jackctj117
ee744b1f0b
Allow serial number 0 for root CA certificates
2026-05-05 13:44:47 -06:00
David Garske
c73f431687
Merge pull request #10392 from JeremiahM37/fenrir-5
...
wolfCrypt input validation and side-channel hardening
2026-05-05 12:24:17 -07:00
Daniel Pouzzner
c1b2660a08
Merge pull request #10396 from douzzer/20260501-fips-v7-fixes
...
20260501-fips-v7-fixes -- reviewed+approved by @Frauschi
2026-05-05 14:20:49 -05:00
David Garske
b47f71678d
Merge pull request #10363 from MarkAtwood/fix/curve25519-clamp-check-rule3
...
fix: curve25519 clamp check missing rule 3 (bit 6 of byte 31) (ZD-21731)
2026-05-05 12:16:06 -07:00
David Garske
00abce3474
Merge pull request #10310 from cconlon/d2iMLDSA
...
Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey
2026-05-05 12:11:49 -07:00
David Garske
7de26312e6
Merge pull request #10378 from rlm2002/fenrir
...
Various PKCS12 Fixes
2026-05-05 12:07:17 -07:00
David Garske
3a1f51d2e6
Merge pull request #10388 from Frauschi/slh-dsa_Wconversion
...
SLH-DSA Wconversion fixes
2026-05-05 12:04:22 -07:00
David Garske
15b10454bc
Merge pull request #10340 from JeremiahM37/fenrir-3
...
harden falcon key handling
2026-05-05 11:57:41 -07:00
David Garske
c3cd71ea02
Merge pull request #9965 from kojo1/mldsa
...
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id
2026-05-05 11:57:06 -07:00
David Garske
519c08ae32
Merge pull request #10121 from JacobBarthelmeh/bench
...
use heap hints where possible in benchmark
2026-05-05 11:56:04 -07:00
David Garske
d4d1f03fef
Merge pull request #10333 from JacobBarthelmeh/oss-fuzz
...
change call to GetSigAlg in ASN original to sanity check length
2026-05-05 11:55:21 -07:00
David Garske
87536214bf
Merge pull request #10375 from LinuxJedi/STSAFEA120Sim
...
Add STSAFE A120 CI support
2026-05-05 11:53:29 -07:00
David Garske
5074cf3726
Merge pull request #10366 from embhorn/zd21744
...
Fix CUDA with WOLFSSL_AES_SMALL_TABLES
2026-05-05 11:51:01 -07:00
David Garske
5266329c9a
Merge pull request #10352 from embhorn/zd21724
...
Fix static / mem tracker build error
2026-05-05 11:48:16 -07:00
David Garske
9b1167772d
Merge pull request #10350 from LinuxJedi/ATECC608Sim
...
Add ATECC608 CI tests
2026-05-05 11:45:45 -07:00
David Garske
678ddd6c73
Merge pull request #10339 from embhorn/zd21707
...
Fix handling of otherName in ConfirmNameConstraints
2026-05-05 11:41:28 -07:00
David Garske
b0fca9df10
Merge pull request #10276 from padelsbach/asn1-time-chars-check
...
Add checks for ascii digits in time decode functions
2026-05-05 11:38:47 -07:00
David Garske
aaca0948e8
Merge pull request #10335 from julek-wolfssl/pkcs11-hmac-session
...
wolfcrypt/src/wc_pkcs11.c: cache PKCS#11 session across multi-call HMAC
2026-05-05 11:33:10 -07:00
David Garske
04984a5d5e
Merge pull request #10346 from Frauschi/ecc_leak_fix
...
Prevent ECC tmp key leak and UB
2026-05-05 11:32:48 -07:00
David Garske
7e9635df19
Merge pull request #10208 from ColtonWilley/bio-io-negative-length-checks
...
Guard against negative length in BIO, I/O callbacks and PKCS12 PBKDF
2026-05-05 11:32:21 -07:00
David Garske
d793452264
Merge pull request #10353 from julek-wolfssl/dtls-13-client-only
...
DTLS 1.3 client-only minimum: WOLFSSL_DTLS_ONLY + autoconf cascade
2026-05-05 11:24:44 -07:00
David Garske
80c9d3f048
Merge pull request #10183 from douzzer/20260409-IsValidFQDN
...
20260409-IsValidFQDN
2026-05-05 11:22:51 -07:00
David Garske
c0bc5efe31
Merge pull request #10307 from padelsbach/nxp-aes-multiblock
...
Fix AES multiblock issues for NXP DCP
2026-05-05 10:56:21 -07:00
Daniel Pouzzner
610b109241
fixes for fips#379 and related:
...
linuxkm/Makefile, linuxkm/linuxkm-fips-hash-wrapper.sh, linuxkm/linuxkm_memory.c: refactor coreKey extraction to use ELF tools rather than WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE and user_settings.h.
linuxkm/module_hooks.c: add stack measurement for wc_RunAllCast_fips().
tests/api/test_slhdsa.c: frivolous initialization to work around a false positive -Wmaybe-uninitialized in slhdsa_der_roundtrip_one().
wolfcrypt/src/wc_slhdsa.c, wolfssl/wolfcrypt/wc_slhdsa.h:
* refactor lifecycle management for SHA-2 objects to fix a leak via wc_SlhDsaKey_CheckKey().
* add support for WC_SLHDSA_NO_ASM.
* add WOLFSSL_SLHDSA_VERIFY_ONLY gates around prototypes, to get compile-time failures for misuse.
wolfcrypt/test/test.c:
* clean up myFipsCb() and restore usability of TEST_ALWAYS_RUN_TO_END with bad FIPS hash (useful test coverage).
* add wc_RunAllCast_fips() to wolfcrypt_test().
* when WOLFSSL_KERNEL_MODE or BENCH_EMBEDDED, force on WOLFSSL_SLHDSA_VERIFY_ONLY unless WOLFSSL_SLHDSA_FORCE_FULL_TESTS is defined.
wolfssl/wolfcrypt/settings.h:
* add WC_MLKEM_NO_ASM to WOLFSSL_LINUXKM section to work around asm bug.
* remove clause in WOLFSSL_KERNEL_MODE section that forced on WOLFSSL_SLHDSA_VERIFY_ONLY.
2026-05-05 11:02:13 -05:00
Jeremiah Mackey
6a1b737dae
PKCS7 PWRI decrypt: parse PBKDF2 prf
2026-05-05 04:36:16 +00:00
Jeremiah Mackey
9f79f79d86
wc_Entropy_GetRawEntropy: hold entropy_mutex
2026-05-05 04:36:16 +00:00
Jeremiah Mackey
19ff338be9
mp_cond_swap_ct: branchless masked XOR
2026-05-05 04:36:16 +00:00
David Garske
02dfd12466
Merge pull request #10376 from rlm2002/coverity
...
20260501 Coverity Fixes
2026-05-04 15:15:11 -07:00
Jeremiah Mackey
f3c3687efc
wc_hash2sz: fix SHA-224 size to 28
2026-05-04 17:18:39 +00:00
Jeremiah Mackey
cf9f852db6
validate preconditions at public API boundary
2026-05-04 17:18:39 +00:00
Chris Conlon
fe4473fbea
Add ML-DSA SPKI/PKCS#8 DER support to d2i_PUBKEY and d2i_PrivateKey.
2026-05-04 09:24:02 -06:00
Tobias Frauenschläger
bbcfa97144
SLH-DSA Wconversion fixes
2026-05-04 13:58:00 +02:00
Takashi Kojo
1a6dee2bb3
Add ML-DSA to X509_get_pubkey and EVP_PKEY_base_id
2026-05-02 08:13:08 +09:00
Takashi Kojo
4c04ba306b
fix error case in d2iTryAltDhKey
2026-05-02 08:13:08 +09:00
Daniel Pouzzner
7b5330391b
Merge pull request #10051 from anhu/mp_int_bounds
...
Add bounds checks for MP integer size in SizeASN_Items
2026-05-01 15:32:18 -05:00
Ruby Martin
3137d62cf3
fix issue where ToTraditional_ex may assign negative value to *pkeySz
2026-05-01 14:06:51 -06:00
Ruby Martin
00e1fa651f
Adds tmpSz so int is not cast to word32 in wc_d2i_PKCS12
2026-05-01 13:36:33 -06:00
Ruby Martin
001939d663
Call ForceZero on sensitive buffers
2026-05-01 13:36:33 -06:00
JacobBarthelmeh
5b4ad8690e
update function comments
2026-05-01 09:43:52 -06:00
JacobBarthelmeh
d9361e2d8c
use INVALID_DEVID in benchmark and copy over heap hint with XMSS export pub
2026-05-01 09:43:51 -06:00
JacobBarthelmeh
78564f0c78
fix XMSS heap hint use
2026-05-01 09:43:25 -06:00
JacobBarthelmeh
e5d27b61dc
use heap hints where possible in benchmark
2026-05-01 09:43:24 -06:00
Ruby Martin
c2d44b4359
Bound by curSz in PKCS12 ContentInfo parsing
2026-05-01 09:37:45 -06:00
Ruby Martin
3a799bd451
zeroize unicodePasswd before breaking
2026-05-01 09:21:04 -06:00
Tobias Frauenschläger
5151a695bc
Merge pull request #10373 from douzzer/20260430-ecc_test_vector_item-WC_MIN_DIGEST_SIZE
...
20260430-ecc_test_vector_item-WC_MIN_DIGEST_SIZE
2026-05-01 08:57:53 +02:00
Andrew Hutchings
a4b754ab5d
Add STSAFE A120 CI support
...
Adds our STSAFE A120 simulator to the CI, adds STSAFE to configure.ac
and fix missing required header.
2026-05-01 07:12:55 +01:00
Daniel Pouzzner
d8797f59c4
Merge pull request #10261 from Frauschi/slh-dsa
...
Replace liboqs SPHINCS+ with SLH-DSA in certificate layer
2026-04-30 23:52:36 -05:00
Ruby Martin
1bf33bcc0b
PKCS12 and unicode password size check improvement
2026-04-30 16:30:29 -06:00
Daniel Pouzzner
70d5d86dda
wolfcrypt/test/test.c: in ecc_test_vector_item(), don't attempt wc_ecc_verify_hash() if the test vector's message (hash) is shorter than WC_MIN_DIGEST_SIZE.
2026-04-30 17:00:40 -05:00
Ruby Martin
3ff02a7a95
Zero byte array buffer before free
2026-04-30 15:10:03 -06:00