext private key to heap memory after the callers free. Zero
the DER staging area before returning.
F-2147
The error path in wolfSSL_i2d_ECPrivateKey could free an EC private key
DER staging buffer that may contain a partial private scalar. Zeroize
before XFREE.
F-2146
wolfSSL_d2i_RSAPrivateKey_bio read PKCS#1-encoded RSA private key DER
from a BIO into a heap buffer and freed it without ForceZero. Zeroize
before XFREE on both success and error paths.
F-2145
wolfSSL_CTX_use_RSAPrivateKey staged the RSA private key DER (PKCS#1:
n, e, d, p, q, dP, dQ, qInv) in a heap buffer and freed it without
ForceZero. Zeroize before XFREE.
F-2144
SetStaticEphemeralKey loaded a private key file into keyBuf and freed it
without ForceZero. Static ephemeral keys are long-lived, so zeroize the
buffer before XFREE.
F-2143
ssl_SetWatchKey_file loaded a private key file into a heap buffer and
freed it without ForceZero on both error and success paths. Zeroize
before XFREE.
F-2142
wolfSSL_RSA_To_Der could free a buffer holding RSA private key material
when the DER encoding step failed. Record the allocation size and
ForceZero the buffer before XFREE on the private key path.
F-2140
wolfSSL_PEM_write_mem_DSAPrivateKey serializes the DSA private key to a
heap DER buffer and freed it on five paths without ForceZero. Zeroize
the buffer before each XFREE.
F-2139
Previously the plaintext private key DER buffer was freed via XFREE
without a preceding ForceZero when no password encryption was requested.
Track the actual allocation size and zeroize the buffer before release.
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.
Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.