Commit Graph

29552 Commits

Author SHA1 Message Date
David Garske dfe03ff538 Merge pull request #10381 from kareem-wolfssl/zd21694
Validate DSA parameters when verifying DSA key.
2026-05-12 16:29:29 -07:00
Andrew Hutchings 90359f90e1 Add STM32 emulator from simulators repo
This tests a lot more than the Renode STM32H753 test, so this PR removes
that and adds our own emulator for STM32H753 and STM32U585. This
includes testing the v1 and v2 HAL CRYP / HASH / PKA functionality.
2026-05-12 20:17:11 +02:00
David Garske eecb8cc601 Merge pull request #10461 from SparkiDev/tls13_cipher_fuzzing
TLSv1.3 testing: add fuzz test of decryption
2026-05-12 09:26:53 -07:00
David Garske 32439c975f Merge pull request #10448 from SparkiDev/lms_fixes_1
LMS: fixes and improvements
2026-05-12 09:26:42 -07:00
David Garske 2239fc336b Merge pull request #10430 from SparkiDev/mlkem_avx2_fixes
ML-KEM: fix AVX2 assembly
2026-05-12 09:25:54 -07:00
David Garske f8bc0ce95a Merge pull request #10457 from danielinux/iotsafe-fix-tls-wrapper
IDE/iotsafe: fix memory TLS wrapper and example build
2026-05-12 09:23:28 -07:00
David Garske 15f3f7b102 Merge pull request #10439 from ejohnstown/octeon-fix
port/cavium: fix Octeon AES-GCM AAD GHASH bug
2026-05-12 09:22:10 -07:00
David Garske 3e6efbac52 Merge pull request #9567 from jackctj117/serial-0
Allow serial number 0 for root CA certificates
2026-05-12 09:19:56 -07:00
David Garske 33efd8c9b3 Merge pull request #10050 from anhu/pbkdf_max
Add upper limit to PBKDF iteration count
2026-05-12 09:10:54 -07:00
Daniel Pouzzner 7cfc9e9103 Merge pull request #10465 from Frauschi/slhdsa_pre_hash
SLH-DSA fixes
2026-05-12 10:38:49 -05:00
Sean Parkinson d7bdfd3e90 Merge pull request #10349 from rizlik/dtls13_rtx_fixes
DTLS13:  Fixes unnecessary client rtx and increase server robustness
2026-05-12 22:19:56 +10:00
Sean Parkinson 6942797cd3 Merge pull request #10301 from julek-wolfssl/openssh-10.3p1
ci: add OpenSSH 10.3p1 to CI matrix
2026-05-12 22:10:10 +10:00
Sean Parkinson f436fb858e Merge pull request #10437 from gasbytes/CertManagerLoadCABufferType_MoveXMemset
zero-initialize DecodedCert immediately after allocation in wolfSSL_CertManagerCABufferType
2026-05-12 22:08:53 +10:00
Sean Parkinson 2c4f854962 Merge pull request #10447 from mattia-moffa/20260508-blake2-long-key-fix
Fix Blake2 oversized key path
2026-05-12 22:07:16 +10:00
Sean Parkinson 443861563d Merge pull request #10453 from LinuxJedi/fix-memtrack
Fix mem_track.h compile failure on multi-threaded non-Linux builds
2026-05-12 22:01:21 +10:00
Tobias Frauenschläger bec6c0fef2 SLH-DSA fixes
Follow up to PR #10450 with some minor fixes:

* FIPS 205 numbering: slh_sign is §10.2.1 Alg 22; slh_verify is Alg 24;
  hash_slh_verify is Alg 25 (impl comments and doxygen).
* Widen wc_SlhDsaKey_SignHashWithRandom's addRnd to const byte* to
  match wc_SlhDsaKey_SignWithRandom.
* Make the SLHDSA_PHMSG_MAX_LEN invariant explicit with a named
  SLHDSA_LARGEST_APPROVED_PHM_LEN constant and a wc_static_assert.
* SHAKE128/SHAKE256 round-trip and length-rejection coverage for both
  SignHash and VerifyHash.
* Doxygen: briefs for the five DER encode/decode APIs; accurate
  decoder failure-rollback wording; tighter return-code lists for
  Verify and VerifyMsg.
* ChangeLog: silent-failure caveat for raw messages whose length
  happens to equal the digest size of the chosen hashType.
2026-05-12 13:24:24 +02:00
Sean Parkinson c1cf8ffb2e TLSv1.3 testing: add fuzz test of decryption
Fixes F-3478
Add a fuzzing test for each cipher that modifies a random byte at a
random offset of an encrypted message and checks that the reading fails
with an appropriate return and error code.
Fuzzes both sides 5 times each for each cipher suite.
2026-05-12 15:59:28 +10:00
David Garske a2b054e3b8 Merge pull request #10155 from aidangarske/fenrir-fixes-2
Add Negative Testing and Zeroization
2026-05-11 21:07:53 -07:00
Sean Parkinson 3c9423257f ML-KEM: fix AVX2 assembly
AVX2 not decompressing 5-bit values correctly.
AVX2 not comparing last 32 bytes of ciphertext.
Protect mlkemkey_get_k to only be compiled when make key is compiled in.
2026-05-12 13:32:19 +10:00
Sean Parkinson 218ddb449e Merge pull request #10394 from dgarske/sp_nonblock_rsa_dh
Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096
2026-05-12 13:25:43 +10:00
John Safranek 82b30797a1 port/cavium: fix Octeon AES-GCM AAD GHASH bug
Octeon_AesGcm_SetAAD unconditionally ran XOR0/XORMUL1 on the partial-block
buffer after the main loop, which processed an extra all-zero block when
aadSz was a non-zero multiple of 16, corrupting the GCM tag. Guard the
trailing XOR/MUL with `if (remainder > 0)`.

Issue: F-3335
2026-05-11 14:39:06 -07:00
Daniel Pouzzner 3afa9018f4 Merge pull request #10450 from Frauschi/slhdsa_pre_hash
HashSLH-DSA APIs take the pre-hashed digest, not the raw message
2026-05-11 16:29:32 -05:00
Daniel Pouzzner 717ce03614 .wolfssl_known_macro_extras: clean up unneeded and out-of-order ents. 2026-05-11 16:24:09 -05:00
Daniel Pouzzner 0470910acb wolfcrypt/test/test.c: fix unused-result warnings and unencoded result codes in pwdbased_test(). 2026-05-11 16:23:39 -05:00
Daniel Pouzzner b2a56e7947 wolfcrypt/src/pwdbased.c:
* fix typography of wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() (peer review).
* refactor overflow prevention in wc_PKCS12_PBKDF_ex() to use WC_SAFE_SUM_UNSIGNED().

wolfcrypt/test/test.c: in pwdbased_test(), omit "INT_MAX MAC iterations" test if WOLFSSL_NO_MALLOC (uses wc_PKCS12_new_ex()).
2026-05-11 15:57:23 -05:00
Daniel Pouzzner 5b687baa94 wolfcrypt/test/test.c and wolfcrypt/test/test.h:
* add correct gating around pbkdf1_test(), pkcs12_pbkdf_test(), and scrypt_test() prototypes;
* add unit tests for wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get() in pbkdf2_test();
* fix pkcs12_test() to skip the evilPkcs12 test if evil_p12 can't be parsed for any reason, mirroring the new stanza around evil_p12 in pwdbased_test().
2026-05-11 15:57:22 -05:00
Daniel Pouzzner f248b272db rename WC_PBKDF_MAX_ITERATIONS to WC_PBKDF_DEFAULT_MAX_ITERATIONS, raise it to 10000000, add wc_PBKDF_max_iterations_set() and wc_PBKDF_max_iterations_get(), and restore new negative tests in pwdbased_test(). 2026-05-11 15:57:22 -05:00
Anthony Hu c4be7f3f59 API Docs 2026-05-11 15:57:22 -05:00
Anthony Hu 03ef4562e8 Known macros 2026-05-11 15:57:22 -05:00
Anthony Hu 1cd9caca02 Line length fixup and repro in second impl. 2026-05-11 15:57:22 -05:00
Anthony Hu e0e6610503 Comment fixup. 2026-05-11 15:57:22 -05:00
Anthony Hu 79b4efb9ea Limit was too low 2026-05-11 15:57:22 -05:00
Anthony Hu 0e7a094e83 get rid of bad tests 2026-05-11 15:57:22 -05:00
Anthony Hu 421826ed18 better macro gating in tests 2026-05-11 15:57:22 -05:00
Anthony Hu 685a6fee6d simplify the tests. 2026-05-11 15:57:22 -05:00
Anthony Hu 3f6c8316c7 Add upper limit to PBKDF iteration count
Add WC_PBKDF_MAX_ITERATIONS (default 100000) to cap the iteration
count in wc_PBKDF1_ex(), wc_PBKDF2_ex(), and wc_PKCS12_PBKDF_ex().
2026-05-11 15:57:22 -05:00
Daniele Lacamera 7003f6bee2 Addressed copilot's comments 2026-05-11 20:55:25 +02:00
Daniele Lacamera 84955e457c IDE/iotsafe: fix memory TLS wrapper and example build 2026-05-11 20:31:30 +02:00
Reda Chouk 54bb2c2caf zero-initialize DecodedCert immediately after allocation in
wolfssl_certmanagerloadcabuffertype to prevent cleanup on an
uninitialized struct on the pem error path.
2026-05-11 20:12:19 +02:00
Kareem a12ccca612 Fully exclude the wc_DsaCheckPubKey function when building with NO_DSA_PUBKEY_CHECK. 2026-05-11 10:05:45 -07:00
Kareem b79870e1ba Add opt-out macro NO_DSA_PUBKEY_CHECK to allow skipping the newly added DSA public key check. 2026-05-11 10:05:45 -07:00
Kareem 367bd173d1 Reword comment to hopefully fix clang-tidy test. 2026-05-11 10:05:45 -07:00
Kareem 44d3659244 Code review feedback 2026-05-11 10:05:45 -07:00
Kareem ea67ace873 Validate DSA parameters when verifying DSA key.
Thanks to Kr0emer for the report.
2026-05-11 10:05:45 -07:00
Andrew Hutchings 7b89d82b35 Fix mem_track.h compile failure on multi-threaded non-Linux builds
The memLock mutex and #include <pthread.h> in mem_track.h were
declared under #ifdef DO_MEM_LIST (Linux/macOS/Zephyr only), but
referenced under the broader guard

    !defined(SINGLE_THREADED) && \
    (defined(DO_MEM_LIST) || defined(DO_MEM_STATS))

Since DO_MEM_STATS is defined whenever WOLFSSL_TRACK_MEMORY +
USE_WOLFSSL_MEMORY are set without WOLFSSL_STATIC_MEMORY, any
non-Linux/Mac/Zephyr multi-threaded build failed to compile with
implicit pthread_mutex_lock declarations and undeclared memLock.

Replace the raw pthread mutex with wolfSSL's portable mutex API
(wc_InitMutex / wc_LockMutex / wc_UnLockMutex / wc_FreeMutex) so
locking works on every platform wolfSSL already ports to.
InitMemoryTracker now calls wc_InitMutex before
wolfSSL_SetAllocators installs TrackMalloc, guarded by a
memLockInit flag for idempotency. CleanupMemoryTracker calls
wc_FreeMutex after restoring the default allocators so no
in-flight allocation races a freed mutex. The four mutex guards
in TrackMalloc/TrackFree and the two in InitMemoryTracker/
ShowMemoryTracker are unified on the same condition as the
memLock declaration itself.

ZD #21763
2026-05-11 16:20:35 +01:00
David Garske 01ba609f0d Merge pull request #9702 from danielinux/ta100_2025
[Microchip TA-100] Fix port + update to cryptoauthlib v3.6.0
2026-05-11 07:26:43 -07:00
Tobias Frauenschläger f16216e5b8 HashSLH-DSA APIs now take the pre-hashed digest, not the raw message
wc_SlhDsaKey_{Sign,Verify}Hash* previously accepted the raw message and
performed the pre-hash internally. They now require the caller to hash the
message first and pass the resulting digest -- the functions no longer call
wc_*Hash() themselves and feed the supplied digest directly into the M'
construction. Parameters are renamed from msg/msgSz to hash/hashSz to reflect
this, and hashSz is validated against wc_HashGetDigestSize(hashType) per
FIPS 205 Section 10.2.2 (32 for SHAKE128, 64 for SHAKE256), returning
BAD_LENGTH_E on mismatch.

This matches ML-DSA's wc_dilithium_{sign,verify}_ctx_hash, NIST ACVP
signatureInterface=external / preHash=preHash vectors, and other libraries
(OpenSSL HASH-ML-DSA, leancrypto, mldsa-native). It also enables distributed
signers and HSM-style flows where the digest is computed separately from the
signing operation.

Migration: callers must now hash the message before invoking these APIs;
passing the raw message will either fail length validation or produce
signatures over the wrong input. The M'-supplied wc_SlhDsaKey_SignMsg* /
VerifyMsg family (FIPS 205 internal interface, Algorithms 19/20) is
unchanged but gains stricter input validation and doxygen coverage.
2026-05-11 10:14:13 +02:00
Sean Parkinson 69027c2445 LMS: fixes and improvements
Remove WC_LMS_PARM_NONE as it serves no purpose.
Change sig_len from a 16-bit value to a 32-bit value in the parameters.
Added wc_LmsKey_SetParameters_ex() and wc_LmsKey_GetParameters_ex() to
handle hash algorithm.
Change mass ForceZeros to smaller amounts with XMEMSET and setting to
NULL or default valus.
Allow signing of empty message.
Other minor fixes.

Fix API tests to work when WOLFSSL_LMS_MAX_HEIGHT/WOLFSSL_LMS_MAX_LEVELS
are/is defined.
2026-05-11 16:18:12 +10:00
Mattia Moffa 5aa8e6aa2b Fix Blake2 oversized key path
- Reduce long keys in a separate state rather than reusing the state used
for the HMAC inner hash.
- Pad the rest of the buffer with zeros as required by the spec.
- Add regression tests
2026-05-11 04:56:16 +02:00
Daniel Pouzzner 9f759fa1e0 Merge pull request #10446 from kaleb-himes/quickfix
Fix private key lock issues in master
2026-05-09 09:17:53 -05:00