Commit Graph

11799 Commits

Author SHA1 Message Date
David Garske feb357db09 Merge pull request #10675 from kareem-wolfssl/f5393
Fenrir Fixes
2026-07-09 12:07:11 -07:00
Tobias Frauenschläger bc3288204e PKCS#7: add ML-DSA (FIPS 204) SignedData support
Add ML-DSA signing and verification for CMS/PKCS#7 SignedData, following
RFC 9882. ML-DSA is used in CMS "pure" mode: the signature is computed
over the complete message (the DER SET OF signed attributes, or the
eContent when none are present) with an empty context string and absent
signatureAlgorithm parameters, rather than over a pre-computed DigestInfo
as with RSA/ECDSA.

wolfcrypt/src/pkcs7.c:
- New ML-DSA helpers: wc_PKCS7_MlDsaLevelFromOID, wc_PKCS7_BuildPureSigMessage,
  wc_PKCS7_MlDsaSign and wc_PKCS7_MlDsaVerify, wired into the per-algorithm
  switch sites (GetSignSize, SignedDataGetEncAlgoId, SetPublicKeyOID,
  CheckPublicKeyDer) and the sign/verify dispatchers. Only the final FIPS 204
  ML-DSA OIDs are accepted; pre-standard draft Dilithium OIDs are not.
- GetSignSize derives the ML-DSA signature length from the parameter set.
- InitWithCert copies the signer public key into the RSA-sized publicKey buffer
  only for RSA/ECC certs (the raw-sign callback consumers); large PQC keys such
  as ML-DSA would overflow it and are never read back, so publicKeySz stays 0.
- wc_MlDsaKey is always heap allocated (it embeds multi-KB key buffers); the
  accompanying DecodedCert uses the WC_DECLARE_VAR/WC_ALLOC_VAR_EX macros for
  stack-vs-heap handling under WOLFSSL_SMALL_STACK.
- wc_PKCS7_SignedDataBuildSignature skips building the DigestInfo for ML-DSA,
  which signs the full message in pure mode and never consumes it.
- wc_PKCS7_MlDsaSign wraps the ML-DSA private-key decode in
  PRIVATE_KEY_UNLOCK/PRIVATE_KEY_LOCK. Unlike RSA/ECC, the FIPS module gates
  wc_MlDsaKey_PrivateKeyDecode behind the private-key read lock, so signing
  would otherwise fail with FIPS_PRIVATE_KEY_LOCKED_E under --enable-fips. The
  macros are no-ops in non-FIPS builds.

wolfssl/wolfcrypt/pkcs7.h:
- Document that the fixed-size signer public key buffer (publicKey/publicKeySz)
  holds only RSA/ECC keys; it stays RSA-sized.

wolfcrypt/src/hash.c:
- Map the SHAKE128/SHAKE256 OIDs to their hash types in wc_OidGetHash().

certs/mldsa:
- Add expanded-only PKCS#8 DER private keys (mldsa44/65/87-key.der) matching
  the self-signed ML-DSA certificates, with README and include.am updates.
  The expanded-only shape (no seed) decodes via wc_MlDsaKey_ImportPrivRaw
  without keygen-from-seed or the ASN template, so pkcs7signed_mldsa_test also
  passes in WOLFSSL_MLDSA_NO_MAKE_KEY and non-WOLFSSL_ASN_TEMPLATE builds.

certs/renewcerts.sh:
- Generate the mldsa<N>-key.der files from the matching mldsa<N>-key.pem in the
  expanded-only shape (openssl pkey -provparam ml-dsa.output_formats=priv), so
  a regeneration keeps the DER key in step with the cert. The OpenSSL detection
  probe now requires both ML-DSA keygen and that conversion across all three
  levels, so the block runs fully (matched cert+key) or is skipped entirely
  rather than aborting mid-way.

wolfcrypt/test/test.c:
- Add pkcs7signed_mldsa_test(): round-trip encode/verify of SignedData across
  ML-DSA-44/65/87, with and without signed attributes, including a check that
  the digest algorithm parameters are encoded as expected. The message-digest
  OID is selected from the enabled hash set (SHA-512, else SHA-256, else SHA-1)
  so the test builds when SHA-512 is disabled. A negative case confirms ML-DSA
  rejects a caller-supplied pre-computed content hash with BAD_FUNC_ARG.
2026-07-09 18:09:03 +02:00
David Garske f430d5b472 Merge pull request #10251 from MarkAtwood/fix/aes-eax-empty-plaintext
fix: AES-EAX allow empty plaintext
2026-07-09 08:24:55 -07:00
Daniel Pouzzner 5caa3565b8 Merge pull request #10858 from anhu/89compl
C89 compliance items
2026-07-09 10:14:16 -05:00
Sean Parkinson b3a9c18839 Time-Stamping Protocol testing: fix CI loop static-memory
Static-memory CI loop failed as tests were using too much memory.
Tests changed.
Name of loop change to tsp-staticmemory to make more sense.
2026-07-09 09:59:01 +10:00
Anthony Hu d52ff68832 bit of back and forth 2026-07-08 19:50:38 -04:00
Daniel Pouzzner a5dbbf80f5 Merge pull request #10864 from danielinux/riscv-port-null-checks
Riscv port bug fixes
2026-07-08 17:06:56 -05:00
David Garske fdfba83c38 Merge pull request #10788 from aidangarske/fenrir-tls-batch-2026-06
Various hardening fixes across sniffer, QUIC, PKCS#11, TLS and tooling
2026-07-08 13:58:14 -07:00
David Garske 1e6f266e47 Merge pull request #10760 from Frauschi/pkcs7-server-encode
PKCS#7 improvements
2026-07-08 13:55:52 -07:00
David Garske b4d51dbbda Merge pull request #10607 from julek-wolfssl/evp-pkey-encoded-public-key
Add EVP_PKEY encoded public key get/set compatibility functions
2026-07-08 12:20:33 -07:00
David Garske 16a2681ca4 Merge pull request #10604 from AlexLanzano/cryptocb-getdevice
Expose wc_CryptoCb_GetDevice and add CryptoCb API test coverage
2026-07-08 10:30:59 -07:00
JacobBarthelmeh 7c085837ae Merge pull request #10772 from dgarske/qat_review
Intel QuickAssist: multi-device utilization + software-fallback / Cavium fixes
2026-07-08 10:39:24 -06:00
Daniele Lacamera fc1bb6395d riscv: return KEYUSAGE_E for AES use without a key schedule
The generic wc_AesEncrypt/wc_AesDecrypt (aes.c) reject an AES object
whose key schedule was never set (rounds outside 1..7 after halving)
with KEYUSAGE_E, and every mode inherits that through their int return.
The RISC-V port's block helpers are void, so nothing reported unkeyed
use: wc_AesEncryptDirect and wc_AesCcmEncrypt/Decrypt silently
processed with a garbage schedule, and wc_AesCtrEncrypt classified it
as BAD_FUNC_ARG instead of KEYUSAGE_E.

Align the port with the generic error contract:
* wc_AesEncryptDirect / wc_AesDecryptDirect: add the generic rounds
  check (also fixes wc_CmacUpdate error reporting, which goes through
  wc_AesEncryptDirect on this port)
* wc_AesCcmEncrypt / wc_AesCcmDecrypt: same check after the argument
  sanity block
* wc_AesCtrEncrypt (both variants): the existing rounds switch now
  returns KEYUSAGE_E instead of BAD_FUNC_ARG

Found by the ISO 26262 MC/DC campaign argument-matrix tests
(test_wc_AesSetKeyArgMcdc, test_wc_AesModesArgMcdc, test_wc_AesCcmArgMcdc,
test_wc_CmacArgMcdc) under qemu-riscv64.
2026-07-08 18:29:52 +02:00
David Garske 59e942b07a Merge pull request #10844 from SparkiDev/windows_arm64_1
ARM64 Windows: Add assembly
2026-07-08 09:28:41 -07:00
David Garske 0d02f2fe2f Merge pull request #10816 from kojiws/fix_mem_cast_on_mldsa
Fix unaligned memory access in ML-DSA
2026-07-08 09:28:28 -07:00
David Garske 60085b0e48 Merge pull request #10837 from rlm2002/zd-NameConstraints
DNS name constraint fix
2026-07-08 09:21:52 -07:00
Tobias Frauenschläger 673d8d00bb Merge pull request #10778 from SparkiDev/time_stamp_protocol
Time-Stamp Protocol (RFC 3161)
2026-07-08 17:43:38 +02:00
David Garske b19f00a736 Merge pull request #10807 from SparkiDev/aes_gcm_siv_asm
AES-GCM-SIV: Add implementation in C and assembly
2026-07-08 08:30:02 -07:00
David Garske 7f441a687a Merge pull request #10748 from night1rider/AES-Callbacks
AES callbacks for CFB and OFB
2026-07-08 08:25:23 -07:00
Daniele Lacamera 7b72cf6acf riscv: add missing argument checks in AES port
Align the RISC-V AES port's argument validation with the generic aes.c
implementations (and with the port's own vector/scalar-crypto siblings):

* wc_AesSetKey (base assembly variant, i.e. neither
  WOLFSSL_RISCV_VECTOR_CRYPTO_ASM nor WOLFSSL_RISCV_SCALAR_CRYPTO_ASM):
  reject key == NULL. The vector and scalar-crypto variants of the same
  function already check it; the base variant passed NULL through to the
  key expansion and wc_AesGcmSetKey then dereferenced the uninitialized
  schedule, crashing on e.g. wc_AesGcmSetKey(aes, NULL, 16).

* wc_AesCcmEncrypt / wc_AesCcmDecrypt: reject authIn == NULL when
  authInSz > 0, as the generic implementation does. The port otherwise
  walks the NULL authIn buffer while computing the CBC-MAC.

Found by the ISO 26262 per-module MC/DC campaign's argument-matrix tests
(test_wc_AesGcmSetKey, test_wc_AesCcmArgMcdc) running the RISC-V port
under qemu-riscv64: upstream CI only exercises this port with the KAT
suite, which never passes invalid arguments.
2026-07-08 16:37:08 +02:00
Tobias Frauenschläger 366000eec2 PKCS#7: support degenerate certs-only encode and harden signed-attribute handling
Server-side PKCS#7 encode improvements that let downstream EST/SCEP enrollment
code (wolfCert) drive the existing encoder through the public API rather than
hand-rolling DER. Everything is gated under the existing HAVE_PKCS7 — no new
build options and no new public functions; the convenience wrappers live
caller-side.

Allow degenerate (certs-only) SignedData encode
  Relax the hashOID != 0 requirement in PKCS7_EncodeSigned() when
  sidType == DEGENERATE_SID, so a caller can produce a certs-only bundle (no
  signer, attributes, or eContent — the form used by EST /cacerts and SCEP
  GetCACert) by selecting DEGENERATE_SID via wc_PKCS7_SetSignerIdentifierType()
  and calling wc_PKCS7_EncodeSignedData(). The output round-trips through
  wc_PKCS7_VerifySignedData().

Size the signed-attribute array to the actual count
  The SignerInfo attribute working array is now sized to the real attribute
  count instead of a fixed [7] array. An inline buffer (sized
  MAX_SIGNED_ATTRIBS_SZ, the historical footprint) covers the common
  allocation-free case; a heap buffer is used only when the count exceeds it.
  The default-attribute count comes from a single helper
  (wc_PKCS7_GetDefaultSignedAttribCount) so the sizing matches the emission
  logic exactly, and the canned-attribute write is bound-checked against the
  array capacity. This also fixes a latent overflow where the backing array was
  hardcoded [7] while the bound check used MAX_SIGNED_ATTRIBS_SZ. The macro is
  retained for source compatibility but no longer caps the count.

Document the decoded-attribute value shape
  Documented the stable shape of PKCS7DecodedAttrib.value (the contents of the
  SET OF AttributeValue, outer SET tag stripped) so callers can rely on it. No
  behavior change.

Fix multi-certificate decode in non-streaming builds
  Bound the additional-certificate loop in wc_PKCS7_VerifySignedData against the
  absolute end of the certificate set (idx + length) rather than the relative
  length. In NO_PKCS7_STREAM builds the old bound dropped trailing certificates
  (all but the first when a large eContent preceded the set), failing
  verification when the signer cert was among those dropped. Streaming builds
  were unaffected.

Tests
  Added coverage in pkcs7signed_test: degenerate certs-only encode via the
  public API, nine-attribute encode (beyond the inline capacity), decoded
  attribute value shape for PrintableString and OCTET STRING, and a
  multi-certificate decode regression with large content that triggers the
  bound bug under NO_PKCS7_STREAM. Added a signed-attribute selection
  round-trip covering a messageDigest-only subset and the no-attributes case
  via wc_PKCS7_SetDefaultSignedAttribs/wc_PKCS7_NoDefaultSignedAttribs, a
  WOLFSSL_NO_MALLOC over-capacity case that must return BUFFER_E instead of
  overrunning the inline buffer, and a malformed certificate-set length that
  exercises the certSetEnd clamp in the verifier. Config-sensitive cases are
  guarded.
2026-07-08 12:33:38 +02:00
Tobias Frauenschläger dcc2b23b1a Merge pull request #10852 from stenslae/fix-mldsa-privkeydecode-no-asn1
Fix ML-DSA level auto-detection in WOLFSSL_MLDSA_NO_ASN1 builds
2026-07-08 10:03:34 +02:00
Tobias Frauenschläger 3b07f7df34 Merge pull request #10855 from philljj/misc_fixes
wolfcrypt: fix several redefinition of typedef errors.
2026-07-08 09:56:45 +02:00
Kareem 910daaf658 Code review feedback 2026-07-07 16:49:58 -07:00
Kareem dba0ba5a07 Code review feedback 2026-07-07 16:49:58 -07:00
Kareem 511f6e1bf0 Zero out the aead in wc_ChaCha20Poly1305_Encrypt/Decrypt before freeing it.
Fixes F-4023.
2026-07-07 16:47:44 -07:00
Kareem c677768375 Zero out buffer on error in AES_GCM_decrypt_C.
Fixes F-5393.
2026-07-07 16:47:44 -07:00
David Garske e0a8f3f475 Merge pull request #10706 from JacobBarthelmeh/dev
defense in depth hardening for x509 extension create by OBJ and EVP decode update
2026-07-07 16:41:15 -07:00
Sean Parkinson ae023a5643 Time-Stamp Protocol (RFC 3161)
Implementation in wolfCrypt
OpenSSL compatibility layer in wolfSSL
Added tests, certificates, examples.
2026-07-08 09:33:47 +10:00
David Garske a296ac07fc Merge pull request #10842 from miyazakh/f6162_tsiphash
[Renesas RX72N] RX72N TSIP fixes and command-line build/flash/UART tooling
2026-07-07 16:17:30 -07:00
philljj 2f2ffbac04 Merge pull request #10856 from douzzer/20260702-linuxkm-various
20260702-linuxkm-various
2026-07-07 17:44:50 -05:00
Sean Parkinson 2bcb4efb5b ARM64 Windows: Add assembly
Add assembly generated for Windows ARM64.
Add build option to project files.
Add CI loops.
2026-07-08 08:04:24 +10:00
David Garske d805c804b9 Merge pull request #10733 from mattia-moffa/20260617-max32666-sha-streaming-old
MAX32666 fixes for old SDK
2026-07-07 14:54:34 -07:00
Sean Parkinson af3befef80 ARM66 Windows: Add assembly
Add assembly generated for Windows ARM64.
Add build option to project files.
Add CI loops.
2026-07-08 07:53:53 +10:00
Sean Parkinson cf7319062b Add Windows assembly files to the build
Windows ASM files generated along side the ATT assembly files.
Adding them to the build so they can be used.
2026-07-08 07:53:53 +10:00
David Garske bee18d122d Merge pull request #10801 from SparkiDev/windows_asm_1
Add Windows assembly files to the build
2026-07-07 14:26:31 -07:00
Sean Parkinson 2c0e235bd1 AES-GCM-SIV: Add implementation in C and assembly
Added assembly for Intel x64, ARM64, ARM32, Thumb2.
2026-07-08 07:15:26 +10:00
David Garske 5ebc44ee4e Merge pull request #10848 from SparkiDev/wycheproof_fixes_5
Wycheproof: fixes for various platforms
2026-07-07 14:10:07 -07:00
night1rider 2c6261d1a8 Add testing for cryptocb only for aes ofb and cfb 2026-07-07 14:20:29 -06:00
night1rider d09803154b Adding callbacks for AES mode OFB and CFB, along with callback testing/coverage for the callback paths 2026-07-07 14:20:26 -06:00
Anthony Hu bf3103c336 C89 compliance items
- Flexible array members ("type name[];") fixup
- avoid empty asn_orig.c when building standalone
- avoid trailing comma on the last enumerator
- drop some consts to match function prototypes
2026-07-07 14:06:41 -04:00
David Garske e1ff608876 Intel QAT: add async hybrid PQC server key share regression test 2026-07-07 09:54:04 -07:00
David Garske d929c9b88a Intel QAT: serialize build/check under --with-intelqa; update port README 2026-07-07 09:54:04 -07:00
David Garske 673a6703b1 Intel QAT: interleave instances across devices for multi-device utilization 2026-07-07 09:54:04 -07:00
David Garske f7c5256d36 Intel QAT: fix heap argument in RSA public free 2026-07-07 09:54:04 -07:00
David Garske fa9dd0a671 Intel QAT: fall back to regular memory when crypto service not started 2026-07-07 09:54:04 -07:00
David Garske cf8048baab Fix Cavium async event queue req_count buffer overflow 2026-07-07 09:54:03 -07:00
Daniel Pouzzner 833e360ccd fixes for issues identified by CI tests and AI review:
tests/api/api.h: always use FIPS 186-4 settings if defined(HAVE_SELFTEST).

wolfssl/wolfcrypt/settings.h: if defined(HAVE_SELFTEST), #define WC_FIPS_186_4.
2026-07-07 02:35:51 -05:00
Daniel Pouzzner 5cee8bec39 wolfcrypt/src/rng_bank.c:
* refactor rng_bank.refcount management using wolfSSL_RefInc_IfAtLeast() and wolfSSL_RefDec_IfEquals(), to mitigate deallocation races.
* in wc_rng_bank_init(), fail fast for non-retryable errors.
* in wc_rng_bank_init(), wc_rng_bank_checkout(), and wc_rng_bank_inst_reinit(), consistently treat timeout_secs==0 as dont-wait, and timeout_secs<0 as wait-forever if wc_rng_bank_init() or flags & WC_RNG_BANK_FLAG_CAN_WAIT.
* in wc_rng_bank_checkout(), fix affinity dynamics to recompute after possible sleep, or drop affinity attempts entirely if using WC_RNG_BANK_FLAG_CAN_FAIL_OVER_INST strategy.
2026-07-07 00:19:48 -05:00
Daniel Pouzzner 0fdceafe6b wolfcrypt/src/wc_port.c, wolfssl/wolfcrypt/wc_port.h:
* implement wolfSSL_RefInc_IfAtLeast() and wolfSSL_RefDec_IfEquals().
* implement wolfSSL_RefWithMutexInc_IfAtLeast() and wolfSSL_RefWithMutexDec_IfEquals().

wolfssl/wolfcrypt/wc_port.h: for old FIPS when __GNUC__ or __clang__, always map __FUNCTION__ to __func__ for pedantic conformance.
2026-07-07 00:19:48 -05:00