Commit Graph

11631 Commits

Author SHA1 Message Date
Eric Blankenhorn e1a2ba3b02 Restore error code from DecodeGeneralName 2026-06-26 11:11:22 -05:00
David Garske 0cecccdf6e Merge pull request #10756 from SparkiDev/aes_asm_ymm_zmm
Intel x64 ASM: Add new assembly for AES
2026-06-25 21:41:17 -07:00
David Garske 39c0336cb1 Merge pull request #10728 from SparkiDev/intel_asm_fixup
Intel x86/x64 assembly fixes
2026-06-25 21:41:08 -07:00
David Garske 23bfe9b65e Merge pull request #10775 from SparkiDev/regression_fixes_26
Regression testing fixes: ARM/PP64 asm fixes, plus more
2026-06-25 14:47:08 -07:00
David Garske c3366597b3 Merge pull request #10707 from SparkiDev/mlkem_mldsa_unaligned
ML-KEM/ML-DSA: unaligned reads
2026-06-25 13:00:18 -07:00
twcook86 6ef3df248a Merge pull request #10598 from twcook86/hkdf_cryptocb_split
Create individual crypto callbacks for hkdf extract and hkdf expand
2026-06-25 14:58:15 -04:00
David Garske cee4b2bb47 Merge pull request #10713 from SparkiDev/curve25519_hibit_mask
X25519: standard requires masking of top bit
2026-06-25 10:34:49 -07:00
Sean Parkinson cb11e2ff28 Regression testing fixes: ARM/PP64 asm fixes, plus more
ARM64/ARM32/Thumb2:
  - Inline-asm use param names not registers.
  - Return value through first parameter and not first register
  - 32-bit values zero extended when loaded off stack
aes.c: Aligned-accedd GHASH for 32-bit CPUs.
test.c: #ifdef protection update.
sha3.h: make digest and block size constants defines for use in hash.h
sha512.h: internal Transform_Sha512* functions declared when only SHA-384.
sp_int.h: include WOLFSSL_SP_MATH_ALL in SP_INT_BITS selection
memory.c: fix printf format to be compatible with more platforms
2026-06-25 17:33:49 +10:00
Juliusz Sosinowicz dbd495dacb sha512: free SHA-512/384 W cache with its allocated memory type
With WOLFSSL_SMALL_STACK_CACHE, wc_Sha512Free and wc_Sha384Free freed the
cached W buffer as DYNAMIC_TYPE_TMP_BUFFER, but it is allocated as
DYNAMIC_TYPE_DIGEST in InitSha512_Family/InitSha384 and the Copy functions
(the in-Init error cleanup already frees it as DYNAMIC_TYPE_DIGEST).

The mismatch is flagged by the memusage test (DHE_RSA TLS1.2 reports
Errors: 2) and matters for type-bucketed static memory pools. SHA-256/224
already use DYNAMIC_TYPE_DIGEST consistently. Free W as DYNAMIC_TYPE_DIGEST.
2026-06-24 22:50:29 +00:00
Daniel Pouzzner 18c2329167 wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/wc_port.c: for 16 bit portability,
use target native int for WC_ATOMIC_INT_ARG, add user overrideability, and
  adjust WC_INIT_STATE_COUNT_BITS to depend on sizeof(WC_ATOMIC_UINT_ARG).  add
  a wc_static_assert to sanity-check WC_INIT_STATE_STATE_BITS, and use CHAR_BIT
  opportunistically in the other wc_static_assert to sanity check that CHAR_BIT
  is at least 8.
2026-06-23 11:24:51 -05:00
Sean Parkinson a342eba578 Intel x64 ASM: Add new assembly for AES
Support AES-XTS AVX512/VAES
Support AES-GCM AVX512/VAES
Support AES-ECB/CBC/CTR AVX512/VAES/AVX1/AES-NI.
Remove code from aes_asm.S/aes_asm.asm
Add CPU defines for AVX512 and VAES
Updated ASM files with new defines for AVX512.
Added support for printing out the new CPU Id flags in benchmark.
Added new files to Windows projects.
aes.c: Supports ECB/CBC/CTR in assembly. Supports calling AVX512/VAES assembly.
2026-06-23 20:54:59 +10:00
JacobBarthelmeh dd6da70d39 Merge pull request #10732 from douzzer/20260618-FORCE_FAILURE_RDSEED-fixes
20260618-FORCE_FAILURE_RDSEED-fixes
2026-06-18 15:30:54 -06:00
Daniel Pouzzner 296bfc8a83 wolfcrypt/src/random.c:
* in USE_WINDOWS_API wc_GenerateSeed(), recognize HAVE_AMD_RDSEED, and properly enforce FORCE_FAILURE_RDSEED when CPU support is missing;

* in WOLFSSL_LINUXKM wc_GenerateSeed(), initialize ret to RNG_FAILURE_E, and properly enforce FORCE_FAILURE_RDSEED when CPU support is missing;

* in WOLFSSL_BSDKM wc_GenerateSeed(), properly enforce FORCE_FAILURE_RDSEED when CPU support is missing;
2026-06-18 11:53:44 -05:00
Sean Parkinson fc946d6327 Intel x86/x64 assembly fixes
Allow x86 to build with assembly for enable all - disable assembly when x86 and not assembly code available. Add file fe_operations.c when assembly and x86.
x86: fix ECB decrypt to use corect offsets for parameters
     fix AES-NI and AVX1 assembly code
     fix sp_int with assembly to compile
     minor optimizations of AES-GCM
x64: Don't emit move instruction if source and destination are the same reg
     Use xor instead of mov 0
     minor optimizations of AES-GCM for AES-NI
2026-06-18 21:03:50 +10:00
Sean Parkinson ad85f49926 Thumb2 X25519: Fix to do full reduction
This fix when into ARM32 assembly it is now being added to Thumb2 assembly.
Full reduction to ensure the number is in range at end of work.
2026-06-18 20:34:11 +10:00
JacobBarthelmeh 633784e91b Merge pull request #10714 from Frauschi/zd21992_2
Some more fixes
2026-06-17 17:34:15 -06:00
JacobBarthelmeh 3f9ae22010 Merge pull request #10709 from douzzer/20260616-aes-fixes
20260616-aes-fixes
2026-06-17 15:58:23 -06:00
JacobBarthelmeh aec9b202c9 Merge pull request #10702 from Frauschi/zd21992
Various fixes
2026-06-17 13:22:05 -06:00
Daniel Pouzzner 881fe769a3 wolfcrypt/src/aes.c, wolfcrypt/test/test.c: use WOLFSSL_MAX_32BIT rather than magic 0xffffffff;
wolfcrypt/test/test.c: in aesgcm_stream_test(), implement tests for sSz overflow, and in aesccm_128_badarg_test(), fix line length.
2026-06-17 13:55:10 -05:00
Daniel Pouzzner 9d15bc707c wolfcrypt/src/aes.c, wolfcrypt/src/port/caam/caam_aes.c, wolfcrypt/src/port/riscv/riscv-64-aes.c, wolfcrypt/src/port/silabs/silabs_aes.c, wolfcrypt/src/port/ti/ti-aes.c: implement AES-CCM counter overflow checks for ports;
wolfcrypt/test/test.c: add missing !HAVE_SELFTEST gate around AES-CCM counter overflow test in aesccm_128_badarg_test();

wolfcrypt/src/error.c and wolfssl/wolfcrypt/error-crypt.h: update messages for AES_{GCM,CCM}_OVERFLOW_E.
2026-06-17 13:18:46 -05:00
Tobias Frauenschläger dedba75ad4 Reject duplicate certificatePolicies extension in WOLFSSL_CERT_EXT builds
DecodeExtensionType() guarded the certificatePolicies duplicate check
(VERIFY_AND_SET_OID) under WOLFSSL_SEP only, because the extCertPolicySet
tracking bit was SEP-only. In a WOLFSSL_CERT_EXT-without-WOLFSSL_SEP build a
cert with two certificatePolicies extensions was accepted and the second
silently overwrote the first (RFC 5280 4.2 forbids repeats). Make the bit and
the guard available under WOLFSSL_CERT_EXT too, matching every other
non-repeatable extension.

Add test_DecodeCertExtensions_dup_certpol (DecodeExtensionType now
WOLFSSL_TEST_VIS).
2026-06-17 19:14:21 +02:00
Daniel Pouzzner 1070384034 wolfcrypt/src/aes.c and wolfcrypt/test/test.c: fixes from review, re "catch and error on total length overflow". 2026-06-17 12:01:06 -05:00
Daniel Pouzzner 5def276e07 wolfcrypt/src/aes.c: catch and error on total length overflow in wc_AesGcmEncryptUpdate(), wc_AesGcmDecryptUpdate(), wc_AesCcmEncrypt(), and wc_AesCcmEncrypt(). 2026-06-17 12:01:06 -05:00
JacobBarthelmeh 7aed5ac316 Merge pull request #10698 from Frauschi/slhdsa_fixes
SLH-DSA fixes
2026-06-17 10:36:58 -06:00
Sean Parkinson e017e6cba7 X25519: standard requires masking of top bit
Instead of failing when top bit is set, the standard and current research says to mask it.
WOLFSSL_X25519_NO_MASK_PEER is added to allow the rejection when required.
2026-06-17 15:37:26 +10:00
Sean Parkinson bce9fdda68 ML-KEM/ML-DSA: unaligned reads
Use readUnaligned32/64 to ensure no unaligned read faults.
Updated implementations of read/write unaligned 32/64 to not worry about alignment on CPUs that are known to not care.
2026-06-17 10:30:33 +10:00
Chris Conlon 6ebc379f31 Renesas TSIP: skip XMEMCPY on MEMORY_E from tsip_StoreMessage() 2026-06-16 13:58:52 -06:00
Tobias Frauenschläger 8f55480a1d SP math: validate ECDH shared-secret output buffer against the field size
Regenerate the SP backends so the ECDH secret generators check the caller's
buffer against the number of bytes actually written. Adds a P-384/P-521
buffer-size regression test.
2026-06-16 20:56:45 +02:00
Tobias Frauenschläger 266e07e58d SLH-DSA: zeroize secret WOTS+/FORS material and fix alloc-failure paths
Zeroization:
- Add missing ForceZero on the PRF outputs and WOTS+ chain state that hold
  secret key material.
- Route the WOTS sign leaf through a temp so secret chain values never touch
  the public signature buffer.
- Add SLHDSA_SHAKE_X4_STATE_W so buffer and wipe sizes stay in sync.

Leak / alloc-failure fixes:
- Fix chain_idx_x4 returning on SAVE_VECTOR_REGISTERS2 failure without freeing
  state/fixed (memory leak, and the secret was left unzeroized); break to the
  cleanup path instead.
- Guard all function-scope wipes with WC_VAR_OK to avoid a NULL deref when an
  allocation fails under WOLFSSL_SMALL_STACK.
2026-06-16 15:48:39 +02:00
Tobias Frauenschläger d4eedf8af8 Add missing ForceZero call for ML-DSA 2026-06-15 12:07:00 +02:00
Tobias Frauenschläger e43281b2dc Add missing ForceZero calls for ML-KEM 2026-06-15 12:06:55 +02:00
David Garske f42a698c59 Merge pull request #10668 from holtrop-wolfssl/f-5394
Force-zero wc_AesSivDecrypt*() output buffer on authentication failure
2026-06-12 16:35:31 -07:00
JacobBarthelmeh 86ba8f7770 Merge pull request #10652 from SparkiDev/regression_fixes_25
Regression testing fixes - memory allocation failure testing
2026-06-12 16:30:57 -06:00
Josh Holtrop 445b8b272c Document PUBLIC_KEY_E return value for wc_ed448_export_public() in source comment 2026-06-12 15:58:27 -04:00
Josh Holtrop 8c1e3a261f Fix Ed448/25519 export private-only key unit tests for FIPS pre-v7 2026-06-12 15:58:27 -04:00
Josh Holtrop 3d517841d5 Ed448: check for public key presence on export
Return PUBLIC_KEY_E for wc_ed25519_export_key if public key is not
present.
Return PUBLIC_KEY_E for wc_ed448_export_key if public key is not
present.
Rename several inLen parameters to outLen for consistency.

Fix F-4427
2026-06-12 15:58:27 -04:00
Josh Holtrop f420c66c38 Fix aes_siv_negative_test unit test style for skoll 2026-06-12 14:46:43 -04:00
Josh Holtrop 5bc5251c3e Dynamically find AES-SIV test vector index instead of hardcoding in unit test 2026-06-12 13:50:47 -04:00
Josh Holtrop 7064eeca89 Force-zero output buffer for AES-SIV decrypt for other AES errors as well 2026-06-12 12:19:06 -04:00
David Garske 6081106ae3 Merge pull request #10647 from philljj/misc_fixes
Misc wolfcrypt fixes
2026-06-12 09:13:26 -07:00
Josh Holtrop 20571a9beb Force-zero wc_AesSivDecrypt*() output buffer on authentication failure 2026-06-12 08:07:46 -04:00
Juliusz Sosinowicz 3a6c31a51e CI: pool the per-config runner matrices into parallel make-check jobs
Replace the one-runner-per-configuration matrices across the
make-check workflow family with a generic pooled runner,
.github/scripts/parallel-make-check.py. Each workflow keeps its
configuration list as JSON next to the invocation; one runner (or a
small fixed set of shards, balanced by measured per-config minutes)
builds every config in its own out-of-tree (VPATH) build directory off
a single checkout/autogen, on a pool of one-per-CPU worker threads,
longest first. Concurrent checks are isolated with bubblewrap network
namespaces, compilations are cached with ccache, the first failure
aborts the rest (fail-fast, with --no-fail-fast to run everything),
and per-config timings plus pool efficiency land in the step summary.
Failure logs upload as artifacts. smoke-test.yml is likewise reworked
into a single pooled job that runs its nine configs on one runner.

Converted workflows (runner jobs per full pass):
  os-check.yml             101 -> 8  (92 Ubuntu configs -> 4 shards;
                           the macOS matrix, the user-settings jobs and
                           the standalone
                           macos-apple-native-cert-validation.yml fold
                           into one macOS runner; Windows unchanged)
  pq-all.yml                21 -> 2 shards
  disable-pk-algs.yml       15 -> 1
  wolfCrypt-Wconversion.yml 11 -> 1
  trackmemory.yml            7 -> 1
  cryptocb-only.yml          8 -> 1  (incl. the two new SHA512 entries)
  multi-compiler.yml         6 -> 1
  smallStackSize.yml         6 -> 1
  multi-arch.yml             6 -> 1
  async.yml                  5 -> 1
  psk.yml                    5 -> 1
  no-malloc.yml              3 -> 1
  wolfsm.yml                 3 -> 1
  opensslcoexist.yml         2 -> 1

Measured against current upstream passing runs (job execution time,
queue excluded): ~200 runner jobs / ~374 runner-minutes per full pass
become 23 jobs / ~168 runner-minutes, with more coverage than before.
multi-arch's old matrix combined an "include" list of four
architectures with an "opts" axis; GitHub's include-merge rules made
each arch entry overwrite the previous one, so only the armel
combinations actually ran. The pooled list restores the intended
aarch64/armhf/riscv64 coverage (23 combinations; riscv64 x sp-math is
omitted as invalid - configure rejects sp-math without SP, and
--enable-riscv-asm, unlike --enable-sp-asm, does not bring SP in).

Out-of-tree build fixes this depends on:
- Makefile.am: symlink the read-only test data (certs/, tests/ config
  files, sniffer captures and helpers, examples/crypto_policies,
  input, quit) into the build tree via a BUILT_SOURCES stamp, removed
  again in distclean-local. ChangeToWolfRoot() and the script tests
  resolve everything relative to the working directory, so out-of-tree
  make check and make distcheck now pass.
- scripts/multi-msg-record.py: locate the client binary from the build
  tree working directory rather than the script's source directory.
- configure.ac + wolfssl/include.am: run
  support/gen-debug-trace-error-codes.sh from $srcdir; it reads the
  error-code headers from the source tree and generates into the build
  tree.
- tests/swdev: a WOLFBUILD variable points the sub-make at the build
  tree for the configure-generated headers (wolfssl/options.h,
  wolfssl/version.h); the in-tree-only guards are dropped.

Portions of PR #10649 are incorporated: the cross-platform
ccache-setup composite action, repository_owner gates on check-headers
and check-source-text, the docs-only paths-ignore on os-check, and the
libspdm timeout bumps.
2026-06-12 09:47:13 +00:00
Tobias Frauenschläger 351b775fd4 Merge pull request #10665 from anhu/mlkem-keygen-zeroize
Zeroize some private data before releasing memory
2026-06-12 08:41:16 +02:00
jordan ab09d0c95b misc_fixes: cleanup for skoll review. 2026-06-12 00:12:45 -05:00
Daniel Pouzzner 3e390b1b29 Merge pull request #10666 from douzzer/20260611-AES-XTS-key-half-inequality
20260611-AES-XTS-key-half-inequality

approved by @dgarske and @kareem-wolfssl, final by @SparkiDev.
2026-06-11 21:55:37 -05:00
Sean Parkinson 3c34a97164 Merge pull request #10603 from aidangarske/pqc-decode-validation
PQC enforce modulus and eta range checks in DecodePrivateKey
2026-06-12 09:22:12 +10:00
Aidan Keefe 744d25fdc3 Merge pull request #10648 from aidankeefe2022/fix-Der-to-Oid-coversion
Fix EncodedDottedForm to handle when first arc is 2
2026-06-11 15:12:53 -06:00
Daniel Pouzzner 0097739dd8 fixes for F-3325:
wolfcrypt/src/aes.c: enforce AES-XTS K1!=K2 constraint in wc_AesXtsSetKeyNoInit() unless WC_AES_XTS_ALLOW_DUPLICATE_KEYS and !HAVE_FIPS:

tests/api/test_aes.c: add negative tests to test_wc_AesXtsSetKey() for K1==K2;

wolfcrypt/test/test.c: fix keys in aes_xts_128_inplace_test() and aes_xts_192_inplace_test() so that K1!=K2, update test vectors, and remove associated !HAVE_FIPS gating;

linuxkm/lkcapi_aes_glue.c: synchronize aes_xts_128_test() test of ciphertext stealing in-place with wolfcrypt/test/test.c.

wrapper/rust/wolfssl-wolfcrypt/src/aes.rs: synchronize XTS streaming test with wolfcrypt/test/test.c.

linuxkm/: refactor self-test sensing with version-gated setup in linuxkm_wc_port.h and refactored gates in lkcapi_glue.c.
2026-06-11 15:38:28 -05:00
Anthony Hu 0eea017a8b Zeroize some private data before releasing memory 2026-06-11 14:05:37 -04:00
aidan garske 514e39e2f5 test: wrap PUBLIC_KEY_E comparisons in WC_NO_ERR_TRACE for ML-KEM/ML-DSA decode tests 2026-06-11 09:35:03 -07:00