Commit Graph

27823 Commits

Author SHA1 Message Date
JacobBarthelmeh ee616b4774 Merge pull request #9828 from rizlik/sigalgofix
tls13: don't create a new suite in CertificateRequest, fallback to WOLFSSL_SUITES(sa->ssl)
2026-02-25 14:08:09 -07:00
JacobBarthelmeh b5b7dc89ac Merge pull request #9819 from holtrop-wolfssl/rust-ml-dsa
Rust wrapper: add dilithium module
2026-02-25 10:18:03 -07:00
JacobBarthelmeh b63f878300 Merge pull request #9742 from sameehj/pkcs7-rsa-pss
pkcs7: add RSA-PSS support for SignedData
2026-02-25 09:55:00 -07:00
Daniel Pouzzner c962b8cd8f Merge pull request #9832 from JacobBarthelmeh/arduino
reduce arduino coverage to avoid tests failing from external changes
2026-02-25 10:11:23 -06:00
Marco Oliverio 20eeba3d89 test: tls13: add wolfSSL_set1_sigalgs_list test 2026-02-25 12:10:48 +01:00
Sameeh Jubran deb668ca4b pkcs7: add RSA-PSS support for SignedData
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData
encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use
id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1,
salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates
(e.g. -173 invalid signature algorithm) and maintains backward
compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-25 11:02:47 +02:00
JacobBarthelmeh 3f3bf7501c reduce arduino coverage to avoid tests failing from external changes 2026-02-24 16:35:10 -07:00
JacobBarthelmeh 47033c4b3e Merge pull request #9826 from Frauschi/declaration-after-statement
Wdeclaration-after-statement fixes
2026-02-24 16:14:00 -07:00
Josh Holtrop 7af0fa497a Rust wrapper: update dilithium module after review 2026-02-24 14:23:59 -05:00
Marco Oliverio d72fcb1d27 tls13: avoid creating a new suite in CertificateRequest
This way the ssl object honours the HasSigAlgo list set by
wolfSSL_set1_sigalgs_list.
2026-02-24 18:02:26 +01:00
Tobias Frauenschläger 96fc896265 Wdeclaration-after-statement fixes 2026-02-24 16:20:10 +01:00
Kaleb Himes a08efc9b0a Merge pull request #9821 from douzzer/20260223-fix2-configure-kernel-mode-defaults
20260223-fix2-configure-kernel-mode-defaults
2026-02-23 16:33:03 -07:00
Daniel Pouzzner 1270733838 configure.ac: fix typo, $enabled_rng for $enable_rng, in KERNEL_MODE_DEFAULTS setup added in a21dad9555. 2026-02-23 16:05:24 -06:00
Kaleb Himes 9b10357e78 Merge pull request #9820 from douzzer/20260223-fix-configure-kernel-mode-defaults
20260223-fix-configure-kernel-mode-defaults
2026-02-23 14:46:45 -07:00
JacobBarthelmeh 505d170631 Merge pull request #9812 from rlm2002/coverity
02202026 Coverity changes
2026-02-23 14:42:48 -07:00
David Garske c3bc68806c Merge pull request #9811 from julek-wolfssl/ntp-4.2.8p18
Add changes for ntp 4.2.8p18
2026-02-23 10:46:11 -08:00
Daniel Pouzzner a21dad9555 configure.ac: fixes for 47dd864f32 (#9815) -- in KERNEL_MODE_DEFAULTS setup, add additional conditions for automatic activation of AES modes and CMAC, ECC options, and SHAKE, to avoid configuration conflicts in barebones configurations. 2026-02-23 12:31:37 -06:00
Josh Holtrop 504617bbe9 Rust wrapper: add dilithium module 2026-02-23 10:54:21 -05:00
Kaleb Himes 9ed2f4bad1 Merge pull request #9815 from douzzer/20260221-configure-kernel-mode-defaults
20260221-configure-kernel-mode-defaults
2026-02-22 11:19:07 -07:00
Daniel Pouzzner 47dd864f32 configure.ac:
* add a kernel-appropriate subset of enable-all-crypto to enable whenever KERNEL_MODE_DEFAULTS (almost all of these overlap with FIPS v5/v6 settings);
* move ocspstapling features from enable-all-crypto to enable-all.
2026-02-21 15:09:30 -06:00
David Garske f9572880bf Merge pull request #9813 from embhorn/tlsanvil-fixes
Extend timeout for tls13-client
2026-02-21 12:13:27 -08:00
Kaleb Himes f60beb6c7c Merge pull request #9814 from douzzer/20260221-configure-all-crypto-fpecc
20260221-configure-all-crypto-fpecc
2026-02-21 11:16:19 -07:00
Daniel Pouzzner ff7bc11774 configure.ac: restore fpecc to enable-all-crypto, accidentally removed in f376ae210e. 2026-02-21 10:48:14 -06:00
philljj 1a0549fe5a Merge pull request #9800 from douzzer/20260204-linuxkm-fips-hash
20260204-linuxkm-fips-hash
2026-02-20 18:39:25 -06:00
Ruby Martin d85387b84c set s = NULL to prevent use object after free error 2026-02-20 15:44:47 -07:00
Ruby Martin c17217ce31 add null check in test_wolfSSL_X509_CRL_sign_large()
init revoked
2026-02-20 15:44:45 -07:00
Eric Blankenhorn 4f8fc76d9d Extend timeout for tls13-client 2026-02-20 16:35:52 -06:00
Daniel Pouzzner 9ca32e23d4 linuxkm/linuxkm-fips-hash.c: cosmetic bikeshedding (AI-prompted);
linuxkm/linuxkm_memory.c and linuxkm/linuxkm_memory.h: set up and use WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ.
2026-02-20 15:45:27 -06:00
Daniel Pouzzner 10ba02fe40 linuxkm/lkcapi_sha_glue.c: add -wolfentropy and/or -rdseed to WOLFKM_STDRNG_DRIVER to advertise the seed source. 2026-02-20 15:44:54 -06:00
Ruby Martin 00c773e1b5 remove dead code in MakeSignature() 2026-02-20 14:38:12 -07:00
David Garske 9641ab4b68 Merge pull request #9805 from julek-wolfssl/openldap-2.6.9-testing
Add openldap 2.6.9 testing
2026-02-20 11:16:44 -08:00
David Garske 1e544b303f Merge pull request #9810 from julek-wolfssl/rng-tools-6.17
Add rng-tools 6.17 testing
2026-02-20 11:16:18 -08:00
David Garske 670aa59dee Merge pull request #9809 from holtrop-wolfssl/cmake-null-cipher
Add CMake support for NULL_CIPHER
2026-02-20 10:59:17 -08:00
David Garske e34e679766 Merge pull request #9804 from embhorn/tls-anvil-workflow
TLS Anvil workflow
2026-02-20 10:59:05 -08:00
David Garske 940ac7093f Merge pull request #9808 from holtrop-wolfssl/rust-no-std
Rust wrapper: fix no_std support
2026-02-20 10:55:01 -08:00
Juliusz Sosinowicz a9f23ad140 Add changes for ntp 4.2.8p18
Depends on https://github.com/wolfSSL/osp/pull/319
2026-02-20 19:06:55 +01:00
Daniel Pouzzner f84377ed69 linuxkm/linuxkm-fips-hash-wrapper.sh: make sure awk is gawk. 2026-02-20 11:35:47 -06:00
Daniel Pouzzner 70aa3dc5b1 20260204-linuxkm-fips-hash: more fixes+improvements from peer and AI review:
linuxkm/linuxkm_memory.c:
* fix straddle check in wc_reloc_normalize_text();
* fix seg_map bounds checks in wc_fips_generate_hash();

linuxkm/linuxkm_memory.h: fix initializer for wc_reloc_table_segments.bss_end;

wolfssl/wolfcrypt/settings.h: add WC_BITS_TO_BYTES() and WC_BITS_FULL_BYTES() and deploy opportunistically to wolfssl/internal.h, wolfssl/wolfcrypt/{asn.h,dh.h,rsa.h,types.h}, wolfcrypt/src/sakke.c, and wolfcrypt/test/test.c.
2026-02-20 11:09:37 -06:00
Daniel Pouzzner 9443f59db1 linuxkm/linuxkm-fips-hash.c: fix overlong lines;
.wolfssl_known_macro_extras: fix lexical order.
2026-02-20 11:09:37 -06:00
Daniel Pouzzner db7a04a626 improvements spurred by peer review for 20260204-linuxkm-fips-hash:
configure.ac: add --enable-kernel-verbose-debug and --enable-kernel-stack-debug;

linuxkm/Makefile:
* add QFLAG and VFLAG setup, and pass their values appropriately;
* add missing `@set -e` and `-Wall -Wextra` to the linuxkm-fips-hash recipe;
* use +$(MAKE), not @$(MAKE), for proper dry run recursion.

linuxkm/README.md: update to reflect new goodies, and generally revise+extend remarks.

linuxkm/linuxkm-fips-hash-wrapper.sh: add copyright header; pass through extra caller arguments to ./linuxkm-fips-hash.

linuxkm/linuxkm-fips-hash.c:
* add copyright header;
* fix code around user_coreKey;
* add explicit wolfCrypt_Cleanup() and cleanup of mod_fd and mod_map at end;
* remove unused reloc_tab_len;
* fix a couple -Wsign-compares;
* add missing fprintf arguments;
* properly set ret = -1 in a couple failure paths.

linuxkm/linuxkm_wc_port.h: set WOLFSSL_LINUXKM_VERBOSE_DEBUG when WOLFSSL_KERNEL_VERBOSE_DEBUG, and recognize WOLFSSL_KERNEL_STACK_DEBUG as a synonym for WC_LINUXKM_STACK_DEBUG.

linuxkm/linuxkm_memory.c and linuxkm/linuxkm_memory.h: add brief explanatory comments.
2026-02-20 11:09:37 -06:00
Daniel Pouzzner f376ae210e Implement Linux kernel module offline integrity hash calculation:
Add:

* linuxkm/linuxkm-fips-hash.c
* linuxkm/linuxkm-fips-hash-wrapper.sh
* linuxkm/linuxkm_memory.h

Move from linuxkm/module_hooks.c to linuxkm/linuxkm_memory.c:
* reloc_layouts[]
* find_reloc_tab_offset()
* the body of wc_linuxkm_normalize_relocations() as wc_reloc_normalize_text()
* most of updateFipsHash() as wc_fips_generate_hash()

Move from linuxkm/linuxkm_wc_port.h to linuxkm/linuxkm_memory.h:
* struct wc_linuxkm_pie_reloc_tab_ent
* enum wc_reloc_dest_segment
* enum wc_reloc_type

linuxkm/Makefile:
* Update GENERATE_RELOC_TAB recipe to populate new fields in struct wc_reloc_table_ent.
* Add targets:
  * libwolfssl-user-build/src/.libs/libwolfssl.so
  * linuxkm-fips-hash
  * module-with-matching-fips-hash
  * module-with-matching-fips-hash-no-sign
* Add support for alternate target module name, via LIBWOLFSSL_NAME make variable.

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:
* Fixes to make linuxkm-pie work with CONFIG_KASAN.
* Implement WC_LINUXKM_STACK_DEBUG:
  * wc_linuxkm_stack_bottom()
  * wc_linuxkm_stack_top()
  * wc_linuxkm_stack_current()
  * wc_linuxkm_stack_left()
  * wc_linuxkm_stack_hwm_prepare()
  * wc_linuxkm_stack_hwm_measure_rel()
  * wc_linuxkm_stack_hwm_measure_total()

wolfssl/wolfcrypt/settings.h:
* When WOLFSSL_KERNEL_MODE, make sure WOLFSSL_GENERAL_ALIGNMENT is at least SIZEOF_LONG.
* When WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE, make sure WOLFSSL_BASE16 is defined.

configure.ac and wolfcrypt/benchmark/benchmark.c: Disable scrypt when KERNEL_MODE_DEFAULTS, due to excessive memory requirements.
2026-02-20 11:09:37 -06:00
Juliusz Sosinowicz ec5a901c33 Add rng-tools 6.17 testing
Depends on https://github.com/wolfSSL/osp/pull/318
2026-02-20 16:11:11 +01:00
Andrew Hutchings 0c19fb17d6 Merge pull request #9745 from dgarske/stm32_hmac
Support for STM32 HMAC hardware
2026-02-20 14:30:31 +00:00
Josh Holtrop 616f1eec75 Add CMake support for NULL_CIPHER 2026-02-20 07:50:36 -05:00
Josh Holtrop 3da3e12edc Rust wrapper: fix no_std support
Generate bindgen API with core instead of std
Replace C types using std:: with core::
Replace std::mem usage with core::mem
2026-02-20 07:10:01 -05:00
David Garske 9e5d03b23e Merge pull request #9803 from holtrop-wolfssl/rust-fips-v5
Rust wrapper: add compatibility with older FIPS v5 package
2026-02-19 13:40:21 -08:00
Eric Blankenhorn c2b5f29d5c Replace em dashes with hyphens in tls-anvil workflow
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 14:16:29 -06:00
Juliusz Sosinowicz 77dcf3587e Add openldap 2.6.9 testing
Depends on https://github.com/wolfSSL/osp/pull/315
2026-02-19 19:18:34 +01:00
Josh Holtrop 2ada1a3629 Rust wrapper: add compatibility with older FIPS v5 package 2026-02-19 12:50:05 -05:00
David Garske 41614d10ed Add STM32 hardware HMAC support 2026-02-19 09:11:02 -08:00