Compare commits

...

6614 Commits

Author SHA1 Message Date
JacobBarthelmeh
9ca379f3bb Merge pull request #9719 from dgarske/usersettings_expand
Improve user_settings.h examples and add validation rules
2026-01-29 15:35:12 -07:00
David Garske
7077a7bdd8 Fix for macros not longer needed in .wolfssl_known_macro_extras 2026-01-29 09:28:23 -08:00
David Garske
c2a987595f Add new user_settings.h templates for tls13, dtls13, pq, openssl_compat, baremetal, rsa_only, pkcs7, ca 2026-01-28 11:27:01 -08:00
David Garske
3946ba8de3 Improve user_settings.h examples and add validation rules
- Standardize header guards to WOLFSSL_USER_SETTINGS_H across all files
  - Add #if 0/1 gates with labels for easy feature toggling
  - Fix bugs: typos in eccnonblock (WOLFSL_SHA*), duplicates in fipsv5/all
  - Add NO_DES3_TLS_SUITES alongside NO_DES3 where needed
  - Update wolfboot_keytools with upstream PQ algorithms (ML-DSA, LMS, XMSS)
  - Add settings.h validation rules with descriptive error messages
  - Auto-define NO_DES3_TLS_SUITES when NO_DES3 is set (instead of error)
  - Update README.md and add missing files to CI tests
2026-01-28 09:52:24 -08:00
JacobBarthelmeh
a6316114bd Merge pull request #9716 from SparkiDev/regression_fixes_22
Regression test fixes
2026-01-27 22:07:50 -07:00
JacobBarthelmeh
ba3653d8d0 Merge pull request #9717 from dgarske/config_rules
Make sure all configure.ac rules are also enforced in settings.h
2026-01-27 21:53:51 -07:00
Sean Parkinson
eb2fb4a9ce Merge pull request #9699 from anhu/downg
Add cipher suite filtering when downgrade is disabled
2026-01-28 08:59:06 +10:00
David Garske
46251bb401 Fix issue with NO_DES3_TLS_SUITES 2026-01-27 14:42:41 -08:00
Sean Parkinson
bc9e37118e Regression test fixes
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.

wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
JacobBarthelmeh
f7b5f00973 Merge pull request #9710 from rlm2002/xChaCha20_Poly1305_unitTest
Unit test updates for XChacha20-Poly1305
2026-01-27 13:56:16 -07:00
JacobBarthelmeh
4f84be8e66 Merge pull request #9715 from dgarske/rsa_key_parsing
Fix for RSA private key parsing (allowing public) and RSA keygen no malloc support
2026-01-27 13:11:14 -07:00
David Garske
74a4bcb546 Enforce all configure.ac rules in settings.h also. Keeping configure.ac for early error checking. 2026-01-27 10:46:29 -08:00
Anthony Hu
3aa758c615 renegotiation indication changes number of ciphersuites so gate on that 2026-01-27 12:57:31 -05:00
JacobBarthelmeh
3e7efe8be2 Merge pull request #9705 from cconlon/nameConstraints
Support for extracting and validating X.509 Name Constraints extensions
2026-01-27 10:01:48 -07:00
Anthony Hu
9a53125794 Simplify testing gating logic. 2026-01-27 11:19:50 -05:00
David Garske
c8fa1e915b Fix for RSA private key parsing (allowing public) and RSA keygen no malloc support. 2026-01-26 16:06:05 -08:00
Ruby Martin
38cb14f2a9 add API unit test for XChacha20-Poly1305
Expand XChacha20-Poly1305 unit test
2026-01-26 15:33:35 -07:00
Chris Conlon
610d530e45 Add Name Constraints extension support with wolfSSL_X509_get_ext_d2i() and wolfSSL_NAME_CONSTRAINTS_check_name() 2026-01-26 10:36:05 -07:00
David Garske
eeaa3a7160 Merge pull request #9596 from kareem-wolfssl/zd19378
Add a runtime option to enable or disable the secure renegotiation check.
2026-01-26 08:34:57 -08:00
Anthony Hu
d6985a6ee3 AES-GCM guard. 2026-01-23 16:23:44 -05:00
Kaleb Himes
4574a0c10e Merge pull request #9706 from miyazakh/selftest_pqc
Enable kyber and dilithium in selftest
2026-01-23 13:41:44 -07:00
David Garske
6ae5555718 Merge pull request #9704 from douzzer/20260122-toolchain-workarounds
20260122-toolchain-workarounds
2026-01-23 12:39:05 -08:00
David Garske
cd88ec57b0 Merge pull request #9685 from kareem-wolfssl/gh7735
Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed.
2026-01-23 12:38:46 -08:00
JacobBarthelmeh
2f388dde4c Merge pull request #9703 from dgarske/stsafe-a120-ecdhe
Fixes for STSAFE-A120 ECDHE
2026-01-23 10:59:45 -07:00
David Garske
4773ea6d44 Merge pull request #9637 from Frauschi/test_coverage
Increase test coverage for PQC and CMake
2026-01-23 07:51:40 -08:00
David Garske
b5209344e0 Merge pull request #9707 from danielinux/enable_stm32g0_AES_only
Add STM32G0 hardware crypto support
2026-01-23 07:50:30 -08:00
Michal Jahelka
269c28be16 Add STM32G0 hardware crypto support 2026-01-23 11:09:08 +01:00
Tobias Frauenschläger
14ce7956f1 Increase test coverage
* More PQC configurations
* More CMake setups
* Fix various bugs uncovered by these tests

Added some missing feature additions to CMake to make the example
`user_settings_all.` config file work for the CI test.
2026-01-23 09:27:16 +01:00
Anthony Hu
2616fe3ff1 Better guards around tests 2026-01-22 22:17:59 -05:00
Hideki Miyazaki
0f72d2eafe enable kyber and dilithium in selftest 2026-01-23 11:59:46 +09:00
Sean Parkinson
27df554e99 Merge pull request #9701 from Frauschi/brainpool-tls13
Add support for TLS 1.3 Brainpool curves
2026-01-23 10:42:32 +10:00
Sean Parkinson
baaa368a61 Merge pull request #9668 from kaleb-himes/PQ-FS-2026-Part1
PQ FS 2026 part1
2026-01-23 10:30:47 +10:00
David Garske
2c83711319 Merge pull request #9693 from kareem-wolfssl/zd21012
Use MinGW XINET_PTON definition for 32-bit MinGW as well as 64-bit.
2026-01-22 15:24:31 -08:00
Daniel Pouzzner
a1b43ab3fa wolfssl/wolfcrypt/dilithium.h: add a check for whether all supported levels are disabled, in WOLFSSL_WC_DILITHIUM setup. 2026-01-22 17:20:46 -06:00
Daniel Pouzzner
71bffcc5eb linuxkm/Kbuild: move FORCE_GLOBAL_OBJTOOL_OFF setup outside ENABLED_LINUXKM_PIE setup, i.e. always usable. 2026-01-22 17:20:46 -06:00
David Garske
a17f68f036 Merge pull request #9587 from kareem-wolfssl/zd20850
Add duplicate entry error to distinguish cases where a duplicate CRL is rejected.
2026-01-22 15:07:19 -08:00
David Garske
2fb19f84e5 Fixes for STSAFE-A120 ECDHE 2026-01-22 22:46:35 +00:00
Kareem
1103552c37 Code review feedback 2026-01-22 15:46:13 -07:00
Kareem
d60dd53165 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19378 2026-01-22 15:37:30 -07:00
Kareem
4c0c51fdff Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735 2026-01-22 15:13:15 -07:00
Kareem
baedba6a58 Force client haveDH to true in wolfSSL_set_options. haveDH won't be set to true on the client as the server side is what calls DH param generation APIs which set this to true, but we still want the client to support DH cipher suites if enabled. This matches behavior from InitSSL_EitherSide. 2026-01-22 15:13:08 -07:00
kaleb-himes
20fc2de29d Restore sanity to < SEED_BLOCK_SZ 2026-01-22 09:09:29 -07:00
kaleb-himes
20b2fd200f Address failure rates from FIPS CRNGT test by implementing alternate RCT/ADP tests
Update ret code to match docs and update docs

Replace magic numbers with appropriate define

Define MAX_ENTROPY_BITS when MEMUSE not enabled

Fix type cast windows detection

Older FIPS modules still need the old check

CodeSpell you're wrong, that is what I want to name my variable

Turn the hostap into a manual dispatch until it gets fixed

Upon closer review we can not skip the test when memuse enabled

Fix whitespace stuff found by multitest

More syntax things

Correct comments based on latest findings
2026-01-22 09:06:17 -07:00
Tobias Frauenschläger
bde1bf6ce7 Fix user_settings ASM multiple define 2026-01-22 14:14:15 +01:00
Tobias Frauenschläger
eb8ba6124e Support TLS 1.3 ECC Brainpool authentication
This also fixes TLS 1.2 authentication to only succeed in case the
brainpool curve was present in the supported_groups extension.
2026-01-22 14:14:09 +01:00
Tobias Frauenschläger
a462398387 Support Brainpool ECC curve TLS 1.3 key exchange
When both TLS 1.3 and Brainpool curves are enabled, three new groups can
be used for the ECDHE key exchange according to RFC 8734:
* WOLFSSL_ECC_BRAINPOOLP256R1TLS13 (31)
* WOLFSSL_ECC_BRAINPOOLP384R1TLS13 (32)
* WOLFSSL_ECC_BRAINPOOLP512R1TLS13 (33)

Also ensure that the existing TLS 1.2 curves are sent properly.

The TLS client application is updated to support handshakes via
Brainpool curves using the new argument "--bpKs".
2026-01-22 14:14:09 +01:00
David Garske
62ca34497c Merge pull request #9633 from douzzer/20260108-DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS
20260108-DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS
2026-01-21 17:39:56 -08:00
David Garske
baeffb2f6a Merge pull request #9692 from anhu/aead
wc_XChaCha20Poly1305_Init: NULL check aead, not ad
2026-01-21 17:22:32 -08:00
Daniel Pouzzner
142f493964 configure.ac: if ENABLED_32BIT, add -DWC_32BIT_CPU to AM_CFLAGS, and don't add WOLFSSL_X86_64_BUILD to AM_CFLAGS; fix handling for --enable-bump;
wolfssl/wolfcrypt/settings.h: classify OPENSSL_EXTRA as "desktop type system" in bump up of default FP_MAX_BITS and SP_INT_BITS;

wolfssl/wolfcrypt/types.h: if WC_32BIT_CPU, don't define WC_64BIT_CPU.
2026-01-21 18:21:16 -06:00
David Garske
e4e79dd8a3 Merge pull request #9694 from SparkiDev/tls_msg_sanity_fix
TLS: more sanity checks on message order
2026-01-21 15:11:11 -08:00
Anthony Hu
d088fee72c Add cipher suite filtering when downgrade is disabled
When wolfSSL_SetVersion() is called to set a specific TLS version,
the downgrade flag is now set to 0. This causes wolfSSL_parse_cipher_list()
to no longer preserve cipher suites from the other TLS version group.

Previously, when using SSLv23 method and setting cipher suites for only
one TLS version (e.g., TLS 1.2), the library would preserve any existing
cipher suites from the other version (e.g., TLS 1.3) for OpenSSL API
compatibility. With this change, if a specific version is set via
wolfSSL_SetVersion(), only the cipher suites for that version are kept.
2026-01-21 18:01:01 -05:00
Anthony Hu
7d7299e254 Do not allow NULL with non-zero length. 2026-01-21 17:49:30 -05:00
David Garske
11ddec3f69 Merge pull request #9681 from tmael/wfb1_
Fix cert SW issues in Aes and rng
2026-01-21 13:41:01 -08:00
David Garske
e1e7c4d9f0 Merge pull request #9695 from miyazakh/fix_qt_unittest
Include `asn.h` for SN_xxx definitions from `openssl/obj_mac.h`
2026-01-21 12:56:53 -08:00
David Garske
47ff34b503 Merge pull request #9696 from SparkiDev/mldsa_max_vals_from_avail
ML-DSA: max values based on available parameters
2026-01-21 12:56:07 -08:00
David Garske
758d74f51f Merge pull request #9687 from holtrop-wolfssl/rust-hmac-blake2
Rust wrapper: add HMAC-BLAKE2[bs] wrappers
2026-01-21 12:55:48 -08:00
Tesfa Mael
1c3816d7d8 Use seedSz < SEED_BLOCK_SZ 2026-01-21 12:09:53 -08:00
Tesfa Mael
d3d2105035 Fix cert SW issues 2026-01-21 12:09:53 -08:00
Daniel Pouzzner
418a3bff32 Merge pull request #9698 from dgarske/rsa_no_rng2
More fixes for NO RNG and NO check key
2026-01-21 14:01:10 -06:00
David Garske
f52930b844 More fixes for NO RNG and NO check key (broken in #9606 and #9576) 2026-01-21 10:31:57 -08:00
David Garske
2a449ebfdf Merge pull request #9673 from holtrop-wolfssl/update-github-workflows-ubuntu
Update from Ubuntu 22.04 to Ubuntu 24.04 for github workflows
2026-01-21 09:14:39 -08:00
Daniel Pouzzner
cc7897be0d Merge pull request #9689 from dgarske/rsa_no_rng
Fixes for RSA with no RNG
2026-01-21 11:13:03 -06:00
David Garske
98dbc56daa Merge pull request #9691 from douzzer/20260120-linuxkm-RHEL9v6-and-RDSEED-sanity-check
20260120-linuxkm-RHEL9v6-and-RDSEED-sanity-check
2026-01-21 09:03:32 -08:00
JacobBarthelmeh
685bacc917 Merge pull request #9614 from dgarske/stsafe-a120
Add STSAFE-A120 Support
2026-01-21 09:12:23 -07:00
Josh Holtrop
69fd8dc01f Update from Ubuntu 22.04 to Ubuntu 24.04 for several github workflows 2026-01-20 21:44:56 -05:00
Sean Parkinson
88593f8dcd ML-DSA: max values based on available parameters
When building wolfSSL implementation, make maximum sizes based on
available parameter sets.

Add wc_MlDsaKey_SignCtx and wc_MlDsaKey_VerifyCtx macros.
2026-01-21 12:04:28 +10:00
David Garske
38b0fe19a1 Improvements to code for ECDHE and peer review fixes. 2026-01-21 00:03:26 +00:00
David Garske
16fb84d0d1 Peer review fixes. Tested with brainpool. 2026-01-21 00:03:26 +00:00
David Garske
54f0ecb536 Fix for ephemeral key usage limit. 2026-01-21 00:03:26 +00:00
David Garske
384eaa48b3 Peer review fixes (thank you copilot) 2026-01-21 00:03:26 +00:00
David Garske
654901782c Peer review cleanups. ECDHE improvements. 2026-01-21 00:03:26 +00:00
David Garske
02c3086e00 Added ECDHE support 2026-01-21 00:03:26 +00:00
David Garske
09c75f25de Fixes for peer review. 2026-01-21 00:03:26 +00:00
David Garske
c7ca035baf Cleanup WOLFSL_STSAFE and fix issue with multi-test macros 2026-01-21 00:03:26 +00:00
David Garske
a4c2398265 Add STSAFE-A120 Support 2026-01-21 00:03:26 +00:00
Sean Parkinson
8902afdcea TLS: more sanity checks on message order
Add more checks on message ordering for TLS 1.2 and below.
Reformat code.
2026-01-21 10:00:38 +10:00
Hideki Miyazaki
22ed7472b4 fix qt unit test
include asn.h for SN_xxx definitions
2026-01-21 08:59:28 +09:00
Kareem
832bcd7f4b Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20850 2026-01-20 15:59:05 -07:00
Kareem
549f106907 Use MinGW XINET_PTON definition for 32-bit MinGW as well as 64-bit. 2026-01-20 15:55:19 -07:00
Daniel Pouzzner
7048fa80d4 wolfcrypt/src/random.c and wolfssl/wolfcrypt/settings.h: fixes from CI and peer review:
* in wc_GenerateSeed_IntelRD(), use stack/register allocation for sanity_word{1,2}, and
* don't set WC_VERBOSE_RNG if WOLFSSL_DEBUG_PRINTF is missing.
2026-01-20 16:48:21 -06:00
Kareem
0f0163d888 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into gh7735 2026-01-20 15:18:26 -07:00
Anthony Hu
4550814e66 wc_XChaCha20Poly1305_Init: NULL check aead, not ad 2026-01-20 16:37:20 -05:00
Daniel Pouzzner
b91272c9a5 wolfcrypt/src/random.c: add sanity check in wc_GenerateSeed_IntelRD() to work around buggy RDSEED by disabling it if it generates three identical 64 bit words consecutively;
wolfssl/wolfcrypt/settings.h: if DEBUG_WOLFSSL && !WC_NO_VERBOSE_RNG, set WC_VERBOSE_RNG, and add WOLFSSL_NO_DEBUG_CERTS to allow inhibition of WOLFSSL_DEBUG_CERTS.
2026-01-20 15:24:43 -06:00
Daniel Pouzzner
ba53051457 add linuxkm/patches/5.14.0-570.58.1.el9_6/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v14-570v58v1-el9_6.patch 2026-01-20 15:07:44 -06:00
Josh Holtrop
4a92ee31bb Rust HMAC-BLAKE2: require exact output buffer size 2026-01-20 15:31:58 -05:00
Josh Holtrop
e59ddb95c7 Rust blake2: remove unnecessary cfg guards 2026-01-20 14:56:55 -05:00
David Garske
91d9389b9f Fixes for RSA with no RNG 2026-01-20 11:05:10 -08:00
David Garske
c8867d8c52 Merge pull request #9688 from padelsbach/login-live-com-cert
Address connection issues in ocsp-stapling test
2026-01-20 11:04:51 -08:00
David Garske
17401da6ae Merge pull request #9678 from cconlon/otherNameSan
Fix GENERAL_NAME memory management for otherName and RID SANs
2026-01-20 10:56:37 -08:00
David Garske
3520b4c9a1 Merge pull request #9636 from julek-wolfssl/zephyr-fixes-202601
Address Zephyr and C++ compatibility issues
2026-01-20 10:52:27 -08:00
David Garske
6bdc6a7550 Merge pull request #9618 from SparkiDev/volatile_multi_statement
Multiple volatile variables in a C statement undefined
2026-01-20 10:42:49 -08:00
Kareem
d505c0b7c5 Only reinitialize suites in InitSSL_Side if they were not set by the user. Always allocate suites in InitSSL_Side if they're NULL so InitSSL_Suites will set them. 2026-01-20 11:40:37 -07:00
David Garske
26b8795a3f Merge pull request #9682 from JacobBarthelmeh/lic
add RPCS3 to GPLv2 exception list
2026-01-20 10:38:32 -08:00
Paul Adelsbach
2325c68d4e Address connection issues in ocsp-stapling test 2026-01-20 09:46:35 -08:00
Josh Holtrop
af0fd013a1 HMAC-BLAKE2b: avoid coverity complaints about accessing x_key out of range 2026-01-20 08:14:02 -05:00
Josh Holtrop
a555d5290a Rust wrapper: add HMAC-BLAKE2[bs] wrappers 2026-01-20 08:10:16 -05:00
Kareem
89931bd884 Always reinitialize the SSL cipher suites in InitSSL_Side as the side and enabled algos have likely changed. 2026-01-19 17:50:26 -07:00
Sean Parkinson
c71a4dd66f Merge pull request #9662 from AlexLanzano/tls1.2-empty-cert-fix
[TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond
2026-01-20 09:45:29 +10:00
Chris Conlon
0f395a5f9d Fix memory management in wolfssl_dns_entry_othername_to_gn() and
wolfSSL_X509_get_ext_d2i() for otherName SAN handling, add ASN_RID_TYPE case to wolfSSL_X509_get_ext_d2i()
2026-01-19 16:39:33 -07:00
Daniel Pouzzner
4ce6c4c262 Merge pull request #9623 from julek-wolfssl/dtls-1.3-ms-interval
dtls 1.3: allow rtx interval to be less than a second
2026-01-19 17:01:23 -06:00
Daniel Pouzzner
e465f92905 Merge pull request #9642 from holtrop-wolfssl/hmac-blake2
Add HMAC-BLAKE2b and HMAC-BLAKE2s API functions
2026-01-19 16:49:08 -06:00
Daniel Pouzzner
c2cf8b1545 Merge pull request #9659 from holtrop-wolfssl/improve-error-for-invalid-helloretryrequest
Improve log message and error code for invalid HelloRetryRequest - fix #9653
2026-01-19 16:23:59 -06:00
Juliusz Sosinowicz
f9aec60e0d Restore previous includes but add more externs 2026-01-19 22:02:26 +01:00
JacobBarthelmeh
1e9d71af42 add RPCS3 to GPLv2 exception list 2026-01-19 13:48:16 -07:00
Daniel Pouzzner
bfc4f6bb01 Merge pull request #9677 from dgarske/riscv_sha512
Fix for building RISC-V 64-bit without SHA512
2026-01-19 12:57:59 -06:00
Juliusz Sosinowicz
77e1fb662b Remove circular dependency between ssl.h and wolfio.h 2026-01-19 11:21:14 +01:00
Juliusz Sosinowicz
e86ceb2ad9 zephyr: define missing posix network funcs 2026-01-19 11:21:14 +01:00
Juliusz Sosinowicz
b6f0139d63 zephyr: Fix more C++ linkage 2026-01-19 11:21:14 +01:00
Juliusz Sosinowicz
bba4671042 wolfSSL_dtls13_use_quick_timeout: check for NULL input 2026-01-19 10:13:23 +01:00
Juliusz Sosinowicz
429b690370 Address code review 2026-01-19 09:38:17 +01:00
Juliusz Sosinowicz
48067f1fa7 dtls 1.3: allow rtx interval to be less than a second 2026-01-19 09:32:09 +01:00
Josh Holtrop
e90429dbb8 HMAC-BLAKE2: avoid clang-analyzer warnings about x_key being uninitialized 2026-01-18 22:20:14 -05:00
David Garske
d98bbf1bc4 Merge pull request #9679 from douzzer/20260117-fix-test_wolfSSL_EVP_sm3
20260117-fix-test_wolfSSL_EVP_sm3
2026-01-17 11:47:51 -08:00
Daniel Pouzzner
467d6dd338 tests/api/test_evp_digest.c: fix for copy-paste error in test_wolfSSL_EVP_sm3(), introduced in 43d831ff06. 2026-01-17 09:58:21 -06:00
Josh Holtrop
90c8b5c80d HMAC-BLAKE2: Use uppercase U for unsigned integer constants 2026-01-17 09:15:47 -05:00
Daniel Pouzzner
1e51938965 Merge pull request #9675 from embhorn/zd21049
Doc fixes for ecc
2026-01-17 00:03:46 -06:00
Daniel Pouzzner
84bca62ace Merge pull request #9667 from bigbrett/ancv-verify-callback-fix
Apple Cert Fix: Prevent verify callback from blocking ANCV invocation
2026-01-17 00:02:42 -06:00
Daniel Pouzzner
9ae87e2a48 Merge pull request #9657 from embhorn/gh9655
Fix TLSX_Parse to correctly handle client and server cert type ext with TLS1.3
2026-01-16 23:59:31 -06:00
Daniel Pouzzner
5c7f986925 Merge pull request #9670 from miyazakh/fix_selftest
Fix compilation, crypt test and unit test failures when selftest is enabled
2026-01-16 23:57:27 -06:00
Daniel Pouzzner
0ceed2d832 Merge pull request #9664 from padelsbach/hmac-update-len-check
Add length check to Hmac_UpdateFinal_CT to prevent build error
2026-01-16 15:35:58 -06:00
David Garske
214b3c2dd7 Fix for building RISC-V 64-bit without SHA512 2026-01-16 13:07:08 -08:00
Daniel Pouzzner
9aabef04ba Merge pull request #9641 from SparkiDev/api_c_split_evp
API testing: split out more test cases
2026-01-16 14:58:15 -06:00
Daniel Pouzzner
d18b4b28e0 Merge pull request #9676 from night1rider/fix-sha256-inter-init
initialize i_shaCopy to prevent undefined behavior
2026-01-16 14:14:45 -06:00
Josh Holtrop
b1086a1dbc HMAC-BLAKE2[bs] - remove some spaces per review feedback 2026-01-16 10:38:49 -05:00
Zackery Backman
7a894515cb initialize i_shaCopy to prevent undefined behavior 2026-01-15 18:00:27 -07:00
David Garske
f58787259c Merge pull request #9674 from douzzer/20260115-PQC-WOLFSSL_NO_MALLOC
20260115-PQC-WOLFSSL_NO_MALLOC
2026-01-15 16:18:34 -08:00
Hideki Miyazaki
8ad73d8ac1 Fix compile and crypt test failures when selftest is enabled 2026-01-16 08:55:06 +09:00
Sean Parkinson
9427f9f26c Merge pull request #9665 from dgarske/cleanup_20260114
Remove Devin Lifeguard
2026-01-16 09:22:47 +10:00
Sean Parkinson
fabe0c090a Merge pull request #9646 from rlm2002/coverity
20260112 Coverity: update macros and add length checks
2026-01-16 09:20:01 +10:00
Eric Blankenhorn
b3bb8edf45 Fix doc for wc_ecc_verify_hash / _ex 2026-01-15 17:01:24 -06:00
Eric Blankenhorn
8316a4080d Fix doc for wc_ecc_mulmod 2026-01-15 16:45:48 -06:00
Daniel Pouzzner
eb65361281 wolfcrypt/test/test.c:
* tweaks to xmss_test() for compatibility with WOLFSSL_NO_MALLOC && NO_WOLFSSL_MEMORY;
* fixes for return codes in dilithium_test().

wolfssl/wolfcrypt/dilithium.h: add !WC_NO_CONSTRUCTORS gate around wc_dilithium_new() and wc_dilithium_delete() prototypes, to match gating in implementation.
2026-01-15 16:04:36 -06:00
Brett
65a2b06d89 ANCV: support server-side policy creation 2026-01-15 11:59:59 -07:00
Brett
22a9665e6d Prevent verify callback from blocking ANCV invocation when verify
callback is registered. Reverts behavior to pre-PR#9144
2026-01-15 11:59:59 -07:00
Ruby Martin
b4344c17cc add cleanup logic to sakke_kat_derive_test() 2026-01-15 10:58:26 -07:00
Ruby Martin
2596d56802 verify length limit for supported version ext
add length check to tls extensions
2026-01-15 10:58:26 -07:00
Josh Holtrop
e7612ff36f Improve log message and error code for invalid HelloRetryRequest - fix #9653 2026-01-15 12:55:17 -05:00
David Garske
20c4e2760b Remove Devin Lifeguard 2026-01-15 09:50:34 -08:00
David Garske
16e45f94ae Merge pull request #9672 from holtrop-wolfssl/fix-hostap-git-url
Fix hostap repo clone URL
2026-01-15 09:49:45 -08:00
David Garske
7370e3145d Merge pull request #9666 from padelsbach/arduino-esp32-space
Experimental: Reduce disk space for esp32 Arduino builds
2026-01-15 09:49:27 -08:00
Josh Holtrop
a4a24ad2fe Fix hostap repo clone URL 2026-01-15 09:30:27 -05:00
Eric Blankenhorn
3c5b8f900e Fix TLSX_Parse to correctly handle client and server cert type ext with TLS1.3 2026-01-15 07:36:52 -06:00
Paul Adelsbach
c193c4c64f Reduce disk space for esp32 Arduino builds 2026-01-14 20:02:50 -08:00
David Garske
0f3c769c44 Merge pull request #9660 from douzzer/20260114-fixes
20260114-fixes
2026-01-14 20:00:27 -08:00
David Garske
f0d3957aa9 Merge pull request #9643 from mattia-moffa/20260112-sniffer-fixes
More sniffer length checks
2026-01-14 17:00:12 -08:00
Daniel Pouzzner
96f8eb01f9 wolfssl/wolfcrypt/asn.h and wolfssl/openssl/obj_mac.h: add shortname and longname mappings for ASN subject fields. 2026-01-14 18:03:32 -06:00
Daniel Pouzzner
8d3adfad44 wolfssl/wolfcrypt/falcon.h and wolfssl/wolfcrypt/sphincs.h: in falcon_key and sphincs_key, use WC_BITFIELD foo:1, not bool, to fix readability-implicit-bool-conversion. 2026-01-14 18:03:32 -06:00
Daniel Pouzzner
f738e44e39 wolfcrypt/test/test.c: in random_bank_test(), fix position of a misplaced WC_DRBG_BANKREF gate. 2026-01-14 18:03:32 -06:00
Sean Parkinson
9b5cbbc3fb Merge pull request #9663 from embhorn/zd21045
Resolve unused var warning in oss-fuzz
2026-01-15 08:36:17 +10:00
Josh Holtrop
b432ee93a5 Add incremental API for HMAC-BLAKE2[bs] computation 2026-01-14 16:12:42 -05:00
Daniel Pouzzner
e8934f7a9e Merge pull request #9661 from JacobBarthelmeh/lic
add SWUpdate to GPLv2 exception list
2026-01-14 14:39:49 -06:00
Josh Holtrop
74c79dab1e Update constants in BLAKE2 doxygen documentation 2026-01-14 15:37:29 -05:00
Josh Holtrop
2b3c02531c Use ForceZero to clean up HMAC-BLAKE2[bs] 2026-01-14 15:37:29 -05:00
Josh Holtrop
ee708dc457 Update README and doxygen for BLAKE2b/BLAKE2s 2026-01-14 15:37:29 -05:00
Josh Holtrop
92b57d7e34 Add HMAC-BLAKE2b and HMAC-BLAKE2s API functions 2026-01-14 15:37:28 -05:00
Ruby Martin
e32ac6ffb7 XMEMSET with WC_CALLOC_VAR_EX
switch WC_ALLOC_VAR_EX with XMEMSET to WC_CALLOC_VAR_EX

fix XMEMSET call for WC_CALLOC_VAR_EX
2026-01-14 11:27:21 -07:00
Paul Adelsbach
f3fb63aea7 Add length check to Hmac_UpdateFinal_CT to prevent build error 2026-01-14 09:31:35 -08:00
Eric Blankenhorn
625a3cd250 Resolve unused var warning in oss-fuzz 2026-01-14 11:23:19 -06:00
David Garske
2a5256ba18 Merge pull request #9654 from embhorn/zd21038
Fix DecodeAuthKeyInternal not clearing cert->extAuthKeyIdSet
2026-01-14 09:19:24 -08:00
JacobBarthelmeh
32d33f2a53 add SWUpdate to GPLv2 exception list 2026-01-14 09:42:39 -07:00
Alex Lanzano
bdc525dd6d [TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond 2026-01-14 11:30:13 -05:00
David Garske
35f6910186 Merge pull request #9649 from douzzer/20260112-fixes
20260112-fixes
2026-01-13 15:03:43 -08:00
Daniel Pouzzner
1d247b744c wrapper/rust/: fix unit tests to avoid out-of-order wolfCrypt_Cleanup(). 2026-01-13 14:43:50 -06:00
Daniel Pouzzner
f878c43814 wolfcrypt/src/wc_port.c: in wolfCrypt_Cleanup(), return error if called with initRefCount <= 0. 2026-01-13 14:42:27 -06:00
Daniel Pouzzner
627f51632b configure.ac: add -Wno-deprecated-enum-enum-conversion to CFLAGS to suppress C++20 default if applicable. 2026-01-13 12:41:53 -06:00
Daniel Pouzzner
366f5fe411 src/ssl.c: refactor initRefCount increment/decrement to avoid -Wvolatile. 2026-01-13 11:21:40 -06:00
Daniel Pouzzner
f6fbd2a3b7 wolfcrypt/test/test.c: in random_bank_test(), add a missing WC_DRBG_BANKREF gate, and fix wc_rng_bank_init(bank, ...) to pass _FLAG_NO_VECTOR_OPS to set up .sha_method test. 2026-01-13 11:21:40 -06:00
Daniel Pouzzner
b195628204 wolfcrypt/src/sha512.c: fix underinitialization and config-dependent leak paths in InitSha512_Family(). 2026-01-13 11:21:40 -06:00
Daniel Pouzzner
fc68137b47 wolfcrypt/src/wc_port.c:
* fixes for readability-implicit-bool-conversion in wolfSSL_Atomic_Ptr_CompareExchange().
* refactor initRefCount as a wolfSSL_Atomic_Int, unless !WOLFSSL_ATOMIC_OPS, for thread safety.
2026-01-13 11:21:39 -06:00
Daniel Pouzzner
e0db99218f wolfcrypt/src/asn.c: fix -Wstringop-truncation from gcc-16.0.0_p20260104 in KeyPemToDerPassCb(). 2026-01-13 11:21:39 -06:00
Daniel Pouzzner
6f48e0613e Merge pull request #9647 from SparkiDev/sp_volatile_op_fix
SP volatile op fix
2026-01-13 11:20:13 -06:00
Sean Parkinson
37b20fabdc SP volatile op fix
Performing a non-atomic operation on a volatile.
Deprecated in C++20 and checked by new versions of compilers.
2026-01-14 02:17:20 +10:00
Eric Blankenhorn
4e419938a7 Fix DecodeAuthKeyInternal not clearing cert->extAuthKeyIdSet 2026-01-13 08:09:10 -06:00
Daniel Pouzzner
caa6429242 Merge pull request #9624 from holtrop-wolfssl/rust-xchacha20-poly1305
Rust wrapper: add one-shot XChaCha20-Poly1305 encrypt/decrypt functions
2026-01-13 00:51:15 -06:00
Sean Parkinson
1aa79af41e Multiple volatile variables in a C statement undefined
Undefined behaviour when there are multiple volatile variables accessed
in the one C statement.
Changes to introduce non-volatile temporaries, split statement or make
variable non-volatile.
2026-01-13 15:08:50 +10:00
Daniel Pouzzner
05e480f14f Merge pull request #9644 from philljj/bsdkm_time
bsdkm: sys time wrapper.
2026-01-12 22:01:33 -06:00
Daniel Pouzzner
48cb84df0d Merge pull request #9645 from SparkiDev/curve25519_invert_nct_x64_asm_fix
Curve25519 x64 ASM: nct invert needs vzeroupper
2026-01-12 16:57:00 -06:00
Sean Parkinson
ffe304643e Curve25519 x64 ASM: nct invert needs vzeroupper
When ymm registers used, vzeroupper is required at end.
2026-01-13 08:38:23 +10:00
jordan
268fc98a9a bsdkm: cleanup for multi-test. 2026-01-12 15:17:34 -06:00
Sean Parkinson
43d831ff06 API testing: split out more test cases
EVP into test_evp_cipher, test_evp_digest, test_evp_pkey and test_evp.
OBJ into test_ossl_obj.
OpenSSL RAND into test_ossl_rand.
OpenSSL PKCS7 and PKCS12 tests into test_ossl_p7p12.
CertificateManager into test_certman.

Move some BIO tests from api.c into test_evp_bio.c.

Fix line lengths.
2026-01-13 06:34:49 +10:00
jordan
1ed6e41d16 bsdkm: sys time wrapper. 2026-01-12 13:51:22 -06:00
Mattia Moffa
100d765b0c More sniffer length checks 2026-01-12 18:25:27 +01:00
David Garske
7e0a8551e9 Merge pull request #9638 from douzzer/20260109-rng_bank-fixes
20260109-rng_bank-fixes
2026-01-12 08:25:23 -08:00
Sean Parkinson
3f8efdc802 Merge pull request #9600 from padelsbach/addcrl-cleanup
Cleanup AddCRL mutex and alloc/free
2026-01-12 09:11:20 +10:00
Sean Parkinson
ce69f1cec0 Merge pull request #9635 from miyazakh/x509errstr_handling
Fix OpenSSL error code handling in ERR_reason_error_string()
2026-01-12 08:57:17 +10:00
Sean Parkinson
84ca4a05fa Merge pull request #9628 from miyazakh/fix_crlnumber
Fix CRL Number hex string buffer overflow in CRL parser
2026-01-12 08:52:57 +10:00
Hideki Miyazaki
8571a67f13 fix PR test 2026-01-10 14:53:23 +09:00
Hideki Miyazaki
0e8af03f1d OpenSSL error code handling in reason_error_string 2026-01-10 13:50:08 +09:00
Daniel Pouzzner
902164ca03 wolfcrypt/src/rng_bank.c: fixes for typography and s/wc_FreeRng(rng2)/wc_rng_free(rng2)/ in random_bank_test();
wolfcrypt/src/rng_bank.c: tweaks to silence benign Coverity CHECKED_RETURN.
2026-01-09 18:17:09 -06:00
Daniel Pouzzner
d0e32f82b7 .wolfssl_known_macro_extras: fix for lexical order. 2026-01-09 17:52:37 -06:00
Daniel Pouzzner
a043b7a8d6 wolfcrypt/src/rng_bank.c, wolfssl/wolfcrypt/rng_bank.h, wolfcrypt/test/test.c:
* add WC_RNG_BANK_STATIC to WC_RNG_BANK_SUPPORT, supporting WOLFSSL_NO_MALLOC;

* in random_bank_test(), fix gate around _NO_VECTOR_OPS sha256.sha_method test (WOLFSSL_SMALL_STACK_CACHE, and USE_INTEL_SPEEDUP not WC_HAVE_VECTOR_SPEEDUPS);

* in definition of struct wc_rng_bank_inst, accommodate WOLFSSL_NO_ATOMICS builds;

wolfssl/wolfcrypt/random.h: in definition of struct WC_RNG, add gate to avoid empty union in !HAVE_HASHDRBG configs.
2026-01-09 17:52:37 -06:00
Daniel Pouzzner
a091ed9151 Merge pull request #9590 from philljj/fips_bsdkm
Fips bsdkm
2026-01-09 17:51:11 -06:00
Hideki Miyazaki
7b577f8914 change byte to char 2026-01-10 07:32:21 +09:00
Paul Adelsbach
e62c94d5e3 Cleanup AddCRL mutex and alloc/free 2026-01-09 10:44:06 -08:00
David Garske
2d3941056b Merge pull request #9630 from gasbytes/signedAttribsCount-fix
Increment signedAttribsCount with the right number of attributes it encoded
2026-01-09 10:06:01 -08:00
jordan
99527be3bf bsdkm: review cleanup. 2026-01-09 08:07:28 -06:00
Hideki Miyazaki
d4760b148d addressed review comments 2026-01-09 09:10:49 +09:00
Sean Parkinson
819eab8b46 Merge pull request #9609 from Frauschi/memory_leak_fix
Fix memory leak in case of handshake error
2026-01-09 10:10:31 +10:00
Hideki Miyazaki
d052128830 addressed review comments 2026-01-09 09:01:14 +09:00
Daniel Pouzzner
d555c1aaaa Merge pull request #9619 from rlm2002/coverity
20260106 Coverity fixes
2026-01-08 15:03:43 -06:00
David Garske
f8b5352e50 Merge pull request #9612 from Frauschi/zephyr_track_memory
Add Zephyr support for TRACK_MEMORY
2026-01-08 13:01:18 -08:00
David Garske
9fe3b195e1 Merge pull request #9605 from Frauschi/build_system_fixes
Build systems improvements
2026-01-08 13:00:57 -08:00
David Garske
7258697b0c Merge pull request #9629 from per-allansson/fix-ios-xcode-builds
IDE/XCODE: fix file types for asm.S files
2026-01-08 12:27:44 -08:00
Reda Chouk
9c7b586565 Increment signedAttribsCount with the right number of attributes it
encoded
2026-01-08 20:46:47 +01:00
David Garske
4f1d578212 Merge pull request #9610 from Frauschi/pre_master_secret_size
Remove PQC-based buffer size increase for PreMasterSecret
2026-01-08 11:18:19 -08:00
David Garske
198eac24d3 Merge pull request #9606 from Frauschi/cleanup_decode_private_key
Cleanup for DecodePrivateKey() functionality
2026-01-08 11:09:44 -08:00
David Garske
d25f98fd82 Merge pull request #9584 from miyazakh/fix_qtfail
Fix qt jenkins nightly test failure
2026-01-08 10:58:20 -08:00
David Garske
133d29dcef Merge pull request #9626 from rizlik/name_contraints_fixes
asn: MatchBaseName fixes
2026-01-08 10:56:53 -08:00
David Garske
f57484d1b3 Merge pull request #9616 from douzzer/20251230-persistent-drbg
20251230-persistent-drbg
2026-01-08 10:54:45 -08:00
David Garske
b609fe28ca Merge pull request #9611 from Frauschi/psk_compile_fix
Fix for PSK compile option
2026-01-08 10:52:57 -08:00
Tobias Frauenschläger
b934d9587a Add Zephyr support for TRACK_MEMORY 2026-01-08 19:27:24 +01:00
David Garske
97d9bfcea6 Merge pull request #9601 from rizlik/early_data_client_side_fixes
check that we are resuming in write_early_data + minor fixes
2026-01-08 10:26:48 -08:00
David Garske
71f3bd4cd3 Merge pull request #9627 from SparkiDev/aarch64_asm_chacha20_256
ChaCha20 Aarch64 ASM fix: 256-bit case fixed
2026-01-08 10:24:48 -08:00
David Garske
d290caa848 Merge pull request #9608 from Frauschi/typo_fix
Fix for WOLFSSL_BLIND_PRIVATE_KEY and WOLFSSL_DUAL_ALG_CERTS
2026-01-08 10:23:30 -08:00
Tobias Frauenschläger
05dc9f0449 Fix memory leak in case of handshake error
Make sure peer dilithium key is properly freed in case the handshakes fails.
2026-01-08 16:50:28 +01:00
Per Allansson
c979f95648 IDE/XCODE: fix file types for asm.S files 2026-01-08 16:47:04 +01:00
Hideki Miyazaki
08876e278a Fix CRL Number hex string buffer overflow in CRL parser 2026-01-08 17:25:19 +09:00
Sean Parkinson
883ceecf8a ChaCha20 Aarch64 ASM fix: 256-bit case fixed
Fixed the 256-bits at a time crypt assembly code.

Add a chunking test for ChaCha20.
2026-01-08 18:01:15 +10:00
Daniel Pouzzner
0059f1647e move WC_RNG_BANK_SUPPORT implementation from wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h to new files wolfcrypt/src/rng_bank.c and wolfssl/wolfcrypt/rng_bank.h;
wolfcrypt/src/rng_bank.c:

  * add wc_local_rng_bank_checkout_for_bankref, wc_BankRef_Release(), wc_rng_bank_new(), and wc_rng_bank_free();

  * in wc_rng_bank_checkin(), take a struct wc_rng_bank_inst **rng_inst and NULL it before return;

  * in wc_rng_bank_init(), add a devId arg, and handle devId in wc_rng_bank_inst_reinit();

  * add WC_RNG_BANK_INST_LOCK_* and use them in wc_rng_bank_checkout() and wc_rng_bank_checkin();

  * fix order of operations in wc_rng_bank_checkout() re DISABLE_VECTOR_REGISTERS();

wolfcrypt/src/random.c:

  * refactor per-instance salting for wc_rng_bank_inst: remove changes in Hash_df(), Hash_DRBG_Instantiate(), and _InitRng(), and in wc_rng_bank_init() and wc_rng_bank_inst_reinit(), use wc_InitRngNonce_ex() and pass the wc_rng_bank_inst pointer as the nonce;

  * simplify the WC_RNG_BANK_SUPPORT variant of wc_RNG_GenerateBlock() -- delegate to wc_local_rng_bank_checkout_for_bankref() and remove supplementary error checking;

  * in wc_FreeRng(), call wc_BankRef_Release() when WC_DRBG_BANKREF, and in wc_BankRef_Release(), fix refcount flub (not wolfSSL_RefFree, rather wolfSSL_RefDec);

  * streamline the WOLFSSL_LINUXKM wc_GenerateSeed();

wolfcrypt/test/test.c: add random_bank_test();

linuxkm/lkcapi_sha_glue.c: use WC_RNG_BANK_INST_TO_RNG() opportunistically;

configure.ac: add --enable-amdrdseed as a synonym for --enable-amdrand;

linuxkm/linuxkm_wc_port.h: when LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT, don't include get_random_bytes() in struct wolfssl_linuxkm_pie_redirect_table;

add various comments for clarity.
2026-01-07 22:54:07 -06:00
Daniel Pouzzner
1e0351a69b wolfssl/wolfcrypt/random.h and wolfssl/wolfcrypt/async.h: use #ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES, not #if HAVE_ANONYMOUS_INLINE_AGGREGATES. 2026-01-07 22:54:07 -06:00
Daniel Pouzzner
98ffc519b4 wolfssl/wolfcrypt/types.h: if _MSC_VER, disable HAVE_ANONYMOUS_INLINE_AGGREGATES by default. 2026-01-07 22:54:07 -06:00
Daniel Pouzzner
c1d2828daf wolfcrypt/src/random.c, wolfssl/wolfcrypt/random.h, wolfssl/wolfcrypt/wc_port.h, linuxkm/lkcapi_sha_glue.c: fixes from autotesting:
* refactor to eliminate recursion in wc_RNG_GenerateBlock();
* refactor enum wc_rng_bank_flags as word32 and macros;
* fix -Wconversions, -Wunused, and stray EINVAL in wc_rng_bank_init();
* make struct wc_rng_bank_inst a top-level definition for C++ compat;
* fix several bugprone-macro-parentheses.
2026-01-07 22:54:07 -06:00
Daniel Pouzzner
b87af914bc configure.ac: add handling for --enable-rng-bank, and add it to the all-crypto feature set. 2026-01-07 22:54:07 -06:00
Daniel Pouzzner
b2199e9862 linuxkm/{lkcapi_dh_glue.c,lkcapi_ecdh_glue.c,lkcapi_rsa_glue.c}: use LKCAPI_INITRNG() rather than wc_InitRng(), and remove calls to LKCAPI_INITRNG_FOR_SELFTEST(). also, in km_rsa_ctx_init_rng(), recognize WC_DRBG_BANKREF as a usable RNG status. 2026-01-07 22:54:07 -06:00
Daniel Pouzzner
1c6ef8b621 linuxkm/lkcapi_sha_glue.c:
* refactor to use new wc_rng_bank facility:
  * wc_linuxkm_drbg_init_tfm()
  * wc_linuxkm_drbg_exit_tfm()
  * get_drbg() (renamed to linuxkm_get_drbg())
  * put_drbg() (renamed to linuxkm_put_drbg())
  * wc_linuxkm_drbg_generate()
  * wc_linuxkm_drbg_seed()
  * wc_mix_pool_bytes()
  * wc_crng_reseed()
* add:
  * linuxkm_affinity_lock()
  * linuxkm_affinity_get_id()
  * linuxkm_affinity_unlock()
  * linuxkm_InitRng_DefaultRef()
* remove:
  * get_drbg_n()
  * drbg_init_from()
  * fork_default_rng()
  * LKCAPI_INITRNG_FOR_SELFTEST.
* when LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT, define LKCAPI_INITRNG to linuxkm_InitRng_DefaultRef, else define it to wc_InitRng().
2026-01-07 22:54:07 -06:00
Daniel Pouzzner
3c15be6610 wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h: implement WC_RNG_BANK_SUPPORT:
* add WC_DRBG_BANKREF status code;
* add `struct wc_rng_bank *bankref` to struct WC_RNG, and move status slot out from HAVE_HASHDRBG gate;
* add WC_DRBG_MAX_SALT_SZ, and add saltSz and salt slots to struct DRBG_internal;
* add salt handling to Hash_df(), Hash_DRBG_Instantiate(), and _InitRng();
* add types:
  * enum wc_rng_bank_flags
  * struct wc_rng_bank
* add implementations:
  * wc_rng_bank_init()
  * wc_rng_bank_set_affinity_handlers()
  * wc_rng_bank_fini()
  * wc_rng_bank_checkout()
  * wc_rng_bank_checkin()
  * wc_rng_bank_inst_reinit()
  * wc_rng_bank_seed()
  * wc_rng_bank_reseed()
  * wc_InitRng_BankRef()
  * wc_rng_new_bankref()
  * WC_RNG_BANK_INST_TO_RNG()
* in wc_RNG_GenerateBlock() and wc_FreeRng(), add WC_RNG_BANK_SUPPORT sections;

wolfcrypt/src/random.c: in WC_VERBOSE_RNG messages, add "ERROR: " prefixes to text to assure pickup by autotesting.  also fixed line lengths.
2026-01-07 22:54:07 -06:00
Daniel Pouzzner
6c8ff6dfa9 linuxkm/x86_vector_register_glue.c: in wc_save_vector_registers_x86(), don't render warning of call while non-preemptible if WC_SVR_FLAG_INHIBIT was passed in. 2026-01-07 22:54:07 -06:00
Daniel Pouzzner
dd158b073c linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: remove WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES gate around setup for wolfssl_linuxkm_pie_redirect_table.dump_stack.
linuxkm/module_hooks.c: in wc_linuxkm_relax_long_loop(), use cpu_relax() as a fallback when non-preemptible.
2026-01-07 22:54:07 -06:00
Daniel Pouzzner
500c790b18 wolfssl/wolfcrypt/settings.h:
* add FIPS_VERSION_NE();
* move more generic setup code from WOLFSSL_LINUXKM/WOLFSSL_BSDKM to kernel-generic WOLFSSL_KERNEL_MODE; fix WOLFSSL_OLD_PRIME_CHECK setup to exclude FIPS.
2026-01-07 22:54:06 -06:00
Daniel Pouzzner
32b1598db1 wolfcrypt/src/wc_port.c and wolfssl/wolfcrypt/wc_port.h: in wolfSSL_RefFree() and wolfSSL_RefWithMutexFree(), zero the refcount (valid refcount objects are initialized to count of 1); add wolfSSL_RefCur(). 2026-01-07 22:54:06 -06:00
Daniel Pouzzner
f1dd234ac9 wolfcrypt/src/error.c, wolfssl/wolfcrypt/error-crypt.h: add BUSY_E and ALREADY_E. 2026-01-07 22:54:06 -06:00
Hideki Miyazaki
cdd75ff5ef fix indent 2026-01-08 08:46:22 +09:00
Ruby Martin
6090ddb3f3 initialize hmac_copy
add WC_CALLOC_VAR_EX function, replace WC_ALLOC_VAR_EX in tests
2026-01-07 15:43:16 -07:00
Hideki Miyazaki
6392c2b420 undo changes
fix indentation
2026-01-08 07:10:25 +09:00
David Garske
6264c115cc Merge pull request #9563 from LinuxJedi/renode
Add Renode GH Action for STM32H753
2026-01-07 09:51:30 -08:00
David Garske
5c2c4599ed Merge pull request #9537 from SparkiDev/aarch64_darwin_addr_calc_fix
ARM64 ASM: Darwin specific address calc fix
2026-01-07 09:50:05 -08:00
Marco Oliverio
94dc7ae9ad asn: MatchBaseName fixes 2026-01-07 17:53:43 +01:00
Josh Holtrop
a9b2e83d1c Rust wrapper: add one-shot XChaCha20-Poly1305 encrypt/decrypt functions 2026-01-07 11:43:08 -05:00
David Garske
cf9016b29f Merge pull request #9622 from SparkiDev/rsa_pkcs15_verify_bounds_check
RSA PKCS#1.5 verify: bounds check input
2026-01-07 08:26:24 -08:00
David Garske
84aeeb655f Merge pull request #9580 from SparkiDev/curve25519_smul_improv
Curve25519 improvements
2026-01-07 08:25:41 -08:00
David Garske
19f7b946f5 Merge pull request #9621 from SparkiDev/mlkem_check_pub
MLKEM: check public key when decoding
2026-01-07 08:24:51 -08:00
David Garske
dd8d2a2d4d Merge pull request #9575 from SparkiDev/dilithium_16_bit_fixes
MLDSA/Dilithium: fix 16-bit int issues
2026-01-07 08:24:22 -08:00
David Garske
b5d3c87876 Merge pull request #9603 from SparkiDev/ppc32_sha256_asm_reg
PPC32 ASM: alternative C code with registers prepended
2026-01-07 08:23:55 -08:00
David Garske
315ebf5be6 Merge pull request #9615 from SparkiDev/arm32_aes_block_inline
AES ARM32/Thumb2: option to inline block
2026-01-07 08:21:51 -08:00
Tobias Frauenschläger
87182992b8 Fix for PSK compile option
The derivation of the ResumptionSecret is only necessary in case SessionTickets are enabled.
2026-01-07 16:58:52 +01:00
Marco Oliverio
50b39c91da fixup! (d)tls13: check if early data is possible in write_early_data 2026-01-07 14:30:16 +01:00
Tobias Frauenschläger
b8cb5bee87 Cleanup for DecodePrivateKey() functionality
* Create a new method DecodePrivateKey_ex() that gets the key to decode as parameters
* Adapt DecodePrivateKey() and DecodeAltPrivateKey() to use this new method
* Fix unblinding for TLS 1.3 Dual Algorithm Certificate alternative keys

This removes a lot of nearly duplicate code and simplifies maintenance.
2026-01-07 13:45:11 +01:00
Takashi Kojo
5f68ea087a Merge pull request #9562 from kojiws/sync_ja_doc_rsa
[JA] Sync Japanese RSA Part with English on API Document
2026-01-07 18:18:53 +09:00
Sean Parkinson
80a0f6bb32 RSA PKCS#1.5 verify: bounds check input
As long as NO_RSA_BOUNDS_CHECK is not defined, the input range is
checked for verification.
2026-01-07 17:49:50 +10:00
Sean Parkinson
2a08fbe3ed MLKEM: check public key when decoding
Check that the public key values are less than Q when decoding.
2026-01-07 13:11:15 +10:00
Hideki Miyazaki
c6dd1a745e boundary check 2026-01-07 09:19:43 +09:00
Hideki Miyazaki
c923c4c026 fix compile error 2026-01-07 07:16:28 +09:00
Hideki Miyazaki
30fe079763 Addressed review comments 2026-01-07 06:55:22 +09:00
Hideki Miyazaki
10d3e251fd fix qt jenkins nightly test failure 2026-01-07 06:55:22 +09:00
Sean Parkinson
eab58ae226 Merge pull request #9599 from holtrop-wolfssl/rust-chacha20-poly1305
Rust wrapper: add wolfssl_wolfcrypt::chacha20_poly1305 module
2026-01-06 20:28:24 +10:00
Sean Parkinson
b293a1cc5c Merge pull request #9591 from rlm2002/coverity
20251229 Coverity Dereference before Null check
2026-01-06 20:25:01 +10:00
Sean Parkinson
5343cb386a Merge pull request #9588 from kareem-wolfssl/ghAlerts
Fix incorrect alerts.
2026-01-06 20:22:51 +10:00
Sean Parkinson
a1089ba9f2 AES ARM32/Thumb2: option to inline block
Branching to a common block encrypt/decrypt may work for assembly but
not always for C code.
Added option, for assembly and inline assembly, to inline block
encrypt/decrypt: WOLFSSL_ARMASM_AES_BLOCK_INLINE.
2026-01-06 11:24:21 +10:00
Sean Parkinson
38241227a2 Curve25519 improvements
Add non-constant time implemenations of mod_inv for x64 and Aarch64
assembly.

Generate base point table, with better formatting, for double smul with
a script.
Increase Bi table size to 32 entries for 64-bit asm.
Minor improvements to double smul.

WOLFSSL_CURVE25519_NOT_USE_ED25519 to not use ed25519 base smul in
curve25519 base smul.
2026-01-06 10:24:21 +10:00
Daniel Pouzzner
83f7204f99 Merge pull request #9597 from sameehj/rhel9_linuxkm_sign
linuxkm: handle RHEL9 disabled akcipher sign/decrypt ops
2026-01-05 17:23:45 -06:00
Sean Parkinson
a20d5f7b9d Merge pull request #9613 from philljj/fix_ecc_test_name
wolfcrypt test: fix ecc521 err msg.
2026-01-06 08:49:01 +10:00
jordan
842511b0ef wolfcrypt test: fix ecc521 err msg. 2026-01-05 12:25:53 -06:00
Sameeh Jubran
d27c04bbca linuxkm: handle RHEL9 disabled akcipher sign/decrypt ops
RHEL9 kernels (9.6+) disable RSA signing and decryption in the kernel
crypto API for security reasons (CVE-2023-6240). The kernel forcibly
overwrites akcipher sign/decrypt callbacks to return -ENOSYS, regardless
of what the driver provides.

Commit 3709c35c in the RHEL kernel:
"crypto: akcipher - Disable signing and decryption"

This affects our self-tests which call crypto_akcipher_sign() and
crypto_akcipher_decrypt(). On RHEL9, these operations return -ENOSYS
even though our driver correctly implements them.

Add compile-time checks for RHEL_RELEASE_CODE >= 9.6 to detect this
scenario and skip the affected self-tests gracefully. The tests pass
since the algorithms are registered correctly; the kernel simply
refuses to execute sign/decrypt operations as a matter of policy.

Note: encrypt and verify operations are unaffected and continue to be
tested normally.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-01-05 19:42:29 +02:00
Tobias Frauenschläger
116260762f Fix for WOLFSSL_BLIND_PRIVATE_KEY and WOLFSSL_DUAL_ALG_CERTS 2026-01-05 17:26:11 +01:00
Tobias Frauenschläger
62764d08e4 Remove PQC-based buffer size increase for PreMasterSecret
The size of the PreMasterSecret buffer is based on the ENCRYPT_LEN
constant, which has been increased to 5kB for PQC support (Dilithium and
Falcon, as their signatures are that large).

However, only in the TLS 1.2 case, the PreMasterSecret buffer is used to
store signatures. In the TLS 1.3 path, only actual symmetric secrets are
stored in that buffer, which are much smaller in size (the "old" size of
the constant without the PQC increase).

As PQC is only allowed in TLS 1.3 and NOT in TLS 1.2, we can revert
that size increase, saving around 4,5kB of dynamic memory during the
handshake.
2026-01-05 15:58:53 +01:00
Tobias Frauenschläger
99bde324aa Build systems improvements
* Add `WOLFSSL_USER_SETTINGS` to CMake `options.h.in`
* Add CMake support for Dilithium
* Add user_settings.h support for aes_asm.S
* Add PKCS#11 support to CMake
* Minor ARM assembly port fixes
2026-01-05 15:46:58 +01:00
Josh Holtrop
9007d12d2a Rust wrapper: add wolfssl_wolfcrypt::chacha20_poly1305 module 2026-01-05 08:44:34 -05:00
Andrew Hutchings
4b606ebbeb Fix trailing whitespace and flush-left 2026-01-05 13:39:43 +00:00
Andrew Hutchings
0c4ca257a0 Add Renode GH Action for STM32H753
This adds bare metal wolfCrypt test with hardware RNG and AES-GCM for
STM32H753 using Renode.

Renode does not support HASH HAL at this time.
2026-01-05 13:39:43 +00:00
Sean Parkinson
99692003d4 PPC32 ASM: alternative C code with registers prepended
C implementation with registers prepended with letter 'r'.
2026-01-05 21:12:10 +10:00
Marco Oliverio
7b9d3748cf tls13: early_data: prevent earlyData reset on re-entry
Avoid resetting ssl->earlyData in wolfSSL_write_early_data when the
function is re-entered due to WC_PENDING_E, WANT_WRITE, or WANT_READ.
2026-01-05 10:40:34 +01:00
Marco Oliverio
29941d5645 (d)tls13: check if early data is possible in write_early_data 2026-01-05 10:35:02 +01:00
Marco Oliverio
d9bba72b8c tls13: merge guarded code in a single section 2026-01-05 09:04:36 +01:00
David Garske
80c1228a38 Merge pull request #9594 from holtrop-wolfssl/rust-curve25519
Rust wrapper: add wolfssl_wolfcrypt::curve25519 module
2025-12-31 12:45:43 -08:00
Daniel Pouzzner
bbd3d4f55d Merge pull request #9579 from dgarske/coding_standard_20251223
Add new coding standard for local (internal) function names
2025-12-31 11:55:58 -06:00
philljj
776512846f Merge pull request #9598 from fabiankeil/unbreak-freebsd-build
tests: Unbreak the build on FreeBSD-based systems
2025-12-31 10:31:52 -06:00
Fabian Keil
21f35137a1 tests: Unbreak the build on FreeBSD-based systems
... by using the same additional includes as on Linux.

Fixes:

      CC       tests/api/unit_test-test_rsa.o
    tests/api.c:19554:9: error: call to undeclared function 'waitpid'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration]
     19554 |         waitpid(pid, &waitstatus, 0);
	   |         ^

Tested on ElectroBSD amd64 14.3-STABLE.
2025-12-31 14:48:06 +01:00
Daniel Pouzzner
cb78341886 Merge pull request #7586 from kareem-wolfssl/gh7197
Keep RNG seed file descriptor open until the RNG is freed.
2025-12-30 15:57:25 -06:00
philljj
5fa06818c0 Merge pull request #9595 from douzzer/20251229-linuxkm-rng-wolfentropy
20251229-linuxkm-rng-wolfentropy
2025-12-30 14:50:53 -06:00
Kareem
ddb2fb628e Add a runtime option to enable or disable the secure renegotation check. 2025-12-30 13:19:04 -07:00
Kareem
1773a4ab41 Send no_renegotiation alert when rejecting renegotation attempt as defined in RFC 5246 section 7.2.2. 2025-12-30 13:18:48 -07:00
Daniel Pouzzner
0621615b15 wolfcrypt/src/random.c: remove WC_VERBOSE_RNG messaging from wc_RNG_TestSeed(), which is called by test code with expected failure, and move it to _InitRng() and PollAndReSeed(), where it's always expected to succeed. 2025-12-30 13:27:31 -06:00
Daniel Pouzzner
299ca1cfef fixes from peer review: added comments for clarity, and remove errant condition added in _InitRng(). 2025-12-30 12:13:15 -06:00
JacobBarthelmeh
7a2e1c1dd0 Merge pull request #9585 from dgarske/add-missing-api-docs
Add missing API documentation
2025-12-30 09:37:22 -07:00
Josh Holtrop
8c125df85e Rust wrapper: ensure curve25519_key struct will have free called after init 2025-12-30 10:46:44 -05:00
Daniel Pouzzner
d504baaf3a linuxkm/lkcapi_sha_glue.c and .wolfssl_known_macro_extras: fixes from check-source-text. 2025-12-29 20:55:36 -06:00
Daniel Pouzzner
450b0b46c6 wolfcrypt/src/random.c and wolfssl/wolfcrypt/settings.h: add WC_VERBOSE_RNG messages, and activate by default when WOLFSSL_KERNEL_MODE. 2025-12-29 20:55:36 -06:00
Daniel Pouzzner
fecc1cffe7 linuxkm/lkcapi_sha_glue.c: add retry loop around wc_InitRng(), and allow interrupt in preemptible threads, in wc_linuxkm_drbg_init_tfm(). 2025-12-29 20:55:36 -06:00
Daniel Pouzzner
1844b8e3ac linuxkm/Makefile: fix bash cleanup in recipe for libwolfssl.ko -- new trap for an event replaces previous trap rather than adding to it. 2025-12-29 20:55:36 -06:00
David Garske
d39b0e6f82 Fixes from peer review. 2025-12-29 17:30:23 -08:00
David Garske
0d44018627 Merge pull request #9593 from julek-wolfssl/copilot/changes-20251229
Add AGENTS.md to .gitignore
2025-12-29 17:22:39 -08:00
Anthony Hu
48ebe99372 Validate asn date based on position of Z (#8603) 2025-12-29 16:01:22 -06:00
Josh Holtrop
e971cb6942 Rust wrapper: avoid warning when neither blake2b nor blake2s is enabled 2025-12-29 14:33:25 -05:00
Josh Holtrop
0a834bed7a Rust wrapper: add wolfssl_wolfcrypt::curve25519 module 2025-12-29 14:33:25 -05:00
Juliusz Sosinowicz
730b0d3e38 Add AGENTS.md to .gitignore 2025-12-29 19:01:50 +01:00
David Garske
5dee8ddfcb Merge pull request #9586 from holtrop-wolfssl/rust-blake2
Rust wrapper: add wolfssl_wolfcrypt::blake2 module
2025-12-29 09:55:58 -08:00
Ruby Martin
39056bb262 move null check to prevent dereference before null check issue
add new scope, whitespace
2025-12-29 10:55:13 -07:00
David Garske
ea8af7ae71 Merge pull request #9592 from julek-wolfssl/fix/coverity-tls-frag
Fix Coverity (D)TLS fragmentation size checks
2025-12-29 09:54:32 -08:00
David Garske
17e992ab3f Merge pull request #9589 from douzzer/20251226-fixes
20251226-fixes
2025-12-29 09:20:16 -08:00
David Garske
8bcac03086 Fix duplicated wc_rng_free and wc_rng_new 2025-12-29 08:52:17 -08:00
David Garske
5b5686c53c Peer review improvements. 2025-12-29 08:37:51 -08:00
Juliusz Sosinowicz
f2d24404c8 Fix Coverity (D)TLS fragmentation size checks
Add MAX_RECORD_SIZE-based bounds checks in SendHandshakeMsg and Dtls13SendFragmentedInternal to prevent negative/overflowed fragment sizes from reaching memcpy/BuildMessage/DtlsMsgPoolSave.
2025-12-29 17:16:04 +01:00
jordan
b33a8568c3 bsdkm: small cleanup. 2025-12-28 10:32:18 -06:00
jordan
e4996c317e bsdkm: fips support. 2025-12-28 10:16:53 -06:00
Daniel Pouzzner
7bbd28d369 wolfcrypt/src/aes.c: fix clang-diagnostic-unreachable-code in AesSetKey_C(). 2025-12-26 18:13:44 -06:00
Daniel Pouzzner
283792c207 linuxkm/lkcapi_sha_glue.c: in wc_linuxkm_drbg_startup(), deinstall the callbacks and stdrng first before checking refcnt. 2025-12-26 16:41:43 -06:00
Kareem
7d04a53a6c Update X509_get_default_cert_* stubs to return empty strings.
According to the documentation, these functions must return static strings, so NULL was not valid.

Fixes #6474.
2025-12-26 15:26:05 -07:00
Kareem
6145f3aba2 Fix incorrect alert being sent when wolfSSL receives unexpected PSK extension.
Fixes #9503.
2025-12-26 15:24:14 -07:00
Kareem
a7b83b06c1 Alert on out of order message with unexpected_message.
Fixes #9531.
2025-12-26 15:23:23 -07:00
Daniel Pouzzner
3b3ddd1fb4 wolfcrypt/src/random.c: in wc_GenerateSeed(), move the gate closures for !FORCE_FAILURE_RDSEED and !ENTROPY_MEMUSE_FORCE_FAILURE to follow the /dev/urandom fallback method. 2025-12-26 14:16:11 -06:00
Kareem
17b6ce7b7b Add parenthesis around XBADFD. 2025-12-26 12:38:54 -07:00
Kareem
d09b5ee1f1 Add duplicate entry error to distinguish cases where a duplicate CRL is rejected. 2025-12-26 12:02:35 -07:00
Daniel Pouzzner
b487287abf wolfcrypt/benchmark/benchmark.c: smallstack refactor of bench_mlkem_encap() 2025-12-26 12:45:26 -06:00
Josh Holtrop
bbac280890 Rust wrapper: add wolfssl_wolfcrypt::blake2 module 2025-12-26 13:02:27 -05:00
David Garske
77d9410aa0 Add missing API documentation for Doxygen:
This PR adds Doxygen documentation for native wolfSSL API functions that were previously undocumented. It includes documentation notes for APIs gated on specific preprocessor macros:

- WOLF_PRIVATE_KEY_ID: _Id and _Label init helpers (wc_AesInit_Id, wc_AesInit_Label, wc_ecc_init_id, wc_ecc_init_label, wc_InitRsaKey_Id, wc_InitRsaKey_Label) require this for PKCS11 support

- WC_NO_CONSTRUCTORS: New/Delete constructor functions (wc_AesNew/Delete, wc_curve25519_new/delete, wc_ed25519_new/delete, wc_NewRsaKey/DeleteRsaKey) are only available when this is not defined. WC_NO_CONSTRUCTORS is automatically defined when WOLFSSL_NO_MALLOC is defined.

- WOLFSSL_PUBLIC_ASN: ASN functions marked with WOLFSSL_ASN_API include  notes indicating they are not public by default

- WOLFSSL_DUAL_ALG_CERTS: wc_GeneratePreTBS and wc_MakeSigWithBitStr for Post-Quantum dual algorithm certificate signing

The New/Delete functions are documented as being exposed to support allocation of structures using dynamic memory to provide better ABI compatibility.
2025-12-26 08:41:56 -08:00
David Garske
73ee89a2fc Improve no-void-functions rule 2025-12-26 08:06:37 -08:00
David Garske
e70e7cb144 Merge pull request #9583 from kareem-wolfssl/gh8152_2
Update CMake logic to allow WOLFSSL_SYS_CA_CERTS without filesystem support on Windows/Mac.
2025-12-26 07:48:43 -08:00
David Garske
1744c11686 Merge pull request #9570 from kareem-wolfssl/variousFixes
Add SSL_get_rfd and SSL_get_wfd.  Various documentation updates.
2025-12-26 07:47:17 -08:00
David Garske
c3e65153cc Improve the Devin lifeguard coding standard rules 2025-12-26 07:39:37 -08:00
David Garske
48d6811e04 Merge pull request #9582 from douzzer/20251224-wc_GenerateSeed-unreachable-code
20251224-wc_GenerateSeed-unreachable-code
2025-12-26 07:38:07 -08:00
Koji Takeda
51d49658d4 Update Japanese RSA API document 2025-12-26 09:16:33 +09:00
Kareem
0a02f5ef6b Code review feedback 2025-12-24 17:12:40 -07:00
Kareem
496d124736 Merge remote-tracking branch 'upstream/master' into gh7197 2025-12-24 17:05:04 -07:00
Kareem
f98229554b Update CMake logic to allow WOLFSSL_SYS_CA_CERTS without filesystem support on Windows/Mac. 2025-12-24 17:02:25 -07:00
Daniel Pouzzner
f4f4c7cfae src/ssl.c: fix clang-analyzer-deadcode.DeadStores in check_cert_key(). 2025-12-24 17:49:33 -06:00
Daniel Pouzzner
a944575e4b wolfcrypt/src/random.c: fix clang-diagnostic-unreachable-code in wc_GenerateSeed(). 2025-12-24 17:48:37 -06:00
Takashi Kojo
ff14797c3a Merge pull request #9552 from tamasan238/pr9458
[JA] Fix issues with the API documentation
2025-12-25 08:28:21 +09:00
Daniel Pouzzner
019a420187 Merge pull request #9568 from kareem-wolfssl/zd20947
Add a flag which allows requesting exactly SEED_SZ and using the full seed to instantiate the DRBG during RNG init.
2025-12-24 17:03:26 -06:00
Takashi Kojo
09ce46e2d5 Merge pull request #9581 from tamasan238/pr9578
[JA] Correct the API docs for wolfSSL_write_early_data()
2025-12-25 07:34:57 +09:00
Masaki I.
ee8fcf9d36 [JA] Correct the API docs for wolfSSL_write_early_data() 2025-12-24 14:53:10 +09:00
David Garske
2354ea196b Merge pull request #9513 from rizlik/dtls_header_fix
fix DTLS header headroom accounting
2025-12-23 17:20:12 -08:00
David Garske
0fae0a7ba6 Merge pull request #9397 from rizlik/earlydata_want_write_fixes
wolfssl: preserve early-data handling across WANT_WRITE retries
2025-12-23 17:19:39 -08:00
David Garske
d885749c09 Merge pull request #9561 from miyazakh/renesas_ssp_upgrade
add Renesas SK-S7G2 support
2025-12-23 15:15:45 -08:00
David Garske
57ef8a7caf Merge pull request #9574 from anhu/dtls_guard
Guard a bit of DTLS code.
2025-12-23 15:03:46 -08:00
David Garske
18176392fa Merge pull request #9576 from douzzer/20251222-linuxkm-PK-initrng-optimize
20251222-linuxkm-PK-initrng-optimize
2025-12-23 15:02:53 -08:00
Marco Oliverio
149bf19b4c split overlong line 2025-12-23 23:41:52 +01:00
Marco Oliverio
2e63845531 use wolfssl_local as local functions prefix 2025-12-23 23:39:07 +01:00
David Garske
96e2e80108 Add new coding standard for local (internal) function names. 2025-12-23 14:32:08 -08:00
Marco Oliverio
bafb8e56d5 use wolfssl_local_ as local functions prefix 2025-12-23 23:32:08 +01:00
Kareem
06d8f69dac Separate new /dev/urandom opening logic into a new section in wc_GenerateSeed. 2025-12-23 14:52:52 -07:00
Kareem
cb81cc8ce6 Merge remote-tracking branch 'upstream/master' into gh7197 2025-12-23 14:43:57 -07:00
Hideki Miyazaki
ba63d81441 add .gitignore to include.am 2025-12-24 06:36:08 +09:00
Hideki Miyazaki
75fad16f20 addressed code review comments 2025-12-24 05:59:09 +09:00
Anthony Hu
40327b7fe3 Binary consts to hexidecimal. C2X feature. 2025-12-23 14:45:36 -05:00
Daniel Pouzzner
b66f1b78a7 peer/Devin review:
* in get_crypto_default_rng() (linuxkm/lkcapi_sha_glue.c), sanity check that crypto_default_rng isn't null;
* in wc_InitRsaKey_ex(), remove frivolous NULL/zero assignments (XMEMSET clears them implicitly);
* in wc_CheckRsaKey(), check ret from wc_InitRng() and short circuit return if failed.
2025-12-23 13:05:40 -06:00
Daniel Pouzzner
da4fc4921e tests/api/test_ed25519.c: in test_wc_Ed25519PublicKeyToDer(), on old FIPS, tolerate old error code from wc_Ed25519PublicKeyToDer(). 2025-12-23 12:25:10 -06:00
Daniel Pouzzner
cd88a8ae88 peer review -- add !WC_NO_RNG gates around WC_RNG changes in wolfcrypt/src/rsa.c and wolfssl/wolfcrypt/rsa.h. 2025-12-23 11:41:59 -06:00
David Garske
d36bfabe18 Merge pull request #9560 from JacobBarthelmeh/clang
fix for shadows global declaration warning
2025-12-23 08:54:50 -08:00
David Garske
9de98cee73 Merge pull request #9569 from kareem-wolfssl/gh8152
Only enforce !NO_FILESYSTEM for WOLFSSL_SYS_CA_CERTS on non Windows/Mac systems.
2025-12-23 08:53:51 -08:00
Anthony Hu
c03c2dd541 Add tests 2025-12-23 11:48:57 -05:00
David Garske
70165c517b Merge pull request #9571 from mattia-moffa/20251222-sniffer-uint-underflow-vuln
Add missing length check in sniffer for AES-GCM/AES-CCM/ARIA-GCM
2025-12-23 08:37:50 -08:00
David Garske
776b31267c Merge pull request #9466 from SparkiDev/tls13_pt_alert_when_enc
TLS 1.3, plaintext alert: ignore when expecting encrypted
2025-12-23 08:37:00 -08:00
David Garske
86808b8a9b Merge pull request #9578 from anhu/early_data_doc
Correct the API docs for wolfSSL_write_early_data()
2025-12-23 08:14:10 -08:00
David Garske
8f089cdcfe Merge pull request #9508 from SparkiDev/ppc32_sha256_asm_pic
PPC32 SHA-256 ASM: support compiling for PIC
2025-12-23 08:12:50 -08:00
Anthony Hu
0b5e9c76ed Correct the API docs for wolfSSL_write_early_data() 2025-12-23 10:08:02 -05:00
Daniel Pouzzner
b087533fdf linuxkm/lkcapi_sha_glue.c:
* add drbg_init_from() and fork_default_rng(), and
* use the latter to define LKCAPI_INITRNG_FOR_SELFTEST() opportunistically (with fallback to plain wc_InitRng());

linuxkm/lkcapi_rsa_glue.c:
* add km_rsa_ctx_init_rng(),
* remove wc_InitRng() from km_rsa_ctx_init(),
* remove the WC_RSA_BLINDING gates around calls to wc_RsaSetRNG(), and
* call km_rsa_ctx_init_rng() before each call that needs an initialized RNG;

linuxkm/lkcapi_dh_glue.c and linuxkm/lkcapi_ecdh_glue.c: in km_ffdhe_init() and km_ecdh_init(), if linuxkm_lkcapi_registering_now, use LKCAPI_INITRNG_FOR_SELFTEST() to initialize ctx->rng;

linuxkm/lkcapi_glue.c: add notes that lkcapi_sha_glue inclusion and registrations must precede PK, and move declaration of linuxkm_lkcapi_registering_now to precede lkcapi glue inclusions.
2025-12-22 22:58:29 -06:00
Daniel Pouzzner
5030484bcf wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h:
* add WC_DRBG_{NOT_INIT,OK,FAILED,CONT_FAILED} in public header file, and
* move setup for RNG_SECURITY_STRENGTH, ENTROPY_SCALE_FACTOR, SEED_BLOCK_SZ, SEED_SZ, MAX_SEED_SZ, and RNG_HEALTH_TEST_CHECK_SIZE from random.c to random.h, with public WC_DRBG_SEED_SZ and WC_DRBG_MAX_SEED_SZ.
2025-12-22 22:58:29 -06:00
Daniel Pouzzner
b2ef89b2db wolfcrypt/src/rsa.c and wolfssl/wolfcrypt/rsa.h: make RsaKey.rng and wc_RsaSetRNG() available unconditionally, rather than only if WC_RSA_BLINDING, for use by wc_CheckRsaKey(). 2025-12-22 22:58:29 -06:00
Sean Parkinson
21c86682e0 MLDSA/Dilithium: fix 16-bit int issues
Need to cast byte or number to ensure it is large enough to shift left
by required value.
2025-12-23 09:51:38 +10:00
Sean Parkinson
b766f11e7b TLS 1.3, plaintext alert: ignore when expecting encrypted
In TLS 1.3, ignore valid unencrypted alerts that appear after encryption
has started.
Only ignore WOLFSSL_ALERT_COUNT_MAX-1 alerts.
2025-12-23 09:09:06 +10:00
Sean Parkinson
59f84355a5 Merge pull request #9573 from night1rider/aes-free-callbacks
Aes Free callback support
2025-12-23 08:47:05 +10:00
Sean Parkinson
c8f2cc5b43 Merge pull request #9566 from dgarske/ca_skid_cert_akid
Added build option to allow certificate CA matching using AKID with signers SKDI
2025-12-23 08:40:14 +10:00
Anthony Hu
cb2a80bf53 Guard a bit of DTLS code. 2025-12-22 17:05:47 -05:00
night1rider
afbc65a6c3 Aes Free callback support 2025-12-22 12:39:41 -07:00
Kareem
8de470b436 Add new WOLFSSL_RNG_USE_FULL_SEED macro to known macros. 2025-12-22 11:49:27 -07:00
Kareem
fe45b74921 Add trailing newline back to ssl.h. 2025-12-22 11:45:25 -07:00
Mattia Moffa
ca78994298 Add missing length check in sniffer for AES-GCM/AES-CCM/ARIA-GCM 2025-12-22 16:13:27 +01:00
Marco Oliverio
29d8fa7cb6 tls13: fix indentation alignment 2025-12-22 13:45:34 +01:00
Marco Oliverio
540fae80ab test_dtls: test payload split when WOLFSSL_NO_DTLS_SIZE_CHECK 2025-12-22 13:41:33 +01:00
Marco Oliverio
8cbc4047df internal: rename to use wolfssl internal prefix 2025-12-22 13:41:33 +01:00
Marco Oliverio
aa4fb5d3e5 internal: GetMaxPlainTextSize: precise pad size when adjusting for MTU 2025-12-22 13:41:33 +01:00
Marco Oliverio
1200efdeb3 internal: GetRecordSize: precise header computation on fallback path 2025-12-22 13:41:33 +01:00
Marco Oliverio
75e7d5e9bd fix: split message > MTU on WOLFSSL_NO_DTLS_SIZE_CHECK 2025-12-22 12:49:31 +01:00
Sean Parkinson
da06e1aeea Merge pull request #9558 from kareem-wolfssl/zd20944_2
Move Curve25519 public key check to make_pub/make_pub_blind to cover the case where they are called directly by an application.
2025-12-22 19:38:42 +10:00
Sean Parkinson
7a326ef43f Merge pull request #9553 from julek-wolfssl/ed25519-export-key-check
ed25519: validate presence of keys in export functions
2025-12-22 19:31:14 +10:00
Marco Oliverio
14b124769a use wolfssl internal prefix for MaybeCheckAlertOnErr 2025-12-22 10:04:50 +01:00
Marco Oliverio
12c2cdafaf rename wolfSSL_MaybeCheckAlertOnErr in wolfMaybeCheckAlertOnErr 2025-12-22 09:51:06 +01:00
Marco Oliverio
f4c48c19c1 fix: abide unused arguments when WOLFSSL_CHECK_ALER_ON_ERR is disabled 2025-12-22 09:51:06 +01:00
Marco Oliverio
38d8eb6f0d address reviewer's comments 2025-12-22 09:51:06 +01:00
Marco Oliverio
950c074c25 test: fix typo in structure field 2025-12-22 09:51:06 +01:00
Marco Oliverio
8de68decd2 test: tls13_early_data: test WANT_WRITE in early data 2025-12-22 09:51:06 +01:00
Marco Oliverio
609e30a69c test: tls13_early_data: refactor splitEarlyData test option 2025-12-22 09:51:06 +01:00
Marco Oliverio
57282140a9 WOLFSSL_CHECK_ALERT_ON_ERR: ignore non fatal errors 2025-12-22 09:51:06 +01:00
Marco Oliverio
093d77727b early_data: avoid resetting ssl->earlyData after WANT_WRITE retry 2025-12-22 09:51:06 +01:00
Marco Oliverio
a1c8790039 wolfssl: preserve early-data handling across WANT_WRITE retries
The early-data logic setups "early" exits in Accept/Connect state machine so
that the data exchanged during the handshake can be delivered to the
caller.

After the caller process the data, it usually calls Accept/Connect again
to cotinue the handshake.

Under non-blocking I/O there is the chance that these early exits are
skipped, this commit fixes that.

Server-side accept (TLS 1.3/DTLS 1.3) could skip the early-data shortcut
whenever sending the Finished flight first hit WANT_WRITE: when Accept
is called again and the data is eventually flushed into the I/O layer
the accept state is advanced past TLS13_ACCEPT_FINISHED_SENT, so the
next wolfSSL_accept() call skipped the block that marks
SERVER_FINISHED_COMPLETE and lets the application drain 0-RTT data. By
keeping the FALL_THROUGH into TLS13_ACCEPT_FINISHED_SENT and only
returning early while that handshake flag is still unset, we revisit the
shortcut immediately after the buffered flight is delivered, preserving
the intentional behaviour even under non-blocking I/O.

On the client, the same pattern showed up after SendTls13ClientHello()
buffered due to WANT_WRITE: after flushing, the connect state is already
CLIENT_HELLO_SENT so the early-data exit is no longer executed. We now
fall through into the CLIENT_HELLO_SENT case and only short-circuit once
per handshake, ensuring the reply-processing loop still executes on the
retry.
2025-12-22 09:51:05 +01:00
Hideki Miyazaki
fc583d068f add SK-S7G2 support
Update README based on copilot suggestion
2025-12-20 10:32:09 +09:00
Kareem
adf38007f4 Document wolfSSL_CTX_New's behavior on failure around WOLFSSL_METHOD.
Fixes #9517.
2025-12-19 17:19:45 -07:00
Kareem
ac98505204 Document wolfSSL_CTX_set_default_passwd_cb and wolfSSL_CTX_set_default_passwd_cb_userdata.
Fixes #6008.
2025-12-19 17:18:45 -07:00
Kareem
7c4feb5e87 Improve the error message returned by BAD_KEY_SHARE_DATA.
Fixes #9084.
2025-12-19 17:17:33 -07:00
Kareem
5b473f6b9b Add SSL_get_rfd and SSL_get_wfd.
Fixes https://github.com/wolfSSL/wolfssl-nginx/issues/25.
2025-12-19 17:16:35 -07:00
Kareem
b6766106c8 Add documentation for Base16_Encode and Base64_Encode's behavior of adding a NULL terminator byte.
Fixes #5602
2025-12-19 17:15:44 -07:00
Kareem
a1999d29ed Only enforce !NO_FILESYSTEM for WOLFSSL_SYS_CA_CERTS on non Windows/Mac systems.
wolfSSL's support for WOLFSSL_SYS_CA_CERTS uses APIs which don't depend on !NO_FILESYSTEM
on Windows/Mac.

Fixes #8152.
2025-12-19 16:37:50 -07:00
JacobBarthelmeh
0a0c43054f Merge pull request #9564 from douzzer/20251219-fixes
20251219-fixes
2025-12-19 16:24:20 -07:00
Kareem
3e59b83727 Only keep /dev/urandom open, close /dev/random after each use.
Improve logic for opening RNG seed FD.
2025-12-19 15:57:49 -07:00
Kareem
fe105d4b48 Add a flag which allows requesting exactly SEED_SZ and using the full seed to instantiate the DRBG during RNG init.
This flag can not be used with FIPS.
2025-12-19 15:25:15 -07:00
David Garske
1cb2231ff5 Added build option to allow certificate CA matching using AKID with signers SKID ( WOLFSSL_ALLOW_AKID_SKID_MATCH). Fixed issue with cert->extAuthKeyIdSz not being set with ASN template code. 2025-12-19 14:14:39 -08:00
Daniel Pouzzner
a7550346dd wolfcrypt/test/test.c: in rng_seed_test(), fix gates for FIPS 5.2.4. 2025-12-19 15:50:27 -06:00
Daniel Pouzzner
d3f74557fe wolfcrypt/src/wolfentropy.c: add volatile attribute to entropy_memuse_initialized declaration; in wc_Entropy_Get(), if HAVE_FIPS, call Entropy_Init() if necessary, to accommodate FIPS KATs; in Entropy_Init(), add thread safety. 2025-12-19 15:45:17 -06:00
JacobBarthelmeh
d5723d0d89 Merge pull request #9544 from julek-wolfssl/gh/9362
Check KeyShare after HRR
2025-12-19 14:36:31 -07:00
David Garske
1825bd86f5 Merge pull request #9550 from JacobBarthelmeh/caam
sanity checks on buffer size with AES and CAAM Integrity use
2025-12-19 11:03:40 -08:00
JacobBarthelmeh
d26c11c626 Merge pull request #9551 from josepho0918/iar
Add IAR support to WC_OFFSETOF macro
2025-12-19 11:36:33 -07:00
JacobBarthelmeh
8153ea6189 Merge pull request #9559 from cconlon/pkcs7SignedNonOctet
Fix PKCS#7 SignedData parsing for non-OCTET_STRING content types
2025-12-19 11:12:06 -07:00
Daniel Pouzzner
6f95a9c58e wolfcrypt/src/random.c: in _InitRng(), remove "drbg_instantiated" conditional cleanup logic (Coverity true-benign-positive: DEADCODE because drbg_instantiated is always false when ret != DRBG_SUCCESS). 2025-12-19 10:30:14 -06:00
Daniel Pouzzner
fb26b2dfe1 wolfcrypt/test/test.c: in HMAC tests, initialize ret, to silence uninitvar from cppcheck-force-source. 2025-12-19 09:07:14 -06:00
Daniel Pouzzner
96c47cd18c wolfcrypt/test/test.c: in _rng_test(), inhibit the WC_RESEED_INTERVAL subtest if an rng callback is installed. 2025-12-19 08:55:35 -06:00
Juliusz Sosinowicz
dd35f10b57 ed25519: validate presence of keys in export functions 2025-12-19 10:14:26 +01:00
JacobBarthelmeh
a3072c7a8d fix for shadows global declaration warning 2025-12-18 17:18:39 -07:00
Chris Conlon
afe82b9512 Fix PKCS#7 degenerate detection based on signerInfos length 2025-12-18 16:28:03 -07:00
Chris Conlon
d6dcd30736 Fix PKCS#7 streaming for non OCTET STRING content types 2025-12-18 16:28:01 -07:00
JacobBarthelmeh
bbc3a72ea8 Merge pull request #9556 from julek-wolfssl/rng-tools-timeout-fix
rng-tools: increase jitter timeout
2025-12-18 15:59:42 -07:00
Kareem
b0b840aa0f Rename fdOpen to seedFdOpen to avoid potential conflicts.
Gate keeping the seed FD open behind WOLFSSL_KEEP_RNG_SEED_FD_OPEN and only
enable by default for HAProxy.  It is causing issues on OS X and may
cause issues on other OSes, and is generally a major behavior change.
2025-12-18 15:55:35 -07:00
Kareem
c238defe23 Add cast for public_size 2025-12-18 15:32:59 -07:00
Kareem
755097d512 Track if RNG seed FD was opened and only close it if it was already open. This fixes the case where wc_FreeRng is called when _InitRng was not called on the RNG. Since the FD value defaults to 0 before _InitRng was called, and 0 is potentially a valid FD, it was being closed. 2025-12-18 15:27:00 -07:00
JacobBarthelmeh
4162f24434 Merge pull request #9555 from embhorn/zd20964
Null deref check in Pkcs11ECDH
2025-12-18 15:14:35 -07:00
Chris Conlon
5eef52c6fa Add test for PKCS#7 SignedData with non-OCTET_STRING content 2025-12-18 15:02:02 -07:00
Kareem
81d32f4fe6 Move Curve25519 public key check to make_pub/make_pub_blind to cover the case where they are called directly by an application. 2025-12-18 14:37:59 -07:00
David Garske
4e96b11cce Merge pull request #9557 from douzzer/20251218-fixes
20251218-fixes
2025-12-18 12:35:44 -08:00
Kareem
0420c942a0 Only use -1 for uninitialized fds as 0 is a valid fd. 2025-12-18 11:22:22 -07:00
Kareem
2e83b97909 Only attempt to close RNG file descriptor on platforms with XCLOSE. 2025-12-18 11:15:33 -07:00
Kareem
fb880e943b Reset fd after closing it. 2025-12-18 11:15:33 -07:00
Kareem
6bcbfec200 Initalize RNG seed fd in _InitRng. 2025-12-18 11:15:33 -07:00
Kareem
ea43bcba72 Keep RNG seed file descriptor open until the RNG is freed. 2025-12-18 11:15:33 -07:00
Daniel Pouzzner
8a8ef3512e src/internal.c: in FreeSSL_Ctx(), use wolfSSL_RefWithMutexFree(&ctx->ref), matching refactor in #8187. 2025-12-18 11:48:31 -06:00
Juliusz Sosinowicz
4e15ccec35 rng-tools: increase jitter timeout 2025-12-18 18:40:54 +01:00
Daniel Pouzzner
83e9a0780f wolfcrypt/src/wc_lms.c: fix leak in wc_LmsKey_Reload(). 2025-12-18 11:09:37 -06:00
Daniel Pouzzner
59b3219c0f wolfcrypt/test/test.c: fix memory leaks in Hmac tests. 2025-12-18 10:47:21 -06:00
Eric Blankenhorn
d1a4677a8a Null deref check in Pkcs11ECDH 2025-12-18 10:10:57 -06:00
Marco Oliverio
988ba340ba address reviewer's comments 2025-12-18 10:28:54 +01:00
Masaki I.
42e324e545 [JA] Fix issues with the API documentation 2025-12-18 18:08:59 +09:00
Joseph Chen
1484fb5069 Add IAR support to WC_OFFSETOF macro 2025-12-18 15:46:35 +08:00
Sean Parkinson
a103f5af8b Merge pull request #9545 from douzzer/20251211-DRBG-SHA2-smallstackcache-prealloc
20251211-DRBG-SHA2-smallstackcache-prealloc
2025-12-18 10:07:37 +10:00
Sean Parkinson
b7e69fb2f3 Merge pull request #9543 from kareem-wolfssl/zd20944
Check Curve25519 public key after generating one to avoid generating invalid keys.
2025-12-18 09:29:58 +10:00
JacobBarthelmeh
911e996a8d Merge pull request #9546 from SparkiDev/curve25519_base_smul_improv
Curve25519: improved smul
2025-12-17 15:28:56 -07:00
JacobBarthelmeh
498b86fabd Merge pull request #9542 from holtrop-wolfssl/rust-wolfssl-wolfcrypt-crate
Create wolfssl-wolfcrypt Rust crate
2025-12-17 12:17:51 -07:00
Daniel Pouzzner
b23f59f137 Merge pull request #9540 from sameehj/linuxkm_tegra_fips_fixes
linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)
2025-12-17 12:49:23 -06:00
JacobBarthelmeh
04a06fee0f Merge pull request #9535 from philljj/kernel_readme
linuxkm: add a readme.
2025-12-17 11:32:58 -07:00
JacobBarthelmeh
a2ab7b3e80 Merge pull request #9548 from julek-wolfssl/fix-os-check-cflags
Fix incorrect use of CFLAGS in os-check
2025-12-17 10:37:44 -07:00
JacobBarthelmeh
39a903b30c Merge pull request #9549 from embhorn/zd20965
Fix MQX example null deref
2025-12-17 10:35:43 -07:00
JacobBarthelmeh
16e035d692 Merge pull request #9547 from SparkiDev/aesgcm_ossl_arm32_asm_fix
AES-GCM ARM32/Thumb2 ASM: don't change aes->reg in decrypt
2025-12-17 10:33:38 -07:00
JacobBarthelmeh
393dab2151 Merge pull request #9524 from julek-wolfssl/zephyr-cpp
Updates for latest zephyr with cpp
2025-12-17 10:30:18 -07:00
JacobBarthelmeh
e93835acd9 sanity checks on buffer size with AES and CAAM Integrity use 2025-12-17 10:15:32 -07:00
Daniel Pouzzner
fc7d4ffad4 PR#9545 20251211-DRBG-SHA2-smallstackcache-prealloc addressing peer review: clear dest if necessary in InitHandshakeHashesAndCopy(), style tweaks in random.c, explanatory comments in sha512.c. 2025-12-17 11:07:22 -06:00
Daniel Pouzzner
33fc601011 tweaks from PRBs results:
tests/api.c:
* remove inapt SSL_library_init() in test_wolfSSL_EVP_Cipher_extra();
* move TEST_X509_DECLS to follow TEST_DECL(test_wolfSSL_Init);

tests/api/test_random.c: enlarge seed buffer in test_wc_RNG_TestSeed() to accommodate amdrand block size;

tests/quic.c: wrap exercises in wolfSSL_Init()...wolfSSL_Cleanup();

tests/unit.c: in unit_test(), add several more fflush(stdout)s, report error from wolfSSL_Cleanup(), and fix line length;

wolfcrypt/test/test.c: omit reseed test in _rng_test() if HAVE_INTEL_RDRAND or old FIPS, and use simplified random_test() if HAVE_INTEL_RDRAND;

wolfssl/wolfcrypt/mem_track.h: add memList pointer in struct memoryStats, and set it in InitMemoryTracker();

wolfssl/wolfcrypt/settings.h: undefine WOLFSSL_SMALL_STACK_CACHE if WOLFSSL_SMALL_STACK is undefined;

.github/workflows/trackmemory.yml: add --enable-intelrdseed scenario.
2025-12-17 11:01:11 -06:00
Daniel Pouzzner
e159c650ea .wolfssl_known_macro_extras: add CONFIG_CRYPTO_DRBG. 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
79d1e6b295 .github/workflows/trackmemory.yml: new workflow testing various configs with -DWC_RNG_SEED_CB -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY. 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
fb82bdbc35 wolfcrypt/test/test.c:
* in wolfcrypt_test_main(), when WOLFSSL_TRACK_MEMORY, check and error if wc_MemStats_Ptr->currentBytes > 0;
  * don't call the hash initialization APIs for hash structs that are later copied over with the hash copy API (sha224_test(), sha256_test(), sha512_test(), etc)
  * in hash_test(), either wc_HashNew() or wc_HashInit(), not both (fixes leaks);
  * in hmac_*_test(), add test coverage for wc_HmacCopy();
  * in _rng_test(), when WOLFSSL_TRACK_MEMORY && WOLFSSL_SMALL_STACK_CACHE, check that wc_MemStats_Ptr->totalAllocs doesn't increase when wc_RNG_GenerateBlock() is called, and if HAVE_HASHDRBG) && !CUSTOM_RAND_GENERATE_BLOCK, check that forcing a reseed doesn't result in an increase.
  * add missing context cleanups in openSSL_evpMD_test().
2025-12-17 11:01:10 -06:00
Daniel Pouzzner
8bd0fb0e4b wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h: refactor WOLFSSL_SMALL_STACK_CACHE support to eliminate all heap calls after init and before cleanup.
* add DRBG_internal.{seed_scratch,digest_scratch}
  * add WC_RNG.{drbg_scratch,health_check_scratch,newSeed_buf}
  * refactor to implement new WOLFSSL_SMALL_STACK_CACHE dynamics:
    * wc_RNG_HealthTestLocal()
    * Hash_df()
    * Hash_gen()
    * Hash_DRBG_Generate()
    * Hash_DRBG_Instantiate()
    * _InitRng()
    * PollAndReSeed()
    * wc_FreeRng()
    * wc_RNG_HealthTest_ex_internal()
    * wc_RNG_HealthTest_ex()
    * wc_RNG_HealthTestLocal()
  * refactor out WOLFSSL_KERNEL_MODE gates (now all WOLFSSL_SMALL_STACK_CACHE)
2025-12-17 11:01:10 -06:00
Daniel Pouzzner
2b28931855 wolfcrypt/src/sha256.c and wolfcrypt/src/sha512.c: in WOLFSSL_SMALL_STACK_CACHE builds, allocate shafoo->W at init or context copy time, rather than in the transform function. for the SHA512 family, allocate additional space in W for "buffer" in wc_Sha512Transform(). 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
525266c467 wolfssl/wolfcrypt/mem_track.h and wolfcrypt/src/memory.c: add WOLFSSL_API extern memoryStats *wc_MemStats_Ptr, set by InitMemoryTracker() and cleared by CleanupMemoryTracker(), allowing public access to the memory statistics.
tests/unit.c: at end of unit_test(), when WOLFSSL_TRACK_MEMORY, explicitly wolfSSL_Cleanup() then check and error if wc_MemStats_Ptr->currentBytes > 0.
2025-12-17 11:01:10 -06:00
Daniel Pouzzner
1e38a1011e wolfcrypt/src/wolfentropy.c: in wc_Entropy_Get():
* use a bss segment allocation for noise, to avoid a heap allocation (access is already mutex-protected), and
  * in the loop, WC_CHECK_FOR_INTR_SIGNALS() and WC_RELAX_LONG_LOOP().
2025-12-17 11:01:10 -06:00
Daniel Pouzzner
38b675ef68 linuxkm/lkcapi_sha_glue.c:
* as for other glue families, when LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG, don't "#error Config conflict" if explicit LINUXKM_LKCAPI_DONT_REGISTER_foo is defined for the missing algorithm;
  * in km_hmac_init(), use wc_HmacCopy() to copy p_ctx->wc_hmac to t_ctx->wc_hmac;
  * in get_drbg(), when tfm == crypto_default_rng, only migrate_disable() and local_bh_disable() if preempt_count() == 0, i.e. if not in already in an uninterruptible context;
  * add can_spin argument to get_drbg_n() -- wc_linuxkm_drbg_seed() can_spin, wc_mix_pool_bytes() !can_spin, and wc_crng_reseed() can_spin;
  * add compile-time assert that WOLFSSL_SMALL_STACK_CACHE is defined if LINUXKM_DRBG_GET_RANDOM_BYTES;

.wolfssl_known_macro_extras: add CONFIG_CRYPTO_DRBG.
2025-12-17 11:01:10 -06:00
Daniel Pouzzner
50b51adc93 wolfcrypt/src/hmac.c and wolfssl/wolfcrypt/hmac.h: implement WOLFSSL_API wc_HmacCopy(), and remove the WOLFSSL_HMAC_COPY_HASH gate on HmacKeyCopyHash(). 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
8090817c11 configure.ac: when KERNEL_MODE_DEFAULTS, set ENABLED_SMALL_STACK_CACHE_DEFAULT=yes regardless of FIPS/version. 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
8e03d0523c wolfssl/test.h: add missing wc_HmacFree()s in myMacEncryptCb(), myDecryptVerifyCb(), myEncryptMacCb(), myVerifyDecryptCb(). 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
15fcf7095f linuxkm/lkcapi_{dh,ecdh,ecdsa,rsa,aes}_glue.c: when LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG, don't "#error Config conflict" if explicit LINUXKM_LKCAPI_DONT_REGISTER_foo is defined for the missing algorithm. 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
dc0fe803a5 src/internal.c: in InitHandshakeHashesAndCopy(), don't call InitHandshakeHashes(), to avoid leaking in the later wc_FooCopy() operation. 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
918b6973bd tests/api.c: in test_wolfSSL_dtls_stateless_HashWOLFSSL(), when WOLFSSL_SMALL_STACK_CACHE, omit ssl->hsHashes from the comparison (init-time heap pointers destabilize its bit signature). 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
2802e2d82b wolfcrypt/src/rsa.c: in RsaUnPad_OAEP(), refactor volatile-based constant time mitigation to fix "using value of assignment with ‘volatile’-qualified left operand is deprecated [-Werror=volatile]" (new warning from gcc-16.0.0_p20251207, not reported by gcc-16.0.0_p20251116-r1). 2025-12-17 11:01:10 -06:00
Daniel Pouzzner
cd3e81a656 src/ssl_load.c: in ProcessBufferCert(), check ctx for nullness before accessing ctx->verifyNone (fixes -Wnull-dereference reported by multi-test dtls-no-rsa-no-dh after merge of 36e66eb763). 2025-12-17 11:01:10 -06:00
Eric Blankenhorn
d5691fe849 Fix MQX example null deref 2025-12-17 09:35:01 -06:00
Eric Blankenhorn
5aa2840bed Fix MQX example null deref 2025-12-17 09:33:21 -06:00
Sameeh Jubran
a5f1fde955 linuxkm: fix Tegra Yocto FIPS build issues (ARM64, RT, PIE)
Fix multiple build and runtime issues when building wolfSSL LinuxKM FIPS
on NVIDIA Tegra (ARM64) kernels under Yocto.

- Disable ARM64 LSE atomics for out-of-tree modules to avoid jump_table
  asm constraints
- Handle PREEMPT_RT mutex and spinlock differences correctly
- Avoid alt_cb_patch_nops / queued_spin_lock_slowpath on Tegra
- Remove conflicting compiler auto-var-init flags for PIE objects
- Align PIE symbol redirection with RT and Tegra kernels

This restores successful LinuxKM FIPS builds on Tegra-based Yocto systems.

Signed-off-by: Sameeh Jubran <sameeh.j@gmail.com>
2025-12-17 14:32:26 +02:00
Juliusz Sosinowicz
432f0e33f6 Fix incorrect use of CFLAGS in os-check 2025-12-17 10:28:43 +01:00
Juliusz Sosinowicz
f61bfd7805 Check KeyShare after HRR 2025-12-17 10:27:04 +01:00
Sean Parkinson
af2c6cc932 AES-GCM ARM32/Thumb2 ASM: don't change aes->reg in decrypt
OpenSSL compatability layer expects aes->reg to be unmodified by AES-GCM
decrypt call. ARM32/Thumb2 assembly implementation  modifies buffer.
Keep a copy and restore aes->reg after call.
2025-12-17 16:04:25 +10:00
Sean Parkinson
f54266c2c6 Curve25519: improved smul
Use the Ed25519 base smul in Curve25519 base mul and covert to
Montogmery curve for a faster implementation.
Only when Ed25519 is compiled in or WOLFSSL_CURVE25519_USE_ED25519 is
defined.
When compiling Intel x64 assembly and Aarch64 assembly, always define
WOLFSSL_CURVE25519_USE_ED25519.
Can't use with blinding - normal C implementation.

Optimized the Curve25519 smul slightly for Intel x64 and Aarch64.
Improved the conditional table lookup on Intel x64 to use AVX2 when
available.
2025-12-17 13:25:36 +10:00
JacobBarthelmeh
b42e9a9410 Merge pull request #9529 from SparkiDev/dsa_pg_sp_int_fix
DSA Parameter Generation: init g earlier
2025-12-16 14:52:45 -07:00
JacobBarthelmeh
75fdf959c1 Merge pull request #9514 from kareem-wolfssl/zd20936
Fix uninitialized variable, fix potentially undefined printf reference in HASH_DRBG_Generate.
2025-12-16 14:48:17 -07:00
JacobBarthelmeh
9156b50bbc Merge pull request #9538 from SparkiDev/tls13_dup_ext_alert_code_fix
TLS 1.3: duplicate extension alert code fix
2025-12-16 14:43:19 -07:00
JacobBarthelmeh
95afe9ca06 Merge pull request #9539 from julek-wolfssl/APP_DATA_READY-docs
Update APP_DATA_READY doc string
2025-12-16 14:42:39 -07:00
Juliusz Sosinowicz
ac84464140 Updates for latest zephyr with cpp 2025-12-16 17:25:18 +01:00
Josh Holtrop
9020373405 Rust crate: update CHANGELOG for v1.0.0 2025-12-16 10:08:10 -05:00
Josh Holtrop
37fa1581d3 Rust crate: bump version to 1.0.0 2025-12-16 10:04:32 -05:00
Josh Holtrop
95e8276d55 Rust crate: add CHANGELOG.md 2025-12-16 09:06:07 -05:00
Josh Holtrop
52e7801939 Rust crate: bump version 2025-12-16 09:03:10 -05:00
Josh Holtrop
357b8952c6 Rust crate: only set link-search and link-arg for local repo build 2025-12-16 09:02:34 -05:00
Marco Oliverio
0fa0fd2317 (d)tls: refactor wolfSSL_GetMaxFragSize(), simplify length computations 2025-12-16 10:46:29 +01:00
Marco Oliverio
e9f3bd5ddd dtls: test precise header headroom computation 2025-12-16 10:00:30 +01:00
Kareem
36eda9fb75 Check Curve25519 public key after generating one to avoid generating invalid keys.
Thanks to Kr0emer for the report.
2025-12-15 16:31:29 -07:00
Sean Parkinson
5512c2d0b4 Merge pull request #9541 from jackctj117/empty-hash-comment
Added comment with empty hash use
2025-12-16 08:34:16 +10:00
Sean Parkinson
85d40c8e9b Merge pull request #9522 from JacobBarthelmeh/time
tie in use of check_time with x509 store
2025-12-16 08:24:49 +10:00
Josh Holtrop
a3cc7214e7 Update include.am for Rust crate rename 2025-12-15 16:28:26 -05:00
Kareem
968662063d Merge remote-tracking branch 'upstream/master' into zd20936 2025-12-15 14:06:18 -07:00
Josh Holtrop
447ba11379 Add README.md in wolfssl-wolfcrypt crate directory 2025-12-15 15:22:44 -05:00
Josh Holtrop
0a469d4a4d Avoid unused variable warning in ECCPoint test 2025-12-15 13:02:55 -05:00
Sean Parkinson
d3863e5fa3 TLS 1.3: duplicate extension alert code fix
The specification states to return illegal_parameter when a message is
syntactically correct but semantically invalid. (RFC 8446 section 6,
Paragraph 5)
2025-12-15 10:00:56 -08:00
Josh Holtrop
8cd0c9bd11 Rust wrapper: rename wolfssl crate to wolfssl-wolfcrypt 2025-12-15 13:00:51 -05:00
jackctj117
585a8d22aa Added comment with empty hash imofrmation 2025-12-15 10:52:24 -07:00
Daniel Pouzzner
52ee00132d Merge pull request #9528 from SparkiDev/tls13_missing_ext_fix
TLS 1.3 missing extension: return correct alert code
2025-12-15 11:05:02 -06:00
Daniel Pouzzner
901ddab007 Merge pull request #9534 from rlm2002/coverity
20251212 Coverity fix for CID 524467
2025-12-15 11:03:18 -06:00
Daniel Pouzzner
b9368d7a3d Merge pull request #9516 from embhorn/gh3665
Add checking of size param and clarify usage in doc
2025-12-15 10:49:57 -06:00
Daniel Pouzzner
7e5d1d3d6d Merge pull request #9523 from JacobBarthelmeh/bio
remove unimplemented function macro
2025-12-15 10:39:55 -06:00
Daniel Pouzzner
61c72d2406 Merge pull request #9525 from JacobBarthelmeh/docs
public disclosure of CVE-2025-13912
2025-12-15 10:34:39 -06:00
Daniel Pouzzner
a379797482 Merge pull request #9526 from holtrop/rust-wrapper-notes
Rust wrapper: update crate metadata and README
2025-12-15 09:58:25 -06:00
Juliusz Sosinowicz
c73de0d133 Update APP_DATA_READY doc string 2025-12-15 12:18:10 +01:00
Sean Parkinson
dacb3425cd DSA Parameter Generation: init g earlier
Ensure dsa->g is initialized with other mp_ints so that it can be
cleared at the end regardless of failures.

Don't clear tmp or tmp2 if allocation or initialization failed as you
will access uninitialized data.
2025-12-15 09:12:11 +10:00
Sean Parkinson
44be44a509 TLS 1.3 missing extension: return correct alert code
Change TLS 1.3 handling to return missing_extension alert code when
 - KeyShare is present but SupportedGroups is missing and
 - SupportedGroups is present but KeyShare is missing

Added tests for this.
2025-12-15 09:07:13 +10:00
Sean Parkinson
6e94381149 ARM64 ASM: Darwin specific address calc fix
Don't use ':lo12:' in Darwin specific address calculation code.
@PAGEOFF is indicating this.
2025-12-15 08:46:24 +10:00
Sean Parkinson
19cba1c462 Merge pull request #9527 from night1rider/CMAC-Compile-Issue
Fix wc_CmacFree() to use correct heap pointer from internal Aes structure
2025-12-15 08:34:11 +10:00
jordan
d52eb8f4d0 linuxkm: readme patch description. 2025-12-12 18:58:10 -06:00
JacobBarthelmeh
5099e6e315 add macro guard on use of time_t 2025-12-12 16:42:19 -07:00
jordan
9736427e7a linuxkm: add a readme. 2025-12-12 17:07:07 -06:00
Kaleb Himes
6475106ce7 Merge pull request #9449 from lealem47/hash_script
Use only the first 64 bytes of hash output in fips-hash.sh
2025-12-12 14:47:12 -07:00
Ruby Martin
27b5ac9f84 sanitize loop bound in tls_multi_handshakes_one_record() unit test
add additional check for breaking while loop
2025-12-12 14:18:25 -07:00
JacobBarthelmeh
01442a1460 adjust macro guard around test case 2025-12-12 13:36:14 -07:00
Lealem Amedie
61e58f0f04 Fix for analyzer null dereference 2025-12-12 12:31:07 -07:00
Lealem Amedie
afa56497a8 Use cut command for portability 2025-12-12 12:31:07 -07:00
Lealem Amedie
7e26bc06c5 Use only the first 64 bytes of hash output in fips-hash.sh 2025-12-12 12:31:07 -07:00
Kareem
2d4e589a8d Merge remote-tracking branch 'upstream/master' into zd20936 2025-12-12 11:37:45 -07:00
Kareem
3797c03e6c Merge remote-tracking branch 'upstream/master' into zd20936 2025-12-12 11:37:34 -07:00
night1rider
cf42d14e10 Fix wc_CmacFree() and wc_CMAC_Grow() to use correct heap pointer from internal Aes structure 2025-12-12 11:14:16 -07:00
JacobBarthelmeh
e1bbb71878 tie in use of check_time with x509 store 2025-12-12 09:22:23 -07:00
Daniel Pouzzner
ab2196b4ca Merge pull request #9530 from SparkiDev/arm64_asm_deadcode_fix
Aarch64 AES ASM no hw crypto: no dead code
2025-12-11 23:41:30 -06:00
Sean Parkinson
8e14d4a774 Aarch64 AES ASM no hw crypto: no dead code
Fix code so that there is no dead code compiled.
That is, change if checks to #ifdef checks.
2025-12-12 12:31:36 +10:00
Daniel Pouzzner
38d5dc6c7a Merge pull request #9510 from embhorn/gh7981
Fix test when ECH and harden are enabled
2025-12-11 13:07:29 -06:00
Daniel Pouzzner
3e8c6811c7 Merge pull request #9518 from SparkiDev/api_c_split_3
api.c: Split out more functions
2025-12-11 13:06:58 -06:00
Daniel Pouzzner
2ffa5be427 Merge pull request #9511 from jackctj117/CertGenCache
Added --enable-certgencache to os-check
2025-12-11 13:03:31 -06:00
Daniel Pouzzner
9201b4e5eb Merge pull request #9515 from anhu/salt_len_min
Note that HMAC_FIPS_MIN_KEY is also salt len min for HKDF
2025-12-11 13:03:06 -06:00
Daniel Pouzzner
ebbfc2e413 Merge pull request #9507 from miyazakh/add_tools_includeam
Add RA6M4/tools folder to include.am
2025-12-11 12:46:37 -06:00
Daniel Pouzzner
ef8bf55528 Merge pull request #9495 from SparkiDev/aarch64_no_hw_crypto_asm_aes
Aarch64 no harware crypto assembly AES
2025-12-11 12:46:07 -06:00
Daniel Pouzzner
f26a52e2dd Merge pull request #9494 from SparkiDev/benchmark_ecdsa_p521
Benchmark ECDSA: use digest size instead of key size
2025-12-11 12:43:58 -06:00
Daniel Pouzzner
093f15ca4f Merge pull request #9496 from embhorn/zd20913
Enable wolfSSL_i2d_X509_NAME_canon to handle blank optional fields
2025-12-11 12:43:32 -06:00
Daniel Pouzzner
8c839b1ffc Merge pull request #9502 from rlm2002/x509_addressIsIP
Run check for IP address in wolfSSL_X509_check_host()
2025-12-11 12:41:54 -06:00
Daniel Pouzzner
90521b09a4 Merge pull request #9500 from holtrop/fix-rust-eccpoint-import-tests
Rust wrapper: fix ECCPoint import_der_ex unit tests
2025-12-11 12:41:19 -06:00
Daniel Pouzzner
f07e379d6d Merge pull request #9456 from anhu/test_inits
Initialize test variables; avoid false warnings.
2025-12-11 12:40:44 -06:00
Josh Holtrop
31f6dd7039 Rust wrapper: update crate metadata and README 2025-12-11 12:50:30 -05:00
Anthony Hu
cd4f96924b Better error message too. 2025-12-11 12:23:38 -05:00
JacobBarthelmeh
1d448ec3b4 public disclosure of CVE-2025-13912 2025-12-11 10:22:22 -07:00
JacobBarthelmeh
d7a852af82 remove unimplemented function macro 2025-12-11 09:32:57 -07:00
cwilley
2d9d399a50 Merge pull request #9519 from douzzer/20251210-linuxkm-get_drbg-local_bh_disable
20251210-linuxkm-get_drbg-local_bh_disable
2025-12-11 08:02:34 -08:00
Eric Blankenhorn
67b6b284d6 Add checking of size param and clarify usage in doc 2025-12-11 08:27:57 -06:00
Sean Parkinson
b4b617de49 api.c: Split out more functions
More X509 function testing.
X509 store function testing.
X509 lookup function testing.
2025-12-11 19:00:19 +10:00
Sean Parkinson
0b2fb66af6 api.c: Split out more functions
wolfSSL_PEM, wolfSSL_X509, wolfSSL_X509_NAME, wolfSSL_X509_PUBKEY API
testing moved out to separate files.
2025-12-11 15:32:09 +10:00
Daniel Pouzzner
fe33bb9bd9 linuxkm/lkcapi_sha_glue.c:
* in get_drbg(), call local_bh_disable() for the crypto_default_rng, and in put_drbg(), call local_bh_enable() if needed.
* re-gate migrate_disable() and migrate_enable() so they're called for any SMP kernel >= 5.7, regardless of CONFIG_PREEMPT_COUNT.
* in get_drbg_n(), if the caller can't sleep, return immediately if the requested DRBG is busy, to avoid priority inversions and deadlocks.
2025-12-10 20:33:48 -06:00
Sean Parkinson
569a5e0388 Merge pull request #9509 from rizlik/comment_fix
internal.c: fix comment to be more precise
2025-12-11 10:26:52 +10:00
Sean Parkinson
b69ce5a568 Merge pull request #9506 from rlm2002/coverity
check if ctx and ssl are null when checking public key in certificate
2025-12-11 08:30:58 +10:00
Sean Parkinson
1faf740f10 Merge pull request #9505 from douzzer/20251209-linuxkm-GENERATE_SECTION_MAP--sections
20251209-linuxkm-GENERATE_SECTION_MAP--sections
2025-12-11 08:03:44 +10:00
Sameeh Jubran
4d4751bff3 Merge pull request #9512 from douzzer/20251210-linuxkm-5.17-ubuntu-jammy-tegra-patches
20251210-linuxkm-5.17-ubuntu-jammy-tegra-patches
2025-12-10 22:46:12 +02:00
Anthony Hu
008132c33b Note that HMAC_FIPS_MIN_KEY is also salt len min for HKDF 2025-12-10 15:05:25 -05:00
Kareem
63976cb09b Fix uninitialized variable, use WOLFSSL_DEBUG_PRINTF macro in Hash_DRBG_Generate to avoid undefined printf reference. 2025-12-10 12:28:54 -07:00
Daniel Pouzzner
650990e1e2 add linuxkm/patches/5.17-ubuntu-jammy-tegra/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v17-ubuntu-jammy-tegra.patch 2025-12-10 11:51:29 -06:00
Daniel Pouzzner
ba861971eb wolfssl/wolfcrypt/wc_port.h: don't attempt to define WC_DEPRECATED() for _MSC_VER < 1400 -- still causing error on old MSVC (now C2085 rather than C2485). 2025-12-10 11:15:55 -06:00
jackctj117
9db4aad468 Added --enable-certgencache to os-check 2025-12-10 10:14:39 -07:00
Eric Blankenhorn
8053e8f9b3 Fix test when ECH and harden are enabled 2025-12-10 08:14:59 -06:00
Marco Oliverio
33a518958c internal.c: fix comment to be more precise 2025-12-10 14:11:07 +01:00
Takashi Kojo
6c5e84178e Merge pull request #9371 from tamasan238/doc
[ja] update docs - part 1
2025-12-10 18:16:12 +09:00
Masaki Iwai
d100ff81ba Merge branch 'master' into doc 2025-12-10 16:07:30 +09:00
Takashi Kojo
a555e211d4 Merge pull request #9405 from tamasan238/doc-2
[ja] update docs - part 2
2025-12-10 15:58:57 +09:00
Sean Parkinson
0ab09ab147 PPC32 SHA-256 ASM: support comnpiling for PIC
When compiling for PIC, 30 and 31 are not always available.
Alternative implementation added not using them that puts registers on
the stack.
Small code size version implemented as well.
2025-12-10 16:20:49 +10:00
Hideki Miyazaki
090d89acbc add RA6M4/tools folder to include.am 2025-12-10 10:18:26 +09:00
Ruby Martin
36e66eb763 check if ctx and ssl are null when checking public key in certificate 2025-12-09 17:04:05 -07:00
David Garske
f18fdcae91 Merge pull request #9501 from JacobBarthelmeh/xcode
Fix for XCODE build with ARM assembly
2025-12-09 15:38:31 -08:00
Daniel Pouzzner
41b2fc28b3 wolfssl/wolfcrypt/wc_port.h: add WC_DEPRECATED() definitions for _MSC_VER < 1400. 2025-12-09 17:15:48 -06:00
Daniel Pouzzner
d210b92a16 linuxkm/Makefile: tweak GENERATE_SECTION_MAP recipe to expect --sections output from readelf, and feed that to it, to work around missing section names in --symbols output on binutils <2.36. 2025-12-09 17:03:16 -06:00
Sean Parkinson
80b7ea638e Aarch64 no harware crypto assembly AES
Implementations of AES-ECB, AES-CBC, AES-CTR, AES-GCM, AES-XTS with base
instructions and NEON but not using crypto instructions.

Benchmark of AES-ECB added.
Updated AES tests.
2025-12-10 08:55:58 +10:00
David Garske
c9fbad2bc3 Merge pull request #9504 from julek-wolfssl/cov-20251203
Fix uninit variables
2025-12-09 09:24:05 -08:00
Juliusz Sosinowicz
24b35badb4 Fix uninit variables 2025-12-09 17:07:40 +01:00
JacobBarthelmeh
c05f0680c6 remove trailing whitespace 2025-12-09 07:00:50 -07:00
JacobBarthelmeh
5873142403 add xcode github actions build test 2025-12-08 14:42:51 -07:00
JacobBarthelmeh
ea058c6e85 xcode set correct file type for assembly files with project 2025-12-08 14:42:19 -07:00
Josh Holtrop
b5bea05c55 Rust wrapper: fix ECCPoint import_der_ex unit tests 2025-12-08 13:28:48 -05:00
Ruby Martin
edbca503be Run check for IP address in wolfSSL_X509_check_host() 2025-12-08 11:04:45 -07:00
David Garske
ab1a738859 Merge pull request #9499 from holtrop/rust-32-bit-fixes
Rust wrapper: fix "e" param type for wc_MakeRsaKey() on 32-bit targets
2025-12-08 07:58:32 -08:00
Josh Holtrop
1b4d09d752 Rust wrapper: fix "e" param type for wc_MakeRsaKey() on 32-bit targets 2025-12-08 10:02:25 -05:00
Sean Parkinson
5a89ef9f76 Merge pull request #9497 from douzzer/20251206-old-fips-test_wc_RsaPublicEncryptDecrypt
20251206-old-fips-test_wc_RsaPublicEncryptDecrypt
2025-12-08 20:32:21 +10:00
Daniel Pouzzner
12d07c4d43 tests/api/test_rsa.c: in test_wc_RsaPublicEncryptDecrypt(), add FIPS gate around new test coverage from #9454 (23c5678797). 2025-12-06 10:20:45 -06:00
Eric Blankenhorn
83f6fe1a1a Enable wolfSSL_i2d_X509_NAME_canon to handle blank optional fields 2025-12-05 15:12:29 -06:00
Sean Parkinson
886b0c2ec6 Benchmark ECDSA: use digest size instead of key size
The key size can be larger than the maximum digest size supported by the
sign and verify APIs.
Calculate a reasonable digest size for the key size and bound it on the
maximum digest size.
2025-12-05 09:01:12 +10:00
David Garske
1b7072b739 Merge pull request #9493 from holtrop/build-rust-wrappers-on-arm
Rust wrapper: run CI tests on ARM
2025-12-04 13:54:28 -08:00
Josh Holtrop
379ec8a23e Rust wrapper: run CI tests on ARM 2025-12-04 15:49:55 -05:00
David Garske
fd58885887 Merge pull request #9490 from douzzer/20251202-linuxkm-old-kernel-fixes
20251202-linuxkm-old-kernel-fixes
2025-12-04 11:42:00 -08:00
JacobBarthelmeh
5b7480486e Merge pull request #9487 from dgarske/qathash
Fix QAT hash final with no update and fix g++ warnings
2025-12-04 11:35:46 -07:00
David Garske
f01c4f10fa Merge pull request #9454 from SparkiDev/rsa_dec_too_small_output_fix
RSA decrypt: don't write past buffer end on error
2025-12-04 10:06:37 -08:00
David Garske
1dfa4d1bcf Merge pull request #9488 from SparkiDev/aes_gcm_4bit_be
AES-GCM, 4-bit table, Big Endian: fast impl of GMULT
2025-12-04 10:06:06 -08:00
David Garske
003f2385b9 Merge pull request #9491 from SparkiDev/sha256_armasm_small
ARM32/Thumb2 ASM SHA-256: provide small code size option
2025-12-04 10:05:01 -08:00
David Garske
1ebecb68c8 Merge pull request #9484 from holtrop/add-rust-wrapper-build-configs
Add several library configurations from os-check.yml to the Rust wrapper CI build
2025-12-04 08:00:24 -08:00
Daniel Pouzzner
e225bf80af linuxkm/linuxkm_wc_port.h: move WOLFSSL_API_PREFIX_MAPping of GetCAByAKID to wolfSSL_GetCAByAKID from wolfssl/internal.h to wolfssl/wolfcrypt/asn.h, with an additional needed early mapping in linuxkm/linuxkm_wc_port.h. 2025-12-04 09:58:52 -06:00
Daniel Pouzzner
690cce67d1 linuxkm/linuxkm_wc_port.h: add -Wattributes to suppression list while including kernel headers. 2025-12-04 09:34:22 -06:00
Daniel Pouzzner
64ebc342a1 linuxkm/lkcapi_sha_glue.c: in wc_linuxkm_drbg_generate(), generate randomness in batches that fit in RNG_MAX_BLOCK_LEN. 2025-12-04 09:34:22 -06:00
Daniel Pouzzner
aad0f7f184 linuxkm: move definition of WOLFSSL_DEBUG_PRINTF_FN from wolfssl/wolfcrypt/logging.h to linuxkm/linuxkm_wc_port.h. 2025-12-04 09:34:22 -06:00
Daniel Pouzzner
783e583169 linuxkm/linuxkm_wc_port.h:
* add backported definition of static_assert();
* add version-gated include for asm-generic/simd.h;
* add version gate for crypto/internal/simd.h.
2025-12-04 09:34:22 -06:00
Josh Holtrop
10a12b76e6 Rust wrapper: support more wolfcrypt build configurations 2025-12-04 09:09:04 -05:00
Sean Parkinson
bff29a8535 ARM32/Thumb2 ASM SHA-256: provide small code size option
WOLFSSL_ARMASM_SHA256_SMALL for Thumb2 and ARM32 using base instructions
compiles implementations that are smaller but slower.
2025-12-04 16:44:37 +10:00
Sean Parkinson
2b726ebf0b Merge pull request #9386 from sebastian-carpenter/oss-fuzz-fix-442261624
fixed oss-fuzz warnings
2025-12-04 15:28:18 +10:00
Masaki Iwai
42990f7eec Merge branch 'master' into doc 2025-12-04 13:38:25 +09:00
David Garske
0aa789a289 Merge pull request #9458 from LinuxJedi/doc_fixes
Fix issues with the API documentation
2025-12-03 09:23:23 -08:00
David Garske
45b7fb9e39 Merge pull request #9489 from julek-wolfssl/zd/20860
Fix AKID CA lookup
2025-12-03 08:16:51 -08:00
Andrew Hutchings
2376e484d8 Fix return values 2025-12-03 15:21:11 +00:00
Andrew Hutchings
590a02e541 Fix Doxygen parameters 2025-12-03 15:15:32 +00:00
Andrew Hutchings
c4e9ca4eca Fix some errors in the doc edits 2025-12-03 14:56:52 +00:00
Juliusz Sosinowicz
22eedeea86 fixup! tests: add unit coverage for GetCAByAKID 2025-12-03 13:26:12 +01:00
Juliusz Sosinowicz
32c6f8f2a0 Fix prefix errors 2025-12-03 11:36:39 +01:00
Juliusz Sosinowicz
995e63f6e1 Fix AKID CA lookup
The `authorityCertIssuer` field refers to the Issuer field of the CA being looked up and not its Subject field.
2025-12-03 10:47:40 +01:00
Juliusz Sosinowicz
7b82224462 tests: add unit coverage for GetCAByAKID 2025-12-03 10:47:40 +01:00
Masaki I.
0c9a5620d7 add ending newline 2025-12-03 13:39:09 +09:00
Masaki I.
65d844dba2 [ja] update docs 2 2025-12-03 13:22:16 +09:00
Sean Parkinson
697bc47d8e AES-GCM, 4-bit table, Big Endian: fast impl of GMULT
Add fast implementation GMULT for big-endian platforms like PowerPC and
PowerPC64.
Speeds up AES-GCM.
2025-12-03 11:22:49 +10:00
Daniel Pouzzner
3062d15240 Merge pull request #9485 from philljj/bsdkm_cleanup
bsdkm: return cleanup.
2025-12-02 16:47:26 -06:00
David Garske
628c1e5225 Fix g++ compiler implicit cast warnings 2025-12-02 10:54:16 -08:00
David Garske
6deef7c14a QAT fix to properly handle a finish with no update 2025-12-02 09:57:12 -08:00
David Garske
6d55b42cf6 Merge pull request #9483 from josepho0918/mqx
Enhance MQX platform support and integration
2025-12-02 07:58:49 -08:00
David Garske
dd40417fca Merge pull request #9479 from josepho0918/aes-cbc-mmcau
Prefer ARMASM over MMCAU for AES CBC when both enabled
2025-12-02 07:58:17 -08:00
Josh Holtrop
08f2b36678 Add several library configurations from os-check.yml to the Rust wrapper CI build 2025-12-02 10:52:05 -05:00
Daniel Pouzzner
bc615a26e9 Merge pull request #9478 from sameehj/fix-tegra
linuxkm: Fix spinlock initialization on Tegra kernels for __SPIN_LOCK…
2025-12-02 09:24:00 -06:00
David Garske
2f1be0f0d4 Merge pull request #9486 from julek-wolfssl/hostap-sha-cert-update
Update sha384 and sha512 certs
2025-12-02 06:55:35 -08:00
Juliusz Sosinowicz
c63df82f0d Update sha384 and sha512 certs
- Print errors in logs on failure
2025-12-02 10:46:43 +01:00
Masaki Iwai
801d9bfa3d Merge branch 'master' into doc 2025-12-02 14:14:01 +09:00
David Garske
8741805e9d Merge pull request #9476 from embhorn/zd20515
Fix Coverity dead code report
2025-12-01 13:59:21 -08:00
David Garske
a2f46cd9b0 Merge pull request #9470 from lealem47/MLKEM_PUB_HASH_E
ML-KEM: Add check for Pubkey hash mismatch on decoding the dk
2025-12-01 12:49:48 -08:00
jordan
cd99aa2f0e bsdkm: return cleanup. 2025-12-01 09:43:15 -06:00
Sameeh Jubran
9a699c04ea linuxkm: Fix spinlock initialization on Tegra kernels for __SPIN_LOCK_UNLOCKED macro incompatibility
Tegra vendor kernels (L4T / NVIDIA Yocto BSP) fail to compile the
wolfSSL Linux kernel module due to the use of the legacy assignment form
of the spinlock initializer:

    m->lock = __SPIN_LOCK_UNLOCKED(m);

On Tegra, __SPIN_LOCK_UNLOCKED() expands to a braced-struct initializer
that is *not* valid as an assignment expression, causing:

    error: expected expression before '{' token

This patch applies a Tegra-specific workaround by replacing the
assignment with the stable kernel API:

    spin_lock_init(&m->lock);

This is guarded behind CONFIG_ARCH_TEGRA so that non-Tegra platforms
retain the current initialization behavior until further validation is
completed.

This fix restores successful kernel module builds on NVIDIA Tegra-based
Yocto images without modifying behavior on other architectures.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2025-11-27 10:08:55 +02:00
Joseph Chen
10efcd9787 Enhance MQX platform support and integration 2025-11-27 10:03:04 +08:00
Sean Parkinson
93944d289f Merge pull request #9482 from anhu/move_the_sigalg_check
Need to move sigalg check down because it does not consider hybrids.
2025-11-27 09:42:18 +10:00
Sean Parkinson
e30e9b7e09 Merge pull request #9473 from holtrop/rust-cargo-clippy
Rust wrapper: enable cargo clippy and fix several clippy warnings
2025-11-27 09:18:51 +10:00
Sean Parkinson
6c8b9054a0 Merge pull request #9443 from holtrop/report-rsa_pss_pss-sig-algo
TLSv1.3 certificate verify: report rsa_pss_pss_* signature algorithm when supported
2025-11-27 09:12:58 +10:00
Sean Parkinson
6a5e29e21d Merge pull request #9477 from douzzer/20251125-linuxkm-arm-fips-tweaks
20251125-linuxkm-arm-fips-tweaks
2025-11-27 09:03:36 +10:00
Anthony Hu
a02b61a9db Merge pull request #9475 from douzzer/20251125-aes-arm-fixes
20251125-aes-arm-fixes
2025-11-26 14:11:23 -05:00
Anthony Hu
a765bbdb79 Need to move sigalg check down because it does not consider hybrids. 2025-11-26 13:31:21 -05:00
Josh Holtrop
36418aca76 Set useRsaPss flag in both SSL and CTX structures 2025-11-26 10:30:38 -05:00
Joseph Chen
26206821ff Prefer ARMASM over MMCAU for AES CBC when both enabled 2025-11-26 16:05:05 +08:00
Daniel Pouzzner
be1f916028 wolfcrypt/src/aes.c: in the WOLFSSL_ARMASM && GCM_SMALL && !__aarch64__ static C implementation of GCM_gmult_len(), rename to GCM_gmult_len_armasm_C() (incompatible with other implementations);
wolfcrypt/src/aes.c: move FREESCALE_MMCAU implementations later (minimum precedence) for wc_AesEncrypt(), wc_AesDecrypt(), wc_AesSetKeyLocal(), wc_AesSetKey(), and wc_AesSetKeyDirect() (fixes ZD#20862).
2025-11-25 23:01:05 -06:00
Daniel Pouzzner
f5543f6b95 wolfcrypt/test/test.c: in wolfcrypt_test_main(), install myFipsCb if applicable, and save failed wolfCrypt retvals to args.return_code to assure error exit. fixes FIPS integrity failure message with wolfEntropy. 2025-11-25 20:21:37 -06:00
Daniel Pouzzner
4fda0883a4 globally rename WC_PIE_RELOC_TABLES to WC_SYM_RELOC_TABLES;
globally replace defined(__PIE__) with defined(WC_CONTAINERIZE_THIS) to decouple containerization from -fPIE;

configure.ac:
* add --enable-kernel-reloc-tables as an alias for --enable-linuxkm-pie;
* always activate ENABLED_ENTROPY_MEMUSE_DEFAULT when KERNEL_MODE_DEFAULTS and not RDSEED/RDRAND, regardless of FIPS presence/version;

linuxkm/Kbuild:
* add -DWC_CONTAINERIZE_THIS to PIE_FLAGS;
* add support for NO_PIE_FLAG, which inhibits -fPIE on ENABLED_LINUXKM_PIE builds, and adds -DWC_NO_PIE_FLAG to PIE_FLAGS;

linuxkm/linuxkm_wc_port.h: add setup for WC_LINUXKM_WOLFENTROPY_IN_GLUE_LAYER;

linuxkm/module_hooks.c: add wc_linuxkm_GenerateSeed_wolfEntropy().
2025-11-25 18:01:25 -06:00
David Garske
0aaa31c438 Merge pull request #9459 from JacobBarthelmeh/async
fix small stack define and warnings for g++ build with async
2025-11-25 14:22:24 -08:00
David Garske
6fc99ac6d8 Merge pull request #9431 from Pushyanth-Infineon/psoc6_aes_support
Enable hardware acceleration for AES on PSoC6.
2025-11-25 13:31:23 -08:00
Eric Blankenhorn
6de31e95fc Fix Coverity dead code report 2025-11-25 13:53:36 -06:00
Josh Holtrop
bfce171836 Rust wrapper: enable cargo clippy and fix several clippy warnings 2025-11-25 08:22:02 -05:00
Sean Parkinson
0afbc1ef08 Merge pull request #9471 from douzzer/20251124-memory_test-wolfSSL_Atomic_Ptr_CompareExchange
20251124-memory_test-wolfSSL_Atomic_Ptr_CompareExchange
2025-11-25 19:22:22 +10:00
JacobBarthelmeh
a83fb4fc42 revert 6bda10a forcing small stack with async 2025-11-25 00:43:04 -07:00
Daniel Pouzzner
e459b21744 wolfcrypt/src/wc_port.c and wolfssl/wolfcrypt/wc_port.h: add volatile attribute to wolfSSL_Atomic_Uint_CompareExchange() first arg, for pedantic accuracy;
wolfssl/internal.h and src/ssl.c: add volatile attribute to WOLFSSL_CTX.privateKeyPKey pointer, for pedantic accuracy;

wolfcrypt/test/test.c: in memory_test(), use compatible pointers for all operands in the wolfSSL_Atomic_Ptr_CompareExchange() test, to avoid undefined behavior.
2025-11-24 18:21:09 -06:00
Lealem Amedie
eace02115b Address review feedback 2025-11-24 16:57:52 -07:00
Sean Parkinson
ea0793f0af Merge pull request #9428 from dgarske/qat_v5.8.4
Migrate wolfAsyncCrypt repo into wolfSSL proper
2025-11-25 09:33:31 +10:00
Sean Parkinson
7c8d7dff5e Merge pull request #9348 from effbiae/ExportEccTempKey
Refactor: Extract ExportEccTempKey, DhSetKey, and other helper functions from SendServerKeyExchange
2025-11-25 09:31:20 +10:00
Sean Parkinson
ed7ace504f Merge pull request #9434 from embhorn/zd20802
Clarify return value of wc_RsaSSL_Verify/Inline
2025-11-25 09:28:26 +10:00
Sean Parkinson
9c467a916a Merge pull request #9437 from rlm2002/coverity
20251114 Coverity change
2025-11-25 09:26:17 +10:00
Sean Parkinson
86789f92c0 Merge pull request #9446 from dgarske/stm32_castwarn
Fix stm32.c type warnings
2025-11-25 09:22:58 +10:00
Sean Parkinson
76fec60754 Merge pull request #9448 from anhu/p7_unknownExt
unknown extension support in wc_PKCS7_EcdsaVerify
2025-11-25 09:21:47 +10:00
Sean Parkinson
c6ecafced2 Merge pull request #9451 from kaleb-himes/ESV-DRBG-Decouple
Esv drbg decouple
2025-11-25 09:19:52 +10:00
Sean Parkinson
89f27ceb19 Merge pull request #9453 from holtrop/rust-wc-random-additions
Rust wrapper: add HAVE_HASHDRBG RNG functions
2025-11-25 09:18:12 +10:00
Sean Parkinson
eac5c29fdb Merge pull request #9455 from holtrop/rust-wc-init-cleanup
Rust wrapper: wrap wolfCrypt_Init() and wolfCrypt_Cleanup()
2025-11-25 09:17:23 +10:00
David Garske
4ccad17a39 Merge pull request #9465 from SparkiDev/aesgcm_small_armasm
AES-GCM small ARM asm: add back implementation
2025-11-24 15:06:49 -08:00
David Garske
0786aa2585 Merge pull request #9464 from SparkiDev/sp_384_sub_fix
SP Thumb2/ARM32: P-384 sub not needed for small builds
2025-11-24 15:05:43 -08:00
Sean Parkinson
d49c76945a Merge pull request #9468 from josepho0918/mmcau
Correct SHA256 final endianness on MMCAU platforms
2025-11-25 08:38:21 +10:00
Josh Holtrop
d766b82bac Remove conditional and just assign boolean result 2025-11-24 15:55:32 -05:00
Lealem Amedie
f5cb791e39 ML-KEM: Add check for Pubkey hash mismatch on decoding the dk 2025-11-24 10:22:40 -07:00
Joseph Chen
7752df3340 Correct SHA256 final endianness on MMCAU platforms 2025-11-24 16:48:35 +08:00
Sean Parkinson
ba47f7f333 AES-GCM small ARM asm: add back implementation
Implementation of GCM mult with length for ARM asm and small GCM was
added to armv8-aes.c but got lost when code pulled back to aes.c.
2025-11-24 11:08:18 +10:00
Sean Parkinson
46c704f51f SP Thumb2/ARM32: P-384 sub not needed for small builds
Don't have an implementation of sp_384_sub when building for small code
size.
2025-11-24 10:45:36 +10:00
JacobBarthelmeh
c5fb83f52d fix warnings for g++ build with async 2025-11-21 14:38:40 -07:00
Andrew Hutchings
026fa2dd4e Fix issues with the API documentation 2025-11-21 17:43:55 +00:00
Anthony Hu
cf8b729bae Initialize test variables; avoid false warnings. 2025-11-21 11:59:07 -05:00
Josh Holtrop
09e223baf3 Rust wrapper: wrap wolfCrypt_Init() and wolfCrypt_Cleanup() 2025-11-21 08:48:22 -05:00
Josh Holtrop
15b55ef279 Rust wrapper: add HAVE_HASHDRBG RNG functions 2025-11-21 08:31:27 -05:00
Sean Parkinson
23c5678797 RSA decrypt: don't write past buffer end on error
When the decrypted data is bigger than the buffer, the one extra bytes
was being written to.
2025-11-21 12:12:14 +10:00
David Garske
59f4fa5686 Merge pull request #9452 from JacobBarthelmeh/release
prepare for release 5.8.4
2025-11-20 13:05:19 -08:00
JacobBarthelmeh
91f3d90f82 Update version .rc files too 2025-11-20 13:10:38 -07:00
JacobBarthelmeh
ab98c150c6 prepare for release 5.8.4 2025-11-20 10:57:50 -07:00
kaleb-himes
176801a21b Include new header in the template file also 2025-11-20 09:40:18 -07:00
kaleb-himes
eeb2b09b23 Address linuxkm builds and the new header 2025-11-20 09:38:13 -07:00
kaleb-himes
4da42ffae9 Fix typo in header include (capital E) 2025-11-20 09:38:13 -07:00
kaleb-himes
301a4a554b Add header to make install set 2025-11-20 09:38:13 -07:00
kaleb-himes
dc6fa0ad4e De-couple ESV from DRBG 2025-11-20 09:38:13 -07:00
Josh Holtrop
80d3037332 Use more uppercase U's 2025-11-20 08:34:54 -05:00
Josh Holtrop
bb8673070a Use uppercase U 2025-11-19 23:52:21 -05:00
Josh Holtrop
2c4b6f46b7 Add scripts/rsapss.test to test RSA-PSS signature algorithm negotiation 2025-11-19 23:05:31 -05:00
JacobBarthelmeh
b6adf12f83 Merge pull request #9438 from douzzer/20251113-linuxkm-aarch64-fips-tweaks
20251113-linuxkm-aarch64-fips-tweaks
2025-11-19 17:42:45 -07:00
Daniel Pouzzner
bea6bcbba9 Merge pull request #9450 from JacobBarthelmeh/xilinx
adjust test case to account for AES-GCM key size support with Xilinx …
2025-11-19 18:14:10 -06:00
Daniel Pouzzner
30487ad236 linuxkm/: fixes for ARMv7, and miscellaneous fixes for Makefile and FIPS logic. 2025-11-19 17:21:29 -06:00
Daniel Pouzzner
06d3d6d3df linuxkm/Kbuild and linuxkm/module_hooks.c: refactor wc_linuxkm_pie_reloc_tab to include ground truth segment tag from ELF metadata.
tweaks for ARM32: recognize R_ARM_* relocations, and add -fno-unwind-tables to PIE_FLAGS.

linuxkm/linuxkm_wc_port.h:
* __PIE__: don't declare static pmd_to_page() unless USE_SPLIT_PMD_PTLOCKS.
* add wc_lkm_refcount_to_int() helper with -Wnested-externs suppressed.

wolfcrypt/src/fe_operations.c: in fe_frombytes() and fe_sq2(), use explicit XMEMSET()s to initialize working vars, rather than implicit, to avoid implicit (unshimmable) memset() calls.

wolfcrypt/src/ge_operations.c: fix gate on _wc_curve25519_dummy() to require CURVED25519_ASM.
2025-11-19 17:21:29 -06:00
JacobBarthelmeh
23a6edcc89 adjust test case to account for AES-GCM key size support with Xilinx afalg 2025-11-19 23:00:13 +00:00
JacobBarthelmeh
96dde5b4a8 Merge pull request #9392 from philljj/bsdkm
bsdkm: initial wolfcrypt FreeBSD kernel module support.
2025-11-19 15:25:21 -07:00
Anthony Hu
668602016c Allow user to prevent wc_PKCS7_EcdsaVerify from erroring out due to extentions we do not know about 2025-11-19 14:36:04 -05:00
Josh Holtrop
268b81c29e TLSv1.3 certificate verify: report rsa_pss_pss_* signature algorithm when supported 2025-11-19 09:47:05 -05:00
JacobBarthelmeh
8d357de6d8 Merge pull request #9444 from dgarske/macros_explicit
Fix issue with poorly written macros
2025-11-18 17:28:12 -07:00
David Garske
64c03fa9ee Fix stm32.c type warnings 2025-11-18 14:33:11 -08:00
David Garske
658ea305d1 Fix issue with poorly written macros 2025-11-18 14:15:22 -08:00
JacobBarthelmeh
10c5baec1a Merge pull request #9442 from SparkiDev/lms_192_8bit_checksum
LMS - check sum fix for SHA-256-192
2025-11-18 14:57:21 -07:00
sebastian-carpenter
7fdd177233 fixed oss-fuzz warnings 2025-11-18 13:28:51 -07:00
jordan
631a28fccc bsdkm: better with-bsd-export-syms description in configure.ac. 2025-11-18 12:59:51 -06:00
jordan
0458fba394 bsdkm: add atomic_fcmpset_ptr. 2025-11-18 10:12:28 -06:00
jordan
551f90414c bsdkm: review cleanup. 2025-11-18 09:02:45 -06:00
Sean Parkinson
da0e4f59ec LMS - check sum fix for SHA-256-192
Only 8 bits needed of checksum whem doing 192-bit hashes with Winternitz
of 1 (9 for 256-bit hashes).
Cleanup code around checksum.
2025-11-18 21:20:02 +10:00
jordan
28e4fe3b6c bsdkm: initial wolfcrypt FreeBSD kernel module support. 2025-11-18 01:28:08 -06:00
Daniel Pouzzner
46a7719e2d Merge pull request #9441 from gojimmypi/pr-arduino-examples
Update Arduino workflow with parameterized matrix
2025-11-17 17:58:13 -06:00
JacobBarthelmeh
8e38e3bb5e Merge pull request #9433 from holtrop/rust-conditional-compilation
Rust wrapper: enable conditional compilation based on C library build options
2025-11-17 15:03:17 -07:00
JacobBarthelmeh
35374a16fe Merge pull request #9436 from douzzer/20251114-WOLFSSL_BLIND_PRIVATE_KEY-thread-safety
20251114-WOLFSSL_BLIND_PRIVATE_KEY-thread-safety
2025-11-17 15:01:13 -07:00
JacobBarthelmeh
2be7482210 Merge pull request #9439 from SparkiDev/mlkem_derive_secret_fix
ML-KEM: derive secret fix
2025-11-17 10:29:56 -07:00
gojimmypi
d2c0901e80 Update Arduino workflow with parameterized matrix 2025-11-17 08:41:28 -08:00
Sean Parkinson
074a3dbcc1 ML-KEM: derive secret fix
Fixes for deriving secret for ML-KEM.
2025-11-17 10:01:19 +10:00
Kamatham Pushyanth
9bc259ae6f Enable hardware acceleration for AES on PSoC6.
- Implemented AES ECB, CBC, CFB, and GCM modes with hardware acceleration.
- Ensured proper mutex locking for concurrent access to hardware resources during
- Adjusted the aes.h header to include PSoC6 specific definitions and structures.
- Updated README for PSoC6 port.
2025-11-16 00:12:09 +05:30
Daniel Pouzzner
c29abccc9f src/internal.c: peer review: refactor wolfssl_priv_der_unblind() and wolfssl_priv_der_unblind_free() to use AllocDer() and FreeDer(). 2025-11-14 18:13:44 -06:00
Daniel Pouzzner
dee0658e8a fix races around WOLFSSL_CTX.{privateKey,privateKeyMask,altPrivateKey,altPrivateKeyMask} in WOLFSSL_BLIND_PRIVATE_KEY code paths:
* rename wolfssl_priv_der_unblind() to wolfssl_priv_der_blind_toggle(),
* add wolfssl_priv_der_unblind() that allocates a temp copy,
* add wolfssl_priv_der_unblind_free(),
* in wolfssl_priv_der_blind_toggle(), make mask a const arg;

restore const attribute to ctx arg to wolfSSL_CTX_get0_privatekey(), and add explanatory comment.
2025-11-14 18:13:43 -06:00
David Garske
5c421a152d Merge pull request #9429 from JacobBarthelmeh/certs
renew example certificates
2025-11-14 16:02:55 -08:00
JacobBarthelmeh
a68da8d2d5 update pksc7 decode test for new ca-cert.pem size 2025-11-14 14:53:48 -07:00
JacobBarthelmeh
3f441ef1a5 update tests after certificate renewal 2025-11-14 14:45:37 -07:00
JacobBarthelmeh
6c74098be5 run renewcerts.sh, gencertbuf.pl, and create_ocsp_test_blobs.py 2025-11-14 14:45:37 -07:00
JacobBarthelmeh
d18b251f54 Merge pull request #9420 from wolfSSL/TLS13-cipher-suite-fix
Fix TLS 1.3 cipher suite when TLS 1.2 ciphers precede TLS 1.3 ciphers
2025-11-14 16:42:05 -05:00
David Garske
46a2234c61 Merge pull request #9425 from JacobBarthelmeh/pkcs7_stream
with decode enveloped data track total encrypted content size
2025-11-14 12:59:09 -08:00
JacobBarthelmeh
30baf0a2e0 Merge pull request #9435 from dgarske/hmac_zerolen
Improve wc_HmacUpdate to return early if input length == 0
2025-11-14 15:49:04 -05:00
Ruby Martin
59800d8bb7 additional index checks, handle when j is 0 or 1 2025-11-14 12:19:58 -07:00
David Garske
a071426bc8 Migrate wolfAsyncCrypt repo into wolfSSL proper 2025-11-14 09:43:59 -08:00
David Garske
4e1b719236 Improve wc_HmacUpdate to return early if input length == 0. Fixes QAT issue with HKDF test. 2025-11-14 09:40:56 -08:00
Eric Blankenhorn
fda674a48a Clarify return value of wc_RsaSSL_Verify/Inline 2025-11-14 11:06:26 -06:00
jackctj117
0767cb84bf Removed trailing white space 2025-11-14 09:03:51 -07:00
Josh Holtrop
c61ac22e89 Rust wrapper: enable conditional compilation based on C library build options 2025-11-14 10:44:25 -05:00
Josh Holtrop
dd3b9260f9 Rust wrapper: merge wolfssl-sys crate into wolfssl crate 2025-11-14 10:44:06 -05:00
philljj
50c5028c5a Merge pull request #9432 from douzzer/20251114-atomic-default-c
20251114-atomic-default-c
2025-11-14 10:34:24 -05:00
Daniel Pouzzner
135bb66352 wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/wc_port.c: use stdatomic.h implementation as C default when available, as before, for proper type annotation in objects. 2025-11-14 07:54:14 -06:00
Sean Parkinson
10a60fc41b Merge pull request #9427 from douzzer/20251113-ZD20815
20251113-ZD20815
2025-11-14 11:50:16 +10:00
jackctj117
5e2fd78113 Suppress unused parameter warning 2025-11-13 18:32:00 -07:00
Daniel Pouzzner
7916db78e8 wolfcrypt/src/wc_port.c and wolfssl/wolfcrypt/wc_port.h: change precedence of atomic implementations, and don't use the stdatomic.h in C++ builds (not compatible);
fix the name of the wolfSSL_Atomic_Ptr_CompareExchange() implementation in the _MSC_VER code path.
2025-11-13 17:28:19 -06:00
Daniel Pouzzner
c430cc75ea src/ssl.c and wolfssl/ssl.h: fix signature on wolfSSL_CTX_get0_privatekey() -- ctx is not const;
wolfcrypt/src/wc_port.c and wolfssl/wolfcrypt/wc_port.h: tweak gates on atomic implementations to maximize availability within currently supported targets;

fix some whitespace.
2025-11-13 17:11:52 -06:00
Daniel Pouzzner
26ba6344f2 add wolfSSL_Atomic_Ptr_CompareExchange(); mitigate race on ctx->privateKeyPKey in wolfSSL_CTX_get0_privatekey(). 2025-11-13 16:25:49 -06:00
JacobBarthelmeh
c63ca04228 convert to type int for return value 2025-11-13 12:17:04 -07:00
JacobBarthelmeh
d06221c16e with decode enveloped data track total encrypted content size 2025-11-13 12:08:46 -07:00
jackctj117
29c2f15a8f Add #ifdef guards to cipher suite checks 2025-11-13 10:06:07 -07:00
David Garske
6ff57b8045 Merge pull request #9419 from rlm2002/coverity
Uninitialized variable fix
2025-11-13 08:58:00 -08:00
David Garske
4f3586fe58 Merge pull request #9421 from SparkiDev/mlkem_to_bytes_fix
ML-KEM to bytes C: not reducing all values
2025-11-13 08:57:31 -08:00
David Garske
082943649b Merge pull request #9422 from SparkiDev/ecc_sign_hash_inlen_check
ECC sign hash: only allow up to max digest size
2025-11-13 08:55:53 -08:00
effbiae
de0d3e610d refactor to ExportEccTempKey, DhSetKey and others 2025-11-13 14:49:26 +11:00
Sean Parkinson
6c30186168 ECC sign hash: only allow up to max digest size
Validate that the hash passed in is of an appropriate length - not
greater than the maximum digest size.
2025-11-13 11:53:51 +10:00
Sean Parkinson
b272f784ec ML-KEM to bytes C: not reducing all values
Call to mlkem_csubq_c was only called on first array.
Fixed to do it for all.
2025-11-13 10:42:07 +10:00
David Garske
5a8411a1ad Merge pull request #9418 from SparkiDev/tls13_ks_dup_check_fix
TLS 1.3 duplicate KeyShare entry fix
2025-11-12 16:09:11 -08:00
David Garske
f53191bae2 Merge pull request #9416 from julek-wolfssl/priv-key-blinding
Fix errors when blinding private keys
2025-11-12 16:09:03 -08:00
jackctj117
c56ea55f89 Fix TLS 1.3 cipher suite selection when TLS 1.2 ciphers precede TLS 1.3 ciphers 2025-11-12 17:03:06 -07:00
Ruby Martin
b2336c57ce initialize ctype variable 2025-11-12 16:48:52 -07:00
Sean Parkinson
1ec18949bc TLS 1.3 duplicate KeyShare entry fix
Fix comparison to be greater than or equal in case count is incremented
after maxing out.
2025-11-13 08:23:19 +10:00
David Garske
e78752f3b2 Merge pull request #9407 from holtrop/rust-heap-devid-cleanup
Rust wrapper: support optional heap and dev_id parameters
2025-11-12 13:50:45 -08:00
David Garske
7cfffd5bbc Merge pull request #9308 from kareem-wolfssl/zd20603
Add IPv6 support to wolfSSL_BIO_new_accept and wolfIO_TcpBind.
2025-11-12 11:09:17 -08:00
Josh Holtrop
40c471e20d Rust wrapper: fix cmac documentation 2025-11-12 13:41:08 -05:00
David Garske
92fffa166b Merge pull request #9413 from JacobBarthelmeh/lic
update to GPLv3 exception list, add Fetchmail and OpenVPN
2025-11-12 10:12:29 -08:00
David Garske
3fe534e3a2 Merge pull request #9403 from gojimmypi/pr-lms-unary-fix
Fix LMS C4146 unary minus warning in MSVC, new param check
2025-11-12 08:40:33 -08:00
Juliusz Sosinowicz
32911dc6b8 Add blinding to CI 2025-11-12 17:12:35 +01:00
Juliusz Sosinowicz
4b7c052ee9 test_wolfSSL_inject: don't call accept on completed handshake 2025-11-12 17:12:22 +01:00
Juliusz Sosinowicz
d1c321abdc Don't override errors when blinding the priv key 2025-11-12 17:12:22 +01:00
Josh Holtrop
df99227dc8 Rust wrapper: use _ex APIs for heap and dev_id variants 2025-11-12 09:50:20 -05:00
gojimmypi
ca920edbd0 Fix LMS C4146 unary minus warning in MSVC, new param check 2025-11-11 19:26:52 -08:00
Kareem
fbb7ae2257 Add NULL check to wolfSSL_BIO_new_accept. 2025-11-11 16:20:09 -07:00
Kareem
3296e6a1f0 Merge remote-tracking branch 'upstream/master' into zd20603 2025-11-11 16:15:22 -07:00
David Garske
6914f08f5e Merge pull request #9391 from holtrop/check-dup-extensions-fix
Check for duplicate extensions in client hello when HAVE_TLS_EXTENSIONS is not set - fix #9377
2025-11-11 14:05:14 -08:00
Josh Holtrop
798b16dcef Address more code review feedback for PR 9391 2025-11-11 15:36:28 -05:00
Josh Holtrop
32b00fd10b Address code review feedback for PR 9391 2025-11-11 14:06:44 -05:00
David Garske
4c273a6f3f Merge pull request #9404 from cconlon/jniNoQuicEch
Fixes for "--enable-jni --enable-all" with WOLFSSL_TLS13_MIDDLEBOX_COMPAT
2025-11-11 09:42:38 -08:00
David Garske
e323fb9675 Merge pull request #9410 from SparkiDev/multi_arch_opt
Workflow: multiple architectures with different -O levels
2025-11-11 09:42:21 -08:00
David Garske
2db1c7a522 Merge pull request #9395 from SparkiDev/tls12_cv_sig_check
TLS 1.2 CertificateVerify: validate sig alg matches peer key
2025-11-11 09:18:11 -08:00
JacobBarthelmeh
4da365214a Merge pull request #9412 from SparkiDev/regression_fixes_21
Regression testing fixes
2025-11-11 09:32:43 -07:00
Sean Parkinson
d84564217c Regression testing fixes
Fix #ifdef protection for AES tests.
2025-11-11 21:46:04 +10:00
Sean Parkinson
702f6ce94f Workflow: multiple architectures with different -O levels
Test configurations with different optimization levels: -O2, -O3, -O1,
-O0, -Os, -Ofast
2025-11-11 17:50:48 +10:00
Sean Parkinson
f54ca0d481 TLS 1.2 CertificateVerify: req sig alg to have been in CR
The signature algorithm specified in CertificateVerify must have been in
the CertificateRequest. Add check.

The cipher suite test cases, when client auth and RSA are built-in and
use the default client certificate and use the *-ECDSA-* cipher
suites, no longer work. The client certificate must be ECC when the
cipher suite has ECDSA. Don't run them for that build.
2025-11-11 13:20:46 +10:00
David Garske
967f520c28 Merge pull request #9408 from anhu/stateful_integ_deprecate
Deprecate LMS and XMSS integrations.
2025-11-10 15:17:51 -08:00
JacobBarthelmeh
0fa2274a16 Merge pull request #9406 from SparkiDev/sp_label_noinline
SP label noinline: function inlined even when asked not to
2025-11-10 14:52:14 -07:00
Anthony Hu
0771bc42d6 Deprecate LMS and XMSS integrations. 2025-11-10 15:13:06 -05:00
Josh Holtrop
4102f8272e Rust wrapper: support optional heap and dev_id parameters 2025-11-10 13:53:51 -05:00
David Garske
2c47675194 Merge pull request #9333 from gojimmypi/pr-msvc-random
Conditional wolfcrypt-only wc_RNG_GenerateBlock for MSVC
2025-11-10 08:33:54 -08:00
Josh Holtrop
3af60ff85d Check for duplicate extensions in client hello when HAVE_TLS_EXTENSIONS is not set - fix #9377 2025-11-10 10:06:07 -05:00
Sean Parkinson
b7ade58c52 SP label noinline: function inlined even when asked not to
The label L_521_mont_reduce_9_nomask is therefore appearing more than
once in the compiled code.
Adding '%=' to the end of the label ensure it has a unique number
appended to it even when inlined.
2025-11-10 20:05:41 +10:00
Daniel Pouzzner
9c1526c90d Merge pull request #9401 from cconlon/jniPublicMp
Add WOLFSSL_PUBLIC_MP to --enable-jni for wolfJCE RSA KeyFactory support
2025-11-08 11:07:54 -06:00
Daniel Pouzzner
f977004dca Merge pull request #9400 from cconlon/ocspStaplingTls13MultiMktemp
Use portable mktemp syntax in ocsp-stapling_tls13multi.test
2025-11-08 11:07:28 -06:00
Daniel Pouzzner
9e9a7392d4 Merge pull request #9373 from julek-wolfssl/WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
Add missing WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY guards
2025-11-08 11:04:43 -06:00
Daniel Pouzzner
ea4311666e Merge pull request #9367 from julek-wolfssl/wolfDTLS_accept_stateless-early-data
wolfDTLS_accept_stateless: Fix handling for early data
2025-11-08 11:04:19 -06:00
Daniel Pouzzner
8b3eaa0eff Merge pull request #9370 from gojimmypi/pr-watcom-update
Update and pin Watcom to 2025-11-03-Build release
2025-11-08 09:31:22 -06:00
Chris Conlon
fdec53c4c9 skip test_tls13_hrr_different_cs() test when WOLFSSL_TLS13_MIDDLEBOX_COMPAT is defined 2025-11-07 17:09:30 -07:00
Chris Conlon
0cf3728ca0 update "--enable-jni --enable-all" combo to exclude QUIC and ECH, not compatible with WOLFSSL_TLS13_MIDDLEBOX_COMPAT 2025-11-07 16:50:41 -07:00
David Garske
b45217db00 Merge pull request #9402 from anhu/stsafe_doc
Correction about how to get interface files.
2025-11-07 13:59:45 -08:00
Anthony Hu
22ab16df97 Correction about how to get interface files. 2025-11-07 16:53:30 -05:00
Chris Conlon
88373d8cb5 add WOLFSSL_PUBLIC_MP to --enable-jni for wolfJCE RSA KeyFactory support 2025-11-07 14:14:51 -07:00
JacobBarthelmeh
4f4826ae92 Merge pull request #9385 from anhu/not_len
Use suites->hashSigAlgoSz when calling TLSX_SignatureAlgorithms_MapPss
2025-11-07 13:49:30 -07:00
gojimmypi
8654599e61 Conditional wolfcrypt-only wc_RNG_GenerateBlock for MSVC 2025-11-07 11:08:44 -08:00
JacobBarthelmeh
0d49df7735 update to GPLv3 exception list, add Fetchmail and OpenVPN 2025-11-07 12:06:29 -07:00
JacobBarthelmeh
4c5bc5f8fe Merge pull request #9387 from SparkiDev/tls12_cr_order
TLS 1.2: client message order check
2025-11-07 10:00:39 -07:00
JacobBarthelmeh
222f6084f8 Merge pull request #9399 from douzzer/20251106-linuxkm-PIE-inline-thunks
20251106-linuxkm-PIE-inline-thunks
2025-11-07 08:33:53 -07:00
Sean Parkinson
58bd6a8d94 TLS 1.2 CertificateVerify: validate sig alg matches peer key
Don't proceed with parsing CertificateVerify message in TLS 1.2 if the
signature algorithm doesn't match the peer's key (key from client
certificate).
2025-11-07 13:26:26 +10:00
JacobBarthelmeh
a96b35c0ff Merge pull request #9398 from toddouska/master
Add GPLv2 exception list to LICENSING
2025-11-06 17:19:59 -07:00
Chris Conlon
f208716b80 use portable mktemp syntax in scripts/ocsp-stapling_tls13multi.test for macOS compatibility 2025-11-06 16:54:23 -07:00
Daniel Pouzzner
53a20f4928 linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use inline thunks on all objects, not just PIE objects, to resolve false-positive "unpatched thunk" warnings on some kernels/configs. also cleans up flag setup more generally. 2025-11-06 17:37:07 -06:00
Sean Parkinson
f376c8d910 Merge pull request #9388 from lealem47/scan_build
Various fixes for nightly tests
2025-11-07 09:30:08 +10:00
Sean Parkinson
3416a0f70e Merge pull request #9393 from rlm2002/zd20756
Integer overflow and dead code removal
2025-11-07 09:27:05 +10:00
Todd Ouska
e02de78507 Add GPLv2 exception list to LICENSING 2025-11-06 15:18:57 -08:00
Sean Parkinson
98d84eb435 Merge pull request #9396 from julek-wolfssl/fil-c-674
Updates the Fil-C version to 0.674
2025-11-07 08:39:38 +10:00
JacobBarthelmeh
ca51fda3bb Merge pull request #9372 from SparkiDev/curve25519_no_lshift_neg_val
Curve25519: lshift of a negative value is undefined in C
2025-11-06 15:22:38 -07:00
Lealem Amedie
15ecc2e4da Update Rowley settings to define WOLFSSL_NO_SOCK 2025-11-06 15:11:49 -07:00
Ruby Martin
ec60d88f82 remove deadcode else statement when computing kid_type 2025-11-06 15:04:37 -07:00
Ruby Martin
9b2f7a371f remove duplicate keylen check (deadcode)
wrap if statement in macro guard
2025-11-06 15:04:37 -07:00
Ruby Martin
78f2e65da6 add cast to int64_t 2025-11-06 14:58:37 -07:00
Lealem Amedie
2b8f83fd8d Fixes for getrandom detection 2025-11-06 14:16:38 -07:00
Lealem Amedie
d3de6305e8 Exit wolfcrypt test if wolfCrypt_Init fails 2025-11-06 10:24:44 -07:00
Lealem Amedie
eecf82362e Check for getrandom declaration 2025-11-06 10:24:20 -07:00
Juliusz Sosinowicz
bd2cc5ba5c fixup! DTLS: Introduce custom I/O callbacks API and structure 2025-11-06 18:07:18 +01:00
Juliusz Sosinowicz
c2377fd266 DTLS: Clear userSet when peer is set in EmbedReceiveFrom
This allows us to differentiate between the user explicitly setting a peer and wolfio setting it. When wolfio sets the peer, we want to be able to update the peer address while in stateless parsing (governed by the `newPeer` variable).
2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
975033c64f DTLS: Introduce returnOnGoodCh option for early ClientHello processing return 2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
6e826583a3 DTLS: Add tests for custom I/O callbacks and stateless handling with wolfio 2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
0d7fe2f0a4 DTLS: Introduce custom I/O callbacks API and structure 2025-11-06 17:13:45 +01:00
Juliusz Sosinowicz
3ebc0c5f99 Update logs 2025-11-06 16:39:48 +01:00
Juliusz Sosinowicz
ed970e7cd8 Add missing WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY guards 2025-11-06 16:35:11 +01:00
Juliusz Sosinowicz
0355a31192 Updates the Fil-C version to 0.674 2025-11-06 13:48:32 +01:00
Lealem Amedie
08db159c5d Fixes for minor scan-build warnings 2025-11-05 21:27:06 -07:00
lealem47
9780137962 Merge pull request #9394 from JacobBarthelmeh/caam
avoid warning when building without user_settings.h and options.h
2025-11-05 17:24:19 -07:00
Sean Parkinson
3ec882cd66 Merge pull request #9380 from julek-wolfssl/ip-addr-check
Improve domain and IP address matching in certificate verification
2025-11-06 09:49:07 +10:00
Sean Parkinson
aba0246550 Merge pull request #9389 from holtrop/rust-wc-pbkdf2
Rust wrapper: add PBKDF2 and PKCS #12 PBKDF wrappers
2025-11-06 09:46:04 +10:00
Sean Parkinson
b0a7f5938c Merge pull request #9379 from holtrop/rust-wc-ed448
Rust wrapper: add wolfssl::wolfcrypt::ed448 module
2025-11-06 09:38:32 +10:00
JacobBarthelmeh
8077551ba8 avoid warning when building without user_settings.h and options.h for QNX CAAM 2025-11-05 16:03:09 -07:00
Sean Parkinson
aa0b37a7e5 Merge pull request #9384 from night1rider/crypto-callback-return-fix
Reset Return to Success if fallback to software Copy Callbacks Sha
2025-11-06 08:50:00 +10:00
Sean Parkinson
fe69a7cf5a Merge pull request #9390 from kaleb-himes/test-code-bug-fix
Addressing a bug in the test logic
2025-11-06 08:49:15 +10:00
Sean Parkinson
97e9fa09bd Merge pull request #9330 from rizlik/dtls13_want_write_fix
Dtls13: Fix handshake hangs on WANT_WRITE I/O error
2025-11-06 08:31:29 +10:00
Daniel Pouzzner
3d99090bcb Merge pull request #9374 from philljj/spelling_cleanup
wolfcrypt test: tiny spelling correction.
2025-11-05 13:44:44 -06:00
kaleb-himes
b379de4119 Addressing a bug in the test logic 2025-11-05 10:28:19 -07:00
philljj
d73af7ab77 Merge pull request #9383 from douzzer/20251104-linuxkm-Kbuild-EXPORT_SYMBOL
20251104-linuxkm-Kbuild-EXPORT_SYMBOL
2025-11-05 11:08:49 -06:00
Josh Holtrop
797194f85b Rust wrapper: add PBKDF2 and PKCS #12 PBKDF wrappers 2025-11-05 09:25:52 -05:00
Sean Parkinson
958fa1af60 TLS 1.2: client message order check
Error when client receives CertificateRequest out of order: not after
Certificate and not after ServerKeyExchange if being sent.
2025-11-05 10:00:11 +10:00
Anthony Hu
6e583a01f1 Use suites->hashSigAlgoSz instead of len in call to TLSX_SignatureAlgorithms_MapPss 2025-11-04 15:36:33 -05:00
night1rider
572776e685 Reset return value to success when copy callback requests to use software function instead 2025-11-04 13:25:16 -07:00
Daniel Pouzzner
6885573d3d linuxkm/Kbuild: add helper variable EXPORT_SYMBOL to facilitate export attribute control. 2025-11-04 14:00:58 -06:00
philljj
9fdcd2e72a Merge pull request #9382 from douzzer/20251104-WC_MUTEX_OPS_INLINE
20251104-WC_MUTEX_OPS_INLINE
2025-11-04 13:00:08 -06:00
Josh Holtrop
7f0e575ed7 Rust wrapper: fix ed448 documentation issues from code review 2025-11-04 13:49:06 -05:00
Daniel Pouzzner
54dc060579 implement WC_MUTEX_OPS_INLINE and WC_RWLOCK_OPS_INLINE gates. 2025-11-04 12:01:58 -06:00
philljj
4b93e3ecf7 Merge pull request #9381 from douzzer/20251104-fixes
20251104-fixes
2025-11-04 11:41:23 -06:00
Juliusz Sosinowicz
f95cb4e9bf Improve domain and IP address matching in certificate verification
- Distinguish between domain and IP address checks.
- Update curl action to test with httpd server
2025-11-04 18:36:29 +01:00
Daniel Pouzzner
abec842c59 wolfcrypt/src/asn.c: in wc_Ed25519PublicKeyToDer(), when old FIPS, cast "key" arg to wc_ed25519_export_public(). 2025-11-04 09:38:50 -06:00
Daniel Pouzzner
656fe3da7c linuxkm/{module_hooks.c,linuxkm_wc_port.h}: in wc_lkm_LockMutex(), when interruptible, check for signals, and add __must_check attribute. 2025-11-04 09:37:37 -06:00
Josh Holtrop
b82cccce21 Rust wrapper: add wolfssl::wolfcrypt::ed448 module 2025-11-04 08:34:46 -05:00
Daniel Pouzzner
d47108c97f Merge pull request #9368 from holtrop/rust-wc-ed25519
Rust wrapper: add wolfssl::wolfcrypt::ed25519 module
2025-11-03 22:40:43 -06:00
Sean Parkinson
e4d47fb5c7 Curve25519/448: lshift of negative is undefined in C
Change all left shifts to be of unsigned values.
In some cases the values were negative.

Changed 128-bit variable implementation of Curve25519. (generated)
Changed Ed25519 C implementation.
Changed Curve448 C implementation. (generated)
Changed Ed448 C implementation. (generated)
2025-11-04 10:40:23 +10:00
philljj
e0eac95fc9 Merge pull request #9375 from douzzer/20251103-linuxkm-Makefile-bash-workaround
20251103-linuxkm-Makefile-bash-workaround
2025-11-03 18:13:45 -06:00
gojimmypi
0714c535f1 Update and pin Watcom to 2025-11-03-Build release 2025-11-03 10:42:18 -08:00
Daniel Pouzzner
a43e416f66 linuxkm/Makefile: work around bash pecularity in libwolfssl.ko recipe ( [[ -f foo ]] is true even if foo is a symbolic link). 2025-11-03 12:00:40 -06:00
jordan
720b8e117c wolfcrypt test: tiny spelling correction. 2025-11-03 10:06:47 -06:00
philljj
9a4fa0df2c Merge pull request #9369 from douzzer/20251027-linuxkm-aarch64-fips
20251027-linuxkm-aarch64-fips
2025-11-03 09:45:16 -06:00
Marco Oliverio
33be31aeea test: dtls: add description for WANT_WRITE tests 2025-11-03 13:43:33 +01:00
Marco Oliverio
bb284247b3 test_dtls: change approach in want_write hs testing 2025-11-03 13:43:33 +01:00
Marco Oliverio
412a78261d test_dtls: increase coverage for non-blocking I/O 2025-11-03 13:43:33 +01:00
Marco Oliverio
6855325bf8 test: memio: simulate_want_write: block client on is_client == true 2025-11-03 13:43:33 +01:00
Marco Oliverio
0127571238 dtls13: advance buffer index on error 2025-11-03 13:43:33 +01:00
Marco Oliverio
17a08b9e36 test_dtls: return WANT_WRITE in DTLSv1.3 CH parsing 2025-11-03 13:43:33 +01:00
Sean Parkinson
574067e204 Curve25519: lshift of a negative value is undefined in C
Change all left shifts to be of unsigned values.
In some cases the values were negative.

Added macros to make the code easier to be consistent.
2025-11-03 22:08:52 +10:00
Masaki I.
87c4646e97 [ja] update docs 2025-11-02 19:07:26 +09:00
Daniel Pouzzner
5922b5def5 Merge pull request #9363 from julek-wolfssl/refactor-zero-return
Improve TLS 1.3 early data handling.
2025-10-31 17:39:11 -05:00
Daniel Pouzzner
78ff20569e linuxkm:
globally rename+unify:
* HAVE_LINUXKM_PIE_SUPPORT and USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE under gate WC_PIE_RELOC_TABLES
* WC_LKM_INDIRECT_SYM_BY_FUNC_ONLY as WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY
* WC_LKM_INDIRECT_SYM_BY_DIRECT_TABLE_READ as WC_PIE_INDIRECT_SYM_BY_DIRECT_TABLE_READ
* WC_LKM_INDIRECT_SYM() as WC_PIE_INDIRECT_SYM;

linuxkm/linuxkm_wc_port.h:
* implement pointer-caching inline wolfssl_linuxkm_get_pie_redirect_table_local() for the WC_PIE_INDIRECT_SYM_BY_FUNC_ONLY path;
* for FIPS_VERSION3_GE(6,0,0), add wolfCrypt_FIPS_*_ro_sanity pointers to struct wolfssl_linuxkm_pie_redirect_table, and corresponding ad hoc prototypes;

linuxkm/Makefile and linuxkm/module_hooks.c: move wc_linuxkm_pie_reloc_tab into the wolfCrypt PIE container;

linuxkm/module_hooks.c and linuxkm/linuxkm_wc_port.h: harmonize the types of __wc_{text,rodata}_{start,end} with wolfCrypt_FIPS_{first,last,ro_start,ro_end} to allow drop-in use of the all-inclusive ELF fenceposts, activated by WC_USE_PIE_FENCEPOSTS_FOR_FIPS.
2025-10-31 16:03:51 -05:00
Josh Holtrop
7cbcd0b00d Rust wrapper: add wolfssl::wolfcrypt::ed25519 module 2025-10-31 11:03:15 -04:00
David Garske
b6cfdcb758 Merge pull request #9366 from douzzer/20251030-linuxkm-amd64-vec-op-sunrise
20251030-linuxkm-amd64-vec-op-sunrise
2025-10-31 07:32:41 -07:00
David Garske
f07cd264fe Merge pull request #9365 from douzzer/20251030-wc_linuxkm_normalize_relocation-straddle-math
20251030-wc_linuxkm_normalize_relocation-straddle-math
2025-10-31 07:31:50 -07:00
Daniel Pouzzner
9273c00566 Merge pull request #9364 from dgarske/silabs_ecb
Fixed issue with AES ECB offloading to hardware to use full size
2025-10-30 23:55:31 -05:00
Daniel Pouzzner
643cbe127d Merge pull request #9354 from rlm2002/coverity
20251027 Coverity fixes
2025-10-30 23:54:18 -05:00
Daniel Pouzzner
7085421dd0 Merge pull request #9340 from julek-wolfssl/tls13-hrr-cs-change
Validate cipher suite after HelloRetryRequest
2025-10-30 23:46:50 -05:00
Daniel Pouzzner
299257eae9 Merge pull request #9360 from SparkiDev/aarch64_sha256_vreg_fix
Aarch64 ASM: missing push and pop of vector regs
2025-10-30 23:46:11 -05:00
Daniel Pouzzner
bac055dc14 Merge pull request #9357 from holtrop/rust-wc-srtp-kdf
Rust wrapper: add SRTP/SRTCP KDF functions to kdf module
2025-10-30 23:45:48 -05:00
Daniel Pouzzner
a2b3af095d Merge pull request #9339 from effbiae/EcMakeKey
refactor to EcMakeKey
2025-10-30 23:45:22 -05:00
Daniel Pouzzner
9c031608ef Merge pull request #9349 from effbiae/EcExportHsKey
refactor to EcExportHsKey
2025-10-30 23:44:58 -05:00
Daniel Pouzzner
f1f2423f3c linuxkm/x86_vector_register_glue.c: remove static assert on kernel >= 5.4.0 -- current implementation is unaffected by the noted bugs on < 5.4.0. 2025-10-30 18:08:54 -05:00
Daniel Pouzzner
5425894127 linuxkm/module_hooks.c: in wc_linuxkm_normalize_relocation(), when the
relocation straddles the buffer at end, return the exact offset of the next
   relocation, rather than blindly backing up sizeof reloc_buf - 1, otherwise
   byte(s) in a relocation immediately preceding will be denormalized.
2025-10-30 17:38:10 -05:00
David Garske
c5ae76e40d Fixed issue with AES ECB offloading to hardware to use full size, not
just block
2025-10-29 15:52:33 -07:00
Juliusz Sosinowicz
3209d264b8 Improve TLS 1.3 early data handling.
Introduce `clientInEarlyData` to only return when in `wolfSSL_read_early_data`. This makes sure that other API don't return `ZERO_RETURN` when not in `wolfSSL_read_early_data`. Chose `APP_DATA_READY` as it won't result in a false positive return from `wolfSSL_read_early_data`.
2025-10-29 19:04:36 +01:00
David Garske
d45678472d Merge pull request #9361 from douzzer/20251029-NullPointerArithm-fixes
20251029-NullPointerArithm-fixes
2025-10-29 09:12:40 -07:00
Daniel Pouzzner
d260493642 src/internal.c: in HashOutput(), check for null output pointer;
examples/pem/pem.c: in main(), add missing check that ret == 0 in _DER_TO_PEM code path.
2025-10-29 10:04:24 -05:00
Juliusz Sosinowicz
7b7f9a4fe0 dtls: Check PSK ciphersuite against local list 2025-10-29 13:14:50 +01:00
Juliusz Sosinowicz
c14b1a0504 Validate cipher suite after HelloRetryRequest
- Add validation to ensure the cipher suite in the ServerHello matches the one specified in the HelloRetryRequest.
- test_TLSX_CA_NAMES_bad_extension: use the same ciphersuite in HRR and SH
2025-10-29 13:14:50 +01:00
David Garske
df79b1062f Merge pull request #9359 from douzzer/20251028-fixes
20251028 fixes
2025-10-28 16:57:43 -07:00
Sean Parkinson
d7807d39e0 Aarch64 ASM: missing push and pop of vector regs
Generated code wasn't pushing and poping vector registers when they were
64-bit.
Generation code fixed and SHA-256 ASM code fixed.
2025-10-29 09:15:32 +10:00
Daniel Pouzzner
8c60b7b250 src/internal.c and tests/api.c: fix clang-analyzer-core.NullPointerArithms. 2025-10-28 16:42:14 -05:00
Daniel Pouzzner
9b90ea83eb src/x509.c: in wolfSSL_X509_get_ext_by_OBJ() and wolfSSL_X509_load_cert_crl_file(), add local protection from null derefs (fixes -Wnull-dereferences);
wolfcrypt/src/chacha.c and wolfssl/wolfcrypt/chacha.h: implement USE_ARM_CHACHA_SPEEDUP gate;

wolfcrypt/src/kdf.c: in wc_SSH_KDF(), add early return if _HashInit() fails (fixes _HashFree() of uninited _hash);

wolfcrypt/src/sha256.c: initialize sha256->W in ARMASM variant of wc_InitSha256_ex(), and pass sha256->heap to XMALLOC/XFREE consistently.
2025-10-28 16:42:14 -05:00
Daniel Pouzzner
097cd576ff linuxkm/module_hooks.c: in wc_linuxkm_GenerateSeed_IntelRD(), log when RDSEED support is missing, and add verbose logging for generation failures. 2025-10-28 16:42:14 -05:00
Ruby Martin
e546d319c1 Fix Coverity INTEGER_OVERFLOW in sp_to_unsigned_bin, avoid unsigned underflow 2025-10-28 11:12:19 -06:00
Ruby Martin
7aec2a8280 separate BAD_FUNC_ARG error from ASN_NO_PEM_HEADER 2025-10-28 10:01:10 -06:00
David Garske
1d64a4ed8f Merge pull request #9352 from holtrop/rust-wc-cmac
Rust wrapper: add wolfssl::wolfcrypt::cmac module
2025-10-28 08:58:06 -07:00
David Garske
a4be322fd6 Merge pull request #9356 from SparkiDev/sp_asm_add_sub_p384_arm
SP ASM ARM32/Thumb2: inline asm for add and subs
2025-10-28 08:55:54 -07:00
effbiae
1c8e7885b4 refactor to EcMakeKey 2025-10-28 08:46:47 -07:00
Josh Holtrop
bc72ac375e Rust wrapper: fix minor typo in srtcp_kdf_label example 2025-10-28 11:43:06 -04:00
Josh Holtrop
ef92114347 Rust wrapper: cmac: consume CMAC in finalize() 2025-10-28 08:41:28 -04:00
Josh Holtrop
bfa04ca5be Rust wrapper: cmac: fix "success" typo 2025-10-28 08:32:12 -04:00
Josh Holtrop
2e281ae2c6 Rust wrapper: add SRTP/SRTCP KDF functions to kdf module 2025-10-28 07:34:11 -04:00
Sean Parkinson
50521699af SP ASM ARM32/Thumb2: inline asm for add and subs
Implement add, sub, double and triple in assembly for P384.
2025-10-28 17:49:40 +10:00
effbiae
993ecad16a refactor to EcExportHsKey 2025-10-28 16:01:39 +11:00
Daniel Pouzzner
85bfc49711 Merge pull request #9355 from SparkiDev/aes_arm_asm_fix
AES ARM ASM: user data loaded 1 reg at a time
2025-10-27 23:06:17 -05:00
Sean Parkinson
d883a950d2 ML-KEM SHA-3: fix r
Constant r wasn't being loaded into register in all assembly functions
that use it - it just got lucky most of the time.
2025-10-28 12:04:12 +10:00
Sean Parkinson
070923a373 AES ARM ASM: user data loaded 1 reg at a time
User key may not be aligned and need to use instructions that don't
require alignment. Change to use ldr instead of ldp or ldrd.
2025-10-28 11:03:58 +10:00
David Garske
e6af5bcd4f Merge pull request #9353 from embhorn/gh9347
Build errors in memtest config and sniffer
2025-10-27 13:15:00 -07:00
JacobBarthelmeh
a1d000cede Merge pull request #9343 from dgarske/silabs_aesdirect
Fixed issue with SiLibs AES Direct (required by DTLS v1.3)
2025-10-27 13:04:12 -06:00
David Garske
76abc43812 Put unused fix in correct location. 2025-10-27 10:25:31 -07:00
David Garske
c825d0b34c Merge pull request #9345 from JacobBarthelmeh/devid
fix for passing devId from WOLFSSL_CTX down to hash operation
2025-10-27 08:47:51 -07:00
Eric Blankenhorn
7ef560c188 Fix build error with memtest and memorylog 2025-10-27 10:47:13 -05:00
David Garske
594a3bc963 Merge pull request #9350 from SparkiDev/split_ssl_sk
Stack API: Pull out implementation into separate file
2025-10-27 08:46:43 -07:00
David Garske
4669aaeaed Merge pull request #9342 from julek-wolfssl/filc
Adds fil-c workflow for testing
2025-10-27 08:46:31 -07:00
David Garske
7bbe15936d Merge pull request #9290 from effbiae/make-pre-master-secret
refactor to Make(Dhe)PSKPreMasterSecret
2025-10-27 08:39:17 -07:00
Eric Blankenhorn
2f2d5b37fd Fix undeclared var use in sniffer 2025-10-27 10:33:25 -05:00
Josh Holtrop
a6cb6170b6 Rust wrapper: add wolfssl::wolfcrypt::cmac module 2025-10-27 10:41:26 -04:00
Sean Parkinson
91a526c218 fixup 2025-10-27 18:02:49 +10:00
Sean Parkinson
093cc04076 Stack API: Pull out implementation into separate file
General stack APIs pulled out into ssl_sk.c.
Other simple APIs also pulled out into ssl_sk.c.
wolfSSL_lh_retrieve also pulled out into ssl_sk.c.

Added tests of public APIs that weren't already tested.
2025-10-27 17:08:41 +10:00
David Garske
d54f5e7c6a Merge pull request #9346 from douzzer/20251025-fix-clang-tidy-all-crypto-no-sha-1
20251025-fix-clang-tidy-all-crypto-no-sha-1
2025-10-25 08:46:31 -07:00
Daniel Pouzzner
c9cc701097 src/internal.c: suppress clang-analyzer-deadcode.DeadStores in ImportPeerECCKey() introduced by 4964a1760a. 2025-10-25 08:55:23 -05:00
JacobBarthelmeh
1a779b3f73 fix for passing devId from WOLFSSL_CTX down to hash operation 2025-10-24 16:39:25 -06:00
David Garske
7524552b1a Merge pull request #9344 from douzzer/20251024-fixes
20251024-fixes
2025-10-24 14:45:44 -07:00
Daniel Pouzzner
c145b7ee81 wolfcrypt/src/aes.c: define GCM_GMULT_LEN() when WOLFSSL_ARMASM, and fix gating on wolfCrypt_FIPS_AES_sanity (always gate in for FIPS v7+);
wolfcrypt/src/port/af_alg/afalg_aes.c: check for null key arg;

configure.ac: rename BUILD_FIPS_CURRENT to BUILD_FIPS_V2_PLUS (no functional change), and remove unused ARMASM_DIST_SOURCES set up code added in #9332;

src/include.am:
* set up $(ARMASM_SHA256_C), and use it to properly include wolfcrypt/src/sha256.c alongside armasm when appropriate;
* fix gating on Curved25519 armasm (BUILD_FIPS_V6_PLUS, not BUILD_FIPS_V6);

tests/api/test_aes.c and wolfcrypt/test/test.c: gate out incompatible coverage for WOLFSSL_AFALG and WOLFSSL_KCAPI (test_wc_AesCbcEncryptDecrypt_MultiBlocks(), test_wc_AesCtrSetKey*(), test_wc_AesCtrEncrypt*(), test_wc_AesGcmEncryptDecrypt_Sizes()).
2025-10-24 15:08:56 -05:00
David Garske
d62b1068d2 Fixed issue with SiLibs AES Direct (required by DTLS v1.3). ZD 20695 2025-10-24 11:58:56 -07:00
Juliusz Sosinowicz
1ed1b83aa5 Adds fil-c workflow for testing 2025-10-24 20:14:57 +02:00
JacobBarthelmeh
a28e107722 Merge pull request #9336 from holtrop/rust-wc-kdf-prf
Rust wrapper: add wolfssl::wolfcrypt::kdf, wolfssl::wolfcrypt::prf
2025-10-24 09:27:56 -06:00
JacobBarthelmeh
62deeedb52 Merge pull request #9335 from cconlon/jniAesCts
Define HAVE_CTS for JNI build, used by JCE AES/CTS/NoPadding
2025-10-24 09:20:02 -06:00
David Garske
4282ad38ec Merge pull request #9300 from effbiae/ImportPeerECCKey
refactor to ImportPeerECCKey
2025-10-24 08:17:54 -07:00
David Garske
c354202f11 Merge pull request #9341 from holtrop/rust-dh-test-fix
Rust wrapper: fix intermittent test_dh failure
2025-10-24 08:17:35 -07:00
Josh Holtrop
2127365559 Rust wrapper: fix intermittent test_dh failure 2025-10-24 09:05:19 -04:00
effbiae
f087b1300c refactor to MakePSKPreMasterSecret 2025-10-24 12:03:16 +11:00
David Garske
67c2d80470 Merge pull request #9337 from douzzer/20251023-FIPS-autotools-fix
20251023-FIPS-autotools-fix
2025-10-23 15:44:53 -07:00
Daniel Pouzzner
6ff47a7a4c src/include.am: fix gate flub, !BUILD_FIPS_V6 -> !BUILD_FIPS_V6_PLUS, around sp-asm files (covered earlier for FIPS). 2025-10-23 16:57:39 -05:00
Josh Holtrop
61a277c262 Rust wrapper: Use core::ptr instead of std::ptr 2025-10-23 16:30:03 -04:00
Josh Holtrop
b75be94f0d Rust wrapper: use SHA256::DIGEST_SIZE instead of WC_SHA256_DIGEST_SIZE 2025-10-23 16:24:09 -04:00
Josh Holtrop
5b8115ed8f Rust wrapper: add wolfssl::wolfcrypt::kdf, wolfssl::wolfcrypt::prf 2025-10-23 16:05:07 -04:00
JacobBarthelmeh
33b08ed136 Merge pull request #9328 from holtrop/rust-wc-hmac
Rust wrapper: add wolfssl::wolfcrypt::hmac module
2025-10-23 14:02:11 -06:00
Chris Conlon
3e85b572f3 define HAVE_CTS for --enable-jni build, used by JCE AES/CTS/NoPadding mode 2025-10-23 12:46:59 -06:00
JacobBarthelmeh
985a090adc Merge pull request #9334 from julek-wolfssl/wolfSSL_PEM_X509_X509_CRL_X509_PKEY_read_bio-len
x509: make sure pem buffer will be large enough to hold pem header
2025-10-23 09:36:46 -06:00
JacobBarthelmeh
7f5d02c36b Merge pull request #9317 from SparkiDev/benchmark_asym_cc
Benchmark: add cycle counts for asym ops
2025-10-23 09:31:30 -06:00
David Garske
f376512692 Merge pull request #9332 from douzzer/20251022-FIPS-armasm-autotools-fixup
20251022-FIPS-armasm-autotools-fixup
2025-10-23 07:45:32 -07:00
Josh Holtrop
27212312f1 Rust wrapper: Remove unnecessary double casts in hmac 2025-10-23 09:46:05 -04:00
Josh Holtrop
df4a2120c2 Rust wrapper: add wolfssl::wolfcrypt::hkdf module 2025-10-23 09:41:12 -04:00
Josh Holtrop
b801396d52 Rust wrapper: HMAC::get_hmac_size does not need mut ref 2025-10-23 09:32:37 -04:00
Juliusz Sosinowicz
36b64fb5ae x509: make sure pem buffer will be large enough to hold pem header
Found with Fil-C compiler
2025-10-23 13:28:07 +02:00
Daniel Pouzzner
3bd5a30a77 .wolfssl_known_macro_extras: snip out a couple no-longer-needed extras. 2025-10-22 22:54:51 -05:00
Daniel Pouzzner
b1f2ff73ed wolfcrypt/src/sha256.c: in wc_Sha256HashBlock(), use ByteReverseWords() rather than a series of ByteReverseWord32() to get WOLFSSL_USE_ALIGN. 2025-10-22 22:54:20 -05:00
Daniel Pouzzner
be301f93da fixes for autotools config around armasm AES/SHA refactor in #9284: in configure.ac, add BUILD_FIPS_V5_PLUS and BUILD_FIPS_V6_PLUS conditionals, and fix BUILD_FIPS_V6 conditional to match v6 only;
in src/include.am, add LEGACY_ARMASM_foo and NEW_ARMASM_foo helper variables, restore pre-PR9284 armasm clauses, and add or update several FIPS gates as needed;

add empty wolfcrypt/src/port/arm/{armv8-aes.c,armv8-sha256.c,armv8-sha512.c} to mollify autotools, and in wolfcrypt/src/include.am, restore them to EXTRA_DIST if FIPS v5 or v6.
2025-10-22 22:52:24 -05:00
Sean Parkinson
dc45a6f340 Benchmark: add cycle counts for asym ops
Added million of cycles per op information.
Getting cycle count for Aarch64 now too.
2025-10-23 08:43:05 +10:00
JacobBarthelmeh
4daab8a813 Merge pull request #9284 from SparkiDev/aarch64_asm_gen
Aarch64 asm: convert to generated
2025-10-22 11:10:27 -06:00
JacobBarthelmeh
520d9501af Merge pull request #9322 from SparkiDev/crldist_reason_fix
X.509 cert: crl distribution point reasons is IMPLICIT
2025-10-22 09:33:08 -06:00
JacobBarthelmeh
d60e4ddbd1 Merge pull request #9329 from SparkiDev/regression_fixes_20
Regression testing fixes
2025-10-22 09:12:58 -06:00
JacobBarthelmeh
58e37067ef Merge pull request #9315 from SparkiDev/aes_cfb_ofb_improv
AES: Improve CFB and OFB and add tests
2025-10-22 09:06:46 -06:00
Sean Parkinson
821dc5cb13 Regression testing fixes
Adding protection to tests that use RSA and ECC.
2025-10-22 18:33:44 +10:00
Sean Parkinson
8533bc803b AES: Improve CFB and OFB and add tests
Improve performance of CFB and OFB.
Only have one implementation that is used by OFB encrypt and decrypt.

Update AES testing in unit.test.

Update benchmarking of CFB and OFb to include decrypt.
2025-10-22 12:19:56 +10:00
effbiae
4964a1760a refactor to ImportPeerECCKey 2025-10-22 13:03:55 +11:00
Josh Holtrop
ce610db4e8 Rust wrapper: add wolfssl::wolfcrypt::hmac module 2025-10-21 16:59:32 -04:00
philljj
7e6c86a6c3 Merge pull request #9326 from douzzer/20251021-KDF-FIPS-gate-tweaks
20251021-KDF-FIPS-gate-tweaks
2025-10-21 12:49:21 -05:00
David Garske
9c3a0e3a67 Merge pull request #9324 from douzzer/20251020-coverity-WC_SAFE_foo
20251020-coverity-WC_SAFE_foo
2025-10-21 09:41:25 -07:00
JacobBarthelmeh
936e350c63 Merge pull request #9325 from LinuxJedi/zp-fixes
Fix things found with ZeroPath
2025-10-21 10:19:01 -06:00
Brett Nicholas
1134d246f7 Merge pull request #9309 from night1rider/CryptoCbCopy
Add crypto callback support for copy/free operations (SHA-256)
2025-10-21 09:45:18 -06:00
Daniel Pouzzner
b07bc74a71 wolfcrypt/test/test.c: skip nist_sp80056c_kdf_test() and nist_sp800108_cmac() on FIPS <7.0.0. 2025-10-21 10:38:55 -05:00
JacobBarthelmeh
818d1e37eb Merge pull request #9321 from anhu/no_conv_ems
Prevent a conversion warning
2025-10-21 09:38:00 -06:00
David Garske
c1339abc05 Merge pull request #9323 from philljj/fix_coverity_onestep
KDF onestep: hashOutSz err check.
2025-10-21 08:23:05 -07:00
David Garske
6f9ca6cb52 Merge pull request #9294 from LinuxJedi/benchmark-ram
Benchmark memory tracking
2025-10-21 08:15:28 -07:00
David Garske
0eb7ad0ead Merge pull request #9320 from holtrop/rust-wc-sha
Rust wrapper: add wolfssl::wolfcrypt::sha module
2025-10-21 08:15:01 -07:00
Andrew Hutchings
90e0857d2d Validate LinuxKM I/O lengths
Reject negative lengths and normalize to size_t before calling kernel_sendmsg/kernel_recvmsg so the kernel transport can’t be tricked into huge or wrapped iov_len values.
2025-10-21 14:40:36 +01:00
Andrew Hutchings
259670055a Bound buffered HTTP body size
Clamp per-chunk and aggregated HTTP response sizes before allocating in wolfIO_HttpProcessResponseBuf so untrusted Content-Length or chunk headers can’t overflow the arithmetic or force giant buffers.
2025-10-21 14:13:41 +01:00
Andrew Hutchings
be1428d108 Validate AF_ALG RSA inputs
Require the ciphertext length to match the RSA modulus before copying into the AF_ALG Xilinx stack buffer, preventing oversized inputs from overflowing the aligned scratch space.
2025-10-21 13:57:36 +01:00
Andrew Hutchings
11d2f4894e Guard ProcessKeyShare against truncated key shares
Add bounds check before reading named_group so malformed TLS 1.3 key share data cannot read past the supplied buffer.
2025-10-21 13:40:00 +01:00
Andrew Hutchings
8b4f816ae7 BioReceiveInternal: allow NULL write BIO
Some callers, such as the OCSP request context, only supply a read BIO. Guard the write-BIO pending check so a read error or EOF does not dereference NULL.
2025-10-21 13:12:52 +01:00
Andrew Hutchings
e6ca4d15e2 MicriumReceiveFrom: tighten peer validation
Reject DTLS datagrams when the stored peer is missing, the address length changes, or the address bytes differ. The old check required both the length and byte comparisons to fail, letting spoofed peers through when only one mismatch occurred.
2025-10-21 13:10:04 +01:00
Sean Parkinson
9c1462a9ec Aarch64 asm: convert to generated
Algorithms now generated:
  SHA-256
  SHA-512
  ChaCha20
  Poly1305
  AES-ECB
  AES-CBC
  AES-CTR
  AES-GCM + streaming
  AES-XTS
  AES SetKey

ARM32 asm algorithms generated now too:
  SHA-256
  SHA-512
  ChaCha20
  AES-ECB
  AES-CBC
  AES-CTR
  AES-GCM
  AES-XTS
  AES SetKey

Removed use of ARM specific implementations of algorithms. (armv8-aes.c)
2025-10-21 17:03:39 +10:00
Daniel Pouzzner
ca552cc345 src/internal.c: work around false positive "C4701: potentially uninitialized local variable" in GrowOutputBuffer(). 2025-10-20 23:54:15 -05:00
Daniel Pouzzner
279238ce63 wolfssl/wolfcrypt/types.h:
* fix WC_MIN_SINT_OF().
* add outer cast back to target type in WC_MAX_UINT_OF() and WC_MAX_SINT_OF().
* rename WC_SAFE_SUM_*_NO_WUR to WC_SAFE_SUM_*_CLIP().
* remove clipping assignments from failure paths in WC_WUR_INT() variants.
* add WC_SAFE_SUB_UNSIGNED_CLIP(), WC_SAFE_SUB_UNSIGNED(), WC_SAFE_SUB_SIGNED_CLIP(), and WC_SAFE_SUB_SIGNED().
* add Coverity-specific annotations in WC_SAFE_*() to suppress false-positive overflow warnings.

wolfcrypt/test/test.c:
* implement macro_test().
* fix stray uint32_t's in crypto_ecc_verify() and crypto_ecc_sign() arg lists.

wolfssl/wolfcrypt/ext_xmss.h: fix stray uint32_t.
2025-10-20 23:27:09 -05:00
jordan
c1032a8cb6 KDF onestep: hashOutSz err check. 2025-10-20 22:05:41 -05:00
Sean Parkinson
5adf392d56 Merge pull request #9281 from effbiae/tlsx-with-ech
refactor to TLSX_ChangeSNIBegin/End
2025-10-21 10:58:33 +10:00
Sean Parkinson
3f9e2e5baa X.509 cert: crl distribution point reasons is IMPLICIT
The reasons field is IMPLICIT meaning that the value is directly under
the context-specific tag. That is context-specific tag is not
constructed.
2025-10-21 09:30:45 +10:00
Andrew Hutchings
00c936c29e Only change WC_BENCH_MAX_LINE_LEN when we need to 2025-10-20 18:58:16 +01:00
night1rider
f1faefed91 Added callbacks for copy and free to SHA, 224, 384, 512, and SHA3. Also split macros for FREE and COPY Callbacks, and add configure.ac option. 2025-10-20 11:09:35 -06:00
Anthony Hu
26ba17b48e Prevent a conversion warning 2025-10-20 12:20:59 -04:00
David Garske
d86575c766 Merge pull request #9312 from night1rider/FixCallbackRngInit
Refactor wc_rng_new to use wc_rng_new_ex, and to use WC_USE_DEVID as the devId if set at compile time
2025-10-20 09:19:17 -07:00
night1rider
0dca3bc24d Setup to be opt-in for copy callback, and also added a outline for a free callback 2025-10-20 10:07:24 -06:00
night1rider
4d6418f31a Add crypto callback support for copy operations (SHA-256) 2025-10-20 10:06:30 -06:00
David Garske
7fa53c8c71 Merge pull request #9289 from philljj/cmac_kdf
cmac kdf: add NIST SP 800-108, and NIST SP 800-56C two-step.
2025-10-20 08:33:30 -07:00
night1rider
bd4099d2d7 Update test.c tests to use global devId instead of INVALID_DEVID 2025-10-20 09:16:23 -06:00
night1rider
28c78b5c0c Use global devId for RNG initialization in tests: mlkem_test, dilithium_test, xmss_test, lms_test 2025-10-20 09:16:23 -06:00
night1rider
fba8cab200 Refactor wc_rng_new to use wc_rng_new_ex, and to use WC_USE_DEVID as the devId if set at compile time 2025-10-20 09:16:23 -06:00
jordan
525c212d1c cmac kdf: add NIST SP 800-108, and NIST SP 800-56C two-step. 2025-10-20 08:20:23 -05:00
Josh Holtrop
987bf2fe2e Rust wrapper: fix test_ecc sig_to_rs() check 2025-10-20 09:09:53 -04:00
Josh Holtrop
714abfa1c0 Rust wrapper: add wolfssl::wolfcrypt::sha module 2025-10-20 08:44:07 -04:00
philljj
aba9ee4015 Merge pull request #9319 from douzzer/20251018-linuxkm-gdwarf-4-g1
20251018-linuxkm-gdwarf-4-g1
2025-10-18 14:35:46 -05:00
Daniel Pouzzner
9881c95c46 linuxkm/Kbuild: refactor RENAME_PIE_TEXT_AND_DATA_SECTIONS to automatically derive the list of all ELF sections to rename, rather than enumerating them staticly in the objcopy recipe (motivated by changes expected in kernel 6.19). 2025-10-18 12:07:35 -05:00
Daniel Pouzzner
a36dd35e59 linuxkm: rename FIPS container segments from foo.wolfcrypt to foo_wolfcrypt to avoid getting rearranged by kernel scripts/module.lds klp/kpatch clauses expected in kernel 6.19. 2025-10-18 03:23:38 -05:00
Daniel Pouzzner
2bbc3a0ae2 wolfcrypt/test/test.c: fixes for --disable-sha256, --disable-hmac, --disable-rng, and FIPS gating on RSA-PSS. 2025-10-18 02:05:55 -05:00
Daniel Pouzzner
08f5c3e8b9 configure.ac: in linuxkm setup, use -g1 explicitly unless --enable-debug, whereupon use -g3. also, add -gdwarf-4 to AM_CCASFLAGS. 2025-10-18 01:56:48 -05:00
Andrew Hutchings
d87ca70048 Fix mixed declaration / code 2025-10-18 06:18:29 +01:00
Andrew Hutchings
01dc28ad31 Seperate AES alloc / dealloc phases 2025-10-18 06:13:40 +01:00
Andrew Hutchings
65bb68b6c0 Move heap/stack tracking to before init phase
Start tracking during the setup of the algo, so we can capture the
memory usage of the algo init functions.
2025-10-18 06:13:36 +01:00
Andrew Hutchings
036c66c777 Benchmark memory tracking
This adds heap and stack tracking to wolfCrypt bench so that it is
possible to see RAM usage. It also adds support for stack tracking in
microcontrollers (tested on STM32).
2025-10-18 06:09:01 +01:00
philljj
c091c8b7ba Merge pull request #9318 from douzzer/20251017-linuxkm-signal-handling-tweaks
20251017-linuxkm-signal-handling-tweaks
2025-10-17 21:17:20 -05:00
Daniel Pouzzner
69f236be0a linuxkm/linuxkm_wc_port.h: suppress -Wformat-nonliteral while including kernel headers (needed for kernel <=4.9). 2025-10-17 19:31:17 -05:00
Daniel Pouzzner
6a0be6a7f7 configure.ac: remove -g0 from, and always add -DHAVE_REPRODUCIBLE_BUILD to, reproducible-build AM_CFLAGS, and always add -gdwarf-4 to AM_CFLAGS when ENABLED_LINUXKM;
.github/workflows/linuxkm.yml: restore as-was, but change from oldconfig to olddefconfig.
2025-10-17 18:24:32 -05:00
Daniel Pouzzner
d2f819a2f6 linuxkm/module_hooks.c and linuxkm/lkcapi_glue.c: check retval from WC_SIG_IGNORE_BEGIN(). 2025-10-17 18:23:25 -05:00
David Garske
d475985062 Merge pull request #9306 from holtrop/rust-wc-dh
Rust wrapper: add wolfssl::wolfcrypt::dh module
2025-10-17 15:41:58 -07:00
Daniel Pouzzner
e142a9629f linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c: tweak gating for verifyCore and my_kallsyms_lookup_name, and use the latter to reach verifyCore on old FIPS. also tweak the In-core integrity hash check failure." message to supply module-update-fips-hash instructions. 2025-10-17 17:12:37 -05:00
Daniel Pouzzner
354c576c96 .github/workflows/linuxkm.yml: comment out --enable-linuxkm-pie config, pending resolution of "dwarf_get_units failed" on Azure kernel 6.14 image. 2025-10-17 15:00:04 -05:00
Daniel Pouzzner
7a43732daa linuxkm/linuxkm_wc_port.h, wolfssl/wolfcrypt/types.h, linuxkm/module_hooks.c, linuxkm/lkcapi_glue.c:
* add WC_SIG_IGNORE_BEGIN(), WC_SIG_IGNORE_END(), wc_linuxkm_sig_ignore_begin(), wc_linuxkm_sig_ignore_end();
* move WC_CHECK_FOR_INTR_SIGNALS() and WC_RELAX_LONG_LOOP() definitions outside the BUILDING_WOLFSSL gate;
* refactor linuxkm_lkcapi_registering_now as a wolfSSL_Atomic_Int and use it as a mutex for linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister();
* add WC_SIG_IGNORE_BEGIN()...WC_SIG_IGNORE_END() wrappers around all relevant critical spans in linuxkm glue.
2025-10-17 14:58:21 -05:00
Josh Holtrop
4faa21a74a Rust wrapper: Fix DH::FFDHE_* constant values 2025-10-17 14:46:15 -04:00
Josh Holtrop
8e7f77db76 Rust wrapper: add wolfssl::wolfcrypt::dh module 2025-10-17 14:46:15 -04:00
lealem47
5280bfb89a Merge pull request #9297 from douzzer/20251011-more-fips-optest-tweaks
20251011-more-fips-optest-tweaks
2025-10-17 12:44:25 -06:00
David Garske
f492abfe9e Merge pull request #9314 from SparkiDev/silabs_no_hash_raw
SHA-2: No hash raw
2025-10-17 10:19:01 -07:00
effbiae
8969e5f36a refactor to TLSX_EchChangeSNI 2025-10-17 13:51:42 +11:00
Daniel Pouzzner
9cf08afbbb fixes for --disable-tls. 2025-10-16 18:50:06 -05:00
Daniel Pouzzner
f508b44f0f configure.ac: in setup for cryptonly, don't set enable_tls13=no or enable_tlsv12=no -- they're needed for crypto-layer KDFs. 2025-10-16 18:50:06 -05:00
Daniel Pouzzner
b924e9a905 linuxkm/module_hooks.c: add sanity check for compiled-in verifyCore, and fix linuxkm_op_test_1() call to use argc==3 arg list. 2025-10-16 18:50:06 -05:00
Daniel Pouzzner
5ee42402ae wolfssl/wolfcrypt/types.h: fix whitespace around WC_SAFE_SUM_*(). 2025-10-16 18:50:06 -05:00
Daniel Pouzzner
6fb547a1ae linuxkm/module_hooks.c: purge fipsMode override (fipsEntry() takes care of this), and add explicit fipsCastStatus[] reset code. 2025-10-16 18:50:06 -05:00
Daniel Pouzzner
e8d9f91868 linuxkm/module_hooks.c and linuxkm/linuxkm_wc_port.h: finish implementation of
FIPS_OPTEST glue code, including /sys/module/libwolfssl/FIPS_optest_run_code
(FIPS_optest_trig_handler(), plus my_kallsyms_lookup_name() helper).
2025-10-16 18:50:05 -05:00
Daniel Pouzzner
581e86c178 wolfcrypt/test/test.c: fix error-path uninitialized access defect in ecc_test_buffers(). 2025-10-16 18:50:05 -05:00
Zackery
0d588b446c Merge pull request #9313 from douzzer/20251016-Wnull-dereference
20251016-Wnull-dereference
2025-10-16 17:47:23 -06:00
Sean Parkinson
d0909991fb SHA-2: No hash raw
Implementation of FinalRaw for SE050 was not usable - TLS_hmac did not
produce valid results.
Removed implementations and defining WOLFSSL_NO_HASH_RAW to compile to
not require FinalRaw APIs.
2025-10-17 07:46:50 +10:00
Daniel Pouzzner
0c4feb0aa6 wolfcrypt/src/asn.c: revert earlier changes in EncodeName(), and add local S390-specific pragma to inhibit false-positive -Wnull-dereference. 2025-10-16 16:10:54 -05:00
Daniel Pouzzner
d6aa157187 fixes for OPENSSL_COEXIST covering OPENSSL_COMPATIBLE_DEFAULTS and WOLFSSL_WPAS:
* src/ssl.c:wolfSSL_CTX_new_ex()
* src/x509.c:wolfSSL_X509_PUBKEY_set()
2025-10-16 15:10:16 -05:00
Daniel Pouzzner
6ee660841b fixes/workarounds for -Wnull-dereferences, some true positive, some false
positive:
* src/pk.c:wolfSSL_RSA_meth_new()
* tests/api.c:test_wolfSSL_PKCS7_certs()
* tests/api.c:test_wolfSSL_X509V3_EXT_get()
* wolfcrypt/src/asn.c:EncodeName()
* wolfcrypt/src/pkcs12.c:wc_i2d_PKCS12()
* wolfcrypt/src/port/af_alg/afalg_aes.c
2025-10-16 15:10:16 -05:00
David Garske
0727bae09e Merge pull request #9310 from SparkiDev/lms_cast_16bit
LMS: Cast constants before shifting left
2025-10-16 12:16:05 -07:00
David Garske
a22d239bfd Merge pull request #9301 from effbiae/set_srp_username
refactor wolfSSL_CTX_set_srp_username
2025-10-16 11:32:24 -07:00
David Garske
d88ab84b9f Merge pull request #9311 from SparkiDev/regression_fixes_19
Regression testing
2025-10-16 10:56:27 -07:00
Daniel Pouzzner
058686b829 Merge pull request #9305 from dgarske/bench_rsapub
Fix for benchmark with key gen and "out" not being allocated
2025-10-16 12:23:23 -05:00
Sean Parkinson
c111c5bacc Regression testing
x509.c: realloc may fail and therefore need to store result in a
temporary so the old pointer is not lost.

tls.c: free the name if it is not pushed on to the stack of peer CA
names. Failure to push can be from memory allocation failure.

aes.c: Don't compile XTS decrypt functions without HAVE_AES_DECRYPT.

Fix tests to have better pre-processor protection.
2025-10-16 12:13:32 +10:00
Sean Parkinson
36c953dd8f LMS: Cast constants before shifting left
Compiling for 16-bit results in some constants type being too small for
shift amount without cast.
2025-10-16 09:24:48 +10:00
Kareem
88a55cdb71 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20603 2025-10-15 15:48:16 -07:00
Kareem
8d41d1ca65 Add IPv6 support to wolfSSL_BIO_new_accept and wolfIO_TcpBind. 2025-10-15 15:47:22 -07:00
lealem47
832e23a5f7 Merge pull request #9307 from douzzer/20251015-linuxkm-fixes
20251015-linuxkm-fixes
2025-10-15 16:26:00 -06:00
Daniel Pouzzner
3746164d60 linuxkm/linuxkm_wc_port.h: don't include wolfssl/wolfcrypt/memory.h (unneeded and out of order). 2025-10-15 17:06:31 -05:00
Zackery
790808b172 Merge pull request #9303 from dgarske/silabs_series2
Support for detecting SILABS ERF32 Series 2 ECDSA support for P384/P521
2025-10-15 12:46:44 -06:00
David Garske
0c4f5879d8 Fix for benchmark with key gen and "out" not being allocated because of typo between WOLFSSL_RSA_VERIFY_INLINE and WOLFSSL_RSA_VERIFY_ONLY.
Reproduced with: `./configure --enable-keygen CFLAGS="-DWOLFSSL_RSA_VERIFY_INLINE" --disable-examples && make && ./wolfcrypt/benchmark/benchmark -rsa`
2025-10-15 11:25:49 -07:00
Daniel Pouzzner
250e19a682 Merge pull request #9299 from dgarske/bench_rsasz
Fix for improper sizing on `bench_rsa_helper`
2025-10-15 11:55:48 -05:00
Eric Blankenhorn
f9b666dd8a Merge pull request #9298 from douzzer/20251014-WC_SAFE_SUM
20251014-WC_SAFE_SUM
2025-10-15 11:44:04 -05:00
David Garske
53bbf7f2d7 Merge pull request #9302 from effbiae/wc_FreeRng
wc_FreeRng called multiple times in wolfSSL_CTX_set_srp_password
2025-10-15 08:48:17 -07:00
David Garske
91bf738025 Support for detecting SILABS ERF32 Series 2 ECDSA support for P384/P521 2025-10-15 08:33:37 -07:00
effbiae
1de2ad48bd wc_FreeRng called multiple times in wolfSSL_CTX_set_srp_password 2025-10-15 17:43:53 +11:00
effbiae
cadea76e43 refactor wolfSSL_CTX_set_srp_username 2025-10-15 17:15:07 +11:00
Daniel Pouzzner
c771167127 add WC_ prefixes to MAX_UINT_OF() and friends, to avoid collision with wolfSentry macros. 2025-10-14 19:16:21 -05:00
Daniel Pouzzner
21a66ec36b wolfssl/wolfcrypt/types.h: add missing static attribute to WC_WUR_INT(). 2025-10-14 19:10:15 -05:00
David Garske
75097f3e09 Fix for improper sizing on bench_rsa_helper 2025-10-14 16:41:27 -07:00
Daniel Pouzzner
1602ed2f3a wolfcrypt/src/asn.c: rearrange check for null cname in EncodeName() to fix false positive -Wnull-dereference.
src/internal.c: suppress -Wnull-dereference locally in ProcessPeerCertParse() to fix false positive.
2025-10-14 18:27:02 -05:00
Daniel Pouzzner
7c7040da24 src/internal.c: fix -Wnull-dereference in LoadCertByIssuer(). 2025-10-14 17:38:12 -05:00
Daniel Pouzzner
204eb96d2f src/ssl.c: fix overflow/overrun defect in wolfSSL_writev(). 2025-10-14 16:29:15 -05:00
Daniel Pouzzner
014f55fe10 wolfssl/wolfcrypt/types.h: add WC_WUR_INT(), MAX_UINT_OF(), MAX_SINT_OF(), MIN_SINT_OF(), WC_SAFE_SUM_UNSIGNED(), and WC_SAFE_SUM_SIGNED(). 2025-10-14 16:28:32 -05:00
David Garske
3534fad3ee Merge pull request #9295 from rizlik/shutdown_nonblocking_fix
wolfSSL_shutdown: handle non-blocking I/O
2025-10-14 12:50:57 -07:00
Marco Oliverio
4280b52bff test: increase coverage for multiple wolfSSL_shutdown test 2025-10-14 10:05:11 +02:00
Marco Oliverio
4b7a2b677b wolfSSL_shutdown: fix non-blocking retry after WANT_WRITE.
1. Send buffered message in case SendAlert_ex returned WANT_WRITE.
2. If pending messages are sent successfully return SHUTDOWN_NOT_DONE as
   current API behavior.
3. Propagate WANT_READ error for ProcessReply if waiting for other peer
   shutdown (when invoking wolfSSL_shutdown for the second time)
2025-10-14 10:05:11 +02:00
Sean Parkinson
77dcbb5603 Merge pull request #9293 from dgpighin/docstrings_update
Some updates to the docstrings
2025-10-14 16:14:15 +10:00
Daniel Pouzzner
b2c105d5f7 Merge pull request #9292 from embhorn/zd20626
Fix GCC warnings
2025-10-13 23:17:13 -05:00
Daniel Pouzzner
6fbd101f7d Merge pull request #9153 from effbiae/wc-small-stack
Small stack compress -- 3000line reduction
2025-10-13 23:12:01 -05:00
David Garske
e877fa747d Merge pull request #9185 from Pushyanth-Infineon/psoc6_sha1_sha2_sha3_support
Enable hardware acceleration for SHA1, SHA384 and SHA3 algorithms on PSoC6
2025-10-13 13:29:52 -07:00
Eric Blankenhorn
dd22fa3243 Fix from testing 2025-10-13 15:27:01 -05:00
Eric Blankenhorn
f3428295f6 Clarify use of static ciphers in readme files (#9283)
embhorn : Clarify use of static ciphers in readme files
2025-10-13 11:38:11 -07:00
David Garske
4f0836eb73 Merge pull request #9291 from JacobBarthelmeh/csharp
Fixes for Ed25519 raw key import with C# wrapper
2025-10-13 11:35:44 -07:00
David Garske
9872207702 Merge pull request #9285 from SparkiDev/sp_small_stack_macros
SP: macros for variables that may be allocated
2025-10-13 11:12:24 -07:00
Eric Blankenhorn
e67b85724e Fix from testing 2025-10-13 12:57:47 -05:00
Eric Blankenhorn
bae25afa40 Fix from testing 2025-10-13 12:42:01 -05:00
Eric Blankenhorn
adc9146035 Fix from testing 2025-10-13 12:33:40 -05:00
Eric Blankenhorn
83336e3436 Fix from testing 2025-10-13 12:15:39 -05:00
Marco Oliverio
6b0e24eed2 test_memio: support WANT_WRITE simulation 2025-10-13 16:27:55 +02:00
David Garske
610d8e5366 Merge pull request #9275 from SparkiDev/xtensa_ct_x25519
Xtensa: mitigate potential non-CT assembly output
2025-10-13 07:13:53 -07:00
effbiae
f4b8f844b2 indent {.*;} macro args 2025-10-13 14:04:06 +11:00
Sean Parkinson
fac53abc14 SP: macros for variables that may be allocated
Add macros to make the code simpler around allocating from dynamic
memory when WOLFSSL_SP_SMALL_STACK is defined.
Change over to using macros where it makes sense.
2025-10-13 11:48:07 +10:00
Sean Parkinson
c161cbd9f3 Xtensa: mitigate potential non-CT assembly output
Compilers for Xtensa have been seen to produce non-constant time code.
Force small code size builds for X25519, Ed25519, X448 and Ed448.
2025-10-13 10:24:01 +10:00
Dario Pighin
a61d79d154 Some updates to the docstrings 2025-10-11 16:43:05 +02:00
effbiae
b5c5854064 fix for cppcheck defect in src/ssl.c 2025-10-11 11:40:30 +11:00
effbiae
6bda10abd0 define WOLFSSL_SMALL_STACK in tests and benchmark for ASYNC 2025-10-11 11:40:30 +11:00
effbiae
3921362250 WC_VAR macros 2025-10-11 11:40:30 +11:00
effbiae
75a6621c63 hand edits for small stack compress 2025-10-11 11:40:30 +11:00
effbiae
7a3db09ddd automated small stack compress 2025-10-11 11:40:30 +11:00
Kamatham Pushyanth
b2c5eb51d8 Enable hardware acceleration for SHA algorithms on PSoC6.
- Introduced conditional compilation for PSoC6 crypto support across SHA1, SHA2, SHA3 implementations.
- Ensured proper mutex locking for concurrent access to hardware resources during hash operations.
- Added public key creation functionality if only private key is provided in ECDSA verify function (psoc6_ecc_verify_hash_ex).
- Updated ECC parameter size handling to fix incorrect endianness conversions in psoc6_ecc_verify_hash_ex().
- Added README for PSOC6 port.
2025-10-11 05:23:40 +05:30
Eric Blankenhorn
e47be2163a Fix buffer warnings in x509 2025-10-10 15:33:53 -05:00
Eric Blankenhorn
f713cdb5e0 Fix evp const warning and pk buffer warning 2025-10-10 15:14:56 -05:00
JacobBarthelmeh
9debdda1fa fix for C# wrapper Ed25519 import raw key and fix Curve25519 private key decode 2025-10-10 12:32:14 -06:00
JacobBarthelmeh
a081a033fd add C# raw public Ed25519 key export/import test 2025-10-10 12:29:05 -06:00
David Garske
e4b7f66927 Merge pull request #9286 from holtrop/rust-wc-ecc
Rust wrapper: add wolfssl::wolfcrypt::ecc module
2025-10-10 10:26:47 -07:00
David Garske
8a6297d42b Merge pull request #9267 from julek-wolfssl/dtls-stricter-ordering
Add message order sanity checks
2025-10-10 10:26:34 -07:00
Eric Blankenhorn
aa56c40d30 Fix / suppress GCC warnings 2025-10-10 11:56:03 -05:00
David Garske
f8c2e9c000 Merge pull request #9134 from JacobBarthelmeh/csharp
update mono build README instructions
2025-10-10 09:21:07 -07:00
Josh Holtrop
dbc1ecc376 Rust wrapper: remove a couple mut ptr casts 2025-10-10 11:07:19 -04:00
David Garske
d9f8e15fff Merge pull request #9288 from mattia-moffa/20251010-python-new-oid-sum
Disable WOLFSSL_OLD_OID_SUM on Python builds
2025-10-10 08:05:17 -07:00
David Garske
46281a2c17 Merge pull request #9287 from douzzer/20251009-more-WOLFSSL_API_PREFIX_MAP
20251009-more-WOLFSSL_API_PREFIX_MAP
2025-10-10 08:05:05 -07:00
Josh Holtrop
a986b03f53 Rust wrapper: Address code review feedback for ECC 2025-10-10 06:56:46 -04:00
Juliusz Sosinowicz
42238c57b7 Improve documentation and add comments to test_memio buffer utilities 2025-10-10 11:52:47 +02:00
JacobBarthelmeh
7502cbaa3e remove trailing white space in mono.yml 2025-10-10 00:50:46 -06:00
Mattia Moffa
490f20d8f8 Disable WOLFSSL_OLD_OID_SUM on Python builds 2025-10-10 01:25:03 +02:00
David Garske
9633248b49 Merge pull request #9276 from SparkiDev/kapi_ecc_init
KCAPI ECC: initialize mp_ints
2025-10-09 15:40:04 -07:00
Daniel Pouzzner
f767bd2851 .github/workflows/symbol-prefixes.yml: add PQC, --enable-acert, and --with-sys-crypto-policy to configuration;
wolfssl/ssl.h: make sure WOLFSSL_NO_TLS12 is defined in the TLS layer when NO_TLS.
2025-10-09 17:33:14 -05:00
Daniel Pouzzner
d1ba8eb9d0 configure.ac: don't add PQC to --enable-all-crypto -- not ready yet.
.github/workflows/symbol-prefixes.yml: count and report total_public_symbols, and use a better pattern to classify refs as defs.
2025-10-09 16:36:14 -05:00
Daniel Pouzzner
f1d014aecd add .github/workflows/symbol-prefixes.yml.
configure.ac:
* add ML-KEM, ML-DSA, XMSS, and LMS to --enable-all-crypto when !ENABLED_FIPS.
* swap order of --enable-kyber and --enable-mlkem handler code to put mlkem first.
* add --enable-mldsa hander code.
* remove setup code that was adding -DWOLFSSL_NO_TLS12 and -DNO_OLD_TLS to
  AM_CFLAGS when ENABLED_CRYPTONLY -- NO_OLD_TLS is already defined earlier for
  when ENABLED_CRYPTONLY, and WOLFSSL_NO_TLS12 breaks wc_PRF_TLS(), which is
  inside-the-FIPS-boundary crypto.

linuxkm/linuxkm_wc_port.h:
* adopt the WC_SANITIZE_DISABLE and WC_SANITIZE_ENABLE setup code from
  settings.h (where it didn't belong).
* fix FIPS remapping of wc_InitMutex&friends to InitMutex&friends -- inhibit
  when WOLFSSL_API_PREFIX_MAP.

wolfcrypt/src/ge_operations.c: add _wc_curve25519_dummy() to fix visibility of
curve25519().

wolfcrypt/src/poly1305.c: fix visibility of several unprefixed helper routines.

wolfcrypt/test/test.c: fix gating on tls12_kdf_test() and prf_test() (both
  require !WOLFSSL_NO_TLS12).

wolfssl/internal.h, wolfssl/wolfio.h: add several WOLFSSL_API_PREFIX_MAPs.

wolfssl/wolfcrypt/ge_operations.h: fix visibility of several internal asm
  functions.

wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM setup, add gates to avoid redef
  warnings for various settings, and remove the setup for
  WC_SANITIZE_{DISABLE,ENABLE} (moved to linuxkm_wc_port.h as noted above).

wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_API_PREFIX_MAPs for InitMutex() and
  friends.
2025-10-09 15:34:08 -05:00
David Garske
f070ae1024 Merge pull request #9237 from gojimmypi/pr-max-error-sz
Detect if WOLFSSL_MAX_ERROR_SZ is too small
2025-10-09 13:09:51 -07:00
Josh Holtrop
883da3dd35 Rust wrapper: add wolfssl::wolfcrypt::ecc module 2025-10-09 14:58:07 -04:00
Juliusz Sosinowicz
5efdc6b7b6 Make mutual auth side check more robust 2025-10-09 20:23:56 +02:00
gojimmypi
ed506a5e4d Detect if WOLFSSL_MAX_ERROR_SZ is too small 2025-10-09 09:48:10 -07:00
Juliusz Sosinowicz
bd9f7b5b87 Clarify return values in wolfSSL_mutual_auth documentation 2025-10-09 00:57:08 +02:00
David Garske
3f460b40bc Merge pull request #9258 from kareem-wolfssl/zd19563_4
Fix potential memory leak in wolfSSL_X509_verify_cert.
2025-10-08 13:59:58 -07:00
David Garske
29e2f21fff Merge pull request #9224 from kareem-wolfssl/zd20527
Fix swapped WOLFSSL_SILABS_SHA384/SHA512 defines in sha512.c.
2025-10-08 13:19:05 -07:00
David Garske
db4d2af935 Merge pull request #9257 from kareem-wolfssl/zd20595
Fix running tests in FIPS mode with hash DRBG disabled.
2025-10-08 12:57:46 -07:00
Kaleb Himes
38df498db0 Merge pull request #9282 from douzzer/20250926-fips-optest-tweaks
20250926-fips-optest-tweaks
2025-10-08 13:19:27 -06:00
Daniel Pouzzner
f4d929593f add WOLFSSL_API_PREFIX_MAP -- when defined, exported symbols otherwise missing wc_ or wolfSSL_ prefixes are remapped with the appropriate prefix;
define WOLFSSL_API_PREFIX_MAP in WOLFSSL_LINUXKM setup in settings.h;

fix gates on WOLFSSL_HAVE_PRF and WOLFSSL_NO_CT_OPS setup in settings.h;

linuxkm/: add support for FIPS_OPTEST.
2025-10-08 13:15:56 -05:00
David Garske
7c64292851 Merge pull request #9277 from danielinux/pkcs11-aes-ctr
Added support for AES-CTR in PKCS11 driver
2025-10-08 08:32:57 -07:00
Juliusz Sosinowicz
8233d0d8a2 test_memio_move_message: add docs 2025-10-08 16:20:39 +02:00
Juliusz Sosinowicz
13f8f66281 Add docs 2025-10-08 13:43:35 +02:00
Juliusz Sosinowicz
b32c1aa15c fixup! Add message order sanity checks 2025-10-08 13:33:09 +02:00
Juliusz Sosinowicz
10365d6082 Allow clearing group messages flag 2025-10-08 11:11:03 +02:00
Juliusz Sosinowicz
6fbbdf9324 Add message order sanity checks
Reorganize test_dtls tests to use TEST_DECL_GROUP
Reorganize test_tls tests to use TEST_DECL_GROUP
2025-10-08 11:11:03 +02:00
Kaleb Himes
4dbf96b7bc Merge pull request #9280 from douzzer/20251007-linuxkm-fortify-source-sunrise
20251007-linuxkm-fortify-source-sunrise
2025-10-07 17:31:45 -06:00
JacobBarthelmeh
459a4be339 add SNI support by default to user_settings.h with C# wrapper 2025-10-07 16:43:30 -06:00
JacobBarthelmeh
b179f0d267 copy over library since mono CI build is having trouble finding it 2025-10-07 16:38:18 -06:00
JacobBarthelmeh
f5898d5f5d no need to run make check with wolfSSL build, this test is checking C# wrapper tests 2025-10-07 16:31:43 -06:00
JacobBarthelmeh
33030c2862 fix for macro guard in dtls test case 2025-10-07 16:27:18 -06:00
JacobBarthelmeh
5c4801fca1 update mono build README instructions and add test case 2025-10-07 15:51:02 -06:00
David Garske
a3af514b65 Merge pull request #8927 from JacobBarthelmeh/usersettings
Fix for user_settings.h build with configure.ac and HAVE_CURVE25519
2025-10-07 14:41:29 -07:00
David Garske
9d72337a25 Merge pull request #9273 from holtrop/rust-wc-rsa
Rust wrapper: add wolfssl::wolfcrypt::rsa module
2025-10-07 14:39:11 -07:00
Kareem
b564138490 Merge remote-tracking branch 'upstream/master' into zd19563_4 2025-10-07 14:23:45 -07:00
Kareem
233e574f32 Merge remote-tracking branch 'upstream/master' into zd20595 2025-10-07 14:23:21 -07:00
Kareem
8fbc39ea6c Merge branch 'master' into zd20527 2025-10-07 14:22:55 -07:00
Kareem
14e1d2eec3 Merge branch 'master' into zd20527 2025-10-07 14:22:08 -07:00
Kareem
931384a117 Merge branch 'master' into zd20595 2025-10-07 14:21:46 -07:00
David Garske
1d67e5551b Merge pull request #9279 from julek-wolfssl/testsuite_test-ready
testsuite_test: reset `ready` in between uses
2025-10-07 13:26:59 -07:00
Josh Holtrop
4fba5f8679 Rust wrapper: add license comments to Rust source files 2025-10-07 16:02:36 -04:00
Josh Holtrop
cf9014dce5 Rust wrapper: document more directories in README.md 2025-10-07 15:59:54 -04:00
Daniel Pouzzner
e4f0acdc1d linuxkm/linuxkm_wc_port.h: disable CONFIG_FORTIFY_SOURCE module-wide on kernels <5.18 (shim conflicts), and add WC_FORCE_LINUXKM_FORTIFY_SOURCE for future use. 2025-10-07 12:49:54 -05:00
David Garske
b75af93a05 Merge pull request #9278 from JacobBarthelmeh/pkcs7_stream
coverity warnings on test case, CID 549270 and 549271
2025-10-07 10:19:01 -07:00
JacobBarthelmeh
2445af9308 compile both fe_operations.c and low_mem version and rely on macro defines to choose which code gets compiled 2025-10-07 10:42:08 -06:00
Juliusz Sosinowicz
5069d977ed testsuite_test: reset ready in between uses
This should fix the constant intermittent failures in GH CI.
2025-10-07 18:30:36 +02:00
David Garske
b3031d25ca Merge pull request #9255 from SparkiDev/tls13_cookie_hash
TLS 1.3 Cookie Hash: use stronger hash if no SHA-256
2025-10-07 08:51:26 -07:00
JacobBarthelmeh
1237a5468f coverity warnings on test case, CID 549270 and 549271 2025-10-07 09:35:37 -06:00
David Garske
d9b52d832c Merge pull request #9259 from julek-wolfssl/dtls13-timeout
Reset DTLS 1.3 timeout
2025-10-07 07:57:17 -07:00
Daniele Lacamera
ea300985e0 Added support for AES-CTR in PKCS11 driver 2025-10-07 13:03:24 +02:00
Sean Parkinson
abfcb7122c KCAPI ECC: initialize mp_ints
Was not initializing mp_ints and it is needed now.
2025-10-07 20:59:27 +10:00
Sean Parkinson
9d546acd03 Merge pull request #9200 from effbiae/build-msg-or-hash-output
refactor to BuildMsgOrHashOutput()
2025-10-07 08:20:20 +10:00
David Garske
92a47829fa Merge pull request #8674 from JacobBarthelmeh/pkcs7_stream
Fix to advance past multiple recipients
2025-10-06 11:27:03 -07:00
Josh Holtrop
ab5d9ad1b8 Rust wrapper: add wolfssl::wolfcrypt::rsa module 2025-10-06 14:10:53 -04:00
David Garske
d4242fa026 Merge pull request #9272 from julek-wolfssl/cov-20251006
Handle coverity reported errors
2025-10-06 10:57:20 -07:00
JacobBarthelmeh
68eb8b70d1 Merge pull request #9271 from rizlik/cryptocb_sha512_family_fix
cryptocb: sha512_family: try specific digest length hashtype first
2025-10-06 11:38:57 -06:00
Daniel Pouzzner
f854795c02 Merge pull request #9263 from holtrop/rsa-const-pointers
RSA API: use const pointers and clean up some comments
2025-10-06 11:55:04 -05:00
JacobBarthelmeh
7128932eff avoid attempt of key decode and free buffer if incorrect recipient found 2025-10-06 10:48:59 -06:00
David Garske
dcafe9adf2 Add STM32H5 PKA support. 2025-10-06 18:38:09 +02:00
David Garske
fe7b6f1651 Add missing TimeNowInMilliseconds for FreeRTOS 2025-10-06 18:38:09 +02:00
David Garske
c349001d94 Move the STM32 hash options into STM32_HASH. Fix for realloc. Improve docs for hcom_uart. Fix issue with detecting RTC and incorrectly setting NO_ASN_TIME. 2025-10-06 18:38:09 +02:00
David Garske
ee77094dd6 Fixes to get STM32N6 hash and GMAC working 2025-10-06 18:38:09 +02:00
Juliusz Sosinowicz
f6be6c8b6d Add timeout assertions to DTLS test 2025-10-06 18:23:16 +02:00
Juliusz Sosinowicz
cd0d986016 Reset DTLS 1.3 timeout 2025-10-06 18:23:16 +02:00
David Garske
874633da38 Merge pull request #9270 from effbiae/sm3-free-x2
double free -- should be o_hash
2025-10-06 08:41:30 -07:00
Juliusz Sosinowicz
32e24e8199 Suppress Coverity deadcode warning in test_ocsp_tls_cert_cb 2025-10-06 16:26:45 +02:00
Juliusz Sosinowicz
a9ad5181e6 tls13: remove dead code in SetupOcspResp csr assignment 2025-10-06 16:21:47 +02:00
Juliusz Sosinowicz
303401b047 Refactor certificate status handling to use word32 2025-10-06 16:19:54 +02:00
Marco Oliverio
fc348da28f fix: escape error code operands 2025-10-06 14:47:13 +02:00
Marco Oliverio
9cbc3f97e5 cryptocb: sha512_family: try specific digest length hashtype first
If the cryptocb provider supports specific SHA512/224 and SHA512/256
hashtype, this commit allows to:

1. avoid a copy
2. do not touch the output buffer outside of the cryptocb handler

2 might be important for cryptocb provider that needs special handling
of memory buffer (DMA, memory mapping).
2025-10-06 11:42:23 +02:00
effbiae
a53f0cd3fa double free -- should be o_hash 2025-10-05 19:13:50 +11:00
Kaleb Himes
99c983d44f Merge pull request #9269 from douzzer/20251002-linuxkm-fencepost-and-fortify-tweaks
20251002-linuxkm-fencepost-and-fortify-tweaks
2025-10-03 17:01:45 -06:00
JacobBarthelmeh
fca3028395 advance index past recipent set in non stream case too 2025-10-03 15:55:35 -06:00
Daniel Pouzzner
781c9bb990 Merge pull request #9268 from dgarske/cryptocb_only
Remove the `NO_WRITE_TEMP_FILES` test.c logic added in #9194
2025-10-03 16:39:59 -05:00
Daniel Pouzzner
46fd3d60f9 linuxkm/Kbuild: activate linker script with backward-compatible construct (tests good on 4.4);
linuxkm/linuxkm_wc_port.h: completely inhibit CONFIG_FORTIFY_SOURCE across the module when HAVE_LINUXKM_PIE_SUPPORT, for fidget-free backward compat;

linuxkm/module_hooks.c:
* add startup-time sanity check on fenceposts,
* enhance DEBUG_LINUXKM_PIE_SUPPORT with coverage for WOLFSSL_TEXT_SEGMENT_CANONICALIZER on the entire text segment,
* compute and report a hash on the stabilized text segment,
* fix wc_linuxkm_normalize_relocations() to allow span end == __wc_text_end, and
* add numerous verbose pr_err()s when DEBUG_LINUXKM_PIE_SUPPORT.
2025-10-03 15:07:56 -05:00
JacobBarthelmeh
4e92920a7f cast variable to word32 for compare 2025-10-03 13:51:15 -06:00
JacobBarthelmeh
12cfca4060 account for no AES build and add err trace macro 2025-10-03 13:51:15 -06:00
JacobBarthelmeh
328f505702 add pkcs7 test with multiple recipients 2025-10-03 13:51:15 -06:00
JacobBarthelmeh
7a5e97e30e adjustment for recipient index advancement 2025-10-03 13:51:15 -06:00
JacobBarthelmeh
6987304f42 Fix to advance past multiple recipients 2025-10-03 13:51:15 -06:00
David Garske
d2be867b51 Remove the NO_WRITE_TEMP_FILES test.c logic added in #9194 2025-10-03 10:40:11 -07:00
David Garske
ac23b48283 Merge pull request #9144 from julek-wolfssl/ocsp-callbacks
tls ocsp: support lazy cert loading with ocsp stapling
2025-10-03 09:47:55 -07:00
Juliusz Sosinowicz
f9063c406b Enables dynamic TLS cert loading with OCSP
Exposes dynamic TLS certificate loading and OCSP stapling to allow applications to load certs lazily.

The server no longer needs to load the CA to staple OCSP responses.

Adds a certificate setup callback (WOLFSSL_CERT_SETUP_CB)
Adds an OCSP status callback to load OCSP responses directly
Adds `wc_NewOCSP`, `wc_FreeOCSP`, and `wc_CheckCertOcspResponse`
Don't call verify twice on the same error
Send correct alert on status response error
2025-10-03 13:08:11 +02:00
effbiae
2adae90a5d refactor to BuildMsgOrHashOutput 2025-10-03 11:41:57 +10:00
Sean Parkinson
ea4554c941 Merge pull request #9234 from effbiae/TLSX_WriteWithEch
restore inner server name in TLSX_WriteWithEch
2025-10-03 09:20:40 +10:00
Sean Parkinson
d8d3a7a22d Merge pull request #9190 from colmenero/hmacCopy-sm3-issue-9187
Add SM3 in wolfSSL_HmacCopy
2025-10-03 09:10:03 +10:00
Sean Parkinson
e14cc3a34e TLS 1.3 Cookie Hash: use stronger hash if no SHA-256
Order of preference, based on algorithms compiled in, to use with HMAC
for TLS 1.3 cookie:
  1. SHA-256
  2. SHA-384
  3. SHA-512
  4. SM3

Make code compile and unittest pass when SHA-256 not compiled in.
Certificates used for testing require SHA-256 so handshake testing
fails.
2025-10-03 08:28:02 +10:00
Daniel Pouzzner
5804ba759a Merge pull request #9194 from dgarske/cryptocb_only_test
Fixes for crypto callback only (no filesystem and keygen)
2025-10-02 16:52:31 -05:00
David Garske
5501111e77 Merge pull request #9265 from douzzer/20251002-misc-clang-tidy-and-fips-fixes
20251002-misc-clang-tidy-and-fips-fixes
2025-10-02 14:38:14 -07:00
Daniel Pouzzner
408e6f79f9 tests/api/test_dtls.c: add missing ExpectIntEQ() around wolfSSL_connect() in test_dtls_bogus_finished_epoch_zero();
wolfcrypt/test/test.c: fix gate for wc_DhGeneratePublic() test in dh_ffdhe_test() to properly exclude 5.3.0.
2025-10-02 14:38:05 -05:00
Josh Holtrop
c36c39af0a RSA API: use const pointers and clean up some comments 2025-10-02 15:28:43 -04:00
David Garske
db6a4dfedb Merge pull request #9238 from effbiae/X509PrintSubjAltName
refactor X509PrintSubjAltName
2025-10-02 11:53:22 -07:00
David Garske
6de0b93a08 Merge pull request #9262 from julek-wolfssl/ascon-h-comment
ascon.h: Correct the placement of the AsconAEAD API comment
2025-10-02 11:11:01 -07:00
David Garske
6430a123fd Merge pull request #9264 from gojimmypi/pr-espressif-workflow
Update Espressif workflow to pin latest to ESP-IDF v5.5
2025-10-02 11:05:15 -07:00
gojimmypi
b4b9bee950 Update workflow to pin latest to ESP-IDF v5.5 2025-10-02 10:25:25 -07:00
David Garske
36ce93d409 Merge pull request #9225 from gojimmypi/pr-espidf-v6-sha-fix
Add fix for SHA HW on ESP-IDF v6
2025-10-02 09:50:46 -07:00
Juliusz Sosinowicz
31db2b9e08 ascon.h: Correct the placement of the AsconAEAD API comment 2025-10-02 10:22:16 +02:00
effbiae
c3c7b11cfc refactor X509PrintSubjAltName 2025-10-02 15:36:36 +10:00
Kareem
abaf57d049 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20595 2025-10-01 15:53:57 -07:00
Kareem
d53beb0f9d Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19563_4 2025-10-01 15:53:35 -07:00
Kaleb Himes
018af47f49 Merge pull request #9260 from douzzer/20251001-wc_DhGeneratePublic-ungate
20251001-wc_DhGeneratePublic-ungate
2025-10-01 14:38:39 -06:00
Kareem
992dfecc11 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19563_4 2025-10-01 11:15:46 -07:00
Daniel Pouzzner
2ca9f66579 wolfcrypt/test/test.c: add FIPS gate around wc_DhGeneratePublic() test in dh_ffdhe_test(). 2025-10-01 10:23:49 -05:00
Daniel Pouzzner
477d7fae54 remove WOLFSSL_DH_GEN_PUB, WOLFSSL_NO_DH_GEN_PUB, and WOLFSSL_DH_EXTRA gating re wc_DhGeneratePublic(), consistent with recent FIPS changes. 2025-10-01 09:38:27 -05:00
Daniel Pouzzner
56524a3169 Merge pull request #9226 from philljj/tiny_curl_config
curl: document tiny-curl config a bit more.
2025-09-30 20:45:15 -05:00
Daniel Pouzzner
b3a5c96c56 Merge pull request #9205 from gasbytes/issue-9188
Prevent replaying ClientHello messages when Finished message are epoch 0
2025-09-30 20:44:09 -05:00
Daniel Pouzzner
88075664dc Merge pull request #9252 from bigbrett/kdf-cryptocb
HKDF cryptocb
2025-09-30 20:37:11 -05:00
Daniel Pouzzner
d5750ac7ca Merge pull request #9250 from gasbytes/issue-9247
Added check in TLX_Parse to check if KeyShare extension is present SupportedGroups must be present too (and viceversa)
2025-09-30 20:36:50 -05:00
Daniel Pouzzner
c893191577 Merge pull request #9253 from julek-wolfssl/gh/9245
DTLS SRTP should also do a cookie exchange since it uses UDP
2025-09-30 20:36:27 -05:00
Daniel Pouzzner
55a19da4c6 Merge pull request #9178 from SparkiDev/ed448_no_large_code
Ed448: No large code option with fast code
2025-09-30 20:36:10 -05:00
Daniel Pouzzner
234ba7780a Merge pull request #9148 from SparkiDev/ct_volatile
Mark variables as volatile
2025-09-30 20:35:52 -05:00
Daniel Pouzzner
b4ee8869c8 Merge pull request #9246 from julek-wolfssl/gh/9240
Abort connection if we are about to send the same CH
2025-09-30 20:35:32 -05:00
Daniel Pouzzner
1932c5a96d Merge pull request #9196 from kareem-wolfssl/zd20038_3
Fix building and running tests and examples with coding/PEM support disabled.
2025-09-30 20:34:46 -05:00
Daniel Pouzzner
2172a4dea9 Merge pull request #9248 from holtrop/rust-wc-aes
Rust wrapper: Add aes module
2025-09-30 20:34:25 -05:00
Daniel Pouzzner
4a176d175a Merge pull request #9137 from kareem-wolfssl/gh8354
Fix documentation typo for wc_ed25519_export_public.
2025-09-30 20:34:06 -05:00
Daniel Pouzzner
c7cd3b6c6d Merge pull request #8543 from JacobBarthelmeh/fsl_caam
handle unsupported fsl algo
2025-09-30 20:33:34 -05:00
Daniel Pouzzner
42d2b81231 Merge pull request #9209 from mattia-moffa/20250910-certauth-clienthello
Add support for certificate_authorities extension in ClientHello
2025-09-30 20:33:16 -05:00
Daniel Pouzzner
f869daafa2 Merge pull request #9037 from night1rider/issue-9009-cmake-options
Updating configure/Cmake to track Apple options for resulting wolfssl.pc file that is generated
2025-09-30 20:32:52 -05:00
Kareem
0efc8118d3 Fix potential memory leak in wolfSSL_X509_verify_cert. 2025-09-30 17:39:33 -07:00
Kareem
a3a08e81a9 Fix running tests in FIPS mode with hash DRBG disabled. 2025-09-30 16:15:21 -07:00
Daniel Pouzzner
b56cafdd25 Merge pull request #8692 from kareem-wolfssl/zd19563_verify
Update wolfSSL_X509_verify_cert to retry all certs until a valid chain is found.
2025-09-30 16:22:41 -05:00
David Garske
50f25c5849 Merge pull request #9254 from douzzer/20250929-WOLFSSL_KERNEL_MODE
20250929-WOLFSSL_KERNEL_MODE
2025-09-30 09:04:13 -07:00
Sean Parkinson
4719fd5e80 Ed448: No large code option with fast code
Make from bytes, to bytes and mod top half use for loops when no large
code.
Make generation script generate casting changes.
2025-09-30 09:38:06 +10:00
Daniel Pouzzner
7ea66aeffe refactor WOLFSSL_LINUXKM gates as generic WOLFSSL_KERNEL_MODE gates where appropriate:
rename WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS to WOLFSSL_USE_SAVE_VECTOR_REGISTERS, and wherever appropriate, replace defined(WOLFSSL_LINUXKM) with defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS).

rename WC_WANT_FLAG_DONT_USE_AESNI to WC_WANT_FLAG_DONT_USE_VECTOR_OPS.

rename lkm_printf() to wc_km_printf().

replace WOLFSSL_LINUXKM gates on kernel-incompatible includes with header-specific gates NO_STRING_H, NO_STDINT_H, NO_LIMITS_H, NO_CTYPE_H, NO_STDLIB_H

remove low level threading setup section of wolfssl/internal.h, which duplicated existing logic in wc_port.h, except for off-topic WOLFSSL_APACHE_MYNEWT TLS-layer setup, which is preserved, and a defined(__NT__) clause, which is now merged into the existing section in wc_port.h.
2025-09-29 16:59:12 -05:00
David Garske
6698cb7616 Fix for crypto callback only 2025-09-29 12:37:57 -07:00
Brett Nicholas
5121847728 add HAVE_SELFTEST protection 2025-09-29 12:00:41 -06:00
Daniel Pouzzner
1247d2b5ed Merge pull request #9249 from lealem47/wg_enable_encoding
Enable base16 & 64 encoding when wolfGuard is enabled
2025-09-29 12:49:36 -05:00
Brett Nicholas
7b67dbaa31 add FIPS protection to test.c usage of wc_HKDF_ex() 2025-09-29 11:36:18 -06:00
philljj
436a06e864 Merge pull request #9251 from douzzer/20250928-linuxkm-krealloc_node_align_noprof
20250928-linuxkm-krealloc_node_align_noprof
2025-09-29 12:16:10 -05:00
Brett Nicholas
26ed835ca1 fix HKDF test macro protection 2025-09-29 10:52:22 -06:00
Juliusz Sosinowicz
d8fd19feb8 DTLS SRTP should also do a cookie exchange since it uses UDP 2025-09-29 18:27:36 +02:00
Brett Nicholas
3c81fffedd Add HKDF cryptoCb and test 2025-09-29 10:16:01 -06:00
Reda Chouk
be02b1ea72 Added check in TLX_Parse to check if KeyShare extension is present
SupportedGroups must be present too (and viceversa).
From RFC 8446 Section 9.2.
2025-09-29 13:10:32 +02:00
Daniel Pouzzner
97c094f802 linuxkm/: accommodate API change from k[v]realloc_noprof() to k[v]realloc_node_align_noprof() expected in 6.18+ (current linux-next). 2025-09-28 11:46:17 -05:00
David Garske
eda6c184bb Merge pull request #9219 from kareem-wolfssl/zd20538
Fix building with --enable-keygen --enable-rsavfy.
2025-09-26 14:08:33 -07:00
Lealem Amedie
224dbb75d0 Enable base16 & 64 encoding when wolfGuard is enabled 2025-09-26 14:49:51 -06:00
Kareem
ef989a4241 Merge remote-tracking branch 'upstream/master' into zd19563_verify 2025-09-26 11:13:28 -07:00
Kareem
d2537a883f Always add failed certs back to cert store. 2025-09-26 11:13:19 -07:00
Kareem
b302e8edd0 Move CERT_FILETYPE definition, use it in echoserver. 2025-09-26 10:58:51 -07:00
Kareem
28aef2f4dd Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20038_3 2025-09-26 10:56:42 -07:00
Josh Holtrop
f336e8fc5a Rust wrapper: Add aes module 2025-09-26 13:18:51 -04:00
Juliusz Sosinowicz
f798a585d9 Abort connection if we are about to send the same CH 2025-09-26 12:08:53 +02:00
Sean Parkinson
b982f86d2f Merge pull request #8818 from JacobBarthelmeh/tx
fix for threadx warning and add compile test
2025-09-26 08:33:38 +10:00
Kareem
af9a06e9bf Merge remote-tracking branch 'upstream/master' into zd19563_verify 2025-09-25 10:39:11 -07:00
Kareem
3a4472f5da Merge remote-tracking branch 'upstream/master' into zd20527 2025-09-25 10:37:22 -07:00
Kareem
a3b29ed99f Merge remote-tracking branch 'upstream/master' into zd20038_3 2025-09-25 10:32:13 -07:00
Kareem
193e5205ed Fix documentation typo for wc_ed25519_export_public. 2025-09-25 10:31:18 -07:00
Kaleb Himes
cac309d0d8 Merge pull request #9244 from douzzer/20250924-configure-fips-and-linuxkm-and-rdseed-options
20250924-configure-fips-and-linuxkm-and-rdseed-options
2025-09-25 11:03:22 -06:00
JacobBarthelmeh
54a52f0482 remove sed command for -Werror and refactor threadx.yml workflow 2025-09-25 09:27:16 -06:00
JacobBarthelmeh
677eeb31e4 add netxduo compile test 2025-09-25 09:27:16 -06:00
JacobBarthelmeh
50835c14a2 fix warning of const char* passed as char* 2025-09-25 09:27:16 -06:00
JacobBarthelmeh
40b9fc35f9 handle unsupported fsl algo 2025-09-25 09:14:59 -06:00
JacobBarthelmeh
65d4e01ad6 Merge pull request #9212 from holtrop/rust-wc-random
Rust wrapper: add wolfssl::wolfcrypt::random module
2025-09-25 09:10:07 -06:00
Daniel Pouzzner
8516411ff2 configure.ac: add --enable-wolfguard, --enable-intelrdseed, --enable-fips=v5.2.3, and --enable-fips=v5.2.4;
remove obsolete/wrong linuxkm incompatible-feature tests and errors for enable_compkey/ENABLED_COMPKEY/HAVE_COMP_KEY;

tweak ENABLED_ENTROPY_MEMUSE_DEFAULT logic to check for RDRAND/RDSEED.
2025-09-24 22:39:12 -05:00
Sean Parkinson
561fead861 Merge pull request #9235 from anhu/rpi_WC_RESEED_INTERVAL
Fixing up a small documentation omission.
2025-09-25 10:48:37 +10:00
Daniel Pouzzner
b5a914b6c2 Merge pull request #9239 from SKlimaRA/SKlimaRA/zd20556
fixes zd20556.
2025-09-24 13:53:18 -05:00
Stanislav Klima
1cfafc2a52 fixes from zd20556 2025-09-24 12:03:39 +02:00
Sean Parkinson
e168714123 Merge pull request #9236 from douzzer/20250923-wc_XChaCha20Poly1305_crypt_oneshot-empty-message
20250923-wc_XChaCha20Poly1305_crypt_oneshot-empty-message
2025-09-24 11:59:12 +10:00
Sean Parkinson
ae760923e3 Merge pull request #9208 from effbiae/set-cert-type
refactor to WOLFSSL_SET_CERT_TYPE
2025-09-24 10:00:03 +10:00
Sean Parkinson
9cf91e157c Merge pull request #9218 from gojimmypi/pr-server-sm2-cert
Generate server-sm2-cert.der
2025-09-24 09:47:56 +10:00
Sean Parkinson
aa87b35964 Mark variables as volatile
Ensures compiler optimizers don't stop code from being constant time.
2025-09-24 08:47:20 +10:00
Sean Parkinson
51a7531b6a Merge pull request #9232 from LinuxJedi/fix-deb-builds
Cleanup debian build
2025-09-24 08:24:51 +10:00
Mattia Moffa
26c9908504 Use string literals in tests, fix add CA functions 2025-09-24 00:11:55 +02:00
Daniel Pouzzner
4af6eb4f2b wolfcrypt/src/chacha20_poly1305.c: in wc_XChaCha20Poly1305_crypt_oneshot(), allow empty message. 2025-09-23 17:06:22 -05:00
Anthony Hu
93955a2ba7 Fixing up a small documentation omission. 2025-09-23 15:24:50 -04:00
Kareem
0fcfade6a0 Add missing aes NULL check to SI Labs wc_AesSetKey. 2025-09-23 10:16:47 -07:00
Kaleb Himes
7084728482 Merge pull request #9230 from douzzer/20250922-linuxkm-ignore-WOLFSSL_DH_GEN_PUB
20250922-linuxkm-ignore-WOLFSSL_DH_GEN_PUB
2025-09-23 10:07:03 -06:00
gojimmypi
a4d0a777bc Generate server-sm2-cert.der 2025-09-23 08:32:21 -07:00
effbiae
a8fb94b425 restore inner server name in TLSX_WriteWithEch 2025-09-23 23:30:25 +10:00
Mattia Moffa
4535572428 Use memio in tests, fix ifdef, fix typos 2025-09-23 11:50:21 +02:00
effbiae
b20f3dac57 refactor to set_cert_type 2025-09-23 19:27:22 +10:00
Andrew Hutchings
b8df4d84e9 Cleanup debian build
* CFLAGS get pulled in anyway with configure options, or part of the
  env, we don't need to add them
* Path handling went wrong in one specific platform test run
2025-09-23 06:39:04 +01:00
Sean Parkinson
e763dcc33b Merge pull request #9228 from LinuxJedi/stm32-rtc
Fix STM32 benchmark endless loop after 1 hour
2025-09-23 12:05:52 +10:00
Sean Parkinson
e497d28ae1 Merge pull request #9223 from kareem-wolfssl/zd20543_4
Fix non constant compare of TLS 1.3 binder, check for negative dst_len in wc_XChaCha20Poly1305_crypt_oneshot.
2025-09-23 09:09:33 +10:00
Kareem
1c7fe06322 Also gate out wc_Sha512Final for SILabs. 2025-09-22 15:45:37 -07:00
Daniel Pouzzner
006fe05305 linuxkm/lkcapi_dh_glue.c: don't test for WOLFSSL_DH_GEN_PUB -- assume that wc_DhGeneratePublic() will be available when defined(WOLFSSL_DH_EXTRA), and fail at compile time if not. 2025-09-22 14:06:07 -05:00
night1rider
4dfa75fbfa Updating support/wolfssl.pc.in, CMakelist.txt, and configure.ac to track missing apple options in the resulting wolfssl.pc file by adding new PC_LIBS_PRIVATE to track options 2025-09-22 12:00:33 -06:00
Reda Chouk
e3fbb24713 Fix malformed DTLS comment syntax 2025-09-22 12:59:30 +02:00
Andrew Hutchings
504c51f354 Fix STM32 benchmark endless loop after 1 hour
If the STM32 has an RTC, this is used to time the execution of each
benchmark item. It was only multiplying hours by 24 to get seconds, so
after one hour the amount of seconds went to less than 3600. Therefore
the benchmark thought negative time elapsed and would never end.
2025-09-21 08:19:16 +01:00
JacobBarthelmeh
4ca5c315fc Merge pull request #9222 from douzzer/20250919-GetEcDiffieHellmanKea-clang-analyzer-deadcode.DeadStores
20250919-GetEcDiffieHellmanKea-clang-analyzer-deadcode.DeadStores
2025-09-19 22:01:31 -06:00
jordan
fa4312edef curl: document tiny-curl config a bit more. 2025-09-19 15:56:51 -05:00
gojimmypi
d50593834b Add fix for SHA HW on ESP-IDF v6 2025-09-19 12:04:46 -07:00
Kareem
f4d9c90827 Fix swapped WOLFSSL_SILABS_SHA384/SHA512 defines in sha512.c. 2025-09-19 11:45:22 -07:00
Kareem
7afcf20077 Fix non constant compare of TLS 1.3 binder, check for negative dst_len in wc_XChaCha20Poly1305_crypt_oneshot. 2025-09-19 11:39:46 -07:00
Daniel Pouzzner
4174f554be src/internal.c: fix clang-analyzer-deadcode.DeadStores in GetEcDiffieHellmanKea(). 2025-09-19 11:22:19 -05:00
Mattia Moffa
5efc4a7cd0 Fix tests 2025-09-19 16:45:15 +02:00
Josh Holtrop
821758a73c Rust wrapper: set rpath for unit test binaries 2025-09-19 07:48:36 -04:00
Josh Holtrop
ed46357fe1 Rust wrapper: Run unit tests in github workflow 2025-09-19 07:34:37 -04:00
Kareem
23f595586d Fix building with --enable-keygen --enable-rsavfy. 2025-09-18 16:21:08 -07:00
Sean Parkinson
b90720c6be Merge pull request #9176 from effbiae/do-server-key-exchange
refactor parts of DoServerKeyExchange()
2025-09-19 08:36:07 +10:00
JacobBarthelmeh
5d9c608ed6 Merge pull request #9195 from rlm2002/zd20508
address undefined shift behavior and overflow
2025-09-18 15:34:32 -06:00
JacobBarthelmeh
f143dbb858 Merge pull request #9217 from douzzer/20250918-25519-low-mem-gates
20250918-25519-low-mem-gates
2025-09-18 14:34:13 -06:00
JacobBarthelmeh
1f33b9910c Merge pull request #9215 from LinuxJedi/fix-ACVP_VECTOR_TESTING
Fix a test when using `ACVP_VECTOR_TESTING`
2025-09-18 11:47:02 -06:00
JacobBarthelmeh
beaf16b9e8 Merge pull request #9216 from philljj/log_mem_err_msg
ssl internal: log preMasterSecret Memory error msg.
2025-09-18 11:45:03 -06:00
Daniel Pouzzner
d15523a6df fix gating in wolfssl/wolfcrypt/fe_operations.h -- gate out load_3() and load_4() when !(CURVE25519_SMALL || ED25519_SMALL);
harmonize low-mem outer gate in wolfcrypt/src/fe_operations.c with outer gate in wolfcrypt/src/fe_low_mem.c.
2025-09-18 12:27:37 -05:00
jordan
0231f33b2e ssl internal: log preMasterSecret Memory error msg. 2025-09-18 09:26:10 -05:00
Reda Chouk
8f47b4bb08 Prevent DTLS clients from replaying ClientHello
messages when receiving bogus Finished messages in epoch 0 by
ensuring Finished messages are only ignored in encrypted epochs (1).
2025-09-18 14:41:12 +02:00
Andrew Hutchings
b7679dbe96 Fix a test when using ACVP_VECTOR_TESTING
The `ACVP_VECTOR_TESTING` blocks the clearing of the output when an auth
tag check fails. This causes a test for that scenario to fail, so don't
do that test whcn `ACVP_VECTOR_TESTING` is defined.
2025-09-18 11:37:06 +01:00
Josh Holtrop
2819e5c4cc Rust wrapper: add wolfssl::wolfcrypt::random module 2025-09-17 17:11:47 -04:00
philljj
7a0c40ee16 Merge pull request #9210 from douzzer/20250916-linuxkm-fixes
20250916-linuxkm-fixes
2025-09-17 15:50:03 -05:00
JacobBarthelmeh
05bcd82adc Merge pull request #9191 from holtrop/rust-wrapper
Create initial Rust wrapper structure
2025-09-17 14:20:34 -06:00
Daniel Pouzzner
66ee2c2ef3 linuxkm/Makefile and linuxkm/Kbuild:
* refactor .PHONY Kbuild target rename-pie-text-and-data-sections into macro RENAME_PIE_TEXT_AND_DATA_SECTIONS, and execute it conditional on module_exports.c regeneration;

* use .ONESHELL in the wrapper Makefile too, and rework the changes in bf5536d6b8 such that the recursive make is always executed, but will leave the target untouched if it was already up-to-date relative to its dependencies.

these tweaks fix the module build to restore automatic rebuild when dependencies are updated.
2025-09-17 13:10:16 -05:00
Daniel Pouzzner
7ddf263199 linuxkm/Kbuild: add support for FORCE_GLOBAL_OBJTOOL_OFF. 2025-09-17 13:10:16 -05:00
JacobBarthelmeh
72ae012ace Merge pull request #9202 from gojimmypi/pr-apple-workflow-update
Remove missing workflow strategy, run only for wolfssl owner
2025-09-17 11:44:34 -06:00
JacobBarthelmeh
b8b35e25e6 Merge pull request #9204 from gojimmypi/pr-test-order
Change test order: random_test after SHA tests
2025-09-17 10:43:30 -06:00
JacobBarthelmeh
377d238457 Merge pull request #9207 from embhorn/zd20520
Check for NO_THREAD_LS before assigning THREAD_LS_T
2025-09-17 10:38:48 -06:00
JacobBarthelmeh
5b864657b7 Merge pull request #9175 from SparkiDev/sm2_cert_vfy_fix
SM2 TLS1.3: Fix certificate verify
2025-09-17 10:16:44 -06:00
Josh Holtrop
d2c16bacb6 Rust wrapper: add include.am to include files in distribution 2025-09-17 10:44:40 -04:00
Mattia Moffa
3bdb43eb6a Add support for certificate_authorities extension in ClientHello 2025-09-17 15:33:05 +02:00
philljj
5cb2103feb Merge pull request #9206 from douzzer/20250916-linuxkm-module-update-fips-hash
20250916-linuxkm-module-update-fips-hash
2025-09-16 19:06:06 -05:00
JacobBarthelmeh
65108beee8 Merge pull request #9201 from julek-wolfssl/debian-rules
Ignore `debian/rules`
2025-09-16 17:50:57 -06:00
JacobBarthelmeh
b591b52ab2 Merge pull request #9182 from douzzer/20250910-wc_ecc_export_x963-no-PRIVATE_KEY_UNLOCK
20250910-wc_ecc_export_x963-no-PRIVATE_KEY_UNLOCK
2025-09-16 17:15:24 -06:00
Eric Blankenhorn
600058529c Check for NO_THREAD_LS before assigning THREAD_LS_T 2025-09-16 16:17:49 -05:00
Daniel Pouzzner
bf5536d6b8 linuxkm/Makefile:
* add module-update-fips-hash rule, for in-place FIPS hash update without rebuild;
* improve PIE sequence in module build rule to double-check stability of the relocation table after final rebuild;

Makefile.am: add a module-update-fips-hash passthrough target.
2025-09-16 14:38:51 -05:00
gojimmypi
152075848c Change test order: random_test after SHA tests 2025-09-16 10:48:14 -07:00
Ruby Martin
a8fca08b7e add edge case unit test where cost=22, block=8 2025-09-16 11:04:43 -06:00
Ruby Martin
86abe793d7 address undefined shift behavior and overflow 2025-09-16 11:03:21 -06:00
gojimmypi
01178b325e Remove missing strategy, run only for wolfssl owner 2025-09-16 08:50:14 -07:00
Juliusz Sosinowicz
c2a3a37c1e Ignore debian/rules 2025-09-16 16:08:01 +02:00
effbiae
7da0b54d32 refactor DoServerKeyExchange() 2025-09-16 12:02:38 +10:00
JacobBarthelmeh
d4f8c9c754 Merge pull request #9189 from julek-wolfssl/hostap-vm.yml-cache-check
Fix: Avoids hostap checkout on cache hit
2025-09-15 13:21:54 -06:00
Chris Conlon
aa8151dc4b Merge pull request #9186 from miyazakh/fsp_ra6m3_up2
Renesas RA6M3 : Minor README update
2025-09-15 10:10:50 -06:00
Kareem
989a9da65a Move CERT_FILETYPE definition. 2025-09-12 16:33:29 -07:00
Kareem
ec92f76dec Fix tests when building with PEM support disabled by using DER certs/keys. 2025-09-12 16:11:07 -07:00
Kareem
a216ea170c Add test case for --enable-coding=no. 2025-09-12 16:11:07 -07:00
Kareem
5226b1b410 Fix building with --coding=no/WOLFSSL_PEM_TO_DER undefined. 2025-09-12 16:11:07 -07:00
Josh Holtrop
167e76add4 Create initial Rust wrapper structure
Generate bindings to C library with bindgen
Add github CI workflow to build Rust wrapper
2025-09-12 15:49:56 -04:00
Juliusz Sosinowicz
98ac98db9a Fix: Avoids hostap checkout on cache hit
This change prevents the hostap repository from being cloned
unnecessarily when the cache is hit, improving workflow efficiency.
2025-09-12 17:10:13 +02:00
Luis Colmenero
b146c4e417 Add SM3 in wolfSSL_HmacCopy 2025-09-12 16:44:40 +02:00
Hideki Miyazaki
13809256ef minor update README 2025-09-12 17:54:49 +09:00
Sean Parkinson
dc421a0d4c Merge pull request #9164 from dgarske/keytoder
Add support for enabling RSA private key to DER without keygen
2025-09-12 10:36:34 +10:00
Sean Parkinson
a17b10ef10 Merge pull request #9171 from effbiae/ss-callback
refactor SessionSecret_callback*
2025-09-12 08:02:51 +10:00
JacobBarthelmeh
f5a735a184 Merge pull request #9180 from dgarske/stsafe-pad
Fix for ST-Safe issue with ECC signature R/S needing leading zero pad
2025-09-11 14:47:49 -06:00
philljj
a7cb64fcc0 Merge pull request #9184 from douzzer/20250910-linuxkm-even-more-OBJECT_FILES_NON_STANDARD
20250910-linuxkm-even-more-OBJECT_FILES_NON_STANDARD
2025-09-11 15:18:52 -05:00
Daniel Pouzzner
20d7650edf linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, always set "$(WOLFCRYPT_PIE_FILES): OBJECT_FILES_NON_STANDARD := y", as before. completes reversion of 04834680d5. 2025-09-11 13:53:59 -05:00
David Garske
f0b35d18a0 Merge pull request #9174 from philljj/tiny_curl
curl: support --enable-curl=tiny option.
2025-09-11 10:39:56 -07:00
David Garske
3e63bc68d4 Add support for enabling RSA private key to DER without keygen. ( new macro WOLFSSL_KEY_TO_DER) 2025-09-11 10:29:31 -07:00
David Garske
c397a27897 Appease IAR compiler possible use of uninitialized variables 2025-09-11 10:27:01 -07:00
David Garske
88586a5a47 Fix for ST-Safe issue with ECC signature R/S parsing needing leading zero pad (ZD 20504) 2025-09-11 10:27:01 -07:00
philljj
472605fb54 Merge pull request #9183 from douzzer/20250911-linuxkm-dont-undefine-CONFIG_OBJTOOL
20250911-linuxkm-dont-undefine-CONFIG_OBJTOOL
2025-09-11 12:24:05 -05:00
Daniel Pouzzner
de50268dfd linuxkm/Kbuild: don't undefine CONFIG_OBJTOOL (breaks FIPS hash stability on some target kernels/configs);
add config-based gate on "$(WOLFCRYPT_PIE_FILES): OBJECT_FILES_NON_STANDARD := y".
2025-09-11 10:24:53 -05:00
philljj
edf3c3158c Merge pull request #9181 from douzzer/20250910-linuxkm-more-OBJECT_FILES_NON_STANDARD
20250910-linuxkm-more-OBJECT_FILES_NON_STANDARD
2025-09-10 22:03:10 -05:00
effbiae
2332347ca1 refactor SessionSecret_callback* 2025-09-11 11:54:40 +10:00
Daniel Pouzzner
2028d1f0f4 doc/dox_comments/header_files/ecc.h: add docs for wc_ecc_make_pub() and wc_ecc_make_pub_ex(), and update docs for wc_ecc_export_x963() and wc_ecc_export_x963_ex() to reflect that they export the public key, and add see-alsos to wc_ecc_make_pub. 2025-09-10 17:02:57 -05:00
Daniel Pouzzner
04834680d5 linuxkm/Kbuild: when ENABLED_LINUXKM_PIE, use "undefine CONFIG_OBJTOOL" to inhibit false-positive "unannotated intra-function call" due to inline retpolines;
linuxkm/Makefile, linuxkm/include.am, linuxkm/module_hooks.c: remove linuxkm/pie_first.c, linuxkm/pie_last.c, and references to them (replaced by fenceposts in linuxkm/wolfcrypt.lds).
2025-09-10 15:08:41 -05:00
David Garske
484f35244e Merge pull request #9179 from wolfSSL/revert-9145-zd20038_2
Revert "Fix building with --coding=no/WOLFSSL_PEM_TO_DER undefined."
2025-09-10 12:33:31 -07:00
Juliusz Sosinowicz
74c7115cc1 Revert "Fix building with --coding=no/WOLFSSL_PEM_TO_DER undefined." 2025-09-10 18:07:57 +02:00
Daniel Pouzzner
e3423d0922 Merge pull request #9163 from kaleb-himes/Batch2-WinCE
Add the updated WinCE settings for FIPS 140-3 submission
2025-09-10 09:57:59 -05:00
Daniel Pouzzner
92d504f726 Merge pull request #9161 from LinuxJedi/enhance-debian
Make Debian packaging more Debian-like
2025-09-10 09:49:43 -05:00
David Garske
ce5878fb8d Merge pull request #9162 from embhorn/zd18673
Fixes for INTIME RTOS
2025-09-10 07:44:19 -07:00
David Garske
71068a42a9 Merge pull request #9172 from douzzer/20250908-WOLFSSL_TEXT_SEGMENT_CANONICALIZER
20250908-WOLFSSL_TEXT_SEGMENT_CANONICALIZER
2025-09-10 07:44:02 -07:00
David Garske
2a1df11327 Merge pull request #9145 from kareem-wolfssl/zd20038_2
Fix building with --coding=no/WOLFSSL_PEM_TO_DER undefined.
2025-09-09 16:24:21 -07:00
Sean Parkinson
1dc40c5129 Merge pull request #9165 from effbiae/key-present
align two portions of src/internal.c prior to refactor
2025-09-10 07:44:41 +10:00
Eric Blankenhorn
2179dccb1d Fix VS proj 2025-09-09 15:36:55 -05:00
David Garske
f1ef484076 Merge pull request #9150 from miyazakh/update_fsp_v610
Update Renesas FSP version on RA6M4
2025-09-09 12:26:03 -07:00
David Garske
b3aa39ddad Merge pull request #9138 from JacobBarthelmeh/sgx
update for SGX CPU ID to follow atomics refactor
2025-09-09 12:18:51 -07:00
David Garske
5957afb8b5 Merge pull request #9158 from miyazakh/update_fsp_v610_ra6m3
Update Renesas FSP version on RA6M3 example
2025-09-09 12:18:17 -07:00
David Garske
3e3b673ea7 Merge pull request #9123 from gojimmypi/pr-espressif-certs-test
Exclude wolfssl certs_test.h from Espressif user_settings.h
2025-09-09 12:17:00 -07:00
Eric Blankenhorn
a3a21fac3c Fix Makefile 2025-09-09 11:56:10 -05:00
Eric Blankenhorn
b6bb43e9bc Fix Makefile 2025-09-09 11:39:40 -05:00
Sean Parkinson
b4f1abe0f4 SM2 TLS1.3: Fix certificate verify
Code to verify with SM2/SM3 was not able to be reached.
The check of hsType (which was ECC for both ECC and SM2/SM3) was
replaced with a check of peerSigAlgo for ecc_dsa_sa_algo which is
different for ECDSA and SM2/SM3.
2025-09-09 21:30:37 +10:00
Sean Parkinson
342c37d8a3 Merge pull request #9159 from kareem-wolfssl/zd20378
Allow the keyCertSign bit to be asserted specifically for self-signed CAs.
2025-09-09 21:01:21 +10:00
jordan
c60553da66 curl: support --enable-curl=tiny option. 2025-09-08 17:03:35 -05:00
Daniel Pouzzner
ae4b33c997 linuxkm/linuxkm_wc_port.h: when HAVE_LINUXKM_PIE_SUPPORT, map
WOLFSSL_TEXT_SEGMENT_CANONICALIZER() to wc_linuxkm_normalize_relocations(), and
  define WOLFSSL_TEXT_SEGMENT_CANONICALIZER_BUFSIZ to 8192.

linuxkm/module_hooks.c: in wc_linuxkm_normalize_relocations(), add checks for
  out-of-order offsets.
2025-09-08 16:43:34 -05:00
Eric Blankenhorn
5fd5ff89c3 Changes from customer 2025-09-08 13:20:13 -05:00
Kareem
f772aad95a Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20378 2025-09-08 10:16:14 -07:00
philljj
bdc1f890c8 Merge pull request #9168 from douzzer/20250905-linuxkm-pie-cst32
20250905-linuxkm-pie-cst32
2025-09-06 11:25:33 -05:00
Hideki Miyazaki
815f2ce9db Update Renesas FSP version on RA6M3 example 2025-09-06 19:12:24 +09:00
Andrew Hutchings
0a4ce40eb8 Make Debian packaging more Debian-like
When you do `./configure`, the options are stored in the rules file.
This then means you can use the normal Debian packaging methods.

`make deb` also now uses `dpkg-buildpackage`.
2025-09-06 06:22:54 +01:00
effbiae
8e9a04c55f align two portions of src/internal.c prior to refactor 2025-09-06 13:55:44 +10:00
gojimmypi
c22354e2f5 Exclude wolfssl certs_test.h from Espressif user_settings.h 2025-09-05 17:08:04 -07:00
Daniel Pouzzner
8a7331776a linuxkm/Kbuild: for PIE containerization, add .rodata.cst32 to the move list. 2025-09-05 17:55:24 -05:00
kaleb-himes
7c2fc506b5 Fix trailing whitespace in new user_settings.h 2025-09-05 15:36:21 -06:00
kaleb-himes
3f7ba638dd Add the updated WinCE settings for FIPS 140-3 submission
Add the missing README.md
2025-09-05 15:36:21 -06:00
Eric Blankenhorn
c1b4af2dd7 Fix parenthesis issue 2025-09-05 16:35:41 -05:00
Eric Blankenhorn
b4a82877b8 Remove *.filters file 2025-09-05 16:23:26 -05:00
Eric Blankenhorn
53ee6d3a0b Fixes for INTIME RTOS 2025-09-05 16:23:26 -05:00
David Garske
48385884c0 Merge pull request #9167 from gojimmypi/pr-fix-watcom-setld80bit
Pin Watcom compiler in workflow to 2025-09-01-Build
2025-09-05 13:33:31 -07:00
gojimmypi
5c2f90968f Pin Watcom compiler in workflow to 2025-09-01-Build 2025-09-05 12:57:58 -07:00
Kareem
8e7bcfc5c2 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20378 2025-09-04 10:16:53 -07:00
Kareem
562ee21d36 Add ALLOW_SELFSIGNED_INVALID_CERTSIGN to known macros. 2025-09-04 10:16:41 -07:00
David Garske
4d1fa1b012 Merge pull request #9160 from douzzer/20250903-PR8329-rework
20250903-PR8329-rework
2025-09-04 09:43:53 -07:00
Daniel Pouzzner
ee2e63444d wolfcrypt/src/sha512.c: don't remap ByteReverseWords64(), remove ByteReverseWords64_1() inline asm macro, and refactor Sha512FinalRaw() and wc_Sha384FinalRaw() to write directly to the output buffer when possible. 2025-09-03 22:16:15 -05:00
Sean Parkinson
5108dcd0d6 Merge pull request #9157 from rlm2002/coverity
move pathLengthSet assignment
2025-09-04 08:35:16 +10:00
lealem47
e29b65d22b Merge pull request #9140 from dgarske/sniffer_partialoverlap
Improve sniffer detection of partial overlap
2025-09-03 14:12:44 -06:00
Kareem
37fc63ca39 Allow the keyCertSign bit to be asserted specifically for self-signed CAs. 2025-09-03 11:43:15 -07:00
David Garske
095fd88cbe Merge pull request #9091 from gojimmypi/pr-arduino-testing
Improve Arduino Examples
2025-09-03 11:09:13 -07:00
Kareem
183aa7a214 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd20038_2 2025-09-02 16:17:18 -07:00
gojimmypi
0065d9a0dd Improve Arduino Examples, add workflow testing 2025-09-02 11:45:28 -07:00
philljj
f33814b377 Merge pull request #9151 from douzzer/20250830-linuxkm-fix-get_drbg
20250830-linuxkm-fix-get_drbg
2025-09-02 11:39:25 -05:00
Ruby Martin
4d5e1d0dfe move pathLegthSet assignment 2025-09-02 10:09:11 -06:00
David Garske
6dd626de0c Improve detection of partial overlap (ZD 20369) 2025-09-02 07:51:30 -07:00
Daniel Pouzzner
aa96c352d4 add !WC_SKIP_INCLUDED_C_FILES gates in indirectly compiled files in linuxkm/, to avoid false positive unknownMacro reports from cppcheck-force-source. 2025-08-30 14:15:55 -05:00
Daniel Pouzzner
f8e4feb633 wolfssl/wolfcrypt/error-crypt.h: in WC_ERR_TRACE() definition, use WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS, not WOLFSSL_DEBUG_PRINTF(, for compatibility with WOLF_NO_VARIADIC_MACROS. 2025-08-30 12:54:22 -05:00
Daniel Pouzzner
7df8ee4081 linuxkm/linuxkm_wc_port.h: add default setup for LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT, to make visibility in random.c;
linuxkm/lkcapi_sha_glue.c: revert f7c7ac275a (get_drbg() DISABLE_VECTOR_REGISTERS() for crypto_default_rng) -- compiler/inlining bug makes it break on at least one target, so caller needs to retain responsibility;

linuxkm/x86_vector_register_glue.c: in wc_save_vector_registers_x86(), always return WC_ACCEL_INHIBIT_E if already fpu_state & WC_FPU_INHIBITED_FLAG, for safe+correct dynamics on recursive calls.
2025-08-30 12:08:57 -05:00
Hideki Miyazaki
e2fe74502f Add wolfSSL/Debug folder as include
- remove BSP_WarmStart() due to duplicate
2025-08-30 09:28:09 +09:00
Hideki Miyazaki
295a11d0f7 update Readme 2025-08-30 09:24:46 +09:00
David Garske
7ef94284cc Merge pull request #9149 from douzzer/20250829-_mlkem_decompress_5_avx2-movzwq
20250829-_mlkem_decompress_5_avx2-movzwq
2025-08-29 16:23:16 -07:00
Daniel Pouzzner
8ed1ce6a8b wolfcrypt/src/wc_mlkem_asm.S: in _mlkem_decompress_5_avx2, use movzwq, not movzxw, for portability. 2025-08-29 14:42:48 -05:00
David Garske
330d6ad5a6 Merge pull request #9083 from mgrojo/bugfix/ada-overflow-check-error-string
Ada: fix wrapping of `wolfSSL_ERR_error_string_n`
2025-08-29 11:28:16 -07:00
David Garske
24bbb38a9a Merge pull request #9120 from effbiae/print-debug
replace (f)printf with WOLFSSL_DEBUG_PRINTF
2025-08-29 11:26:44 -07:00
David Garske
c2885cf0b9 Merge pull request #9147 from douzzer/20250828-WC_SVR_FLAG_INHIBIT-recursive
20250828-WC_SVR_FLAG_INHIBIT-recursive
2025-08-29 11:25:03 -07:00
mgrojo
cdbad34284 Ada: include use of WolfSSL.Get_Error in the example 2025-08-29 09:57:04 -07:00
mgrojo
a0c8efdffe Ada: fix wrapping of wolfSSL_ERR_error_string_n
Use unchecked conversion instead of type conversion to mimic C style
conversion from int to unsigned long, avoiding the Ada overflow check that is raised when a negative value is converted to an unsigned type.
2025-08-29 09:57:04 -07:00
effbiae
44c403f4c7 replace (f)printf with WOLFSSL_DEBUG_PRINTF 2025-08-29 12:34:22 +10:00
Daniel Pouzzner
f7c7ac275a linuxkm/linuxkm_wc_port.h and linuxkm/x86_vector_register_glue.c: refactor
wc_save_vector_registers_x86() and wc_restore_vector_registers_x86() to allow
  recursive WC_SVR_FLAG_INHIBIT while already in a vector save context;

linuxkm/lkcapi_sha_glue.c: in get_drbg() and put_drbg(),
  DISABLE_VECTOR_REGISTERS()...REENABLE_VECTOR_REGISTERS() if tfm ==
  crypto_default_rng.
2025-08-28 11:02:45 -05:00
Sean Parkinson
0224ef3d2e Merge pull request #9146 from rlm2002/gh9128_MEM_ZERO
ForceZero change for WOLFSSL_CHECK_MEM_ZERO
2025-08-28 22:37:55 +10:00
JacobBarthelmeh
9774e4959f change sgx script to create options.h if none exists 2025-08-27 16:44:47 -06:00
JacobBarthelmeh
ccf8eebc5f update for cpuid atomic refactor 2025-08-27 16:44:46 -06:00
Ruby Martin
8b1422a869 add configuration for WOLFSSL_MEM_CHECK_ZERO 2025-08-27 16:12:57 -06:00
Ruby Martin
11942e774c do not abort MEM_ZERO check if TEST_ALWAYS_RUN_TO_END is defined 2025-08-27 15:04:49 -06:00
Ruby Martin
1ad8b2897a Force zero with bufferSize instead of length. add void prototype to definitions 2025-08-27 14:56:51 -06:00
Kareem
87f99ea824 Add test case for --enable-coding=no. 2025-08-27 12:02:25 -07:00
Kareem
e25bd603ed Fix building with --coding=no/WOLFSSL_PEM_TO_DER undefined. 2025-08-27 11:53:22 -07:00
David Garske
344f127e64 Merge pull request #9129 from effbiae/wolfSSL_read_ex
SSL_read_ex() ... will return 1 for success or 0 for failure
2025-08-27 07:33:29 -07:00
David Garske
dac80aad58 Merge pull request #9142 from SparkiDev/mlkem_dec5_oor_fix
ML-KEM/Kyber: fix out of bouds read
2025-08-27 07:05:29 -07:00
effbiae
934364b8e1 wolfSSL_read_ex returns {0,1} 2025-08-27 15:35:17 +10:00
Sean Parkinson
4ff6f5f10c ML-KEM/Kyber: fix out of bouds read
Decompose 5-bit values: Don't read 15 bytes when only have 10 bytes
available.
2025-08-27 14:49:24 +10:00
David Garske
c78bb1cd42 Merge pull request #9141 from gojimmypi/espressif-latest-debug
Fix workflow for latest ESP-IDF for espressif examples
2025-08-26 15:48:05 -07:00
gojimmypi
797c1d00ac Fix workflow for latest ESP-IDF for espressif examples 2025-08-26 14:38:23 -07:00
Sean Parkinson
02cba85856 Merge pull request #9135 from douzzer/20250825-linuxkm-IntelRDseed64_r-burn-buf
20250825-linuxkm-IntelRDseed64_r-burn-buf
2025-08-27 07:22:25 +10:00
David Garske
71581e321e Merge pull request #9098 from julek-wolfssl/fix-test_wolfSSL_tls_export
Fix test_wolfSSL_tls_export
2025-08-26 12:11:49 -07:00
philljj
00860baddf Merge pull request #9136 from douzzer/20250826-more-wc_linuxkm_normalize_relocations
20250826-more-wc_linuxkm_normalize_relocations
2025-08-26 14:04:14 -05:00
David Garske
1ce13fc3ee Merge pull request #9118 from SparkiDev/api_c_split_tls13
api.c: pull out TLS 1.3 specific tests
2025-08-26 09:23:56 -07:00
Daniel Pouzzner
79a75d1ef2 linuxkm/module_hooks.c: in wc_linuxkm_normalize_relocations(), allow non-text
relocations 1 byte outside the destination segment, and when
  DEBUG_LINUXKM_PIE_SUPPORT, tally the relocation counts by segment for final info
  report;

linuxkm/module_hooks.c and linuxkm/linuxkm_wc_port.h: tweak gating on
  wc_linuxkm_normalize_relocations() and related -- ifdef
  HAVE_LINUXKM_PIE_SUPPORT, not ifdef USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE --
  for consistency+clarity.
2025-08-26 11:07:40 -05:00
David Garske
c7d1673948 Merge pull request #9132 from anhu/dup_CKS
Properly detect duplicate CKS extensions.
2025-08-26 09:07:04 -07:00
Juliusz Sosinowicz
d26b2811e0 test_wolfSSL_tls_export_run: silence unused cmpSess warning 2025-08-26 16:40:17 +02:00
Juliusz Sosinowicz
5934c1eece Fix test_wolfSSL_tls_export
- Add TLS_EXPORT_OPT_SZ_4 to specify previous option size
- Actually pick up failures in the tests and propagate them to the top level
- Tests v4 and v5 sessions
Fixes https://github.com/wolfSSL/wolfssl/issues/9081 and https://github.com/wolfSSL/wolfssl/pull/9082
2025-08-26 11:04:54 +02:00
Daniel Pouzzner
fa61187f2e linuxkm/module_hooks.c: in IntelRDseed64_r(), burn buf after each use to protect against info leakage. 2025-08-25 21:59:32 -05:00
Sean Parkinson
115d4d88c0 api.c: pull out TLS 1.3 specific tests 2025-08-26 09:05:46 +10:00
philljj
7aab2f3b47 Merge pull request #9126 from douzzer/20250823-linuxkm-reloc-bikeshedding
20250823-linuxkm-reloc-bikeshedding
2025-08-25 16:53:36 -05:00
lealem47
1c2fb10007 Merge pull request #9124 from dgarske/sniffer_partial_overlap
Fix for sniffer partial segment overlap that can occur when a TCP win…
2025-08-25 15:15:48 -06:00
David Garske
6ae0ecc5f3 Merge pull request #9133 from AlexLanzano/log-fix
Fix value comparison typo in if statement
2025-08-25 14:09:20 -07:00
David Garske
cfee026f98 Merge pull request #9131 from embhorn/zd20429
Fix markdown in docs
2025-08-25 14:08:30 -07:00
JacobBarthelmeh
e0913c47ef Merge pull request #9039 from tamasan238/for-pr-1
Add _new/_delete API for ML-KEM/ML-DSA
2025-08-25 14:47:07 -06:00
Kareem
623c593210 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into zd19563_verify 2025-08-25 11:36:12 -07:00
Alex Lanzano
8207053636 Fix value comparison typo in if statement 2025-08-25 13:56:35 -04:00
Anthony Hu
2885df68b4 Properly detect duplicate CKS extensions. 2025-08-25 12:01:50 -04:00
Eric Blankenhorn
6ab6634efc Fix markdown in docs 2025-08-25 09:28:08 -05:00
Sean Parkinson
ffbcd4f86c Merge pull request #9125 from douzzer/20250819-linuxkm-fips-v5-wc_GenerateSeed_IntelRD
20250819-linuxkm-fips-v5-wc_GenerateSeed_IntelRD
2025-08-25 21:37:35 +10:00
Daniel Pouzzner
a67d1a84f5 configure.ac: for linuxkm with PIE, don't include enable-fpcc in enable-all-crypto (the compiler generates a weird out-of-bounds bss reference for find_hole());
linuxkm/Makefile: in recipe (awk script) for wc_linuxkm_pie_reloc_tab.c, report and error on unexpected relocation types;

linuxkm/module_hooks.c: in wc_linuxkm_normalize_relocations():
* fix bounds checking on the input,
* recognize references pointing at the first byte after the end of the segment,
* and mask out pad bytes when rendering the 32 bit addresses;

linuxkm/wolfcrypt.lds: add 4k alignment directives just before the segment end fenceposts, to make the fenceposts more inclusive.
2025-08-23 17:21:24 -05:00
Daniel Pouzzner
d9467db007 wolfssl/wolfcrypt/types.h: fix bugprone-macro-parentheses in definition of DISABLE_VECTOR_REGISTERS. 2025-08-22 23:43:36 -05:00
Daniel Pouzzner
e0383b496a linuxkm/module_hooks.c: implement wc_linuxkm_GenerateSeed_IntelRD, gated on WC_LINUXKM_RDSEED_IN_GLUE_LAYER;
add WC_GENERATE_SEED_DEFAULT, which defaults to wc_GenerateSeed if not overridden, and replace wc_GenerateSeed with WC_GENERATE_SEED_DEFAULT in various calls to wc_SetSeed_Cb();

linuxkm/linuxkm_wc_port.h: if FIPS <v6 and RDSEED, define WC_LINUXKM_RDSEED_IN_GLUE_LAYER and define WC_GENERATE_SEED_DEFAULT wc_linuxkm_GenerateSeed_IntelRD;

wolfcrypt/test/test.c: update rng_seed_test() with gating and vectors for FIPS v5 with HAVE_AMD_RDSEED or HAVE_INTEL_RDSEED;

wolfssl/wolfcrypt/types.h: add WC_HAVE_VECTOR_SPEEDUPS helper macro, and enlarge fallthrough definition coverage for DISABLE_VECTOR_REGISTERS.
2025-08-22 21:58:00 -05:00
David Garske
8dd43077fd Fix for sniffer partial segment overlap that can occur when a TCP window is full and a TCP retransmission occurs. 2025-08-22 14:29:18 -07:00
JacobBarthelmeh
6f567bbca2 Merge pull request #9122 from julek-wolfssl/hostap-fix-cert-update
Fix hostap cert update
2025-08-22 15:28:19 -06:00
JacobBarthelmeh
9575c69d3b Merge pull request #9121 from douzzer/20250819-linuxkm-pie-normalize_relocs
20250819-linuxkm-pie-normalize_relocs
2025-08-22 15:11:48 -06:00
Kareem
c2eeeafdbe Merge remote-tracking branch 'upstream/master' into zd19563_verify 2025-08-22 13:56:44 -07:00
JacobBarthelmeh
bc5b297d33 Merge pull request #9046 from kareem-wolfssl/zd20038
Allow setting the CA type when loading into cert manager and unloading specific CA types from the cert manager.
2025-08-22 14:43:46 -06:00
David Garske
1f579afc66 Merge pull request #9117 from SparkiDev/tls13_ks_fix
TLS 1.3 KeyShare: error on duplicate group
2025-08-22 12:54:54 -07:00
David Garske
0d1e9c3264 Fix whitespace issue and known macros list 2025-08-22 12:48:55 -07:00
Kareem
4a067fa1bc Don't enforce test_wolfSSL_X509_STORE_CTX_ex12 return code as it
may be skipped, modifying the return code.
2025-08-22 11:29:21 -07:00
Juliusz Sosinowicz
4043dc2dd0 Fix hostap cert update
Update the `rsa3072-*` certs to get `suite_b_192_*` tests passing
2025-08-22 17:24:49 +02:00
Daniel Pouzzner
af4e2d127f linuxkm/: implement wc_linuxkm_pie_reloc_tab and wc_linuxkm_normalize_relocations(), and integrate with updateFipsHash(). 2025-08-22 00:38:06 -05:00
Kareem
077beaecd8 Fix memory leak in unit test, fix for loop syntax. 2025-08-21 16:33:57 -07:00
Kareem
b53db94f1e x509_verify_cert: Code review feedback. 2025-08-21 15:35:29 -07:00
David Garske
7ab4c6fa14 Merge pull request #9087 from JacobBarthelmeh/dhuk
initial SAES and DHUK support
2025-08-21 14:32:20 -07:00
David Garske
da8ffd5762 Merge pull request #8463 from JacobBarthelmeh/sgx
updating the build with SGX
2025-08-21 11:06:35 -07:00
JacobBarthelmeh
42c5324962 SAES does not have GCM support, added IV option for CBC wrapping of key 2025-08-21 09:26:40 -06:00
Sean Parkinson
d66c69eaec Merge pull request #9079 from holtrop/error-getshortint-on-negative-values
Error from GetShortInt with negative INTEGER values
2025-08-21 08:35:17 +10:00
Sean Parkinson
b3366acdaf Merge pull request #9103 from rlm2002/zd20314-reduce-binary-footprint
Exclude assembly files when WOLFSSL_ARMASM_INLINE is defined
2025-08-21 08:33:39 +10:00
Sean Parkinson
b1cdf0b214 TLS 1.3 KeyShare: error on duplicate group
Don't allow a KeyShare extension from the client to have more
than one entry for any group.
2025-08-21 08:23:31 +10:00
JacobBarthelmeh
658c3d69fb use memset, fix unlock, adjust return value checks 2025-08-20 13:53:27 -06:00
JacobBarthelmeh
993099e47e Merge pull request #9114 from douzzer/20250819-debug-trace-errcodes-dist-artifacts
20250819-debug-trace-errcodes-dist-artifacts
2025-08-20 10:48:38 -06:00
David Garske
79fe6e467b Merge pull request #9112 from SparkiDev/tls13_onlyDhePskKe_fix
TLS 1.3: Fix for onlyDhePskKe
2025-08-20 06:44:08 -07:00
David Garske
596e211a97 Merge pull request #9113 from SparkiDev/tls13_certvfy_sigalg_check
TLS 1.3: CertificateVerify - check sig alg was sent
2025-08-20 06:44:03 -07:00
Josh Holtrop
d2f139c9b0 Error from GetShortInt with negative INTEGER values - Add WORD8 case 2025-08-20 09:34:19 -04:00
Ruby Martin
0e6e040039 formatting remove whitespace
format whitespace so tabs are 4 spaces

format character count to be 80 characters or less per line

remove bracket
2025-08-19 17:08:53 -06:00
Daniel Pouzzner
5f7e2389d9 wolfssl/include.am: include wolfssl/debug-trace-error-codes.h and wolfssl/debug-untrace-error-codes.h in dist archives. 2025-08-19 17:09:58 -05:00
JacobBarthelmeh
8119034555 work around for shellcheck warning 2025-08-19 14:32:34 -06:00
JacobBarthelmeh
23498c293e cpuid dummy call with sgx and fix assembly SP + SGX build 2025-08-19 14:32:33 -06:00
JacobBarthelmeh
44784729c0 touch up clean script and comment out sp-asm for now 2025-08-19 14:32:33 -06:00
JacobBarthelmeh
59ac260ae8 add option for building sgx with assembly optimizations 2025-08-19 14:32:33 -06:00
JacobBarthelmeh
9cdbc03a23 Merge pull request #9111 from douzzer/20250818-configure-linuxkm-fips-v5
20250818-configure-linuxkm-fips-v5
2025-08-19 14:31:08 -06:00
Josh Holtrop
98b6b92a76 Error from GetShortInt with negative INTEGER values 2025-08-19 12:40:48 -04:00
Sean Parkinson
2810656242 TLS 1.3: CertificateVerify - check sig alg was sent
Check that the signature algorithm used in the CertificateVerify message
was one that was sent in the SignatureAlgorithm extension.
2025-08-19 16:27:19 +10:00
Sean Parkinson
cd55fe6135 TLS 1.3: Fix for onlyDhePskKe
Make client enforce onlyDhPskKe flag.
2025-08-19 14:29:30 +10:00
Daniel Pouzzner
b9cc060340 configure.ac: tweaks for ENABLED_LINUXKM_DEFAULTS and FIPS v5. 2025-08-18 18:21:57 -05:00
JacobBarthelmeh
c089abe92f add macro to list 2025-08-18 16:47:30 -06:00
Ruby Martin
27d03fce7a additional check for ARM ASM Inline option
append thumb2 files, append inline c files with BUILD_ARMASM_INLINE

add all asm files. move curve25519 files under BUILD_CURVE25519

include remaining files
2025-08-18 15:41:43 -06:00
David Garske
f114f2cde2 Merge pull request #9093 from kareem-wolfssl/zd20372
Multiple fixes to wolfSSL_CIPHER_description to match documentation.
2025-08-18 13:43:53 -07:00
JacobBarthelmeh
fb6375551b updating unwrap/wrap with use of DHUK 2025-08-18 13:38:26 -06:00
Kareem
aa6f1b231a Fix memory leak in X509StoreRemoveCa. 2025-08-18 10:21:54 -07:00
Kareem
19b778dda0 Protect against exceeding original depth, fix overlong lines. 2025-08-18 10:21:54 -07:00
Kareem
cb985dcfa8 ECC required for newly added unit test. 2025-08-18 10:21:54 -07:00
Kareem
60c84744c8 Fix memory leak in x509_verify_cert itself, the failed certs need a pop_free call so the reference is properly decremented, as they are no longer in the X509_STORE. 2025-08-18 10:21:53 -07:00
Kareem
1e367597b6 Fix memory leak in newly added unit test. 2025-08-18 10:21:53 -07:00
Kareem
6b01053d98 Add test case for new x509_verify_cert retry functionality.
Add CA cert with the same SKI and intentionally invalid AKI as part of x509_verify_cert test case.
2025-08-18 10:21:53 -07:00
Kareem
027f0891f4 Don't fail out if X509StoreRemoveCa fails, since adding the temp CA was optional, it is possible there is no temp CA to remove. 2025-08-18 10:21:53 -07:00
Kareem
aaadb7971d Fix narrowing conversion of type in RemoveCa. 2025-08-18 10:21:53 -07:00
Kareem
7b4a50b701 Add missing XFREE for dCert. 2025-08-18 10:21:53 -07:00
Kareem
d6f603b661 Add X509StoreRemoveCa wrapper around RemoveCa
WOLFSSL_X509's calculated subject key hash is not guaranteed to match the cert's,
ie. in the case that NO_SHA is defined.  Use the same logic as AddCa,
parsing the DER cert and using the decoded cert's subject key hash.
2025-08-18 10:21:53 -07:00
Kareem
15a147d957 Remove incorrectly added NULL check, add debug logging to RemoveCA. 2025-08-18 10:21:53 -07:00
Kareem
f9eda18445 Fix missing cast and correct freeing of certs. 2025-08-18 10:21:53 -07:00
Kareem
946f20ccc7 Add type parameter to RemoveCA to avoid removing CAs of the wrong type. 2025-08-18 10:21:53 -07:00
Kareem
025dbc3454 Retry all certificates passed into wolfSSL_X509_verify_cert until a valid chain is found, rather than failing out on the first invalid chain. This allows for registering multiple certs with the same subject key, ie. alt cert chains. 2025-08-18 10:21:52 -07:00
Sean Parkinson
43f94a5d7d Merge pull request #9107 from douzzer/20250816-cpuid_get_flags_ex-optimize
20250816-cpuid_get_flags_ex-optimize
2025-08-18 22:13:44 +10:00
Sean Parkinson
0ba16a9c5b Merge pull request #9104 from kojiws/export_long_key_orig_asn
Improve original implementation on SetAsymKeyDer() and the test
2025-08-18 22:11:25 +10:00
Daniel Pouzzner
39c6c5af6f wolfcrypt/src/cpuid.c, wolfssl/wolfcrypt/cpuid.h: change cpuid_flags_t to a
regular word32, and use non-atomics for general flag checking, with a new
  implementation of cpuid_get_flags_ex() that is threadsafe by idempotency;

rename strictly-threadsafe cpuid_get_flags_ex() as cpuid_get_flags_atomic()
  (strictly accurate return value), and add cpuid_flags_atomic_t and
  WC_CPUID_ATOMIC_INITIALIZER, used only for internal manipulation of flags in
  cpuid.c where atomicity matters.
2025-08-16 13:04:28 -05:00
lealem47
b096d9b250 Merge pull request #9106 from dgarske/zd20399
Fix sniffer issue handling TLS records with multiple handshake messages to be skipped
2025-08-15 15:57:00 -06:00
David Garske
32b0bd963b Fix issue introduced in PR #9051 causing TLS records with multiple handshake messages to be skipped (ZD 20399) 2025-08-15 10:08:28 -07:00
David Garske
a98006eca9 Merge pull request #9105 from douzzer/20250815-dilithium-dilithium_expand_s-UndefinedBinaryOperatorResult
20250815-dilithium-dilithium_expand_s-UndefinedBinaryOperatorResult
2025-08-15 09:07:38 -07:00
Daniel Pouzzner
10a05ad839 wolfcrypt/src/dilithium.c: fix dilithium_expand_s() to fall through to dilithium_expand_s_c() for s1Len not implemented for USE_INTEL_SPEEDUP. 2025-08-15 09:48:55 -05:00
Juliusz Sosinowicz
ffe3d80f8d Merge pull request #9097 from douzzer/20250812-atomic-cmpxchg
20250812-atomic-cmpxchg
2025-08-15 01:14:45 +02:00
Sean Parkinson
5b1302e4df Merge pull request #9094 from dgarske/zd20369
Fix to better detect sniffer invalid spurious re-transmissions
2025-08-15 09:01:02 +10:00
Sean Parkinson
228ede7495 Merge pull request #9102 from rlm2002/zd20212
Remove dead code and check return values.
2025-08-15 08:21:38 +10:00
Daniel Pouzzner
c5bbf4c7e0 Merge pull request #9085 from effbiae/while-pending
`wolfSSL_AsyncPoll` calls refactor
2025-08-14 14:51:05 -05:00
David Garske
e00fd2fd70 Fix to better detect invalid spurious retransmission. 2025-08-14 12:19:39 -07:00
Kareem
c535e281c6 Skip unit test when using Apple native cert validation. 2025-08-14 11:34:15 -07:00
Kareem
cb3f7de3f7 Fix issues found by CI/CD tests. 2025-08-14 11:34:15 -07:00
Kareem
3bcbbd2924 Fix issue with loading PEM certs. Address code review feedback.
Add tests.
2025-08-14 11:34:15 -07:00
Kareem
a652b733e4 Fix conversion warning. 2025-08-14 11:34:15 -07:00
Kareem
ab342978d7 Fix implicit conversion warning. 2025-08-14 11:34:14 -07:00
Kareem
61ccea55ac Allow setting the CA type when loading into cert manager
and unloading specific CA types from the cert manager.
2025-08-14 11:34:14 -07:00
Kareem
cb623dc9ea Multiple fixes to wolfSSL_CIPHER_description to match documentation.
Add "any" value for TLS 1.3 cipher suites.
Fix key size comparison for enc bits.
Output AEAD as MAC if cipher suite is using it, otherwise output hash MAC.
2025-08-14 11:27:10 -07:00
Koji Takeda
0a9356e645 Improve original implementation on SetAsymKeyDer() and the test 2025-08-15 00:04:01 +09:00
Daniel Pouzzner
cefeb4cd7e atomics/cpuid_flags fixes from peer review:
wolfcrypt/src/cpuid.c: cpuid_set_flag() and cpuid_clear_flag() thread safety;

wolfcrypt/src/wc_port.c: comments re __ATOMIC_SEQ_CST and __ATOMIC_ACQUIRE;

wolfssl/wolfcrypt/wc_port.h: single overrideable definitions for WOLFSSL_ATOMIC_COERCE_[U]INT(), and comment cleanup.

also added WOLFSSL_USER_DEFINED_ATOMICS.
2025-08-14 09:33:14 -05:00
Daniel Pouzzner
bd4e723f9d add cpuid_flags_t, WC_CPUID_INITIALIZER, and cpuid_get_flags_ex();
refactor all static flag initializations to use cpuid_get_flags_ex() for race-free dynamics;

refactor cpuid_set_flags() to be race-free;

wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/wc_port.c: add
* WOLFSSL_ATOMIC_COERCE_INT()
* WOLFSSL_ATOMIC_COERCE_UINT()
* wolfSSL_Atomic_Uint
* wolfSSL_Atomic_Uint_Init()
* wolfSSL_Atomic_Int_AddFetch()
* wolfSSL_Atomic_Int_SubFetch()
* wolfSSL_Atomic_Int_CompareExchange()
* wolfSSL_Atomic_Uint_FetchAdd()
* wolfSSL_Atomic_Uint_FetchSub()
* wolfSSL_Atomic_Uint_AddFetch()
* wolfSSL_Atomic_Uint_SubFetch()
* wolfSSL_Atomic_Uint_CompareExchange()

wolfcrypt/test/test.c: add to memory_test() tests for all atomic macros and APIs;

.github/workflows/pq-all.yml: don't use -Wpedantic for CC=c++ scenario.
2025-08-14 08:44:28 -05:00
Sean Parkinson
a1dd7dae6f Merge pull request #9095 from miyazakh/add_sha512_typeproperty
Add hashtype property to wc_Sha512 structure
2025-08-14 21:43:06 +10:00
Sean Parkinson
102525c9c9 Merge pull request #9100 from dgarske/cryptocb_only
Improve some of the build cases around crypto callback only
2025-08-14 21:41:26 +10:00
Sean Parkinson
034df3d28f Merge pull request #9101 from dgarske/asm_introspection
Add assembly introspection for RISC-V and PPC32
2025-08-14 21:38:42 +10:00
Daniel Pouzzner
a64c719fd2 Merge pull request #9092 from douzzer/20250812-Base64_Decode-outLen-bounds-fix
20250812-Base64_Decode-outLen-bounds-fix

reviewed+approved by @dgarske and @SparkiDev
2025-08-13 23:15:04 -05:00
effbiae
0e3f877326 WOLFSSL_ASYNC_WHILE_PENDING refactor 2025-08-14 12:03:13 +10:00
JacobBarthelmeh
8458b5ec1d Merge pull request #9053 from rlm2002/sessionTickets
update wolfSSL_get_SessionTicket to be able to return ticket length
2025-08-13 17:19:52 -06:00
Ruby Martin
18f3f22a7e add option for WOLFSSL_ARMASM_INLINE to CMake 2025-08-13 17:05:48 -06:00
Daniel Pouzzner
7fe890d5e7 wolfcrypt/src/coding.c: clean up comment in Base64_Decode(), per peer review. 2025-08-13 18:00:36 -05:00
Daniel Pouzzner
344db9d7f7 wolfcrypt/src/coding.c: in Base64_Decode_nonCT() and Base64_Decode(), remove overly restrictive preamble check on outLen; return BUFFER_E, not BAD_FUNC_ARG, when output buffer is too short (similarly fixed in Base16_Decode());
wolfcrypt/test/test.c: add N_BYTE_TEST() and test vectors to test all input and output length scenarios.
2025-08-13 17:43:33 -05:00
Ruby Martin
dc18f404ca remove dead code in fe_operations.c 2025-08-13 16:34:14 -06:00
Ruby Martin
71c2878780 verify previously unchecked return values 2025-08-13 16:28:36 -06:00
David Garske
53c36f8529 Add assembly introspection for RISC-V and PPC32. 2025-08-13 22:30:15 +01:00
David Garske
d79ca8a746 Improve some of the build cases around crypto callback only 2025-08-13 21:58:53 +01:00
Hideki Miyazaki
b67e063535 add hashtype property to wc_Sha512 2025-08-14 05:37:40 +09:00
Daniel Pouzzner
22b221a8be Merge pull request #9099 from gojimmypi/pr-cert-test-sizeof
Change certs_test sizeof const to define for Watcom
2025-08-13 14:41:21 -05:00
gojimmypi
f279f9cd71 Change certs_test sizeof const to define for Watcom 2025-08-13 11:58:59 -07:00
Ruby Martin
a725f4d7ac update wolfSSL_get_SessionTicket() function dox comment 2025-08-13 08:29:30 -06:00
Ruby Martin
a02025d0c9 add session ticket length return check to api tests 2025-08-13 08:29:30 -06:00
Ruby Martin
31bf1b90b4 update wolfSSL_get_SessionTicket to be able to return ticket length 2025-08-13 08:29:30 -06:00
Daniel Pouzzner
8d24a30996 Merge pull request #9096 from julek-wolfssl/libssh2-tests-fix
Fix libssh2 tests
2025-08-13 08:42:24 -05:00
Juliusz Sosinowicz
c8c93d2218 Fix libssh2 tests 2025-08-13 14:44:40 +02:00
David Garske
3289b6b3da Merge pull request #9089 from douzzer/20250811-linuxkm-and-other-fixes
20250811-linuxkm-and-other-fixes
2025-08-12 11:40:36 -07:00
Daniel Pouzzner
e24f76bb1e Merge pull request #9057 from SparkiDev/mldsa_x64_asm
ML-DSA/Dilithium: Intel x64 ASM
2025-08-11 23:12:44 -05:00
Daniel Pouzzner
2d1c797b64 fixes from cppcheck-force-source: in src/bio.c:wolfSSL_BIO_vprintf() and
wolfcrypt/src/logging.c:WOLFSSL_MSG_CERT_EX(), add missing gating on
  defined(XVSNPRINTF);

in src/crl.c:CRL_Entry_new(), fix true-positive nullPointerRedundantCheck;

in src/pk.c:_DH_compute_key(), add bounds checking to ForceZero(priv).
2025-08-11 18:12:44 -05:00
Daniel Pouzzner
11d84bea86 wolfcrypt/src/rsa.c: fix improperly handled SAVE_VECTOR_REGISTERS() retval in
wc_CheckProbablePrime_ex(), and in wc_MakeRsaKey(), make sure not to
  RESTORE_VECTOR_REGISTERS() if SAVE_VECTOR_REGISTERS() failed.
2025-08-11 16:14:32 -05:00
Daniel Pouzzner
7b077737a9 src/crl.c: fix nullPointerRedundantCheck in CRL_Entry_free(). 2025-08-11 16:14:32 -05:00
Daniel Pouzzner
29dd6cce98 wolfssl/wolfcrypt/logging.h: add WOLFSSL_MSG_CERT_LOG_EX, give
WOLFSSL_DEBUG_CERTS definitions priority when defining WOLFSSL_MSG_CERT_LOG()
  and WOLFSSL_MSG_CERT_LOG_EX, update documentation in preamble, and fix the
  WOLFSSL_ANDROID_DEBUG definition of WOLFSSL_DEBUG_PRINTF_FIRST_ARGS and the
  WOLFSSL_ESPIDF definition of WOLFSSL_DEBUG_PRINTF();

src/ssl_load.c: use WOLFSSL_MSG_CERT_LOG_EX(), not WOLFSSL_DEBUG_PRINTF(), in
  ProcessFile().
2025-08-11 16:14:32 -05:00
Daniel Pouzzner
f4fefcbd5e configure.ac: for linuxkm, don't set ENABLED_ENTROPY_MEMUSE_DEFAULT to yes on FIPS v5-;
linuxkm/linuxkm_wc_port.h: add WC_SVR_FLAG_NONE;

wolfssl/wolfcrypt/settings.h: for WOLFSSL_LINUXKM setup for WC_RESEED_INTERVAL,
  use UINT_MAX if FIPS v5-;

wolfssl/wolfcrypt/types.h: add definitions for SAVE_NO_VECTOR_REGISTERS2, and
  map no-op SAVE_VECTOR_REGISTERS2() to it.
2025-08-11 16:14:32 -05:00
Daniel Pouzzner
6617f2edf8 wolfcrypt/src/memory.c, wolfcrypt/src/misc.c, and wolfssl/wolfcrypt/misc.h: move
the new implementation of wc_ForceZero from wolfcrypt/src/memory.c to inline in
  wolfcrypt/src/misc.c replacing old ForceZero() implementation, and add a wrapper
  wc_ForceZero() to wolfcrypt/src/memory.c.
2025-08-11 16:14:32 -05:00
Albert Ribes
e36daf41a4 Store in extensions the full octet string (#8967)
* Store in extensions the full octet string

Store in WOLFSSL_X509_EXTENSION.value always the full contents of the
OCTET STRING of the extension, instead of different type of data
depending on the type of extension. Previously this was only done for
unknown extensions.

* Avoid local variables in 'DecodeExtKeyUsageInternal'

There is a great performance loss on configs using 'WOLFSSL_NO_MALLOC',
'WOLFSSL_STATIC_MEMORY' and 'USE_FAST_MATH' if function
'DecodeExtKeyUsageInternal' uses intermediate variables. This can be
observed running the Zephyr test 'wolfssl_test/prj-no-malloc.conf'.

Avoid using intermediate variables, and use raw pointers to the final
destination instead.

* Add missing calls to 'FreeDecodedCert'

* Return error code from 'wolfSSL_ASN1_STRING_into_old_ext_fmt'

* Fix lines larger than 80

* Allow NULL parameters for 'DecodeAuthKeyId'

* Add comment explaining build option '--enable-old-extdata-fmt'

* Test full OCTET STRING in tests/api.c

* wolfSSL_X509V3_EXT_d2i: Honor 'WOLFSSL_SMALL_STACK'

* zephyr/wolfssl_test_no_malloc: Increase test timeout

* wolfSSL_X509V3_EXT_d2i: Extract repeated code into common part

* wolfcrypt: Remove 'WOLFSSL_LOCAL' from .c files

* wolfcrypt: Change location of functions to make diff easier
2025-08-11 10:33:15 -07:00
JacobBarthelmeh
9ad7e79dfc initial SAES and DHUK support 2025-08-11 08:46:29 -06:00
Sean Parkinson
55f30adb3e Merge pull request #9077 from douzzer/20250807-wc_ForceZero-and-linuxkm-RHEL9v6
20250807-wc_ForceZero-and-linuxkm-RHEL9v6
2025-08-11 21:06:51 +10:00
Daniel Pouzzner
5a402b2254 Merge pull request #9076 from gojimmypi/pr-fence-atomics
Disallow atomics during fence & WOLFSSL_NO_ATOMIC
2025-08-08 23:46:30 -05:00
Daniel Pouzzner
260fca600a Merge pull request #8902 from gojimmypi/pr-cert-logging
Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages
2025-08-08 23:44:03 -05:00
Daniel Pouzzner
9236b81ade Merge pull request #9078 from rlm2002/cppCheck
Changes for cppcheck=force-source errors and warnings
2025-08-08 23:29:30 -05:00
Daniel Pouzzner
46394f3da3 Merge pull request #9075 from gojimmypi/pr-small-oids
Force old OID values: WOLFSSL_OLD_OID_SUM for WC_16BIT_CPU
2025-08-08 23:29:09 -05:00
Daniel Pouzzner
db7702f66c Merge pull request #9065 from rlm2002/zd20212
Update fe_448.c from script
2025-08-08 23:28:52 -05:00
Daniel Pouzzner
b3496a04d6 Merge pull request #9073 from holtrop/fix-inconsistent-prototype-parameter-names-wolfssl
Fix inconsistent function prototype parameter names for wolfssl
2025-08-08 23:28:33 -05:00
Daniel Pouzzner
9dc4b71112 Merge pull request #9069 from holtrop/fix-inconsistent-prototype-parameter-names
Fix inconsistent function prototype parameter names for wolfcrypt
2025-08-08 23:28:10 -05:00
Daniel Pouzzner
e6c6ef64df Merge pull request #9047 from miyazakh/rz_update
Update Renesas RZ examples
2025-08-08 23:27:35 -05:00
Daniel Pouzzner
2960844c3e Merge pull request #9068 from holtrop/fix-misra-3.1-violations
Fix MISRA rule 3.1 violations
2025-08-08 23:27:04 -05:00
Ruby Martin
6070ca8499 remove nested check for ssl->options.dtls
move cidSz declaration
2025-08-08 10:46:35 -06:00
Ruby Martin
e631f2e56e add ret check before assigning row value 2025-08-08 10:40:09 -06:00
Ruby Martin
1cfbc92ce2 initialize info var 2025-08-08 10:40:09 -06:00
Ruby Martin
9e3f726b0e add null checks for function arguments that return BAD_FUNC_ARG
update function comment
2025-08-08 10:40:09 -06:00
Ruby Martin
f5a4b13391 initialize lpMsgBuf 2025-08-08 10:40:09 -06:00
Ruby Martin
35ea769c9f add null check to CRL_Entry_free() 2025-08-08 10:40:09 -06:00
Daniel Pouzzner
a821e4cfa2 wolfcrypt/src/memory.c and wolfssl/wolfcrypt/memory.h: add WOLFSSL_API void wc_ForceZero(). 2025-08-07 21:57:56 -05:00
Ruby Martin
948f90251a clear invalidPrintfArgType warnings. initialize wc_Memory* pt to null 2025-08-07 16:48:46 -06:00
Ruby Martin
cf3f7b9911 modify argument for unsigned int
adjust warning for invalidPrintfArgType
2025-08-07 16:48:46 -06:00
gojimmypi
e6ffbfb601 Disallow atomics during fence & WOLFSSL_NO_ATOMIC 2025-08-07 15:18:42 -07:00
Sean Parkinson
9470668538 Merge pull request #9074 from douzzer/20250807-redo-PR8900
20250807-redo-PR8900
2025-08-08 08:12:42 +10:00
Daniel Pouzzner
a01d4c2d5f linuxkm/module_hooks.c: suppress -Wunused-parameter when including crypto/hash.h (for RHEL 9.6). 2025-08-07 17:09:10 -05:00
Takashi Kojo
8bd4fb52c8 Merge pull request #9072 from julek-wolfssl/dtls-replay-test
Test DTLS replay protection
2025-08-08 06:26:15 +09:00
gojimmypi
256836fe6f Force WOLFSSL_OLD_OID_SUM for WC_16BIT_CPU 2025-08-07 11:23:34 -07:00
Juliusz Sosinowicz
0d532cc3f2 Test DTLS replay protection 2025-08-07 19:52:05 +02:00
Daniel Pouzzner
2dfc7eee89 wolfcrypt/src/sp_int.c: in _sp_exptmod_nct(), use 2 bit window if bits <= 21. 2025-08-07 10:26:34 -05:00
Daniel Pouzzner
40506a6ddf Revert "SP int: modular exponentiation constant time" (fixes regression in benchmark "RSA,2048,public").
This reverts commit 219509d7d9.
2025-08-07 10:14:02 -05:00
David Garske
5a8b86da5d Merge pull request #9054 from gojimmypi/pr-please-use-debug-wolfssl
Please use DEBUG_WOLFSSL not WOLFSSL_DEBUG
2025-08-07 07:42:42 -07:00
Ruby Martin
782d0b9828 remove casts 2025-08-07 08:23:38 -06:00
David Garske
b4d186004c Merge pull request #9070 from miyazakh/cb_sha224
Support sha224 cryptocb
2025-08-07 07:07:05 -07:00
Josh Holtrop
e6eac9b920 Fix inconsistent function prototype parameter names for wolfssl 2025-08-07 09:28:50 -04:00
Josh Holtrop
61f1223f1d Fix inconsistent function prototype parameter names for wolfcrypt 2025-08-07 08:02:56 -04:00
Sean Parkinson
648a057147 ML-DSA/Dilithium: Intel x64 ASM
Optimize code knowing it is for Intel x64.
Change signing to calculate one polynomial at a time so that if it isn't
valid then we fail early.
Other minor improvements.
Move the SHA-3 4 blocks at a time assembly into SHA-3 asm file.
Make constants in assembly the same length (front pad with zeros).
2025-08-07 14:01:50 +10:00
Hideki Miyazaki
07b3695b98 wc_Sha224Final also needs to call cb 2025-08-07 09:50:06 +09:00
Hideki Miyazaki
d1bf35b209 add sha224_test() call to cryptocb test 2025-08-07 08:14:26 +09:00
Hideki Miyazaki
ccdef57e8e add sha224 cryptcb 2025-08-07 07:49:53 +09:00
gojimmypi
d64ef34ef8 Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages 2025-08-06 13:57:53 -07:00
Josh Holtrop
33d0e1e51c Fix MISRA rule 3.1 violations 2025-08-06 12:08:15 -04:00
Daniel Pouzzner
339f7efbf4 Merge pull request #9066 from holtrop/fix-misra-8.2-violations
fe_operations.h: fix MISRA rule 8.2 violations by naming function prototype parameters
2025-08-06 11:04:44 -05:00
Daniel Pouzzner
cc137e99fe Merge pull request #8900 from SparkiDev/rsa_mod_exp_nct
SP int: modular exponentiation constant time
2025-08-06 11:04:28 -05:00
Daniel Pouzzner
753a6b1083 Merge pull request #9063 from SparkiDev/sha3_xorbuf
SHA-3 C code: use xorbuf for little-endian builds
2025-08-06 11:04:10 -05:00
Daniel Pouzzner
76c4ee9ff5 Merge pull request #9056 from SparkiDev/asn_orig_decrypt_content_fix
ASN.1 original: Fix DecryptContent to check sequence len
2025-08-06 11:03:49 -05:00
Daniel Pouzzner
b8463dc5c1 Merge pull request #9062 from kareem-wolfssl/gh9059
Fix wolfSSL_i2d_PublicKey not returning SPKI format for ECC keys.
2025-08-06 11:03:28 -05:00
Daniel Pouzzner
8e5e273aca Merge pull request #9044 from JacobBarthelmeh/docs
add static memory doxygen comments for APIs
2025-08-06 11:02:57 -05:00
Daniel Pouzzner
8e77ee5c2a Merge pull request #9064 from SparkiDev/test_api_c_split_2
api.c: split out more tests into separate files
2025-08-06 10:51:25 -05:00
Daniel Pouzzner
53eedd4b38 Merge pull request #9041 from julek-wolfssl/zero-sha->buffer
Zero sha->buffer
2025-08-06 10:50:53 -05:00
David Garske
8ff0f455f8 Merge pull request #9067 from douzzer/20250805-clang-and-linuxkm-fixes
20250805-clang-and-linuxkm-fixes
2025-08-06 05:59:49 -07:00
Hideki Miyazaki
53ae865184 Addressed code review 2025-08-06 19:13:20 +09:00
Masaki Iwai
e9292e301f add _new/_delete API for ML-KEM/ML-DSA 2025-08-06 16:52:15 +09:00
Kareem
36e0e3aa53 Fix wolfSSL_i2d_PublicKey not returning SPKI format for ECC keys. 2025-08-05 17:20:47 -07:00
Daniel Pouzzner
034cbb9b97 tests/api.c: fix -Wuninitialized-const-pointer in test_wolfSSL_CertManagerAPI();
wolfcrypt/benchmark/benchmark.c:

* use WC_RELAX_LONG_LOOP() as default definition of TEST_SLEEP(), and remove WC_RELAX_LONG_LOOP() from bench_stats_sym_finish()/bench_stats_asym_finish_ex();
* when WOLFSSL_LINUXKM but !WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS., properly wrap kernel_fpu_begin...end around floating point ops.
2025-08-05 17:05:36 -05:00
Sean Parkinson
dbb75c46c9 ASN.1 original: Fix DecryptContent to check sequence len
Original ASN.1 code wasn't checking that data in a sequence didn't
exceed the length of the sequence.
In particular, the contents of the parameters and the PKCS#5 parameters.
2025-08-06 07:42:09 +10:00
Sean Parkinson
d0f8493c6a SHA-3 C code: use xorbuf for little-endian builds
Instead of loading 64-bits with alignment protection, use xorbuf which
has built in protection.
Only XOR in as much data as cached and XOR padding and rate bit directly
rather than XORing maximum amount after clearing out rest of array and
adding in padding and rate bit.
2025-08-06 07:39:53 +10:00
Sean Parkinson
219509d7d9 SP int: modular exponentiation constant time
Using a 1-bit window size for small exponentsisn't useful.
2025-08-06 07:38:37 +10:00
gojimmypi
7c9327a36b Please use DEBUG_WOLFSSL not WOLFSSL_DEBUG 2025-08-05 12:19:30 -07:00
Josh Holtrop
90d4efa1e6 fe_operations.h: fix MISRA rule 8.2 violations by naming function prototype parameters 2025-08-05 13:09:42 -04:00
David Garske
1693f72af7 Fixes for issues copilot found. 2025-08-05 07:22:04 -07:00
David Garske
649b6ede69 Merge pull request #9058 from kojiws/fix_cid_535964
Fix CID 535964
2025-08-05 07:08:59 -07:00
Sean Parkinson
b40e3d479f api.c: split out more tests into separate files
wolfCrypt PKCS7
wolfCrypt PKCS12
OpenSSL compat ASN.1
OpenSSL compat BN
OpenSSL comppat BIO
OpenSSL comppat Digest
OpenSSL comppat MAC
OpenSSL comppat Cipher
OpenSSL comppat RSA
OpenSSL comppat DH
OpenSSL comppat EC
OpenSSL comppat ECX
OpenSSL comppat DSA
2025-08-05 19:32:56 +10:00
Koji Takeda
bfb2a817e3 Fix CID 535964 2025-08-05 13:25:42 +09:00
David Garske
8e52978153 Merge pull request #9061 from gojimmypi/pr-fix-haproxy-workflow
Update HAProxy build-vtest: fix v3.1.0 and add v3.2.0
2025-08-04 19:57:15 -07:00
gojimmypi
6e795f149c Update HAProxy build-vtest: fix v3.1.0 and add v3.2,0 2025-08-04 12:38:27 -07:00
JacobBarthelmeh
c22c37df09 Merge pull request #9055 from rlm2002/zd20212
Coverity changes
2025-08-04 10:34:29 -06:00
Ruby Martin
598a3e6232 check return value of wc_DhGetNamedKeyParamSize 2025-08-01 14:56:35 -06:00
JacobBarthelmeh
040e2102a8 Merge pull request #9049 from kojiws/import_mldsa_seed_pkcs8_reapply
Reapply - Import ML-DSA's seed from PKCS8 file
2025-08-01 14:34:09 -06:00
JacobBarthelmeh
367e3e4246 fix for wolfSSL_StaticBufferSz_ex function signature 2025-08-01 10:32:41 -06:00
JacobBarthelmeh
0392ee009f Merge pull request #9033 from anhu/mlkem-hybrid-draft-names-wolfssl
Rename ML-KEM hybrids to match IETF Draft.
2025-08-01 10:21:54 -06:00
Hideki Miyazaki
8e6b13822b fix trailing whitespace, adding files to am and know macro 2025-08-01 17:36:23 +09:00
Hideki Miyazaki
a63bb12f6b Move devId from internal to public
- addressed code review by devin
2025-08-01 16:58:16 +09:00
JacobBarthelmeh
65e7f2c40f Merge pull request #9051 from lealem47/zd20288
Sniffer: Fix infinite recursion caused by an OOO appData packet
2025-07-31 14:50:36 -06:00
JacobBarthelmeh
86adcd6c8e Merge pull request #9048 from douzzer/20250730-linuxkm-tweaks
20250730-linuxkm-tweaks
2025-07-31 14:36:56 -06:00
Daniel Pouzzner
1152d612a6 wolfcrypt/benchmark/benchmark.c: smallstack refactors for bench_mlkem() and bench_dilithiumKeySign(), and globally replace stray uses of fprintf(stderr, ...) with printf(...) for portability. 2025-07-31 11:30:42 -05:00
Daniel Pouzzner
bbd606538a linuxkm/linuxkm_wc_port.h, linuxkm/x86_vector_register_glue.c, linuxkm/Kbuild:
* rename can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), with wc_ prefix, and properly export them;
* move setup for WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS outside BUILDING_WOLFSSL gate;
* fix !BUILDING_WOLFSSL bindings for DISABLE_VECTOR_REGISTERS() to properly fall through to no-ops in !WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS configs, and properly #error if WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS but !CONFIG_X86;

.github/workflows/linuxkm.yml: --enable-linuxkm-benchmarks for additional coverage.
2025-07-31 10:37:39 -05:00
Lealem Amedie
0e8aab241d Sniffer: Fix infinte recursion caused by an OOO appData packet 2025-07-31 09:31:59 -06:00
Anthony Hu
6f66f4fda3 Use correct string in the unit tests. 2025-07-31 10:35:32 -04:00
Koji Takeda
2891815965 Fix errors on #9000 2025-07-31 16:04:22 +09:00
Koji Takeda
09deacbe8f Revert "Merge pull request #9045 from douzzer/20250730-revert-PR9000"
This reverts commit 70af2be5ab, reversing
changes made to 46347173b2.
2025-07-31 14:14:51 +09:00
Daniel Pouzzner
c353052e54 linuxkm/linuxkm_wc_port.h:
* move enum wc_svr_flags out of BUILDING_WOLFSSL guard;
* add DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS() definitions for !BUILDING_WOLFSSL;
* add #include <linux/spinlock.h> to !WOLFSSL_LINUXKM_USE_MUTEXES implementation to fix compilation (and add usability) to caller code;

linuxkm/lkcapi_sha_glue.c: in wc_linuxkm_drbg_ctx_clear(), fix error-path deallocation of locked object;

wolfcrypt/benchmark/benchmark.c:

* in FIPS v6+ builds, and FIPS linuxkm v5+, check retval from wc_AesEncryptDirect() and wc_AesDecryptDirect();
* add WC_RELAX_LONG_LOOP() in bench_stats_sym_finish() and bench_stats_asym_finish_ex();

wolfcrypt/test/test.c: fix rng_seed_test() with correct test vectors for the relevant combinations of features, and gate the test out if there are user override defines for ENTROPY_SCALE_FACTOR or SEED_BLOCK_SZ.
2025-07-30 22:15:05 -05:00
Hideki Miyazaki
9b7caac3ef Update RZ examples
- Use xSPI0 boot mode
 - Update FSP from v1.3 to v2.0.0
 - Simplify UART
 - Migrate new User Ctx
 - Update README
 - Fix SCE TLS on RA6M4
2025-07-31 11:04:06 +09:00
JacobBarthelmeh
ee4e511a01 remove trailing white spaces 2025-07-30 17:02:23 -06:00
JacobBarthelmeh
70af2be5ab Merge pull request #9045 from douzzer/20250730-revert-PR9000
20250730-revert-PR9000
2025-07-30 16:59:19 -06:00
JacobBarthelmeh
6a01122c47 add static memory doxygen comments for APIs 2025-07-30 14:50:44 -06:00
Daniel Pouzzner
26806cda7b Revert "Support importing seed of ML-DSA key"
This reverts commit a82d1a6b12.
2025-07-30 15:39:57 -05:00
Daniel Pouzzner
f6437d3072 Revert "Add test data"
This reverts commit 778dcbaafb.
2025-07-30 15:39:55 -05:00
Daniel Pouzzner
d0bf9c4b3c Revert "Disable exporting dilithium DER tests without WOLFSSL_ASN_TEMPLATE"
This reverts commit bbcdfe92e0.
2025-07-30 15:39:53 -05:00
Daniel Pouzzner
40646964b4 Revert "Follow copilot review"
This reverts commit 189ba201f3.
2025-07-30 15:39:47 -05:00
JacobBarthelmeh
46347173b2 Merge pull request #9034 from holtrop/allow-pkcs7-without-x963-kdf
Allow building with HAVE_PKCS7 set and HAVE_X963_KDF unset
2025-07-30 10:05:09 -06:00
JacobBarthelmeh
09dd519764 Merge pull request #9043 from holtrop/fix-unit-test-coverity-defect
Fix unit test coverity defect in test_wc_PKCS7_SetAESKeyWrapUnwrapCb()
2025-07-30 09:59:39 -06:00
Josh Holtrop
ccb463dd1d Fix unit test coverity defect in test_wc_PKCS7_SetAESKeyWrapUnwrapCb() 2025-07-30 10:37:28 -04:00
Juliusz Sosinowicz
42e2dd9990 Zero sha->buffer
msan reported it as an uninitialized buffer
2025-07-30 14:16:52 +02:00
JacobBarthelmeh
a1e2ba2cd3 Merge pull request #9036 from kareem-wolfssl/zd20239
Fix size used by signature context struct with WOLFSSL_NO_MALLOC.
2025-07-29 17:13:34 -06:00
Sean Parkinson
d7f85c533b Merge pull request #9038 from JacobBarthelmeh/tcp
remove QEMU test host name lookup feature
2025-07-30 08:40:39 +10:00
JacobBarthelmeh
36912c3af8 Merge pull request #9000 from kojiws/import_mldsa_seed_pkcs8
Import ML-DSA's seed from PKCS8 file
2025-07-29 16:02:36 -06:00
Kareem
f130a9d44d Alias MAX_SIG_SZ to MAX_ENCODED_SIG_SZ for backwards compatibility. 2025-07-29 13:58:35 -07:00
Josh Holtrop
df7e105fb7 Allow building with HAVE_PKCS7 set and HAVE_X963_KDF unset 2025-07-29 11:46:44 -04:00
JacobBarthelmeh
26f4c968df Merge pull request #9032 from holtrop/allow-pkcs7-without-aes-keywrap
Allow building with HAVE_PKCS7 set and HAVE_AES_KEYWRAP unset
2025-07-29 09:44:07 -06:00
JacobBarthelmeh
9aace48189 remove QEMU test host name lookup feature 2025-07-28 17:04:33 -06:00
Koji Takeda
189ba201f3 Follow copilot review 2025-07-29 07:15:32 +09:00
Josh Holtrop
26a4ea93eb Allow building with HAVE_PKCS7 set and HAVE_AES_KEYWRAP unset 2025-07-28 12:40:35 -04:00
Koji Takeda
bbcdfe92e0 Disable exporting dilithium DER tests without WOLFSSL_ASN_TEMPLATE 2025-07-28 21:46:28 +09:00
Koji Takeda
778dcbaafb Add test data 2025-07-28 21:46:28 +09:00
Koji Takeda
a82d1a6b12 Support importing seed of ML-DSA key 2025-07-28 21:46:28 +09:00
philljj
cc2f7927ec Merge pull request #9035 from douzzer/20250725-wc_linuxkm_relax_long_loop
20250725-wc_linuxkm_relax_long_loop
2025-07-26 09:22:00 -05:00
Daniel Pouzzner
b0f6829614 20250725-wc_linuxkm_relax_long_loop: improvements from peer review: fix, clarify, and extend comments, improve indentation, and snip out a stray redundant preprocessor definition. 2025-07-26 08:27:43 -05:00
Kareem
5b888f809f Fix size used by signature context struct. This matches the size used by sigCpy/sigSz when building without WOLFSSL_NO_MALLOC. 2025-07-25 15:50:38 -07:00
Daniel Pouzzner
77dccc0c32 linuxkm:
* add wc_linuxkm_check_for_intr_signals(), wc_linuxkm_relax_long_loop(),
  WC_CHECK_FOR_INTR_SIGNALS(), WC_RELAX_LONG_LOOP(), SAVE_NO_VECTOR_REGISTERS(),
  RESTORE_NO_VECTOR_REGISTERS(), and new error code INTERRUPTED_E ("Process
  interrupted");

* update the no-asm remaps in the PK implementations to use
  SAVE_NO_VECTOR_REGISTERS() and RESTORE_NO_VECTOR_REGISTERS(), so that inner
  loops in them are always covered by the new logic.
2025-07-25 15:56:48 -05:00
Anthony Hu
c7e054a7a7 Rename ML-KEM hybrids to match IETF Draft. 2025-07-25 13:27:26 -04:00
David Garske
c347f75b3c Merge pull request #9029 from holtrop/extract-kari-rid
Add wc_PKCS7_GetEnvelopedDataKariRid()
2025-07-25 09:04:11 -07:00
Josh Holtrop
804c4f20b5 Explicitly initialize some unit test variables to avoid warnings 2025-07-24 18:51:58 -04:00
Josh Holtrop
1226dedeb8 Check that we don't run out of space for the RID structure 2025-07-24 15:52:34 -04:00
Josh Holtrop
71bd9e2f6e Make unit test more resilient to earlier errors 2025-07-24 15:46:01 -04:00
Josh Holtrop
6309b241cd Fix some clang-tidy warnings in unit test 2025-07-24 15:42:55 -04:00
David Garske
a06268f705 Merge pull request #9010 from miyazakh/sce_tlsproperties_uc
Make properties related to Renesas FSP Security Module TLS hidden for FSP SM context
2025-07-24 12:35:56 -07:00
David Garske
2db1669713 Merge pull request #8988 from JacobBarthelmeh/visibility
remove WOLFSSL_API in source code when already used in header file
2025-07-24 11:00:55 -07:00
David Garske
e4a9ffd00e Merge pull request #9031 from danielinux/fix-regression-rsa-verify-only
Fix warning with WOLFSSL_RSA_VERIFY_ONLY
2025-07-24 10:29:02 -07:00
JacobBarthelmeh
c25efcee92 Merge pull request #9028 from dgarske/md5_sha1
Fixes for building with MD5 and SHA1 to support Hash `WC_HASH_TYPE_MD5_SHA`
2025-07-24 10:41:22 -06:00
Josh Holtrop
cf843c8b82 Add wc_PKCS7_GetEnvelopedDataKariRid()
Allow access to recipient ID before attempting to decrypt content.
2025-07-24 11:15:30 -04:00
Daniele Lacamera
09de113145 Fix warning with WOLFSSL_RSA_VERIFY_ONLY
PR #8830 introduces a warning when WOLFSSL_NO_CT_OPS is selected.
However, in WOLFSSL_RSA_VERIFY_ONLY mode this is enforced in
wolfssl/wolfcrypt/settings.h:4035, forcing this warning to appear when
this configuration is used.

This PR takes into account the special case, allowing WOLFSSL_NO_CT_OPS
when WOLFSSL_RSA_VERIFY_ONLY, and removing the warning.
2025-07-24 16:13:00 +02:00
philljj
6750c29e67 Merge pull request #9027 from douzzer/20250723-linuxkm-fixes-and-testing-workflow
20250723-linuxkm-fixes-and-testing-workflow
2025-07-23 22:43:51 -05:00
David Garske
6aabc73845 Merge pull request #9018 from holtrop/decode-skp
Add API to decode SymmetricKeyPackage and OneSymmetricKey CMS objects
2025-07-23 16:01:58 -07:00
David Garske
44eba446ec Merge pull request #9002 from holtrop/aes-key-wrap-callbacks
Add callback functions for custom AES key wrap/unwrap operations
2025-07-23 16:01:49 -07:00
David Garske
551ff3f1b6 Fixes for building with MD5 and SHA1 to support Hash WC_HASH_TYPE_MD5_SHA. ZD 20269. 2025-07-23 15:59:08 -07:00
David Garske
e1b3c43a2b Merge pull request #8987 from gojimmypi/pr-espressif-allocators
Add wolfSSL_GetAllocators PSRAM support for Espressif ESP32
2025-07-23 15:33:53 -07:00
Daniel Pouzzner
5e57ec5c93 linuxkm/Kbuild: if ENABLED_LINUXKM_PIE, disable KASAN and UBSAN, to avoid external references (__ubsan_handle_out_of_bounds() etc.). 2025-07-23 17:30:14 -05:00
David Garske
c261bf4452 Merge pull request #9006 from rlm2002/zd20212
Coverity fixes for Zendesk issue
2025-07-23 15:29:20 -07:00
Daniel Pouzzner
ca6a12769f linuxkm/linuxkm_wc_port.h: additional fixes for version gates;
.github/workflows/linuxkm.yml: add a second scenario with --enable-linuxkm-pie.
2025-07-23 16:57:24 -05:00
Daniel Pouzzner
b7b0ab6dbf src/tls.c: fix double free just added to TLSX_KeyShare_GenPqcKeyClient(). 2025-07-23 16:18:22 -05:00
Daniel Pouzzner
53de4a582e add .github/workflows/linuxkm.yml;
linuxkm/Makefile: add support for FORCE_NO_MODULE_SIG.
2025-07-23 14:43:33 -05:00
Daniel Pouzzner
a447a991b0 linuxkm/Kbuild: add KERNEL_EXTRA_CFLAGS_REMOVE;
linuxkm/linuxkm_wc_port.h: fix version threshold for HAVE_KVREALLOC (6.12.0, not 6.11.0), and add manual overrides.
2025-07-23 14:31:52 -05:00
Daniel Pouzzner
8d7009e9de src/tls.c: in TLSX_KeyShare_GenPqcKeyClient(), add smallstack coverage to !WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ code paths. 2025-07-23 12:02:07 -05:00
Daniel Pouzzner
5360738351 wolfssl/internal.h: don't gate in prototype for sockAddrEqual() if defined(WOLFSSL_NO_SOCK). 2025-07-23 11:17:31 -05:00
Josh Holtrop
2f2f999657 Rework to remove early function returns 2025-07-22 20:35:28 -04:00
Josh Holtrop
0d48911ae4 Update style per code review comments 2025-07-22 20:30:44 -04:00
Josh Holtrop
86d7d42eb6 Comment test ASN DER sequences 2025-07-22 20:29:44 -04:00
Josh Holtrop
7762fa9b14 Update style per code review comments 2025-07-22 20:09:55 -04:00
philljj
65126352a0 Merge pull request #9025 from douzzer/20250721-wolfssl_linuxkm_pie_redirect_table-direct
20250721-wolfssl_linuxkm_pie_redirect_table-direct
2025-07-22 18:08:11 -05:00
Hideki Miyazaki
5e77253577 Addressed code review comments 2025-07-23 07:44:30 +09:00
Daniel Pouzzner
6043274d96 linuxkm/Kbuild: revert change to base PIE_FLAGS -- we need -fno-stack-protector to avoid compiler-generated references to __stack_chk_fail. 2025-07-22 16:45:06 -05:00
David Garske
c7bc6e834e Merge pull request #8996 from lealem47/match_ipv6
Add logic to match IPv6 domain addresses
2025-07-22 13:42:15 -07:00
Josh Holtrop
13fb6b83cd Update style per code review comments 2025-07-22 16:38:13 -04:00
Josh Holtrop
27f0ef8789 Combine AES key wrap/unwrap callbacks 2025-07-22 16:34:37 -04:00
Daniel Pouzzner
c26f6ded14 linuxkm/linuxkm_wc_port.h: use more flexible logic to define WC_LKM_INDIRECT_SYM(), allowing various overrides and orthogonalizing the definitions proper, and add explanatory comments. 2025-07-22 14:40:45 -05:00
Josh Holtrop
7bcb346dd7 Remove early function returns per code review comments 2025-07-22 14:58:26 -04:00
Josh Holtrop
15c8730ef7 Use wc_ prefix for IndexSequenceOf() 2025-07-22 14:50:42 -04:00
Josh Holtrop
77bace5010 Update style per code review comments 2025-07-22 14:47:22 -04:00
gojimmypi
97c2e9f973 Add wolfSSL_GetAllocators PSRAM support for Espressif ESP32 2025-07-22 11:34:47 -07:00
David Garske
357b624ca5 Merge pull request #9024 from JacobBarthelmeh/mldsa
fix mldsa test case for buffer size and expire date
2025-07-22 11:04:41 -07:00
Ruby Martin
29288640ab add additional check so dead code can be reached 2025-07-22 10:48:06 -06:00
David Garske
b0fd0296f3 Merge pull request #9026 from JacobBarthelmeh/readme
fix changelog formatting
2025-07-22 09:34:44 -07:00
Ruby Martin
01fd36b840 set a->length to 0 if old data is not kept 2025-07-22 10:33:12 -06:00
Lealem Amedie
22b01bcda9 Remove unnecessary memset 2025-07-22 10:05:36 -06:00
JacobBarthelmeh
3759c6f1a1 fix changelog formatting 2025-07-22 09:21:26 -06:00
Ruby Martin
828b9b7024 remove mac_alg check, mac_alg is always no_mac on subsequent iterations 2025-07-22 08:49:26 -06:00
Ruby Martin
42b80878d9 str_len check includes any value less than 0 2025-07-22 08:49:26 -06:00
Ruby Martin
dc345553df wrap res assignment in else statement 2025-07-22 08:49:26 -06:00
Josh Holtrop
aa986a2b24 Update doxygen comment style per code review comments 2025-07-22 08:27:00 -04:00
Josh Holtrop
e03fc6858b Update Doxygen comment style per code review comments 2025-07-22 08:24:22 -04:00
Josh Holtrop
525f1cc39e Update style per code review comments 2025-07-22 08:19:01 -04:00
Sean Parkinson
8f00fc2594 Merge pull request #8890 from kareem-wolfssl/zd20022
Allow larger pathLen values in Basic Constraints.
2025-07-22 17:16:27 +10:00
Sean Parkinson
cd7256ae63 Merge pull request #8979 from anhu/abort_on_bad_legacy
Abort TLS connection if legacy version field  is TLS 1.3 or higher
2025-07-22 17:12:39 +10:00
Sean Parkinson
1f72866489 Merge pull request #8993 from miyazakh/tsip_tlsproperties_uc
Make properties related to TLS handshake hidden for TSIP TLS user-context structure
2025-07-22 17:05:44 +10:00
Sean Parkinson
6c847b1870 Merge pull request #9013 from ColtonWilley/fix_cryptocb_rsa_pad_inline
Set out ptr properly for RSA pad crypto cb inline
2025-07-22 16:47:06 +10:00
Sean Parkinson
21f283c143 Merge pull request #9008 from gojimmypi/pr-wolfssl_user_io
Improve WOLFSSL_USER_IO defaults
2025-07-22 16:37:59 +10:00
Sean Parkinson
7417958649 Merge pull request #9015 from philljj/fix_dual_alg_build
dual alg certs: fix dual alg certs build, and asn cleanup.
2025-07-22 16:26:41 +10:00
Sean Parkinson
95768038b9 Merge pull request #9019 from ribes96/word64_literal
wolfcrypt test: Fix build on 32 bit machines
2025-07-22 16:23:02 +10:00
Sean Parkinson
0c4c156893 Merge pull request #9020 from ribes96/oldgcc_uninitialized
Avoid bogus warning on uninitialized variables on old versions of GCC
2025-07-22 16:22:00 +10:00
Sean Parkinson
f034f09bb4 Merge pull request #9021 from ribes96/fix_noshadow_overwrite
Support CFLAGS="-Wno-shadow"
2025-07-22 16:21:07 +10:00
Sean Parkinson
f1175043f3 Merge pull request #9022 from lealem47/check_rsa_u
Check that u value isn't zero in RsaFunctionPrivate
2025-07-22 16:19:12 +10:00
Daniel Pouzzner
0495f2cc20 linuxkm/linuxkm_wc_port.h: add WC_LKM_INDIRECT_SYM() macro; on x86, use wolfssl_linuxkm_pie_redirect_table directly for indirect calls from PIE container, otherwise use wolfssl_linuxkm_get_pie_redirect_table() to avoid e.g. R_AARCH64_LD64_GOT_LO12_NC relocations;
linuxkm/Kbuild: remove -fno-stack-protector from default PIE_FLAGS.
2025-07-21 19:34:00 -05:00
JacobBarthelmeh
98c70fb77e fix mldsa test case for buffer size and expire date 2025-07-21 15:15:31 -06:00
Lealem Amedie
8df20d6966 Check that u value isn't zero in RsaFunctionPrivate 2025-07-21 10:45:43 -06:00
Lealem Amedie
b306e88d1a Guard for WOLFSSL_USER_IO case 2025-07-21 10:06:19 -06:00
Lealem Amedie
f9afdfd8e2 Don't need to initialize with {0} 2025-07-21 10:06:19 -06:00
Lealem Amedie
90bd374c16 Add logic to match IPv6 domain addresses 2025-07-21 10:06:19 -06:00
Albert Ribes
6f8e0f128a Support CFLAGS="-Wno-shadow"
Avoid appending "-Wshadow" in the end of compiler flags if the user
provided CFLAGS="-Wno-shadow"
2025-07-21 12:34:39 +02:00
Albert Ribes
b2463f167c Avoid bogus warning on uninitialized variables on old versions of GCC
gcc-4.3.3 erroneously complains that some variables may be used
uninitialized. Silence it assigning NULL on declaration, as is already
done with many other variables.
2025-07-21 10:57:50 +02:00
Albert Ribes
2e25c65129 wolfcrypt test: Fix build on 32 bit machines
Declare a 64 bit variable using W64LIT to avoid warnings on 32 bit
machines
2025-07-21 10:34:19 +02:00
Josh Holtrop
06d86af67c Add API to decode SymmetricKeyPackage and OneSymmetricKey CMS objects 2025-07-19 18:28:06 -04:00
jordan
8e46687223 dual alg certs: add missing WC_ENABLE_ASYM_KEY_IMPORT guard. 2025-07-18 09:30:17 -05:00
Hideki Miyazaki
7a03b9fea6 fix trailing whitespaces 2025-07-18 07:54:45 +09:00
Hideki Miyazaki
70587dd2d5 Addressed code review by devin 2025-07-18 07:51:04 +09:00
David Garske
decea12e22 Merge pull request #9012 from JacobBarthelmeh/release
prepare for release 5.8.2
2025-07-17 14:59:24 -07:00
jordan
e571988059 dual alg certs: fix dual alg certs build, and asn cleanup. 2025-07-17 15:15:11 -05:00
Colton Willey
f3ee192a96 Set out ptr properly for RSA pad crypto cb inline 2025-07-17 12:01:39 -07:00
JacobBarthelmeh
c34e6ab8d9 prepare for release 5.8.2 2025-07-17 10:26:19 -06:00
JacobBarthelmeh
fa1842e56d Merge pull request #9011 from douzzer/20250717-linuxkm-include-am
20250717-linuxkm-include-am
2025-07-17 08:56:40 -06:00
Daniel Pouzzner
c8a9e9ea12 linuxkm/include.am: add linuxkm/wolfcrypt.lds to EXTRA_DIST. 2025-07-17 08:40:55 -05:00
Hideki Miyazaki
ba358b8fb8 Sanity check before free 2025-07-17 18:51:57 +09:00
Hideki Miyazaki
59659ef8fb fix long line and trailing whitespaces 2025-07-17 18:26:55 +09:00
Hideki Miyazaki
cc123d7c3a Make properties related to SCE TLS hidden
- Fix RSA Crypt callback
 - Eliminate WOLFSSL_LOCAL
2025-07-17 18:16:40 +09:00
philljj
8bde512676 Merge pull request #9007 from douzzer/20250715-linuxkm-portability-fixes
20250715-linuxkm-portability-fixes
2025-07-16 21:02:55 -05:00
gojimmypi
a08b93347f Revised sockets for USE_WOLFSSL_IO, USE_WOLFSSL_IO 2025-07-16 15:18:14 -07:00
Daniel Pouzzner
8d1289c1d7 linuxkm/Kbuild: --rename-section .rodata.cst16=.rodata.wolfcrypt 2025-07-16 16:54:20 -05:00
gojimmypi
66650a95d8 Improve WOLFSSL_USER_IO defaults 2025-07-16 12:04:05 -07:00
Daniel Pouzzner
01313cc0c8 linuxkm/x86_vector_register_glue.c:
* refactor the save_vector_registers_x86() algorithm to depend directly on preempt_count(), and use local_bh_enable() and preempt_disable() directly, to mitigate glitchiness around irq_fpu_usable() and crypto_simd_usable();

* eliminate the WC_FPU_ALREADY_FLAG kludge.

* improve the error and warning messages, and add some additional checks and messages for unexpected states; add VRG_PR_ERR_X and VRG_PR_WARN_X for pr_*_once() semantics on regular builds, but unlimited messages when WOLFSSL_LINUXKM_VERBOSE_DEBUG.

linuxkm/linuxkm_wc_port.h and linuxkm/module_hooks.c:

* move the spinlock-based implementation of wc_LockMutex() from linuxkm_wc_port.h to module_hooks.c, due to numerous stuboorn direct external symbol references;

* extensively refactor the kernel header #include strategy, keeping many more superfluous headers out of __PIE__ objects, and fixing unavoidable static header functions with grafted __always_inline attributes;

* add version exceptions for RHEL 9.5.

linuxkm/Kbuild:

* on x86 with CONFIG_MITIGATION_{RETPOLINE,RETHUNK}, use inline rethunks rather than none;

* refactor check for "Error: section(s) missed by containerization." using `readelf --sections --syms`, for 100% coverage, more informative error output, and suppression of false positives on printk-related cruft;

configure.ac and linuxkm/lkcapi_sha_glue.c: use LINUXKM_LKCAPI_[DONT_]REGISTER_{SHA,HMAC}_ALL to represent --enable-linuxkm-lkcapi-register=[-]all-{sha,hmac}, which allows alg families (notably SHA1) to be masked out piecemeal;

linuxkm/lkcapi_rsa_glue.c: in linuxkm_test_pkcs1pad_driver(), mitigate unused args when LINUXKM_AKCIPHER_NO_SIGNVERIFY.
2025-07-16 13:09:03 -05:00
JacobBarthelmeh
2c90d1585a Merge pull request #8897 from anhu/compat_additions
Compatibility layer additions for X.509 extensions and RSA PSS
2025-07-15 10:52:33 -06:00
Anthony Hu
c341a9fc05 FIPS > 2 2025-07-15 07:59:20 -04:00
JacobBarthelmeh
e06f1bbf02 Merge pull request #9005 from douzzer/20250714-linuxkm-MODULE_LICENSE
20250714-linuxkm-MODULE_LICENSE
2025-07-14 17:23:22 -06:00
JacobBarthelmeh
9430c8a5a1 Merge pull request #9003 from embhorn/cov_531298
Fix blake2b_final coverity reports
2025-07-14 16:20:19 -06:00
Daniel Pouzzner
049e88b525 linuxkm/module_hooks.c: use MODULE_LICENSE("GPL"). 2025-07-14 16:30:13 -05:00
Josh Holtrop
af3296a836 wc_PKCS7_KeyWrap(): mark pointers as to const and check for NULL 2025-07-14 17:28:23 -04:00
Daniel Pouzzner
2c341a5806 Merge pull request #8990 from JacobBarthelmeh/license
updating license from GPLv2 to GPLv3

(linuxkm tweak to `MODULE_LICENSE("GPL")` to follow.)
2025-07-14 16:14:39 -05:00
JacobBarthelmeh
91321fccec Merge pull request #8992 from douzzer/20250710-WC_ASN_RUNTIME_DATE_CHECK_CONTROL
20250710-WC_ASN_RUNTIME_DATE_CHECK_CONTROL
2025-07-14 15:08:35 -06:00
Eric Blankenhorn
9c2ea12563 Fix blake2 final coverity issue 2025-07-14 15:04:15 -05:00
Josh Holtrop
429ccd5456 Add callback functions for custom AES key wrap/unwrap operations 2025-07-14 15:58:14 -04:00
Eric Blankenhorn
efdca85aec Fix blake2 final coverity issue 2025-07-14 14:53:37 -05:00
philljj
1f71e6d246 Merge pull request #8998 from douzzer/20250712-linuxkm-all-aes-sha-hmac
20250712-linuxkm-all-aes-sha-hmac
2025-07-14 14:19:09 -05:00
philljj
bbc5dc528b Merge pull request #9001 from douzzer/20250714-linuxkm-fix-page-flags-h
20250714-linuxkm-fix-page-flags-h
2025-07-14 12:59:26 -05:00
Daniel Pouzzner
80c9212dd9 linuxkm/linuxkm_wc_port.h, linuxkm/lkcapi_aes_glue.c, configure.ac: fix LKCAPI on kernel 5.4 (sunrise version for LKCAPI), and add all-aes, all-sha, all-hmac, and their negations, to --enable-linuxkm-lkcapi-register. 2025-07-14 12:39:41 -05:00
Daniel Pouzzner
ee3b459e16 linuxkm/linuxkm_wc_port.h: refactor the fix for folio_flags()/const_folio_flags() text segment spam -- inhibiting inclusion of linux/page-flags.h breaks on some kernel configs. 2025-07-14 10:27:35 -05:00
JacobBarthelmeh
99d26f0347 Merge pull request #8977 from BridgerVoss/new_settings
FREESCALE forced algorithm HAVE_ECC moved to IDE/MQX/user_settings.h
2025-07-14 09:05:56 -06:00
Hideki Miyazaki
ec252a73e2 fix whitespace and long line 2025-07-12 10:26:28 +09:00
Hideki Miyazaki
eb8a3afe38 Addressed code review comments 2025-07-12 09:49:09 +09:00
Anthony Hu
dc3209b797 Add macro to .wolfssl_known_macro_extras 2025-07-11 14:59:43 -04:00
Kareem
9fa1d2e75f Enforce WOLFSSL_MAX_PATH_LEN for ASN original as well. 2025-07-11 11:53:33 -07:00
Anthony Hu
1a0a3283a0 Add a test. 2025-07-11 14:32:47 -04:00
philljj
607d5d798b Merge pull request #8994 from douzzer/20250711-linuxkm-distro-fix
20250711-linuxkm-distro-fix
2025-07-11 13:01:51 -05:00
Daniel Pouzzner
d90394efa6 wolfcrypt/src/asn.c and wolfssl/wolfcrypt/asn.h: add
WC_ASN_RUNTIME_DATE_CHECK_CONTROL, with accessors wc_AsnSetSkipDateCheck()
(WOLFSSL_TEST_VIS) and wc_AsnGetSkipDateCheck() (WOLFSSL_LOCAL).  use this to
permafix test_wolfSSL_CRL_duplicate_extensions() in api.c, which has an
expiring-soon handcrafted certificate in it.
2025-07-11 11:25:25 -05:00
David Garske
70bdd9f990 Merge pull request #8989 from rlm2002/zd20212
xmemset rng before test runs
2025-07-11 08:58:30 -07:00
David Garske
a36f9085c1 Fix for compat wolfSSL_RSA_sign and wolfSSL_RSA_verify to support RSA PSS with custom salt and mgf1 hash type. Adds compat API's for i2d_PrivateKey_bio , BN_ucmp and X509v3_get_ext_by_NID. ZD 20059 2025-07-11 08:51:51 -07:00
Daniel Pouzzner
0001bf7983 linuxkm/patches/: in regen-patches.sh, structure the pathnames to mollify kernel scripts/checkpatch.pl;
tweak WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v15.patch (mostly whitespace) to mollify scripts/checkpatch.pl.
2025-07-11 10:42:43 -05:00
Daniel Pouzzner
1e3966f06d linuxkm/include.am: add kernel patches to EXTRA_DIST. 2025-07-11 10:42:43 -05:00
Hideki Miyazaki
c4a178f029 Remove trailing whitespace 2025-07-11 22:12:49 +09:00
Hideki Miyazaki
e9def03585 Null check before accessing instance 2025-07-11 17:48:36 +09:00
Hideki Miyazaki
0a0b9a3c24 Make properties related to TLS handshake hidden for TSIP TLS user context structure 2025-07-11 14:25:06 +09:00
JacobBarthelmeh
388eea3cf2 Merge pull request #8976 from holtrop/decode-encrypted-key-package
Add wc_PKCS7_DecodeEncryptedKeyPackage()
2025-07-10 17:08:06 -06:00
JacobBarthelmeh
01cd91cbea removing more locations of WOLFSSL_API used with function implementations 2025-07-10 16:44:28 -06:00
Sean Parkinson
046e46a67f Merge pull request #8825 from kareem-wolfssl/zd19911
Fix parsing RPK with no parameters.
2025-07-11 08:36:55 +10:00
David Garske
8d68977e33 Merge pull request #8985 from sebastian-carpenter/GH-issue-8951
improper access of sp_int_minimal using sp_int
2025-07-10 15:21:20 -07:00
Ruby Martin
e65647faa8 xmemset rng before test runs 2025-07-10 16:17:53 -06:00
David Garske
4d4228caa1 Merge pull request #8815 from kareem-wolfssl/zd19929
Fix wolfSSL_BIO_new_connect's handling of IPV6 addresses.
2025-07-10 15:17:39 -07:00
JacobBarthelmeh
629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Kareem
362f0a2cfd Ensure only one of the RPK algorithm parameters are set. 2025-07-10 12:43:14 -07:00
JacobBarthelmeh
13b8a972ea remove WOLFSSL_API in source code when already used in header file for function decleration 2025-07-10 13:40:27 -06:00
Josh Holtrop
3ce8c6e4fa Remove WOLFSSL_API for wc_PKCS7_DecodeEncryptedKeyPackage() in source file 2025-07-10 15:29:31 -04:00
Josh Holtrop
f776c95e54 Remove do/while(0) loop in wc_PKCS7_DecodeEncryptedKeyPackage(); use if-else if chain 2025-07-10 15:25:57 -04:00
Kareem
f942990113 Fix building unit tests with --enable-rpk --disable-rsa.
Exact configure line used:
 ./configure --enable-kyber --enable-mlkem --enable-dilithium --enable-dtls --enable-dtls13 --enable-dtls-frag-ch --enable-debug --enable-debug-trace-errcodes \
CFLAGS="-DHAVE_RPK -DWOLFSSL_DER_LOAD -DWOLFSSL_LOGGINGENABLED_DEFAULT=1" --disable-rsa
2025-07-10 12:03:18 -07:00
Kareem
2df674bd59 Correct RPK parsing. As per RFC7250 section 3, the algorithm parameters are optional. 2025-07-10 12:03:18 -07:00
David Garske
047d1bd69f Merge pull request #8986 from kareem-wolfssl/pskYml
Fix missing comma in psk.yml
2025-07-10 11:50:08 -07:00
Kareem
bfacbf9764 Update ASN original to also allow larger pathLen values in Basic Constraints. 2025-07-10 11:47:47 -07:00
philljj
c7ff47d5ee Merge pull request #8984 from douzzer/20250710-linuxkm-crng-fixes
20250710-linuxkm-crng-fixes
2025-07-10 13:32:17 -05:00
Kareem
aa3a325add Fix missing comma in psk.yml 2025-07-10 10:52:11 -07:00
Kareem
f0459eb1cf Allow larger pathLen values in Basic Constraints. 2025-07-10 10:37:06 -07:00
Kareem
c9d451e857 Fix wolfSSL_BIO_new_connect's handling of IPV6 addresses. 2025-07-10 10:33:46 -07:00
Sebastian Carpenter
a00cfcb55f improper access of sp_int_minimal using sp_int
related thread: https://bugzilla.redhat.com/show_bug.cgi?id=2047439

also found sp_uint8 that was not updated to sp_sign_t
2025-07-10 10:42:30 -06:00
Daniel Pouzzner
b4137fe2f8 linuxkm/lkcapi_sha_glue.c: add interruptibility and additional relaxation where possible, and fix a leaked lock scenario, in get_drbg_n(), wc_linuxkm_drbg_seed(), wc_mix_pool_bytes(), and wc_crng_reseed();
wolfcrypt/src/asn.c: add a couple static attributes missed on the previous round of fixups.
2025-07-10 10:59:57 -05:00
philljj
ed6d189f1a Merge pull request #8980 from douzzer/20250706-linuxkm-fixes
20250706-linuxkm-fixes
2025-07-10 10:34:59 -05:00
Anthony Hu
4bd2835cf1 Change suggested by SparkiDev 2025-07-10 10:40:12 -04:00
Daniel Pouzzner
ae48ee408e Merge pull request #8983 from philljj/linuxkm_make_rsa_again
Linuxkm make rsa again
2025-07-10 09:29:29 -05:00
Josh Holtrop
6d51b73626 Shorten some wc_PKCS7_DecodeEncryptedKeyPackage() comment lines to less than 80 characters 2025-07-10 08:10:59 -04:00
Josh Holtrop
3f65846e67 Document BAD_FUNC_ARG return value for wc_PKCS7_DecodeEncryptedKeyPackage() 2025-07-10 08:07:32 -04:00
Sean Parkinson
783ab14afb Merge pull request #8982 from dgarske/x509_ref
Fix possible memory leak with X509 reference counter when using x509small
2025-07-10 20:37:57 +10:00
Daniel Pouzzner
f49e583721 linuxkm/Kbuild: skip "section(s) missed by containerization" test unless KERNEL_ARCH_X86;
linuxkm/linuxkm_wc_port.h: fixes for legacy kernels, particularly: when building TLS stack (!WOLFCRYPT_ONLY), use the best heap with a functioning realloc(), else use kvmalloc() and friends if available, even if kvrealloc() is unavailable.  also, provide for XMALLOC_USER and XMALLOC_OVERRIDE;

linuxkm/lkcapi_glue.c: recognize the new CONFIG_CRYPTO_SELFTESTS_FULL alongside the old CONFIG_CRYPTO_MANAGER_EXTRA_TESTS;

linuxkm/linuxkm_memory.c: restore my__show_free_areas() in case it's still needed.
2025-07-10 00:57:51 -05:00
jordan
e73fa74f14 linuxkm: misc cleanup. 2025-07-09 21:43:02 -05:00
jordan
0aacffd6a2 linuxkm rsa: retry wc_MakeRsaKey if not prime. 2025-07-09 20:55:50 -05:00
David Garske
b2143a815f Merge pull request #8965 from SparkiDev/ppc32_sha256_spe
PPC32 ARM ASM SHA-256: SPE impl, tidy up original
2025-07-09 17:00:26 -07:00
David Garske
2b07b9143b Fix issue with X509 reference counter with --enable-opensslextra=x509small or OPENSSL_EXTRA_X509_SMALL. Thank you Mohre. 2025-07-09 16:51:48 -07:00
Sean Parkinson
98adb330ef Merge pull request #8981 from dgarske/mldsa
Fix build issue with ML-DSA 44 only
2025-07-10 09:41:36 +10:00
David Garske
7ba6f836c4 Merge pull request #8972 from SparkiDev/sp_int_8_bit_fix
SP int: fix 8 bit words and sp_clamp_ct
2025-07-09 16:30:33 -07:00
David Garske
c3518e473b Merge pull request #8971 from SparkiDev/psk_build_fix
API test ASN: must not have NO_ASN defined
2025-07-09 16:30:22 -07:00
David Garske
b0a5d2fdf0 Merge pull request #8969 from SparkiDev/alpn_gcc_Os_fix
ALPN: don't use BIO
2025-07-09 16:30:12 -07:00
David Garske
cf35abccb8 Merge pull request #8963 from SparkiDev/sp_int_type_fix
CodeQL: o is larger type and could cause issues
2025-07-09 16:30:01 -07:00
David Garske
ae19c55182 Merge pull request #8966 from SparkiDev/arm32_aes_asm_fixup_bne
ARM 32-bit ASM AES: fixup 32-bit code to not use B.EQ
2025-07-09 16:29:46 -07:00
Daniel Pouzzner
01e8815762 wolfssl/wolfcrypt/settings.h: add #define WOLFSSL_NO_PUBLIC_FFDHE and #undef HAVE_PUBLIC_FFDHE to WOLFSSL_LINUXKM setup to avoid .data.rel.ro.local functions in dh.c;
linuxkm/linuxkm_wc_port.h: only use kvrealloc() on kernel >=6.11 -- the version in 5.15-6.10 is incompatible (oldsize arg).  also, restore use of kvmalloc on 4.12+, but with XREALLOC undefined, suitable for cryptonly modules; add #include <linux/sched.h> even on __PIE__ objects to make cond_sched() available;

wolfcrypt/src/asn.c: harmonize gate around definitions of BEGIN_DSA_PRIV and END_DSA_PRIV;

wolfcrypt/src/asn.c: in EccSpecifiedECDomainDecode(), work around "const char[]" types in WOLFSSL_ECC_CURVE_STATIC struct ecc_set_type on FIPS <6;

wolfcrypt/src/asn.c, wolfcrypt/src/wc_xmss.c, wolfssl/wolfcrypt/wc_lms.h: add comments to new WOLFSSL_NAMES_STATIC slots explaining where the size comes from.
2025-07-09 18:22:18 -05:00
Daniel Pouzzner
7c6afeb106 add linuxkm/wolfcrypt.lds module linker script, explicitly grouping wolfcrypt sections together;
linuxkm/Kbuild: add linker script flag, containerize several more previously-missed ELF sections, and add a test verifying no sections were missed;

linuxkm/linuxkm_memory.c: remove obsolete lkm_realloc() shim and unneeded my__show_free_areas() wrapper;

linuxkm/linuxkm_wc_port.h: add new mapping from realloc() to native kvrealloc(), and gate out a slew of headers when __PIE__ to avoid polluting wolfCrypt objects with various unneeded header-implemented functions with associated awkward symbols references;

linuxkm/lkcapi_glue.c: harmonize gate for REGISTER_ALG_OPTIONAL();

linuxkm/module_hooks.c: add "ERROR:" prefixes on pr_err()s; add wc_RunAllCast_fips() at shutdown to send confidence verification to the kernel log; remove section bounds checks now that layout is unreliable;

wolfssl/wolfcrypt/settings.h: for WOLFSSL_LINUXKM && HAVE_LINUXKM_PIE_SUPPORT, #define WOLFSSL_ECC_CURVE_STATIC and WOLFSSL_NAMES_STATIC;

wolfssl/wolfcrypt/types.h: refactor the typedef for wcchar from a pointer to a char[];

wolfcrypt/src/wc_xmss.c and wolfssl/wolfcrypt/wc_lms.h: add WOLFSSL_NAMES_STATIC code paths for struct wc_XmssString and struct wc_LmsParamsMap;

wolfcrypt/src/asn.c: add WOLFSSL_NAMES_STATIC code paths for struct CertNameData, and add static attribute to a slew of wcchars not used or declared outside asn.c.
2025-07-09 18:22:18 -05:00
Daniel Pouzzner
f733ade6a2 linuxkm/{linuxkm_wc_port.h,module_hooks.c}: add feature gates around wolfCrypt_FIPS_*_sanity() references matching those in fips_test.c. 2025-07-09 18:22:18 -05:00
David Garske
3f83ed2815 Merge pull request #8960 from ribes96/certwrite-custext
When creating a Cert from a WOLFSSL_X509, account for custom extensions
2025-07-09 16:13:07 -07:00
David Garske
3c00e26274 Merge pull request #8974 from rlm2002/coverity_fix
Coverity: Check values
2025-07-09 16:12:42 -07:00
David Garske
5d89ca6706 Fix build issue with ML-DSA 44 only. Fix --enable-mlkem=all to enable features (keygen/enc/dec) to match --enable-dilithium behavior and allow uses like: --enable-mlkem=all,512,small. Fix issue building mem track with missing PRINT_HEAP_ADDRESS (reproduced with --enable-trackmemory=verbose --enable-stacksize=verbose).
```
wolfcrypt/src/dilithium.c:6696:21: error: expected expression before '}' token
 6696 |                     }
      |
```
2025-07-09 15:06:41 -07:00
David Garske
e37082e496 Merge pull request #8978 from gojimmypi/pr-init-var
Initialize Dilithium keyTypeTemp and keySizeTemp
2025-07-09 15:03:22 -07:00
Bridger Voss
97b3364720 FREESCALE forced algs moved to IDE/MQX/user_settings.h 2025-07-09 15:04:06 -06:00
Josh Holtrop
c83a452a3c Check for NULL pkiMsg in wc_PKCS7_DecodeEncryptedKeyPackage() 2025-07-09 14:41:58 -04:00
Josh Holtrop
d2ab6edbab Add wc_PKCS7_DecodeEncryptedKeyPackage() 2025-07-09 13:38:11 -04:00
Anthony Hu
57e2ae5a21 Abort TLS connection if legacy version field indicates TLS 1.3 or higher. 2025-07-09 12:45:04 -04:00
gojimmypi
ebeb95e47b Initialize Dilithium keyTypeTemp and keySizeTemp 2025-07-09 09:13:14 -07:00
Ruby Martin
6de2557748 check buflen is less than BLAKE2B_BLOCKBYTES * 2 2025-07-09 10:00:28 -06:00
Ruby Martin
7b7c658668 add null check to wc_Des_CbcEncrypt 2025-07-09 09:59:46 -06:00
David Garske
703bd6d0ba Merge pull request #8975 from JeremiahM37/mldsa_static_mem
ML-DSA Static Memory Fix
2025-07-09 08:22:51 -07:00
David Garske
0407ea131b Merge pull request #8970 from miyazakh/qt_jenkins_encryptedKey4PBKDF1
Fix Qt nightly Jenkins failure
2025-07-09 08:04:48 -07:00
Ruby Martin
f62d0fa256 check sigAlgs.size against WOLFSSL_MAX_SIGALGO 2025-07-09 08:57:44 -06:00
Sean Parkinson
d6a72e2480 PPC32 ARM ASM SHA-256: SPE impl, tidy up original
Implement using SPE instructions that allow for 64-bit registers as a
vector of 2 32-bit values.
Tidy up original implementation to not use stack.
2025-07-09 18:34:33 +10:00
JeremiahM37
88da86e900 ML DSA Static Memory Fix 2025-07-08 17:51:42 -06:00
David Garske
f44178ca1b Merge pull request #8973 from embhorn/zd20192
Fix curl config to set HAVE_EX_DATA and HAVE_ALPN
2025-07-08 15:48:28 -07:00
Sean Parkinson
08ec3642f0 Merge pull request #8931 from julek-wolfssl/MAX_ENCODED_SIG_SZ-detected
Detect correct `MAX_ENCODED_SIG_SZ` based on max support in math lib
2025-07-08 09:38:52 +10:00
Sean Parkinson
9b92b4c902 Merge pull request #8962 from rlm2002/coverity
Coverity: Dereference after NULL check and Use after free
2025-07-08 08:30:35 +10:00
Eric Blankenhorn
0d14ec3547 Fix curl Cmake config to set HAVE_EX_DATA and HAVE_ALPN 2025-07-07 17:15:11 -05:00
Eric Blankenhorn
de00bf259d Fix curl config to set HAVE_EX_DATA and HAVE_ALPN 2025-07-07 15:00:14 -05:00
Ruby Martin
de59e9d25e change to BIO_free_all() on EXPECT_FAIL() 2025-07-07 09:17:29 -06:00
Ruby Martin
61e4142fe0 add null check for ssl before use in wc_DhGenerateKeyPair 2025-07-07 09:17:29 -06:00
Ruby Martin
65f9cdb498 free p2 before reassigning to reEncoded value 2025-07-07 09:17:29 -06:00
Juliusz Sosinowicz
51c9448aa1 Detect correct MAX_ENCODED_SIG_SZ based on max support in math lib 2025-07-07 16:42:33 +02:00
Sean Parkinson
f0041cd761 SP int: fix 8 bit words and sp_clamp_ct
Need to cast to sp_size_t as it may be bigger than the word type
sp_int_digit.
2025-07-07 18:43:29 +10:00
Sean Parkinson
e649e1047f API test ASN: must not have NO_ASN defined
Add testing of PSK only to workflows.
2025-07-07 16:24:10 +10:00
Hideki Miyazaki
ee8be22a3f Fix Qt nightly jenkins failure
PBKDF1 encrpted key
2025-07-07 15:10:41 +09:00
Sean Parkinson
70e53d1a34 ALPN: don't use BIO
Fix wolfSSL_set_alpn_protos to not use BIO.
When compiling with -Os and newer gcc, the compiler gets confused with
the void* cast in the wolfSSL_BIO_get_mem_data call.
2025-07-07 12:59:42 +10:00
Daniel Pouzzner
a40b56ccb5 Merge pull request #8964 from douzzer/20250703-linuxkm-fixes
20250703-linuxkm-fixes

Note, final commit reviewed by @SparkiDev, and earlier commit reviewed by @philljj.
2025-07-04 08:45:55 -05:00
Daniel Pouzzner
ef3a1a28d9 linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, and wolfcrypt/src/wc_port.c: fixes for spinlocks on CONFIG_ARM64;
wolfcrypt/src/wc_port.c: include random.h, for Entropy_Init().
2025-07-03 22:09:34 -05:00
Sean Parkinson
d1893dbdec ARM 32-bit ASM AES: fixup 32-bit code to not use B.EQ
Changes made for Green Hills Aarch64 got into the 32-bit code.
2025-07-04 11:37:06 +10:00
Daniel Pouzzner
688bc168de wolfcrypt/src/random.c: small stack refactor of noise[] in wc_Entropy_Get(). 2025-07-03 18:30:46 -05:00
David Garske
fb691fac94 Merge pull request #8947 from SparkiDev/mldsa_openssl_der
ML-DSA/Dilithium: support OpenSSL format
2025-07-03 16:10:55 -07:00
Sean Parkinson
41eef2ef71 CodeQL: o is larger type and could cause issues
Make 'o' sp_size_t as the callers are passing 0 or explicit cast to
sp_size_t
2025-07-04 09:04:39 +10:00
Daniel Pouzzner
478bfafea3 linuxkm/lkcapi_sha_glue.c:
* add wc_linuxkm_drbg_ctx.n_rngs, and in wc_linuxkm_drbg_init_tfm(), set it to max(4, nr_cpu_ids), to avoid stalling on unicore targets;

* add explanatory comments re architecture to get_drbg() and get_drbg_n();

* add opportunistic cond_sched() to get_drbg_n();

* add runtime asserts in get_drbg(), wc_linuxkm_drbg_seed(), and get_default_drbg_ctx(), checking that we have the right tfm with an allocated DRBG array;

* wc_linuxkm_drbg_startup(): return failure if registering the random_bytes handlers fails;

linuxkm/patches/6.1.73/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v1v73.patch: fix flub.
2025-07-03 17:35:37 -05:00
David Garske
d8caa8493f Merge pull request #8959 from SparkiDev/disable_pk_algs
Testing disabling various PK algs
2025-07-03 15:20:57 -07:00
Sean Parkinson
519d1430d0 ML-DSA/Dilithium: support OpenSSL format
Support DER private key format.
2025-07-04 07:54:26 +10:00
David Garske
3fe84bf3c0 Merge pull request #8961 from douzzer/20250703-fixes-for-multi-test-reports
20250703-fixes-for-multi-test-reports
2025-07-03 11:07:46 -07:00
Albert Ribes
5615993f48 Add missing option checks 2025-07-03 19:01:50 +02:00
JacobBarthelmeh
01de7cc04b Merge pull request #8955 from anhu/signed
Explicitly declare dilithium_coeff_eta2[] as signed
2025-07-03 10:25:46 -06:00
JacobBarthelmeh
7abaa131d3 Merge pull request #8954 from dgarske/asm_introspection
Added introspection for Intel and ARM assembly speedups
2025-07-03 10:22:19 -06:00
philljj
c0837cb073 Merge pull request #8943 from douzzer/20250617-linuxkm-get_random_bytes
20250617-linuxkm-get_random_bytes
2025-07-03 11:22:08 -05:00
Albert Ribes
2ddd98927f When creating a Cert from a WOLFSSL_X509, account for custom extensions
Function 'CertFromX509' is used to convert a WOLFSSL_X509 to a Cert
structure for writing out. It didn't copy custom extensions.
2025-07-03 17:28:57 +02:00
Daniel Pouzzner
1d1a87b0a2 wolfssl/wolfcrypt/tfm.h: fix arg names in fp_to_unsigned_bin_len_ct() prototype to match tfm.c (fixes readability-inconsistent-declaration-parameter-name in clang-tidy-fips-140-3-defaults etc.). 2025-07-03 10:21:30 -05:00
Daniel Pouzzner
bdd2056645 wolfcrypt/test/test.c: fix gate in dh_test() (fixes disable-sha256). 2025-07-03 10:19:07 -05:00
Daniel Pouzzner
a1fa897572 wolfcrypt/src/dilithium.c: fix cast flubs in dilithium_encode_gamma1_19_bits() (fixes quantum-safe-wolfssl-all-gcc-latest-m32). 2025-07-03 10:17:51 -05:00
Sean Parkinson
c925ba2fe1 Testing disabling various PK algs
Fix api.c: disable test_EccSigFailure_cm and test_RsaSigFailure_cm when
the PK algorithm they use is disabled.
2025-07-03 16:38:54 +10:00
David Garske
6be8a3710d Merge pull request #8937 from miyazakh/tsip_cryptcb_ut
Fix TSIP port using crypto callback
2025-07-02 17:42:51 -07:00
Hideki Miyazaki
b60a05f45e Fix TSIP port using crypto callback
- Add unit test using cb
2025-07-03 08:23:24 +09:00
JacobBarthelmeh
c48dd28741 Merge pull request #8957 from dgarske/bench_help
Fix issue with benchmark help options and descriptions not lining up
2025-07-02 17:17:42 -06:00
David Garske
7f50cd537e Merge pull request #8956 from gojimmypi/pr-workflow-owner
Remove duplicate repository_owner check
2025-07-02 15:01:29 -07:00
David Garske
59061aebec Fix issue with benchmark help options and descriptions not lining up due to new -aead_set_key added in #8160 on April 14, 2025. 2025-07-02 14:58:11 -07:00
Daniel Pouzzner
dd69d56e33 linuxkm/linuxkm_wc_port.h: in malloc/realloc, use GFP_KERNEL if it's safe to sleep;
linuxkm/lkcapi_sha_glue.c:

* in wc_linuxkm_drbg_init_tfm(), sleep if it's safe, and observe a wc_linuxkm_drbg_init_tfm_disable_vector_registers flag;

* in wc_crng_reseed(), preemptively execute the reseed if it's safe to sleep;

* in wc_linuxkm_drbg_startup(), in LINUXKM_DRBG_GET_RANDOM_BYTES section, add reseed test sequence if defined(DEBUG_DRBG_RESEEDS).
2025-07-02 16:46:27 -05:00
gojimmypi
adc3f1b3d7 Remove duplicate repository_owner check 2025-07-02 14:32:21 -07:00
Anthony Hu
f7ea8fca67 Explicitly declare dilithium_coeff_eta2[] as signed 2025-07-02 15:50:51 -04:00
Daniel Pouzzner
0160af0a0d linuxkm/patches/: update patches to reseed the wolfCrypt DRBG array only on explicit RNDRESEEDCRNG ioctl;
linuxkm/lkcapi_sha_glue.c: add error msg in wc_linuxkm_drbg_generate() if wc_InitRng() fails, and add "libwolfssl: " prefixes in pr_info() messages.
2025-07-02 14:25:05 -05:00
Daniel Pouzzner
d2083db6de wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM && LINUXKM_LKCAPI_REGISTER setup for default WC_RESEED_INTERVAL, ignore WORD64_AVAILABLE because it isn't available at this stage of inclusion. 2025-07-02 14:25:05 -05:00
Daniel Pouzzner
6275f1f7e6 linuxkm/lkcapi_rsa_glue.c: update version threshold for the v6.16 change in crypto_sig_*size() semantics, now backported to 6.15.3. 2025-07-02 14:25:05 -05:00
Daniel Pouzzner
f0662e0578 wolfssl/wolfcrypt/settings.h: remove implicit define of WOLFSSL_NO_WORD64_OPS if !WOLFSSL_SHA384 && !WOLFSSL_SHA512 && NO_AES && !WOLFSSL_SHA3 (not compatible with word64 DRBG_internal.reseedCtr). 2025-07-02 14:25:05 -05:00
Daniel Pouzzner
dc05c4c01b wolfcrypt/src/random.c and wolfssl/wolfcrypt/random.h: refactor DRBG_internal.reseedCtr as a word64 if WORD64_AVAILABLE, to accommodate max reseed count per NIST SP 800-90A Rev. 1;
wolfssl/wolfcrypt/settings.h: if WOLFSSL_LINUXKM && LINUXKM_LKCAPI_REGISTER && WORD64_AVAILABLE, set default WC_RESEED_INTERVAL to max allowed (2^48);

linuxkm/lkcapi_sha_glue.c: handle NO_LINUXKM_DRBG_GET_RANDOM_BYTES, for build-time override control of LINUXKM_DRBG_GET_RANDOM_BYTES, and handle WOLFSSL_LINUXKM_USE_GET_RANDOM_USER_KRETPROBE, for separate opt-in control of the buggy wc_get_random_bytes_user_kretprobe_enter().
2025-07-02 14:25:05 -05:00
Daniel Pouzzner
3a43109208 configure.ac: remove automatic --enable-hmac-copy, due to unit test failures when defined(WOLFSSL_HMAC_COPY_HASH), not previously detected because of broken option processing. 2025-07-02 14:25:05 -05:00
Daniel Pouzzner
b3944a73c2 linuxkm/lkcapi_sha_glue.c:
* implement interception of _get_random_bytes() and get_random_bytes_user() (implicitly intercepts /dev/random and /dev/urandom):

    * get_crypto_default_rng()
    * get_default_drbg_ctx()
    * wc__get_random_bytes()
    * wc_get_random_bytes_user()
    * wc_extract_crng_user()
    * wc_mix_pool_bytes()
    * wc_crng_reseed()
    * wc_get_random_bytes_by_kprobe()
    * wc_get_random_bytes_user_kretprobe_enter()
    * wc_get_random_bytes_user_kretprobe_exit()

    * add LINUXKM_DRBG_GET_RANDOM_BYTES sections to wc_linuxkm_drbg_startup() and wc_linuxkm_drbg_cleanup()

    * add linuxkm/patches/*/WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-*.patch, initially for versions:
      * 5.10.17
      * 5.10.236
      * 5.15
      * 5.17
      * 6.1.73
      * 6.12
      * 6.15

    * remove "*.patch" from .gitignore.

    * add linuxkm/patches/regen-patches.sh.

  * in wc_linuxkm_drbg_ctx_clear(), check lock count before freeing.

  * in get_drbg() and put_drbg(), use migrate_disable(), not DISABLE_VECTOR_REGISTERS().

  * in wc_linuxkm_drbg_generate(), explicitly DISABLE_VECTOR_REGISTERS() for the crypto_default_rng.

  * in wc_linuxkm_drbg_generate(), add DRBG reinitialization code to handle RNG_FAILURE_E.  This handles the situation where a DRBG was instantiated in a vector-ops-allowed context, caching a vectorized SHA256 ethod, but later used in a no-vector-ops-allowed context.

  * in wc_linuxkm_drbg_seed(), add DISABLE_VECTOR_REGISTERS() wrapper around wc_RNG_DRBG_Reseed() for crypto_default_rng.

linuxkm/x86_vector_register_glue.c:

  * add crash recovery logic to wc_linuxkm_fpu_state_assoc_unlikely()

  * in wc_linuxkm_fpu_state_assoc(), when wc_linuxkm_fpu_states is null, don't call wc_linuxkm_fpu_state_assoc_unlikely() if !assume_fpu_began.

  * in can_save_vector_registers_x86(), save_vector_registers_x86(), and restore_vector_registers_x86(), check for hard interrupt context first, to return early failure if current->pid is unusable.

  * in save_vector_registers_x86(), tweak logic around WC_FPU_INHIBITED_FLAG, adding local_bh_disable()...local_bh_enable() to provide for safe recursion.

wolfcrypt/src/random.c: optimization: in Hash_df(), for WOLFSSL_LINUXKM, don't put digest[WC_SHA256_DIGEST_SIZE] in the heap, keep it on the stack.

wolfssl/wolfcrypt/types.h: add WOLFSSL_NO_ASM no-op definitions for DISABLE_VECTOR_REGISTERS() and REENABLE_VECTOR_REGISTERS().

configure.ac:

* move --enable-linuxkm and --enable-linuxkm-defaults initial detection early, so that HMAC_COPY_DEFAULT picks it up.

* add ENABLED_ENTROPY_MEMUSE_DEFAULT, and enable it by default when ENABLED_LINUXKM_DEFAULTS.

* update linuxkm-lkcapi-register help message.

linuxkm/linuxkm_wc_port.h:

* add my_kallsyms_lookup_name().

* add preempt_count, _raw_spin_lock_irqsave, _raw_spin_trylock, _raw_spin_unlock_irqrestore, and _cond_resched, to wolfssl_linuxkm_pie_redirect_table, and add spin_unlock_irqrestore() macro to mask native inline.

* move linuxkm mutex wrappers from wolfcrypt/src/wc_port.c to linuxkm_wc_port.h, make them inlines, and add new default spinlock-based implementation, with old method now gated on WOLFSSL_LINUXKM_USE_MUTEXES.

* change malloc() and realloc() wrappers from GFP_KERNEL to GFP_ATOMIC.

linuxkm/lkcapi_glue.c: make misc.h/misc.c inclusion unconditional, and trim now-redundant inclusions out of lkcapi_dh_glue.c and lkcapi_ecdh_glue.c.
2025-07-02 14:25:05 -05:00
Daniel Pouzzner
b25d484a4e linuxkm/lkcapi_sha_glue.c: implement mutex-free sync mechanism for wc_linuxkm_drbg_ctx in new get_drbg(), get_drbg_n(), and put_drbg();
linuxkm/x86_vector_register_glue.c: implement support for WC_FPU_INHIBITED_FLAG, and an `int inhibit_p` argument to save_vector_registers_x86();

wolfcrypt/src/random.c: implement linuxkm support for RDSEED and HAVE_ENTROPY_MEMUSE;

wolfssl/wolfcrypt/error-crypt.h and wolfcrypt/src/error.c: add WC_ACCEL_INHIBIT_E "Crypto acceleration is currently inhibited";

linuxkm/module_hooks.c and linuxkm/x86_vector_register_glue.c: remove broken and bit-rotten WOLFSSL_COMMERCIAL_LICENSE and LINUXKM_FPU_STATES_FOLLOW_THREADS code paths.
2025-07-02 14:25:05 -05:00
Daniel Pouzzner
8cc2ba7153 Merge pull request #8953 from philljj/fedora_linuxkm_uninit_errors
linuxkm fedora: fix uninitialized build errors.
2025-07-02 14:20:26 -05:00
David Garske
221330df0b Added introspection for Intel and ARM assembly speedups (useful for benchmarking output). Added STM32F439ZI benchmarks.
`--enable-armasm` : `Assembly Speedups: ARMASM ALIGN`
`--enable-intelasm` : `Assembly Speedups: INTELASM ALIGN X86_64_BUILD`
2025-07-02 10:57:24 -07:00
jordan
9e811b5bd5 wolfcrypt misc: avoid frivolous initialization. 2025-07-02 10:46:38 -05:00
David Garske
fa9e122f1c Merge pull request #8952 from SparkiDev/mem_fail_fixes_3
Unit Test: fix test case for memory allocation failure testing
2025-07-02 08:01:20 -07:00
jordan
9ac480a60d linuxkm fedora: fix uninitialized build errors. 2025-07-02 10:00:28 -05:00
Sean Parkinson
af05fa874f Unit Test: fix test case for memory allocation failure testing
test_ocsp_basic_verify() not freeing and setting pointer to NULL. Second
free occuring on freed pointer.
2025-07-02 09:27:25 +10:00
JacobBarthelmeh
ff80d62db2 Merge pull request #8942 from rlm2002/coverity
Coverity: address unresolved issue from previous change
2025-07-01 16:09:32 -06:00
David Garske
33510ad714 Merge pull request #8949 from holtrop/asn-fn-prototype-names
wc/asn: fix several inconsistent function prototype parameter names
2025-07-01 14:50:51 -07:00
Ruby Martin
c06fa48e75 return NULL on negative length 2025-07-01 14:25:35 -06:00
Kaleb Himes
f2abadb777 Merge pull request #8950 from douzzer/20250701-Hash_DRBG_Generate-DEBUG_WOLFSSL
20250701-Hash_DRBG_Generate-DEBUG_WOLFSSL
2025-07-01 14:03:59 -06:00
Daniel Pouzzner
a8fc68d81b wolfcrypt/src/random.c: in Hash_DRBG_Generate(), gate the verbose reseed message on DEBUG_WOLFSSL or DEBUG_DRBG_RESEEDS, use WOLFSSL_MSG_EX(), and refactor the condition from drbg->reseedCtr == RESEED_INTERVAL to drbg->reseedCtr >= WC_RESEED_INTERVAL.
also some unrelated cleanup in .wolfssl_known_macro_extras.
2025-07-01 13:05:00 -05:00
JacobBarthelmeh
8fa0f6b3df Merge pull request #8944 from SparkiDev/evp_hmac_copy_hash_fix
EVP HMAC: get working with WOLFSSL_HMAC_COPY_HASH
2025-07-01 09:50:53 -06:00
JacobBarthelmeh
77792ace65 Merge pull request #8945 from SparkiDev/mem_fail_fixes_2
Memory allocation failure testing fixes
2025-07-01 09:35:11 -06:00
JacobBarthelmeh
9cf5bbcd35 Merge pull request #8948 from AlexLanzano/disable-md5-cmake
Disable MD5 by default for cmake builds
2025-07-01 09:29:42 -06:00
Josh Holtrop
fd1954babf wc/asn: fix several inconsistent function prototype parameter names 2025-07-01 11:14:11 -04:00
Alex Lanzano
709581061e Disable MD5 by default for cmake builds 2025-07-01 09:27:46 -04:00
Sean Parkinson
7c4de54e73 EVP HMAC: get working with WOLFSSL_HMAC_COPY_HASH
Get the EVP layer working with the wolfSSL HMAC implementation when
WOLFSSL_HMAC_COPY_HASH is defined.
This define hashes the ipad and opad into temporary hashes and copies
the required hash into the working hash when needed. Uses more memory
but is faster when starting a new hash with the same key.
2025-07-01 13:14:26 +10:00
Sean Parkinson
574de4b234 Memory allocation failure testing fixes
Fixes for test code to cleanup on failure properly.
pkcs7.c: when streaming, free the decrypting content when adding data to
the stream fails.
2025-07-01 11:50:42 +10:00
JacobBarthelmeh
7fb750962b Merge pull request #8935 from philljj/fix_coverity
coverity: prune dead code in ssl_sess.c.
2025-06-30 13:32:34 -06:00
Sean Parkinson
5db7fc05d8 Merge pull request #8940 from rizlik/dtls_fix_record_span_tests
fix(tests): enlarge readBuf in DTLS record tests
2025-06-30 21:57:27 +10:00
Marco Oliverio
ae9ba6627c fix(tests): enlarge readBuf in DTLS record tests
Increase readBuf to 256 bytes. Guard memcpy with EXPECT_SUCCESS().
2025-06-30 09:47:38 +02:00
Daniel Pouzzner
6c8ab11f5f Merge pull request #8936 from gojimmypi/pr-workflow-owner
Ensure workflows only run for wolfssl repository_owner
2025-06-27 22:29:46 -05:00
Daniel Pouzzner
1127dabe98 Merge pull request #8926 from dgarske/various_20250625
Improvement to allow building OPENSSL_EXTRA without KEEP_PEER_CERT
2025-06-27 22:29:24 -05:00
Daniel Pouzzner
89148f98b0 Merge pull request #8921 from rlm2002/appleNativeCertTests
Apple native cert tests code modifications
2025-06-27 22:26:17 -05:00
Daniel Pouzzner
018ee9754f Merge pull request #8608 from anhu/2akid
Check for duplicate extensions in a CRL
2025-06-27 22:25:27 -05:00
Daniel Pouzzner
d1c1bca9e4 Merge pull request #8914 from dgarske/stm32n6
Added support for STM32N6
2025-06-27 22:19:01 -05:00
gojimmypi
7621612eb8 Ensure workflows only run for wolfssl repository_owner 2025-06-27 16:29:13 -07:00
jordan
68cf96e7f6 coverity: do not free x509 on error in wolfSSL_add0_chain_cert. 2025-06-27 17:25:28 -05:00
jordan
d998d01a0c coverity: prune dead code in ssl_sess.c. 2025-06-27 15:40:01 -05:00
David Garske
1db3dbcc28 Improvement to allow building OPENSSL_EXTRA without KEEP_PEER_CERT. Workaround to avoid large WOLFSSL structure size with compatibility layer enabled (the struct WOLFSSL_X509 is over 5KB). Note: May investigate way to place into heap instead. Fix issues building compatibility layer without MD5. 2025-06-27 12:42:52 -07:00
Daniel Pouzzner
4421f8bd84 Merge pull request #8934 from dgarske/macos_typo
Fix minor code typos for macos signal and types.h max block size
2025-06-27 14:11:31 -05:00
David Garske
3a200387c0 Fix a copy/paste typo WC_MAX_BLOCK_SIZE from PR #8909. 2025-06-27 08:59:05 -07:00
David Garske
22c8a014e3 Merge pull request #8932 from rizlik/gaisler
Gaisler: minor doc fixes
2025-06-27 08:46:28 -07:00
David Garske
9a2c8840e2 Merge pull request #8933 from SparkiDev/armv7a_asm_branch_fix
ARMv7a ASM: fix branch instruction
2025-06-27 08:45:52 -07:00
David Garske
8b61cd6c4a Merge pull request #8895 from AlexLanzano/disable-md5
Disable MD5 by default
2025-06-27 08:45:28 -07:00
David Garske
295d90655b Merge pull request #8929 from SparkiDev/regression_fixes_18
Regression testing
2025-06-27 08:44:43 -07:00
David Garske
20a2ec0fc1 Fix typo from MacOS signal fix improvement in PR #8928. 2025-06-27 07:43:55 -07:00
Sean Parkinson
edacf0434c Merge pull request #8869 from rlm2002/coverityTests
Coverity: parameter checking and NULL assignment
2025-06-27 09:49:21 +10:00
Sean Parkinson
a7430b3f70 Merge pull request #8930 from kojiws/check_shift_counts
Clarify the len range on SetShortInt()
2025-06-27 09:46:42 +10:00
Sean Parkinson
f713882c54 Merge pull request #8928 from dgarske/macos
Implement proper MacOS dispatch for conditional signal/wait
2025-06-27 09:35:30 +10:00
Sean Parkinson
81e1eb4600 ARMv7a ASM: fix branch instruction
Branch instructions got changed for 64-bit to be B.<cond>.
32-bit must be B<cond>.
Return them to this form.
2025-06-27 09:26:28 +10:00
Ruby Martin
0302dbcb31 rename .yml file for macos-apple-native-cert-validation
WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION macro placement and comment adjustment
2025-06-26 17:07:00 -06:00
Marco Oliverio
5eceb4faf4 Gaisler: minor doc fixes 2025-06-26 23:18:40 +02:00
Anthony Hu
a0cd18daea Add back a removed comment and give RFC reference. 2025-06-26 16:08:21 -04:00
Ruby Martin
8ab08f7b17 check length in wc_oid_sum()
add MAX_OID_SZ to known macro extras
2025-06-26 09:20:26 -06:00
Ruby Martin
9b6b41627e move CFErrorRef instantiation
cleanup
2025-06-26 09:06:01 -06:00
Ruby Martin
1321e00e45 set p2 to null before next iteration 2025-06-26 08:57:56 -06:00
Ruby Martin
79b6e62668 modify check domain test
void code for unused variable warning

do not run check_domain_name test if ssl_verify_none has been set
2025-06-26 08:39:32 -06:00
Ruby Martin
7c44f14e77 add apple test to github actions 2025-06-26 08:38:30 -06:00
Ruby Martin
d3b30f8d51 Check underlying error, want only maximum validity period error
add apple test macros to tests requiring cert manager
2025-06-26 08:38:28 -06:00
Brett
877bade216 additional debugging 2025-06-26 08:38:28 -06:00
Brett
7232b3a6bb Apple native cert validation: add WOLFSSL_TEST_APPLE_CERT_VALIDATION feature macro that forces system CA certs on and makes all CA certs added to CM via xxx_load_verify_xxx APIs to instead be loaded as system trust anchors when used for TLS cert verification 2025-06-26 08:38:26 -06:00
Sean Parkinson
f1cb4d579c Regression testing
Fixes to get WOLFSSL_PUBLIC_MP testing passing.
Fix DH constant time agreement:
  - implement constant time encoding to big-endian byte array in TFM
- only force x to be zero for SP math as others implementations ensure
unused words are zero
- exponentiate in constant time to the smallest number of words
possible
- no need to encode into separate buffer anymore as encoding is
constant time and front padded
- make requested_sz be the maximum size for the parameters and check
against agreeSz
- update agreeSz to be the maximum valid size instead of filling all
the buffer which may be many times too big
- fix SP result to front pad when doing constant time
2025-06-26 21:21:05 +10:00
Koji Takeda
b734c47cc9 Check the len range stricter 2025-06-26 17:48:52 +09:00
Daniel Pouzzner
981ba4b14c Merge pull request #8925 from mattia-moffa/20250625-wolftpm-ca-false
Allow CA:FALSE on wolftpm
2025-06-25 22:27:27 -05:00
Daniel Pouzzner
41e2d920a5 Merge pull request #8924 from JacobBarthelmeh/cert_expr
regenerate intermediate and crl certs to update ca-int.pem
2025-06-25 22:26:26 -05:00
Daniel Pouzzner
d49eb5f2c4 Merge pull request #8920 from kaleb-himes/wolfEntropy-2025
Update wolfEntropy checkout with AdPr update
2025-06-25 22:21:36 -05:00
Daniel Pouzzner
6fb1c54c29 Merge pull request #8854 from dgarske/renesas_rx_tsip_aesctr
Added Renesas RX TSIP AES CTR support
2025-06-25 22:20:03 -05:00
Daniel Pouzzner
6bfd2632db Merge pull request #8917 from dgarske/various_20250623
Fix for broken `test_wolfSSL_check_domain_basic`
2025-06-25 22:15:02 -05:00
Daniel Pouzzner
23a37b2ebc Merge pull request #8916 from dgarske/revert_pr8911
Revert PR #8911
2025-06-25 21:52:34 -05:00
Daniel Pouzzner
d6d124bb85 Merge pull request #8774 from SparkiDev/armv8_ghs
Armv8 (Aarch64) ASM fixes for Green Hills compiler
2025-06-25 21:46:48 -05:00
Daniel Pouzzner
29f534f3b0 Merge pull request #8836 from SparkiDev/lms_serialize_state
LMS: Allow state to be saved with private key
2025-06-25 21:34:42 -05:00
Daniel Pouzzner
38892fdd07 Merge pull request #8757 from anhu/recalc_suites
Recalculate suites at ssl initialization.
2025-06-25 21:32:38 -05:00
David Garske
6b7fe091bf Implement proper MacOS dispatch for conditional signal/wait. Note: this logic was pulled from wolfMQTT and is well established. 2025-06-25 17:14:12 -07:00
Sean Parkinson
f119086d3e Merge pull request #8918 from kojiws/fix_asn_integer_export
Fix SetShortInt() not to export wrong DER
2025-06-26 08:16:48 +10:00
Sean Parkinson
80a234a0c5 Merge pull request #8830 from JacobBarthelmeh/rx_threadx
add option to not use CT code with min/max
2025-06-26 08:15:09 +10:00
Mattia Moffa
e9e00c47ab Allow CA:FALSE on wolftpm
The Intel CSME fTFM sets this basic constraint on their EK certificates
and by default wolfSSL fails to parse because of this.
2025-06-25 22:48:53 +02:00
Alex Lanzano
9ae221444c Enable MD5 when --enable-opensslall is set 2025-06-25 15:16:02 -04:00
JacobBarthelmeh
7b5e3e2551 regenerate intermediate and crl certs to update ca-int.pem 2025-06-25 10:00:57 -06:00
Alex Lanzano
6bba48d89c Enable MD5 when --enabled-bump is set 2025-06-25 11:47:04 -04:00
Alex Lanzano
39cef87e43 Enable MD5 when --enable-des3 is set 2025-06-25 11:42:10 -04:00
Alex Lanzano
caaa4fbc5d Enable MD5 when --enable-lighty is set 2025-06-25 11:35:35 -04:00
Alex Lanzano
3e774f8074 Enable MD5 when --enable-mcapi is set 2025-06-25 11:33:52 -04:00
Alex Lanzano
4275b66211 Enable MD5 when --enable-jni is set 2025-06-25 11:27:08 -04:00
Alex Lanzano
4fd0029f18 Enable MD5 when --enable-fortress is set 2025-06-25 11:21:00 -04:00
Alex Lanzano
f33d1d69bb Enable MD5 when --enable-asio is set 2025-06-25 11:15:50 -04:00
Alex Lanzano
495324d4dc Add the md5 dependency to options that require it 2025-06-25 11:00:41 -04:00
Alex Lanzano
07f76723e2 Disable MD5 by default
Disable the use of MD5 by default. Add the conditional use of MD5 when
--enable-all-crypto is present. Add the use of MD5 when
--enable-opensslextra is present. Add the use of MD5 when
--enable-tlsv10 is present.
2025-06-25 11:00:41 -04:00
Daniel Pouzzner
1c1c556e5e Merge pull request #8915 from philljj/linuxkm_rsa_fix_sig_callbacks
linuxkm rsa: set sig_alg max_size and digest_size callbacks.
2025-06-25 08:28:04 -05:00
Daniel Pouzzner
e223da457c Merge pull request #8922 from JacobBarthelmeh/rng
altering macro guards and test case for RNG test on alternate builds
2025-06-24 22:15:14 -05:00
Koji Takeda
d76386f38c Add tests 2025-06-25 11:27:12 +09:00
Koji Takeda
05c8bc7514 Fix SetShortInt() 2025-06-25 11:27:11 +09:00
JacobBarthelmeh
6cf3b51333 guard test that uses pipe from running with mingw 2025-06-24 17:21:24 -06:00
Sean Parkinson
5c9ad359d1 Merge pull request #8904 from anhu/bigger_header
Fix missing dashes on the end of header and footer.
2025-06-25 08:26:59 +10:00
JacobBarthelmeh
fe7d458d29 random.c is also locked in FIPS v6 2025-06-24 16:08:25 -06:00
JacobBarthelmeh
1c5e531332 add new macro to known macro list 2025-06-24 14:57:17 -06:00
JacobBarthelmeh
c33035e6a6 add conditions to constant time mask functions 2025-06-24 13:52:40 -06:00
JacobBarthelmeh
838636c76b add option to not use CT code with min/max 2025-06-24 13:52:40 -06:00
jordan
1e0e4932ca linuxkm rsa: fix km_pkcs1_key_size callback. 2025-06-24 14:41:57 -05:00
David Garske
33972e3678 Disable system CA certs for msys2 test. 2025-06-24 10:28:42 -07:00
kaleb-himes
f5f0bdf61e Update wolfEntropy checkout with AdPr update 2025-06-24 10:54:52 -06:00
David Garske
41591e7eb9 Fixes for TSIP AES CTR unit tests and handling of invalid cases. 2025-06-24 09:41:33 -07:00
David Garske
191165a021 Test case created by @miyazakh. 2025-06-24 09:41:33 -07:00
David Garske
dc57adcfed Fix to increment IV for AES CTR with TSIP (allow encrypt to be called multiple times without having to manually reset the IV). 2025-06-24 09:41:33 -07:00
David Garske
c7ff3b99b7 Allow for calling the Renesas RX TSIP AES crypto callback without a user context. 2025-06-24 09:41:33 -07:00
David Garske
ad9d068174 Fix issues with crypto callbacks and HAVE_ECC_DHE. Fix issues with ecc_onlycb_test. 2025-06-24 09:41:33 -07:00
David Garske
111feedadc Add build guards on the crypto callback ECC items. 2025-06-24 09:41:32 -07:00
David Garske
c7f6673e53 Fixup the .wolfssl_known_macro_extras 2025-06-24 09:41:32 -07:00
David Garske
ebe8816c2a Code size reductions (check RX TSIP enables). 2025-06-24 09:41:32 -07:00
David Garske
78362bc346 Changes to support Renesas RX TSIP AES CTR. 2025-06-24 09:41:32 -07:00
David Garske
33584550e8 Cleanup to support override of HAL_CONSOLE_UART. Added support for STM32F439xx. 2025-06-24 09:41:01 -07:00
David Garske
803edb0fa4 Added support for STM32N6. 2025-06-24 09:41:01 -07:00
David Garske
bfebeae533 Revert PR #8911. For TLS v1.2 RSA only is only supported with WOLFSSL_STATIC_RSA. For TLS v1.3 RSA only is not supported (must be PFS). 2025-06-24 09:40:15 -07:00
Daniel Pouzzner
b8aa4bd84b Merge pull request #8919 from philljj/fix_linuxkm_getpid
linuxkm: add WOLFSSL_NO_GETPID to wolfcrypt settings.h.
2025-06-24 11:32:56 -05:00
jordan
5503ea8e6d linuxkm: add WOLFSSL_NO_GETPID to wolfcrypt settings.h. 2025-06-24 11:12:00 -05:00
David Garske
5d7cb2ec07 Fix for new api.c test test_wolfSSL_check_domain_basic added in PR #8863 that fails with --disable-sys-ca-certs. 2025-06-24 08:25:01 -07:00
Anthony Hu
72ec4029d1 Correct the size for MLDSA PEM header 2025-06-24 11:12:27 -04:00
Anthony Hu
423ecf8b1f Try harder not to make stack increases 2025-06-24 11:12:27 -04:00
Anthony Hu
a0f6b779a5 -----BEGIN SPHINCS_SMALL_LEVEL1 PRIVATE KEY----- is the longest one at length 48 2025-06-24 11:12:27 -04:00
Anthony Hu
bf928795b3 Fix missing dashes on the end of header and footer. 2025-06-24 11:12:27 -04:00
Anthony Hu
1dff76782b Check for duplicate extensions in a CRL 2025-06-24 11:10:18 -04:00
Anthony Hu
43df11c9c1 Add gate on having DH 2025-06-24 10:37:26 -04:00
Anthony Hu
8c1298a1d8 Check if DH's P and G are set 2025-06-24 09:59:12 -04:00
Sean Parkinson
d05790ed89 LMS: Allow state to be saved with private key
Defining WOLFSSL_WC_LMS_SERIALIZE_STATE will have the state serialized
before the private key data.
Lots of memory used but means fast reload times. That means that the key
can be reloaded for each sign.
2025-06-24 20:46:41 +10:00
Sean Parkinson
fc1d281268 Green Hills compiler fixes
internal.c: Move non-enumeration value out of switch.
ssl.c: Only declare globalRNGMutex when required.
x509.c: initialize ret

armv8-aes.c, armv8-chacha.c: fix branch instructions
armv8-mlkem*: ensure only required constants are input operands and move
constants closer to first use.
armv8-poly1305.c: remove POLY1305_BLOCK_SIZE from input operands.
armv8-sha3-asm_c.c, armv8-sha512-asm_c.c: use constraint ':' instead of
'S'.
armv8-sha512.c: initialize initfp. Is always used.
2025-06-24 19:39:40 +10:00
Sean Parkinson
f8bb889712 Armv8 (Aarch64) ASM fixes for Green Hills compiler
Change branch instructions to proper form.
Use constant value rather than POLY1305_BLOCK_SIZE.
Remove duplicate clobber registers - both w and x versions.
Make clamp unconditionally compiled.
2025-06-24 19:39:39 +10:00
David Garske
978a29da0b Merge pull request #8898 from cconlon/getpidOptionsH
Add HAVE_GETPID to options.h if getpid detected
2025-06-23 17:11:55 -07:00
JacobBarthelmeh
9ee212cacc fix for free'ing memory with test case 2025-06-23 17:33:52 -06:00
David Garske
c4428a432f Merge pull request #8912 from SparkiDev/lms_sha256_192_w_fix
LMS SHA-256_192: fix parameters
2025-06-23 15:35:02 -07:00
Anthony Hu
d45e42e2e6 keySz is only in Buffers if NO_CERTS not defined. 2025-06-23 18:29:39 -04:00
Anthony Hu
6385999ae9 Recalculate suites at ssl initialization. 2025-06-23 18:29:39 -04:00
Anthony Hu
aec13923a7 Merge pull request #8913 from dgarske/pq_verifyonly
Fix for building LMS with verify only
2025-06-23 16:37:32 -04:00
David Garske
f1005c33fb Merge pull request #8905 from gojimmypi/pr-vs-cmake
Introduce CMakePresets.json and CMakeSettings.json
2025-06-23 11:18:57 -07:00
David Garske
caf8494d65 Merge pull request #8911 from gojimmypi/pr-allow-only-rsa
Allow configuration with only RSA cipher suites
2025-06-23 11:18:27 -07:00
David Garske
d4c827bc5e Fix for building LMS with verify only. Added tests for LMS/XMSS verify only. New wc_LmsKey_GetKid references key->priv_raw that is not available. 2025-06-23 11:12:53 -07:00
Daniel Pouzzner
b361c62372 Merge pull request #8903 from dgarske/cadate_calist
Expose API to access "store" error code and depth for cert failure callback
2025-06-23 10:08:41 -05:00
Daniel Pouzzner
47a8242093 Merge pull request #8868 from SparkiDev/dilithium_win_fixes_1
Dilithium/ML-DSA: Fixes for casting down and uninit
2025-06-23 09:02:35 -05:00
Daniel Pouzzner
bcdce75b08 Merge pull request #8909 from dgarske/various_20250620
Fixes with max size, openssl.test netcat and clang-tidy
2025-06-23 08:15:17 -05:00
Sean Parkinson
f36f86ee98 LMS SHA-256_192: fix parameters
Winternitz bits needs to be one larger when only 192 bit hash.
2025-06-23 08:16:05 +10:00
gojimmypi
afa22dfc2b Allow configuration with only RSA cipher suites 2025-06-21 14:54:10 -07:00
David Garske
b9455bc94b Fixes issue with cert gen, no malloc and crypto callback causing wolfssl/wolfcrypt/asn.h:1375:18: error: use of undeclared identifier 'WC_MAX_DIGEST_SIZE. Fixed netcat issue in openssl.test causing server open check to fail on some platforms. Fixed clang-tidy report in benchmark.c where XFTELL could return negative (error) and wasn't handled. 2025-06-20 16:34:46 -07:00
David Garske
1be303866e Merge pull request #8908 from douzzer/20250620-clang-tidy-and-cppcheck-fixes-and-workarounds
20250620-clang-tidy-and-cppcheck-fixes-and-workarounds
2025-06-20 15:07:09 -07:00
David Garske
f30c54abdd Merge pull request #8894 from SparkiDev/ppc32_sha256_asm
PPC 32 ASM: SHA-256
2025-06-20 14:29:47 -07:00
Daniel Pouzzner
af78ed8b6f wolfcrypt/src/wc_xmss_impl.c: in wc_xmss_bds_state_treehash_complete(), add suppression for false positive clang-analyzer-core.NullDereference from LLVM-21 pre20250523+. 2025-06-20 15:31:31 -05:00
Daniel Pouzzner
7977a605c5 src/internal.c: in FreeSskeArgs(), move nullness check on args to the start, and make it unconditional, to resolve nullPointerRedundantChecks. 2025-06-20 15:04:07 -05:00
Daniel Pouzzner
e1fe186753 wolfcrypt/src/sp_int.c: in _sp_prime_trials(), use DECL_SP_INT() not DECL_SP_INT_ARRAY() for n1 and r, to mollify a very confused clang-tidy (fixes false positive clang-analyzer-core.UndefinedBinaryOperatorResult and clang-analyzer-core.CallAndMessage). 2025-06-20 14:52:42 -05:00
David Garske
0f119ab8e2 Merge pull request #8906 from julek-wolfssl/libspdm-3.7.0
libspdm 3.3.0 -> 3.7.0
2025-06-20 11:44:53 -07:00
David Garske
b98cf8882b Remove HAVE_LIGHTY from the client_ca_names feature. 2025-06-20 11:29:02 -07:00
gojimmypi
380e068df6 Introduce CMakePresets.json and CMakeSettings.json 2025-06-20 11:24:58 -07:00
Juliusz Sosinowicz
9f900d4b8a libspdm 3.3.0 -> 3.7.0
3.3.0 pulls cmocka from https://git.cryptomilk.org/projects/cmocka.git. Update to 3.7.0 to pull from https://gitlab.com/cmocka/cmocka.git.
2025-06-20 19:55:16 +02:00
David Garske
4c6279c6c7 Good feedback about adding wolfCrypt error codes to .cs layer. Partially added useful ones. 2025-06-20 09:41:35 -07:00
Kaleb Himes
17f3da11d2 Merge pull request #8899 from SparkiDev/entropy_cont_tests_fix_2
Entropy: fix proportion health test
2025-06-20 09:10:41 -06:00
David Garske
9b50708741 Fix to expose API to access "store" error code and error depth for cert failure callback (from set_verify). Useful for C# wrapper or clients that cannot directly dereference X509_STORE. Fixes for building with WOLFSSL_EXTRA and WOLFSSL_NO_CA_NAMES (and added new tests). Added example in CSharp TLS client for overriding a begin date error (useful if date is not set). 2025-06-19 14:49:00 -07:00
David Garske
7610b4e2f5 Merge pull request #8893 from SparkiDev/asm_omit_frame_pointer
ARM32/Thumb2/RISC-V 64 ASM: omit frame pointer
2025-06-19 10:48:23 -07:00
David Garske
96a3591f98 Merge pull request #8896 from holtrop/fix-asn-memory-leak
Fix memory leak in ParseCRL_Extensions
2025-06-19 06:18:41 -07:00
David Garske
8f0106a7fe Merge pull request #8888 from julek-wolfssl/bind-v9.18.33
Add bind v9.18.33 testing
2025-06-19 06:08:13 -07:00
David Garske
64bc41a3c3 Merge pull request #8901 from SparkiDev/ecc_config_fixex_1
ECC configuration fixes
2025-06-19 06:02:33 -07:00
Sean Parkinson
f7fb68dedc Merge pull request #8884 from dgarske/enablecerts
Fix to make sure ASN.1 is enabled if just building PQ algorithms
2025-06-19 15:50:59 +10:00
Sean Parkinson
7289687b44 ECC configuration fixes
When ECC verify only and with no RNG.
2025-06-19 13:37:43 +10:00
Sean Parkinson
62721f4d51 PPC32 SHA-256 ASM: small code implementation
Slower but smaller SHA-256 assembly code implementation enabled with:
WOLFSSL_PPC32_ASM_SMALL. (--enable-ppc32=small or
--enable-ppc32=inline,small)
2025-06-19 10:51:12 +10:00
Sean Parkinson
16aab18ae9 Entropy: fix proportion health test
Update the count of entries.
2025-06-19 10:34:03 +10:00
Chris Conlon
cdd02f9665 Add check for reseed in ssl.c for HAVE_SELFTEST, similar to old FIPS bundles that do not have older random.c files 2025-06-18 17:21:55 -06:00
Chris Conlon
9c35c0de65 Add HAVE_GETPID to options.h if getpid detected, needed for apps to correctly detect size of WC_RNG struct 2025-06-18 16:08:34 -06:00
Josh Holtrop
7dfb782c9e Fix memory leak in ParseCRL_Extensions 2025-06-18 16:47:15 -04:00
David Garske
74de689941 Merge pull request #8875 from kareem-wolfssl/zd20035
Fix SRP wolfCrypt test on lower FP_MAX/SP_INT_BITS configs
2025-06-18 08:59:09 -07:00
David Garske
27176a5eeb Merge pull request #8870 from kareem-wolfssl/zd20030
Various minor fixes.
2025-06-18 08:55:07 -07:00
David Garske
e5a9c7039c Merge pull request #8889 from holtrop/remove-dtls-from-echo-examples
Remove DTLS from echo examples
2025-06-18 08:52:47 -07:00
David Garske
9528aaf238 Support WOLFSSL_TRACK_MEMORY with SINGLE_THREADED. 2025-06-18 08:37:27 -07:00
David Garske
cdbc4cb3b3 Fix to make sure certs/asn are enabled for PQ algorithms 2025-06-18 08:32:49 -07:00
Sean Parkinson
c39f1fe721 PPC 32 ASM: SHA-256
Pure and inline  ASM for the PowerPC 32-bit.
2025-06-18 21:23:15 +10:00
Sean Parkinson
dc70cfa3b3 ARM32/Thumb2/RISC-V 64 ASM: omit frame pointer
ARM32/Thumb2: Generated code now omits the frame pointer attribute on
each function. Remove global use in configure.ac.
RISC-V 64: Omit the frame pointer on the one function that uses the
register 's0'.
2025-06-18 10:20:55 +10:00
Kaleb Himes
6f78c26bff Merge pull request #8820 from SparkiDev/entropy_cont_tests_fix
Entropy - fix off by ones in continuous testing
2025-06-17 17:56:00 -06:00
Sean Parkinson
c724c6560d Entropy - fix off by ones in continuous testing
rep_cnt is count of contiguous bytes with same value.
First ever sample must set count to 1.

Wasn't filling the cache up completely.
Off by one in check for initial fill.
2025-06-18 08:10:55 +10:00
Josh Holtrop
feaae9fc58 Fix configure help to use --enable-debug instead of --enable-verbose 2025-06-17 14:38:01 -04:00
Josh Holtrop
0b6c53c8b0 Remove DTLS from echoserver/echoclient examples
This fixes some intermittent CI testsuite failures.
2025-06-17 14:38:01 -04:00
David Garske
7d77446964 Merge pull request #8882 from rizlik/dtls13_always_transmit_explicit_ack
dtls13: always send ACKs on detected retransmission
2025-06-17 11:35:07 -07:00
Daniel Pouzzner
d39295166f Merge pull request #8885 from embhorn/zd20088
Check for STDC_NO_ATOMICS
2025-06-17 13:33:39 -05:00
David Garske
6b68797b4f Merge pull request #8883 from JacobBarthelmeh/rng
account for Intel RDRAND build without HAVE_HASHDRBG
2025-06-17 11:33:16 -07:00
David Garske
7e864c177d Merge pull request #8886 from douzzer/20250617-prime_test-uninited-wc_FreeRng
20250617-prime_test-uninited-wc_FreeRng
2025-06-17 11:31:53 -07:00
Kareem
fe5ae0cbdf Restore 128-byte SRP test using safe prime N for the case where 192 bytes is too large for the fast/SP math config. 2025-06-17 11:30:11 -07:00
Kareem
a035b045a4 Only run SRP tests with at least 3072 bits.
The SRP buffers are 192 bytes, so they need a minimum of 3072 bits.
If the bit size is too low, wc_SrpGetVerifier will return MP_VAL as the buffers won't fit.
2025-06-17 11:30:11 -07:00
Kareem
7e4ec84124 Add macros for legacy get_digit functions for FIPS/selftest. 2025-06-17 10:12:06 -07:00
Kareem
9c9465aa23 Also account for selftest for mp_get_digit refactor. 2025-06-17 10:12:06 -07:00
Kareem
05aa4f5f08 Make mp_get_digit refactor FIPS friendly. 2025-06-17 10:12:06 -07:00
Kareem
2366718d5a Add args->input free in FreeSskeArgs.
This free is redundant in most cases but it covers the specific
case of using async, exiting SendServerKeyExchange early due to
WANT_WRITE or WC_PENDING_E, then later freeing the async context
without calling SendServerKeyExchange again.
2025-06-17 10:12:06 -07:00
Kareem
304019d28d Fix inclusion guard around wc_RsaSSL_Verify.
The current condition of !WOLFSSL_RSA_VERIFY_ONLY doesn't make sense,
as the verify only case will want this function.

Based on the original change and the context, it looks like this was a
typo meant to be !WOLFSSL_RSA_VERIFY_INLINE.
2025-06-17 10:12:06 -07:00
Kareem
e8c110d2ac Rename get_digit* to mp_get_digit* to avoid conflicts with other functions named get_digit. 2025-06-17 10:12:06 -07:00
Kareem
6633b52e28 Don't try to build wc_RsaSSL_Sign in asn.c MakeSignature if RSA public or verify only is enabled. 2025-06-17 10:12:06 -07:00
David Garske
83954100d6 Merge pull request #8812 from kosmax871/tropic01-dev
Added crypto callback functions for TROPIC01 secure element
2025-06-17 10:03:18 -07:00
Eric Blankenhorn
9defad0b24 Check for STDC_NO_ATOMICS 2025-06-17 11:40:07 -05:00
Juliusz Sosinowicz
9c54032159 Add bind v9.18.33 testing 2025-06-17 18:38:38 +02:00
David Garske
5e6c1ba05f Merge pull request #8879 from julek-wolfssl/openssh-10.0p2
Updates for OpenSSH 10.0p2
2025-06-17 09:36:45 -07:00
Daniel Pouzzner
d28045daa8 wolfcrypt/test/test.c: fix prime_test() uninitialized data access by wc_FreeRng(). 2025-06-17 09:31:19 -05:00
Daniel Pouzzner
3e5e470005 Merge pull request #8876 from philljj/small_drbg_cleanup
linuxkm drbg: refactor drbg_ctx clear.
2025-06-16 16:33:57 -05:00
Maxim Kostin
037ccbaa05 Update TROPIC01 integration guide and header file for key slot definitions and datasheet link 2025-06-16 21:12:19 +02:00
David Garske
842e2366e3 Merge pull request #8881 from douzzer/20250615-heapmath-FREE_MP_INT_SIZE
20250615-heapmath-FREE_MP_INT_SIZE
2025-06-16 11:46:12 -07:00
David Garske
5151a2297a Merge pull request #8880 from holtrop/fix-printing-cert-with-empty-issuer-name
Fix printing empty names in certificates
2025-06-16 11:37:02 -07:00
Maxim Kostin
cafb1f5fd7 Merge branch 'tropic01-dev' of github.com:kosmax871/wolfssl into tropic01-dev 2025-06-16 20:32:30 +02:00
Maxim Kostin
f865e0de97 improve ED25519 key handling in CryptoCb function 2025-06-16 20:27:15 +02:00
Maxim Kostin
60f442b04e Fix formatting inconsistencies in README.md 2025-06-16 20:27:15 +02:00
Maxim Kostin
bab7677273 Added AES IV retrieval from TROPIC01 and use of new R-Memory slot definitions 2025-06-16 20:27:15 +02:00
Maxim Kostin
3b198babe3 Add Tropic01_Deinit call in wolfCrypt_Cleanup for proper resource management 2025-06-16 20:27:15 +02:00
Maxim Kostin
172728bf7f Refactor Tropic01 interface: clean up code formatting and improve function declarations 2025-06-16 20:27:15 +02:00
kosmax871
5696582add Update README.md 2025-06-16 20:27:15 +02:00
Maxim Kostin
375af753aa Changes for the PR https://github.com/wolfSSL/wolfssl/pull/8812 2025-06-16 20:27:15 +02:00
Maxim Kostin
2f210b3907 Refactor TROPIC01 integration: update README, enhance pairing key handling, and improve error messages 2025-06-16 20:27:15 +02:00
Maxim Kostin
296bfd258c README.md added 2025-06-16 20:27:15 +02:00
Maxim Kostin
0eecfbfb35 ed25519 fixes 2025-06-16 20:27:15 +02:00
Maxim Kostin
cd76615e49 added support of ED25519 2025-06-16 20:27:15 +02:00
kosmax871
7c1980fe01 some fixes and updates 2025-06-16 20:27:15 +02:00
kosmax871
b13fdaa05e Draft of readme.md 2025-06-16 20:27:15 +02:00
kosmax871
5664507e65 Support for static libraries 2025-06-16 20:27:15 +02:00
Maxim Kostin
385be1c08a added support for Tropic01 crypto callbacks 2025-06-16 20:27:15 +02:00
kosmax871
3da72fb9b6 Merge branch 'wolfSSL:master' into tropic01-dev 2025-06-16 19:30:32 +02:00
Juliusz Sosinowicz
9a576d9e2e Fix CI failures 2025-06-16 19:07:58 +02:00
Marco Oliverio
e82c099bec fix indentation 2025-06-16 18:42:17 +02:00
Juliusz Sosinowicz
72db5e5108 Remove NO_FILESYSTEM for CI 2025-06-16 18:06:19 +02:00
Juliusz Sosinowicz
aca6da66f6 Set default seedCb when not FIPS 2025-06-16 17:39:22 +02:00
Josh Holtrop
3bd9b2e0bc Add generation instructions for empty issuer cert and change expiry to 100 years 2025-06-16 11:39:01 -04:00
JacobBarthelmeh
ce61f0d517 account for Intel RDRAND build without HAVE_HASHDRBG 2025-06-16 09:04:50 -06:00
Marco Oliverio
b1b49c9ffb dtls13: always send ACKs on detected retransmission
Otherwise the connection can stall due the indefinite delay of an explicit ACK,
for exapmle:

 -> client sends the last Finished message
<- server sends the ACK, but the ACK is lost
 -> client rentrasmit the Finished message
 - server delay sending of the ACK until a fast timeout
 -> client rentrasmit the Finished message quicker than the server timeout
 - server resets the timeout, delaying sending the ACK
 -> client rentrasmit the Finished...
2025-06-16 14:19:32 +02:00
Marco Oliverio
509491f554 dtls13: wolfSSL_is_init_finished true after last server ACK
Do not consider the handshake finished until the last server ACK.
This way the application knows where to switch from
wolfSSL_negotiate/wolfSSL_connect to wolfSSL_read/wolfSSL_write.
2025-06-16 14:19:31 +02:00
Daniel Pouzzner
d5ce9744a4 linuxkm/lkcapi_sha_glue.c: explicitly free hash state in wrappers. 2025-06-15 14:40:42 -05:00
Daniel Pouzzner
89e51025ab .wolfssl_known_macro_extras: snip out unneeded entries. 2025-06-15 12:46:44 -05:00
Daniel Pouzzner
e852c090c0 wolfssl/wolfcrypt/integer.h: for heapmath FREE_MP_INT_SIZE(), rather than WC_DO_NOTHING(), conditionally mp_free(), for functional isomorphism with sp_int and tfm MPI lifecycles. 2025-06-15 07:56:25 -05:00
David Garske
05ff12969e Merge pull request #8864 from kojiws/improve_pkcs12_export_params
Apply 16 bytes salt length for PBES2 key encryption on wc_PKCS12_create()
2025-06-13 14:12:37 -07:00
Juliusz Sosinowicz
37554a13db Updates for OpenSSH 10.0p2
- random.c: use getrandom when available and fall back to direct file access
- openssh.yml: run more tests
- openssh.yml: add 10.0p2 and 9.9p2
- configure.ac: detect if `getrandom` is available on the system
- configure.ac: openssh requires WC_RNG_SEED_CB to always use `getrandom` so that the RNG doesn't get killed by SECCOMP
2025-06-13 18:06:19 +02:00
Koji Takeda
ff1baf0ae7 Apply stronger salt length for PBES2 2025-06-14 00:45:03 +09:00
Josh Holtrop
8bde5e6982 Fix printing empty names in certificates
The empty-issuer-cert.pem certificate was created with:

    wolfssl genkey rsa -size 2048 -out mykey -outform pem -output KEY
    wolfssl req -new -days 3650 -key mykey.priv -out empty-issuer-cert.pem -x509

Prior to this fix this command would error printing the certificate:

    wolfssl x509 -inform pem -in empty-issuer-cert.pem -text
2025-06-13 11:22:52 -04:00
JacobBarthelmeh
e74214ded0 Merge pull request #8878 from dgarske/fix_pr8867_oscheck
Fix for syntax error in os-check.yml
2025-06-13 09:09:27 -06:00
David Garske
8181561f0f Fix for syntax error in os-check.yml added in PR #8867. 2025-06-13 07:17:37 -07:00
Daniel Pouzzner
1549425411 Merge pull request #8873 from philljj/fix_fips_enabled
linuxkm: don't toggle fips_enabled.
2025-06-13 05:56:52 -05:00
jordan
b6b58a957b linuxkm: add missing WC_NO_ERR_TRACE. 2025-06-13 01:45:47 -05:00
jordan
bb5291aa5e linuxkm: don't toggle fips_enabled. 2025-06-13 00:45:12 -05:00
jordan
41965750c8 linuxkm drbg: refactor drbg_ctx clear. 2025-06-12 19:59:19 -05:00
David Garske
6cb0c8513d Merge pull request #8874 from JacobBarthelmeh/nginx-tests
fix for perl module version used with nginx test
2025-06-12 16:09:31 -07:00
JacobBarthelmeh
b78f8a4ed6 fix for perl module version used with nginx test 2025-06-12 15:55:56 -06:00
David Garske
c5e63b84ca Merge pull request #8840 from douzzer/20250605-linuxkm-DRBG-multithread-round-1
20250605-linuxkm-DRBG-multithread-round-1
2025-06-12 13:17:54 -07:00
David Garske
2fc1110a13 Merge pull request #8587 from lealem47/gh8574
Fix bug in ParseCRL_Extensions
2025-06-12 12:09:52 -07:00
David Garske
701e3ba64e Merge pull request #8808 from rlm2002/coverity
Coverity: api.c fix
2025-06-12 12:03:14 -07:00
David Garske
bfdce3a345 Merge pull request #8832 from SparkiDev/aarch64_xfence
Aarch64 XFENCE
2025-06-12 11:53:55 -07:00
David Garske
6571f42cb9 Merge pull request #8867 from JacobBarthelmeh/rng
Improvements to RNG and compatibility layer
2025-06-11 14:31:53 -07:00
Maxim Kostin
abdcf4dbc5 improve ED25519 key handling in CryptoCb function 2025-06-11 21:09:22 +02:00
kosmax871
394a25b376 Merge branch 'wolfSSL:master' into tropic01-dev 2025-06-11 21:07:15 +02:00
JacobBarthelmeh
8ee1f8f287 add macro guard on test case 2025-06-11 10:43:47 -06:00
JacobBarthelmeh
675ff71b0b Merge pull request #8863 from rlm2002/AppleNativeCert
Add api unit test for checking domain name
2025-06-11 09:38:08 -06:00
Sean Parkinson
1c85a76ddd Dilithium/ML-DSA: Fixes for casting down and uninit 2025-06-11 11:14:49 +10:00
Sean Parkinson
d66863d0ac Aarch64 XFENCE
Use sb instruction instead of isb if available.
2025-06-11 09:29:20 +10:00
JacobBarthelmeh
ae87afa677 Merge pull request #8857 from miyazakh/tsip_fix
fix TSIP TLS example program
2025-06-10 16:26:34 -06:00
JacobBarthelmeh
47cf634965 add a way to restore previous pid behavior 2025-06-10 16:12:09 -06:00
JacobBarthelmeh
4207affc72 adding additional RAND test cases 2025-06-10 16:01:52 -06:00
Ruby Martin
d0134f2212 coverity: address reuse after free, add NULL checks 2025-06-10 15:33:47 -06:00
Ruby Martin
a7a5062c7a add api test for checking domain name
use SNI example.com in client ssl
2025-06-10 15:22:01 -06:00
JacobBarthelmeh
fbbb6b7707 add mutex locking and compat layer FIPS case 2025-06-10 14:37:11 -06:00
JacobBarthelmeh
31490ab813 add sanity checks on pid with RNG 2025-06-10 14:37:11 -06:00
Hideki Miyazaki
d138c48a00 add TSIP_RSASSA_1024 and TSIP_RSASSA_2048 to known_macro_extras 2025-06-11 04:12:54 +09:00
JacobBarthelmeh
2d892f07eb Merge pull request #8861 from gasbytes/psk-handshake-failure-fix
tls13: clear tls1_3 on downgrade
2025-06-10 10:24:17 -06:00
JacobBarthelmeh
047f0bb5fc Merge pull request #8847 from gojimmypi/pr-platformio-cert-bundles
Improve PlatformIO Certificate Bundle Support
2025-06-10 10:23:07 -06:00
JacobBarthelmeh
eb3c324ea4 Merge pull request #8852 from holtrop/reseed-drbg-in-rand-poll-test
Add additional compatibility layer RAND tests
2025-06-10 10:20:46 -06:00
JacobBarthelmeh
94f5948f20 Merge pull request #8858 from rizlik/dtls13_set_epoch_fix
dtls13: move Dtls13NewEpoch into DeriveTls13Keys
2025-06-10 09:48:58 -06:00
JacobBarthelmeh
81852e7425 Merge pull request #8865 from SparkiDev/dilithium_fixes_2
ML-DSA: fix tests for different configs
2025-06-10 09:43:13 -06:00
Sean Parkinson
cb90b78688 ML-DSA: fix tests for different configs
Setting the private key into SSL object requires signing to be
available.
Only enable the parameters that are compiled in.
2025-06-10 20:44:27 +10:00
Josh Holtrop
1c6e3d729a Check that fork() returns >= 0 in RAND_poll fork test 2025-06-10 06:23:06 -04:00
JacobBarthelmeh
106bcb22d3 Merge pull request #8860 from LinuxJedi/tls13-trusted-ca
Allow `trusted_ca_keys` with TLSv1.3
2025-06-09 17:43:44 -06:00
JacobBarthelmeh
4ae8ca03ac Merge pull request #8859 from kojiws/clarify_supported_pkcs12_enc_algos
Clarify supported encryption algorithms on wc_PKCS12_create()
2025-06-09 16:03:53 -06:00
David Garske
587d5c783b Merge pull request #8862 from JacobBarthelmeh/pqc
fix syntax error with pqc yml
2025-06-09 13:03:48 -07:00
Josh Holtrop
133e238359 Wait on child process in RAND_poll fork test 2025-06-09 15:59:22 -04:00
JacobBarthelmeh
496b0911be fix syntax error with pqc yml 2025-06-09 13:50:00 -06:00
Marco Oliverio
3e6703e1fb fixup! dtls13: move Dtls13NewEpoch into DeriveTls13Keys 2025-06-09 19:20:06 +02:00
Marco Oliverio
1024bf0109 fixup! dtls13: move Dtls13NewEpoch into DeriveTls13Keys 2025-06-09 18:00:23 +02:00
Reda Chouk
92b6e2f2e9 tls13: clear tls1_3 on downgrade
Unset ssl->options.tls1_3 whenever we drop to TLS 1.2 so PSK
handshakes don’t hit -326 VERSION_ERROR.
2025-06-09 17:12:56 +02:00
Maxim Kostin
519b314cf2 Fix formatting inconsistencies in README.md 2025-06-09 17:12:46 +02:00
Marco Oliverio
59ff71f936 fixup! dtls13: move Dtls13NewEpoch into DeriveTls13Keys 2025-06-09 16:11:17 +02:00
Maxim Kostin
7b0b2e9f0c Added AES IV retrieval from TROPIC01 and use of new R-Memory slot definitions 2025-06-09 16:06:56 +02:00
kosmax871
2da1b4e6b2 Merge branch 'wolfSSL:master' into tropic01-dev 2025-06-09 16:01:23 +02:00
Andrew Hutchings
5e6cb2b0b6 Allow trusted_ca_keys with TLSv1.3
It is possible that the client will provied `trusted_ca_keys` during a
TLSv1.3 connection with 1.2 downgrade. wolfSSL would error with
`EXT_NOT_ALLOWED`. The TLSv1.3 spec states that it can be provided and
should be ignored.

ZD 19936
2025-06-09 08:31:54 +01:00
Koji Takeda
0260ff789b Clarify supported PKCS12 encryption algorithms 2025-06-09 12:03:47 +09:00
Marco Oliverio
c1c1929e55 dtls13: move Dtls13NewEpoch into DeriveTls13Keys
Dlts13NewEpoch saves the keys currently derived in the ssl object.
Moving Dtls13NewEpoch inside DeriveTls13Keys avoid the risk of using the wrong
keys when creating a new Epoch.

This fixes at least he following scenario:

- Client has encryption epoch != 2 in the handshake (eg. due to rtx)

- Client derives traffic0 keys after receiving server Finished message

- Client set encryption epoch to 2 again to send the Finished message, this
   override the traffic key computed

- Client creates the new epoch with the wrong key
2025-06-09 02:35:29 +02:00
Hideki Miyazaki
eeb3961b6f fix trailing whitespace 2025-06-07 14:23:59 +09:00
Hideki Miyazaki
0404447bd8 fix typo 2025-06-07 12:46:22 +09:00
Hideki Miyazaki
1f8efc3c14 fix TSIP example
fix Client Certificate Verify using RSA sign/verify
2025-06-07 12:38:18 +09:00
Daniel Pouzzner
ae15693fa8 linuxkm/lkcapi_sha_glue.c: in wc_linuxkm_drbg_generate() and wc_linuxkm_drbg_seed(), check retval from wc_LockMutex().
wolfcrypt/src/random.c: in Hash_DRBG_Generate(), restore smallstack path for digest[], but use non-smallstack path for WOLFSSL_LINUXKM.
2025-06-07 07:07:20 +04:00
Josh Holtrop
10b3cc8dd2 Add fork test for RAND_poll() 2025-06-06 20:45:01 -04:00
gojimmypi
3254f56d32 Improve PlatformIO Certificate Bundle Support 2025-06-06 15:48:07 -07:00
JacobBarthelmeh
0bac2c2b34 Merge pull request #8846 from lealem47/zd20027
Don't include AEAD nonce in decrypted data size
2025-06-06 15:43:20 -06:00
Sean Parkinson
8e9e671a5a Merge pull request #8853 from JacobBarthelmeh/pqc
add macro WOLFSSL_ML_KEM_USE_OLD_IDS to PQC CI test
2025-06-07 07:29:33 +10:00
JacobBarthelmeh
369f9f0339 Merge pull request #8849 from holtrop/reseed-drbg-in-rand-poll
Reseed DRBG in RAND_poll()
2025-06-06 11:55:46 -06:00
Maxim Kostin
0fe8fa7645 Add Tropic01_Deinit call in wolfCrypt_Cleanup for proper resource management 2025-06-06 19:46:27 +02:00
JacobBarthelmeh
ae7509e746 Merge pull request #8813 from gojimmypi/espressif-mlkem-support
Adjust Espressif Examples for Post Quantum ML-KEM
2025-06-06 11:41:59 -06:00
JacobBarthelmeh
9ffca6b39c Merge pull request #8822 from kojiws/support_cert_aes_cbc_on_pkcs12_export
Support PBE_AES(256|128)_CBC certificate encryptions on wc_PKCS12_create()
2025-06-06 11:35:13 -06:00
JacobBarthelmeh
45306e9378 Merge pull request #8845 from rlm2002/coverityTests
Coverity: test adjustments and variable checks
2025-06-06 11:29:56 -06:00
JacobBarthelmeh
8a4200eb31 add macro WOLFSSL_ML_KEM_USE_OLD_IDS to PQC CI test 2025-06-06 11:12:37 -06:00
JacobBarthelmeh
f4821eb0f4 Merge pull request #8827 from SparkiDev/ml_kem_codepoints
ML_KEM IDs backward compat
2025-06-06 11:06:15 -06:00
JacobBarthelmeh
570c1fc390 Merge pull request #8824 from JeremiahM37/tlsCurveFix
tls fix for set_groups
2025-06-06 10:47:06 -06:00
Josh Holtrop
0c12337194 Reseed DRBG in RAND_poll() 2025-06-06 12:20:58 -04:00
JacobBarthelmeh
bfc55d9016 Merge pull request #8848 from julek-wolfssl/gh/8841
dtlsProcessPendingPeer: correctly set the current peer
2025-06-06 09:52:35 -06:00
kosmax871
04a1a3fec7 Merge branch 'wolfSSL:master' into tropic01-dev 2025-06-06 17:51:29 +02:00
JacobBarthelmeh
407a1259af Merge pull request #8851 from douzzer/20250606-fixes
Adjustment for warnings with NO_TLS build and add github actions test
2025-06-06 09:46:42 -06:00
Daniel Pouzzner
efc36655e6 src/internal.c: add pedantic-compatible NO_TLS codepath for cipher_names[] and GetCipherNamesSize(). 2025-06-06 18:02:19 +04:00
Daniel Pouzzner
4572dcf9f9 tests/api/test_x509.c: in test_x509_rfc2818_verification_callback(), add dependency on HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES;
wolfcrypt/test/test.c: in lms_test(), fix -Wdeclaration-after-statement;

add .github/workflows/no-tls.yml;

.github/workflows/pq-all.yml: add smallstack scenario.
2025-06-06 17:18:50 +04:00
Sean Parkinson
7eca4fb331 ML_KEM IDs backward compat
Allow backward compatibilitly of Hybrid ML_KEM codepoints in TLS with
version before wolfSSL 5.8.0.
When WOLFSSL_ML_KEM_USE_OLD_IDS is defined, it will accept the old
codepoints for P256 with ML-KEM-512, P384 with ML-KEM-768, P521 with
ML-KEM-10124. (Others combinations were not know pre 5.8.0.)
Both old client with new server and new client with new server work with
old codepoints.
2025-06-06 09:17:40 +10:00
JacobBarthelmeh
3ecc58cc0e Merge pull request #8842 from julek-wolfssl/zd/19966
ALT_NAMES_OID: Mark IP address as WOLFSSL_V_ASN1_OCTET_STRING
2025-06-05 17:07:47 -06:00
Juliusz Sosinowicz
736a5e1f89 dtlsProcessPendingPeer: correctly set the current peer 2025-06-06 00:12:38 +02:00
Lealem Amedie
53f3e74bf1 Sniffer: Don't include AEAD nonce in decrypted data size 2025-06-05 14:13:45 -06:00
Juliusz Sosinowicz
edfc5360d4 TLSX_SupportedCurve_Parse: fix commonCurves wouldn't be free'd on error 2025-06-05 22:04:50 +02:00
Juliusz Sosinowicz
0ac6ca3cf7 Fix hard tabs and c++ style comments 2025-06-05 22:04:50 +02:00
Juliusz Sosinowicz
761f0f1d1f Simplify TLSX_SupportedCurve_Parse
Server only uses curves that are supported by both the client and the server. If no common groups are found, the connection will fail in TLS 1.2 and below. In TLS 1.3, HRR may still be used to resolve the group mismatch.
2025-06-05 22:04:49 +02:00
JeremiahM37
a160ba1379 Supported_group unit test fix 2025-06-05 22:04:49 +02:00
JeremiahM37
9d342bae83 unit tests for set_groups curve fix 2025-06-05 22:04:49 +02:00
JeremiahM37
888407e40b Updated fix for set_groups 2025-06-05 22:04:49 +02:00
JeremiahM37
3c1c4792da tls fix for set_groups 2025-06-05 22:04:49 +02:00
Ruby Martin
a413be1984 remove null assignment, add null check 2025-06-05 12:25:50 -06:00
Juliusz Sosinowicz
f2584fd5fa ALT_NAMES_OID: Mark IP address as WOLFSSL_V_ASN1_OCTET_STRING 2025-06-05 19:17:00 +02:00
JacobBarthelmeh
c207e2d198 Merge pull request #8838 from miyazakh/fsp_fix2
Fix Renesas SCE on RA6M4
2025-06-05 09:43:05 -06:00
Chris Conlon
e51702043f Merge pull request #8837 from BridgerVoss/code_cov
Unit test for Dh.c code coverage
2025-06-05 09:37:42 -06:00
Chris Conlon
a17b3b4985 Merge pull request #8831 from JeremiahM37/UnitTest
Unit test for wolfcrypt pkcs12 file to improve code coverage
2025-06-05 09:30:48 -06:00
JacobBarthelmeh
307840388b Merge pull request #8786 from SparkiDev/lms_kid
LMS: Key ID fixup
2025-06-05 09:22:48 -06:00
Daniel Pouzzner
dbc34352c7 linuxkm/lkcapi_sha_glue.c: in wc_linuxkm_drbg_seed(), prefix the supplied seed with the CPU ID of each DRBG, to avoid duplicate states;
wolfcrypt/src/random.c: in Hash_DRBG_Generate(), always put digest[] on the stack even in WOLFSSL_SMALL_STACK configuration (it's only 32 bytes);

configure.ac: default smallstackcache on when linuxkm-defaults.
2025-06-05 16:31:46 +04:00
Daniel Pouzzner
29cf3eb84e linuxkm/lkcapi_sha_glue.c: refactor DRBG wrapper to instantiate one DRBG per core, to relieve contention. 2025-06-05 09:18:18 +04:00
Sean Parkinson
fbc483e23a Merge pull request #8833 from rlm2002/AppleNativeCert
domain name policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION
2025-06-05 12:22:20 +10:00
Brett
89be92f1a8 formatting 2025-06-04 18:29:05 -06:00
Koji Takeda
1f78923590 Add a test for mixture of algorithms 2025-06-05 09:26:44 +09:00
Sean Parkinson
640b060792 LMS: Key ID fixup
Fix implementation for extracting from private key data.
Add implementation that gets Key ID from wc_LmsKey.
2025-06-05 10:25:47 +10:00
Brett
0e2a3fd0b6 add missing error trace macro 2025-06-04 16:56:16 -06:00
JeremiahM37
a6580d3916 Unit test for wolfcrypt pkcs12 file to improve code coverage 2025-06-04 16:01:35 -06:00
Bridger Voss
80c6ac141a Unit test for Dh.c wc_DhSetNamedKey code coverage 2025-06-04 15:48:52 -06:00
Brett
bc8eeea703 prevent apple native cert validation from overriding error codes other than ASN_NO_SIGNER_E 2025-06-04 15:48:15 -06:00
Chris Conlon
50471342b3 Merge pull request #8819 from sebastian-carpenter/asn-allow-0-serial-make-check-fail
WOLFSSL_ASN_ALLOW_0_SERIAL not handled in make check
2025-06-04 13:39:55 -06:00
Sebastian Carpenter
a29d12fd3f WOLFSSL_ASN_ALLOW_0_SERIAL not handled in make check
test_MakeCertWith0Ser needed an extra #define check for WOLFSSL_ASN_ALLOW_0_SERIAL. Previously, it was validating that a 0 serial should not work -> now it validates that a 0 serial does work.
2025-06-04 12:21:41 -06:00
Lealem Amedie
02a49693e2 Fix bug in ParseCRL_Extensions 2025-06-04 10:23:53 -06:00
Koji Takeda
7c33096398 Support PBE_AES256_CBC and PBE_AES128_CBC cert encryption on wc_PKCS12_create() 2025-06-04 16:43:30 +09:00
Hideki Miyazaki
e633dd7537 trailing whitespace 2025-06-04 13:41:01 +09:00
Hideki Miyazaki
4aea2a1cd2 Update README to add SEGGER_RTT control block 2025-06-04 13:41:01 +09:00
Hideki Miyazaki
8445e66ceb Update signed certificate 2025-06-04 13:41:01 +09:00
Hideki Miyazaki
6d2a8b3f4c ready-for-use flag fix 2025-06-04 13:41:01 +09:00
Sean Parkinson
7898823d42 Merge pull request #8834 from JacobBarthelmeh/sp_int
Comment to avoid older versions of clang-tidy false positive
2025-06-04 11:15:54 +10:00
JacobBarthelmeh
c1b683f307 add clang-tidy lint comment to avoid false positive 2025-06-03 14:44:01 -06:00
Ruby Martin
9864959e41 create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION, domain name
checking
2025-06-03 10:08:58 -06:00
JacobBarthelmeh
b34fd2f685 Merge pull request #8829 from gojimmypi/pr-espressif-time-correction
Correct Espressif default time setting
2025-06-02 17:03:06 -06:00
gojimmypi
a9db6d08f7 Adjust Espressif Examples for Post Quantum ML-KEM 2025-06-02 15:11:53 -07:00
gojimmypi
1aa97a9070 Correct Espressif default time setting 2025-06-02 15:04:49 -07:00
Maxim Kostin
e635afd26a Refactor Tropic01 interface: clean up code formatting and improve function declarations 2025-06-02 20:12:41 +02:00
JacobBarthelmeh
ecb8cb744e Merge pull request #8799 from dgarske/csharp_wince_unicode
Fix issue with CSharp and Windows CE with conversion of ASCII and Unicode
2025-06-02 10:39:23 -06:00
kosmax871
66b0a5bd02 Merge branch 'wolfSSL:master' into tropic01-dev 2025-06-01 09:35:34 +02:00
David Garske
30490f9650 Merge pull request #8828 from douzzer/20250531-wc_linuxkm_fpu_state_assoc-optimize
20250531-wc_linuxkm_fpu_state_assoc-optimize
2025-05-31 09:23:59 -07:00
Daniel Pouzzner
8c33f47a85 linuxkm/x86_vector_register_glue.c: fix overhead in wc_linuxkm_fpu_state_assoc() from pointless full searches of wc_linuxkm_fpu_states. 2025-05-31 00:23:32 -05:00
Daniel Pouzzner
a6e9bd73e4 Merge pull request #8803 from dgarske/csr_nomalloc
Refactor to support CSR generation and signing with `WOLFSSL_NO_MALLOC`
2025-05-30 18:05:25 -05:00
philljj
316681be2a Merge pull request #8826 from douzzer/20250530-ML-KEM-WC_SHA3_NO_ASM
20250530-ML-KEM-WC_SHA3_NO_ASM
2025-05-30 16:25:48 -05:00
Daniel Pouzzner
dd6e6015ea wolfcrypt/src/wc_mlkem.c: add setup for WC_MLKEM_NO_ASM. 2025-05-30 14:51:52 -05:00
Daniel Pouzzner
0bdf8b54db wolfssl/wolfcrypt/sha3.h: in asm prototypes section, snip out redundant prototypes for BlockSha3(), and add indentation for clarity. 2025-05-30 14:16:25 -05:00
Daniel Pouzzner
8256e42178 .github/workflows/wolfCrypt-Wconversion.yml: fix apt-get to update first. 2025-05-30 13:56:14 -05:00
Daniel Pouzzner
6a5dc482fd linuxkm/Kbuild: set OBJECT_FILES_NON_STANDARD=y for wolfcrypt/src/wc_mlkem_asm.o ("'naked' return found"). 2025-05-30 13:39:33 -05:00
Daniel Pouzzner
8f347e68f5 wolfcrypt/src/wc_mlkem_poly.c and configure.ac: add support for WC_MLKEM_NO_ASM, and add gates to support WC_SHA3_NO_ASM;
wolfcrypt/src/sha3.c and wolfssl/wolfcrypt/sha3.h: BlockSha3() now always WOLFSSL_LOCAL (never static) to support calls from MLKEM implementation.
2025-05-30 13:31:40 -05:00
Maxim Kostin
22a4cf2422 Merge branch 'tropic01-dev' of github.com:kosmax871/wolfssl into tropic01-dev 2025-05-30 15:31:47 +02:00
Maxim Kostin
698ca29326 Changes for the PR https://github.com/wolfSSL/wolfssl/pull/8812 2025-05-30 11:21:28 +02:00
Daniel Pouzzner
5c21551808 Merge pull request #8816 from philljj/crypto_sig_sign_ret_value
linuxkm rsa: fix ret value usage for crypto_sig_sign.
2025-05-29 22:44:13 -05:00
philljj
9bd58344d9 Merge pull request #8817 from douzzer/20250529-WC_SHA3_NO_ASM
20250529-WC_SHA3_NO_ASM
2025-05-29 22:24:36 -05:00
David Garske
165f868be1 Fix for warning: ‘free’ called on unallocated object ‘buf’. 2025-05-29 17:15:55 -07:00
Daniel Pouzzner
aeae9cb3b6 Merge pull request #8807 from philljj/linuxkm_ecdsa_small_cleanup
linuxkm ecdsa: small debug msg cleanup.
2025-05-29 17:16:40 -05:00
jordan
0b64a5549c linuxkm rsa: fix ret value usage for crypto_sig_sign. 2025-05-29 16:22:40 -05:00
Daniel Pouzzner
245042a342 add WC_SHA3_NO_ASM, mainly for the benefit of linuxkm-defaults and KASAN compatibility. 2025-05-29 16:21:34 -05:00
philljj
429ed8d0be Merge pull request #8814 from douzzer/20250529-linuxkm-fix-AesGcmCrypt_1-no-stream
20250529-linuxkm-fix-AesGcmCrypt_1-no-stream
2025-05-29 14:36:07 -05:00
Daniel Pouzzner
4d19f55c3f linuxkm/lkcapi_aes_glue.c: in AesGcmCrypt_1(), in !WOLFSSL_AESGCM_STREAM version, don't call skcipher_walk_done(&sk_walk, ...) -- doesn't work, and not needed. 2025-05-29 12:10:02 -05:00
kosmax871
daf5d4b015 Update README.md 2025-05-29 12:43:52 +02:00
Maxim Kostin
7e25669e6f Refactor TROPIC01 integration: update README, enhance pairing key handling, and improve error messages 2025-05-29 12:25:12 +02:00
Daniel Pouzzner
2a9269e654 Merge pull request #8796 from philljj/linuxkm_rsa_sig
linuxkm rsa: add sig_alg support for linux 6.13
2025-05-29 01:15:13 -05:00
philljj
8ce0a3bf83 Merge pull request #8810 from douzzer/20250528-linuxkm-aes-kmemleaks
20250528-linuxkm-aes-kmemleaks
2025-05-28 19:45:49 -05:00
David Garske
18aab1a883 Further improvements to MultiByte and WideChar conversions. 2025-05-28 15:35:10 -07:00
Daniel Pouzzner
5c0a278c7f linuxkm/lkcapi_aes_glue.c: add error path cleanups for dangling skcipher_walks. 2025-05-28 16:30:43 -05:00
David Garske
5c82757eb4 Merge pull request #8809 from douzzer/20250528-fix-mldsa_nosign
20250528-fix-mldsa_nosign
2025-05-28 14:12:06 -07:00
Daniel Pouzzner
b9ef6c583a wolfcrypt/test/test.c: in test_dilithium_decode_level(), on early malloc failure, stay in the flow to assure cleanup;
.wolfssl_known_macro_extras: remove unneeded entry for WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC.
2025-05-28 12:48:36 -05:00
Maxim Kostin
1c45d155d1 README.md added 2025-05-28 19:01:12 +02:00
jordan
7212fd0483 linuxkm ecdsa: small debug msg cleanup. 2025-05-28 11:43:44 -05:00
Sean Parkinson
8ea01056c3 Merge pull request #8788 from julek-wolfssl/gh/8765
tls13: handle malformed CCS and CCS before CH
2025-05-28 09:45:09 +10:00
David Garske
3032e977a8 Merge pull request #8802 from kojo1/csharp
fix C# Release build
2025-05-27 15:46:28 -07:00
David Garske
6de7bb74ed Merge pull request #8787 from julek-wolfssl/refactor-GetHandshakeHeader
Refactor GetHandshakeHeader/GetHandShakeHeader into one
2025-05-27 15:26:24 -07:00
David Garske
482f2bdd2a Refactor to support CSR generation and signing with WOLFSSL_NO_MALLOC. Also for DSA. Don't test no malloc with ECC custom curves. 2025-05-27 14:51:16 -07:00
Sean Parkinson
71a9e48701 Merge pull request #8801 from rlm2002/coverity
coverity: misc changes to api.c
2025-05-28 07:28:40 +10:00
Daniel Pouzzner
8179367412 Merge pull request #8798 from dgarske/mldsa_nosign
Fix for ML-DSA with `WOLFSSL_DILITHIUM_NO_SIGN`
2025-05-27 14:44:44 -05:00
Maxim Kostin
0f2d965d81 ed25519 fixes 2025-05-27 21:28:59 +02:00
Ruby Martin
2eddc32eed coverity: fix use after free, improper use of negative value, initialize src variable 2025-05-27 09:43:44 -06:00
Maxim Kostin
7696e33d7d added support of ED25519 2025-05-26 21:58:06 +02:00
Sean Parkinson
6c7edeba38 Merge pull request #8800 from douzzer/20250523-WC_NID_netscape_cert_type
20250523-WC_NID_netscape_cert_type
2025-05-26 08:19:22 +10:00
kosmax871
6f48851862 some fixes and updates 2025-05-25 20:43:56 +02:00
Takashi Kojo
7b8f30bb25 fix Release build 2025-05-24 14:03:55 +09:00
jordan
da9410565d linuxkm rsa: km_pkcs1_sign should return sig_len on success. 2025-05-23 22:29:16 -05:00
Daniel Pouzzner
ec842be582 wolfssl/wolfcrypt/asn.h: add a real value for WC_NID_netscape_cert_type. 2025-05-23 14:05:51 -05:00
Juliusz Sosinowicz
2ec6b92b41 tls13: handle malformed CCS and CCS before CH
- fix incorrect alert type being sent
- error out when we receive a CCS before a CH
- error out when we receive an encrypted CCS
2025-05-23 15:04:22 +02:00
Sean Parkinson
999641d9b1 Merge pull request #8642 from rizlik/dtls_no_span_records
DTLS: drop records that span datagrams
2025-05-23 14:57:24 +10:00
David Garske
db0b0e28d2 Fix issue with CSharp and Windows CE with conversion of ASCII->Unicode and Unicode->ASCII with odd length and extra null terminator. 2025-05-22 16:34:54 -07:00
Sean Parkinson
d1312c87bb Merge pull request #8792 from rlm2002/coverity-src
Coverity: remove dead code issue in ssl.c
2025-05-23 09:27:39 +10:00
Sean Parkinson
2ecd4d75e3 Merge pull request #8795 from dgarske/stm32_aes_gcm_oldcube
Fix for STM32 AES GCM and older STM32Cube HAL that does not support `HeaderWidthUnit`
2025-05-23 08:00:35 +10:00
Sean Parkinson
fb6f0c8b73 Merge pull request #8797 from douzzer/20250522-FIPS-v5-no-implicit-DES
20250522-FIPS-v5-no-implicit-DES
2025-05-23 07:50:34 +10:00
David Garske
607d7489bc Add no malloc support for Dilithium tests. Fixes for WOLFSSL_DILITHIUM_NO_ASN1. 2025-05-22 14:34:34 -07:00
Ruby Martin
5352e100db Add NO_OLD_TLS macroguard, remove dead code 2025-05-22 14:21:38 -06:00
Daniel Pouzzner
b06a921697 tests/api.c: add missing NO_SHA gates in test_wc_PKCS12_create(). 2025-05-22 14:56:31 -05:00
David Garske
d0085834cd Fix for ML-DSA with WOLFSSL_DILITHIUM_NO_SIGN. ZD 19948. 2025-05-22 12:36:46 -07:00
Daniel Pouzzner
7e9460c377 configure.ac: remove implicit enablements of DES/DES3 on FIPS v5+. 2025-05-22 14:19:28 -05:00
jordan
402ebec3b7 linuxkm rsa: comments, cleanup work buffer useage. 2025-05-22 11:07:36 -05:00
kosmax871
b366f814c7 Draft of readme.md 2025-05-22 14:40:11 +02:00
kosmax871
95007de18a Support for static libraries 2025-05-22 14:22:40 +02:00
Sean Parkinson
807e95f35f Merge pull request #8785 from julek-wolfssl/checkGroup
TLSX_UseSupportedCurve: Check group correctness outside of TLS 1.3 too
2025-05-22 14:10:14 +10:00
David Garske
cc78e3f5d1 Fix for older STM32Cube HAL that does not support hcryp->Init.HeaderWidthUnit. ZD 19926. 2025-05-21 16:42:52 -07:00
Sean Parkinson
9fdb40caa4 Merge pull request #8790 from philljj/fix_coverity
coverity: misc fixes
2025-05-22 08:40:59 +10:00
Sean Parkinson
85a4e34705 Merge pull request #8782 from kojiws/support_aes_cbc_pkcs12_export
Support PBE_AES(256|128)_CBC key encryptions on wc_PKCS12_create()
2025-05-22 08:39:11 +10:00
Sean Parkinson
2398a94cf8 Merge pull request #8784 from rlm2002/coverity
coverity: init dgst variable test_sha3.c and issues in api.c
2025-05-22 08:34:11 +10:00
Sean Parkinson
005ce08380 Merge pull request #8794 from kareem-wolfssl/multiFixes
Add missing DH_MAX_SIZE define for FIPS, correct wolfssl.rc FILETYPE to VFT_DLL
2025-05-22 08:26:24 +10:00
jordan
54104887ca linuxkm rsa: clean up duplicate code. 2025-05-21 16:59:02 -05:00
jordan
d396987863 linuxkm rsa: don't forget to unregister pkcs1pad akcipher. 2025-05-21 16:32:39 -05:00
jordan
8fef82cc59 linuxkm rsa: linux 6.13 support. 2025-05-21 16:07:46 -05:00
Kareem
08f063d8b3 Correct wolfssl.rc FILETYPE to VFT_DLL. It was previously set to 0x7L which is VFT_STATIC_LIB. 2025-05-21 12:34:09 -07:00
Kareem
4d63d7dedf Fix missing DH_MAX_SIZE define when building FIPS 140-3 with OpenSSL compatibility layer dh.h. 2025-05-21 12:33:37 -07:00
philljj
be5b62b1a1 Merge pull request #8791 from douzzer/20250521-fix-WC_SIPHASH_NO_ASM
20250521-fix-WC_SIPHASH_NO_ASM
2025-05-21 12:23:46 -05:00
Daniel Pouzzner
e2def987d4 wolfcrypt/src/siphash.c: for WC_SIPHASH_NO_ASM, don't define WOLFSSL_NO_ASM if it's already defined. 2025-05-21 10:03:10 -05:00
Ruby Martin
a170624118 coverity: init dgst variable test_sha3.c
improper use of neg val api.c

copy-paste error in test_wolfSSL_PEM_read_bio_ECPKParameters
2025-05-21 08:29:44 -06:00
Sean Parkinson
dfe0684bc7 Merge pull request #8789 from douzzer/20250520-WC_SIPHASH_NO_ASM
20250520-WC_SIPHASH_NO_ASM
2025-05-21 07:29:53 +10:00
Daniel Pouzzner
a01fb2a61c wolfcrypt/src/siphash.c: honor WC_SIPHASH_NO_ASM; configure.ac: add -DWC_SIPHASH_NO_ASM when ENABLED_LINUXKM. 2025-05-20 13:03:58 -05:00
Juliusz Sosinowicz
5e7ef142e8 Refactor GetHandshakeHeader/GetHandShakeHeader into one 2025-05-20 13:23:14 +02:00
jordan
c619c19a1d asn: add underflow check to idx. 2025-05-19 19:04:27 -05:00
Maxim Kostin
cbcd7bca2c added support for Tropic01 crypto callbacks 2025-05-19 21:41:49 +02:00
Koji Takeda
3666851589 Support PBE_AES256_CBC and PBE_AES128_CBC key encryption on wc_PKCS12_create() 2025-05-19 22:26:46 +09:00
Juliusz Sosinowicz
83ce63ac1a TLSX_UseSupportedCurve: Check group correctness outside of TLS 1.3 too 2025-05-19 14:19:59 +02:00
Marco Oliverio
cbe1fb2c62 dtls: drop DTLS messages that span across datagrams
A new macro "WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS" restores the old
behaviour.
2025-05-19 10:28:13 +02:00
Marco Oliverio
23b73bb298 test_memio: preserve write boundaries in reads 2025-05-19 10:25:24 +02:00
Marco Oliverio
80bdd1736a internal: refactor out Decryption in DoDecrypt function
To uniform error handling for the SanityCheckCipherText check.
2025-05-19 10:25:24 +02:00
JacobBarthelmeh
05bc7e0d2f Merge pull request #8783 from douzzer/20250516-remove-implicit-WOLFSSL_DEBUG_CERTIFICATE_LOADS
20250516-remove-implicit-WOLFSSL_DEBUG_CERTIFICATE_LOADS
2025-05-16 17:06:18 -06:00
Daniel Pouzzner
3ab16257b0 wolfssl/wolfcrypt/logging.h: don't define WOLFSSL_DEBUG_CERTIFICATE_LOADS just because defined(DEBUG_WOLFSSL). 2025-05-16 16:53:10 -05:00
Daniel Pouzzner
4495da457a Merge pull request #8778 from rlm2002/ghi8772
add NULL reference checks to RSA functions
2025-05-16 16:41:43 -05:00
Ruby Martin
7ae2c24ac4 add NULL reference checks to RSA functions 2025-05-16 14:00:35 -06:00
Daniel Pouzzner
91af9073b0 Merge pull request #8777 from rizlik/dtls_reject_v11
Drop DTLS packets with bogus minor version number
2025-05-16 14:45:25 -05:00
Daniel Pouzzner
e67536cb15 Merge pull request #8775 from rlm2002/coverity
Coverity: address uninitialized scalar variable issues
2025-05-16 14:44:38 -05:00
Daniel Pouzzner
56b43e5948 Merge pull request #8776 from anhu/no_server_with_opensslall
Allow tests to build with opensslall and no server.
2025-05-16 13:28:48 -05:00
Daniel Pouzzner
5abe5df498 Merge pull request #8760 from miyazakh/benchmark_up
Guard some benchmark tests by NO_SW_BENCH
2025-05-16 12:42:59 -05:00
Kaleb Himes
25e3a2d34f Merge pull request #8780 from douzzer/20250515-fips-armasm-fixes
20250515-fips-armasm-fixes
2025-05-16 11:12:16 -06:00
David Garske
69ae36a1b6 Merge pull request #8781 from night1rider/zephyr-mlkem-update
updating kyber to mlkem arm file for zephyr
2025-05-16 09:21:19 -07:00
Ruby Martin
e998a4c2fc fix off-by-one error in asn.c 2025-05-16 08:26:19 -06:00
night1rider
229141fd51 updating kyber to mlkem arm file for zephyr 2025-05-15 21:55:36 -06:00
Daniel Pouzzner
77bebff341 fixes for armasm:
configure.ac: set DEFAULT_ENABLED_ALL_ASM=no if FIPS <v6 and not on amd64 (i.e. if ARM);

tests/api/test_sha256.c: skip test_wc_Sha256_Flags() and test_wc_Sha224_Flags() if armasm and FIPS <v7;

wolfssl/wolfcrypt/settings.h: define WOLFSSL_SP_INT_DIGIT_ALIGN for ARM (needed on BE, and no effect on LE).
2025-05-15 21:20:10 -05:00
Daniel Pouzzner
8a8a2b5bb1 .github/workflows/smallStackSize.yml: don't install multilib (not needed). 2025-05-15 21:13:50 -05:00
Ruby Martin
2940a16c10 coverity: initialize variables for api.c, test_digest.h, and test_sha3.c 2025-05-15 16:55:34 -06:00
David Garske
081b8397c0 Merge pull request #8779 from douzzer/20250515-smallstack-refactors-and-tests
20250515-smallstack-refactors-and-tests
2025-05-15 15:02:58 -07:00
Daniel Pouzzner
401868908a add .github/workflows/smallStackSize.yml;
smallstack refactors in
* wolfcrypt/src/asn.c : wc_GetSubjectPubKeyInfoDerFromCert(),
* wolfcrypt/src/dilithium.c : dilithium_sign_with_seed_mu(),
* wolfcrypt/src/ecc.c : wc_ecc_mulmod_ex2(),
* wolfcrypt/src/wc_mlkem.c : mlkemkey_decapsulate(),
* and wolfcrypt/src/wc_mlkem_poly.c : mlkem_gen_matrix_k*_avx2() and mlkem_get_noise_k2_avx2();

wolfcrypt/test/test.c: in TEST_PASS(), fix STACK_SIZE_CHECKPOINT_WITH_MAX_CHECK to honor TEST_ALWAYS_RUN_TO_END.
2025-05-15 15:28:11 -05:00
David Garske
a1b644202c Merge pull request #8759 from anhu/index_idx
Rename variable index to idx to avoid conflicting declaration.
2025-05-15 11:01:27 -07:00
David Garske
63c3c547b6 Merge pull request #8768 from lealem47/zd19853
Add sniffer cleanup API's
2025-05-15 11:01:19 -07:00
David Garske
c13be21a90 Merge pull request #8755 from AlexLanzano/pqc-gcc-error
Remove redefinition of MlKemKey and Fix build issue in benchmark
2025-05-15 11:00:40 -07:00
Marco Oliverio
22f41a8dbb Drop DTLS packets with bogus minor version number 2025-05-15 19:50:36 +02:00
Andrew Hutchings
6790c95e94 Merge pull request #8745 from dgarske/stm32_crypt_header_width
Fix edge case issue with STM32 AES GCM auth padding
2025-05-15 16:51:52 +01:00
Anthony Hu
a613fc28d6 Allow tests to build with opensslall and no server. 2025-05-15 11:18:15 -04:00
David Garske
2ac4be3f22 Merge pull request #8773 from douzzer/20250514-linuxkm-and-sp-tweaks
20250514-linuxkm-and-sp-tweaks
2025-05-14 19:54:48 -07:00
Daniel Pouzzner
baaab4ccac Merge pull request #8722 from anhu/undef_def
Do not allow define of max to interfere with pthreads
2025-05-14 18:44:57 -05:00
Daniel Pouzzner
c201006a26 wolfcrypt/src/sp_int.c: move setup for -Wno-array-bounds when WOLFSSL_SP_DYN_STACK, to follow sp_int.h include. 2025-05-14 18:20:08 -05:00
Anthony Hu
a814683684 Rename variable index to idx to avoid conflicting declaration. 2025-05-14 18:26:37 -04:00
Daniel Pouzzner
c8b507d246 wolfssl/wolfcrypt/sp_int.h: refactor SP_WORD_SIZEOF as a simple numeric literal, and use them for XALIGNED() for Windows portability. 2025-05-14 16:54:49 -05:00
Daniel Pouzzner
55bbd84445 wolfssl/wolfcrypt/sp_int.h and wolfcrypt/src/sp_int.c: add WOLFSSL_SP_DYN_STACK macro to orthogonalize gnarly setup logic, and refactor to use it throughout; refactor several more sp_int stack-allocated data buffers as sp_int_digit[]s rather than char[]s. 2025-05-14 15:39:37 -05:00
Daniel Pouzzner
f0f4084f94 linuxkm/lkcapi_dh_glue.c: never install DH/FFDHE on kernel <5.18 -- DH secrets have a different format before that version, and FFDHE (CONFIG_CRYPTO_DH_RFC7919_GROUPS) was introduced in 5.18 and is the only FIPS-allowed DH variant. 2025-05-14 15:39:37 -05:00
David Garske
49d9bfa160 Merge pull request #8758 from bigbrett/exportx509pubkey-api
Added new ASN X509 API: `wc_GetSubjectPubKeyInfoDerFromCert`
2025-05-14 12:28:45 -07:00
Lealem Amedie
4af0e14e7b Add ssl_RemoveSession API 2025-05-14 12:09:41 -06:00
Brett Nicholas
40c9a03ebe rename function args to match implementation 2025-05-14 11:31:36 -06:00
David Garske
6270429089 Fix STM32MP13x STM32 AES GCM. 2025-05-14 10:27:01 -07:00
David Garske
4fd76dae95 Add portability fix for new INT_MAX required on all TLS limit checking (added in 91aad90c59 Jan 24, 2025). 2025-05-14 10:27:01 -07:00
David Garske
7a936d731d Fix edge case issue with STM32 AES GCM auth padding. Issue introduced in PR #8584. Fixes ZD 19783
Added way to override STM_CRYPT_HEADER_WIDTH.
2025-05-14 10:27:01 -07:00
David Garske
813e36a823 Merge pull request #8770 from douzzer/20250514-WOLFSSL_DEBUG_PRINTF-C89
20250514-WOLFSSL_DEBUG_PRINTF-C89
2025-05-14 08:50:46 -07:00
Alex Lanzano
88ae4266cf Don't define PQC option strings in benchmark if WOLFSSL_BENCHMARK_ALL is defined
This fixes the 'defined but not used' build issue in benchmark.c if any PQC algos are enabled
and WOLFSSL_BENCHMARK_ALL is defined.
2025-05-14 08:54:59 -04:00
Daniel Pouzzner
8035667d9b wolfssl/wolfcrypt/logging.h and wolfcrypt/src/logging.c: add WOLFSSL_DEBUG_PRINTF_FN and WOLFSSL_DEBUG_PRINTF_FIRST_ARGS, and update refactored wolfssl_log(), for C89 compat. 2025-05-14 03:21:28 -05:00
Daniel Pouzzner
c5021c0690 wolfcrypt/src/ecc.c: fix identicalInnerCondition in ecc_mulmod(). 2025-05-14 03:18:35 -05:00
Hideki Miyazaki
9b7a95e338 gurd tests NO_SW_BENCH 2025-05-14 14:52:51 +09:00
David Garske
cd79be4928 Merge pull request #8769 from douzzer/20250513-WOLFSSL_DEBUG_PRINTF-WOLFSSL_DEBUG_CERTIFICATE_LOADS
20250513-WOLFSSL_DEBUG_PRINTF-WOLFSSL_DEBUG_CERTIFICATE_LOADS
2025-05-13 21:15:43 -07:00
Daniel Pouzzner
9d722b3a6c purge baltimore-cybertrust-root.pem from certs/external/include.am and scripts/. 2025-05-13 20:52:08 -05:00
Daniel Pouzzner
55460a5261 wolfssl/wolfcrypt/logging.h and wolfcrypt/src/logging.c: add
WOLFSSL_DEBUG_PRINTF() macro adapted from wolfssl_log(), refactor
  wolfssl_log() to use it, and move printf setup includes/prototypes from
  logging.c to logging.h;

src/ssl_load.c: add source_name arg and WOLFSSL_DEBUG_CERTIFICATE_LOADS clauses
  to ProcessBuffer() and ProcessChainBuffer(), and pass reasonable values from
  callers;

remove expired "Baltimore CyberTrust Root" from certs/external/ca_collection.pem
  and certs/external/baltimore-cybertrust-root.pem.
2025-05-13 20:30:48 -05:00
Lealem Amedie
5a4c1d99a3 Expose RemoveStaleSessions sniffer API 2025-05-13 15:16:02 -06:00
JacobBarthelmeh
336b374b9c Merge pull request #8753 from dgarske/gcc4_portability
Improvements for portability using older gcc 4.8.2
2025-05-13 13:12:31 -06:00
Daniel Pouzzner
5f2a43f01f Merge pull request #8766 from dgarske/static_ephemeral
Fix for Curve25519 and static ephemeral issue with blinding
2025-05-12 15:18:37 -05:00
Brett Nicholas
2151a1b8a1 review comments 2025-05-12 11:43:56 -06:00
David Garske
e09e3f6098 Fix for Curve25519 and static ephemeral issue with curve25519 blinding. Added new test case (used by wolfKeyMgr). 2025-05-12 10:26:31 -07:00
David Garske
ed6f853b9c Merge pull request #8763 from douzzer/20250511-fixes
20250511-fixes
2025-05-12 08:48:37 -07:00
David Garske
110504acd6 Merge pull request #8761 from douzzer/20250510-SP-dyn-stack-tweaks-and-workaround
20250510-SP-dyn-stack-tweaks-and-workaround
2025-05-12 08:48:10 -07:00
Anthony Hu
af29a59325 Do not allow define of max to interfere with pthreads 2025-05-12 11:39:07 -04:00
Daniel Pouzzner
e19295bb64 wolfssl/wolfcrypt/settings.h: #define WOLFSSL_CURVE25519_BLINDING if defined(NO_CURVED25519_X64);
wolfcrypt/src/curve25519.c: if defined(NO_CURVED25519_X64), #undef USE_INTEL_SPEEDUP;

wolfcrypt/src/fe_operations.c: fixes for -m32 -Wconversions;

.github/workflows/wolfCrypt-Wconversion.yml: add -m32 scenario;

.wolfssl_known_macro_extras: remove unneeded entry for WOLFSSL_CURVE25519_BLINDING.
2025-05-11 12:06:23 -05:00
David Garske
b1cf5df2c2 Merge pull request #8762 from douzzer/20250510-testwolfcrypt-fix-exit-status
20250510-testwolfcrypt-fix-exit-status
2025-05-10 11:54:36 -07:00
Daniel Pouzzner
001a5ef897 wolfcrypt/test/test.c: in main(), return (exit with) 0 for success and 1 for failure. 2025-05-10 12:08:50 -05:00
Daniel Pouzzner
5a911f6af0 wolfssl/wolfcrypt/sp_int.h: wc_static_assert(), not static_assert(). 2025-05-10 02:16:48 -05:00
Daniel Pouzzner
8410d922db .wolfssl_known_macro_extras: remove WOLFSSL_CURVE25519_BLINDING (defined in settings.h since aa840f9c94). 2025-05-10 01:31:45 -05:00
Daniel Pouzzner
c967dd2a30 wolfcrypt/src/sp_int.c and wolfssl/wolfcrypt/sp_int.h: add
MP_INT_SIZEOF_DIGITS() macro, and use it for stack allocations in DECL_SP_INT()
  and DECL_SP_INT_ARRAY();

  refactor _sp_submod() to use DECL_SP_INT() rather than DECL_SP_INT_ARRAY() to
  work around apparent optimizer bug in gcc-15.
2025-05-10 01:28:17 -05:00
Daniel Pouzzner
d232680e9c Merge pull request #8749 from philljj/linuxkm_aes_debug_msgs
linuxkm aes: add debug msgs.
2025-05-09 16:46:44 -05:00
Brett Nicholas
79f214f73c add new X509 API: wc_Exportx509PubKeyWithSpki 2025-05-09 14:40:20 -06:00
JacobBarthelmeh
8e0aefd321 Merge pull request #8725 from AlexLanzano/no-malloc-support
Add support for no malloc with `wc_CheckCertSigPubKey`
2025-05-09 14:23:47 -06:00
philljj
3d92eb6d2e Merge pull request #8756 from douzzer/20250509-linuxkm-lkcapi-rsa-pkcs1-precedence
20250509-linuxkm-lkcapi-rsa-pkcs1-precedence
2025-05-09 13:59:09 -05:00
David Garske
68b83bfa14 Merge pull request #8711 from JacobBarthelmeh/coverity
fix for sanity check on --group with unit test app and null sanity check with des decrypt
2025-05-09 11:41:53 -07:00
David Garske
407efd3c5d Merge pull request #8710 from JacobBarthelmeh/codesonar
ech get length fix and x509 extension print temporary buffer size
2025-05-09 11:41:24 -07:00
David Garske
7cd080b421 Merge pull request #8713 from JacobBarthelmeh/scan
use proper heap hint when free'ing CRL in error case
2025-05-09 11:23:20 -07:00
David Garske
0adb6eb788 Merge pull request #8748 from ColtonWilley/pkcs7_x509_store_update
Update PKCS7 to use X509 STORE for internal verification
2025-05-09 11:22:53 -07:00
Daniel Pouzzner
b6f6d8ffda linuxkm/lkcapi_glue.c: reorder registration of AES and SHA algs to put composite first and primitive last, to prevent kernel dynamic synthesis of the composites. 2025-05-09 12:12:15 -05:00
Alex Lanzano
76fd5319d4 Remove redefinition of MlKemKey
Removes the redundant typedef of MlKemKey which will break builds on
pre-C11 compilers. KyberKey is defined as a macro for MlKemKey.
2025-05-09 10:42:15 -04:00
Sean Parkinson
9d1bf83a43 Merge pull request #8736 from JacobBarthelmeh/build
adjust default build with curve25519
2025-05-09 20:24:53 +10:00
Daniel Pouzzner
707505d31d linuxkm/lkcapi_glue.c: in linuxkm_lkcapi_register(), register PKCS1 algs before direct_rsa, to prevent kernel from synthesizing conflicting PKCS1 implementations. for good measure, move raw DH after FFDHE too. 2025-05-09 00:40:30 -05:00
David Garske
82cb83abee Improvements for portability using older gcc 4.8.2 and customer parsing tools. 2025-05-08 17:02:27 -07:00
Sean Parkinson
4f07f6a9c1 Merge pull request #8750 from anhu/crl_RefFree
Add missing call to wolfSSL_RefFree in FreeCRL
2025-05-09 08:24:10 +10:00
philljj
96c15b3a87 Merge pull request #8751 from douzzer/20250508-linuxkm-lkcapi-ECDH-never-fips_enabled
20250508-linuxkm-lkcapi-ECDH-never-fips_enabled
2025-05-08 14:59:48 -05:00
JacobBarthelmeh
77c0f79cbe adjust ech get length only case 2025-05-08 13:50:42 -06:00
JacobBarthelmeh
9fb34d76c2 adjust size of temporary buffer 2025-05-08 13:50:42 -06:00
JacobBarthelmeh
6f1fe2e4b9 add sanity check on des cbc decrypt, CID 512990 2025-05-08 13:50:02 -06:00
JacobBarthelmeh
f96e493790 help static analyzer out, CID 516263 2025-05-08 13:50:02 -06:00
JacobBarthelmeh
ea03decf60 fix for --group argument test, CID 516265 2025-05-08 13:50:02 -06:00
JacobBarthelmeh
ae4a4236cc fix for index value with curve25519 2025-05-08 13:42:02 -06:00
jordan
b3d330258f linuxkm aes: cleanup. 2025-05-08 14:32:42 -05:00
Daniel Pouzzner
0532df5ce1 configure.ac: further fixes+cleanups for curve25519/ed25519 feature setup. now recognizes =asm as an override optionally preventing implicit noasm (linuxkm), and fixes wrong -DHAVE_CURVE25519 added to flags in FIPS builds. 2025-05-08 12:20:05 -05:00
Daniel Pouzzner
ac7326d272 linuxkm/lkcapi_glue.c: for LINUXKM_LKCAPI_REGISTER_ECDH, always clear fips_enabled (see comment for details). 2025-05-08 12:13:06 -05:00
Anthony Hu
42fb041890 Add missing call to wolfSSL_RefFree in FreeCRL 2025-05-08 13:11:37 -04:00
jordan
49f1725620 linuxkm aes: add debug msgs. 2025-05-08 11:47:20 -05:00
Colton Willey
9e7a4f6518 Update PKCS7 to use X509 STORE for internal verification instead of underlying CM 2025-05-08 09:45:58 -07:00
David Garske
7ff4ada692 Merge pull request #8746 from douzzer/20250507-ed25519-noasm
20250507-ed25519-noasm
2025-05-08 08:29:04 -07:00
Daniel Pouzzner
e044ec45b7 .github/workflows/codespell.yml: in skip section, add full paths for new artifacts in examples/asn1/. 2025-05-08 00:41:35 -05:00
Daniel Pouzzner
2e0ada9836 configure.ac: implement support for --enable-ed25519=noasm, and refactor and improve existing support for --enable-curve25519=noasm. 2025-05-07 23:59:58 -05:00
David Garske
c2528d48d7 Fix liboqs builds. 2025-05-07 14:36:55 -07:00
David Garske
18818415d9 Merge pull request #8744 from douzzer/20250507-fips-all
20250507-fips-all
2025-05-07 13:56:31 -07:00
JacobBarthelmeh
3f9fe491cc adjust C# test and set rng with hpke case 2025-05-07 14:33:15 -06:00
Daniel Pouzzner
d3ce45fbfb clean up Curve25519/Curve448 dependencies in FIPS builds:
configure.ac:

* in FIPS setup, fix sensing of ENABLED_CURVE25519 and ENABLED_CURVE448 to prevent noasm sneaking through, and allow fips=dev to enable them via override;

* enable-all enables ECH only if !FIPS;

* enable-all-crypto enables curve25519/curve448 only if !FIPS;

* QUIC implication of ENABLED_CURVE25519 is inhibited if FIPS;

tests/quic.c: add !HAVE_CURVE25519 paths in test_quic_key_share() to allow FIPS QUIC.
2025-05-07 14:34:35 -05:00
David Garske
cdeac13c87 Merge pull request #8742 from gojimmypi/pr-espressif-p4-and-hkdf
Espressif HAVE_HKDF for wolfssl_test, explicit ESP32P4
2025-05-07 12:30:54 -07:00
David Garske
72bff7d01e Lint and overlong. 2025-05-07 12:06:11 -07:00
David Garske
760178c7dc Improvements to no malloc support in ConfirmSignature for async and non-blocking. Refactor DSA ASN.1 decode in ConfirmSignature. Cleanup indent in types.h. Move struct CertSignCtx to types.h. Move WC_ENABLE_ASYM_KEY_IMPORT and WC_ENABLE_ASYM_KEY_EXPORT to settings.h. 2025-05-07 12:06:09 -07:00
Alex Lanzano
bc6b5598c5 Add NO_MALLOC support for wc_CheckCertSigPugKey 2025-05-07 12:04:38 -07:00
David Garske
1e3718ea7b Merge pull request #8655 from SparkiDev/asn1_oid_update
ASN.1 OIDs and sum: Change algorithm for sum
2025-05-07 11:43:54 -07:00
philljj
36d8298602 Merge pull request #8743 from douzzer/20250807-linuxkm-lkcapi-ecdh-fips-5v15
20250807-linuxkm-lkcapi-ecdh-fips-5v15
2025-05-07 12:47:03 -05:00
JacobBarthelmeh
cbc4cba263 set rng when making a curve25519 key and cast type after shift 2025-05-07 11:45:55 -06:00
Daniel Pouzzner
060d4d5ecc linuxkm/lkcapi_glue.c: on FIPS kernels <5.15, suspend fips_enabled when registering ecdh-nist-p256 and ecdh-nist-p384 to work around wrong/missing attributes/items in kernel crypto manager. 2025-05-07 11:14:24 -05:00
JacobBarthelmeh
eae4005884 Merge pull request #8717 from dgarske/renesas_rx_api
Make wc_tsip_* API's public
2025-05-07 09:29:05 -06:00
gojimmypi
ed2c20a3b2 Espressif HAVE_HKDF for wolfssl_test, explicit ESP32P4 2025-05-07 16:38:05 +02:00
Sean Parkinson
5e5f486a4c Merge pull request #8732 from dgarske/stm32_hash_status
Fix for STM32 hash status check logic (also fix NO_AES_192 and NO_AES_256)
2025-05-07 20:56:18 +10:00
Sean Parkinson
4b73e70515 Merge pull request #8706 from dgarske/win_crypt_rng
New build option to allow reuse of the windows crypt provider handle …
2025-05-07 20:55:07 +10:00
philljj
a69039b40d Merge pull request #8740 from douzzer/20250506-linuxkm-lkcapi-default-priority-100000
20250506-linuxkm-lkcapi-default-priority-100000
2025-05-06 20:04:19 -05:00
Sean Parkinson
112351667a ASN.1 OIDs and sum: Change algorithm for sum
New sum algorithm has no clashes at this time.
Old algorithm enabled by defining: WOLFSSL_OLD_OID_SUM.
New oid_sum.h file generated with scripts/asn1_oid_sum.pl.

Added bunch of OID names into asn1 example.
2025-05-07 08:32:08 +10:00
Sean Parkinson
d100898e92 Merge pull request #8737 from julek-wolfssl/wc_HKDF_Expand_ex-fix
wc_HKDF_Expand_ex: correctly advance the index
2025-05-07 08:23:33 +10:00
Daniel Pouzzner
8a3a5929b8 linuxkm/lkcapi_glue.c: change WOLFSSL_LINUXKM_LKCAPI_PRIORITY from INT_MAX to 100000 to avoid overflows in kernel calculation of priority on constructed algs. 2025-05-06 17:21:35 -05:00
David Garske
6eb8dfb769 Merge pull request #8668 from gojimmypi/pr-arduino-print
Fix Arduino progmem print, AVR WOLFSSL_USER_IO
2025-05-06 14:51:12 -07:00
David Garske
213c43b0fc Merge pull request #8715 from padelsbach/ssl-certman-codesonar
Speculative fix for CodeSonar overflow issue in ssl_certman.c
2025-05-06 14:49:57 -07:00
David Garske
1ee954a38c Merge pull request #8738 from kaleb-himes/refine-module-boundary
Refine module boundary based on lab feedback [IG C.K.]
2025-05-06 14:42:57 -07:00
David Garske
05a3557b2b Merge pull request #8703 from lealem47/zd19592
Attempt wolfssl_read_bio_file in read_bio even when XFSEEK is available
2025-05-06 14:42:19 -07:00
David Garske
d04ab3757e New build option WIN_REUSE_CRYPT_HANDLE to allow reuse of the windows crypt provider handle. Seeding happens on any new RNG or after WC_RESEED_INTERVAL. If using threads make sure wolfSSL_Init() or wolfCrypt_Init() is called before spinning up threads. ZD 19754. Fixed minor implicit cast warnings in internal.c. Add missing hpke.c to wolfssl VS project. 2025-05-06 14:38:02 -07:00
David Garske
602f4a7b05 Merge pull request #8739 from douzzer/20250506-fixes-and-test-coverage
20250506-fixes-and-test-coverage
2025-05-06 14:27:38 -07:00
Daniel Pouzzner
982a7600c2 src/tls13.c: in DoTls13ServerHello() WOLFSSL_ASYNC_CRYPT path, fix -Wdeclaration-after-statement caused by fallthrough definition;
.github/workflows: update async.yml, multi-arch.yml, multi-compiler.yml, no-malloc.yml, opensslcoexist.yml, and os-check.yml, with -pedantic and related flags, and add --enable-riscv-asm to multi-arch.yml RISC-V scenario;

configure.ac: clarify error message for "SP ASM not available for CPU."
2025-05-06 14:49:32 -05:00
Lealem Amedie
579e22f843 Remove WOLFSSL_NO_FSEEK from known macros 2025-05-06 15:39:18 -04:00
David Garske
25db14f50c Fix macro typo. 2025-05-06 10:42:09 -07:00
kaleb-himes
654812679b Refine module boundary based on lab feedback [IG C.K.] 2025-05-06 09:33:36 -06:00
Juliusz Sosinowicz
d82d8a53ef wc_HKDF_Expand_ex: correctly advance the index 2025-05-06 13:47:54 +02:00
Sean Parkinson
1c0e5af3a4 Merge pull request #8720 from JacobBarthelmeh/xilinx
add macro guards for SHA3 test cases to unit tests
2025-05-06 10:50:01 +10:00
Sean Parkinson
428915e492 Merge pull request #8719 from philljj/coverity_april_2025
Fix coverity warnings
2025-05-06 10:11:27 +10:00
Sean Parkinson
dfec168402 Merge pull request #8721 from philljj/coverity_misc
Coverity misc
2025-05-06 10:04:53 +10:00
JacobBarthelmeh
3819c352e8 Merge pull request #8728 from dgarske/qat_4.28
Fixes for Intel QuickAssist latest driver (4.28)
2025-05-05 17:48:49 -06:00
David Garske
219902149e Fix issue with api.c test_wolfSSL_OBJ and ./certs/test-servercert.p12 that uses DES3 and AES-CBC-256. 2025-05-05 15:55:00 -07:00
David Garske
c2f1563144 Merge pull request #8726 from kareem-wolfssl/zd19786
Pass in correct hash type to wolfSSL_RSA_verify_ex.
2025-05-05 15:38:41 -07:00
Daniel Pouzzner
629d812eb3 Merge pull request #8730 from philljj/linuxkm_pkcs1pad_more
linuxkm rsa: add more pkcs1pad sha variants
2025-05-05 16:59:29 -05:00
David Garske
751dcdf3df Improve the hash wait logic by separating the data input ready from the digest calculation complete. 2025-05-05 14:36:36 -07:00
David Garske
0f4ce03c28 Fixes for NO_AES_192 and NO_AES_256. Added CI test. Fixed bad BUILD_ logic for ADH-AES256-GCM-SHA384. 2025-05-05 14:36:36 -07:00
David Garske
e487685d7d Fix for STM32 Hashing status bit checking logic. ZD 19783. The digest calculation was indicating "not busy" before digest result (DCIS) was finished. This did not show up on most systems because the computation is usually done by the time it reads. 2025-05-05 14:36:36 -07:00
philljj
6296dfdb1e Merge pull request #8735 from douzzer/20250502-linuxkm-fixes
20250502-linuxkm-fixes
2025-05-05 16:29:00 -05:00
David Garske
3d4e89c2ca Make wc_tsip_* API's public. 2025-05-05 14:02:05 -07:00
David Garske
2c0ca1cacb Fix for QAT driver QAT.L.4.28.0-00004 icp include path. Fix for CentOS 7 to allow automake 1.13.4 (works fine). 2025-05-05 13:22:54 -07:00
JacobBarthelmeh
aa840f9c94 adjust default build with curve25519 2025-05-05 14:06:44 -06:00
Daniel Pouzzner
c402d7bd94 Merge pull request #8729 from philljj/linuxkm_ecdh_decode_secret
Linuxkm ecdh decode secret
2025-05-05 14:59:51 -05:00
David Garske
d5cca9d7c9 Merge pull request #8733 from SparkiDev/riscv_hash_raw_fix
RISC-V 64-bit: fix raw hash when using crypto instructions
2025-05-05 12:44:51 -07:00
Kareem
aad15b27a2 Pass in correct hash type to wolfSSL_RSA_verify_ex. 2025-05-05 11:58:26 -07:00
jordan
a341333589 linuxkm rsa: additional pkcs1 sha variants. 2025-05-05 13:50:12 -05:00
jordan
68682f155c linuxkm ecdh: remove dependency on crypto_ecdh_decode_key. 2025-05-05 13:39:13 -05:00
jordan
efd5405d0e coverity: fix check_after_deref, assignment_where_comparison_intended, uninit vars, return values, etc. 2025-05-05 13:18:29 -05:00
Daniel Pouzzner
b9b66042d7 wolfssl/wolfcrypt/dh.h: gate in wc_DhGeneratePublic() with WOLFSSL_DH_EXTRA,
adding WOLFSSL_NO_DH_GEN_PUB in the unlikely event it needs to be disabled;

configure.ac: in --enable-linuxkm-lkcapi-register section, remove special-case
  handling for -DWOLFSSL_DH_GEN_PUB, and add support for
  --enable-linuxkm-lkcapi-register=all-kconfig, which disables registration of
  any algs that are disabled in the target kernel, and #errors if any algs or
  registrations are disabled or incompatible in libwolfssl but enabled in the
  target kernel (note, it does not #error for algorithms we don't currently
  shim/implement);

linuxkm/lkcapi_glue.c: change default WOLFSSL_LINUXKM_LKCAPI_PRIORITY from 10000
  to INT_MAX to make masking impossible;

linuxkm/lkcapi*glue.c: move all remaining algorithm-specific gate setup into the
  respective algorithm family files, and in each family file, add
  LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG logic to activate shims only if the
  corresponding algorithm is activated in the target kernel.

linuxkm/lkcapi_sha_glue.c: fix -Wunuseds in
  wc_linuxkm_drbg_default_instance_registered() and wc_linuxkm_drbg_cleanup()
  when !LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT.
2025-05-05 13:17:06 -05:00
jordan
baa7efa8af Fix coverity uninit var warnings, add missing priv key ForceZero. 2025-05-05 13:14:39 -05:00
JacobBarthelmeh
203758695f use proper heap hint when free'ing CRL in error case 2025-05-05 11:21:03 -06:00
JacobBarthelmeh
e233ead7f6 add macro guards for SHA3 test cases 2025-05-05 11:19:21 -06:00
David Garske
9587b7b12e Merge pull request #8734 from JacobBarthelmeh/libssh2
update libssh2 test to use stable-slim instead of test-slim
2025-05-05 09:55:57 -07:00
JacobBarthelmeh
5fbe23cfd9 update libssh2 test to use stable-slim instead of test-slim 2025-05-05 10:09:47 -06:00
Sean Parkinson
3acf3ef3c5 RISC-V 64-bit: fix raw hash when using crypto instructions
./configure CC=riscv64-linux-gnu-gcc --host=riscv64 --disable-shared LDFLAGS=--static --enable-riscv-asm=zvkned
Digest state is not always stored in a way that can be directly copied out.
2025-05-03 08:42:17 +10:00
philljj
1075ce8cf4 Merge pull request #8727 from douzzer/20250501-linuxkm-ecdsa-workaround
20250501-linuxkm-ecdsa-workaround
2025-05-01 22:44:48 -05:00
Sean Parkinson
aa50cfc92c Merge pull request #8723 from lealem47/zd19721
Sniffer: Add multiple sessions by removing cached check
2025-05-02 08:44:05 +10:00
Daniel Pouzzner
fea5694e1d linuxkm/lkcapi_glue.c: with kernels <6.3.0, disable kernel fips_enabled mode while registering FIPS ECDSA shims, to work around crypto manager bug (not recognized as FIPS-allowed algorithms). 2025-05-01 16:57:55 -05:00
Daniel Pouzzner
a18a8ced23 linuxkm/lkcapi_*_glue.c: in test harnesses, fix several out-of-order NULLing of PTR_ERR-type pointers in error paths. 2025-05-01 16:55:30 -05:00
philljj
937fb03f05 Merge pull request #8718 from douzzer/20250428-linuxkm-stdrng
20250428-linuxkm-stdrng
2025-05-01 15:31:15 -05:00
Lealem Amedie
ac139dfe49 Sniffer: Add multiple sessions by removing cached check 2025-05-01 14:27:35 -04:00
Daniel Pouzzner
5633a2fa76 linuxkm: in configure.ac, fix feature dependency test for --enable-linuxkm-lkcapi-register=stdrng*, and in linuxkm/lkcapi_sha_glue.c, fix PRNG quality test in wc_linuxkm_drbg_startup(). 2025-05-01 13:07:23 -05:00
Daniel Pouzzner
1b59bc25d1 linuxkm:
in lkcapi_sha_glue.c:

    in linuxkm_hmac_setkey_common(), ignore keylength even in FIPS modules (use
    wc_HmacSetKey_ex(..., 1)) on kernel < 6.0 to work around crypto manager bug;

    in wc_linuxkm_drbg_startup(), add rng workout routine using handle from
    crypto_alloc_rng();

  in lkcapi_*_glue.c: fix test routines to return valid wolfCrypt error codes
  consistently;

  in module_hooks.c, implement
    * linuxkm_lkcapi_sysfs_install_node(),
    * linuxkm_lkcapi_sysfs_deinstall_node(),
    * FIPS_rerun_self_test_handler()
  and add corresponding setup/teardown in wolfssl_init() and wolfssl_exit();

  in lkcapi_glue.c:

    refactor linuxkm_lkcapi_sysfs_install and linuxkm_lkcapi_sysfs_deinstall to
    use the new helpers;

    harden the REGISTER_ALG() and UNREGISTER_ALG() macros and the
    linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() functions, and add
    informational messages about number of algs registered/deregistered;

  in x86_vector_register_glue.c: fix gate for irq_fpu_usable() workaround to
  reflect backporting of fix in >=5.10.180 in 5.10-LTS and >=5.15.39 in 5.15-LTS
  linuxkm/lkcapi_glue.c: move WOLFSSL_DEBUG_TRACE_ERROR_CODES coverage for
  EINVAL/ENOMEM/EBADMSG to module_hooks.c.
2025-05-01 00:08:32 -05:00
Daniel Pouzzner
273b7fc0da linuxkm: support DRBG in LKCAPI shim set:
* Implement --enable-linuxkm-lkcapi-register=stdrng and =stdrng-default,
  LINUXKM_LKCAPI_REGISTER_HASH_DRBG, and
  LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT.  With "_DEFAULT", the DRBG is
  installed as the systemwide default stdrng, necessitating
  deregister-on-command, described below.  Note that get_random_bytes() and the
  associated /dev/random and /dev/urandom do not use the default stdrng, and
  their back end cannot currently be replaced by a module.

* Add control nodes /sys/module/libwolfssl/install_algs and
  /sys/module/libwolfssl/deinstall_algs.

* Add configure option --enable-linuxkm-lkcapi-register=sysfs-nodes-only, and
  macro LINUXKM_LKCAPI_REGISTER_ONLY_ON_COMMAND, to inhibit registration at
  module load time.

In configure.ac ENABLED_LINUXKM_LKCAPI_REGISTER setup, don't define
  WOLFSSL_DH_GEN_PUB in old FIPS, but do define it for =all.
2025-04-29 00:42:15 -05:00
Daniel Pouzzner
4450167ab0 Merge pull request #8707 from philljj/register_dh
linuxkm: register dh and ffdhe.
2025-04-28 23:00:17 -05:00
Sean Parkinson
bb9f3c9f9d Merge pull request #8698 from rlm2002/msys2
adjust MSYS CI Build
2025-04-29 09:03:58 +10:00
Sean Parkinson
d8ab66b39a Merge pull request #8705 from dgarske/stm32_hash
Fix for STM32 Hash with IRQ enabled
2025-04-29 09:00:42 +10:00
Sean Parkinson
03ad93f4eb Merge pull request #8709 from dgarske/win32_wince
Fixes to support _WIN32_WCE (VS 2008 with WinCE 6.0/7.0)
2025-04-29 08:59:58 +10:00
Sean Parkinson
2ce7c2ac4c Merge pull request #8714 from mgrojo/alire-inclusion
Ada: prepare inclusion of v5.8.0 in Alire index
2025-04-29 08:58:24 +10:00
jordan
f6f3b0a1ee linuxkm: register dh and ffdhe. 2025-04-25 21:21:26 -05:00
Paul Adelsbach
b4d94429d1 Speculative fix for CodeSonar overflow issue 2025-04-25 12:58:23 -07:00
mgrojo
e6e64515c7 Ada: prepare inclusion of v5.8.0 in Alire index 2025-04-25 20:56:06 +02:00
David Garske
b077c81eb6 Merge pull request #8712 from JacobBarthelmeh/release
prepare for release 5.8.0
2025-04-24 15:10:41 -07:00
JacobBarthelmeh
e4cb69caef remove trailing space character in changelog 2025-04-24 12:20:23 -07:00
JacobBarthelmeh
9be6a81bab prepare for release 5.8.0 2025-04-24 10:41:40 -07:00
David Garske
81cd5df263 Fixes to support _WIN32_WCE (VS 2008 with WinCE 6.0/7.0). Should have been part of #8621. 2025-04-24 08:18:44 -07:00
David Garske
3a1178f71c Fix for STM32 Hash with NVIC (IRQ) enabled that can cause a DINIS interrupt that does not get cleared. If the HASH NVIC tab has Interrupts enabled it can cause an IRQ to be triggered that is not cleared. This is because the wolfSSL implementation of STM32 Hash does not call the HAL HASH API's and does not use interrupts yet. ZD 19778 2025-04-23 13:55:57 -07:00
JacobBarthelmeh
c22505a71a Merge pull request #8700 from embhorn/rel_fixes_cs
Fixes from CodeSonar report
2025-04-23 11:36:15 -06:00
philljj
204d933f9f Merge pull request #8702 from douzzer/20250422-linuxkm-tweaks
20250422-linuxkm-tweaks
2025-04-22 21:34:13 -05:00
Lealem Amedie
5fe086b388 Skip PKCS8 header check in wc_CreatePKCS8Key with WOLFSSL_NO_ASN_STRICT 2025-04-22 16:58:04 -06:00
Lealem Amedie
882eaa5df8 Attempt wolfssl_read_bio_file in read_bio even when XFSEEK is available 2025-04-22 16:56:32 -06:00
David Garske
68eec91f04 Merge pull request #8701 from JacobBarthelmeh/fuzz
init buffer before creating digest value
2025-04-22 15:20:45 -07:00
Daniel Pouzzner
1f9d0b1612 linuxkm/: fix error checking on malloc()ed values (! ptr, not IS_ERR(ptr)). 2025-04-22 17:11:52 -05:00
Daniel Pouzzner
d4fc8c3791 linuxkm/: null out pointers with PTR_ERR()-encoded values before jumping to cleanup;
linuxkm/lkcapi_rsa_glue.c: in km_rsa_init(), implement error-path cleanup;

linuxkm/module_hooks.c: nix CONFIG_MODULE_SIG requirement in WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE builds;

wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM setup, define WOLFSSL_ASN_INT_LEAD_0_ANY if LINUXKM_LKCAPI_REGISTER (required for kernel 5.10 crypto manager);

wolfcrypt/src/memory.c: add WC_NO_ERR_TRACE() to mock error returns in SAVE_VECTOR_REGISTERS2_fuzzer().
2025-04-22 16:44:07 -05:00
JacobBarthelmeh
43cdc1be74 init buffer before creating digest value 2025-04-22 14:34:16 -06:00
Eric Blankenhorn
66b9256f86 Fixes from CodeSonar report 2025-04-22 14:43:01 -05:00
Daniel Pouzzner
e6f8de7d31 Merge pull request #8699 from JacobBarthelmeh/bn
revert BN_CTX_init stub for older applications
2025-04-22 14:21:01 -05:00
Ruby Martin
a1cb6e5ba5 only test msys system, add buffer typecasts 2025-04-22 12:35:12 -06:00
Daniel Pouzzner
25cd009a42 Merge pull request #8695 from JacobBarthelmeh/coverity
null derefernce sanity checks and control flow issue
2025-04-22 11:37:51 -05:00
JacobBarthelmeh
9da9817f89 move test case to the correct location for stub macro guard 2025-04-22 10:09:01 -06:00
JacobBarthelmeh
b22cc12c8d add missing BN_CTX_init define 2025-04-22 09:29:28 -06:00
JacobBarthelmeh
33da20c3ec revert BN_CTX_init stub for older applications 2025-04-22 09:22:40 -06:00
David Garske
3ca444e0e1 Merge pull request #8697 from douzzer/20250419-test_dtls13_ack_order-uninited-read
20250419-test_dtls13_ack_order-uninited-read
2025-04-19 19:44:35 -07:00
Daniel Pouzzner
bbbed009b2 tests/api/test_dtls.c: fix read of uninited data in test_dtls13_ack_order(). 2025-04-19 01:57:51 -05:00
Daniel Pouzzner
9e5c064d5d Merge pull request #8679 from kojiws/keep_header_on_pkcs12_parse
Add wc_PKCS12_parse_ex() to keep PKCS8 header
2025-04-19 01:57:21 -05:00
Daniel Pouzzner
543ba268a4 Merge pull request #8558 from julek-wolfssl/openssh-9.9-fix
wolfSSL_EVP_PKEY_cmp: only compare the public keys
2025-04-19 01:51:49 -05:00
philljj
3cdc521d33 Merge pull request #8696 from douzzer/20250418-linuxkm-lkcapi-cleanup
20250418-linuxkm-lkcapi-cleanup
2025-04-18 20:19:36 -05:00
Daniel Pouzzner
2e31cad4f6 wolfssl/internal.h: clean up WOLFSSL_TEST_VIS comments and an unneeded attr on GetOutputBuffer(). 2025-04-18 18:27:07 -05:00
Daniel Pouzzner
fe244fb41b linuxkm: clean up LKCAPI glue:
typography fixes;

static attr on const byte arrays;

refactor km_ecdsa_verify() to use a single heap allocation;

fix linuxkm_test_ecdsa_nist_driver() to copy sig and hash to a heap allocation before passing to sg_set_buf() (avoids unmapping of rodata);

in linuxkm_test_pkcs1_driver() move hash from stack to heap;

add LINUX_VERSION_CODE >= 5.4 assertion in linuxkm/lkcapi_glue.c;

streamline macro logic in linuxkm/lkcapi_sha_glue.c.
2025-04-18 18:21:57 -05:00
JacobBarthelmeh
d481086910 restore internal hashes pointer on error, CID 515542 2025-04-18 16:52:25 -06:00
JacobBarthelmeh
69a4607f84 null sanity check on arguments in wc_HpkeContextComputeNonce, CID 515543 2025-04-18 16:47:36 -06:00
JacobBarthelmeh
f834b9b08a add null sanity check to wolfSSL_SESSION_get_max_early_data, CID 516264 2025-04-18 16:31:33 -06:00
JacobBarthelmeh
73c286ae46 fix possible null dereference, CID 518681 2025-04-18 16:02:46 -06:00
JacobBarthelmeh
a21542cdfc Merge pull request #8689 from julek-wolfssl/gh/8666
dtls13: send acks with correct record number order
2025-04-18 15:50:56 -06:00
philljj
c41407111a Merge pull request #8694 from douzzer/20250411-linuxkm-SHA
20250411-linuxkm-SHA
2025-04-18 16:45:55 -05:00
Juliusz Sosinowicz
43c564d48b dtls13: send acks with correct record number order 2025-04-18 14:56:59 -05:00
Daniel Pouzzner
74232f5fe7 Merge pull request #8631 from julek-wolfssl/gh/8579-2
dtls13: additional epoch checks
2025-04-18 14:49:00 -05:00
Daniel Pouzzner
8c0b931459 Merge pull request #8652 from kareem-wolfssl/zd19563_2
Add some FPKI test OIDs which are currently being used in DoD JITC certificates.
2025-04-18 14:04:29 -05:00
Daniel Pouzzner
0430d25cfb linuxkm shims for all SHA and SHA-HMAC flavors. 2025-04-18 11:57:29 -05:00
Daniel Pouzzner
f7407e4065 20250411-linuxkm-SHA checkpoint 2025-04-18 11:57:29 -05:00
gojimmypi
1f88ab58c1 Fix Arduino progmem print, AVR WOLFSSL_USER_IO 2025-04-18 14:29:32 +02:00
Koji Takeda
2e02274be7 Add guard macro 2025-04-18 08:08:25 +09:00
David Garske
1b240e2cbc Merge pull request #8693 from kareem-wolfssl/forum8313
Fix unused function warning for wc_AesDecrypt when building with STM32.
2025-04-17 15:39:32 -07:00
Koji Takeda
039ff1b460 Add wc_PKCS12_parse_ex() 2025-04-18 06:39:16 +09:00
Kareem
645da33176 Fix unused function warning for wc_AesDecrypt when building with STM32.
This function is not needed for AES-CCM, as the AES-CCM decrypt function only calls wc_AesEncrypt.
2025-04-17 14:33:44 -07:00
Daniel Pouzzner
5e1f713995 Merge pull request #8691 from lealem47/ecc521_minSz
Fix SetMinEccKey_Sz to allow for P-521 minimum
2025-04-17 14:31:56 -05:00
Kareem
038eab61d0 Add additional FPKI test OIDs. 2025-04-17 11:29:36 -07:00
Kareem
686ae22af2 Add additional FPKI test OIDs to FPKI test cert. 2025-04-17 11:14:40 -07:00
Kareem
00a6c3953c Add some FPKI test OIDs which are currently being used in DoD JITC certificates. 2025-04-17 11:10:35 -07:00
Juliusz Sosinowicz
e709cb4cf2 _Dtls13HandshakeRecv: cast handshakeType 2025-04-17 19:21:59 +02:00
philljj
cb1a35ac7d Merge pull request #8690 from douzzer/20250417-LINUXKM_DIRECT_RSA
20250417-LINUXKM_DIRECT_RSA
2025-04-17 11:26:09 -05:00
Juliusz Sosinowicz
f6f295e29f fixup! dtls13: additional epoch checks 2025-04-17 18:18:44 +02:00
Daniel Pouzzner
775bbacce6 Merge pull request #8688 from miyazakh/client_pqc_option
Make client pqc option consistency with server
2025-04-17 11:18:41 -05:00
Juliusz Sosinowicz
3cba5c6dc1 fixup! dtls13: additional epoch checks 2025-04-17 18:18:01 +02:00
Juliusz Sosinowicz
3f560036d6 dtls13: additional epoch checks 2025-04-17 18:18:01 +02:00
Daniel Pouzzner
b533d082b0 Merge pull request #8678 from embhorn/zd19742
Fix types.h for MSVC6.0
2025-04-17 11:12:09 -05:00
Lealem Amedie
1b80c03fe9 Change to short type 2025-04-17 10:05:40 -06:00
Daniel Pouzzner
44adc4a71d linuxkm/lkcapi_rsa_glue.c: gate LINUXKM_DIRECT_RSA directly on WC_RSA_NO_PADDING;
configure.ac: always pass -DWC_RSA_NO_PADDING for --enable-linuxkm-lkcapi-register=rsa or =all.
2025-04-17 10:38:45 -05:00
JacobBarthelmeh
ce67d8cd07 Merge pull request #8687 from douzzer/20250417-fix-test_mldsa_pkcs8
20250417-fix-test_mldsa_pkcs8
2025-04-17 08:56:57 -06:00
Daniel Pouzzner
28091e8842 Merge pull request #8685 from philljj/linuxkm_ecdh_forcezero
linuxkm ecdh: force zero shared secret buffer, and clear old key.
2025-04-17 09:35:35 -05:00
Lealem Amedie
429f435593 Fix SetMinEccKey_Sz to allow P-521 minimum 2025-04-17 08:22:20 -06:00
Hideki Miyazaki
da2c48fef5 make client pqc option consistency with server 2025-04-17 15:40:27 +09:00
Daniel Pouzzner
5b3e19c1b6 Merge pull request #8686 from miyazakh/oid_collision
fix OID collision
2025-04-17 00:54:04 -05:00
Daniel Pouzzner
90f30fd15e Merge pull request #8623 from SparkiDev/lms_kid_from_privraw
LMS: add API to get Key ID from raw private key
2025-04-17 00:49:08 -05:00
Daniel Pouzzner
3fcd3cdb99 tests/api/test_mldsa.c: fix clang-analyzer-core.NullDereference in test_mldsa_pkcs8(). 2025-04-17 00:42:11 -05:00
philljj
4906974fad Merge pull request #8683 from douzzer/20250416-linuxkm-FIPS-wrappers
20250416-linuxkm-FIPS-wrappers
2025-04-16 23:18:04 -05:00
David Garske
404fafd598 Merge pull request #8677 from SparkiDev/regression_fixes_17
Regression test fixes
2025-04-16 20:20:28 -07:00
David Garske
a66fb123b4 Merge pull request #8684 from SparkiDev/lms_max_levels_1
LMS: fix for when WOLFSSL_LMS_MAX_LEVELS is 1
2025-04-16 20:19:40 -07:00
David Garske
a9e2146f06 Merge pull request #8675 from SparkiDev/entropy_memuse_fix
Entropy MemUse: fix for when block size less than update bits
2025-04-16 20:18:22 -07:00
David Garske
2ce415c464 Merge pull request #8682 from SparkiDev/sp_ecc_non_block_aligned
ECC non-blocking: make sp_ecc_ctx data aligned
2025-04-16 20:17:33 -07:00
Hideki Miyazaki
62f7ff9ec2 fix OID collision
fix qt jenkins failure
2025-04-17 11:55:03 +09:00
jordan
57ccabb25c linuxkm ecdh: force zero shared secret buffer, and clear old key. 2025-04-16 21:15:32 -05:00
Sean Parkinson
62f28759d8 LMS: fix for when WOLFSSL_LMS_MAX_LEVELS is 1 2025-04-17 11:19:41 +10:00
Sean Parkinson
4f3ce188b6 Memory Zero checks: add check call
Must check memory is zeroed after Tls13DeriveKey() call.
2025-04-17 10:53:49 +10:00
Sean Parkinson
4c7fb1f428 ECC non-blocking: make sp_ecc_ctx data aligned
Align data on 4 byte boundary for ARM chips.
2025-04-17 10:07:58 +10:00
Sean Parkinson
a34284e0a2 Entropy MemUse: support for custom hi res time
Call the custom high resolution time function when
CUSTOM_ENTROPY_TIMEHIRES is defined with the function name.
2025-04-17 09:30:29 +10:00
Daniel Pouzzner
78a9cd7c58 linuxkm/module_hooks.c: don't define FIPS_NO_WRAPPERS;
linuxkm/lkcapi_ecdh_glue.c: in km_ecdh_compute_shared_secret(), wrap wc_ecc_shared_secret() in PRIVATE_KEY_UNLOCK...PRIVATE_KEY_LOCK.
2025-04-16 18:29:43 -05:00
Daniel Pouzzner
bfab68f40c Merge pull request #8646 from philljj/register_rsa
linuxkm: register rsa
2025-04-16 17:51:20 -05:00
philljj
91cd0e96fa Merge pull request #8680 from douzzer/20250416-WC_SANITIZE_DISABLE
20250416-WC_SANITIZE_DISABLE
2025-04-16 16:56:09 -05:00
Daniel Pouzzner
049c4a8910 wolfssl/wolfcrypt/settings.h: map WC_SANITIZE_{DISABLE,ENABLE}() to kasan_{disable,enable}_current();
wolfssl/wolfcrypt/types.h: fallthrough map WC_SANITIZE_{DISABLE,ENABLE}() to WC_DO_NOTHING;

linuxkm/module_hooks.c: add WC_SANITIZE_DISABLE...WC_SANITIZE_ENABLE wrapper around critical span in updateFipsHash().
2025-04-16 15:51:47 -05:00
Juliusz Sosinowicz
257fd17ea4 fixup! wolfSSL_EVP_PKEY_cmp: only compare the public keys 2025-04-16 18:21:55 +02:00
Juliusz Sosinowicz
9b3b874aba tls13: clear resuming flag when we don't have a way to resume 2025-04-16 18:14:09 +02:00
Juliusz Sosinowicz
290dbaa18e wolfSSL_EVP_PKEY_cmp: only compare the public keys 2025-04-16 18:14:09 +02:00
jordan
ff93e6d5d4 linuxkm: register rsa. 2025-04-16 09:50:06 -05:00
Eric Blankenhorn
f7ca8237b8 Fix types.h for MSVC6.0 2025-04-16 09:24:46 -05:00
Sean Parkinson
3ac05dea09 Regression test fixes
dtls13.c: LowResTimer() not available when NO_ASN_TIME is defined.
api.c: Add certificate and key to use for when only Ed25519 or Ed448.
asn.c: Casts needed for g++ compile.
mem_track.c: Casts needed for g++ compile.
2025-04-16 21:46:48 +10:00
Sean Parkinson
5e8d018ff7 Merge pull request #8659 from kojiws/improve_mldsa_priv_key_import
Improve ML-DSA private key import and the test
2025-04-16 18:21:00 +10:00
Koji Takeda
c05c827d6b Add a space after if and for 2025-04-16 16:26:52 +09:00
Koji Takeda
1646a4b274 Reflect review 2025-04-16 13:46:39 +09:00
Sean Parkinson
f458930d24 Merge pull request #8653 from kareem-wolfssl/zd19696
Make trusted_ca_keys check opt-in.
2025-04-16 10:45:01 +10:00
Sean Parkinson
b1aa11d42e Entropy MemUse: fix for when block size less than update bits
When the block size is less than the number of update bits, adding the
update value will make the index larger than ENTROPY_NUM_WORDS.
The update bits, ENTROPY_NUM_UPDATES_BITS, should be less than or equal
to ENTROPY_BLOCK_SZ but is not practical.
Add extra elements to the entropy state to accomadate this.
2025-04-16 10:30:37 +10:00
Daniel Pouzzner
6bf93c93d4 Merge pull request #8594 from julek-wolfssl/nss
Implement AES-CTS in wolfCrypt
2025-04-15 18:35:52 -05:00
Daniel Pouzzner
fbc6190752 Merge pull request #8160 from kaleb-himes/OE8-CHECK-IN
OE8 check in
2025-04-15 18:13:44 -05:00
Daniel Pouzzner
f6434cf712 Merge pull request #8639 from anhu/cmake_pq
Fix building ML-KEM and LMS with cmake
2025-04-15 17:50:42 -05:00
JacobBarthelmeh
d9fd1072a2 Merge pull request #8672 from SparkiDev/asm_fixes_1
Various fixes for Aarch64/ARM32/Thumb2 ASM
2025-04-15 14:56:32 -06:00
David Garske
e95fb9c116 Merge pull request #8673 from douzzer/20250415-linuxkm-5v12-disable-ecdh-registration
20250415-linuxkm-5v12-disable-ecdh-registration
2025-04-15 11:20:51 -07:00
Daniel Pouzzner
10c1fc1edb linuxkm/lkcapi_glue.c: inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (currently incompatible);
.wolfssl_known_macro_extras: fix lexical order.
2025-04-15 12:00:54 -05:00
Sean Parkinson
cf1f8e14ff Various fixes for Aarch64/ARM32/Thumb2 ASM
cpuid.c: hwcaps not used.
thumb2-*: ldm -> LDM
sp_arm32.c: No register assignment, fix sp_*_from_bin
sp_armthumb.c: fix sp_*_from_bin
sp_cotexm.c: fix line lengths, fix sp_*_from_bin
2025-04-15 17:00:06 +10:00
Daniel Pouzzner
b000d7382f Merge pull request #8671 from SparkiDev/poly1305_aarch64_asm_fix
Poly1305 Aarch64 ASM: fix
2025-04-14 22:36:39 -05:00
Daniel Pouzzner
43389b248a Merge pull request #8621 from dgarske/dotnet35
Fixes for building with .NET 3.5
2025-04-14 22:35:28 -05:00
Sean Parkinson
10f0999c21 Poly1305 Aarch64 ASM: fix
r^2 may overflow after adding high bits - reduce again.
2025-04-15 11:04:47 +10:00
Anthony Hu
f987478937 github test 2025-04-14 20:53:24 -04:00
David Garske
6d3673a6ec Merge pull request #8670 from douzzer/20250414-fix-curve255519_der_test-fips-v6
20250414-fix-curve255519_der_test-fips-v6
2025-04-14 17:48:09 -07:00
Daniel Pouzzner
4ae057e79f Merge pull request #8663 from philljj/register_ecdh
linuxkm: register ecdh.
2025-04-14 19:04:33 -05:00
Daniel Pouzzner
2ec8e72579 CURVE25519_MAX_KEY_TO_DER_SZ: refactor to macro like other CURVE25519_ constants, and add FIPS clause in curve255519_der_test() to accommodate FIPS v6. 2025-04-14 18:29:22 -05:00
David Garske
42644a55fb Fixes for building with .NET 3.5 (new WindowsCE macro). Fix for build error with NO_WOLFSSL_MSG_EX. Fix for ECC TFM option (only set with TFM). 2025-04-14 16:07:03 -07:00
Sean Parkinson
9106d1275f Merge pull request #8651 from billphipps/fix_curve25519_enums
Update to expose reasonable DER buffer sizes for Curve25519
2025-04-15 08:34:12 +10:00
Kaleb Himes
6b66149edb Merge branch 'master' into OE8-CHECK-IN 2025-04-14 15:24:28 -06:00
JacobBarthelmeh
43e68add96 Merge pull request #8669 from douzzer/20250414-can_save_vector_registers_x86-recursive
20250414-can_save_vector_registers_x86-recursive
2025-04-14 15:03:33 -06:00
Daniel Pouzzner
ecf9982a0f .wolfssl_known_macro_extras: add TIF_NEED_FPU_LOAD. 2025-04-14 13:49:14 -05:00
Daniel Pouzzner
755fa1a701 linuxkm/x86_vector_register_glue.c: fix can_save_vector_registers_x86() to check wc_linuxkm_fpu_states before calling irq_fpu_usable(), needed for recursive call patterns. also, check TIF_NEED_FPU_LOAD only if it's defined. 2025-04-14 13:36:05 -05:00
Juliusz Sosinowicz
e320b3c90d fixup! Implement AES-CTS in wolfCrypt 2025-04-14 17:45:34 +02:00
David Garske
bbe956cc0c Merge pull request #8667 from douzzer/20250413-linuxkm-linux6v15-fixes
20250413-linuxkm-linux6v15-fixes
2025-04-14 07:38:20 -07:00
David Garske
b77bd78b5c Merge pull request #8664 from douzzer/20250411-more-libwolfssl_sources_h-2
20250411-more-libwolfssl_sources_h-2
2025-04-14 07:38:02 -07:00
David Garske
5f106adc14 Merge pull request #8665 from gojimmypi/pr-fix-hash-test-memory-leak
Remove unreachable test code
2025-04-14 06:58:05 -07:00
Bill Phipps
eca0318fe8 Rename to MAX_KEY_TO_DER_SZ, set to 130. Remove Curve448 changes. 2025-04-14 09:43:55 -04:00
Daniel Pouzzner
57baae90f1 linuxkm/lkcapi_glue.c: update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit 7450ebd29c (merged for Linux 6.15);
configure.ac: fix --disable-linuxkm-lkcapi-register;

.wolfssl_known_macro_extras: fix order.
2025-04-14 00:01:40 -05:00
gojimmypi
1de73200ab Remove unreachable test code 2025-04-13 09:45:08 +02:00
David Garske
b38ab8a064 Merge pull request #8514 from gojimmypi/pr-introduce-arduino-wolfssl_AES_CTR
Introduce and move new Arduino examples and configuration updates.
2025-04-12 10:06:11 -07:00
gojimmypi
241a1ed360 Introduce and move new Arduino examples and configuration updates 2025-04-12 15:38:37 +02:00
Koji Takeda
1252d69a9a Remove trailing spaces 2025-04-12 17:09:36 +09:00
Daniel Pouzzner
e7577bc2e9 wolfssl/wolfcrypt/libwolfssl_sources*.h: check if the other libwolfssl_sources*.h was included before concluding that "#error settings.h included before libwolfssl_sources.h.", and add WC_CONFIG_H_INCLUDED to inhibit multiple inclusions of config.h;
wolfcrypt/src/port/kcapi/kcapi_aes.c: restore #include <errno.h> removed incorrectly in ed5d8f8e6b;

wolfcrypt/src/port/liboqs/liboqs.c: include libwolfssl_sources.h;

wolfcrypt/src/port/riscv/*.c: include libwolfssl_sources.h;

wolfcrypt/test/test.c: fix use of WC_TEST_RET_ENC_I() where WC_TEST_RET_ENC_EC() was required.
2025-04-12 00:35:49 -05:00
Koji Takeda
29482a3e4d Fix a logic 2025-04-12 13:12:36 +09:00
Koji Takeda
770b6cb9e7 Fix too long lines 2025-04-12 10:58:13 +09:00
Koji Takeda
85c71dacb1 Update src/ssl_load.c
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-04-12 10:01:17 +09:00
David Garske
75501fd728 Merge pull request #8662 from douzzer/20250411-more-libwolfssl_sources_h
20250411-more-libwolfssl_sources_h
2025-04-11 13:39:06 -07:00
jordan
4ef7ef02d6 linuxkm ecdh: small cleanup. 2025-04-11 16:20:16 -04:00
jordan
380c3613ed linuxkm: register ecdh. 2025-04-11 15:16:09 -04:00
Daniel Pouzzner
ed5d8f8e6b update several files in wolfcrypt/src/port/arm to include libwolfssl_sources.h;
update wolfcrypt/src/port/af_alg, wolfcrypt/src/port/devcrypto, and wolfcrypt/src/port/kcapi to include libwolfssl_sources.h;

remove a slew of includes across lib sources made redundant by libwolfssl_sources.h.
2025-04-11 13:57:23 -05:00
Eric Blankenhorn
ed2122256c Merge pull request #8661 from dgarske/debug_on
Fix debug logs (disabled in PR #8616)
2025-04-11 13:21:34 -05:00
David Garske
fb4970b7e0 Fix debug logs (disabled in PR #8616) 2025-04-11 11:19:24 -07:00
David Garske
1f34b71017 Merge pull request #8660 from douzzer/20250411-fixes
20250411-fixes
2025-04-11 10:43:27 -07:00
gojimmypi
8ee7d381ec Fix hash_test() memory leak in wolfcrypt/test/test.c (#8506)
* Fix hash_test() memory leak in wolfcrypt/test/test.c
* Escape HASH_TYPE_E comparisons
* Revised hash_test() in test.c
* Use ERROR_OUT and WC_NO_ERR_TRACE patterns, polish
* Remove placeholder init, no longer needed
* remove verbose hash_test() WOLFSSL_MSG and PRINT_HEAP_CHECKPOINT
2025-04-11 10:37:55 -07:00
JacobBarthelmeh
704e97bca6 Merge pull request #8595 from dgarske/renesas_rx_tsip
Fixes for Renesas RX TSIP
2025-04-11 11:22:13 -06:00
David Garske
11001c86f0 Merge pull request #8644 from lealem47/zd19343
CMSIS: Skip Mutex calls if OS isn't running
2025-04-11 09:58:10 -07:00
Daniel Pouzzner
7acc3360fc .github/workflows/pq-all.yml: add -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE, and add a config with CC=c++. 2025-04-11 11:14:57 -05:00
Juliusz Sosinowicz
62bf90c09c Add dox comments for aes-cts 2025-04-11 16:50:25 +02:00
Daniel Pouzzner
29dcf42309 src/internal.c, tests/api.c: add missing casts for C++ compatibility (fixes "invalid conversion" errors). 2025-04-11 09:33:20 -05:00
Daniel Pouzzner
cfd93b1bd4 tests/api.c: fix error path uninited-data defects in test_wc_PKCS7_EncodeSignedData() (followup to bf95f80c6d, detected by valgrind). 2025-04-11 09:20:14 -05:00
Koji Takeda
a3862f0e59 Improve ML-DSA private key import 2025-04-11 16:28:54 +09:00
philljj
1fb8f5f0c4 Merge pull request #8658 from douzzer/20250410-linuxkm-fixes
20250410-linuxkm-fixes
2025-04-10 23:02:26 -04:00
David Garske
38f951b7a1 Merge pull request #8657 from gojimmypi/pr-revert-vis-for-tests
Revert Espressif manual WOLFSSL_VIS_FOR_TESTS settings
2025-04-10 16:32:20 -07:00
David Garske
77692a814a Merge pull request #8645 from JacobBarthelmeh/pkcs7_stream
additional PKCS7 streaming test case
2025-04-10 16:03:56 -07:00
David Garske
368dcf51af Merge pull request #8612 from JacobBarthelmeh/pkcs8
account for existing pkcs8 header
2025-04-10 16:03:49 -07:00
David Garske
e8656d0d22 Merge pull request #8616 from julek-wolfssl/zd/19589
openssl compat: Push/pop to/from the end of the list object
2025-04-10 16:02:23 -07:00
Kareem
4808ce1b8c Add new macro to known macros, reformat comment to fit in max length. 2025-04-10 15:48:50 -07:00
Daniel Pouzzner
f609d423d7 linuxkm/Kbuild: treat KERNEL_ARCH "x86_64" as "x86" and remove inapt -mpreferred-stack-boundary=4 from x86 WOLFSSL_CFLAGS;
linuxkm/linuxkm_wc_port.h: use >=6.9.0 as the gate for 5-arg fortify_panic();

in lkm_printf() definition, use _printk on >5.15.0;

linuxkm/module_hooks.c: raise MAX_FIPS_DATA_SZ and MAX_FIPS_CODE_SZ to
accommodate growth.
2025-04-10 17:23:17 +00:00
gojimmypi
8cf6195426 Revert Espressif manual WOLFSSL_VIS_FOR_TESTS settings 2025-04-10 17:13:56 +02:00
Sean Parkinson
3919491a6a Merge pull request #8589 from kareem-wolfssl/zd19572
Check if HWCAP_ASIMDRDM is defined.
2025-04-10 08:25:30 +10:00
philljj
83d134e0be Merge pull request #8654 from douzzer/20250409-linuxkm-fortify_panic-6v8
20250409-linuxkm-fortify_panic-6v8
2025-04-09 16:18:40 -04:00
David Garske
e37dc29c1c Fixed RX TSIP RSA key creation to populate the RsaKey public material.
Fixed issue with brace when using `WOLF_CRYPTO_CB_ONLY_RSA`.
Fixed mixed declaration in `wc_RsaFunction_ex`.
Fixed missing SetMyVersion with for RSA key gen with old ASN and no PKCS12.
Added gating on RSA 1024/2048 RX TSIP build macros.
2025-04-09 12:39:48 -07:00
Daniel Pouzzner
a22bcc3667 linuxkm/linuxkm_wc_port.h: on kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override macro. 2025-04-09 18:35:04 +00:00
JacobBarthelmeh
3787dbde2b fix test case, set data chunk size to use 2025-04-09 09:48:50 -06:00
David Garske
099eaf582c Merge pull request #8487 from julek-wolfssl/zd/19391
TLS EMS: Set haveEMS when we negotiate TLS 1.3
2025-04-09 08:27:33 -07:00
Juliusz Sosinowicz
56263d9577 fixup! Push/pop to/from the end of the list object 2025-04-09 14:40:00 +02:00
Juliusz Sosinowicz
8b7e1be694 Maintain backwards compatible order of SAN
Maintain previous order in X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL). Tested for in Python osp port (test_ssl.py:test_parse_all_sans).
2025-04-09 14:40:00 +02:00
Juliusz Sosinowicz
5f13aebd5f Push/pop to/from the end of the list object
The last object pushed should be visible in the highest index
2025-04-09 14:40:00 +02:00
Juliusz Sosinowicz
7cbc71b024 Refactor *_push and *_pop compat API 2025-04-09 14:40:00 +02:00
Juliusz Sosinowicz
ab64597b62 fixup! Move extended master secret testing to test_tls_ext 2025-04-09 14:36:34 +02:00
Juliusz Sosinowicz
a240a58605 fixup! TLS EMS: Set haveEMS when we negotiate TLS 1.3 2025-04-09 14:36:34 +02:00
Juliusz Sosinowicz
89e392f1e8 fixup! Move extended master secret testing to test_tls_ext 2025-04-09 14:36:34 +02:00
Juliusz Sosinowicz
f15ff6861c TLS EMS: Set haveEMS when we negotiate TLS 1.3 2025-04-09 14:36:34 +02:00
Juliusz Sosinowicz
2c585d73c8 Move extended master secret testing to test_tls_ext 2025-04-09 14:36:34 +02:00
Juliusz Sosinowicz
75ca54889c Implement AES-CTS in wolfCrypt 2025-04-09 12:11:08 +02:00
Daniel Pouzzner
6761dbb2ed Merge pull request #8637 from philljj/register_ecdsa
linuxkm: register ecdsa.
2025-04-08 23:05:00 -05:00
David Garske
16a6818614 Merge pull request #8638 from JacobBarthelmeh/ada
add a CI test for Ada build
2025-04-08 16:00:02 -07:00
David Garske
e5c275ab02 Merge pull request #8649 from julek-wolfssl/fix-multi-compiler
multi-compiler.yml: update ubuntu version
2025-04-08 15:16:35 -07:00
David Garske
a2ca1fe31f Merge pull request #8641 from gojimmypi/pr-espressif-examples-update
Espressif updates. Kconfig, WOLFSSL_VIS_FOR_TESTS, ESP32P4
2025-04-08 15:09:18 -07:00
David Garske
f29f928dee Merge pull request #8648 from julek-wolfssl/hostap-tests
hostap-vm.yml: Fix `No module named 'Crypto'` errors that were causing tests to be skipped
2025-04-08 15:08:14 -07:00
David Garske
a221b5108b Merge pull request #8647 from douzzer/20250408-libwolfssl_sources_h-fixes
20250408-libwolfssl_sources_h-fixes
2025-04-08 15:05:11 -07:00
Sean Parkinson
791bda3323 Merge pull request #8650 from douzzer/20250408-wc_static_assert_dummy_struct-gcxx-6v5
20250408-wc_static_assert_dummy_struct-gcxx-6v5
2025-04-09 07:36:28 +10:00
Kareem
de04d8a486 Make trusted_ca_keys check opt-in. It is not required according to the RFC. 2025-04-08 14:32:31 -07:00
Sean Parkinson
a1442cf3a1 Merge pull request #8643 from kaleb-himes/KH-SRTP-REVIEW-rev1
Explicit API redirects for FIPS moving forward
2025-04-09 07:08:52 +10:00
Kareem
8e1cfb8b8b Add HWCAP_ASIMDRDM to known macros 2025-04-08 13:42:05 -07:00
Kareem
1750325c0b Check if HWCAP_ASIMDRDM is defined, old hwcap.h headers do not define this. 2025-04-08 13:42:05 -07:00
Bill Phipps
e2a7f40148 Revert test Ed448 changes. 2025-04-08 16:11:40 -04:00
Bill Phipps
65b1bf2c03 Revert Ed448 and Ed25519 test changes. 2025-04-08 16:09:20 -04:00
Bill Phipps
99144ee58b Update Curve448 size to 256 and add uses in Ed 2025-04-08 15:38:49 -04:00
Bill Phipps
c3dbe29f21 Update to expose reasonable DER buffer sizes for Curve448/25519 2025-04-08 15:17:54 -04:00
Daniel Pouzzner
e1ece63942 wolfssl/wolfcrypt/types.h: refactor fallback implementation of wc_static_assert() to depend on __COUNTER__, to avoid namespace collisions on unlucky macro invocations with same line numbers. 2025-04-08 19:01:44 +00:00
Juliusz Sosinowicz
1f0a28e3f1 multi-compiler.yml: update ubuntu version
Removed clang 10 testing since it is no longer available in the latest Ubuntu release.
2025-04-08 20:24:56 +02:00
Juliusz Sosinowicz
c0f27e7066 hostap-vm.yml: Fix No module named 'Crypto' errors that were causing tests to be skipped 2025-04-08 18:53:24 +02:00
Daniel Pouzzner
831ea90c6d fix typo in arm-thumb2 include of libwolfssl_sources_asm.h. 2025-04-08 16:19:57 +00:00
JacobBarthelmeh
fb6cbdd5be free PKCS7 struct at the end of test case for loop 2025-04-08 10:15:18 -06:00
JacobBarthelmeh
0171024c4b fix for typo in comments 2025-04-08 10:02:16 -06:00
JacobBarthelmeh
bf95f80c6d additional PKCS7 streaming test case 2025-04-08 10:00:42 -06:00
Lealem Amedie
17953d064f CMSIS: Skip Mutex calls if OS isn't running 2025-04-08 10:36:22 -04:00
David Garske
6d299ea943 Merge pull request #8634 from JacobBarthelmeh/pkcs7_stream
account for edge case with pkcs7 streaming
2025-04-07 16:01:14 -07:00
jordan
35f8c3b75c linuxkm ecdsa: fix ecdsa fips define guards, and fix names. 2025-04-07 17:00:13 -04:00
David Garske
18ed67a27d Merge pull request #8640 from douzzer/20250404-WOLFSSL_SOURCES_H
20250404-WOLFSSL_SOURCES_H
2025-04-07 12:47:53 -07:00
kaleb-himes
8c0ef0b1f5 Explicit API redirects for FIPS moving forward 2025-04-07 11:06:52 -06:00
David Garske
0e27b3e8c8 Merge pull request #8613 from SparkiDev/lms_iana
LMS: change identifiers to match standard
2025-04-07 10:00:35 -07:00
jordan
69688c223b linuxkm ecdsa: fix ecc define guards. 2025-04-07 12:04:18 -04:00
Anthony Hu
a3c3996c08 256/192 2025-04-07 10:43:10 -04:00
Anthony Hu
6cd1d7f3c9 Fix building ML-KEM and LMS with cmake 2025-04-07 10:43:10 -04:00
gojimmypi
40c52bd844 Espressif updates. Kconfig, WOLFSSL_VIS_FOR_TESTS, ESP32P4 2025-04-06 16:01:35 +02:00
Daniel Pouzzner
3465dde0bb synchronize with scripts#480 (except wolfcrypt/src/sp_arm32.c and wolfcrypt/src/sp_cortexm.c, which have large unrelated desyncs). 2025-04-04 21:41:29 -05:00
Daniel Pouzzner
c401f5caf2 move the newly added wolfcrypt/src/wolfssl_sources.h to wolfssl/wolfcrypt/libwolfssl_sources.h, and likewise for wolfssl_sources_asm.h; revert changes to IDE/ project files. 2025-04-04 18:44:12 -05:00
Daniel Pouzzner
217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
Kareem
29ce716615 Add test case for parsing PKCS8 key with existing header. 2025-04-04 12:19:13 -06:00
JacobBarthelmeh
57e00e5147 account for existing pkcs8 header 2025-04-04 12:19:13 -06:00
JacobBarthelmeh
04dce0e223 cast for conversion warning 2025-04-04 12:18:14 -06:00
JacobBarthelmeh
8b0650d0fb account for edge case with pkcs7 streaming 2025-04-04 12:18:14 -06:00
jordan
a626ec242e linuxkm ecdsa: tiny cleanup. 2025-04-04 14:01:47 -04:00
JacobBarthelmeh
3625391589 update test to use examples.gpr instead of the old client.gpr 2025-04-04 11:33:04 -06:00
JacobBarthelmeh
bb9e6e3fd6 add a CI test for Ada build 2025-04-04 11:30:00 -06:00
JacobBarthelmeh
3ff4e5e303 Merge pull request #8606 from mgrojo/feature/alire-usability
Ada: preparation for Alire index and fixes detected by GNATprove
2025-04-04 11:07:29 -06:00
Daniel Pouzzner
10a1126624 Merge pull request #8635 from SparkiDev/asm_thumb2_fix
AES Thumb2 ASM: fix td4 variable declarations
2025-04-04 11:13:50 -05:00
jordan
d62c65231b linuxkm: register ecdsa. 2025-04-04 11:54:03 -04:00
JacobBarthelmeh
b7af89acdb Merge pull request #8619 from SparkiDev/mlkem_bigendian
ML-KEM/Kyber: fix for big-endian
2025-04-04 09:39:40 -06:00
JacobBarthelmeh
97d86b873d Merge pull request #8628 from douzzer/20250402-WOLFSSL_TEST_API
20250402-WOLFSSL_TEST_API
2025-04-04 09:37:56 -06:00
Sean Parkinson
827516c040 Merge pull request #8636 from douzzer/20250403-linuxkm-lkcapi-fixes
20250403-linuxkm-lkcapi-fixes
2025-04-04 15:45:34 +10:00
Daniel Pouzzner
2c001ccec1 linuxkm/lkcapi_glue.c: in km_AesGet(), only null aes_copy->streamData in
WOLFSSL_AESGCM_STREAM builds, and in km_AesFree(), remove ad hoc zeroization of
  (*aes)->streamData gated on FIPS_VERSION3_LT(6,0,0) because it doesn't include
  WOLFSSL_AESGCM_STREAM.
2025-04-03 21:34:11 -05:00
Daniel Pouzzner
96118b416d WOLFSSL_TEST_VIS: improved naming scheme based on peer review:
WOLFSSL_TEST_API->WOLFSSL_TEST_VIS,
  WOLFSSL_ALLOW_TEST_APIS->WOLFSSL_VIS_FOR_TESTS,
  WOLFSSL_LOCALIZE_TEST_APIS->WOLFSSL_PRIVATE_TEST_VIS.

support message argument to WC_DEPRECATED() on targets that support it

add MSVC support for WC_DEPRECATED().
2025-04-03 19:29:29 -05:00
Daniel Pouzzner
cc223d1904 tests/api.c: in test_wolfSSL_TXT_DB(), fix -Wpointer-to-int-cast detected by building --host=x86_64-w64-mingw32. 2025-04-03 19:29:29 -05:00
Daniel Pouzzner
87e63a0f21 wolfssl/wolfcrypt/wc_port.h: if WOLFSSL_ZEPHYR, don't activate WC_DEPRECATED (compat issues). 2025-04-03 19:29:29 -05:00
Daniel Pouzzner
ce73c1dfd1 Add WC_DEPRECATED, WOLFSSL_TEST_API, WOLFSSL_ALLOW_TEST_APIS, and WOLFSSL_LOCALIZE_TEST_APIS, and use them to control export and usability of internal functions needed by unit tests. 2025-04-03 19:29:29 -05:00
Sean Parkinson
0e8d3ad3d9 AES Thumb2 ASM: fix td4 variable declarations
td4 is an array of bytes and the type was wrong.
2025-04-04 09:47:59 +10:00
JacobBarthelmeh
47ed447987 Merge pull request #8632 from douzzer/20250403-fixes
20250403-fixes
2025-04-03 17:26:40 -06:00
Sean Parkinson
151b9f0e74 Merge pull request #8633 from JacobBarthelmeh/compile
do sanity check for -Wa,-mbranches-within-32B-boundaries use
2025-04-04 09:19:48 +10:00
Sean Parkinson
4f87a8980f ML-KEM/Kyber: fix for big-endian
Don't pull apart the nibbles when big-endian in reject uniform C code.
2025-04-04 09:04:05 +10:00
JacobBarthelmeh
f6894a3949 add compileharden flag 2025-04-03 15:05:24 -06:00
JacobBarthelmeh
c4fcd5fd54 do sanity check that the -Wa,-mbranches-within-32B-boundaries is supported for cases where CC=gcc is really clang 2025-04-03 13:58:43 -06:00
Daniel Pouzzner
b5d999779d wolfcrypt/src/port/arm/thumb2-aes-asm_c.c: fix a pair of -Wpointer-to-int-casts in AES_ECB_decrypt() and AES_CBC_decrypt(). 2025-04-03 14:30:22 -05:00
Daniel Pouzzner
87aa6ec977 wolfcrypt/src/wc_mlkem_poly.c: move mlkem_ntt_add_to() implementation to resolve gating inconsistency (fixes armasm on arm32). 2025-04-03 14:30:22 -05:00
Daniel Pouzzner
971dafb1c2 configure.ac: add v5-kcapi to FIPS version map, same as v5-dev, but version 5.3.0 (as v5-dev was before 9d931d45de). 2025-04-03 14:30:22 -05:00
Daniel Pouzzner
a2eddc889f tests/api.c: fix double-free()s in test_wolfSSL_FPKI(). 2025-04-03 14:30:22 -05:00
JacobBarthelmeh
5ecacfd8eb Merge pull request #8577 from SparkiDev/x64-branch-32b
Intel x86_64, gcc, icc: put branches on 32 byte boundary
2025-04-03 10:53:46 -06:00
JacobBarthelmeh
50ef56ab7a Merge pull request #8630 from kojiws/kojiws/more_strict_key_format_check
Detect unknown key format on ProcessBufferTryDecode()
2025-04-03 10:31:16 -06:00
JacobBarthelmeh
05ac52085d Merge pull request #8618 from miyazakh/renesas_csplus
Fix Renesas cs+ example failure
2025-04-03 10:02:00 -06:00
Koji Takeda
71ebad1fc7 Add test 2025-04-03 22:20:55 +09:00
Koji Takeda
2f01c9d715 Detect unknown key format 2025-04-03 18:36:05 +09:00
Sean Parkinson
c29fba5b7e Merge pull request #8614 from douzzer/20250317-linuxkm-lkcapi-aes-ctr-ofb-ecb
20250317-linuxkm-lkcapi-aes-ctr-ofb-ecb
2025-04-03 10:45:04 +10:00
Sean Parkinson
2210ec8839 Merge pull request #8617 from douzzer/20250401-Base64_Decode_nonCT
20250401-Base64_Decode_nonCT
2025-04-03 10:41:08 +10:00
David Garske
ca371b05a5 Merge pull request #8629 from douzzer/20250402-configure-copyright-year
20250402-configure-copyright-year
2025-04-02 17:38:00 -07:00
Daniel Pouzzner
3e87c4465c update copyright year in configure.ac. 2025-04-02 18:51:28 -05:00
Hideki Miyazaki
aef224d53e fix cs+ failure 2025-04-03 07:57:42 +09:00
Daniel Pouzzner
13c73a9691 linuxkm/lkcapi_glue.c: add LINUXKM_LKCAPI_NEED_AES_COMMON_FUNCS and
LINUXKM_LKCAPI_NEED_AES_SKCIPHER_COMMON_FUNCS helper macros (peer review
  suggestion).

wolfcrypt/src/aes.c: add lengthy comment in software wc_AesSetKeyLocal()
  explaining the dynamics of aes->use_aesni (peer review suggestion), and in the
  !haveAESNI && WC_C_DYNAMIC_FALLBACK case, return with immediate success rather
  than following through to the redundant AesSetKey_C().
2025-04-02 17:30:19 -05:00
Daniel Pouzzner
e0a74420f1 wolfcrypt/src/coding.c: restore support for BASE64_NO_TABLE builds. 2025-04-02 17:14:09 -05:00
Daniel Pouzzner
140e18c063 undo unnecessary change to .github/workflows/zephyr.yml. 2025-04-02 17:08:20 -05:00
Daniel Pouzzner
c2b486ce53 fix some misindentation in wolfcrypt/src/coding.c.
force lower CMAKE_POLICY_VERSION_MINIMUM to try to work around obsolete cmake config syntax in several OSP workflows.
2025-04-02 17:08:20 -05:00
Daniel Pouzzner
51c6848340 wolfcrypt/src/coding.c, wolfssl/wolfcrypt/coding.h, wolfcrypt/src/asn.c,
wolfcrypt/test/test.c: refactor Base64_Decode() with separate always-CT
  Base64_Decode() and never-CT Base64_Decode_nonCT(), and use the latter only to
  decode known-public PEM objects, otherwise use always-CT Base64_Decode().
2025-04-02 17:08:20 -05:00
Daniel Pouzzner
8705d28d48 wolfcrypt/src/aes.c: in wc_AesSetKeyLocal(), rework support for WC_FLAG_DONT_USE_AESNI (fixes WC_C_DYNAMIC_FALLBACK).
wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, #ifdef LINUXKM_LKCAPI_REGISTER, #define WOLFSSL_TEST_SUBROUTINE to nothing, and #define WC_TEST_EXPORT_SUBTESTS.

linuxkm/lkcapi_glue.c:
* add check_skcipher_driver_masking() and check_aead_driver_masking(),
* use _masking() checks in all linuxkm_test_*().
* add !WOLFSSL_AESGCM_STREAM implementation of linuxkm_test_aesgcm().
* add implementations of linuxkm_test_aesctr(), linuxkm_test_aesofb(), and linuxkm_test_aesecb()
* remove incomplete+disabled AES-CCM shim implementation.

linuxkm/module_hooks.c: pull in wolfcrypt/test/test.h if LINUXKM_LKCAPI_REGISTER.

linuxkm/Makefile: build wolfcrypt/test/test.o if ENABLED_LINUXKM_LKCAPI_REGISTER.

Makefile.am: add ENABLED_LINUXKM_LKCAPI_REGISTER to exports in BUILD_LINUXKM section.

configure.ac: add AC_SUBST([ENABLED_LINUXKM_LKCAPI_REGISTER]); in ENABLED_LINUXKM_DEFAULTS set up, remove `-DWOLFSSL_TEST_SUBROUTINE=static` from AM_CFLAGS adds; fix whitespace.

.wolfssl_known_macro_extras: add WC_WANT_FLAG_DONT_USE_AESNI.

wolfcrypt/test/test.c: add `|| defined(WC_TEST_EXPORT_SUBTESTS)` to outermost gate, add wc_test_ prefix to render_error_message() and export it,

wolfcrypt/test/test.h: add prototype for wc_test_render_error_message(), and #ifdef WC_TEST_EXPORT_SUBTESTS, add prototypes for all the subtests.
2025-04-02 17:00:48 -05:00
Daniel Pouzzner
8092ff915c linuxkm/lkcapi_glue.c: bring in wolfcrypt/src/misc.c for ForceZero if FIPS_VERSION3_LT(6,0,0). 2025-04-02 17:00:48 -05:00
Daniel Pouzzner
3c16722538 wolfcrypt/src/aes.c and wolfssl/wolfcrypt/aes.h: add support for WC_FLAG_DONT_USE_AESNI in wc_AesSetKeyLocal(); add support for USE_INTEL_SPEEDUP_FOR_AES.
linuxkm/lkcapi_glue.c: finish implementation of WC_LINUXKM_C_FALLBACK_IN_SHIMS and add TEST_WC_LINUXKM_C_FALLBACK_IN_SHIMS.

use "WC_C_DYNAMIC_FALLBACK" consistently (remove/replace uses of "WC_AES_C_DYNAMIC_FALLBACK").
2025-04-02 17:00:48 -05:00
Daniel Pouzzner
6d92dae632 configure.ac: add support for --enable-aesni-with-avx/USE_INTEL_SPEEDUP_FOR_AES (AESNI+AVX, but only for AES modes).
linuxkm/lkcapi_glue.c: implement WC_LINUXKM_C_FALLBACK_IN_SHIMS, km_AesGet(), and km_AesFree().

src/include.am: add missing gates for AES-GCM and AES-XTS asm.

wolfcrypt/src/aes_xts_asm.S and wolfssl/wolfcrypt/sp_int.h: don't redefine HAVE_INTEL_AVX2.
2025-04-02 17:00:48 -05:00
Daniel Pouzzner
9d931d45de LKCAPI checkpoint (all AES except CCM working). 2025-04-02 17:00:48 -05:00
JacobBarthelmeh
9bcb3f71d0 Merge pull request #8624 from douzzer/20250401-AEAD-WARN_UNUSED_RESULT
20250401-AEAD-WARN_UNUSED_RESULT
2025-04-02 15:08:33 -06:00
Daniel Pouzzner
91e9e8f65f update documentation for AEAD decrypt methods, specifically noting that nonzero retval means output data is undefined, and noting requirement to zeroize the output data unconditionally. 2025-04-02 13:36:59 -05:00
JacobBarthelmeh
a3d0ffb1ed Merge pull request #8622 from SparkiDev/kyber_improv_3
ML-KEM/Kyber: minor improvements
2025-04-02 09:56:32 -06:00
JacobBarthelmeh
0a4599133c Merge pull request #8599 from kareem-wolfssl/zd19563
Add support for DoD certificate policy OIDs.
2025-04-02 09:44:25 -06:00
Daniel Pouzzner
b8ece68b17 add WARN_UNUSED_RESULT to AEAD verify methods. 2025-04-02 01:15:57 -05:00
Sean Parkinson
fafc333e93 LMS: add API to get Key ID from raw private key
Always last 16 bytes of private key.
2025-04-02 16:05:11 +10:00
Sean Parkinson
8a9e125756 ML-KEM/Kyber: minor improvements
Minor improvement to SHA-3 x64 code.
Minor improvement to performance of ML-KEM/Kyber x64 code.
Minor improvement to performance of C code.
2025-04-02 13:10:44 +10:00
David Garske
dcdaeabc40 Merge pull request #8620 from lealem47/actions_cmake
Set the CMake compiler version for failing gh actions
2025-04-01 18:46:59 -07:00
Lealem Amedie
5083b41d1b Set the CMake compiler version for failin gh actions 2025-04-01 14:11:15 -10:00
Sean Parkinson
83e1cfcf01 LMS: change identifiers to match standard
Use the identifiers from IANA for LMS.
2025-04-01 12:15:20 +10:00
Sean Parkinson
c5dadd6f8d Merge pull request #8600 from JacobBarthelmeh/microchip
random implementation does not require PIC32 build macro
2025-04-01 08:36:45 +10:00
Kareem
8e9a986e0b Add comment clarifying that DoD certificate policy OIDs are not currently being parsed in the code, they are just recognized as valid OIDs. 2025-03-31 14:37:19 -07:00
mgrojo
e6f09b8372 Ada: fixes for the No_Secondary_Stack restriction
- Align README.md and GPR files with the fact that the server no longer compiles with the No_Secondary_Stack restriction.
- Fix include.am to reference the new name for the adc file.
2025-03-31 23:27:31 +02:00
JacobBarthelmeh
307d746653 Merge pull request #8590 from SparkiDev/arm32_no_assign_reg
ARM32/Thumb2 ASM: fix WOLFSSL_NO_VAR_ASSIGN_REG
2025-03-31 10:04:51 -06:00
JacobBarthelmeh
151a156581 include harmony macro check with strncasecmp and strcasecmp 2025-03-31 09:35:10 -06:00
JacobBarthelmeh
d035bfeb99 Merge pull request #8607 from embhorn/nds_doc
Update DevKitPro doc with calico dependency
2025-03-31 09:08:30 -06:00
Eric Blankenhorn
b0f65a85ab Update DevKitPro doc with calico dependency 2025-03-28 15:59:02 -05:00
Kareem
b803a03ddd Add support for ISRG domain validated certificate policy OID (used by Let's Encrypt). Fixes libspdm test failure. 2025-03-28 12:41:52 -07:00
mgrojo
98eda78857 Ada: fix issues in tls_server.adb detected by gnatprove
Checked with:
```
gnatprove -Pdefault.gpr --level=4 -j12
```
2025-03-28 19:33:42 +01:00
mgrojo
bf5009b544 Ada: fix initialization issue in examples
Detected by
```
gnatprove -Pclient.gpr --level=4 -j12
```
2025-03-28 18:38:22 +01:00
mgrojo
db4ebfb77e Allow use of the library with an Alire pin
- Allow enabling WOLFSSL_STATIC_PSK via an Alire configuration variable
 - `gnat.adc` applies unconditionally when using the library through Alire, so it has been renamed and used only in the default project file.
 - Clean-up of the Alire project file `wolfssl.gpr`.
2025-03-28 18:16:06 +01:00
Brett Nicholas
a8384bb426 Merge pull request #8602 from dgarske/cryptocb_no_hmac
Fix for crypto callback macro guards with `DEBUG_CRYPTOCB`
2025-03-28 10:51:45 -06:00
David Garske
04a3f1c206 Merge pull request #8604 from LinuxJedi/STM32MP2
Add instructions for STM32MP25 with OpenSTLinux
2025-03-28 09:37:13 -07:00
Andrew Hutchings
803a160808 Merge pull request #8601 from dgarske/stm32_pka
Fix for STM32 PKA with P521 and shared secret
2025-03-28 13:49:25 +00:00
Andrew Hutchings
5d0c3f7c27 Add instructions for STM32MP25 with OpenSTLinux 2025-03-28 09:28:49 +00:00
David Garske
e1ec90a886 Fix for crypto callback without HMAC and DEBUG_CRYPTOCB. Fix guards on crypto cb hashing. 2025-03-27 16:42:24 -07:00
Sean Parkinson
3969dd5a11 Merge pull request #8596 from dgarske/various_isacii_keylog
Various improvements to iscacii and CMake key log
2025-03-28 08:51:49 +10:00
David Garske
d235013fe9 Fix for STM32 PKA with P521 and shared secret. ZD 19422 2025-03-27 15:30:37 -07:00
JacobBarthelmeh
25dc3f08e9 random implementation does not require PIC32 build macro 2025-03-27 15:53:39 -06:00
Kareem
f313edb4cf Add a test certificate for all of the FPKI certificate policy OIDs. 2025-03-27 12:20:36 -07:00
Kareem
eb3b4751ac Handle collisions in FPKI cert policy OID sums. 2025-03-27 12:20:36 -07:00
Kareem
ac2df1420b Checked and corrected all OIDs and OID sums. 2025-03-27 12:20:36 -07:00
Devin AI
53f30b3c47 Add remaining FPKI cert policy OIDs.
Co-Authored-By: kareem@wolfssl.com <kareem@wolfssl.com>
2025-03-27 12:20:29 -07:00
Kareem
6daaaec6e2 WIP: clean up Devin's work, remove duplicate OIDs, handle OID sum collisions 2025-03-27 12:20:28 -07:00
Devin AI
a911f70049 Add other federal PKI OIDs.
Co-Authored-By: kareem@wolfssl.com <kareem@wolfssl.com>
2025-03-27 12:20:02 -07:00
Devin AI
6910f80e3d Add all DoD PKI cert policy OIDs.
Co-Authored-By: kareem@wolfssl.com <kareem@wolfssl.com>
2025-03-27 12:19:49 -07:00
Sean Parkinson
1c56a2674a Merge pull request #8521 from kaleb-himes/KH-SRTP-PORTING-OEs-phase4-rev3
Checkin XCODE settings for v6.0.0 module
2025-03-27 13:03:23 +10:00
Sean Parkinson
21c0d7803a Greenhills compiler: fix asm and volatile
Greenhills compiler doesn't accept volatile and __asm__ needs to be
__asm.
2025-03-27 10:54:19 +10:00
Sean Parkinson
ea677dd30d ARM32 inline ASM: make all vars input when not assigning regs
Compiler doesn't keep parameters in the same registers as passed if they
are output registers.
2025-03-27 10:51:01 +10:00
David Garske
a59075b908 Various improvements to iscacii and CMake key log:
* Detect 'isascii' at configuration (tested with `./configure CFLAGS="-DNO_STDLIB_ISASCII" && make check`).
* Add mew CMake option `WOLFSSL_KEYLOG_EXPORT` (fixes #8165)
Replaces PR #8174 and #8158. Thank you @redbaron.
2025-03-26 15:24:15 -07:00
Daniel Pouzzner
8b8873fb2c Merge pull request #8553 from kareem-wolfssl/zd19458
Check for whether librt is needed for clock_gettime.
2025-03-26 12:44:24 -05:00
Daniel Pouzzner
ddf7d5b6f1 Merge pull request #8584 from dgarske/stm32_aesgcm
Fixes for STM32H7S AES GCM. Cleanups for STM32 AES GCM.
2025-03-26 10:57:18 -05:00
Sean Parkinson
cfab666369 ARM32/Thumb2 ASM: fix WOLFSSL_NO_VAR_ASSIGN_REG
Thumb2 needed constants defined even with no register assignments.
ARM32 needed support added fo rnot having registers assigned to
variables.
2025-03-26 12:46:32 +10:00
Daniel Pouzzner
61cdcd71e6 Merge pull request #8588 from SparkiDev/mlkem_encapsulte_no_return
ML-KEM/Kyber: mlkem_encapsulate not to return a value
2025-03-25 00:14:41 -05:00
Sean Parkinson
50304cfb1c Intel x86_64, gcc, icc: align loops to 64 byte boundary
Improved security with compile flag.
2025-03-25 09:40:01 +10:00
Sean Parkinson
cfc774c152 Merge pull request #8581 from dgarske/no_ecc_check_public_order
Add option to disable ECC public key order checking
2025-03-25 09:13:56 +10:00
Sean Parkinson
66662bc399 ML-KEM/Kyber: mlkem_encapsulate not to return a value
Don't return a value from mlkem_encapsulate() to ensure code is just the
maths.
2025-03-25 08:11:03 +10:00
David Garske
8635014249 Fix to enable SHA384/SHA512 crypto hardware on STM32H7S. 2025-03-24 14:30:35 -07:00
David Garske
a709b16ed2 Adding option for NO_ECC_CHECK_PUBKEY_ORDER. ZD 19422 2025-03-24 14:00:23 -07:00
David Garske
0cc0bb0afe Merge pull request #8586 from douzzer/20250321-siphash-armasm
20250321-siphash-armasm
2025-03-23 14:00:17 -07:00
Daniel Pouzzner
0cea9c09f7 src/internal.c: fix -Wdeclaration-after-statement in ProcessCSR_ex(). 2025-03-22 23:51:59 -05:00
Daniel Pouzzner
29a0992ed5 wolfssl/wolfcrypt/settings.h: for WOLFCRYPT_FIPS_RAND, don't define USE_FAST_MATH, and make sure NO_BIG_INT is defined. 2025-03-22 22:21:23 -05:00
Daniel Pouzzner
3cad38a1ca wolfcrypt/test/test.c: gate wc_CmacFree()s in cmac_test() on !HAVE_FIPS || FIPS_VERSION3_GE(6,0,0); fix some return codes in hash_test(). 2025-03-22 17:19:37 -05:00
Daniel Pouzzner
60ffde6d7c wolfcrypt/test/test.c: fix error-path various uninitialized data uses and memory leaks. 2025-03-22 13:40:31 -05:00
Daniel Pouzzner
190f46ef23 wolfcrypt/test/test.c: fix -Wdeclaration-after-statement in sm3_test(). 2025-03-22 01:22:19 -05:00
Daniel Pouzzner
1587f21938 fix a couple -Wdeclaration-after-statements. 2025-03-21 22:33:45 -05:00
Daniel Pouzzner
777d42fabe wolfcrypt/src/siphash.c: gate armasm on defined(WOLFSSL_ARMASM), not !defined(WOLFSSL_NO_ASM). 2025-03-21 21:12:41 -05:00
Daniel Pouzzner
576c489b0f Merge pull request #8583 from lealem47/fips_linuxkm
Remove linuxkm-pie dependency for FIPS linuxkm
2025-03-21 21:09:04 -05:00
David Garske
defcaa192f Merge pull request #8582 from douzzer/20250321-Wdeclaration-after-statements-and-Kyber-fixes
20250321-Wdeclaration-after-statements-and-Kyber-fixes
2025-03-21 16:40:38 -07:00
David Garske
93c8d7df0d Fixes for STM32H7S AES GCM. Cleanups for STM32 AES GCM. 2025-03-21 16:17:36 -07:00
Daniel Pouzzner
e3fe575720 tests/api/test_evp.c: fix gating in test_wolfSSL_EVP_CIPHER_type_string(). 2025-03-21 17:52:33 -05:00
Daniel Pouzzner
a57326d500 fix whitespace in tests/api/test_evp.c. 2025-03-21 16:56:48 -05:00
Daniel Pouzzner
b0a16a3d94 configure.ac: remove PWDBASED and PBKDF2 from fips=lean-aesgcm. 2025-03-21 16:56:24 -05:00
Lealem Amedie
2fdac57a69 Remove linuxkm-pie dependency for FIPS linuxkm 2025-03-21 15:36:31 -06:00
Daniel Pouzzner
1e89002762 fix various -Wdeclaration-after-statements, and add
-Wdeclaration-after-statement to .github/workflows/pq-all.yml.

rearrange code/gating in wolfcrypt/src/wc_mlkem.c:mlkemkey_encapsulate() for
  clarity and to fix a -Wdeclaration-after-statement.

also, made mlkem_encapsulate_c() and mlkem_encapsulate() return error code
  (currently always zero) rather than void, for consistency.

configure.ac: fix Kyber/ML-KEM option setup.
2025-03-21 15:46:44 -05:00
David Garske
9a3ea6fd73 Merge pull request #8568 from embhorn/msvs_pqc_build
Fix MSVS build issues with PQC config
2025-03-21 12:41:19 -07:00
Kareem
91239dc42d Only search for clock_gettime when using RNG with wolfEntropy. 2025-03-21 11:05:24 -07:00
Kareem
17bb8c4c84 Check for whether librt is needed for clock_gettime. 2025-03-21 11:01:37 -07:00
David Garske
294e4c79a8 Merge pull request #8578 from philljj/coverity_unchecked_ret
Coverity unchecked return value
2025-03-21 10:05:29 -07:00
David Garske
9258fde02f Merge pull request #8570 from wolfSSL/devin/1742405136-cipherType-to-string
Add wolfSSL_EVP_CIPHER_type_string function and test
2025-03-21 10:04:41 -07:00
Eric Blankenhorn
f663ed28b6 Fix MSVS build issues with PQC config 2025-03-21 11:49:55 -05:00
Chris Conlon
7c9ecd39fe Merge pull request #8550 from lealem47/STM32WBA
Add support for STM32WBA
2025-03-21 09:58:17 -06:00
David Garske
b9aeeac58b Merge pull request #8576 from douzzer/20250319-FIPS-lean-aesgcm
20250319-FIPS-lean-aesgcm
2025-03-21 08:55:34 -07:00
jordan
8d0931df9d coverity: check mp radix ret values. 2025-03-21 10:08:13 -04:00
jordan
15ac07c9ef coverity: check correct ret value. 2025-03-21 09:25:28 -04:00
jordan
3a02ab286c coverity: unchecked return value with mp_copy. 2025-03-21 08:59:31 -04:00
jordan
7c831263c8 coverity: unchecked return value in EchHashHelloInner. 2025-03-21 08:48:45 -04:00
Sean Parkinson
295ba3b416 Intel x86_64, gcc, icc: put branches on 32 byte boundary
Improved security with compile flag.
2025-03-21 17:50:31 +10:00
Daniel Pouzzner
f14498ea6b fix a couple broken configs in examples/configs/ - simultaneous SP and NO_BIG_INT. 2025-03-20 22:40:08 -05:00
Daniel Pouzzner
57ecd4b246 configure.ac: fix -DNO_BIG_INT setup to recognize $ENABLED_SP_MATH.
wolfcrypt/test/test.c: fix gating around modLen in rsa_test().

wolfssl/openssl/bn.h: remove superfluous WOLFSSL_SP_MATH gate around mp_int mpi
  in struct WOLFSSL_BIGNUM definition.

wolfssl/wolfcrypt/wolfmath.h: add check for "Conflicting MPI settings.", add
  initial check for WOLFSSL_SP_MATH_ALL || WOLFSSL_SP_MATH to include sp_int.h,
  and remove superfluous WOLFSSL_SP_MATH gate on "common math functions".
2025-03-20 22:18:22 -05:00
Daniel Pouzzner
e870e7f6d2 configure.ac: in FIPS lean-aesgcm setup, don't lock features that are outside
the FIPS boundary, just set up appropriate defaults.

wolfssl/wolfcrypt/wolfmath.h: if legacy math back ends aren't defined, and
   NO_BIG_INT isn't defined, then always include sp_int.h, for backward compat.
2025-03-20 21:07:15 -05:00
David Garske
5f013c735e Merge pull request #8575 from ColtonWilley/fix_cryptocb_rsa_pad_ret_len
Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
2025-03-20 19:03:25 -07:00
Daniel Pouzzner
27a582829f .wolfssl_known_macro_extras: get macros back in C-lexical order. 2025-03-20 20:10:16 -05:00
Daniel Pouzzner
b544354306 wolfssl/wolfcrypt/wolfmath.h: don't include an MPI header if NO_BIG_INT is
defined, and issue a #error if no MPI backend gate is defined and NO_BIG_INT
   is not defined either.

configure.ac:
* add support for FIPS lean-aesgcm[-{ready,dev}].
* implement handler for --enable-sha256.
* move setup for WOLFSSL_FIPS_DEV and WOLFSSL_FIPS_READY into the applicable
    per-flavor sections.
* fix sensing of $ENABLED_AESGCM in FIPS setup clauses to pivot on `!= "no"`
    rather than `= "yes"`, to accommodate "4bit" and other non-"yes" values.
* fix SNI_DEFAULT to be "no" if $ENABLED_TLS = no.
* fix ENABLED_DHDEFAULTPARAMS default to be $ENABLED_DH rather than yes.

wc_encrypt.c: add missing gates in wc_CryptKey() for NO_SHA256.

wolfcrypt/test/test.c: gating fixes for NO_SHA256.

wolfcrypt/benchmark/benchmark.c: basic fixes for building/running with
  --disable-rng (-DWC_NO_RNG).

With the above additions and fixes, it's now a clean build, test, and benchmark,
  with --disable-sha256 --enable-cryptonly --disable-hashdrbg --disable-rng
  --disable-hmac, though RSA/DH/ECC benches are disabled.
2025-03-20 20:03:34 -05:00
David Garske
18ac695bb2 Merge pull request #8556 from SparkiDev/ech-config-control
ECH: generate multiple configs and rotate echConfigs
2025-03-20 17:05:43 -07:00
David Garske
2cf4997d0f Merge pull request #8565 from res0nance/correct-debug-info
random: correct debug messages
2025-03-20 17:04:47 -07:00
David Garske
86b01bddd8 Merge pull request #8428 from miyazakh/qt_jenkins
Fix Qt Nightly Jenkins failure
2025-03-20 17:03:03 -07:00
David Garske
c06df2093a Merge pull request #8548 from wolfSSL/devin/1741708186-add-cmake-wolfclu
Add WOLFSSL_CLU option to CMakeLists.txt
2025-03-20 16:50:03 -07:00
David Garske
18268a5ea9 Merge pull request #8551 from kareem-wolfssl/zd19541
Change #pragma GCC macros in sp_int.c to PRAGMA_GCC macros to avoid calling them on unsupported toolchains.
2025-03-20 16:44:10 -07:00
David Garske
7ba179f50f Merge pull request #8560 from SparkiDev/test_api_c_split_1
Split out tests: random, wolfmath, public key
2025-03-20 16:42:41 -07:00
David Garske
01910a60aa Merge pull request #8542 from anhu/dual_alg_crit_ext
Allow critical alt and basic constraints extensions
2025-03-20 16:15:42 -07:00
David Garske
23ff43f955 Testing results on the STM32WBA52 (Cortex-M33). 2025-03-20 16:02:46 -07:00
Anthony Hu
4967738044 Delete dupe line 2025-03-20 17:41:14 -04:00
Colton Willey
4290bfb9a6 Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD defined 2025-03-20 13:46:13 -07:00
David Garske
2c36ae268f Merge pull request #8536 from SparkiDev/kyber_to_mlkem
Update Kyber APIs to ML-KEM APIs
2025-03-20 11:07:53 -07:00
David Garske
2383402e10 Merge pull request #8537 from philljj/coverity_quic
coverity: tests quic cleanup.
2025-03-20 10:58:30 -07:00
David Garske
beac9cb8b8 Merge pull request #8544 from philljj/coverity_test_md5
coverity: pacify test_md5 uninitialized scalar variable warning.
2025-03-20 10:57:28 -07:00
David Garske
4c0d4a931e Merge pull request #8555 from bigbrett/default-devid-disable
Add option to disallow automatic use of "default" devId
2025-03-20 10:56:17 -07:00
Sean Parkinson
3e5ee7c142 Merge pull request #8569 from philljj/linuxkm_fedora_build
linuxkm fedora: fix uninitialized build error.
2025-03-20 08:30:16 +10:00
Sean Parkinson
cf272ba46b Merge pull request #8572 from embhorn/zd19587
Fix missing alert types in AlertTypeToString
2025-03-20 08:25:56 +10:00
Eric Blankenhorn
ffe4420d19 Fix missing alert types in AlertTypeToString 2025-03-19 16:35:50 -05:00
Devin AI
ec00f780ec Rename parameter in wolfSSL_EVP_CIPHER_type_string and add test
Co-Authored-By: lealem@wolfssl.com <lealem@wolfssl.com>
2025-03-19 17:41:51 +00:00
Devin AI
af1f6543e1 Add wolfSSL_EVP_CIPHER_type_string function to get cipher string from type
Co-Authored-By: lealem@wolfssl.com <lealem@wolfssl.com>
2025-03-19 17:29:03 +00:00
philljj
fe3c16da77 Merge pull request #8567 from douzzer/20250317-linuxkm-AES-GCM
20250317-linuxkm-AES-GCM
2025-03-19 12:48:10 -04:00
jordan
d1f94ad3e8 linuxkm fedora: fix uninitialized build error. 2025-03-19 10:47:32 -04:00
Daniel Pouzzner
ab7713676e linuxkm/lkcapi_glue.c: for AES-{CBC,CFB,GCM}, treat ctx->aes_{encrypt,decrypt}
as readonly in the encrypt/decrypt handlers -- clone them before setting the IV
-- for thread safety.  also, remove the "experimental" designation of
--enable-linuxkm-lkcapi-register=all.
2025-03-18 22:39:17 -05:00
Sean Parkinson
db3ab5a4c7 Merge pull request #8566 from kareem-wolfssl/zd19572
Only perform ARM assembly CPUID checks if support was enabled at build time.
2025-03-18 09:03:36 +10:00
Daniel Pouzzner
ac89fbc9e6 linuxkm: fix AES-GCM shim implementation and self-test. 2025-03-17 17:25:53 -05:00
Kareem
6c472496b4 Only perform ARM assembly CPUID checks if support was enabled at build time. 2025-03-17 14:25:08 -07:00
Devin AI
cf813c81b8 Revert "Enable WOLFSSL_OPENSSLEXTRA and OPENSSL_EXTRA for WOLFSSL_CLU option"
This reverts commit 16eb8d9ec9.
2025-03-17 20:30:26 +00:00
Devin AI
16eb8d9ec9 Enable WOLFSSL_OPENSSLEXTRA and OPENSSL_EXTRA for WOLFSSL_CLU option
Co-Authored-By: eric@wolfssl.com <eric@wolfssl.com>
2025-03-17 20:25:15 +00:00
Eric Blankenhorn
098358c217 Add WOLFSSL_AESCTR to WOLFSSL_CLU cmake option 2025-03-17 13:34:15 -05:00
Brett Nicholas
c7db28ef5a merge --no-default-devid configure option into --enable-cryuptocb=no-default-devid 2025-03-17 12:15:32 -06:00
res0nance
c697f87bda random: correct debug messages 2025-03-17 21:12:51 +08:00
Sean Parkinson
4e60e9fbed Merge pull request #8559 from anhu/ifndef_shake
Check if WOLFSSL_SHAKExxx is not defined
2025-03-17 09:54:36 +10:00
Sean Parkinson
663ca29a5d Split out tests: random, wolfmath, public key
Improved testing of random APIs.
wolfmath tests moved out.
Public key algorithm testing moved out: RSA, DSA, DH, ECC, SM2,
Curve25519, Ed25519, Curve448, Ed448, ML-DSA.
Signature API tests moved out.

Fix for OCSP testing to ensure RSA is available.

Added group names to API test cases.
Can select groups to run with --group <name>. --groups lists all known
group names.

Added option to stop API testing on first failure: --stopOnFail.
2025-03-17 09:32:00 +10:00
Eric Blankenhorn
e44ccda931 Fix ED25519 definition when WOLFSSL_CLU is enabled 2025-03-14 16:40:31 -05:00
Devin AI
e9fadcc86e Fix NO_DES3 definition when WOLFSSL_CLU is enabled
Co-Authored-By: eric@wolfssl.com <eric@wolfssl.com>
2025-03-14 21:12:09 +00:00
Daniel Pouzzner
bc7fbee539 Merge pull request #8528 from SparkiDev/digest_test_rework_2
Digest tests: add more tests
2025-03-14 16:11:42 -05:00
Devin AI
dbc2017cc7 Fix OPENSSL_ALL definition for WOLFSSL_CLU option
Co-Authored-By: eric@wolfssl.com <eric@wolfssl.com>
2025-03-14 20:03:00 +00:00
kaleb-himes
7a53301265 XTS fixups in optesting 2025-03-14 13:11:00 -06:00
kaleb-himes
9253d37dc9 Fix after upstream merge changed NO_MAIN_DRIVER requirements for harness 2025-03-14 13:08:57 -06:00
kaleb-himes
d274ed291f Restore default start setup 2025-03-14 13:08:57 -06:00
kaleb-himes
14bef2f6c8 Checkin XCODE settings for v6.0.0 module 2025-03-14 13:08:57 -06:00
Kaleb Himes
6188c9c342 Merge pull request #8563 from douzzer/20250313-various-fixes
20250313-various-fixes
2025-03-14 10:47:19 -06:00
Daniel Pouzzner
b9111aae99 wolfssl/wolfcrypt/types.h: refactor assert.h gate as WOLFSSL_HAVE_ASSERT_H && !WOLFSSL_NO_ASSERT_H.
wolfssl/wolfcrypt/settings.h: #ifdef WOLFSSL_LINUXKM, #undef WOLFSSL_HAVE_ASSERT_H and #define WOLFSSL_NO_ASSERT_H.
2025-03-14 02:11:58 -05:00
Daniel Pouzzner
87c0ac90b8 configure.ac:
* sense assert.h and define WOLFSSL_HAVE_ASSERT_H accordingly.
* force off enable_aesgcm_stream if 32 bit armasm or riscv-asm (not yet implemented or buildable).
* add AM_CONDITIONAL([BUILD_CHACHA_NOASM, ...]) when --enable-chacha=noasm.

src/include.am: gate armasm/riscv_asm chacha files on !BUILD_CHACHA_NOASM.

tests/api.c: add missing HAVE_CHACHA&&HAVE_POLY1305 gate around test_TLSX_CA_NAMES_bad_extension().

wolfcrypt/src/chacha.c: tweak WOLFSSL_ARMASM and WOLFSSL_RISCV_ASM codepaths to also depend on !NO_CHACHA_ASM.

wolfssl/wolfcrypt/types.h: in setup for wc_static_assert(), #include <assert.h> if WOLFSSL_HAVE_ASSERT_H, >=C11, or >=C++11.
2025-03-13 23:17:57 -05:00
Daniel Pouzzner
37909e9707 Merge pull request #8561 from SparkiDev/poly1305-arm32-asm-fix
Poly1305 ARM32 assembly code: loading with ldm
2025-03-13 22:10:41 -05:00
Sean Parkinson
97a646661f Poly1305 ARM32 assembly code: loading with ldm
Loading message with ldm, that requires aligned pointers, when 64n +
16*[1-3] bytes are to be processed.
2025-03-14 11:05:48 +10:00
Brett Nicholas
b7764e9308 add support for WC_NO_DEFAULT_DEVID to configure 2025-03-13 14:51:05 -06:00
Anthony Hu
85e9f73868 Check if WOLFSSL_SHAKExxx is not defined 2025-03-13 13:22:20 -04:00
JacobBarthelmeh
2125cbd98e Merge pull request #8552 from douzzer/20250312-linuxkm-lkcapi-aes-cfb-fixes
20250312-linuxkm-lkcapi-aes-cfb-fixes
2025-03-12 21:06:27 -06:00
Hideki Miyazaki
a18ac7c3ec fix PRB test failure 2025-03-13 11:12:26 +09:00
Hideki Miyazaki
9188e0a801 fix PR test failures 2025-03-13 09:48:34 +09:00
Hideki Miyazaki
b39c2206d7 modified client chain at server side
added unit test
2025-03-13 09:39:13 +09:00
Hideki Miyazaki
d6c0184fda fix qt jenkins failure 2025-03-13 09:39:13 +09:00
Sean Parkinson
74454715ec ECH: generate multiple configs and rotate echConfigs
Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs, add
functions to rotate the server's echConfigs.
2025-03-13 10:24:53 +10:00
Sean Parkinson
93acd466a7 Merge pull request #6805 from jpbland1/ech-hello-retry
Ech hello retry request
2025-03-13 09:17:58 +10:00
Brett Nicholas
8e3e60e4e2 adds WC_NO_DEFAULT_DEVID to disallow automatic use of "default" devId 2025-03-12 16:53:25 -06:00
Daniel Pouzzner
c80a050c29 linuxkm/lkcapi_glue.c: fix aes-cfb wrappers, and add
WOLFSSL_DEBUG_TRACE_ERROR_CODES support for EINVAL/ENOMEM/EBADMSG;

configure.ac: remove ENABLED_EXPERIMENTAL requirement for
  --enable-linuxkm-lkcapi-register=cfb(aes);

linuxkm/module_hooks.c: omit "skipping full wolfcrypt_test" message if
  wc_RunAllCast_fips() was run.
2025-03-12 17:08:04 -05:00
Kareem
88fdfdd52d Change #pragma GCC macros in sp_int.c to PRAGMA_GCC macros to avoid calling them on unsupported toolchains. 2025-03-12 12:12:24 -07:00
Lealem Amedie
950be33c57 Insert STM32WBA52xx in the right order 2025-03-12 11:58:18 -06:00
Lealem Amedie
e13bf4bd7c Add STM32WBA52xx to known macros 2025-03-12 11:08:26 -06:00
Kaleb Himes
517f4bd561 Merge pull request #8549 from douzzer/20250311-aesxts-stream-armasm-and-unit-test-wolfcrypt-test
20250311-aesxts-stream-armasm-and-unit-test-wolfcrypt-test
2025-03-12 10:18:39 -06:00
Daniel Pouzzner
d2fc77ae93 wolfcrypt/test/test.c: add missing PRIVATE_KEY_UNLOCK()s around pkcs7enveloped_test() and pkcs7authenveloped_test() exposed by "--enable-fips=ready --enable-pkcs7 --disable-harden". 2025-03-11 17:10:54 -05:00
Lealem Amedie
96b8d72c4f Add support for STM32WBA 2025-03-11 15:16:26 -06:00
Daniel Pouzzner
9a84dfc86a add wolfcrypt_test() to unit_test(); remove call to HashTest() and delete
tests/hash.c (entire file duplicates code in wolfcrypt/test/test.c, originally
  ctaocrypt/test/test.c).
2025-03-11 14:59:07 -05:00
Daniel Pouzzner
2de3d46971 wolfcrypt/test/test.c: in cryptocb_test(), fix error code from
wc_CryptoCb_RegisterDevice(), and call wc_CryptoCb_UnRegisterDevice() at
  cleanup.
2025-03-11 14:51:25 -05:00
Daniel Pouzzner
2a4dbbf545 configure.ac: remove mutual exclusion of armasm and WOLFSSL_AESXTS_STREAM --
this now works, and uses armasm-accelerated _AesEcb{En,De}crypt() via
  _AesXtsHelper().  also, add -DNO_CRYPT_TEST to CFLAGS in builds with
  $ENABLED_CRYPT_TESTS = no.
2025-03-11 14:47:32 -05:00
Devin AI
7c84200dda Add WOLFSSL_CLU option to cmake.yml workflow
Co-Authored-By: eric@wolfssl.com <eric@wolfssl.com>
2025-03-11 17:05:26 +00:00
Devin AI
60dc30326c Add WOLFSSL_CLU option to CMakeLists.txt
Co-Authored-By: eric@wolfssl.com <eric@wolfssl.com>
2025-03-11 15:50:31 +00:00
Daniel Pouzzner
fb23b487eb Merge pull request #8546 from kaleb-himes/WCv6.0.0-RC5-UPDT
Update fips-check.sh to pickup XTS streaming support on aarch64
2025-03-10 18:09:25 -05:00
Anthony Hu
b608946549 Guard fix. 2025-03-10 17:32:58 -04:00
kaleb-himes
e7b3fec1fb Update fips-check.sh to pickup XTS streaming support on aarch64 2025-03-10 13:37:42 -06:00
John Bland
c48b4f2d86 add missing echX NULL check 2025-03-10 11:11:27 -04:00
John Bland
9b65bc22f1 fix uninitialized variable error 2025-03-10 10:18:48 -04:00
John Bland
a344ba1eb2 add missing echConfigs check 2025-03-10 09:35:40 -04:00
John Bland
1fd952d6d0 fix bad ech transaction hash calculations 2025-03-10 09:12:13 -04:00
John Bland
8ff08740f8 Merge branch 'master' into ech-hello-retry 2025-03-10 03:37:27 -04:00
Sean Parkinson
a7690ca24b ML-KEM/Kyber: finish name change 2025-03-10 08:37:14 +10:00
Sean Parkinson
e7ef3ab606 Digest tests: add more tests
Add testing of MD2 and Md4.
Add more tests of functions in hash.c.
Reformat data to match what is output by PRINT_DATA macro.
2025-03-10 08:13:06 +10:00
jordan
f91f9bf037 coverity: pacify test_md5 uninitialized scalar variable warning. 2025-03-09 16:03:21 -04:00
David Garske
ad8eb760e3 Merge pull request #8540 from douzzer/20250307-misc-xorbuf-optimizer
20250307-misc-xorbuf-optimizer
2025-03-08 15:51:54 -08:00
Daniel Pouzzner
a84831c47f disable .github/workflows/msys2.yml -- failing unit test on its ucrt64 scenario, then the test script wedged on retry after successfully make checking. 2025-03-07 20:11:58 -06:00
Daniel Pouzzner
cbcca93fde configure.ac: print a warning, not an error, on "Conflicting asm settings", for backward compatibility. 2025-03-07 19:52:26 -06:00
Daniel Pouzzner
66376bed28 wolfcrypt/src/misc.c: in xorbufout() and xorbuf(), call XorWords() directly via a simplified path if all args are already aligned to WOLFSSL_WORD_SIZE (fixes performance regression from dc2e2631bc).
configure.ac: add a "Conflicting asm settings" error check at end, since our configuration currently blows up if --enable-intelasm and --disable-asm are combined.
2025-03-07 19:52:26 -06:00
Daniel Pouzzner
c3f24568ff Merge pull request #8520 from JacobBarthelmeh/pkcs7_verify_stream
PKCS7 verify and decode indefinite length support
2025-03-07 18:47:30 -06:00
Daniel Pouzzner
27ed748867 Merge pull request #8504 from rlm2002/msys2
Add MSYS2 build CI test
2025-03-07 17:58:50 -06:00
Anthony Hu
6d6c5f520b unit tests 2025-03-07 18:30:41 -05:00
JacobBarthelmeh
8dd614430a clang-tidy fixes for test case 2025-03-07 16:04:57 -07:00
David Garske
aff17b7139 Merge pull request #8541 from night1rider/zephyr-asm
Adding missing files for zephyr compile for ASM
2025-03-07 14:38:51 -08:00
msi-debian
c8eb3b07a0 Kconfig update for new setting 2025-03-07 14:19:33 -07:00
msi-debian
3587e28966 Adding missing files for zephyr compile for ASM 2025-03-07 14:16:02 -07:00
JacobBarthelmeh
09ffdeb897 fix for different reported conversion warnings 2025-03-07 11:52:01 -07:00
jordan
1b404e8449 tests quic: fix assignment where comparison intended warning. 2025-03-07 13:38:40 -05:00
Anthony Hu
f8506c3e04 Allow critical alt and basic constraints extensions
Also properly track pathlen.
2025-03-07 13:06:06 -05:00
JacobBarthelmeh
53fa4ffbaf conversion warning fixes 2025-03-07 11:03:12 -07:00
jordan
0950955b14 tests quic: fix c89 clang tidy warning. 2025-03-07 10:32:25 -05:00
jordan
40588574ce tests quic: clean up line lengths. 2025-03-07 09:19:13 -05:00
jordan
cad2189e80 tests quic: fix error handling. 2025-03-07 08:08:37 -05:00
Sean Parkinson
5729923469 Merge pull request #8538 from douzzer/20250306-Wconversion-fixes-and-tests
20250306-Wconversion-fixes-and-tests
2025-03-07 13:22:05 +10:00
Daniel Pouzzner
3ada6e29aa .github/workflows/wolfCrypt-Wconversion.yml: remove -m32 scenario due to missing dependencies, and render early the full config under test for easier debugging. 2025-03-06 17:48:03 -06:00
Daniel Pouzzner
932513a41e fixes for various -W*conversions in sp_int.c, asn.c, fe_operations.c, fe_448.c, ge_448.c. also, add support for NO_INT128, and add .github/workflows/wolfCrypt-Wconversion.yml. 2025-03-06 16:08:38 -06:00
jordan
6a45c8ee0e tests quic: fix uninitialized vars. 2025-03-06 16:14:39 -05:00
jordan
8d90e321c4 coverity: tests quic cleanup. 2025-03-06 15:32:21 -05:00
kareem-wolfssl
acc096c2ea Merge pull request #8533 from dgarske/eccnb
Fixes for ECC non-blocking tests
2025-03-06 11:08:43 -07:00
JacobBarthelmeh
8e98a41401 fix for build with NO_PKCS7_STREAM 2025-03-06 10:43:02 -07:00
David Garske
547519265a Merge pull request #8534 from douzzer/20250305-linuxkm-LKCAPI-AES-CBC-fixes
20250305-linuxkm-LKCAPI-AES-CBC-fixes
2025-03-06 08:44:05 -08:00
Daniel Pouzzner
f572cffa31 .wolfssl_known_macro_extras: remove unneeded entry. 2025-03-05 18:44:08 -06:00
JacobBarthelmeh
b039e055df clang-tidy warning of garbage value used 2025-03-05 17:19:53 -07:00
David Garske
1bd3bf1b66 Merge pull request #8531 from night1rider/zephyr-fs-rewind-fix
Fix for missing rewind function in zephyr
2025-03-05 16:04:36 -08:00
David Garske
dfc6a52db5 Fixes for ECC non-blocking tests. Added example user_settings.h build test. Demonstrate ECC 256, 384 and 521 bit. 2025-03-05 15:58:51 -08:00
Daniel Pouzzner
d82a7b10c5 wolfcrypt/src/evp.c: fix a name conflict around "cipherType" that provokes -Wshadow on gcc pre-4v8. 2025-03-05 17:56:08 -06:00
Daniel Pouzzner
dc2e2631bc linuxkm: various fixes for LKCAPI wrapper for AES-CBC (now passing kernel-native
self-test and crypto fuzzer), and de-experimentalize it.

wolfssl/wolfcrypt/types.h: add definitions for WOLFSSL_WORD_SIZE_LOG2.

wolfcrypt/src/misc.c: fix xorbuf() to make the XorWords() reachable; also,
  refactor integer division and modulus ops as masks and shifts, and add pragma
  to suppress linuxkm FORTIFY_SOURCE false positive -Wmaybe-uninitialized.
2025-03-05 17:56:08 -06:00
Daniel Pouzzner
7d102a1816 Merge pull request #8530 from SparkiDev/test_dual_alg_support_dates_fix
Test daul alg support: set before and after dates
2025-03-05 17:55:38 -06:00
JacobBarthelmeh
624233fb98 update test case to account for NO_DES3 build and resolve clang tidy warnings 2025-03-05 16:28:26 -07:00
Devin AI
c1215aa93b Fix wc_MlKemKey_Free to return int instead of void
Co-Authored-By: sean@wolfssl.com <sean@wolfssl.com>
2025-03-05 22:42:19 +00:00
Devin AI
f4b770c5ab Update Kyber APIs to ML-KEM APIs
- Change struct KyberKey to struct MlKemKey
- Add backward compatibility typedef for KyberKey
- Add function declarations for new wc_MlKemKey_ functions
- Add backward compatibility #defines to map old wc_KyberKey APIs to new wc_MlKemKey APIs
- Update wc_MlKemKey_Init to take key first and type second
- Create new files wc_mlkem.h and wc_mlkem.c with updated content
- Update internal APIs with lowercase kyberkey to lowercase mlkemkey

Co-Authored-By: sean@wolfssl.com <sean@wolfssl.com>
2025-03-05 22:38:07 +00:00
JacobBarthelmeh
68e483d196 refactor of decode envelop for edge cases 2025-03-05 15:24:02 -07:00
Daniel Pouzzner
9fc7e42554 Merge pull request #8507 from SparkiDev/ct_fixes_3
Constant time code: improved implementations
2025-03-05 15:17:23 -06:00
msi-debian
7ea89a62ba Fix for missing rewind function in zephyr 2025-03-05 12:49:58 -07:00
Sean Parkinson
eaa61c2208 Test daul alg support: set before and after dates
Must set before and after dates into certificate structure as creation
of certificate does not fill in those fields but uses the current time.
The current time may change by a second between signings.
2025-03-05 16:15:55 +10:00
David Garske
a073868cf0 Merge pull request #8527 from SparkiDev/sp_int_asm_fixes_1
SP int: inline asm improvements and mont reduce simplifications
2025-03-04 14:45:16 -08:00
JacobBarthelmeh
b75976692e spelling fix and code formatting 2025-03-04 14:31:23 -07:00
David Garske
49122f36e9 Merge pull request #8526 from gasbytes/add-middlebox-compat-to-enable-jni
Enable TLS 1.3 middlebox compatibility by default with --enable-jni
2025-03-04 09:11:28 -08:00
JacobBarthelmeh
4124c824ca refactor decrypt content init call 2025-03-04 09:29:36 -07:00
Sean Parkinson
caf801f211 SP int: inline asm improvements and mont reduce simplifications
SP int inline asm:
- allow input variables to be either registers or memory for Intel
x86/x64 (minor performance improvement)
  - don't have memory in clobber list if output variables are registers
- remove empty clobber line in arm32/thumb2 code for old versions of
gcc
_sp_mont_red():
  - simplify the code by not using extra variables
  - don't add to j in for loop check.
2025-03-04 16:16:26 +10:00
David Garske
9b16ed5da4 Merge pull request #8518 from lealem47/evp_update_null_cipher
Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate
2025-03-03 14:03:57 -08:00
David Garske
2b099daee0 Merge pull request #8511 from SparkiDev/intel_sha_not_avx1
SHA256: Intel flags has SHA but not AVX1 or AVX2
2025-03-03 13:59:10 -08:00
Ruby Martin
b64f509d1b define NO_WRITE_TEMP_FILES 2025-03-03 10:14:06 -07:00
Reda Chouk
3e5e81c45f Enable TLS 1.3 middlebox compatibility by default with --enable-jni
Adding -DWOLFSSL_TLS13_MIDDLEBOX_COMPAT flag to the default
compilation flags when --enable-jni is used.

Related PRs in other repositories:
- wolfSSL/wolfssljni#255
- wolfSSL/testing#845
2025-03-03 14:12:20 +01:00
JacobBarthelmeh
fcf88f16e6 spelling fixes and free decrypt structs on error case 2025-03-01 15:43:59 -07:00
David Garske
72d08a1a79 Merge pull request #8522 from douzzer/20250228-fixes
20250228-fixes
2025-02-28 18:17:31 -08:00
Daniel Pouzzner
058014b3eb src/ssl.c: add missing !NO_WOLFSSL_SERVER gate around wolfSSL_get_servername(). 2025-02-28 19:07:03 -06:00
Daniel Pouzzner
d6b5c8e8ee src/ssl_asn1.c: fix misspelling cause by overbroad search+replace. 2025-02-28 18:25:41 -06:00
Daniel Pouzzner
de6ac319cc .wolfssl_known_macro_extras: remove unneeded entries. 2025-02-28 18:01:49 -06:00
Lealem Amedie
59a987aa00 Remove trailing whitespace 2025-02-28 16:06:24 -07:00
JacobBarthelmeh
b781ac6c29 asn to der macro gaurds and co-exist build fix 2025-02-28 15:42:24 -07:00
Daniel Pouzzner
9c3816089c tests/api.c: disable test_wolfSSL_OCSP_parse_url() if WOLFSSL_SM2 || WOLFSSL_SM3. 2025-02-28 15:58:54 -06:00
JacobBarthelmeh
6020bf2368 initialize test variables and fix async build 2025-02-28 14:46:42 -07:00
JacobBarthelmeh
ea9f044bcc spelling fixes and return value fix 2025-02-28 14:34:51 -07:00
Daniel Pouzzner
50a3be6df7 wolfcrypt/src/sp_int.c. src/ssl_asn1.c. src/internal.c: rename several declarations to avoid shadowing global functions, for the convenience of obsolete (pre-4v8) gcc -Wshadow. 2025-02-28 15:29:58 -06:00
Daniel Pouzzner
f7b911f5cd src/ssl.c, src/internal.c: fix leak in wolfSSL_get_ciphers_compat(): fix gating (OPENSSL_EXTRA, not OPENSSL_ALL) in FreeSuites() re .suitesStack and .clSuitesStack, and similarly fix gating on the implementation of wolfSSL_sk_SSL_CIPHER_free(() and related.
src/ssl_sess: suppress false positive clang-analyzer-unix.Malloc "Argument to 'free()' is the address of a global variable".
2025-02-28 15:23:43 -06:00
JacobBarthelmeh
ea387323c3 remove white space and add macro guard around test case 2025-02-28 14:23:25 -07:00
JacobBarthelmeh
638d9961d2 passing the rest of the PKCS7 unit tests 2025-02-28 14:23:24 -07:00
JacobBarthelmeh
7c6cd1deea passing a unit test 2025-02-28 14:23:24 -07:00
JacobBarthelmeh
1e254c014d application decryption successful 2025-02-28 14:23:24 -07:00
JacobBarthelmeh
b1b1c15b35 add content stream output callback for VerifySignedData function 2025-02-28 14:23:24 -07:00
Lealem Amedie
08a314e57e Add test src file to CMake build 2025-02-28 11:54:19 -07:00
Lealem Amedie
22221e5007 Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate 2025-02-28 11:44:30 -07:00
Daniel Pouzzner
7698546531 Merge pull request #8515 from SparkiDev/test_sha512_be
Tests api.c: sha512 big endian
2025-02-28 00:51:54 -06:00
Sean Parkinson
14651edae0 Tests api.c: sha512 big endian
Don't need to reverse bytes for SHA-512 Transform API.
2025-02-28 14:58:43 +10:00
Sean Parkinson
4f8a39cbcf Merge pull request #8498 from rizlik/ocsp_fixes
OCSP openssl compat fixes
2025-02-28 13:42:50 +10:00
Daniel Pouzzner
d63a180f95 Merge pull request #8513 from SparkiDev/api_c_split_ciphers
Test api.c: split out MACs and ciphers
2025-02-27 14:00:36 -06:00
Marco Oliverio
194db7e844 tests: gate ocsp test on SM2 || SM3
we don't properly support SM2 and SM3 hash algo id properly yet
2025-02-27 19:38:46 +00:00
Marco Oliverio
83f5644549 ocsp: Fix OcspEncodeCertID SetAlgoID return check 2025-02-27 19:38:44 +00:00
Marco Oliverio
814f0f8a09 Refactor CERT_ID encoding as per review comments 2025-02-27 12:50:37 +00:00
Sean Parkinson
48300352c6 Test api.c: split out MACs and ciphers 2025-02-27 15:52:39 +10:00
Sean Parkinson
7d0ef5bd42 Merge pull request #8512 from douzzer/20250226-fixes
20250226-fixes
2025-02-27 14:48:05 +10:00
Daniel Pouzzner
f7ddc49487 linuxkm/linuxkm_wc_port.h: add #error if the user tries to use the kernel crypto fuzzer with FIPS AES-XTS (kernel bug).
src/internal.c: fix shiftTooManyBitsSigned in DefTicketEncCb().

tests/api/test_sha256.c and wolfssl/wolfcrypt/sha256.h: gate raw transform APIs (wc_Sha256Transform(), wc_Sha256FinalRaw()) and tests on !defined(WOLFSSL_KCAPI_HASH) && !defined(WOLFSSL_AFALG_HASH).

move enum wc_HashFlags from wolfssl/wolfcrypt/hash.h to wolfssl/wolfcrypt/types.h to resolve circular dependency detected by cross-armv7m-armasm-thumb-fips-140-3-dev-sp-asm-all-crypto-only.

add FIPS_VERSION_GE(7,0) gates to new null-arg tests in test_wc_Shake{128,256}_*().

optimize ByteReverseWords() for cases where only one operand is unaligned, and add correct handling of unaligned data in ByteReverseWords64() to resolve unaligned access sanitizer report in cross-aarch64_be-all-sp-asm-unittest-sanitizer.
2025-02-26 20:55:56 -06:00
Sean Parkinson
0a6a8516f9 Merge pull request #8488 from dgarske/stm32h7s
Support for STM32H7S (tested on NUCLEO-H7S3L8)
2025-02-27 10:34:41 +10:00
Sean Parkinson
a0d6afbb04 Merge pull request #8505 from jmalak/ow-fixes
various fixes for Open Watcom build
2025-02-27 10:31:19 +10:00
Daniel Pouzzner
183d9b44d1 Merge pull request #8509 from kaleb-himes/WCv6.0.0-RC4-CHECKIN
Disable XTS-384 as an allowed use in FIPS mode
2025-02-26 18:24:12 -06:00
Sean Parkinson
c290907228 Merge pull request #8510 from wolfSSL/devin-lifeguard/update-rules-d59f9c48
Update Devin Lifeguard rules
2025-02-27 09:40:48 +10:00
Sean Parkinson
99f25c6399 Merge pull request #8494 from Laboratory-for-Safe-and-Secure-Systems/various
Various fixes and improvements
2025-02-27 09:40:06 +10:00
Sean Parkinson
b104887042 SHA256: Intel flags has SHA but not AVX1 or AVX2
Reversal of bytes when IS_INTEL_SHA only is same as when AVX1 or AVX2.
2025-02-27 09:25:13 +10:00
David Garske
92ed003a58 Merge pull request #8502 from SparkiDev/pkcs_pad
PKCS Pad: public API to do PKCS padding
2025-02-26 15:17:50 -08:00
David Garske
512f928650 Fix cast warnings with g++. 2025-02-26 14:45:23 -08:00
Sean Parkinson
f204ac8363 PKCS Pad: public API to do PKCS padding
PKCS padding adds length of padding as repeated padding byte.
Use the new function in all places.
2025-02-27 08:28:53 +10:00
devin-ai-integration[bot]
615d7229b0 Update Devin Lifeguard rules 2025-02-26 22:19:57 +00:00
David Garske
307b71c0f4 Merge pull request #8508 from SparkiDev/arm_asm_sha512_384
ARM ASM: available for SHA-384 only too
2025-02-26 14:11:27 -08:00
David Garske
557abcf76a Support for STM32H7S (tested on NUCLEO-H7S3L8). It supports hardware crypto for RNG, Hash, AES and PKA. Added future config option for DTLS v1.3. Support DTLS v1.3 only reduce code size (tested with: ./configure --enable-dtls13 --enable-dtls --disable-tlsv12 CFLAGS="-DWOLFSSL_SEND_HRR_COOKIE"). 2025-02-26 14:00:48 -08:00
kaleb-himes
738462a6f0 Remove redundent gates 2025-02-26 12:03:25 -07:00
kaleb-himes
b8a383469a Disable 192-bit tests in FIPS mode 2025-02-26 11:09:31 -07:00
Ruby Martin
0c413e75c6 add environment matrix to msys workflow 2025-02-26 09:07:16 -07:00
Ruby Martin
439012dd57 adjust xfopen commands 2025-02-26 09:05:53 -07:00
Ruby Martin
6fed2fe447 include cygwin and msys2 ostypes to oscp-stapling tests 2025-02-26 09:05:53 -07:00
Ruby Martin
57646a88ff check if clientfd != SOCKET_INVALID not 0, add check if USE_WINDOWS_API
not defined
2025-02-26 09:03:55 -07:00
Ruby Martin
d37e566d5d msys2 build file 2025-02-26 08:10:59 -07:00
kaleb-himes
9063093993 Disable XTS-384 as an allowed use in FIPS mode 2025-02-26 07:38:45 -07:00
Tobias Frauenschläger
75d63071df Fix memory leak in handshake
Make sure peer dilithium keys are properly freed.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-26 15:34:00 +01:00
Tobias Frauenschläger
491e70be7a PSK fix
Fix compilation in case PSK is enabled, not Session tickets are
disabled.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-26 15:33:59 +01:00
Tobias Frauenschläger
3d4ec1464b Minor Dilithium fix
Fix compilation in case caching is enabled.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-26 15:33:59 +01:00
Tobias Frauenschläger
af4017132d LMS fixes
* Add support for CMake
* Add support for Zephyr
* Make sure the internal key state is properly handled in case a public
  key is imported into a reloaded private key.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-26 15:33:59 +01:00
Tobias Frauenschläger
9db5499dbd Update CryptoCb API for Dilithium final standard
Add context and preHash metadata.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-26 15:33:59 +01:00
Tobias Frauenschläger
be6888c589 Fixes for Dilithium in TLS handshake
Some fixes to better handle Dilithium keys and signatures in the TLS
handshake.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-26 15:33:59 +01:00
Jiri Malak
b5ba7a6fcc correct Open Watcom linker extra libraries 2025-02-26 11:03:36 +01:00
Jiri Malak
47d130440d remove now useless __WATCOMC__ macro check 2025-02-26 10:26:28 +01:00
Jiri Malak
17a0081261 correct line length to be shorter then 80 characters 2025-02-26 08:02:43 +01:00
Sean Parkinson
9e9efeda28 ARM ASM: available for SHA-384 only too
Add HAVE_SHA384 to check for whether assembly code is available.
2025-02-26 16:10:21 +10:00
Sean Parkinson
4752bd2125 Constant time code: improved implementations
Change constant time code to be faster.
2025-02-26 11:52:09 +10:00
Jiri Malak
a83cf8584d add new macro __UNIX__ to the list of known macros 2025-02-26 01:22:25 +01:00
Marco Oliverio
07c7b21b10 tests: api: fix test for d2i_CERT_ID refactor 2025-02-25 22:22:43 +00:00
Marco Oliverio
5eef98a5ea ocsp: add OCSP CERT ID encode/decode test 2025-02-25 22:22:43 +00:00
Marco Oliverio
5f05209c77 ocsp: fix wolfSSL_d2i_OCSP_CERTID 2025-02-25 22:22:43 +00:00
Jiri Malak
ddfbbc68ac various fixes for Open Watcom build
- fix build for OS/2
- fix build for Open Watcom 1.9
2025-02-25 22:52:36 +01:00
David Garske
3557cc764a Merge pull request #8501 from SparkiDev/digest_test_rework
Digest testing: improve
2025-02-25 13:03:48 -08:00
Marco Oliverio
dfc5e61508 asn: ocsp: refactor out CERT ID decoding
It will be reused in d2i_CERT_ID
2025-02-25 20:20:34 +00:00
David Garske
f2c5b4e56a Merge pull request #8500 from SparkiDev/evp_aes_gcm_test_fix
test_wolfssl_EVP_aes_gcm: fix for mem fail testing
2025-02-25 09:56:55 -08:00
David Garske
bac6771828 Merge pull request #8499 from SparkiDev/crl_list_fix
CRL: fix memory allocation failure leaks
2025-02-25 09:54:55 -08:00
David Garske
4eda5e1f7f Merge pull request #8491 from jmalak/winsock-guard
correct comment for _WINSOCKAPI_ macro manipulation
2025-02-25 09:51:23 -08:00
Daniel Pouzzner
0589a34f91 Merge pull request #8135 from gasbytes/fix-conversion
Fix conversion on various files
2025-02-25 10:01:31 -06:00
Marco Oliverio
3bd4b35657 ocsp: support CERT_ID encoding in i2d_OCSP_CERTID 2025-02-25 15:45:11 +00:00
Marco Oliverio
4016120f37 ocsp: populate digest type in cert_to_id
- Added validation for digest type in `wolfSSL_OCSP_cert_to_id` function.
- Defined `OCSP_DIGEST` based on available hash types.
- Set `hashAlgoOID` in `certId` based on `OCSP_DIGEST`.
- Updated `asn.h` to define `OCSP_DIGEST` and `OCSP_DIGEST_SIZE` based on
  available hash types.
2025-02-25 15:42:44 +00:00
Marco Oliverio
740fb6bafc test: gate ocsp test when SHA-1 is disabled
tests blobs contains sha-1 hashes in certificate status
2025-02-25 15:42:35 +00:00
Marco Oliverio
78ca784826 test: ocsp: fix output file name in script 2025-02-25 15:42:30 +00:00
Marco Oliverio
c24b7d1041 ocsp: use SHA-256 for responder name if no-sha 2025-02-25 15:42:27 +00:00
Marco Oliverio
8b80cb10d6 ocsp: responderID.ByKey is SHA-1 Digest len
Check that responderID.ByKey is exactly WC_SHA_DIGEST_SIZE as per RFC
6960. KEYID_SIZE can change across build configuration.
2025-02-25 15:42:22 +00:00
Reda Chouk
9178c53f79 Fix: Address and clean up code conversion in various files. 2025-02-25 11:17:58 +01:00
Sean Parkinson
6016cc0c97 Digest testing: improve
Make testing digests consistent.
Add KATs for all digests.
Check unaligned input and output works.
Perform chunking tests for all digests.

Fix Blake2b and Blake2s to checkout parameters in update and final
functions.
Fix Shake256 and Shake128 to checkout parameters in absorb and squeeze
blocks functions.

Add default digest size enums for Blake2b and Blake2s.
2025-02-25 19:07:20 +10:00
Sean Parkinson
6f268c4369 CRL: fix memory allocation failure leaks
On memory allocation failure, some functions were leaking memory.

Also add reference counting to CRL object so that a deep copy of a list
of CRLs doesn't leak memory.
The test was explicitly freeing each CRL in the list.
2025-02-25 09:05:03 +10:00
Sean Parkinson
ac1f25d6f4 test_wolfssl_EVP_aes_gcm: fix for mem fail testing
Fix test to not leak when memory allocation failure testing.
When not supporting AES-GCM streaming, allocation failures occur.
Always call cleanup.
2025-02-25 08:15:43 +10:00
Daniel Pouzzner
a85641574d Merge pull request #8493 from Laboratory-for-Safe-and-Secure-Systems/pqc_clang_tidy
PQC Clang-tidy fixes
2025-02-24 15:37:05 -06:00
JacobBarthelmeh
146d17d134 Merge pull request #8496 from embhorn/mosquitto_cert_update
Add cert update to workflow
2025-02-24 11:14:33 -07:00
Eric Blankenhorn
0256b426f0 Add cert update to workflow 2025-02-24 11:26:19 -06:00
Sean Parkinson
a756010a4d Merge pull request #8492 from douzzer/20250221-fix-Kbuild-EXPORT_SYMBOL_NS_GPL
20250221-fix-Kbuild-EXPORT_SYMBOL_NS_GPL
2025-02-24 22:37:29 +10:00
Tobias Frauenschläger
fd8f6e168b PQC Clang-tidy fixes
Fixes two clang-tidy warnings in error cases.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-24 09:28:23 +01:00
Daniel Pouzzner
c9cf4137e7 linuxkm/Kbuild and linuxkm/module_exports.c.template: refactor using .ONESHELL, and in recipe for generating linuxkm/module_exports.c, render the namespace with a literal, with or without quotes as dictated by target kernel version. remove EXPORT_SYMBOL_NS_Q(), which didn't work right on old (pre-6.13) kernels with namespace support.
wolfssl/wolfcrypt/settings.h: in WOLFSSL_LINUXKM section, define NO_OLD_WC_NAMES, OPENSSL_COEXIST, etc., to avoid collisions with in-tree crypto in application sources that include both wolfssl and linux kernel native headers.
2025-02-23 15:35:33 -06:00
Daniel Pouzzner
011ade4966 .wolfssl_known_macro_extras: fix unneeded and out-of-order entries (LC_ALL=C order). 2025-02-23 15:35:33 -06:00
Daniel Pouzzner
0116ab6ca2 Merge pull request #8484 from jmalak/offsetof
Rename OFFSETOF macro to WolfSSL specific WC_OFFSETOF name
2025-02-23 14:45:43 -06:00
Jiri Malak
d066e6b9a5 correct comment for _WINSOCKAPI_ macro manipulation
The issue is with MINGW winsock2.h header file which is not compatible
with Miscrosoft version and handle _WINSOCKAPI_ macro differently
2025-02-23 11:15:38 +01:00
Jiri Malak
1d1ab2d9ff Rename OFFSETOF macro to WolfSSL specific WC_OFFSETOF name
There are the following reasons for this
- it conflicts with the OFFSETOF macro in the OS/2 header (Open Watcom)
- it is compiler-specific and should use the C standard offsetof definition in the header file stddef.h
- it is more transparent unique name
2025-02-22 09:44:54 +01:00
David Garske
29c3ffb5ee Merge pull request #8435 from JacobBarthelmeh/formatting
add else case to match with other statements
2025-02-21 17:21:10 -08:00
David Garske
865f96aafd Merge pull request #7821 from Laboratory-for-Safe-and-Secure-Systems/pqc_hybrid_kex
Add more PQC hybrid key exchange algorithms
2025-02-21 11:28:55 -08:00
JacobBarthelmeh
5fc7d9f5f2 Merge pull request #8483 from gojimmypi/pr-fips-readme
Update README.md to reflect FIPS 140-3 validated Certificate #4718
2025-02-21 11:00:31 -07:00
Tobias Frauenschläger
c899f79cfa Update key share group ranking algorithm
In case no user group ranking is set, all groups are now ranked equally
instead of the order in the `preferredGroup` array. This is the
behavior already indicated in the comment header of the function.

This change is necessary for applications that do not set their own
group ranking (via `wolfSSL_CTX_set_groups()` for example). When such an
application creates a TLS server and receives a ClientHello message with
multiple key shares, now the first key share is selected instead of the
one with the lowest index in the `preferredGroup` array.

Recent browsers with PQC support place two key shares in their
ClientHello message: a hybrid PQC + X25519 one and at least one
classic-only one. The hybrid one is the first one, indicating a
preference. Without this change, however, always the classic-only key
share has been selected, as these algorithms have a lower index in the
`preferredGroup` array compared to the PQC hybrids.

Tested using a patched version of NGINX.

This change also results in a different selection of a key share group
in case of a HelloRetryRequest message. For the tests, where static
ephemeral keys are used (`WOLFSSL_STATIC_EPHEMERAL`), an additional
check is necessary to make sure the correct key is used for the ECDH
calculation.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-21 18:44:51 +01:00
Tobias Frauenschläger
89491c7e36 Improvements for PQC hybrid key exchange
Add support for X25519 and X448 based hybrid PQC + ECC key exchange
groups. Furthermore, two new combinations with SECP curves are added to
match OQS combinations.

This also incorporates the changed order of X25519 and X448 based
combinations to place the PQC material before the ECDH material. This is
motivated by the necessity to always have material of a FIPS approved
algorithm first.

Also, codepoints are updated to reflect the latest draft standards for
pure ML-KEM and some of the hybrids. With these changes and based on the
recent additions to both enable ML-KEM final and draft versions
simultaneously, a WolfSSL TLS server is now compatible with all recent
browsers that support either the draft version of ML-KEM (Chromium based
browsers and Firefox < version 132; only when the draft version is
enabled in the build) or the final version already (Firefox > version 132).

In the process of extending support, some code and logic cleanup
happened. Furthermore, some memory leaks within the hybrid code path have
been fixed.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2025-02-21 18:44:40 +01:00
David Garske
6271d5b5a4 Merge pull request #8485 from jmalak/cmake-build
fix failing build if not found standard threads support
2025-02-21 09:38:33 -08:00
JacobBarthelmeh
c3d5fa6748 Merge pull request #8481 from cconlon/jniDTLS13
Enable DTLS 1.3 by default in `--enable-jni` build
2025-02-21 10:02:49 -07:00
Jiri Malak
000f32a5a4 fix failing tests build if not found standard threads support
Threads::Threads is not defined, if support not found for some reason
if custom threads support is used then it happen always
of cause some tests relates to standard threads support then it fails during build, but build is started and only some tests fail
2025-02-21 09:24:15 +01:00
JacobBarthelmeh
8ae122584c Merge pull request #8482 from douzzer/20250220-misc-UnalignedWord64
20250220-misc-UnalignedWord64
2025-02-20 17:26:44 -07:00
gojimmypi
4c7538e5ac Update README.md to reflect FIPS 140-3 validated Certificate #4718 2025-02-20 15:12:18 -08:00
Daniel Pouzzner
a05436066d wolfcrypt/test/test.c: fix return values in camellia_test() (also fixes some false positive -Wreturn-stack-addresses from clang++). 2025-02-20 16:50:24 -06:00
Daniel Pouzzner
8aa2799aeb wolfssl/wolfcrypt/types.h: don't define HAVE_EMPTY_AGGREGATES when defined(__cplusplus) (fixes #8478). 2025-02-20 16:49:48 -06:00
JacobBarthelmeh
781d85284c Merge pull request #8479 from SparkiDev/intel_vzeroupper
Intel AVX1/SSE2 ASM: no ymm/zmm regs no vzeroupper
2025-02-20 15:37:01 -07:00
Chris Conlon
9892ae0cb3 Enable DTLS 1.3 by default in --enable-jni build 2025-02-20 15:05:56 -07:00
Daniel Pouzzner
41b4ac5599 misc.c: undo changes in 82b50f19c6 "when Intel x64 build, assume able to read/write unaligned" -- provokes sanitizer on amd64, and is not portable (e.g. different behavior on Intel vs AMD). all performance-sensitive word64 reads/writes should be on known-aligned data. 2025-02-20 15:00:22 -06:00
JacobBarthelmeh
01808bebca Merge pull request #8474 from philljj/coverity_feb_2025
coverity: fix test_dtls warnings.
2025-02-20 10:35:47 -07:00
JacobBarthelmeh
619a41f9da Merge pull request #8476 from philljj/coverity_null_check
coverity: dereference before null check.
2025-02-20 10:33:58 -07:00
Sean Parkinson
e90e3aa7c6 Intel AVX1/SSE2 ASM: no ymm/zmm regs no vzeroupper
vzeroupper instruction not needed to be invoked unless ymm or zmm
registers are used.
2025-02-20 22:35:20 +10:00
jordan
95e26f5b27 coverity: dereference before null check. 2025-02-19 23:23:41 -05:00
David Garske
93000e5f14 Merge pull request #8467 from SparkiDev/kyber_improv_2
ML-KEM/Kyber: improvements
2025-02-19 16:42:42 -08:00
Sean Parkinson
82b50f19c6 ML-KEM/Kyber: improvements
ML-KEM/Kyber:
  MakeKey call generate random once only for all data.
  Allow MakeKey/Encapsulate/Decapsulate to be compiled separately.
  Pull out public key decoding common to public and private key decode.
Put references to FIPS 140-3 into code. Rename variables to match FIPS
140-3.
  Fix InvNTT assembly code for x64 - more reductions.
  Split out ML-KEM/Kyber tests from api.c.

TLSX:
Store the object instead of the private key when WOLFSSL_MLKEM_CACHE_A
is defined or WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ. Faster decapsulation
when A is cached and object stored.
To store private key as normal define
WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY.

misc.c: when Intel x64 build, assume able to read/write unaligned
2025-02-20 08:14:15 +10:00
JacobBarthelmeh
539056e749 Merge pull request #8475 from embhorn/gh8473
Fix QUIC callback failure
2025-02-19 14:00:47 -07:00
David Garske
268326d875 Merge pull request #8408 from rizlik/ocsp-resp-refactor
OpenSSL Compat Layer: OCSP response improvments
2025-02-19 11:20:12 -08:00
Daniel Pouzzner
597b839217 Merge pull request #8468 from jmalak/fix-test-c89
correct test source file to follow C89 standard
2025-02-19 11:23:48 -06:00
Eric Blankenhorn
66ed35c910 Fix QUIC callback failure 2025-02-19 10:56:44 -06:00
JacobBarthelmeh
373a7d462a Merge pull request #8472 from SparkiDev/ed25519_fix_tests
Ed25519: fix tests to compile with feature defines
2025-02-19 09:53:10 -07:00
jordan
6f1c31a816 coverity: fix macro warning. 2025-02-19 11:29:45 -05:00
jordan
9a1d60100f coverity: fix test_dtls warnings. 2025-02-19 09:38:15 -05:00
Sean Parkinson
331a713271 Ed25519: fix tests to compile with feature defines
ge_operations.c: USe WOLFSSL_NO_MALLOC rather than WOLFSSL_SP_NO_MALLOC.
2025-02-19 17:41:03 +10:00
JacobBarthelmeh
393c92c3eb Merge pull request #8464 from kaleb-himes/SRTP-WIN-PORTING
Porting to Windows 11 MSVS 2022
2025-02-18 16:16:14 -07:00
Jiri Malak
3c74be333e correct test source file to follow C89 standard
for OpenSSL interface
2025-02-18 22:12:11 +01:00
JacobBarthelmeh
48f1c3b57d Merge pull request #8465 from douzzer/20250217-fix-test-c89
20250217-fix-test-c89
2025-02-18 08:44:17 -08:00
David Garske
ff70cdf9d8 Merge pull request #8466 from douzzer/20250217-fixes
20250217-fixes
2025-02-17 19:39:38 -08:00
Daniel Pouzzner
258afa5493 wolfcrypt/src/pkcs7.c: in PKCS7_EncodeSigned(), check for error from SetSerialNumber(). 2025-02-17 18:05:04 -06:00
Daniel Pouzzner
65f38df74d tests/api.c: refactor several C89-incompatible dynamically constructed arrays using static const. 2025-02-17 17:47:36 -06:00
kaleb-himes
e0bc6ef9df Porting to Windows 11 MSVS 2022 2025-02-17 16:18:10 -07:00
David Garske
a2c8168c96 Merge pull request #8460 from embhorn/gh8456
Fix cmake lean_tls build
2025-02-17 14:57:52 -08:00
Eric Blankenhorn
bc79803c1a Add workflow test 2025-02-17 15:16:29 -06:00
JacobBarthelmeh
3e38bdcd2c Merge pull request #8450 from dgarske/stm32_pka_ecc521
Fix for STM32 PKA ECC 521-bit support
2025-02-17 08:27:45 -08:00
Marco Oliverio
7db3c34e2b ocsp: enable OPENSSL tlsext status cb for NGINX and HAPROXY 2025-02-17 14:53:49 +00:00
Eric Blankenhorn
1970fec190 Fix cmake lean_tls build 2025-02-17 08:17:05 -06:00
Marco Oliverio
a1d1f0ddf1 ocsp: enable SSL_CTX_set_tlsext_status_cb only in OPENSSL_ALL 2025-02-17 11:29:09 +00:00
Marco Oliverio
0945101948 ocsp: fix: remove duplicated code 2025-02-17 11:25:24 +00:00
Marco Oliverio
1eecf326fd ocsp: use ocspReponse->heap in OcspFindSigner + minors 2025-02-17 08:59:29 +00:00
Marco Oliverio
0af092ec79 ocsp: minors 2025-02-17 08:59:29 +00:00
Marco Oliverio
a06a8b589c ocsp: minors 2025-02-17 08:59:29 +00:00
Marco Oliverio
4351a5dd70 ocsp/test: better test assertions 2025-02-17 08:59:29 +00:00
Marco Oliverio
69116eb05d ocsp/tests: update blobs and add license header 2025-02-17 08:59:29 +00:00
Marco Oliverio
c1c9af5cb6 minor: improve indentation of guards 2025-02-17 08:59:29 +00:00
Marco Oliverio
3724094ce2 ocsp: add test for response with unusable internal cert
- Added a new test case `resp_bad_embedded_cert` in
  `create_ocsp_test_blobs.py` to test OCSP response with an unusable
  internal cert that can be verified in Cert Manager.
- Updated `test_ocsp_response_parsing` in `ocsp.c` to include the new
  test case.
- Ensured the new test case checks for proper handling of OCSP responses
  with incorrect internal certificates.
2025-02-17 08:59:29 +00:00
Marco Oliverio
2c2eb2a285 ocsp: improve OCSP response signature validation
- search for the signer in the CertificateManager if the embedded cert
  verification fails in original asn template.
2025-02-17 08:59:29 +00:00
Marco Oliverio
3e50c79c3b tests: bind test_wolfSSL_client_server_nofail_memio HAVE_SSL_MEMIO_TESTS_DEP 2025-02-17 08:59:29 +00:00
Marco Oliverio
ae3177c439 ocsp-resp-refactor: fix tests 2025-02-17 08:59:29 +00:00
Marco Oliverio
851d74fd69 ocsp-resp-refactor: address reviewer's comments 2025-02-17 08:59:29 +00:00
Marco Oliverio
eb7904b5e5 tests/api: expose test_ssl_memio functions 2025-02-17 08:59:29 +00:00
Marco Oliverio
f782614e1e clang tidy fixes 2025-02-17 08:59:28 +00:00
Marco Oliverio
2fe413d80f ocsp: add tests 2025-02-17 08:59:23 +00:00
Marco Oliverio
3a3238eb9f ocsp: refactor wolfSSL_OCSP_response_get1_basic
The internal fields of OcspResponse refer to the resp->source buffer.
Copying these fields is complex, so it's better to decode the response again.
2025-02-17 08:58:03 +00:00
Marco Oliverio
b7f08b81a6 ocsp: adapt ASN original to new OCSP response refactor 2025-02-17 08:58:03 +00:00
Marco Oliverio
f526679ad5 ocsp: refactor OCSP response decoding and wolfSSL_OCSP_basic_verify
- Search certificate based on responderId
- Verify response signer is authorized for all single responses
- Align with OpenSSL behavior
- Separate wolfSSL_OCSP_basic_verify from verification done during
  decoding
2025-02-17 08:58:03 +00:00
Marco Oliverio
d7711f04ab openssl compat: skip OCSP response verification in statusCb
This aligns with OpenSSL behavior
2025-02-17 08:58:02 +00:00
Marco Oliverio
dedbb2526c ocsp: fix memory leaks in OpenSSL compat layer 2025-02-17 08:58:02 +00:00
Kaleb Himes
79744a7736 Merge pull request #8455 from douzzer/20250214-fix-wolfEntropy-configure-handling
20250214-fix-wolfEntropy-configure-handling
2025-02-14 17:14:29 -07:00
Daniel Pouzzner
39ed0eabff configure.ac: fix handling of --enable-wolfEntropy (don't re-default to no in following --enable-entropy-memuse clause). 2025-02-14 15:39:42 -06:00
David Garske
842b9a3709 Merge pull request #8433 from julek-wolfssl/dtls-cid-negative-tests
Update DTLS CID Tests and Reorganize Test Utilities
2025-02-14 11:26:57 -08:00
Daniel Pouzzner
c9de3d63f9 Merge pull request #8453 from kaleb-himes/SRTP-KDF-SCRIPT-UPDATE
Update tag for v6.0.0 module checkout
2025-02-14 13:24:25 -06:00
David Garske
e529ad51fc Merge pull request #8451 from douzzer/20240214-workflow-TEST_OPENSSL_COEXIST
20250214-workflow-TEST_OPENSSL_COEXIST
2025-02-14 11:12:28 -08:00
kaleb-himes
a6a15e6211 Update tag for v6.0.0 module checkout 2025-02-14 11:38:19 -07:00
Daniel Pouzzner
10d5d59977 add .github/workflows/opensslcoexist.yml. fix TEST_OPENSSL_COEXIST section of wolfssl/ssl.h for compatibility with OpenSSL <3.2. also, remove frivolous entry for WOLFSSL_HMAC_COPY_HASH in .wolfssl_known_macro_extras. 2025-02-14 12:19:12 -06:00
Daniel Pouzzner
690bb14203 tests/utils.c and tests/api/test_dtls.c: fixes for include order, re tests/unit.h. 2025-02-14 10:57:29 -06:00
David Garske
29f2767b88 Merge pull request #8441 from philljj/wolfio_comments
wolfio: comment ifdef endif blocks.
2025-02-14 08:55:31 -08:00
Juliusz Sosinowicz
cfa6fbfcef Correct wolfSSL_dtls_cid_parse declaration in docs 2025-02-14 09:51:29 -06:00
David Garske
3075e57207 Whitespace and filename comment. 2025-02-14 09:51:29 -06:00
Juliusz Sosinowicz
7380ec68bb cmake.yml: fix error and run tests with ctest 2025-02-14 09:51:29 -06:00
Juliusz Sosinowicz
825ca22bd8 Fix cmake build 2025-02-14 09:51:29 -06:00
Juliusz Sosinowicz
ede34f132b fixup! Move dtls cid tests to tests/api/dtls.c 2025-02-14 09:51:29 -06:00
Juliusz Sosinowicz
301a9a97cc Don't use buffer as it can shadow global declarations 2025-02-14 09:51:29 -06:00
Juliusz Sosinowicz
21dce84448 Add negative tests for DTLS CID 2025-02-14 09:51:29 -06:00
Juliusz Sosinowicz
68c27c4e5d Move dtls cid tests to tests/api/dtls.c 2025-02-14 09:51:29 -06:00
Juliusz Sosinowicz
e02da08192 Reorganize utility functions into tests/utils.c and testsuite/utils.c 2025-02-14 09:51:29 -06:00
jordan
f2bb063ca4 wolfio: peer review comment cleanup. 2025-02-14 08:36:26 -05:00
Daniel Pouzzner
60c1558142 Merge pull request #8447 from dgarske/memleak
Fixed possible memory leaks
2025-02-14 00:26:09 -06:00
Daniel Pouzzner
e806bd76bb Merge pull request #8445 from SparkiDev/perf_improv_1
Performance improvements
2025-02-13 23:25:47 -06:00
David Garske
86c3ee1a9d Fix for STM32 PKA ECC 521-bit support. Issue was 65 vs 66 buffer check. ZD 19379 2025-02-13 16:41:42 -08:00
David Garske
1432bd415a Merge pull request #8449 from ColtonWilley/x509_store_mem_leak
Fix memory leak in X509 STORE
2025-02-13 16:18:11 -08:00
Colton Willey
e197cdfb36 Fix memory leak in X509 STORE 2025-02-13 14:49:18 -08:00
David Garske
746aa9b171 Merge pull request #8443 from ColtonWilley/add_cert_rel_prefix
Add a cert relative prefix option for tests
2025-02-13 14:48:06 -08:00
David Garske
14d696952d Merge pull request #8448 from anhu/vuln_to_support
Point people to support@wolfssl.com for vuln reports.
2025-02-13 14:47:37 -08:00
Anthony Hu
a5ac5aff17 an -> a 2025-02-13 14:50:32 -05:00
Anthony Hu
cab376c0ce Point people to support@wolfssl.com for vuln reports. 2025-02-13 14:48:32 -05:00
Colton Willey
b119182c9d Add to known macro list 2025-02-13 09:35:39 -08:00
David Garske
f943f6ff5c Fixed possible memory leaks reported by nielsdos in PR 8415 and 8414. 2025-02-13 08:20:37 -08:00
David Garske
db0fa304a8 Merge pull request #8436 from SparkiDev/mlkem_cache_a
ML-KEM/Kyber: cache A from key generation for decapsulation
2025-02-12 17:29:38 -08:00
Sean Parkinson
896ec239c3 Merge pull request #8444 from douzzer/20250212-add-pq-and-c-fallback-workflows
20250212-add-pq-and-c-fallback-workflows
2025-02-13 10:29:15 +10:00
David Garske
846ba43a29 Merge pull request #8392 from SparkiDev/curve25519_blinding
Curve25519: add blinding when using private key
2025-02-12 16:20:51 -08:00
Sean Parkinson
365aac0306 Merge pull request #8393 from anhu/draft-tls-westerbaan-mldsa
New codepoint for MLDSA
2025-02-13 10:20:30 +10:00
Sean Parkinson
9253d1d3ac ML-KEM/Kyber: cache A from key generation for decapsulation
Matrix A is expensive to calculate.
Usage of ML-KEM/Kyber is
  1. First peer generates a key and sends public to second peer.
2. Second peer encapsulates secret with public key and sends to first
peer.
3. First peer decapsulates (including encapsulating to ensure same as
seen) with key from key generation.
Caching A keeps the matrix A for encapsulation part of decapsulation.
The matrix needs to be transposed for encapsulation.
2025-02-13 10:12:05 +10:00
Sean Parkinson
bfd52decb6 Performance improvements
AES-GCM: don't generate M0 when using assembly unless falling back to C
and then use new assembly code.
HMAC: add option to copy hashes (--enable-hash-copy
-DWOLFSSL_HMAC_COPY_HASH) to improve performance when using the same key
for multiple operations.
2025-02-13 09:55:55 +10:00
Daniel Pouzzner
5352ce06e5 add .github/workflows/{pq-all.yml,intelasm-c-fallback.yml}. 2025-02-12 17:32:41 -06:00
Sean Parkinson
bb84ebfd7a Curve25519: add blinding when using private key
XOR in random value to scalar and perform special scalar multiplication.
Multiply x3 and z3 by random value to randomize co-ordinates.

Add new APIs to support passing in an RNG.
Old APIs create a new RNG.

Only needed for the C implementations that are not small.

Modified TLS and OpenSSL compat API implementations to pass in RNG.

Fixed tests and benchmark program to pass in RNG.
2025-02-13 08:52:35 +10:00
David Garske
0e474fc673 Merge pull request #8437 from LinuxJedi/SE050-changes
Minor SE050 improvements
2025-02-12 14:50:36 -08:00
Anthony Hu
aa59eab732 More minor mods. Now interops with oqs-provider. 2025-02-12 17:17:22 -05:00
Colton Willey
ddf7bfcb8f Add a cert relative prefix option for tests 2025-02-12 13:59:23 -08:00
David Garske
828d79b64b Merge pull request #8442 from douzzer/20250212-revert-8429
20250212-revert-8429
2025-02-12 12:30:06 -08:00
Daniel Pouzzner
3856d55d9b Revert "Performance improvements"
This reverts commit ce679ef057.
2025-02-12 12:32:47 -06:00
David Garske
fe73c5e3f2 Merge pull request #8440 from douzzer/20250211-MSVC-static-assert-features
20250211-MSVC-static-assert-features
2025-02-12 08:17:02 -08:00
jordan
9dfcc6a477 wolfio: comment ifdef endif blocks. 2025-02-12 09:51:51 -05:00
Anthony Hu
db25958b42 New codepoint for MLDSA and MLKEM 2025-02-11 21:11:22 -05:00
Sean Parkinson
bcd89b0592 Merge pull request #8388 from julek-wolfssl/BN_CTX_get
Implement BN_CTX_get
2025-02-12 08:08:58 +10:00
Daniel Pouzzner
b598a06354 Merge pull request #8439 from dgarske/fix_cmake
Fix CMake build
2025-02-11 15:34:44 -06:00
Daniel Pouzzner
fc5cb737ee wolfssl/wolfcrypt/types.h: refine MSVC feature detection in setup for wc_static_assert*() macros. 2025-02-11 15:26:24 -06:00
David Garske
e6710bf483 Fix CMake build (broken with API.c refactor in PR 8413). Add GitHub CI for CMake (all). 2025-02-11 12:19:47 -08:00
Daniel Pouzzner
515bdf1320 Merge pull request #8438 from philljj/ecdsa_mldsa_test_api_fix_leak
test_dual_alg_ecdsa_mldsa: fix decoded cert leak.
2025-02-11 12:51:26 -06:00
David Garske
92e222b1ab Merge pull request #8429 from SparkiDev/perf_improv_1
Performance improvements AES-GCM and HMAC (in/out hash copy)
2025-02-11 08:32:30 -08:00
Andrew Hutchings
cb42f18a47 Minor SE050 improvements
Adds two features for SE050:

1. `WOLFSSL_SE050_AUTO_ERASE`. When enabled, this will automatically
   erase a key from the SE050 when `wc_ecc_free()` and friends are
   called.
2. `WOLFSSL_SE050_NO_RSA`. This stops RSA offloading onto the SE050,
   useful for the SE050E which does not have RSA support.
2025-02-11 16:25:06 +00:00
jordan
922cb73061 test_dual_alg_ecdsa_mldsa: fix decoded cert leak. 2025-02-11 10:58:03 -05:00
Sean Parkinson
ce679ef057 Performance improvements
AES-GCM: don't generate M0 when using assembly unless falling back to C
and then use new assembly code.
HMAC: add option to copy hashes (--enable-hash-copy
-DWOLFSSL_HMAC_COPY_HASH) to improve performance when using the same key
for multiple operations.
2025-02-11 10:26:51 +10:00
David Garske
be5f203274 Merge pull request #8425 from philljj/ecdsa_mldsa_test_api
dual alg: add ML-DSA test, and misc cleanup.
2025-02-10 15:05:44 -08:00
David Garske
ff41eee2e7 Merge pull request #8413 from SparkiDev/tests_api_digests
API test: move digest functions out
2025-02-10 14:51:19 -08:00
JacobBarthelmeh
96d9ebcfee add else case to match with other statements 2025-02-10 14:53:15 -07:00
David Garske
4373e551e7 Merge pull request #8431 from LinuxJedi/SE050-fixes
Fix SE050 Port
2025-02-10 11:33:46 -08:00
jordan
557e43bcd7 dual alg: peer review cleanup, and more function comments. 2025-02-10 10:08:35 -05:00
Andrew Hutchings
8870b76c26 Fix SE050 Port
The SE050 port won't compile in the latest wolfSSL. This patch:

* Updates the documentation
* Fixes a missing `#ifdef` that breaks the build
* Changes the use of `mp_int` to `MATH_INT_T`
* Fixes compiler error with `ecc.c`
* Adds a tiny bit of extra debugging info
2025-02-10 14:27:28 +00:00
jordan
937d6d404a dual alg: clean up comments and line lengths. 2025-02-07 09:22:16 -05:00
Juliusz Sosinowicz
e2d40288ee Remove internal use of wolfSSL_BN_CTX_new() 2025-02-07 14:45:42 +01:00
Juliusz Sosinowicz
573dea4605 fixup! Implement BN_CTX_get 2025-02-07 14:45:19 +01:00
Sean Parkinson
8f131ff3d0 Merge pull request #8424 from douzzer/20250206-winsockapi-tweaks
20250206-winsockapi-tweaks
2025-02-07 13:06:44 +10:00
Daniel Pouzzner
1e17d737c8 "#undef _WINSOCKAPI_" after defining it to "block inclusion of winsock.h header file", to fix #warning in /usr/x86_64-w64-mingw32/usr/include/winsock2.h. 2025-02-06 18:41:20 -06:00
David Garske
c668a4e5a0 Merge pull request #8426 from SparkiDev/read_der_bio_small_data_fix
Read DER BIO: fix for when BIO data is less than seq buffer size
2025-02-06 16:21:42 -08:00
David Garske
7f1952fd9b Merge pull request #8423 from douzzer/20250206-unit-test-helgrind-fixes
20250206-unit-test-helgrind-fixes
2025-02-06 16:21:03 -08:00
Sean Parkinson
3ff89f2cc2 API test: move digest functions out
Move all api.c tests of wolfCrypt APIs that are for digests out into
separate files.
2025-02-07 09:29:46 +10:00
Sean Parkinson
ae8b8c4164 Read DER BIO: fix for when BIO data is less than seq buffer size
wolfssl_read_der_bio did not not handle the length to be read from the
BIO being less than the size of the sequence buffer.
2025-02-07 08:46:49 +10:00
Daniel Pouzzner
6f044c577f tests/api.c: add a missed "#ifdef WOLFSSL_ATOMIC_INITIALIZER" in test_AEAD_limit_server(). 2025-02-06 16:32:54 -06:00
jordan
3df616ae58 dual alg: small cleanup. 2025-02-06 15:57:13 -05:00
jordan
035d4022fb dual alg: add ML-DSA test, and misc cleanup. 2025-02-06 15:50:37 -05:00
Daniel Pouzzner
40e3f03795 tests/api.c: fix data races in test_wolfSSL_CTX_add_session_ctx_ready() using a mutex, and in test_wolfSSL_dtls_AEAD_limit() using a mutex, an atomic integer, and a volatile attribute.
wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_ATOMIC_LOAD() and WOLFSSL_ATOMIC_STORE() definitions.
2025-02-06 00:55:44 -06:00
Sean Parkinson
e6ceb40187 Merge pull request #8391 from dgarske/cmake_watcom
Fixes for Watcom compiler and new CI test
2025-02-06 08:51:51 +10:00
David Garske
32263173dd Merge pull request #8421 from anhu/pq_INSTALL_update
Update INSTALL file regarding PQ
2025-02-05 11:16:49 -08:00
David Garske
0857a3e593 Merge pull request #8422 from gojimmypi/pr-add-espressif_example-setting
Add Espressif sample user_settings.h
2025-02-04 15:21:35 -08:00
David Garske
f061e19ecb Merge pull request #8403 from miyazakh/keytype_tsip
Revert TSIP_KEY_TYPE as TSIP TLS definition
2025-02-04 15:21:27 -08:00
Sean Parkinson
efd36a42cf Merge pull request #8419 from julek-wolfssl/ascon-test-kats-readability
ascon: make tests more readable by moving the kat vectors into a header
2025-02-05 09:06:50 +10:00
David Garske
60c5a0ac7f Peer review feedback. Thank you @jmalak 2025-02-04 14:32:24 -08:00
gojimmypi
0680895d7d Add Espressif sample user_settings.h 2025-02-04 14:26:15 -08:00
David Garske
743655b9ce Merge pull request #8402 from gojimmypi/pr-espressif-build-improvement
Improve Espressif make and cmake for ESP8266 and ESP32 series
2025-02-04 14:05:32 -08:00
Hideki Miyazaki
d56b623958 Trailing white-space 2025-02-05 07:03:45 +09:00
David Garske
345c969164 Fixes for Watcom compiler and new CI test
* Correct cmake script to support Open Watcom toolchain (#8167)
* Fix thread start callback prototype for Open Watcom toolchain (#8175)
* Added GitHub CI action for Windows/Linux/OS2
* Improvements for C89 compliance.
Thank you @jmalak for your contributions.
2025-02-04 12:38:52 -08:00
David Garske
f0b3c2955e Merge pull request #8412 from SparkiDev/mlkem_kyber_small_mem
ML-KEM/Kyber: small memory usage
2025-02-04 11:45:01 -08:00
David Garske
1d0855fbe0 Merge pull request #8420 from douzzer/20250204-fix-null-ptr-increments
20250204-fix-null-ptr-increments
2025-02-04 11:11:19 -08:00
Anthony Hu
41d8eabb33 Update INSTALL file regarding PQ 2025-02-04 13:28:05 -05:00
Daniel Pouzzner
b466bde5d0 src/internal.c and src/ssl.c: in CheckcipherList() and ParseCipherList(), refactor "while (next++)" to "while (next)" to avoid clang21 UndefinedBehaviorSanitizer "applying non-zero offset 1 to null pointer". 2025-02-04 12:07:29 -06:00
David Garske
6141b5060d Merge pull request #8418 from gojimmypi/pr-post-release-239b85c80-espressif
Espressif Managed Component wolfSSL 5.7.6 post-release update
2025-02-04 07:47:14 -08:00
Juliusz Sosinowicz
8b7b9636aa Remove BN_CTX_init as its no longer in OpenSSL for a long time 2025-02-04 16:37:21 +01:00
Juliusz Sosinowicz
91bffeead3 wolfSSL_BN_CTX_get: prepend to list skipping need to traverse the list 2025-02-04 16:37:21 +01:00
Juliusz Sosinowicz
841d13e81c Implement BN_CTX_get 2025-02-04 16:37:21 +01:00
Hideki Miyazaki
77f3b45af0 update key_data 2025-02-05 00:11:55 +09:00
David Garske
93cb9c4a5e Merge pull request #8417 from SparkiDev/tls13_hrr_keyshare_comments
TLS 1.3 HRR KeyShare: Improve comments
2025-02-04 06:20:24 -08:00
Juliusz Sosinowicz
db0345c009 ascon: make tests more readable by moving the kat vectors into a header 2025-02-04 12:58:51 +01:00
Sean Parkinson
316177a7f1 ML-KEM/Kyber: small memory usage
Options to compile ML-KEM/Kyber to use less dynamic memory.
Only available with C code and has small performance trade-off.
2025-02-04 10:51:56 +10:00
Sean Parkinson
92491e6368 TLS 1.3 HRR KeyShare: Improve comments
HelloRetryRequest has the key exchange group it wants to use.
A KeyShare for that group must not have been in the ClientHello.
2025-02-04 10:16:27 +10:00
gojimmypi
71a982e6b7 sync with upstream 2025-02-03 16:13:05 -08:00
gojimmypi
962260af9d Espressif Managed Component wolfSSL 5.7.6 post-release update 2025-02-03 15:34:33 -08:00
Sean Parkinson
eb15a1213c Merge pull request #8416 from embhorn/zd19323
Clear old ssl->error after retry
2025-02-04 08:54:10 +10:00
Sean Parkinson
7898cce43c Merge pull request #8407 from embhorn/zd19346
Fix compat layer ASN1_TIME_diff to accept NULL output params
2025-02-04 08:43:50 +10:00
Eric Blankenhorn
e9892c22a2 Clear old ssl->error after retry 2025-02-03 14:18:09 -06:00
Eric Blankenhorn
b488af1d34 Fix compat layer ASN1_TIME_diff to accept NULL output params 2025-01-31 15:55:35 -06:00
JacobBarthelmeh
275becab6f Merge pull request #8406 from julek-wolfssl/krb5-spake-testing
Add spake to kerberos 5 testing
2025-01-31 13:45:36 -07:00
JacobBarthelmeh
4891d1c471 Merge pull request #8400 from ColtonWilley/add_trusted_cert_pem_parsing
Add support for parsing trusted PEM certs
2025-01-31 10:53:51 -07:00
Juliusz Sosinowicz
a48f7ce276 Add spake to kerberos 5 testing 2025-01-31 18:28:31 +01:00
JacobBarthelmeh
4abba81315 Merge pull request #8405 from anhu/thanks_tobiasbrunner
Fix some typoes around Kyber and Dilithium
2025-01-31 10:05:14 -07:00
Anthony Hu
f86b19dd30 Fix some typoes around Kyber and Dilithium 2025-01-31 10:13:39 -05:00
Hideki Miyazaki
6555da9448 revert TSIP_KEY_TYPE as TSIP TLS definition 2025-01-31 14:13:36 +09:00
David Garske
e7a0340eea Merge pull request #8395 from SparkiDev/asm32_asm_older_opt
ARM32 ASM: optimize older platform alternatives
2025-01-30 15:47:25 -08:00
Colton Willey
cb0779f151 Add trusted cert to generation script and include.am 2025-01-30 15:29:59 -08:00
Sean Parkinson
3f47963802 Merge pull request #8396 from douzzer/20250129-CT-tweaks
20250129-CT-tweaks
2025-01-31 09:10:22 +10:00
JacobBarthelmeh
6181559d83 Merge pull request #8401 from douzzer/20250130-UHAVE_FFDHE_2048
20250130-UHAVE_FFDHE_2048
2025-01-30 15:55:25 -07:00
Colton Willey
a0950e97f5 Add tests for trusted certificate banner 2025-01-30 14:42:41 -08:00
Daniel Pouzzner
3a6b33c180 tests/api.c and wolfcrypt/benchmark/benchmark.c: fixes for building with HAVE_FFDHE_3072 and/or HAVE_FFDHE_4096 but without HAVE_FFDHE_2048. 2025-01-30 15:02:02 -06:00
Colton Willey
c4288cc334 Add support for parsing PEM certificates with begin trusted cert header/footer, needed for wolfProvider. 2025-01-30 11:34:02 -08:00
JacobBarthelmeh
eb7bac3cd0 Merge pull request #8399 from julek-wolfssl/cov-fixes-30-01-2025
Cov fixes
2025-01-30 11:56:36 -07:00
JacobBarthelmeh
9641dc79d9 Merge pull request #8398 from douzzer/20250130-ASCON-unit-test-fixes
20250130-ASCON-unit-test-fixes
2025-01-30 10:57:05 -07:00
Juliusz Sosinowicz
c36d23029f dtls: malloc needs to allocate the size of the dereferenced object 2025-01-30 18:32:22 +01:00
Juliusz Sosinowicz
9a8bc248de dtls: remove dead code 2025-01-30 18:32:22 +01:00
Juliusz Sosinowicz
3cd64581eb dtls: better sanitize incoming messages in stateless handling 2025-01-30 18:32:22 +01:00
JacobBarthelmeh
f7b76002c2 Merge pull request #8397 from SparkiDev/kyber_no_malloc
ML-KEM/Kyber: build with no malloc
2025-01-30 10:06:13 -07:00
Juliusz Sosinowicz
e4b7a53191 api: make sure len doesn't overrun the input buffer 2025-01-30 18:01:51 +01:00
Juliusz Sosinowicz
2865b0c79b api: check fd values as recv and send can't take in negative fd 2025-01-30 18:01:10 +01:00
Juliusz Sosinowicz
d91141fe05 api: pass in sizeof(tmp) instead of 1024 to attempt to satisfy Coverity 2025-01-30 18:00:32 +01:00
Juliusz Sosinowicz
2590aebfd9 dtls13: don't overrun hdr->epoch 2025-01-30 17:59:48 +01:00
Daniel Pouzzner
49d2beed1a fixes for gating/tooling around ASCON. 2025-01-30 10:48:23 -06:00
Sean Parkinson
b62f5ab722 ML-KEM/Kyber: build with no malloc
ML-KEM/Kyber van now be built with WOLFSSL_NO_MALLOC and all data is on
the stack.
2025-01-30 18:11:55 +10:00
Daniel Pouzzner
0de38040f4 CT tweaks:
in wolfcrypt/src/coding.c, add ALIGN64 to hexDecode[], and add hexEncode[] for use by Base16_Encode();

in wolfcrypt/src/misc.c and wolfssl/wolfcrypt/misc.h:

move ctMask*() up so that min() and max() can use them, and add ctMaskWord32GTE();

add ALIGN64 to kHexChar[];

add CT implementation of CharIsWhiteSpace();

remove min_size_t() and max_size_t() recently added, but only one user (refactored).
2025-01-30 01:24:40 -06:00
Daniel Pouzzner
dd7ec129af fixes for gating/tooling around ASCON. 2025-01-30 01:23:26 -06:00
Sean Parkinson
2d06e67a64 ARM32 ASM: optimize older platform alternatives
Make the alternative instructions for architectures less than 7 more
optimal.
2025-01-30 16:58:13 +10:00
Anthony Hu
25c8869541 Merge pull request #8390 from SparkiDev/lms_sha256_192_l1_h20
LMS: Fix SHA-256-192 level 1, height 20
2025-01-29 18:20:50 -05:00
Sean Parkinson
871c05e0e2 Merge pull request #8307 from julek-wolfssl/ascon
Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 ipd
2025-01-30 08:39:59 +10:00
Juliusz Sosinowicz
bcde4bdebb ascon: move tests to api.c and introduce framework to split up api.c 2025-01-29 15:50:00 +01:00
Juliusz Sosinowicz
cd047a35f2 fixup! Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 ipd 2025-01-29 12:21:28 +01:00
Juliusz Sosinowicz
b0ab7f0d26 ascon: use individual word64 to help compiler 2025-01-29 11:49:09 +01:00
Juliusz Sosinowicz
78a7d12955 ascon: use lowercase first letters for members 2025-01-29 11:38:31 +01:00
Juliusz Sosinowicz
f47bbfc174 ascon: error out when word64 not available 2025-01-29 11:36:33 +01:00
Juliusz Sosinowicz
76e29be1a9 ascon: remove 6 round perm as its not used 2025-01-29 11:33:11 +01:00
Juliusz Sosinowicz
028b5b3cda Fix references to match NIST draft 2025-01-29 11:31:34 +01:00
Juliusz Sosinowicz
3e65b927dd fixup! ascon: added forced permutation unroll 2025-01-29 11:26:04 +01:00
Juliusz Sosinowicz
1018144ece fixup! Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 ipd 2025-01-29 11:24:29 +01:00
Juliusz Sosinowicz
0e20cbe210 ascon: move implementation defines to source file 2025-01-29 11:10:44 +01:00
Juliusz Sosinowicz
ab5ce46bf3 ascon: move key to start of struct to avoid gaps in the struct 2025-01-29 11:08:16 +01:00
Juliusz Sosinowicz
ddcc189094 ascon: fix api naming Deinit -> Clear 2025-01-29 11:07:40 +01:00
Juliusz Sosinowicz
c5ad780798 Force experimental flag to enable ascon 2025-01-29 11:02:47 +01:00
Juliusz Sosinowicz
e4100d977c ascon: added forced permutation unroll 2025-01-29 11:02:47 +01:00
Juliusz Sosinowicz
0e7bee9577 ascon-aead: add benchmarking 2025-01-29 11:02:47 +01:00
Juliusz Sosinowicz
0309c3a084 Add docs 2025-01-29 11:02:47 +01:00
Juliusz Sosinowicz
e3a612300b Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 ipd
Implemented based on the NIST Initial Public Draft "NIST SP 800-232 ipd". Testing based on KAT's available at https://github.com/ascon/ascon-c. Added configuration for testing in github action.
2025-01-29 11:02:47 +01:00
Sean Parkinson
08a46f5431 LMS: Fix SHA-256-192 level 1, height 20
Fix parameters for SHA-256-192, Level 1, Height 20, Winternitz: 2, 4, 8
2025-01-29 08:50:43 +10:00
David Garske
45b385ade3 Merge pull request #8389 from douzzer/20250127-fix-disable-tls-config
20250127-fix-disable-tls-config
2025-01-28 09:09:08 -08:00
Daniel Pouzzner
2eb775d5c3 configure.ac: add enable_dtls_mtu, enable_dtlscid, and enable_dtls_frag_ch to features disabled when $ENABLED_TLS" = "no". 2025-01-28 09:46:39 -06:00
David Garske
d78338f485 Merge pull request #8387 from SparkiDev/code_gen_fixes_1
ASM, SP, C regeneration
2025-01-28 07:13:30 -08:00
Sean Parkinson
f8bc819fb5 ASM, SP, C regeneration
Fix spaces at start of copyright line in .asm files.
Changed generation of X25519 and Ed448 code to better match changes
already in C code. Fixed formatting in places.
2025-01-28 14:47:33 +10:00
JacobBarthelmeh
c48ba69063 Merge pull request #8377 from dgarske/cmake_win32
Fix for building wolfSSL with CMake on MINGW and MSYS
2025-01-27 16:34:36 -07:00
David Garske
c556e4305c Merge pull request #8385 from JacobBarthelmeh/spelling
add macro CONFIG_WOLFTPM to list for zephyr use
2025-01-27 14:54:03 -08:00
JacobBarthelmeh
edd8355576 Merge pull request #8326 from gasbytes/patch-rng-health-test-heap-hint
Fix missing heap hint in RNG health test XMALLOC call
2025-01-27 13:49:53 -08:00
JacobBarthelmeh
f0fdc72774 Merge pull request #8384 from gojimmypi/pr-post-release-239b85c80-arduino
Correct Arduino comments spelling
2025-01-27 13:49:00 -08:00
JacobBarthelmeh
0f0b9ef401 add macro CONFIG_WOLFTPM to list for zephyr use 2025-01-27 14:47:20 -07:00
David Garske
570fec687a Fix for building wolfSSL with CMake on MINGW and MSYS. 2025-01-27 10:43:56 -08:00
gojimmypi
6f90a473f0 Correct Arduino comments spelling 2025-01-27 10:26:11 -08:00
David Garske
127e7e9109 Merge pull request #8379 from douzzer/20250125-aarch64-armasm-AES-ECB-fix
20250125-aarch64-armasm-AES-ECB-fix
2025-01-27 10:07:36 -08:00
David Garske
8bf057c7e9 Merge pull request #8381 from gojimmypi/pr-post-release-239b85c80-arduino
Update Arduino comments for post-release publish
2025-01-27 08:31:41 -08:00
David Garske
6ed0a97fc4 Merge pull request #8382 from aidangarske/tpm_zephyr_support
Added neccesary macros when building wolfTPM Zephyr with wolfSSL
2025-01-27 08:01:57 -08:00
David Garske
e1534a3c8a Merge pull request #8344 from SparkiDev/poly1305_arm32_neon
Poly1305 ARM32 NEON: add implementation
2025-01-27 07:52:50 -08:00
David Garske
ed390e472d Merge pull request #8373 from julek-wolfssl/libimobiledevice-1.3.0
Changes for libimobiledevice 860ffb
2025-01-27 07:52:06 -08:00
David Garske
1721421d59 Merge pull request #8383 from julek-wolfssl/add-dtls-to-enable-all
Expand enable-all
2025-01-27 07:50:24 -08:00
Juliusz Sosinowicz
8ca59242a2 Expand enable-all
- Add dtls mtu to enable-all
- Add dtls 1.3 to enable-all
- Add dtls cid to enable-all
- Add dtls ch frag to enable-all
2025-01-27 13:38:00 +01:00
Juliusz Sosinowicz
89aba661fc Changes for libimobiledevice 860ffb 2025-01-27 12:56:49 +01:00
aidan garske
146080edc4 zephyr fix for failing test tpm added necessary api's when using wolftpm 2025-01-26 13:44:51 -08:00
gojimmypi
691fc2e71f Update Arduino comments for post-release publish 2025-01-26 10:49:31 -08:00
Daniel Pouzzner
34dddf0d11 wolfcrypt/src/aes.c: in _AesEcbEncrypt() and _AesEcbDecrypt(), implement missing iteration for AES_encrypt_AARCH64() and AES_decrypt_AARCH64(). 2025-01-25 16:23:41 -06:00
David Garske
337932806d Merge pull request #8378 from douzzer/20250125-fips204-fixes
20250125-fips204-fixes
2025-01-25 08:48:14 -08:00
Daniel Pouzzner
b41d46a158 src/ssl.c and src/ssl_load.c: fix syntax flubs in WOLFSSL_DILITHIUM_FIPS204_DRAFT paths. 2025-01-25 10:11:25 -06:00
David Garske
0932891b5b Merge pull request #8370 from douzzer/20250120-lean-fips
20250120-lean-fips
2025-01-24 19:13:21 -08:00
Daniel Pouzzner
f7abd7cb25 opensslcoexist fixes: add WOLFSSL_EVP_MD_FLAG_XOF, and use WC_MD4_BLOCK_SIZE, not MD4_BLOCK_SIZE. 2025-01-24 20:14:39 -06:00
Daniel Pouzzner
e6b87c2e54 src/ssl.c: work around false positive from scan-build in wolfSSL_writev(), long ago annotated with PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"").
wolfcrypt/src/misc.c: fix typo, max_size_t_() -> max_size_t().
2025-01-24 17:55:55 -06:00
Daniel Pouzzner
91aad90c59 wolfssl/internal.h and src/internal.c:
change Buffers.prevSent and .plainSz from int to word32;

change SendData() sz arg from int sz to size_t sz;

add asserts in SendData() and ReceiveData() to prevent sz > INT_MAX (assuring no overflow internally or in the returned int).

wolfssl/ssl.h and src/ssl.c:

change WOLFSSL_BUFFER_INFO.length from unsigned int to word32 (no functional change, just for consistency);

add wolfSSL_write_internal(), refactor wolfSSL_write() to call it, and fix wolfSSL_write_ex() to take size_t sz, not int sz.
2025-01-24 17:16:08 -06:00
Daniel Pouzzner
1b338abb2d fix wolfSSL_read_ex() prototype with size_t sz, not int sz, for consistency with OpenSSL;
fix internal functions wolfSSL_read_internal() and ReceiveData() to likewise accept size_t sz;

add negative sz checks where needed to other functions that call wolfSSL_read_internal() and ReceiveData();

add min_size_t() and max_size_t() to misc.c/misc.h.
2025-01-24 16:16:43 -06:00
Daniel Pouzzner
93ac482772 linuxkm/module_hooks.c: in wolfssl_init(), #ifdef HAVE_FIPS, wc_RunAllCast_fips();
wolfcrypt/src/aes.c: add missing parens in GHASH_ONE_BLOCK_SW() to mollify clang-tidy;

wolfssl/wolfcrypt/fips_test.h: add FIPS_CAST_AES_ECB;

wolfssl/wolfcrypt/settings.h: #ifdef WOLFSSL_LINUXKM, #undef HAVE_LIMITS_H.
2025-01-24 16:09:43 -06:00
Daniel Pouzzner
09ac8c69db fixes for clang-tidy complaints with NO_ERROR_STRINGS. 2025-01-24 16:09:43 -06:00
Daniel Pouzzner
0ec17dfed5 wolfssl/wolfcrypt/types.h: tweak for buildability in no-PK FIPS, re limits.h. 2025-01-24 16:09:43 -06:00
Daniel Pouzzner
bd014e02e0 configure.ac: tweaks for clarity 2025-01-24 16:09:43 -06:00
Daniel Pouzzner
ca9228467a Merge pull request #8376 from dgarske/quic_test
Fix for QUIC test `test_provide_quic_data`
2025-01-24 16:09:29 -06:00
David Garske
5d43e74167 Fix for QUIC test introduced in PR #8358. 2025-01-24 12:45:34 -08:00
David Garske
8ab85a2df7 Merge pull request #8375 from kareem-wolfssl/zd19270
Fix warning about ESP_IDF_VERSION_MAJOR not being defined when defining FREERTOS.
2025-01-24 12:16:34 -08:00
David Garske
20ae10fd8c Merge pull request #8360 from philljj/dual_alg_mldsa
Update ssl code for ML_DSA.
2025-01-24 11:55:04 -08:00
David Garske
ba88a6454c Merge pull request #8331 from julek-wolfssl/bind-9.18.28
Bind 9.18.28 fixes
2025-01-24 11:37:26 -08:00
David Garske
2e87dfc207 Merge pull request #8345 from JacobBarthelmeh/python_update
Python update to 3.12.6
2025-01-24 11:37:10 -08:00
David Garske
7ad4131b13 Merge pull request #8343 from anhu/maxq_pkcs11
New additions for MAXQ with wolfPKCS11
2025-01-24 11:34:27 -08:00
Kareem
eb64ea1fa7 Fix warning about ESP_IDF_VERSION_MAJOR not being defined when defining FREERTOS. 2025-01-24 12:01:25 -07:00
Anthony Hu
18396c4740 New additions for MAXQ with wolfPKCS11
- Support using MAXQ for:
    - AES-ECB
    - AES-CCM
    - AES-CBC
    - ECC Key Generation and ECDH
- in wc_ecc_import_private_key_ex():
    - check to make sure devId is not invalid before calling wc_MAXQ10XX_EccSetKey().
    - This is because the raspberry pi sometimes need to sign stuff.
- in aes_set_key() and ecc_set_key():
    - delete a key in case it already exists; ignore error since it might not exist.
    - unlock, lock the HW mutex around ECDSA_sign() because it needs access to rng
- in wolfSSL_MAXQ10XX_CryptoDevCb:
    - allow maxq1065 to call the crypto callback.
    - do not set the key during signing; use pre provisioned one instead (DEVICE_KEY_PAIR_OBJ_ID)
2025-01-24 13:53:27 -05:00
JacobBarthelmeh
69be9aa211 fix to not stomp on sz with XOF function, restore comment, remove early XFREE call 2025-01-24 11:40:53 -07:00
Juliusz Sosinowicz
829c2a022f Free'ing ctx->srp has to be reference counted as well 2025-01-24 18:39:11 +01:00
JacobBarthelmeh
8eb6b5a3e4 clang tidy unused parameter warning 2025-01-24 00:34:41 -07:00
JacobBarthelmeh
2526d91300 formating for line length and guard on access to EncryptedInfo struct 2025-01-23 23:56:28 -07:00
JacobBarthelmeh
52975150d4 add macro guard for shak128 to test case 2025-01-23 23:14:50 -07:00
JacobBarthelmeh
d2d664b4cc adjust test cases for different builds 2025-01-23 23:02:34 -07:00
Sean Parkinson
ecacbae3a0 Poly1305 ARM32 NEON: add implementation
Add assembly for Poly1305 using ARM32 NEON instruction set.

For Poly1305 ARM32 Base:
  Change name from poly1305_blocks_arm32_16 to poly1305_arm32_blocks_16

poly1305.c:
  ARM32 NEON - buffer up to 4 blocks
  x86_64 - only calculate powers of r once after key is set.
test.c: poly1305 testing with multiple updates.
benchmark: chacha20-poly1305 now uses AAD
2025-01-24 13:28:46 +10:00
JacobBarthelmeh
9b04a4f8d1 account for correct return value of cipher stack push and clSuite use case after rebase 2025-01-23 17:47:24 -07:00
David Garske
f1e06e1f6a Merge pull request #8371 from lealem47/fix-norealloc-crash
Fix for WOLFSSL_NO_REALLOC build crash
2025-01-23 16:08:34 -08:00
JacobBarthelmeh
41e00dc3c9 handle edge case with wolfSSL_write_ex and refactor wolfSSL_get_client_ciphers 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
1e3d3ddec7 remove attempting to load a CRL with wolfSSL_CTX_load_verify_locations_ex 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
8ca979f892 refactor clSuites internal use, and check return values with setting PARAMS 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
86ed94f2e3 change return of stub functions to be failure, pass PEM password cb and user data along 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
2eb42f1cea adjust behavior when calling non XOF digest final function with XOF digest type 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
286b9b672b increase test coverage 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
fc563f2e20 cast data input to const and resolve overlong line length 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
da7543f65b fix for macro guard with QT build 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
661f6b04a2 fix for macro guard on free of clSuites 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
2812baf5a9 fix for memory leak with new wolfSSL_get_client_ciphers function 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
49c515ac58 add some unit test cases 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
418e63e448 fix for smallstack build 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
a9efd7358a resolve memory leak on error 2025-01-23 16:30:08 -07:00
JacobBarthelmeh
363ecd3756 add macro guards to account for alternate builds 2025-01-23 16:30:07 -07:00
JacobBarthelmeh
28bed8d634 fix for SN (short name) of digests to match expected values 2025-01-23 16:30:07 -07:00
JacobBarthelmeh
c6974a921d fix for return values of write_ex/read_ex, propogate PARAMS, handle CRL with load_verify_locations, fix for get verified/unverified chain 2025-01-23 16:30:07 -07:00
JacobBarthelmeh
689c61cc7e adding implementation of wolfSSL_get_client_ciphers 2025-01-23 16:30:07 -07:00
JacobBarthelmeh
d8a9aaad16 add key mismatch error 2025-01-23 16:30:07 -07:00
JacobBarthelmeh
7d374a2ca5 fix SSL_write_ex return value and build with extra trace debug 2025-01-23 16:30:07 -07:00
JacobBarthelmeh
3b23a05157 flush out x509 object stack deep copy and md get flag 2025-01-23 16:30:07 -07:00
JacobBarthelmeh
f9e289881b stub out all functions needed for Python port update 2025-01-23 16:30:07 -07:00
JacobBarthelmeh
0ebb5f7238 add short name WC_SN macros 2025-01-23 16:30:07 -07:00
Lealem Amedie
eda98712d5 Fix for NO_REALLOC build crash 2025-01-23 16:14:45 -07:00
David Garske
fee2364e04 Merge pull request #8369 from lealem47/zd18687
Fix OPENSSL_ALL build with WOLFSSL_NO_REALLOC
2025-01-23 14:29:34 -08:00
Lealem Amedie
161da6046c Skip MQX InitMutex call if FIPS module is in Init Mode 2025-01-23 14:00:00 -07:00
Lealem Amedie
49a74daebc Fix OPENSSL_ALL build with WOLFSSL_NO_REALLOC 2025-01-23 13:59:30 -07:00
jordan
2ef90b1f89 ML-DSA/Dilithium: update ssl code for ML_DSA final. 2025-01-23 15:33:26 -05:00
Kaleb Himes
dd2c5b1a4c Merge pull request #8368 from douzzer/20250122-enable-fips-requires-arg
20250122-enable-fips-requires-arg
2025-01-22 12:49:11 -07:00
Daniel Pouzzner
bcdfc5791c wolfssl/ssl.h: fix speling erorr (thanks codespell). 2025-01-22 12:49:36 -06:00
Daniel Pouzzner
6102dafa48 configure.ac: require explicit arg for --enable-fips. 2025-01-22 12:48:52 -06:00
David Garske
1729d03123 Merge pull request #8338 from julek-wolfssl/openldap-2.6.7
Add openldap 2.6.7 testing
2025-01-22 07:20:51 -08:00
David Garske
f61d276f3b Merge pull request #8362 from JacobBarthelmeh/copyright
update copyright date to 2025
2025-01-21 16:23:49 -08:00
David Garske
a7fcf419a7 Merge pull request #8366 from JacobBarthelmeh/spelling
misc. spelling fixes
2025-01-21 15:38:13 -08:00
David Garske
efb8a221d6 Merge pull request #8365 from anhu/retcode_comm
Add some comments to explain return codes.
2025-01-21 15:37:50 -08:00
JacobBarthelmeh
d94c043b09 misc. spelling fixes 2025-01-21 16:18:28 -07:00
Anthony Hu
d7a2be62a3 Add some comments to explain return codes. 2025-01-21 18:00:47 -05:00
David Garske
c456cbdfbc Merge pull request #8351 from anhu/lms_guards_256256
Better guarding for LMS SHA256_256 vs LMS SHA256_192
2025-01-21 10:56:13 -08:00
David Garske
5df6989eab Merge pull request #8350 from embhorn/zd19220
Check r and s len before copying
2025-01-21 10:36:54 -08:00
JacobBarthelmeh
a4c58614b9 Merge pull request #8324 from julek-wolfssl/ntp-4.2.8p17
ntp 4.2.8p17 additions
2025-01-21 10:02:23 -08:00
JacobBarthelmeh
78ffa54d60 fix rewrite issue from license script 2025-01-21 10:03:33 -07:00
JacobBarthelmeh
2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
David Garske
0c883391f5 Merge pull request #8327 from julek-wolfssl/libssh2
update libssh2 version to pass tests
2025-01-21 08:27:50 -08:00
David Garske
eb261836a7 Merge pull request #8358 from julek-wolfssl/gh/8156-2
quic_record_append: return correct code
2025-01-21 08:22:15 -08:00
David Garske
e5f880a119 Merge pull request #8361 from redbaron/patch-1
Link to advapi32 on Windows
2025-01-20 16:30:55 -08:00
David Garske
d6912a8451 Merge pull request #8332 from mgrojo/feature/ada-psk
Ada binding: add support  for PSK client callback
2025-01-20 10:31:04 -08:00
David Garske
98198335e6 Merge pull request #8357 from SparkiDev/entropy_memuse_apple_timer
Entropy Apple: change time function called
2025-01-20 07:58:14 -08:00
Eric Blankenhorn
9c4ef7cd30 Use BUFFER_E instead of ASN_PARSE_E when buffer is too small 2025-01-20 08:40:36 -06:00
Maxim Ivanov
aa46cd2ff3 Link to advapi32 on Windows
`rand.c` on Windows uses old CryptoAPI functions like  CryptAcquireContext , which are present in advapi32, but it wasn't linked explicitly.
2025-01-20 12:07:02 +00:00
Juliusz Sosinowicz
88c6349837 quic_record_append: return correct code
0-return from quic_record_append is an error. `quic_record_complete(qr) || len == 0` is not an error condition. We should return as normal on success.

The issue is that passing in buffers with length 1 then 3 causes `qr_length` (in `quic_record_make`) to return 0. Then when `quic_record_append` gets called the `len` gets consumed by the first `if` and `len == 0` is true. This causes the error return which is not correct behaviour.

Reported in https://github.com/wolfSSL/wolfssl/issues/8156. Reproducing is a bit tricky. I couldn't get the docker to work.

First setup ngtcp2 as described in https://github.com/ngtcp2/ngtcp2/pkgs/container/ngtcp2-interop. The Relevant steps are (I tested with master/main branches of all libs):

```
$ git clone --depth 1 -b v5.7.4-stable https://github.com/wolfSSL/wolfssl
$ cd wolfssl
$ autoreconf -i
$ # For wolfSSL < v5.6.6, append --enable-quic.
$ ./configure --prefix=$PWD/build \
    --enable-all --enable-aesni --enable-harden --enable-keylog-export \
    --disable-ech
$ make -j$(nproc)
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
    --with-wolfssl
$ make -j$(nproc) check
```

Download and unzip https://github.com/user-attachments/files/17621329/failing.pcap.zip

From the ngtcp2 dir:

```
./examples/wsslserver 127.0.0.1 44433 /path/to/wolfssl/certs/server-key.pem /path/to/wolfssl/certs/server-cert.pem
```

Then run the following python script (`failing.pcap` has to be available in the running dir) (probably needs to be run as `sudo`):

```
from scapy.utils import rdpcap, PcapNgReader
from scapy.all import *
reader = PcapNgReader("failing.pcap")
for i in reader:
    p = i[IP]
    p.dport = 44433
    p.dst = "127.0.0.1"
    p[UDP].chksum=0
    p.display()
    send(p)
```

Then observe the log line:

```
I00000000 0xa48accb7b49ec1556ac7111c64d3a4572a81 frm tx 625216795 Initial CONNECTION_CLOSE(0x1c) error_code=CRYPTO_ERROR(0x100) frame_type=0 reason_len=0 reason=[]
```

You can also use `gdb` and place a break inside the following section in `wolfssl/src/quic.c`.

```
    if (quic_record_complete(qr) || len == 0) {
        return 0;
    }
```
2025-01-16 11:39:57 -08:00
Sean Parkinson
6e383547dd Entropy Apple: change time function called
Use clock_gettime_nsec_np and get the raw monotonic counter.
2025-01-16 04:14:55 +10:00
Sean Parkinson
e76186f060 Merge pull request #8356 from kareem-wolfssl/gh8355
Properly check for signature_algorithms from the client in a TLS 1.3 server.
2025-01-15 05:54:01 +10:00
Kareem
9f5c89ab4b Properly check for signature_algorithms from the client in a TLS 1.3 server.
The server was checking ssl->extensions which will always have an entry for TLSX_SIGNATURE_ALGORITHMS
as it is unconditionally added by TLSX_PopulateExtensions earlier in the DoTls13ClientHello function.
Instead, check args->clSuites->hashSigAlgoSz which is only set if signature_algorithms is found and parsed by TLSX_Parse.
2025-01-13 16:22:28 -07:00
JacobBarthelmeh
e037e0875d Merge pull request #8352 from douzzer/20240110-revert-8340
20240110-revert-8340
2025-01-10 17:31:34 -07:00
Daniel Pouzzner
d4c654205b Revert "quic_record_append: return correct code"
This reverts commit bc12dad041.

This commit broke builds that combine QUIC and PQ -- known failures are pq-all-valgrind-unittest, pq-hybrid-all-rpk, pq-hybrid-all-rpk-valgrind-unittest, quantum-safe-wolfssl-all-gcc-latest, quantum-safe-wolfssl-all-g++-latest, quantum-safe-wolfssl-all-fortify-source-asm, quantum-safe-wolfssl-all-fortify-source-asm-noasm, and quantum-safe-wolfssl-all-intelasm-sp-asm-valgrind.

Note that the unit.test asserts added by this commit fail both before and after reversion.
2025-01-10 17:38:02 -06:00
JacobBarthelmeh
99a6e82ff8 Merge pull request #8349 from douzzer/20250109-memory-errors
20250109-memory-errors
2025-01-10 15:58:30 -07:00
Eric Blankenhorn
462aa5bec6 Exclude new test for FIPS 2025-01-10 16:47:13 -06:00
Anthony Hu
4ca65f0ce7 Better guarding for LMS SHA256_256 vs LMS SHA256_192 2025-01-10 17:24:05 -05:00
Daniel Pouzzner
dc2ada117e wolfcrypt/benchmark/benchmark.c: fix check_for_excessive_stime() to accept the algo and strength, for proper rendering on asym algs. 2025-01-10 15:48:24 -06:00
Daniel Pouzzner
b16bedf82a more fixes guided by clang-tidy heap analyzer using clang-20.0.0_pre20250104:
wolfcrypt/src/integer.c: add additional guards against OOB access from uint wraps and null derefs of mp_int.dp, and refactor mp_grow() and mp_init_size() to use XMEMSET, for the benefit of clang-tidy.  in mp_grow(), fix the condition for the realloc to assure always evaluated if a->alloc == 0.

wolfcrypt/src/asn.c: fix wc_CreatePKCS8Key() so that *outSz is always assigned when LENGTH_ONLY_E is returned.

wolfcrypt/src/pkcs7.c: remove redundant inner condition in wc_PKCS7_EncodeAuthEnvelopedData(), added in previous commit and caught on review by Jacob (thanks!).

wolfcrypt/src/sp_int.c: in sp_mont_norm(), add another suppression for the same false positive in sp_mul() suppressed in previous commit.

wolfcrypt/src/srp.c: refactor SrpHashSize() to return ALGO_ID_E rather than 0 when unknown/uncompiled alg is requested.
2025-01-10 15:48:05 -06:00
Daniel Pouzzner
7cd2fd3617 numerous fixes for memory errors reported by clang-tidy, most of them true positives, unmasked by CPPFLAGS=-DNO_WOLFSSL_MEMORY: clang-analyzer-unix.Malloc, clang-analyzer-core.NullDereference, clang-analyzer-core.uninitialized.Assign, clang-analyzer-core.UndefinedBinaryOperatorResult, and clang-analyzer-optin.portability.UnixAPI (re malloc(0)).
several fixes for defects reported by cppcheck:

wolfcrypt/src/ecc.c: fix for cppcheck oppositeInnerCondition from cppcheck-2.16.0 in _ecc_make_key_ex(), and fixes for related unhandled errors discovered by manual inspection;

wolfcrypt/test/test.c: fix XREALLOC call in memcb_test() to resolve cppcheck-detected memleak.
2025-01-10 14:30:42 -06:00
JacobBarthelmeh
21bdb76ede Merge pull request #8340 from julek-wolfssl/gh/8156
quic_record_append: return correct code
2025-01-10 12:08:27 -07:00
Reda Chouk
d491e54c98 Fix heap hint usage in wc_RNG_HealthTest
Pass provided heap hint to XMALLOC instead of NULL in RNG health test
function to ensure proper memory allocation with custom heap.
2025-01-10 19:13:53 +01:00
JacobBarthelmeh
0e3020b99b Merge pull request #8337 from julek-wolfssl/libvncserver-0.9.14
Add 0.9.14 to tested libvncserver builds
2025-01-10 10:58:12 -07:00
JacobBarthelmeh
c977d627ed Merge pull request #8303 from night1rider/ZD-19038
Extended Master Secret Generation PK Callback
2025-01-10 10:53:26 -07:00
JacobBarthelmeh
dc6669b772 Merge pull request #8321 from julek-wolfssl/fips-check-update-help
fips-check.sh: Update the help output
2025-01-10 10:48:14 -07:00
Eric Blankenhorn
53831d0f32 Add test 2025-01-10 10:06:14 -06:00
David Garske
197a7e0ba3 Merge pull request #8348 from SparkiDev/aarch64_cpuid_freebsd_fix
Aarch64 CPU Id: FreeBSD/OpenBSD fix
2025-01-10 06:59:01 -08:00
Eric Blankenhorn
139504b9fd Check r and s len before copying 2025-01-10 08:46:40 -06:00
Sean Parkinson
aa8a2144c8 Aarch64 CPU Id: FreeBSD/OpenBSD fix
Fix name and flags set.
2025-01-10 08:28:45 +10:00
David Garske
5b07d41cb3 Merge pull request #8342 from douzzer/20250108-reproducible-build-backtrace
20250108-reproducible-build-backtrace
2025-01-08 15:23:14 -08:00
mgrojo
8122181e45 Ada binding: add support for the PSK server callbacks
Plus fix location of the certificate files in the examples.

Tested with both Ada examples:
```
obj/tls_server_main --psk
obj/tls_client_main 127.0.0.1 --psk
```
2025-01-09 00:11:01 +01:00
Daniel Pouzzner
ad5018ee5d configure.ac: fix --enable-debug-trace-errcodes=backtrace with --enable-reproducible-build: don't add -g0 to CFLAGS when both are enabled, because -g0 makes backtracing impossible. 2025-01-08 15:59:11 -06:00
David Garske
5f95fe3730 Merge pull request #8341 from douzzer/20250108-PKCS12_CoalesceOctetStrings-leak
20250108-PKCS12_CoalesceOctetStrings-leak
2025-01-08 12:29:30 -08:00
Daniel Pouzzner
8d85ab964d wolfcrypt/src/pkcs12.c: fix resource leak in PKCS12_CoalesceOctetStrings(). 2025-01-08 13:39:33 -06:00
David Garske
78776ba6b3 Merge pull request #8339 from douzzer/20250107-clang-tidy-xmss
20250107-clang-tidy-xmss
2025-01-08 10:16:15 -08:00
Juliusz Sosinowicz
bc12dad041 quic_record_append: return correct code
0-return from quic_record_append is an error. `quic_record_complete(qr) || len == 0` is not an error condition. We should return as normal on success.

The issue is that passing in buffers with length 1 then 3 causes `qr_length` (in `quic_record_make`) to return 0. Then when `quic_record_append` gets called the `len` gets consumed by the first `if` and `len == 0` is true. This causes the error return which is not correct behaviour.

Reported in https://github.com/wolfSSL/wolfssl/issues/8156. Reproducing is a bit tricky. I couldn't get the docker to work.

First setup ngtcp2 as described in https://github.com/ngtcp2/ngtcp2/pkgs/container/ngtcp2-interop. The Relevant steps are (I tested with master/main branches of all libs):

```
$ git clone --depth 1 -b v5.7.4-stable https://github.com/wolfSSL/wolfssl
$ cd wolfssl
$ autoreconf -i
$ # For wolfSSL < v5.6.6, append --enable-quic.
$ ./configure --prefix=$PWD/build \
    --enable-all --enable-aesni --enable-harden --enable-keylog-export \
    --disable-ech
$ make -j$(nproc)
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/nghttp3
$ cd nghttp3
$ autoreconf -i
$ ./configure --prefix=$PWD/build --enable-lib-only
$ make -j$(nproc) check
$ make install
$ cd ..
$ git clone --recursive https://github.com/ngtcp2/ngtcp2
$ cd ngtcp2
$ autoreconf -i
$ # For Mac users who have installed libev with MacPorts, append
$ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
$ ./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
    --with-wolfssl
$ make -j$(nproc) check
```

Download and unzip https://github.com/user-attachments/files/17621329/failing.pcap.zip

From the ngtcp2 dir:

```
./examples/wsslserver 127.0.0.1 44433 /path/to/wolfssl/certs/server-key.pem /path/to/wolfssl/certs/server-cert.pem
```

Then run the following python script (`failing.pcap` has to be available in the running dir) (probably needs to be run as `sudo`):

```
from scapy.utils import rdpcap, PcapNgReader
from scapy.all import *
reader = PcapNgReader("failing.pcap")
for i in reader:
    p = i[IP]
    p.dport = 44433
    p.dst = "127.0.0.1"
    p[UDP].chksum=0
    p.display()
    send(p)
```

Then observe the log line:

```
I00000000 0xa48accb7b49ec1556ac7111c64d3a4572a81 frm tx 625216795 Initial CONNECTION_CLOSE(0x1c) error_code=CRYPTO_ERROR(0x100) frame_type=0 reason_len=0 reason=[]
```

You can also use `gdb` and place a break inside the following section in `wolfssl/src/quic.c`.

```
    if (quic_record_complete(qr) || len == 0) {
        return 0;
    }
```
2025-01-08 18:53:43 +01:00
Daniel Pouzzner
fd664fd597 wolfcrypt/src/integer.c: add sanity checks to mollify clang-tidy 20.0.0_pre20250104: in mp_grow(), error if the mp_int has a null .dp but nonzero .alloc; in s_mp_add() and s_mp_sub(), error if either operand has a null .dp but the constant of iteration (from .used) is positive. these fix 6 distinct clang-analyzer-core.NullDereferences, of undetermined accuracy (possibly benign). 2025-01-08 11:09:27 -06:00
Daniel Pouzzner
632d1c7ada wolfcrypt/src/wc_xmss_impl.c: fix error-checking comparisons in wc_xmss_bds_state_load() and wc_xmss_bds_state_store(), and remove no-longer-needed suppression in wc_xmss_sign().
.wolfssl_known_macro_extras: remove unneeded WOLFSSL_GAISLER_BCC and WOLFSSL_NO_AES_CFB_1_8.

wolfcrypt/src/dh.c: reformat overlong lines.
2025-01-07 17:37:11 -06:00
Daniel Pouzzner
27c37b245f tests/api.c: in test_dtls12_basic_connection_id(), add cast to fix a -Wformat on size_t j when building -m32. 2025-01-07 16:51:30 -06:00
mgrojo
815f99d0c2 Ada binding: improve comments and arguments in the PSK case
- Add comments for the PSK value in the example.
- Add runtime argument for executing the PSK test.
- Warn user that their callback implementation can't be in the SPARK subset.
2025-01-07 23:12:14 +01:00
Daniel Pouzzner
b6ce89c429 wolfcrypt/src/pkcs7.c: in wc_PKCS7_BuildSignedAttributes(), clear cannedAttribs[idx] before it's conditionally populated, to prevent possible uninited data read in subsequent EncodeAttributes(). 2025-01-07 15:03:18 -06:00
Daniel Pouzzner
8c32238733 wolfcrypt/src/wc_xmss_impl.c: guided by clang-tidy 20.0.0_pre20250104, add some error-checking to wc_xmss_bds_state_load() and wc_xmss_bds_state_store(), but ultimately, suppress a pair of stubborn apparently-false "function call argument is an uninitialized value" warnings, one in wc_xmss_bds_state_store() and one in wc_xmss_sign(). 2025-01-07 14:04:01 -06:00
Daniel Pouzzner
78c4a04cac Merge pull request #8330 from dgarske/compat
Fix for SSL_set_mtu compat function return code
2025-01-07 10:52:59 -06:00
David Garske
a3d879f1c6 Merge pull request #8336 from douzzer/20250107-clang-tidy-null-derefs
20250107-clang-tidy-null-derefs
2025-01-07 08:07:06 -08:00
David Garske
4a12351a82 Merge pull request #8335 from douzzer/20250106-_DhSetKey-FFDHE-short-circuit
20250106-_DhSetKey-FFDHE-short-circuit
2025-01-07 08:06:37 -08:00
David Garske
d2ea3c67c5 Merge pull request #8329 from douzzer/20250103-Sha512Final-no-scratch-digest
20250103-Sha512Final-no-scratch-digest
2025-01-07 08:05:31 -08:00
Juliusz Sosinowicz
d704dda47b Add openldap 2.6.7 testing 2025-01-07 13:01:56 +01:00
Juliusz Sosinowicz
cb4d161668 Add 0.9.14 to tested libvncserver builds 2025-01-07 11:45:43 +01:00
Juliusz Sosinowicz
40500e4f2b fixup! Implement wolfSSL_X509_STORE_set_default_paths 2025-01-07 10:56:34 +01:00
Daniel Pouzzner
d6ead1b3e5 src/tls.c: fix possible null deref in TLSX_UseCertificateStatusRequestV2().
wolfcrypt/src/pkcs12.c: fix possible null deref in PKCS12_CoalesceOctetStrings(), and fix spelling of PKCS12_ConcatenateContent().
2025-01-07 00:00:48 -06:00
Daniel Pouzzner
fffafe661a wolfcrypt/src/dh.c: in _DhSetKey(), add short-circuit comparisons to RFC 7919 known-good moduli, preempting overhead from mp_prime_is_prime().
wolfcrypt/test/test.c: in dh_ffdhe_test(), when defined(HAVE_PUBLIC_FFDHE), use wc_DhSetKey_ex() rather than wc_DhSetKey() to exercise the primality check in _DhSetKey().
2025-01-06 14:52:42 -06:00
David Garske
1679218a88 Merge pull request #8333 from SparkiDev/sp_int_rshb_codesonar
SP int: stop CodeSonar complaining about i being negatve
2025-01-06 11:44:32 -08:00
Daniel Pouzzner
5172ff7ee3 wolfcrypt/src/sha512.c: in Sha512FinalRaw() and wc_Sha384FinalRaw(), refactor out the scratch digest -- ByteReverseWords64() is safe in-place, and the scratch digest caused a SEGV in the XMEMCPY() on AVX512-capable targets built with gcc -march=native unless XALIGN(64), due to gcc bug(s). 2025-01-06 11:06:56 -06:00
Sean Parkinson
13ce92cc1f SP int: stop CodeSonar complaining about i being negatve
n is checked for negative and fail out in that case.
i is n devided by a positive constant and can never be negative.
2025-01-06 10:04:14 +10:00
mgrojo
11a40a610e Ada binding: add support for PSK client callback
Tested with:
`wolfSSL/wolfssl-examples/psk/server-psk.c`
after changing `DTLSv1_3_Client_Method` to `DTLSv1_2_Client_Method` to comply with the server example.
2025-01-04 20:03:04 +01:00
Juliusz Sosinowicz
341ed32223 Add bind9 CI testing 2025-01-03 20:47:51 +01:00
David Garske
d6440be4a9 Fix for SSL_set_mtu -> wolfSSL_set_mtu_compat return code. Update comment for wolfSSL_is_init_finished indicating it works for TLS and DTLS. 2025-01-03 10:10:37 -08:00
Juliusz Sosinowicz
02e942334b Define WOLFSSL_MAX_SSL_SESSION_ID_LENGTH 2025-01-03 17:09:47 +01:00
Juliusz Sosinowicz
4cc3eec587 Implement wolfSSL_X509_STORE_set_default_paths 2025-01-03 17:09:30 +01:00
Juliusz Sosinowicz
5ee8af2351 wolfSSL_i2o_ECPublicKey: use uncompressed when selected 2025-01-03 14:24:34 +01:00
David Garske
71b7d0c9de Merge pull request #8328 from douzzer/20250102-fips-v6-update-to-5v7v6
20250102-fips-v6-update-to-5v7v6
2025-01-02 16:01:05 -08:00
David Garske
5a6e92c793 Merge pull request #8325 from SparkiDev/aarch64_cpuid_aesgcm_kyber
Aarch64 ASM: Use CPU features for more
2025-01-02 14:51:35 -08:00
kaleb-himes
bb482d1881 Order into respective groups 2025-01-02 15:41:47 -07:00
Daniel Pouzzner
7d856aebd0 update FIPS v6 to point to wolfcrypt WCv6.0.0-RC3 (aka v5.7.6-stable) and fips WCv6.0.0-RC3. 2025-01-02 15:42:19 -06:00
Juliusz Sosinowicz
853c108802 update libssh2 version to pass tests 2025-01-02 17:00:57 +01:00
Juliusz Sosinowicz
353986bbf6 fips-check.sh: Update the help output 2025-01-02 12:43:43 +01:00
Sean Parkinson
7d3ee74a71 Aarch64 ASM: Use CPU features for more
AES GCM streaming - fix GHASH_ONE_BLOCK to use CPU feature information.
AES-GCM uses EOR3 (SHA-3 instruction) - split assembly code.
Kyber uses SQRDMLSH - split assembly code.

Changed define from WOLFSSL_AARCH64_NO_SQRMLSH to
WOLFSSL_AARCH64_NO_SQRDMLSH to match instruction.

Improved array data format for inline assembly code.
2025-01-02 19:56:04 +10:00
Daniel Pouzzner
239b85c804 Merge pull request #8323 from JacobBarthelmeh/release
prepare for release 5.7.6
2024-12-31 11:58:22 -06:00
Juliusz Sosinowicz
c3ada2760a Add ntp 4.2.8p17 to tested versions 2024-12-31 17:06:46 +01:00
Juliusz Sosinowicz
af96f294fa Add MD4 to EVP layer 2024-12-31 16:58:58 +01:00
JacobBarthelmeh
70e41d1ed1 prepare for release 5.7.6 2024-12-31 08:27:53 -07:00
Juliusz Sosinowicz
3cb2bb3759 OBJ_sn2nid: use correct short names 2024-12-31 12:50:04 +01:00
Daniel Pouzzner
d40698a103 Merge pull request #8322 from JacobBarthelmeh/coverity
fix for dead code warning CID444417
2024-12-30 17:56:28 -06:00
JacobBarthelmeh
c9bcbd8c52 fix for dead code warning CID444417 2024-12-30 16:14:28 -07:00
David Garske
8d7c60017c Merge pull request #8263 from JacobBarthelmeh/rsa_pss
account for rsa_pss_rsae vs rsa_pss_pss type
2024-12-28 13:47:30 -08:00
JacobBarthelmeh
af4b5c2097 only run RSA-PSS interop test if cipher suites with ephemeral keys are available 2024-12-28 11:34:17 -08:00
JacobBarthelmeh
1ae0f7c66f do not do resume with new test case
add wolfssl_no_resume flag to openssl.test

check for version of openssl testing against

check if RSA is supported for test case

guard on test case for TLS versions supported
2024-12-28 02:09:49 -08:00
David Garske
2e8f0176c9 Merge pull request #8316 from JacobBarthelmeh/x509ref
Up X509 refrence count and add test case
2024-12-27 10:37:28 -08:00
JacobBarthelmeh
3ee08d81db fix for check on number of objects when free'ing and add test case 2024-12-27 08:09:03 -08:00
David Garske
5c6fdb52f1 Merge pull request #8319 from philljj/fix_coverity
coverity: correct lock message, check fd value.
2024-12-26 12:53:36 -08:00
JacobBarthelmeh
f57f044b39 Merge pull request #8318 from dgarske/CID444418
Fix for finishedSz checking with TLSv1.3 and `WOLFSSL_HAVE_TLS_UNIQUE` (CID444418)
2024-12-24 15:41:25 -07:00
jordan
c71392bb7e coverity: correct lock message, check fd value. 2024-12-24 16:31:16 -06:00
David Garske
e1baf27831 CID444418. Fix for finishSz checking with TLSv1.3 and WOLFSSL_HAVE_TLS_UNIQUE. 2024-12-24 13:38:57 -08:00
JacobBarthelmeh
17c17cde13 Merge pull request #8317 from night1rider/CID_444416
Free Val and Oid before returning error
2024-12-24 10:38:26 -07:00
JacobBarthelmeh
838fe22e61 Merge pull request #8314 from SparkiDev/aarch64_no_crypto_fallback
Aarch64 ASM: check CPU features before hw crypto instr use
2024-12-24 10:15:23 -07:00
JacobBarthelmeh
98d212d60b Merge pull request #8315 from SparkiDev/regression_fixes_16
Regression testing fixes
2024-12-24 09:56:20 -07:00
msi-debian
545257e498 CID 444416 2024-12-24 09:35:40 -07:00
JacobBarthelmeh
3aa2881cd4 account for rsa_pss_rsae vs rsa_pss_pss type 2024-12-23 23:45:33 -07:00
Sean Parkinson
cad2ebde04 Regression testing fixes
test.c: Dilithium private key not available in cert_test.h unless
signing is enabled.
./configure --disable-shared --enable-dilithium=make,44,65,87
./configure --disable-shared --enable-dilithium=make,sign,44,65,87
./configure --disable-shared --enable-dilithium=make,verify,44,65,87
test.c: Dilithium doesn't have decode/encode when
WOLFSSL_DILITHIUM_NO_ASN1 is defined.
./configure --disable-shared --enable-dilithium=yes
CFLAGS=-DWOLFSSL_DILITHIUM_NO_ASN1
2024-12-24 13:55:21 +10:00
Sean Parkinson
e1851cd482 Aarch64 ASM: check CPU features before hw crypto instr use
For SHA-256, SHA-512 and SHA3, get the CPU features to see if hardware
crypto is available. If not then fallback to an alternate
implementation.
2024-12-24 12:08:12 +10:00
kaleb-himes
2d01363e57 Remove trailing whitespace on a line 2024-12-23 17:14:38 -07:00
Sean Parkinson
93812e4286 Merge pull request #8289 from JacobBarthelmeh/harden
add option for additional sanity checks
2024-12-24 09:17:08 +10:00
JacobBarthelmeh
ee9b88541f change default to no for --enable-faultharden 2024-12-23 13:51:30 -07:00
kaleb-himes
5ad5ba2299 Fix more overlong lines and add one more customer setting 2024-12-23 11:44:56 -07:00
Daniel Pouzzner
a13d0fdd86 Merge pull request #8311 from SparkiDev/aarch64_cpuid_fix
Aarch64 CPU id: fix for privilege instruction detection
2024-12-23 11:52:14 -06:00
JacobBarthelmeh
2409971b14 Merge pull request #8224 from julek-wolfssl/dtls-server-demux
DTLS: Add server side stateless and CID QoL API
2024-12-23 10:01:01 -07:00
JacobBarthelmeh
36d5342f6b Merge pull request #8310 from douzzer/20241221-wolfCrypt-more-AES_BLOCK_SIZE
20241221-wolfCrypt-more-AES_BLOCK_SIZE
2024-12-23 09:26:05 -07:00
Sean Parkinson
e7d7e47e07 Aarch64 CPU id: fix for privilege instruction detection
AES/PMULL is in four bits 4-7.
When value is 0b0010, this indicates both AES and PMULL. Fix code to set
both.
2024-12-23 11:23:14 +10:00
David Garske
2bcad989da Merge pull request #8309 from douzzer/20241221-fix-CEscape-bounds-check
20241221-fix-CEscape-bounds-check
2024-12-21 14:51:46 -08:00
Daniel Pouzzner
50a0773c09 Merge pull request #8285 from LinuxJedi/gaisler
Add initial support for Gaisler-BCC with Sparc
2024-12-21 11:03:39 -06:00
Daniel Pouzzner
ed18bf3deb In wolfcrypt/src/port/ and IDE/, replace remaining uses of AES_BLOCK_SIZE with WC_AES_BLOCKSIZE for compatibility with OPENSSL_COEXIST.
Automated replacement with
```
git ls-files -z wolfcrypt/src/port/ IDE/ | xargs -0 pcre2grep -l '[^_]AES_BLOCK_SIZE' | xargs sed --regexp-extended --in-place 's/([^_])AES_BLOCK_SIZE/\1WC_AES_BLOCK_SIZE/g'
```

Checked for mis-transformations with
```
git ls-files -z | xargs -0 pcre2grep '[^-[()+*/[:space:]]WC_AES_BLOCK_SIZE' | less
```

Checked for residual hits with
```
git ls-files -z | xargs -0 pcre2grep '[^_]AES_BLOCK_SIZE' | less
```

Deliberately excluded:
* ChangeLog.md -- do not alter history.
* doc/ -- do not confuse documentation with newly prefixed macro, because AES_BLOCK_SIZE is available unless -DOPENSSL_COEXIST.
* tests/api.c -- the unit tests deliberately use compatibility names, and are not compatible with -DOPENSSL_COEXIST.
* wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs -- false positive hits on C# names.
* wrapper/CSharp/wolfCrypt-Test/wolfCrypt-Test.cs -- false positive hits on C# names.
* reference in wolfssl/wolfcrypt/aes.h that defines AES_BLOCK_SIZE when -UOPENSSL_COEXIST.
* reference in wolfssl/wolfcrypt/settings.h that defines WC_AES_BLOCK_SIZE for old FIPS when -UWC_AES_BLOCK_SIZE.
2024-12-21 10:28:18 -06:00
Daniel Pouzzner
4ff73b9024 wolfssl/wolfcrypt/aes.h: fix stray reference to AES_BLOCK_SIZE in def for GHASH_ONE_BLOCK(). 2024-12-21 10:08:17 -06:00
Daniel Pouzzner
33a47c1c04 Merge pull request #8265 from JacobBarthelmeh/armasm
armasm with opensslcoexist build
2024-12-21 10:06:27 -06:00
Daniel Pouzzner
b07f2cb461 wolfcrypt/src/coding.c: fix incorrect array bounds check in CEscape(), introduced in 8bbe8a7c8a (before which there was no bounds check at all). 2024-12-21 09:47:07 -06:00
Andrew Hutchings
231cea34ef Add initial support for Gaisler-BCC with Sparc
Slight modifications and documentation to get wolfSSL working with
Gaisler Sparc CPUs and their cross-compilers.
2024-12-21 09:19:58 +00:00
Daniel Pouzzner
ad20593569 Merge pull request #8279 from LinuxJedi/sk_push_comments
Fix code comments for some x509.c functions
2024-12-21 00:09:18 -06:00
Daniel Pouzzner
67800c3a22 Merge pull request #8292 from JacobBarthelmeh/xsocktlen
set dk-s7g2 socklent
2024-12-21 00:01:33 -06:00
Daniel Pouzzner
5ef4732745 Merge pull request #8299 from JacobBarthelmeh/cert_regen
end of year test certificate renewal
2024-12-20 17:41:33 -06:00
Daniel Pouzzner
9d3e477b63 src/ssl.c: gate wolfSSL_dtls_set_pending_peer() on !defined(WOLFSSL_NO_SOCK), not just defined(WOLFSSL_DTLS_CID).
tests/api.c: in test_dtls12_basic_connection_id(), omit chacha20 suites if defined(HAVE_FIPS), and fix gate on DHE-PSK-NULL-SHA256.
2024-12-20 17:24:13 -06:00
Daniel Pouzzner
afc7e0eb8c Merge pull request #8308 from cconlon/sessTickLenCheck
Remove dead code in TLSX_PopulateExtensions() around MAX_PSK_ID_LEN check
2024-12-20 16:41:09 -06:00
JacobBarthelmeh
961453b5ee fix for free'ing up memory after use 2024-12-20 14:58:57 -07:00
JacobBarthelmeh
b273bff4e9 regenerate certs_test.h with raw dilithium keys 2024-12-20 11:50:11 -07:00
JacobBarthelmeh
67f3343a5d Merge pull request #8306 from SparkiDev/kyber_no_avx2_fix
ML-KEM/Kyber: fix kyber_prf() for when no AVX2
2024-12-20 11:40:46 -07:00
JacobBarthelmeh
7cebe95138 Merge pull request #8304 from SparkiDev/regression_fixes_15
Regression testing: fixes
2024-12-20 11:29:15 -07:00
JacobBarthelmeh
3dd9f4631d Merge pull request #8305 from kareem-wolfssl/zd19044
Fix a couple of missing bounds checks found via code analyzer.
2024-12-20 11:20:19 -07:00
JacobBarthelmeh
19e68ea71a add a faketime test and update cert buffers 2024-12-20 10:35:58 -07:00
Chris Conlon
f68f99b000 Remove dead code in TLSX_PopulateExtensions() around MAX_PSK_ID_LEN check 2024-12-20 09:48:01 -07:00
Sean Parkinson
e507c466d5 ML-KEM/Kyber: fix kyber_prf() for when no AVX2
When no AVX2 available, kyber_prf() is called to produce more than one
SHAKE-256 blocks worth of ouput. Otherwise only one block is needed.
Changed function to support an outlen of greater than one block.
2024-12-20 11:03:58 +10:00
Kareem
8bbe8a7c8a Fix a couple of missing bounds checks found via code analyzer. 2024-12-19 17:01:25 -07:00
night1rider
6617a8afca Updating Client/Server with myGenExtMaster Callback 2024-12-19 16:27:35 -07:00
Sean Parkinson
b7c1e1cf35 Regression testing: fixes
src/x509.c: wolfssl_x509_name_entry_set() ne->object is freed if call to
wolfSSL_OBJ_nid2obj_ex() fails. Always assign directly back to
ne->object.

wolfcrypt/test/test.c: aes_ctr_test() doesn't need AES decrypt
./configure '--disable-shared' '--enable-cryptonly'
'CFLAGS=-DNO_AES_DECRYPT' '--disable-aescbc' '--disable-aesofb'
'--disable-aescfb' '--disable-aesgcm' '--disable-aesccm'
'--enable-aesctr' '--disable-aesxts' '--disable-aeseax'

tests/api.c: test_X509_STORE_InvalidCa() only defined when !NO_RSA
./configure '--disable-shared' '--enable-opensslall' '--disable-rsa'

tests/api.c: test_wolfSSL_GENERAL_NAME_print() free ridObj if not
assigned into gn.
2024-12-20 09:25:03 +10:00
Sean Parkinson
00f83facb2 Merge pull request #8302 from cconlon/sessTickLenCheck
Loosen MAX_PSK_ID_LEN check in TLSX_PopulateExtensions() to only server side
2024-12-20 08:44:10 +10:00
night1rider
2f4329306b Initial Extended Master Secret PK Callback ZD#19038 2024-12-19 15:43:58 -07:00
JacobBarthelmeh
8ca790218c certs_test.h is using raw dilithium keys 2024-12-19 15:23:37 -07:00
Daniel Pouzzner
ad8f74b650 examples/client/client.c and examples/client/client.c: use XSTRLCPY() to assure proper null termination. 2024-12-19 16:14:59 -06:00
JacobBarthelmeh
8fa238e554 Merge pull request #8301 from douzzer/20241219-gating-fixes
20241219-gating-fixes
2024-12-19 14:38:55 -07:00
JacobBarthelmeh
5b6ffe0795 add *.revoked to codespell skip 2024-12-19 14:35:43 -07:00
JacobBarthelmeh
abc87f9c6f add regression test for gencertbuf.pl 2024-12-19 14:32:46 -07:00
Chris Conlon
1101841b95 Loosen MAX_PSK_ID_LEN check in TLSX_PopulateExtensions() to only server side 2024-12-19 14:26:22 -07:00
JacobBarthelmeh
e66905aaf6 fix for gencertbuf script and add dilithium public key 2024-12-19 14:25:12 -07:00
Daniel Pouzzner
994f218fcb src/ssl.c and wolfssl/internal.h: gate in wolfSSL_get_ciphers_compat() in OPENSSL_EXTRA builds, so that --with-sys-crypto-policy works with OPENSSL_EXTRA but without OPENSSL_ALL.
configure.ac: more fixes for FIPS v6 armasm settings, re ENABLED_ARMASM_CRYPTO.
2024-12-19 14:29:39 -06:00
Juliusz Sosinowicz
ca4b1667ee strcpy -> strncpy 2024-12-19 11:19:47 +01:00
Juliusz Sosinowicz
feff68d4fd Increase buffer to make room for \0 2024-12-19 11:01:27 +01:00
Daniel Pouzzner
836ee1cbd5 Merge pull request #8298 from lealem47/zd18920
Printing the rfc822Mailbox x509 attribute
2024-12-18 22:19:32 -06:00
Daniel Pouzzner
ed76d8ea10 Merge pull request #8297 from miyazakh/ra_jankins
Fix RA6M4 jankins failure
2024-12-18 22:18:43 -06:00
Daniel Pouzzner
be2e779280 Merge pull request #8205 from philljj/fedora_crypto_policy
fedora crypto-policies: initial support.
2024-12-18 20:54:36 -06:00
JacobBarthelmeh
a5f9ec67c9 Merge pull request #8251 from gojimmypi/pr-post-release-bdd62314-espressif
Espressif Managed Component wolfSSL 5.7.4 post-release update
2024-12-18 16:45:33 -07:00
JacobBarthelmeh
df3897d39f adjust tests after cert renewal 2024-12-18 16:19:51 -07:00
JacobBarthelmeh
e998dda1db update test certs to have v3 2024-12-18 16:12:08 -07:00
JacobBarthelmeh
4ed14af331 if no extensions are present a v1 certificate was generated, add a SKID extension to avoid that 2024-12-18 16:11:18 -07:00
jordan
b5c47d27e0 fedora crypto-policies: initial support. 2024-12-18 16:56:36 -06:00
JacobBarthelmeh
bf6ef15be4 update test certificates in header file 2024-12-18 14:27:26 -07:00
JacobBarthelmeh
28184dd8cc update certificates in certs directory 2024-12-18 14:26:15 -07:00
David Garske
afff48f0d6 Merge pull request #8253 from douzzer/20241204-more-C89-expansion
20241204-more-C89-expansion
2024-12-18 10:44:18 -08:00
Daniel Pouzzner
122502e2b1 wolfCrypt -Wconversion expansion: fix numerous warnings, all benign, from -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion. 2024-12-18 11:51:06 -06:00
Juliusz Sosinowicz
9cb75ef5f8 fixup! DTLS: Add server side stateless and CID QoL API 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz
fe9a5fcd42 fixup! Code review and jenkins fixes 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz
faa7b8dfaa wolfSSLReceive: Error return on interrupted connection
Interrupted connection should return control to the user since they may want to handle the signal that caused the interrupt. Otherwise, we might never give back control to the user (the timeout would error out but that causes a big delay).

socat.yml: in test 475, the test would send a SIGTERM after 3 seconds. We would continue to ignore this signal and continue to call `recvfrom`. Instead we should error out and give control back to the user.
2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz
a1ee953411 Protect peer access when WOLFSSL_RW_THREADED 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz
4795e0d920 Refactor dtls pending peer processing 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz
3ded2bc05d Code review and jenkins fixes 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz
71337d2959 Client TLS: Set traffic decrypt keys when parsing Finished 2024-12-18 09:31:25 +01:00
Juliusz Sosinowicz
daa57c492d DTLS: Add server side stateless and CID QoL API
- wolfDTLS_accept_stateless - statelessly listen for incoming connections
- wolfSSL_inject - insert data into WOLFSSL object
- wolfSSL_SSL(Enable|Disable)Read - enable/disable reading from IO
- wolfSSL_get_wfd - get the write side file descriptor
- wolfSSL_dtls_set_pending_peer - set the pending peer that will be upgraded to regular peer when we successfully de-protect a DTLS record
- wolfSSL_dtls_get0_peer - zero copy access to the peer address
- wolfSSL_is_stateful - boolean to check if we have entered stateful processing
- wolfSSL_dtls_cid_get0_rx - zero copy access to the rx cid
- wolfSSL_dtls_cid_get0_tx - zero copy access to the tx cid
- wolfSSL_dtls_cid_parse - extract cid from a datagram/message
2024-12-18 09:31:24 +01:00
Sean Parkinson
ba050d6a3f Merge pull request #8296 from douzzer/20241217-FIPS-v6-ENABLED_ARMASM_CRYPTO-fixes
20241217-FIPS-v6-ENABLED_ARMASM_CRYPTO-fixes
2024-12-18 15:27:08 +10:00
Lealem Amedie
651dab3dbf Printing the rfc822Mailbox x509 attribute 2024-12-17 15:39:23 -07:00
Hideki Miyazaki
39c11c269f Fix RA6M jankins failure 2024-12-18 07:37:21 +09:00
Daniel Pouzzner
60afdb557d Merge pull request #8273 from dgarske/no_tls
Enable support for no TLS while allowing certificate manager
2024-12-17 16:24:57 -06:00
JacobBarthelmeh
613c1aa16d fix for no malloc build 2024-12-17 14:47:45 -07:00
David Garske
356889a528 Add --disable-tls option that can be used with --enable-all to disable TLS features and set NO_TLS. Useful for allowing certificate manager and crypto compatibility API's only. 2024-12-17 13:40:03 -08:00
Daniel Pouzzner
f23a2f2f48 wolfcrypt/src/aes.c: add missing WOLFSSL_ARMASM gate clause around wolfCrypt_FIPS_aes_ro_sanity, necessitated by 514a92d6ee/#8293. 2024-12-17 14:17:52 -06:00
JacobBarthelmeh
87ae31b48f some additional sanity checks with harden build 2024-12-17 12:47:42 -07:00
Daniel Pouzzner
7b57ef4912 configure.ac: fix faulty logic in FIPS v6 feature calculation re ENABLED_ARMASM_CRYPTO, originally added in 6e0a90190f. 2024-12-17 12:21:47 -06:00
David Garske
6151160e58 Further fixes with NO_TLS to support use with compatibility layer. 2024-12-17 09:24:38 -08:00
Kaleb Himes
fcbea85ded Merge pull request #8291 from douzzer/20241213-fips-check-refactor-assoc-arrays
20241213-fips-check-refactor-assoc-arrays
2024-12-17 10:23:51 -07:00
David Garske
a2b5da8651 Fix nested NO_TLS. 2024-12-17 08:33:33 -08:00
David Garske
16b2884cf1 Fix issues in test_tls13_apis with no filesystem or no RSA/ECC. 2024-12-17 08:33:33 -08:00
David Garske
14e3372826 Enable support for using certificate manager only. Fixes for building without TLS enabled (NO_TLS). ZD 19054. Tested using ./configure --disable-tlsv12 --disable-tls13 CFLAGS="-DNO_TLS" && make check 2024-12-17 08:33:32 -08:00
Daniel Pouzzner
22e95081cd Merge pull request #8181 from gojimmypi/dev-compiler-message
Initialize vars & change types to appease Windows/VS
2024-12-16 23:19:05 -06:00
Daniel Pouzzner
058138eb00 Merge pull request #8286 from julek-wolfssl/hostap-action-update
Use source hostap repo
2024-12-16 23:07:05 -06:00
Daniel Pouzzner
5aeabbfa3c Merge pull request #8245 from julek-wolfssl/mbed-interop
Add CID interop with mbedtls
2024-12-16 23:04:19 -06:00
Daniel Pouzzner
9d7c02589f Merge pull request #8276 from SparkiDev/ed448_muladd_full_reduce
EdDSA Ed448: sc_muladd now does full reduction
2024-12-16 20:29:49 -06:00
Daniel Pouzzner
a1035cf8df Merge pull request #8294 from LinuxJedi/test_compile_issue
Fix compile issue with NO_WOLFSSL_DIR
2024-12-16 19:26:24 -06:00
Daniel Pouzzner
b5935f38d7 Merge pull request #8282 from SparkiDev/iphone_no_sha3_instrs
MacOS: allow SHA-3 instructions to be explicitly not used
2024-12-16 16:55:09 -06:00
Daniel Pouzzner
fd22bfc0b7 Merge pull request #8293 from SparkiDev/aarch64_no_crypto
Aarch64: make code compile when no hardware crypto avail
2024-12-16 14:57:53 -06:00
philljj
c5c607bc87 Merge pull request #8295 from douzzer/20241216-linuxkm-export-ns-quotes
20241216-linuxkm-export-ns-quotes
2024-12-16 12:37:21 -06:00
Daniel Pouzzner
6fbc18f0dc linuxkm/Kbuild and linuxkm/module_exports.c.template: on kernel >=6.13, add quotes around the namespace arg to EXPORT_SYMBOL_NS_GPL() (upstream change actually made in 6.13-rc2). 2024-12-16 11:43:26 -06:00
Andrew Hutchings
61cb5b479f Fix compile issue with NO_WOLFSSL_DIR
`test_wolfSSL_CTX_load_system_CA_certs()` would try to use DIR functions
when `NO_WOLFSSL_DIR` was used.
2024-12-16 17:23:49 +00:00
Sean Parkinson
514a92d6ee Aarch64: make code compile when no hardware crypto avail
Detects availability of instructions for Aarch64.
2024-12-16 17:46:08 +10:00
Sean Parkinson
e3876fcab7 Merge pull request #8287 from JacobBarthelmeh/sigfault
fix for sig fault harden build
2024-12-16 09:04:29 +10:00
Daniel Pouzzner
7c5451c742 fips-check.sh fixes + enhancements:
* change default WOLFSSL_REPO to the canonical upstream.
* refactor tag calculation without bash associative arrays, for backward compat.
* add support for fetching FIPS tags/branches into a persistent fips repo if one is found at ../fips.
* use --shared in git clones where applicable.
* always check out the master FIPS branch, for its tooling, and always make sure it's up to date with $FIPS_REPO.
* after each fetch for a previously unknown tag, explicitly associate the tag with the FETCH_HEAD.
2024-12-13 21:36:40 -06:00
Daniel Pouzzner
4bdccac584 Merge pull request #8290 from wolfSSL/revert-8277-aarch64_no_crypto
Revert "Aarch64: make code compile when no hardware crypto avail"
2024-12-13 20:43:01 -06:00
JacobBarthelmeh
ad03518aa8 armasm with opensslcoexist build 2024-12-13 17:11:32 -07:00
JacobBarthelmeh
6442689d22 set dk-s7g2 socklent 2024-12-13 17:01:58 -07:00
David Garske
71325a2a32 Revert "Aarch64: make code compile when no hardware crypto avail" 2024-12-13 13:52:53 -08:00
JacobBarthelmeh
f0f50f1837 add option for additional sanity checks 2024-12-13 14:42:51 -07:00
JacobBarthelmeh
d7e40e7413 Merge pull request #8264 from dgarske/various_20241206
Various cleanups and fixes
2024-12-13 13:48:10 -07:00
JacobBarthelmeh
68e85ef33a Merge pull request #8252 from anhu/use_srtp_retcode
wolfSSL_CTX_set_tlsext_use_srtp() should return 1 on failure and 0 up…
2024-12-13 13:35:49 -07:00
JacobBarthelmeh
e76e0e33fd Merge pull request #8283 from rlm2002/enableAlwaysKeepSNI
WOLFSSL_ALWAYS_KEEP_SNI enabled by default with --enable-jni
2024-12-13 13:32:47 -07:00
JacobBarthelmeh
a22176af40 fix for sig fault harden build 2024-12-13 10:34:23 -07:00
Juliusz Sosinowicz
3407f21e69 Use source hostap repo 2024-12-13 17:12:23 +01:00
David Garske
79d9b2d6c3 Merge pull request #8277 from SparkiDev/aarch64_no_crypto
Aarch64: make code compile when no hardware crypto avail
2024-12-12 15:49:57 -08:00
Sean Parkinson
24bb2b7fab Aarch64: make code compile when no hardware crypto avail
Detects availability of instructions for Aarch64.
2024-12-13 09:16:11 +10:00
Ruby Martin
b34a39a6bc WOLFSSL_ALWAYS_KEEP_SNI enabled by default with --enable-jni 2024-12-12 15:49:47 -07:00
Sean Parkinson
2aacc7cd87 MacOS: allow SHA-3 instructions to be explicitly not used
Some iPads and iPhones don't support SHA-3 instructions.
Allow SHA-3 instructions to explicitly not be used for these devices.
2024-12-13 08:25:39 +10:00
Sean Parkinson
65fc8f8d77 Merge pull request #8280 from kareem-wolfssl/zd19046
Add support for the RFC822 Mailbox attribute.
2024-12-13 08:07:46 +10:00
Kareem
d4af181593 Add support for the RFC822 Mailbox attribute. 2024-12-12 12:37:32 -07:00
Andrew Hutchings
8ecbd3479e Fix code comments for some x509.c functions
The return of `wolfSSL_sk_push` was changed, but some of the functions
that use it did not have their return comments updated appropriately.
2024-12-12 16:21:16 +00:00
Daniel Pouzzner
dd3012682a Merge pull request #8278 from JacobBarthelmeh/settings
adjustments on sanity check of build
2024-12-11 17:04:58 -06:00
Daniel Pouzzner
1f1e985d73 Merge pull request #8268 from bandi13/fixMemleak
Fix memory leak
2024-12-11 16:35:38 -06:00
Sean Parkinson
c9c28335ae EdDSA Ed448: sc_muladd now does full reduction
sc_muladd was reducing to word boundary and not to order.
Now reduces to order as last step.
2024-12-12 08:33:35 +10:00
Daniel Pouzzner
d825b08e16 Merge pull request #8275 from SparkiDev/aarch64_poly1305_fix
Aarch64 Poly1305: fix corner case
2024-12-11 16:24:36 -06:00
Daniel Pouzzner
88241f1a2c Merge pull request #8267 from ColtonWilley/pkcs11_cert_support
PKCS11 cert support
2024-12-11 16:04:58 -06:00
Daniel Pouzzner
ee4366acc5 Merge pull request #8162 from redbaron/find-threads
CMAKE: look for pthreads when importing wolfSSL if required
2024-12-11 14:36:04 -06:00
Colton Willey
2039d6371f Remove redundant NULL check 2024-12-11 12:25:35 -08:00
Daniel Pouzzner
2ea2e6bf59 Merge pull request #8233 from ColtonWilley/x509_store_add_cert_ref_count
Use proper ref count handling when adding to x509 store
2024-12-11 11:54:29 -06:00
JacobBarthelmeh
2749884fdc defining custom config avoids warning of library builds pulling in options.h 2024-12-11 09:50:52 -07:00
JacobBarthelmeh
45992164d6 make new sanity check be a warning 2024-12-11 09:46:39 -07:00
Sean Parkinson
c0f3b433b2 Aarch64 Poly1305: fix corner case
Don't mask top 26 bits as it may have next bit set as reduction step was
only approximate.
2024-12-11 12:49:21 +10:00
Anthony Hu
762c36687f Add a test. 2024-12-10 21:21:41 -05:00
Sean Parkinson
7ef328548d Merge pull request #8274 from douzzer/20241210-update-wolfssl_known_macro_extras
20241210-update-wolfssl_known_macro_extras
2024-12-11 10:45:11 +10:00
JacobBarthelmeh
59ea24f915 Merge pull request #8225 from gojimmypi/pr-espressif-improve-sha-msg
Improve Espressif SHA HW/SW mutex messages
2024-12-10 17:30:03 -07:00
Daniel Pouzzner
6a05ba7cce .wolfssl_known_macro_extras: regenerate 2024-12-10 17:20:24 -06:00
JacobBarthelmeh
1208a7499b Merge pull request #8272 from douzzer/20241210-fixes
20241210-fixes
2024-12-10 13:35:09 -07:00
Daniel Pouzzner
d257a59087 add support for WOLFSSL_NO_OPTIONS_H:
* activate WOLFSSL_NO_OPTIONS_H in linuxkm/Kbuild for in-module test.o and benchmark.o.
* refine explanatory comments in settings.h re WOLFSSL_USE_OPTIONS_H, WOLFSSL_NO_OPTIONS_H, and WOLFSSL_CUSTOM_CONFIG.
* add safety catch to options.h/options.h.in to inhibit inclusion if defined(WOLFSSL_NO_OPTIONS_H).
* for good measure, add explicit check for WOLFSSL_NO_OPTIONS_H to wolfcrypt/benchmark/benchmark.c and wolfcrypt/test/test.c.
2024-12-10 13:02:37 -06:00
Colton Willey
00386c76bf No redundant NULL check on free 2024-12-10 09:43:03 -08:00
JacobBarthelmeh
e443366748 Merge pull request #8270 from julek-wolfssl/actions-ubuntu-22.04
Revert to ubuntu-22.04
2024-12-10 09:14:00 -07:00
Juliusz Sosinowicz
1d2acd9de6 Revert to ubuntu-22.04 2024-12-10 16:27:41 +01:00
JacobBarthelmeh
0772cf692d Merge pull request #8262 from embhorn/zd18968
Add sanity check for configuration method
2024-12-09 21:22:54 -07:00
Colton Willey
0c20a20acc Use char instead of sword8, sanity length check on CKA_VALUE 2024-12-09 16:09:04 -08:00
Daniel Pouzzner
ba59f1af19 wolfssl/wolfcrypt/settings.h: use #warning, not #error, for "No configuration for wolfSSL detected, check header order", to avoid unnecessary breakage of old projects with nonstandard custom settings. 2024-12-09 17:04:38 -06:00
gojimmypi
7bc026540b Improve Espressif SHA HW/SW mutex messages 2024-12-09 14:51:18 -08:00
Colton Willey
0cda59e00e Add support for cert format in get cert crypto callback 2024-12-09 14:32:02 -08:00
David Garske
c4e319b092 Cleanup the gating for WOLFSSL_NO_AES_CFB_1_8. 2024-12-09 13:51:51 -08:00
Andras Fekete
ff66998575 Fix memory leak 2024-12-09 16:24:38 -05:00
Colton Willey
c83c9e68c9 Updates per review comments 2024-12-09 13:10:32 -08:00
Daniel Pouzzner
e248d8499a move !defined(EXTERNAL_OPTS_OPENVPN) assert from src/internal.c to wolfssl/wolfcrypt/types.h with refinements; refine logic+message of assert in wolfssl/wolfcrypt/settings.h re "wolfssl/options.h included in compiled wolfssl library object..". 2024-12-09 15:02:41 -06:00
Colton Willey
324b87614e Initial implementation for using PKCS11 to retrieve certificate for SSL CTX 2024-12-09 12:15:41 -08:00
Eric Blankenhorn
fcce09a4d3 Fix from review 2024-12-09 12:59:37 -06:00
Eric Blankenhorn
c77bea6691 Disable hitch OSP test 2024-12-09 12:45:54 -06:00
Eric Blankenhorn
3d0cc250b9 Add sanity check for configuration method 2024-12-09 12:03:25 -06:00
JacobBarthelmeh
67fb29a6f6 Merge pull request #8255 from julek-wolfssl/nss-interop
Add nss interop
2024-12-09 09:52:07 -07:00
David Garske
314f7575fa Fixes for macro names. 2024-12-09 08:30:47 -08:00
Juliusz Sosinowicz
aa662ad50a fix redirect order 2024-12-09 13:38:07 +01:00
Juliusz Sosinowicz
a3be826895 use unique key 2024-12-09 13:38:07 +01:00
Juliusz Sosinowicz
3275ebf54b add shebang 2024-12-09 13:37:20 +01:00
Juliusz Sosinowicz
0961be7711 Add CID interop with mbedtls 2024-12-09 13:37:18 +01:00
Juliusz Sosinowicz
ba4d1e6815 Add nss interop 2024-12-09 12:42:32 +01:00
Juliusz Sosinowicz
0e8320347c CID also supported in DTLS 1.2 2024-12-09 12:09:54 +01:00
David Garske
017f931f8b Various cleanups and fixes:
* Fix to properly set configure.ac LMS/XMSS enables and build of those code files.
* Remove duplicate aes.c `wc_AesSetKeyLocal` call to `wc_AesSetIV`. Moved earlier in function in commit a10260ca5f.
* Benchmark missing time.h with NO_ASN_TIME.
* Added option to support disabling AES CFB 1/8 `WOLFSSL_NO_AES_CFB_1_8`.
* Fixes for building with combinations of `WOLFSSL_RSA_VERIFY_ONLY` and `WOLFSSL_RSA_PUBLIC_ONLY`.
* Fix for building `--enable-stacksize=verbose` with single threaded.
* Various tab and formatting cleanups.
ZD 18996
2024-12-06 16:45:33 -08:00
JacobBarthelmeh
f764dbeee1 Merge pull request #8254 from douzzer/20241204-WOLF_AGG_DUMMY_MEMBER
20241204-WOLF_AGG_DUMMY_MEMBER
2024-12-06 14:07:32 -07:00
Daniel Pouzzner
0ad072a34b src/internal.c: in HashSkeData(), remove unneeded logically faulty nullness check around XFREE(ssl->buffers.digest.buffer, ...). 2024-12-06 13:01:40 -06:00
Daniel Pouzzner
0381a47d7e peer review: refactor HAVE_ANONYMOUS_INLINE_AGGREGATES and HAVE_EMPTY_AGGREGATES to conform to wolfssl convention -- defined() for true, !defined() for false -- while retaining ability for user override-off by passing in explicit 0 definition. 2024-12-06 13:01:40 -06:00
Daniel Pouzzner
447d5ea6ee fips-check.sh: add support for WOLFSSL_REPO and noautogen option; tweak git fetching to keep wolfssl and fips tags distinct, and fetch all needed tags by name to assure availability for checkout. also, hide stdout noise from pushd/popd. 2024-12-06 13:01:40 -06:00
Daniel Pouzzner
aec0345f90 update fips-check.sh for cert #4718: remap linuxv5 as an alias for linuxv5.2.1, and add linuxv5-RC12. 2024-12-06 13:01:40 -06:00
Daniel Pouzzner
27e0df040f src/ssl_crypto.c: revert FIPS gate threshold in wolfSSL_AES_decrypt() changed in d85c108952 -- original value was correct, misdiagnosed by faulty test. 2024-12-06 13:01:40 -06:00
Daniel Pouzzner
3dcc12b30a wolfssl/wolfcrypt/types.h and wolfssl/wolfcrypt/hash.h: define WOLF_AGG_DUMMY_MEMBER, pivoting on HAVE_EMPTY_AGGREGATES, and use WOLF_AGG_DUMMY_MEMBER in wc_Hashes. 2024-12-06 13:01:40 -06:00
Daniel Pouzzner
37acac2eb3 configure.ac: fix SC1105 ("Shells disambiguate (( differently or not at all."). 2024-12-06 13:01:40 -06:00
Daniel Pouzzner
66c874bded configure.ac: add --enable-fips=cert4718 alias for v5, and make --enable-fips=v5 set FIPS to 5.2.1; set DEF_FAST_MATH and DEF_SP_MATH to "no" when "yes" would conflict with user-supplied arguments. 2024-12-06 13:01:40 -06:00
JacobBarthelmeh
86b24ef6fa Merge pull request #8261 from julek-wolfssl/libspdm-action
Add libspdm action
2024-12-06 11:44:14 -07:00
Juliusz Sosinowicz
6cede13478 Add libspdm action
Depends on https://github.com/wolfSSL/osp/pull/217
2024-12-06 17:12:06 +01:00
David Garske
0ed187e16d Merge pull request #8256 from LinuxJedi/ADA-7461
Fix broken verify on Ada wrapper
2024-12-06 07:59:01 -08:00
Andrew Hutchings
158d62591f Fix broken verify on Ada wrapper
The Ada wrapper had an `&` operator for the verification mode. This
effectively caused the verification mode to equal `0`.

The operator has been switched to `or` now, in addition, a getter has
been added to the API. This allows for the test I've added to the server
code to verify that it is being set correctly.

`OPENSSL_ALL` flag added to Ada so that the verify mode getter function
is compiled in.

Fixes #7461

Thanks to @dalybrown for reporting it.
2024-12-06 12:44:15 +00:00
gojimmypi
06c0c09940 Espressif Managed Component wolfSSL 5.7.4 post-release update 2024-12-05 21:46:33 -08:00
JacobBarthelmeh
20643577e6 Merge pull request #8258 from dgarske/get_verify
Expose compatibility get_verify functions with openssl_extra
2024-12-05 17:08:59 -07:00
David Garske
56ed6762d8 Expose compatibility get_verify functions with openssl_extra. 2024-12-05 12:10:51 -08:00
JacobBarthelmeh
1bfbdb6c7f Merge pull request #8257 from dgarske/settings_h
Fix issue with wc_lms_impl.c or wc_lms not including settings.h
2024-12-05 11:43:43 -07:00
David Garske
1e9607b65e Fixes for ML-DSA and LMS cast warnings and spelling errors. 2024-12-05 08:34:58 -08:00
JacobBarthelmeh
aa32027c26 Merge pull request #8236 from philljj/zephyr_thread_type
wc_port: change zephyr struct k_thread tid member to pointer.
2024-12-05 09:29:30 -07:00
David Garske
19b486e1f7 Fix issue with wc_lms_impl.c or wc_lms not including settings.h. Caused issue enabling LMS from user_settings.h. 2024-12-05 08:15:11 -08:00
Anthony Hu
ab384ee945 wolfSSL_CTX_set_tlsext_use_srtp() should return 1 on failure and 0 upon success.
Same with wolfSSL_set_tlsext_use_srtp().

See https://docs.openssl.org/1.1.1/man3/SSL_CTX_set_tlsext_use_srtp/
2024-12-05 10:40:40 -05:00
David Garske
bbf1a86c45 Merge pull request #8238 from anhu/dsa_win
build dsa in visual studio
2024-12-04 16:00:35 -08:00
JacobBarthelmeh
bdbaa525c8 Merge pull request #8248 from lealem47/comp_key_fips
Fix for Compressed Keys with FIPS
2024-12-04 13:51:06 -07:00
Colton Willey
c192cbabe8 Free x509 on fail to push 2024-12-04 10:33:58 -08:00
Daniel Pouzzner
35e50742db Merge pull request #8249 from julek-wolfssl/sessionIDSz-fix
Add size checks to sessionID
2024-12-04 10:06:25 -06:00
Juliusz Sosinowicz
8ff79dc26e Add size checks to sessionID 2024-12-04 11:56:16 +01:00
Lealem Amedie
3476425967 Fix for Compressed Keys with FIPS 2024-12-03 14:56:30 -07:00
David Garske
f7a55c6e76 Merge pull request #8247 from bandi13/fixEspressifTests
Fix test environment
2024-12-03 13:09:42 -08:00
Andras Fekete
03ece60fe3 Fix test environment 2024-12-03 15:13:53 -05:00
David Garske
fa6df90518 Merge pull request #8246 from douzzer/20241203-wolfSSL_CTX_flush_sessions-sessionIDSz
20241203-wolfSSL_CTX_flush_sessions-sessionIDSz
2024-12-03 11:26:15 -08:00
Colton Willey
c5acceca5d Dont use specific free function 2024-12-03 09:55:43 -08:00
Colton Willey
20e8ecec75 Merge branch 'master' of github.com:ColtonWilley/wolfssl into x509_store_add_cert_ref_count 2024-12-03 09:52:34 -08:00
Daniel Pouzzner
547cdeac11 src/ssl_sess.c: in wolfSSL_CTX_flush_sessions(), add missing check of s->sessionIDSz, similar to the fix to TlsSessionCacheGetAndLock() in #8182 (ef67b1c06a). also, add missing macro to .wolfssl_known_macro_extras. 2024-12-03 11:38:58 -06:00
Colton Willey
5684e56e0e Always keep original x509 pointer with proper refcounts even for self signed trusted CA 2024-12-02 12:15:33 -08:00
JacobBarthelmeh
42afede3fc Merge pull request #8235 from dgarske/fix_sp_rsa_publiconly
Fixes for building with SP RSA small and RSA Public only
2024-12-02 10:39:08 -07:00
JacobBarthelmeh
015d47b9cd Merge pull request #8231 from LinuxJedi/STM32MP13
Add STM32MP13 HAL support for more SHA types
2024-12-02 10:18:38 -07:00
David Garske
ade917a977 Merge pull request #8241 from LinuxJedi/STM32MP13-Cube
Add STM32MP13 to Cube IDE
2024-11-29 08:37:02 -08:00
Andrew Hutchings
fbdb34a6e0 Add STM32MP13 to Cube IDE 2024-11-29 11:35:38 +00:00
Anthony Hu
3737c68797 build dsa in visual studio 2024-11-28 13:11:14 -05:00
David Garske
cf450a3f37 Fix STM32 example broken in #8143. 2024-11-27 14:06:20 -08:00
jordan
a18f71c27b wc_port: change zephyr struct k_thread tid member to pointer. 2024-11-27 16:05:48 -06:00
David Garske
9bec6da2ff Merge pull request #8213 from JacobBarthelmeh/compat
adjustments to x509.h macro list
2024-11-27 13:35:14 -08:00
David Garske
57e1bf9fba Fixes for building with SP RSA small and RSA Public only. ZD 18996 2024-11-27 13:26:45 -08:00
Colton Willey
c5df3cb6b6 Use proper ref count handling when adding to x509 store 2024-11-27 10:38:32 -08:00
JacobBarthelmeh
fbaabbe2e9 Merge pull request #8230 from douzzer/20241126-FIPS-OPENSSL_COEXIST
20241126-FIPS-OPENSSL_COEXIST
2024-11-27 11:33:06 -07:00
Andrew Hutchings
f15dbb9110 Add STM32MP13 HAL support for more SHA types
This adds STM32 HAL support for:

* SHA384
* SHA512 (with -224 and -256)
* SHA3 (all variants apart from SHAKE)

The partial FIFO block calculations have been adjusted based in the
STM32 code to support the larger hash sizes.

This should work with other chips such as the STM32U5xx, but is not
enabled for that yet.
2024-11-27 15:04:45 +00:00
Juliusz Sosinowicz
e9a4f7de5f Merge pull request #8226 from ColtonWilley/x509_store_fix_get_objects
Fix wolfSSL_X509_STORE_get0_objects to handle no CA
2024-11-27 10:29:06 +01:00
Daniel Pouzzner
b65d3fff56 fixes for OPENSSL_COEXIST with FIPS and with/without TEST_OPENSSL_COEXIST. 2024-11-26 19:38:32 -06:00
JacobBarthelmeh
5e13fc2c84 Merge pull request #7410 from SparkiDev/sp_arm_big_endian
SP: big-endian support
2024-11-26 17:05:53 -07:00
JacobBarthelmeh
d620e937f0 Merge pull request #8229 from bigbrett/pqc-macro-protection-quickfix
PQC macro protection quickfixes
2024-11-26 17:02:17 -07:00
András Fekete
e7d801e8d0 Merge pull request #8228 from douzzer/20241126-WC_NO_COMPAT_AES_BLOCK_SIZE
20241126-WC_NO_COMPAT_AES_BLOCK_SIZE
2024-11-26 15:48:41 -05:00
JacobBarthelmeh
70d595478c Merge pull request #8227 from douzzer/20241125-linuxkm-aarch64-pie
20241125-linuxkm-aarch64-pie
2024-11-26 13:31:01 -07:00
Brett Nicholas
1283325f65 wolfhsm-mldsa-fixes 2024-11-26 12:26:01 -08:00
Daniel Pouzzner
c6df620f81 wolfssl/wolfcrypt/aes.h: #define WC_NO_COMPAT_AES_BLOCK_SIZE in OPENSSL_COEXIST builds. see comment in source code with usage instructions. 2024-11-26 13:09:39 -06:00
David Garske
29dc0f5d0b Merge pull request #8223 from LinuxJedi/STM32MP1
Initial support for STM32MP13 HAL
2024-11-26 09:34:04 -08:00
Andrew Hutchings
5d0ee8c9f3 Initial support for STM32MP13 HAL
This adds support for the STM32MP13 HAL, tested on the STM32MP135F MPU.

Using the HAL this modifies our previous RNG, AES-CBC, AES-GCM, HASH,
ECDSA and DES3 ST HAL acceleration to work with the MPU. It also works
around bugs found in the AES-GCM code of the HAL.

The HAL does not appear to have support for MD5 HASH at the moment, so
this has been given a flag to disable it on this MPU.
2024-11-26 14:15:57 +00:00
Daniel Pouzzner
7dcec3e62f linuxkm: work around aarch64 dependency on alt_cb_patch_nops for enable-linuxkm-pie (FIPS support). 2024-11-26 00:12:29 -06:00
JacobBarthelmeh
ea8c7c8322 Merge pull request #8214 from bandi13/fixDockerWarnings
Use proper capitalization
2024-11-25 16:43:24 -07:00
JacobBarthelmeh
02432990dc Merge pull request #8210 from night1rider/devcrypto-authtag-error
/dev/crypto auth error fix/adjustment for benchmark
2024-11-25 16:42:58 -07:00
Colton Willey
5460ba815b Fix wolfSSL_X509_STORE_get0_objects to handle case where no CA has been loaded 2024-11-25 14:51:29 -08:00
David Garske
71abfa3b15 Merge pull request #8216 from douzzer/20241122-opensslcoexist-expansion
20241122-opensslcoexist-expansion
2024-11-25 14:22:03 -08:00
night1rider
02e6ec0c86 devcrypto auth error fix/adjustment 2024-11-25 14:43:12 -07:00
Daniel Pouzzner
fc7ba562d7 Merge pull request #8215 from kaleb-himes/SRTP-KDF-SCRIPT
Add SRTP-KDF (v6.0.0) to checkout scipt
2024-11-25 13:07:05 -06:00
kaleb-himes
8fbff480d7 Pickup asm changes since 5.7.4 release 2024-11-25 10:58:04 -07:00
David Garske
40154e18ab Merge pull request #8219 from gojimmypi/pr-arduino-5.7.4
Update Arduino files for wolfssl 5.7.4
2024-11-25 09:37:21 -08:00
gojimmypi
560d89ed44 Update Arduino files for wolfssl 5.7.4 2024-11-23 13:26:46 -08:00
Daniel Pouzzner
bfeb0ad48e expand opensslcoexist to all low level crypto APIs. 2024-11-22 19:27:56 -06:00
kaleb-himes
6791d3f759 Add SRTP-KDF (v6.0.0) to checkout scipt 2024-11-22 14:01:24 -07:00
Andras Fekete
93f865f2d4 Use proper capitalization 2024-11-22 15:39:57 -05:00
JacobBarthelmeh
033a2a08e9 Merge pull request #8212 from bandi13/fixTestFailure
Fix Renesas test
2024-11-22 10:42:21 -07:00
JacobBarthelmeh
2b11bd40b3 adjustments to x509.h macro list 2024-11-22 10:40:14 -07:00
JacobBarthelmeh
6dd00abb74 Merge pull request #7771 from aidangarske/InitSuites_Orderadj
`InitSuites` changes to order making `BUILD_TLS_AES_256_GCM_SHA384` be prioritized over `BUILD_TLS_AES_128_GCM_SHA256`
2024-11-22 10:15:32 -07:00
JacobBarthelmeh
c5d7dc3df6 Merge pull request #8211 from douzzer/20241121-fixes
20241121-fixes
2024-11-22 09:49:59 -07:00
David Garske
401a64d112 Improve stdarg.h around uses of var_arg. Cleanup warning for XFREE/XMALLOC redef. 2024-11-22 08:11:32 -08:00
Andras Fekete
942c3a07ee Fix Renesas test
In PR #8182 this line was accidentally wrapped in `#ifdef OPENSSL_EXTRA`
2024-11-22 09:57:55 -05:00
Daniel Pouzzner
d85c108952 wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c: add WC_FAILURE ("wolfCrypt generic failure") with value -1, for traceable error return of -1 in wolfCrypt.
configure.ac: add OPENSSL_EXTRA to --enable-wolfsentry.

linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c, wolfssl/ssl.h: accommodate backward dependencies for wolfSSL_X509_NAME_add_entry_by_NID, wolfSSL_X509_NAME_free, and wolfSSL_X509_NAME_new_ex.

linuxkm/lkcapi_glue.c: if CONFIG_CRYPTO_MANAGER, assert match of CONFIG_CRYPTO_FIPS and HAVE_FIPS.

src/ssl_crypto.c, wolfcrypt/src/wc_lms.c, wolfcrypt/src/wc_lms_impl.c, wolfcrypt/src/wc_xmss.c, wolfcrypt/test/test.c: add missing casts for XMALLOC()s.

src/ssl_crypto.c: in wolfSSL_AES_decrypt(), fix gate for wc_AesDecryptDirect() return type.

wolfcrypt/test/test.c: smallstack refactor in test_dilithium_decode_level().

tests/api.c: fix uninited vars and "embedding a directive within macro arguments is not portable" in test_wc_dilithium_der().
2024-11-21 21:59:26 -06:00
Daniel Pouzzner
92f587c84f Merge pull request #8209 from gasbytes/patch-wc-no-err-trace
Adding missing checks missing initialization of sp_int/mp_int
2024-11-21 18:34:11 -06:00
JacobBarthelmeh
03bafdfa36 Merge pull request #8208 from dgarske/engine_compat
Fixes from compatibility header decoupling (make install)
2024-11-21 16:40:15 -07:00
Reda Chouk
378519d7fb Adding missing checks missing initialization of sp_int/mp_int initialization (
in case of MEMORY_E).

removed printf (added for previous debugging)
2024-11-21 23:55:34 +01:00
David Garske
3444d5c526 Fixes from compatibility header decoupling PR #8182. Fixes issue with wolfEngine and wolfProvider. Change behavior for openssl compatibility headers to be installed unless --enable-opensslextra=noinstall is used. Removed dependency on X509 small with SESSION_CERTS, KEEP_PEER_CERTS and KEEP_OUR_CERT. 2024-11-21 12:09:57 -08:00
David Garske
39d4832b0b Merge pull request #8207 from bigbrett/dilithium-nightly-fixes
dilithium fixes for FIPS 204 draft mode
2024-11-21 11:41:52 -08:00
Brett Nicholas
cceeb776f7 gate dilithium OID autodetection on FIPS 204 draft mode 2024-11-21 09:38:11 -08:00
Brett Nicholas
30f372ce16 add autogenerated error trace headers to gitignore 2024-11-21 09:38:11 -08:00
Brett Nicholas
e31b15875b fix buffer overflow due to uninitialized idx variable 2024-11-21 09:38:11 -08:00
JacobBarthelmeh
04932dd97d Merge pull request #8206 from dgarske/rx_tsip
Fixes for RSA TSIP RSA Sign/Verify
2024-11-21 09:30:48 -07:00
Daniel Pouzzner
2710b57df8 Merge pull request #8204 from JacobBarthelmeh/socket
change optval type to match system
2024-11-21 09:57:10 -06:00
JacobBarthelmeh
c06f65a8ac Merge pull request #8182 from dgarske/no_compat_headers
Support for building without wolfssl/openssl header files
2024-11-20 21:33:18 -07:00
David Garske
6be70f9230 Fix for size increase on X509 small. Fix for CRL test with NO_RSA. 2024-11-20 15:54:02 -08:00
David Garske
96a0619d70 Enable compat layer with HAVE_WEBSERVER (--enable-webserver). 2024-11-20 14:24:11 -08:00
David Garske
c5e43280b9 Fix for RX TSIP AES GCM 128 unit test resultP/C sizes causing failure. 2024-11-20 13:48:05 -08:00
David Garske
7bf0533c48 Fix for building with HAVE_SECRET_CALLBACK only. 2024-11-20 13:33:10 -08:00
David Garske
d109f38cbd Fixes for RSA TSIP RSA Sign/Verify. Tested on RX72N EnvisionKit. Added THREADX threading support.
```
Start wolf tsip crypt Test

 simple crypt test by using TSIP
 sha_test() passed
 sha256_test() passed
 tsip_aes_cbc_test()  passed
 tsip_aes256_test()  passed
 tsip_rsa_test(2048) passed
 tsip_rsa_SignVerify_test(2048) passed

End wolf tsip crypt Test
```
2024-11-20 13:08:26 -08:00
JacobBarthelmeh
be70bea687 Merge pull request #8202 from LinuxJedi/fix-cryptodev-debug
Fix cryptodev debug output
2024-11-20 14:00:05 -07:00
David Garske
ef67b1c06a Support for building without wolfssl/openssl header files. ZD 18465
* Fix for `TlsSessionCacheGetAndLock` that was not checking the sessionIDSz, so could return a pointer to an invalid session (if 0's). Resolves issue with `test_wolfSSL_CTX_sess_set_remove_cb` test.
* Fix cast warning with `HAVE_EX_DATA` in Windows VS.
* Fix openssl_extra without PKCS12.
* Refactor the EX data crypto and session API's to gate on `HAVE_EX_DATA_CRYPTO`.
* Grouped the EX data API's in ssl.h
* Moved API's in ssl.h to separate the compatibility ones from ours.
2024-11-20 12:32:32 -08:00
JacobBarthelmeh
b3e8fa7922 change optval type to match system 2024-11-20 09:34:11 -07:00
Andrew Hutchings
f5e6e17c7c Fix cryptodev debug output
Cryptodev has two sections for the session info struct, cipher and hash.
Our debug mode was using hash for the output even if we were using
cipher, so would output random data. Simple 'if' statement to do the
correct thing.
2024-11-20 06:41:58 +00:00
JacobBarthelmeh
42825e82d2 Merge pull request #8200 from anhu/crl-orig
Fix for github issue 8198
2024-11-19 09:35:59 -07:00
kaleb-himes
fc1390d0aa fix overlong line warning in Jenkins 2024-11-19 09:56:19 -06:00
David Garske
18f52b2573 Merge pull request #8177 from bigbrett/dilithium-get-algo-from-der
ML-DSA/Dilithium: obtain security level from DER when decoding
2024-11-19 07:32:39 -08:00
David Garske
261ddc13ad Merge pull request #8006 from ColtonWilley/crl_update_cb
CRL improvements and update callback
2024-11-18 20:11:37 -08:00
Brett Nicholas
26d3b00a9c added DER size macros to libOQS build 2024-11-18 17:53:12 -07:00
Brett Nicholas
48dcbe9caf fix typo in comment 2024-11-18 16:50:35 -07:00
Brett Nicholas
9815fcd3ea make inOutKeyType parameter mandatory for DecodeAsymKey_Assign 2024-11-18 16:46:10 -07:00
Brett Nicholas
d50fb63071 add macros for dilithium DER export buffer sizes 2024-11-18 16:14:26 -07:00
Brett Nicholas
63deea57e0 properly protect test.c calls to dilithium public/private API 2024-11-18 15:47:00 -07:00
Anthony Hu
237bb24f87 Fix for github issue 8198 2024-11-18 17:33:13 -05:00
aidan garske
43cea3e964 fix xmemset 2024-11-18 14:27:33 -08:00
aidan garske
6625d90f7f reverted xmemset changes already done 2024-11-18 14:20:14 -08:00
aidan garske
337a34246e xmemset fix for init suites changes 2024-11-18 13:54:38 -08:00
Colton Willey
d65c17b7ad Update variable name from new to avoid g++ name clash 2024-11-18 11:16:39 -08:00
kaleb-himes
9851e5d801 Restore header license 2024-11-18 12:10:02 -06:00
aidan garske
b79423fae9 Merge remote-tracking branch 'origin/master' into InitSuites_Orderadj 2024-11-18 10:07:10 -08:00
Colton Willey
55be5035a0 Merge branch 'master' of github.com:ColtonWilley/wolfssl into crl_update_cb 2024-11-18 09:52:51 -08:00
David Garske
c111bb87c9 Merge pull request #8196 from SparkiDev/pqc_kem_priv_key_fix
KeyShareEntry: include private key fields for KYBER
2024-11-18 09:46:08 -08:00
David Garske
5dabeb590c Merge pull request #8192 from bandi13/fixSocat
Simple fix for 1.8.0.0 socat regressions
2024-11-18 07:26:15 -08:00
gojimmypi
5d86031f57 Initialize vars & change types to appease Windows/VS 2024-11-17 17:50:17 -08:00
Sean Parkinson
10e8f6887e SP ARM: big-endian support
Handle reading and writing from big-endian byte array when compiling for
big endian.
Rework little endian to be more effiecient too.
2024-11-18 10:29:04 +10:00
Sean Parkinson
5d61ca94c0 KeyShareEntry: include private key fields for KYBER
Originallt HAVE_PQC and then changed to HAVE_FALCON and HAVE_DILITHIUM.
The KEM PQC algorithm is actually KYBER.
2024-11-18 08:29:16 +10:00
David Garske
5afa0566b4 Merge pull request #8195 from douzzer/20241116-fixes
20241116-fixes
2024-11-17 09:12:38 -08:00
Daniel Pouzzner
18cc3e0c92 add .wolfssl_known_macro_extras;
src/wolfio.c: #include <errno.h> if necessary;

wolfcrypt/src/asn.c: gate WOLFSSL_MSG_EX() uses on defined(DEBUG_WOLFSSL), for pedantic C89 compatibility (no variadic macros);

wolfssl/wolfcrypt/wc_port.h: refine setup for XFENCE().
2024-11-16 18:23:11 -06:00
Daniel Pouzzner
ae0d73d9fd Merge pull request #8122 from miyazakh/tsip_rsa_private_enc
Implement TSIP RSA Public Enc/Private Dec
2024-11-16 16:12:51 -06:00
Daniel Pouzzner
ff680994ba Merge pull request #8146 from julek-wolfssl/dtls13-ooo-app-data
DTLS 1.3: Don't error out on app data before finishing handshake
2024-11-16 14:56:21 -06:00
Daniel Pouzzner
49393eca3c Merge pull request #8060 from miyazakh/qt_jenkins_failure
Not add a cert to CA cache if it doesn't set "CA:TRUE" as basic constraints
2024-11-16 13:38:41 -06:00
Daniel Pouzzner
40148d3c0e Merge pull request #8170 from kaleb-himes/OE8-sync
OS_Seed declarations with legacy compilers using correct header tags
2024-11-16 12:03:11 -06:00
Daniel Pouzzner
18a72fb38c Merge pull request #7896 from kareem-wolfssl/wolfIoLogging
Log error code in TranslateIoReturnCode.
2024-11-16 11:12:02 -06:00
David Garske
649b78f460 Merge pull request #8193 from douzzer/20241115-macro-fixes
20241115-macro-fixes
2024-11-15 15:58:57 -08:00
David Garske
ada922be00 Merge pull request #8166 from philljj/fix_holder_entityname
acert: fix holder entityName parsing.
2024-11-15 14:49:00 -08:00
Andras Fekete
962b101db9 Add flaky tests to the exclusion list 2024-11-15 16:34:51 -05:00
Daniel Pouzzner
ebfde75d91 fixes for misspelled/malformed macro names, and add missing BUILD_AESCCM setup in wolfssl/internal.h 2024-11-15 15:33:51 -06:00
jordan
c71fdc3ca2 acert: review cleanup. 2024-11-15 13:48:17 -06:00
David Garske
c33d97b1ab Merge pull request #8187 from douzzer/20241114-wolfSSL_CTX_UnloadIntermediateCerts-thread-safety
20241114-wolfSSL_CTX_UnloadIntermediateCerts-thread-safety
2024-11-15 11:35:45 -08:00
Brett Nicholas
07e2715f0c update test in api.c to handle new dilithium security level DER parsing 2024-11-15 11:59:17 -07:00
Daniel Pouzzner
a95b759ffa peer review for #8187 and unrelated bug fixes:
return error code from wolfSSL_RefWithMutexUnlock() to expose result to caller;

fix endianness bug in src/x509.c:wolfSSL_X509_add_ext() (fixes failing test_wolfSSL_X509_add_ext on BE targets);

fix possible file handle leak in tests/api.c:test_wolfSSL_d2i_X509_REQ() (reported by clang-tidy);

in wolfssl/ssl.h, define CONST_NUM_ERR_WOLFSSL_SUCCESS, so that WOLFSSL_SUCCESS can be benignly miswrapped in WC_NO_ERR_TRACE().
2024-11-15 12:52:50 -06:00
Daniel Pouzzner
595f55eceb add struct wolfSSL_RefWithMutex, wolfSSL_RefWithMutexLock, and wolfSSL_RefWithMutexUnlock, and change WOLFSSL_CTX.ref from wolfSSL_Ref to wolfSSL_RefWithMutex.
in in wc_port.c, rename mutexful implementations of wolfSSL_Ref*() to wolfSSL_RefWithMutex*(), and build them even if defined(WOLFSSL_ATOMIC_OPS).

refactor wolfSSL_CTX_UnloadIntermediateCerts() to wrap the refcount check and deallocation with wolfSSL_RefWithMutexLock()...wolfSSL_RefWithMutexUnlock().

move port-specific setup for WARN_UNUSED_RESULT, WC_MAYBE_UNUSED, and WC_INLINE, from types.h to wc_port.h, to make them usable by port-specific definitions later in wc_port.h.

when defined(SINGLE_THREADED) and !defined(WOLFSSL_NO_ATOMICS), typedef int wolfSSL_Atomic_Int, so that access to wolfSSL_Atomic_Ints in SINGLE_THREADED builds is easy.

refactor fallback definitions of wolfSSL_Atomic_Int_FetchAdd and wolfSSL_Atomic_Int_FetchSub as WC_INLINE functions to avoid -Wunused-result.
2024-11-15 12:35:41 -06:00
Andras Fekete
3268df33f2 Simple fix for 1.8.0.0 socat regressions
Future versions probably won't need this.
2024-11-15 13:12:48 -05:00
Kareem
bb82be3911 Log error code in TranslateIoReturnCode. 2024-11-15 11:00:25 -07:00
David Garske
e1116e8e6b Merge pull request #8161 from ColtonWilley/update_ssl_doxy
Update doxygen to use proper types in sample code
2024-11-15 09:43:38 -08:00
David Garske
3674980387 Merge pull request #8173 from kojo1/man
add API doc: wc_ecc_set_curve
2024-11-15 09:42:12 -08:00
jordan
622fc70d1e acert: fix holder entityName parsing, light cleanup, better testing. 2024-11-15 11:38:19 -06:00
Brett Nicholas
2207791aab removed DecodeAsymKeyXXX_Assign_ex function, functionality now included in original _Assign function 2024-11-15 10:25:10 -07:00
David Garske
55d2012139 Merge pull request #8189 from gojimmypi/pr-espressif-setup
remove trailing exit code
2024-11-15 08:37:20 -08:00
David Garske
5f06a7f732 Merge pull request #8188 from douzzer/20241114-wc_mp_sign_t
20241114-wc_mp_sign_t
2024-11-15 08:36:42 -08:00
David Garske
3b8373226a Merge pull request #8191 from bandi13/fixTest
Fix missing cast
2024-11-15 08:35:55 -08:00
Andras Fekete
d99a1c6a13 Fix another compilation issue
In file included from ./wolfssl/error-ssl.h:27,
                 from ./wolfssl/ssl.h:35,
                 from ./wolfssl/internal.h:28,
                 from src/ssl.c:36:
./src/x509_str.c: In function 'int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE*, byte*, word32, int)':
./wolfssl/wolfcrypt/error-crypt.h:336:37: error: 'CONST_NUM_ERR_WOLFSSL_SUCCESS' was not declared in this scope; did you mean 'CONST_NUM_ERR_WOLFSSL_UNKNOWN'?
  336 |     #define WC_NO_ERR_TRACE(label) (CONST_NUM_ERR_ ## label)
      |                                     ^~~~~~~~~~~~~~
./src/x509_str.c:1456:15: note: in expansion of macro 'WC_NO_ERR_TRACE'
 1456 |     int ret = WC_NO_ERR_TRACE(WOLFSSL_SUCCESS);
      |               ^~~~~~~~~~~~~~~
2024-11-15 10:12:13 -05:00
Andras Fekete
ca8b465dbf Fix missing cast
Introduced in PR#8176.
2024-11-15 09:17:41 -05:00
gojimmypi
4cce3db0d5 remove trailing exit code 2024-11-15 06:05:04 +01:00
David Garske
e22d17c09f Merge pull request #8185 from SparkiDev/kyber_fixes_4
Kyber: Fix wolfSSL_get_curve_name()
2024-11-14 17:57:24 -08:00
David Garske
fcfd3be160 Merge pull request #8186 from SparkiDev/tfm_mask_cast
TFM: explicit cast of -1 to fp_digit
2024-11-14 17:57:00 -08:00
David Garske
c06b5fadc1 Merge pull request #8180 from JacobBarthelmeh/staticmemory
wc_UnloadStaticMemory should be used to free mutex
2024-11-14 17:54:56 -08:00
David Garske
21bfcaf666 Merge pull request #8136 from anhu/csr_version
Fix for setting wrong version in CSRs.
2024-11-14 17:52:58 -08:00
David Garske
54bdb39454 Merge pull request #8176 from SparkiDev/x509_coverage
X509: improve testing coverage
2024-11-14 17:49:33 -08:00
David Garske
8b1e9211b1 Merge pull request #8149 from SparkiDev/asn_getshortint
Make GetShortInt available with WOLFSSL_ASN_EXTRA
2024-11-14 17:47:11 -08:00
David Garske
8fe7d1076d Merge pull request #8184 from douzzer/20241113-WC_THREADSHARED
20241113-WC_THREADSHARED
2024-11-14 17:46:19 -08:00
Daniel Pouzzner
469c410393 src/sniffer.c: remove build-time assert on HAVE_THREAD_LS || SINGLE_THREADED, as it breaks existing build tests. fix more later. 2024-11-14 18:22:42 -06:00
Daniel Pouzzner
154c5f0b56 rename mp_sign_t to wc_mp_sign_t and mp_size_t to wc_mp_size_t. 2024-11-14 18:14:45 -06:00
Daniel Pouzzner
4ad0dce84e src/sniffer.c: revert refactor pending proper fixes. 2024-11-14 18:00:52 -06:00
Daniel Pouzzner
dd9f6378cb rename WOLFSSL_GLOBAL to WC_THREADSHARED, and refactor mutex handling in src/sniffer.c for consistency and correctness, also adding gating on !SINGLE_THREADED for efficiency;
add wc_static_assert in wolfcrypt/test/test.h to assure that WC_TEST_RET_ENC() can correctly handle all error codes.
2024-11-14 16:35:04 -06:00
Sean Parkinson
9d8a3cc352 TFM: explicit cast of -1 to fp_digit
When -1 is needed as an fp_digit, as a mask. cast to fp_digit.
2024-11-15 08:25:44 +10:00
Sean Parkinson
b98af853f2 Kyber: Fix wolfSSL_get_curve_name()
Fix protection around Kyber hybrid strings when compiling for original
with wolfSSL implementation.
2024-11-15 08:17:02 +10:00
Daniel Pouzzner
6af54d3de2 Merge pull request #8183 from SparkiDev/kyber_fixes_3
Kyber: fixes to configure and wolfSSL_get_curve_name
2024-11-14 12:47:09 -06:00
Sean Parkinson
886f5b0a5b Kyber: fixes to configure and wolfSSL_get_curve_name
Remote original-only option for kyber in configure.ac.
Default is ML-KEM only.
original is Kyber only.
ml-lem is ML-KEM.
to have both: all,original,ml-kem.

Use WOLFSSL_NO_ML_KEM* instead of WOLFSSL_WC_ML_KEM_* which requires the
inclusion of kyber headers.
2024-11-14 16:25:41 +10:00
Brett Nicholas
f672105d55 - Move automatic OID detection from Dilithium code into ASN code 2024-11-13 15:31:59 -07:00
David Garske
c8f56f035f Merge pull request #8169 from douzzer/20241108-WOLFSSL_CLEANUP_THREADSAFE
20241108-WOLFSSL_CLEANUP_THREADSAFE
2024-11-13 12:45:33 -08:00
Daniel Pouzzner
0ebd86d668 add second wolfCrypt error code span, and add DEADLOCK_AVERTED_E. 2024-11-13 13:01:00 -06:00
JacobBarthelmeh
f74e73e8ce wc_UnloadStaticMemory should be used to free mutex 2024-11-13 11:51:53 -07:00
Daniel Pouzzner
524f0f5799 peer review on "WOLFSSL_CLEANUP_THREADSAFE":
* add WOLFSSL_ATOMIC_INITIALIZER() to wc_port.h;
* rename feature macro to WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS for clarity;
* remove spin lock logic in wolfSSL_Init() and instead return DEADLOCK_AVERTED_E on contended initialization;
* unless WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS is user-defined to 0, automatically enable it when appropriate.
2024-11-12 23:57:35 -06:00
Hideki Miyazaki
fdb889303a fix qt unit test qsslcertificate
fix trusted peer cert cache
2024-11-13 08:38:51 +09:00
Daniel Pouzzner
b8aeaf4fa8 src/ssl.c: implement WOLFSSL_CLEANUP_THREADSAFE in wolfSSL_Init() / wolfSSL_Cleanup(). 2024-11-12 17:37:45 -06:00
Sean Parkinson
86ad96ca29 X509: improve testing coverage 2024-11-13 09:10:22 +10:00
Brett Nicholas
6b1b6ece00 guard use of dilithium_key->params on WC implementation 2024-11-12 16:08:11 -07:00
Anthony Hu
b1ccbbc7fa Addressing review comments from dgarske 2024-11-12 16:36:12 -05:00
Brett Nicholas
0e6ac11d15 - Add ability to obtain Dilithium security level (parameters) from a DER
encoded key based on the algorithm type OID
- Add test coverage for decoding DER keys without level specified
2024-11-12 14:19:12 -07:00
Juliusz Sosinowicz
cf80eb8788 DTLS 1.3: Don't error out on app data before finishing handshake
Check epoch for early data
2024-11-12 12:19:02 +01:00
Daniel Pouzzner
878cf3afaa Merge pull request #8155 from JacobBarthelmeh/x509_req
fix for memory leak due to missed WOLFSSL_GENERAL_NAME capability cha…
2024-11-11 23:03:52 -06:00
Daniel Pouzzner
c5f1acf960 Merge pull request #8172 from SparkiDev/kyber_bench_fix
Kyber benchmark: allow ML-KEM and Kyber
2024-11-11 23:00:51 -06:00
JacobBarthelmeh
ce935fddad cast return of XMALLOC 2024-11-11 09:57:33 -07:00
JacobBarthelmeh
4996aed166 Merge pull request #8117 from rizlik/static_mem_fix_types
memory: fix types in wc_LoadStaticMemory_ex()
2024-11-11 09:48:25 -07:00
Takashi Kojo
718b3d46b2 add API doc: wc_ecc_set_curve 2024-11-11 16:38:38 +09:00
Sean Parkinson
cadafffb71 Kyber benchmark: allow ML-KEM and Kyber
Fix benchmark to use ML-KEM/Kyber depending on how code is built.
2024-11-11 10:34:32 +10:00
Daniel Pouzzner
c08bbf0333 Merge pull request #8168 from bandi13/fixCMakeTests
Use only one or the other
2024-11-09 00:43:15 -06:00
Daniel Pouzzner
9361603d8b Merge pull request #8071 from JacobBarthelmeh/static
display heap pointer with debug enabled
2024-11-09 00:20:32 -06:00
Daniel Pouzzner
165b4afbeb Merge pull request #8143 from SparkiDev/kyber_plus_mlkem
Kyber/ML-KEM: make both available
2024-11-09 00:09:51 -06:00
Daniel Pouzzner
23f46a1c3e Merge pull request #8140 from dgarske/wildcard
Fix for building sources (wildcard *.c). Add macro guard on new files.
2024-11-08 23:36:00 -06:00
Hideki Miyazaki
2831eb3ca7 Fix TSIP TLS. Call rsa_pad crypt cb in the case of TSIP 2024-11-09 14:23:57 +09:00
kaleb-himes
309c0a8218 OS_Seed declarations with legacy compilers using correct header tags 2024-11-08 15:10:50 -07:00
kaleb-himes
47557279a2 Updates from customer feedback 2024-11-08 15:49:01 -06:00
Andras Fekete
a295aef0b2 Use only one or the other 2024-11-08 14:34:16 -05:00
David Garske
c868c3ecff Merge pull request #8164 from douzzer/20241105-c89-expansion-etc
20241105-c89-expansion-etc
2024-11-08 10:15:00 -08:00
Daniel Pouzzner
469b9efc9e wolfssl/test.h: revert heap shim refactor -- api.c relies on these being native heap allocations. 2024-11-08 01:03:44 -06:00
Daniel Pouzzner
aa18bbca55 assorted cleanups and refactors for C89 conformance, codespell and check-source-text, and consistent heap shim usage.
.github/workflows/codespell.yml: remove */README_jp.txt from "skip" list.

IDE/Renesas/cs+/Projects/t4_demo/README_jp.txt: convert from SHIFT_JIS to UTF-8.

cmake/options.h.in: use "#cmakedefine HAVE_PTHREAD 1" to avoid conflict with config.h.

configure.ac: add --enable-c89, and remove !ENABLED_OPENSSLEXTRA dependency from AM_CONDITIONAL([BUILD_CRYPTONLY],...).

wolfcrypt/src/asn.c: refactor SetOthername() for efficiency, and add PRAGMA_GCC to suppress false positive -Wstringop-overflow associated with -fstack-protector.

wolfssl/wolfcrypt/rsa.h: add WC_ prefixes to RSA_PKCS1_PADDING_SIZE and RSA_PKCS1_OAEP_PADDING_SIZE, and define unprefixed compat aliases only if !OPENSSL_COEXIST.

wolfssl/wolfcrypt/types.h:

  #ifdef WOLF_C89, #define WC_BITFIELD unsigned;
  enhance WOLF_ENUM_DUMMY_LAST_ELEMENT() to include the line number, to construct unique labels given a per-filename argument, to accommodate anonymous enums.

examples/asn1/asn1.c:
examples/client/client.c:
examples/pem/pem.c:
examples/server/server.c:
wolfcrypt/src/sp_dsp32.c:
wolfcrypt/src/wc_port.c:
wolfssl/test.h:

  use XMALLOC/XREALLOC/XFREE consistently, not malloc/realloc/free.

wolfcrypt/benchmark/benchmark.c:
wolfcrypt/src/memory.c:
wolfcrypt/test/test.c:
wolfssl/wolfcrypt/mem_track.h:
wolfssl/wolfcrypt/settings.h:
wolfssl/wolfcrypt/types.h:

  annotate intentional native heap access with "/* native heap */".

wolfcrypt/src/asn.c:
wolfssl/callbacks.h:
wolfssl/openssl/ec.h:
wolfssl/openssl/ssl.h:
wolfssl/wolfcrypt/hpke.h:
wolfssl/wolfcrypt/types.h:

  fix enum trailing commas.

wolfssl/openssl/ec.h:
wolfssl/openssl/evp.h:
wolfssl/openssl/rsa.h:
wolfssl/openssl/ssl.h:

  use WC_BITFIELD in bitfield elements, not byte or word16, to allow for pedantic C89 conformant builds.

wolfssl/openssl/ec.h:
wolfssl/openssl/evp.h:
wolfssl/openssl/pem.h:
wolfssl/openssl/ssl.h:
wolfssl/wolfcrypt/logging.h:
avoid variadic macros wherever possible, and where unavoidable, #ifdef WOLF_NO_VARIADIC_MACROS, define them with empty arg lists, rather than ..., to support Watcom compiler.

wolfssl/wolfcrypt/settings.h: if defined(__WATCOMC__), define WOLF_NO_VARIADIC_MACROS.
2024-11-07 22:36:24 -06:00
kaleb-himes
07a45ab8ef OE8 NETOS 140-3 updates check-in
Update include.am

update printf declaration in benchmark.c

Sync with version used in optesting

fix the license headers
2024-11-07 17:04:32 -06:00
Maxim Ivanov
0319eb098d CMAKE: look for pthreads when importing wolfSSL if required
All required dependencies of a package must also be found in the
package configuration file. Consumers of wolfSSL can't know
if it was built with or without threads support. This change
adds find_package(Threads) lookup in the file used for
find_package(wolfssl) if wolfSSL was built with threads support.
2024-11-07 21:42:11 +00:00
Colton Willey
dbec1b2b0d Update doxygen to use proper types in sample code 2024-11-07 12:50:55 -08:00
David Garske
b648d35449 Merge pull request #8138 from JacobBarthelmeh/wolfclu_config
wolfCLU added support for PKCS7
2024-11-07 12:44:06 -08:00
David Garske
364cd107ff Merge pull request #8151 from SparkiDev/test_fixes_3
Testing fixes
2024-11-07 12:43:12 -08:00
David Garske
79d9aab5bd Merge pull request #8159 from philljj/spelling_cleanup
spelling: tiny cleanup.
2024-11-07 12:00:04 -08:00
David Garske
1061518876 Merge pull request #8153 from LinuxJedi/Pi-pico
Add support for Raspberry Pi Pico
2024-11-07 11:59:34 -08:00
Andrew Hutchings
1d2c78e3be Add support for Raspberry Pi Pico
This adds improved support for the Raspberry Pi Pico range of
microcontrollers.

Benchmark now compiles, and added support for the RNG functions of the
Pico SDK. This gives a ~2x RNG performance improvement on the RP2040 and
over 3x improvement on the RP2350.

The accelerated SHA256 in the RP2350 unfortunately cannot be used with
wolfSSL.
2024-11-07 17:26:51 +00:00
jordan
b4e8e57b59 spelling: tiny cleanup. 2024-11-07 07:40:02 -06:00
JacobBarthelmeh
a896c16ebd fix for memory leak due to missed WOLFSSL_GENERAL_NAME capability changes 2024-11-06 17:10:54 -07:00
Anthony Hu
0508151ddf Quick fix 2024-11-06 16:07:18 -05:00
Daniel Pouzzner
c577ad78df Merge pull request #8154 from bandi13/fipsCheckAddFlag
Ability to bypass './configure' as some tests/scripts run it anyway
2024-11-06 15:07:17 -06:00
Andras Fekete
cbf4f014cd Fix false positive error on gcc 9.4.0
"error: ‘nameSz’ may be used uninitialized in this function", but it's not actually going to be used uninitialized.
2024-11-06 14:54:02 -05:00
David Garske
43879f961d Fix RSA TSIP to return the actual cipher or plain length on success. Fix crypto callback to properly support PKCSv1.5 sign/verify and encrypt/decrypt based on padding info. 2024-11-06 10:37:03 -08:00
Andras Fekete
b4f0789ce5 Ability to bypass './configure' as some tests/scripts run it anyway 2024-11-06 08:39:23 -05:00
Sean Parkinson
256c6708e0 Testing fixes
Fix header inclusion: settings.h after options.h.
pkcs8_encode(): dh is not available if NO_DH is defined.
2024-11-06 15:23:49 +10:00
David Garske
3179a2ff00 Cleanup the import function declarations. 2024-11-05 14:14:25 -08:00
David Garske
02c2f445d9 Cleanup unused variables and function (void). 2024-11-05 09:45:01 -08:00
David Garske
6b02d7879a Add public decrypt and private encrypt. Cleanups. 2024-11-05 09:24:00 -08:00
András Fekete
7e291992c0 Merge pull request #8150 from douzzer/20241104-fixes
20241104-fixes
2024-11-05 11:00:20 -05:00
Daniel Pouzzner
0f31f5bad9 codespell fixes. 2024-11-05 00:19:07 -06:00
Daniel Pouzzner
a540c6ade5 configure.ac: activate opensslextra for --enable-curl even if ENABLED_OPENSSLCOEXIST; tests/api.c: in test_wolfSSL_SESSION(), use WOLFSSL_SUCCESS, not SSL_SUCCESS, in HAVE_SESSION_TICKET span reachable in non-OPENSSL_EXTRA builds. 2024-11-05 00:15:18 -06:00
Daniel Pouzzner
8ecf064314 Merge pull request #8098 from dgarske/x86_notwindows_2
More fixes for building x86 in Visual Studio for non-windows OS
2024-11-05 00:13:13 -06:00
David Garske
92f7e91655 Merge pull request #8120 from SparkiDev/asn_templ_doc
ASN template documentation: adding basics for decoding
2024-11-04 15:25:18 -08:00
Sean Parkinson
36515e8daf Make GetShortInt available with WOLFSSL_ASN_EXTRA
Customers may need to use GetShortInt when doing custom ASN.1 parsing.
Was only available when !NO_PWDBASED.
GetShortInt is still an internal API.
2024-11-05 08:46:34 +10:00
Daniel Pouzzner
95b47714d5 Merge pull request #8147 from bandi13/regenScripts
Regen scripts
2024-11-04 16:37:24 -06:00
David Garske
aad0f6e08d Peer review feedback: Improve workaround for variadic macros and cast warnings. 2024-11-04 11:15:00 -08:00
Andras Fekete
4083afe353 Ignore file with non-UTF-8 characters 2024-11-04 13:56:07 -05:00
David Garske
9757aa0adf Merge pull request #8113 from philljj/tiny_dilithium_fix
dilithium: expose wc_MlDsaKey_GetX functions as API.
2024-11-04 10:52:30 -08:00
David Garske
8f2516c4be Merge pull request #8141 from douzzer/20241102-fixes
20241102-fixes
2024-11-04 10:47:53 -08:00
Andras Fekete
f7691febd3 Update generated code from scripts 2024-11-04 13:46:37 -05:00
Marco Oliverio
dce9b2e7bd memory: fix types in static memory functions 2024-11-04 16:21:04 +00:00
Sean Parkinson
7d42ddae48 Kyber/ML-KEM: make both available
Make Kyber and ML-KEM individually available as well as at the same
time.
Modified TLS layer to support both Kyber and ML-KEM.
Added new identifiers in TLS layer for ML-KEM.
2024-11-04 23:51:51 +10:00
Daniel Pouzzner
6f7c968c56 rename MAX_CERT_VERIFY_SZ to WC_MAX_CERT_VERIFY_SZ, and move its setup from wolfssl/internal.h to wolfssl/wolfcrypt/asn.h.
rename WOLFSSL_MAX_RSA_BITS to WC_MAX_RSA_BITS, and move its setup from wolfssl/internal.h to wolfssl/wolfcrypt/asn.h, preceding setup for WC_MAX_CERT_VERIFY_SZ.

configure.ac: restore opensslextra-linuxkm assertion, with a twist: "--enable-opensslextra with --enable-linuxkm-pie and without --enable-cryptonly is incompatible with --enable-linuxkm."

wolfcrypt/src/asn.c: fix trailing comma in enum.

wolfcrypt/src/port/arm/armv8-aes.c: fix wc_AesCcmEncrypt() and wc_AesCcmDecrypt() for test_wolfssl_EVP_aes_ccm_zeroLen().
2024-11-02 23:50:34 -05:00
Daniel Pouzzner
6119c52802 Merge pull request #8043 from bandi13/addCodespell
Add Codespell test to PRs
2024-11-01 21:20:29 -05:00
David Garske
836b741402 Merge pull request #8132 from douzzer/20241024-opensslcoexist-opensslextra
20241024-opensslcoexist-opensslextra
2024-11-01 14:34:11 -07:00
David Garske
671f93135b Fixes for consistency in ASSERT_SAVED_VECTOR_REGISTERS and RESTORE_VECTOR_REGISTERS. 2024-11-01 14:24:30 -07:00
David Garske
ca6d49da97 Merge pull request #8139 from douzzer/20241031-fixes
20241031-fixes
2024-11-01 14:03:48 -07:00
David Garske
99daac3974 Improvement for SAVE_VECTOR_REGISTERS 2024-11-01 13:57:02 -07:00
David Garske
f95c4d7b67 Fix for building sources (wildcard *.c). Add macro guard on new files. 2024-11-01 10:46:40 -07:00
Daniel Pouzzner
b41ce0427c src/pk.c: in pem_read_bio_key(), fix invalid read (ZD#18875). 2024-11-01 12:43:08 -05:00
Andras Fekete
0915012b72 Fix new spelling errors 2024-11-01 13:00:59 -04:00
Andras Fekete
8612f15d2e Don't modify Renesas config files 2024-11-01 12:59:01 -04:00
Andras Fekete
34298e8ada More spelling fixes 2024-11-01 12:59:01 -04:00
Andras Fekete
e14abbdc79 Cleanup spelling 2024-11-01 12:59:01 -04:00
Andras Fekete
9082baabd3 Change the name of the file. 2024-11-01 12:59:01 -04:00
Andras Fekete
e28316027e Cleaner way to exclude words that are considered 'misspelled' 2024-11-01 12:59:01 -04:00
Andras Fekete
552968bd5d Add explanations for excluded files 2024-11-01 12:59:01 -04:00
Andras Fekete
b8f9ac6fa5 Eliminate some UTF-8 errors 2024-11-01 12:59:01 -04:00
Andras Fekete
31d0dfb981 Add in some common code to keep Actions to a minimum 2024-11-01 12:59:01 -04:00
Andras Fekete
f4dae7cbaf Few more spelling mistakes 2024-11-01 12:59:01 -04:00
Andras Fekete
c0cb206a80 Suspicious that codespell is not checking spelling 2024-11-01 12:59:01 -04:00
Andras Fekete
8b81d6e099 Simple word fix 2024-11-01 12:59:01 -04:00
Andras Fekete
099c6e0e1f Fix multiple filenames 2024-11-01 12:59:01 -04:00
Andras Fekete
b8253ac4c5 Final set of spelling fixes 2024-11-01 12:59:01 -04:00
Andras Fekete
8ecfe311d8 More spelling fixes 2024-11-01 12:59:01 -04:00
Andras Fekete
6c4b403fa4 More exceptions 2024-11-01 12:59:01 -04:00
Andras Fekete
b3fe71d9d9 Spelling fixes 2024-11-01 12:59:01 -04:00
Andras Fekete
88d4b4c815 Few more exceptions 2024-11-01 12:59:01 -04:00
Andras Fekete
97998d0713 Spellcheck on assembly 2024-11-01 12:59:01 -04:00
Andras Fekete
631eafacb8 Fix some spelling 2024-11-01 12:59:01 -04:00
Andras Fekete
57acf721d4 Minor fixes 2024-11-01 12:59:01 -04:00
Andras Fekete
725e4323e2 Use ignore words list instead of file 2024-11-01 12:59:01 -04:00
Andras Fekete
19e9e31b7c Add Codespell test to PRs 2024-11-01 12:59:01 -04:00
Daniel Pouzzner
9db74dc128 configure.ac: add AM_MAINTAINER_MODE([disable]);
add config-time assert for "dual-alg-certs is incompatible with --enable-cryptonly.";

remove obsolete config-time check for "--enable-opensslextra without --enable-cryptonly is incompatible with --enable-linuxkm.";

linuxkm/linuxkm_wc_port.h: add fallback definitions for INT32_MAX and UINT32_MAX;

linuxkm/module_exports.c.template: add wolfssl/openssl/fips_rand.h;

wolfssl/wolfcrypt/settings.h: add #undef HAVE_ATEXIT to WOLFSSL_LINUXKM settings;

wolfssl/wolfcrypt/types.h: fix trailing comma in the DYNAMIC_TYPE_* enum.
2024-11-01 11:57:36 -05:00
Daniel Pouzzner
6b78726f13 Merge pull request #8134 from dgarske/ge448
Fix GE448 conversion warning
2024-11-01 11:55:01 -05:00
JacobBarthelmeh
13ad54cf46 wolfCLU added support for PKCS7 2024-11-01 09:44:46 -06:00
Anthony Hu
d959d9de7f cast 1 to long 2024-11-01 11:34:22 -04:00
Sean Parkinson
24003b265a Merge pull request #8129 from bigbrett/curve25519-generic-keyparsing
Curve25519 generic keyparsing
2024-11-01 09:04:50 +10:00
Sean Parkinson
76e421b557 Merge pull request #8118 from bigbrett/wc-test-ecc-zero-digest-disable
wolfcrypt tests: disable ecc sign/verify of all zero digest
2024-11-01 09:03:39 +10:00
David Garske
6e3f83d19e Sync with script. 2024-10-31 15:54:05 -07:00
David Garske
652f7059ce Merge pull request #8061 from wolfSSL/NDS_fix
Libnds : Added more descriptive README for IDE/NDS and MelonDS C-flag
2024-10-31 14:53:22 -07:00
Anthony Hu
2254ec89d3 Fix for setting wrong version in CSRs. 2024-10-31 17:08:42 -04:00
Brett Nicholas
aafd07d79a remove ECC_SHAMIR macro protection for ECC sign/verify of zero digest 2024-10-31 14:20:57 -06:00
Brett Nicholas
325221707c address review feedback 2024-10-31 13:02:21 -06:00
Daniel Pouzzner
950ee40111 additional fixes and enhancements for -DOPENSSL_EXTRA -DOPENSSL_COEXIST:
configure.ac:
* add --enable-all-osp to separate OSP meta-feature sets from --enable-all, allowing --enable-all --disable-all-osp --disable-opensslall (e.g. for testing OPENSSL_COEXIST).
* fix enable_all_crypto=yes in enable-all to be conditional on "$enable_all_crypto" = "".
* move enable_rsapss=yes from enable-all to enable-all-crypto.

examples/ and testsuite/: #undef OPENSSL_COEXIST unconditionally rather than only if defined(OPENSSL_EXTRA), to capture -DOPENSSL_EXTRA_X509_SMALL or any other such variants.
2024-10-31 13:42:04 -05:00
David Garske
0d495702e5 Fix GE448 conversion warning:
`error: conversion from ‘word32’ {aka ‘unsigned int’} to ‘byte’ {aka ‘unsigned char’} may change value`
2024-10-31 10:34:19 -07:00
Brett Nicholas
17c7b6cc3a moved some macro logic from test.c to settings.h 2024-10-31 10:51:51 -06:00
David Garske
429e7c79e3 Merge pull request #8133 from SparkiDev/asm_no_uint_t
ASM: generated code not using uint*_t types
2024-10-31 07:42:12 -07:00
Daniel Pouzzner
39e8cb55bb additional fixes and peer review for -DOPENSSL_EXTRA -DOPENSSL_COEXIST: cover -DWOLFSSL_QUIC, fix -DNO_ASN, rename WOLFSSL_ASN1_TYPE_* to WOLFSSL_V_ASN1_*, completed nativization of NID_*, and switch to prefix WC_NID_ rather than wc_NID_. 2024-10-31 00:10:21 -05:00
Daniel Pouzzner
a2bcbf7ecf additional fixes and peer review for -DOPENSSL_EXTRA -DOPENSSL_COEXIST: cover -DWOLFSSL_QUIC, fix -DNO_ASN, rename WOLFSSL_ASN1_TYPE_* to WOLFSSL_V_ASN1_*, completed nativization of NID_*, and switch to prefix WC_NID_ rather than wc_NID_. 2024-10-31 00:10:21 -05:00
Daniel Pouzzner
ca9d012a24 wolfssl/ssl.h: remove OPENSSL_EXTRA gate on definitions for WOLFSSL_ASN1_TYPE_* -- some are used in non-OPENSSL_EXTRA builds, e.g. when -DWOLFSSL_X509_NAME_AVAILABLE. 2024-10-31 00:10:21 -05:00
Daniel Pouzzner
cf95fdc071 Globally remap & refactor conflicting symbols to allow -DOPENSSL_EXTRA -DOPENSSL_COEXIST, or equivalently, --enable-opensslextra --enable-opensslcoexist.
No functional changes.

Several compat symbols that were formerly enums are now macros.

All library source is refactored to use only native symbols in all code gated in with --enable-all-crypto --enable-opensslextra.

wolfcrypt/test/test.c is similarly refactored to use only native symbols.

examples/ and tests/ are unmodified except for header setup to disable OPENSSL_COEXIST and TEST_OPENSSL_COEXIST.
2024-10-31 00:10:21 -05:00
Sean Parkinson
dcd75df852 ASN template documentation: adding basics for decoding
First draft of ASN template documentation that helps with writing
parsing code.
2024-10-31 12:08:22 +10:00
Sean Parkinson
89d2964320 Merge pull request #8115 from miyazakh/ocsp_tls13_client
Check Intermediate cert OCSP when using tls1.3 for client side
2024-10-31 11:13:01 +10:00
Daniel Pouzzner
4b8c9bbb6d Merge pull request #8130 from anhu/cks_tlsver_downgrade
Consider downgrade to TLS 1.2 when parsing CKS.
2024-10-30 19:20:24 -05:00
Sean Parkinson
26312141d8 ASM: generated code not using uint*_t types
Don't use uint*_t types as they may not be available.
2024-10-31 10:14:00 +10:00
Sean Parkinson
614a0e3f09 Merge pull request #8123 from dgarske/armasm
Fix issue with error: conflicting types for 'BlockSha3'
2024-10-31 09:37:26 +10:00
David Garske
544a7d93e1 Merge pull request #8103 from bandi13/addUncommonUtilities
Add less frequently used tools that are handy to have
2024-10-30 15:24:25 -07:00
David Garske
807975c864 Merge pull request #8127 from anhu/percentd
added a missing %d
2024-10-30 15:21:15 -07:00
David Garske
d147968aed Merge pull request #8125 from philljj/fix_acert_test_defined_not_used
tests api: fix inconsistent do_acert_verify_test guards.
2024-10-30 15:21:04 -07:00
David Garske
fc56060873 Merge pull request #8102 from embhorn/topic2203
Fix docs for invalid hash requirements.
2024-10-30 15:15:19 -07:00
Anthony Hu
69f2529aa5 Consider downgrade to TLS 1.2 when parsing CKS. 2024-10-30 16:50:59 -04:00
JacobBarthelmeh
bc56129ed8 display heap pointer with debug enabled 2024-10-30 14:39:12 -06:00
Brett Nicholas
20cf6b74c1 fix curve25519 test sanitizer errors 2024-10-30 14:02:38 -06:00
Brett Nicholas
589bcaa12a added doxygen for curve25519 DER functions 2024-10-30 12:56:14 -06:00
Brett Nicholas
62d7e90352 added additional curve25519 generic test 2024-10-30 12:56:10 -06:00
Anthony Hu
54dc8320d2 added a missing %d 2024-10-30 14:53:21 -04:00
David Garske
0669ba82c4 Avoid stdint types. 2024-10-30 10:28:45 -07:00
jordan
90648b1e79 tests api: fix inconsistent do_acert_verify_test guards. 2024-10-30 11:06:54 -05:00
Brett Nicholas
97a370ed08 added generic curve25519 encode/decode functions that can handle combined keypairs 2024-10-30 09:37:16 -06:00
David Garske
c557c6f2bd Fix issue with error: conflicting types for 'BlockSha3'.
```
[CC-AARCH64] lib/wolfssl/wolfcrypt/src/port/arm/armv8-sha3-asm_c.o
lib/wolfssl/wolfcrypt/src/port/arm/armv8-sha3-asm_c.c:212:6: error: conflicting types for 'BlockSha3'; have 'void(long unsigned int *)'
  212 | void BlockSha3(unsigned long* state)
      |      ^~~~~~~~~
In file included from lib/wolfssl/wolfcrypt/src/port/arm/armv8-sha3-asm_c.c:35:
lib/wolfssl/wolfssl/wolfcrypt/sha3.h:224:20: note: previous declaration of 'BlockSha3' with type 'void(word64 *)' {aka 'void(long long unsigned int *)'}
  224 | WOLFSSL_LOCAL void BlockSha3(word64 *s);
      |                    ^~~~~~~~~
```
2024-10-29 16:56:50 -07:00
Hideki Miyazaki
b409967f3b fix spaces 2024-10-30 07:47:40 +09:00
David Garske
72306b9a67 Merge pull request #7973 from bandi13/fixSniffer
Fix sniffer
2024-10-29 15:21:41 -07:00
Hideki Miyazaki
b07a372b52 Fix spaces and tabs 2024-10-30 06:42:07 +09:00
David Garske
b982314ac6 Merge pull request #8101 from miyazakh/tsip_ca_add
Check Root CA by TSIP before adding it to ca-table
2024-10-29 14:23:47 -07:00
JacobBarthelmeh
2b8d43cef2 Merge pull request #8119 from dgarske/async_20241028
Fixes for asynchronous release - SHA3/HMAC devId
2024-10-29 15:11:43 -06:00
Andras Fekete
2cdecd85a2 If we have a capture on device 'any', then we need to handle the offset
Detect reading of packet errors

--enable-all and --enable-sniffer exposed this issue

Don't need variable

Rework argument parsing

Need a way to allow arguments to be supplied more granularly. Partucilarly, I needed a "-tracefile" argument without requiring the use of a PCAP file

Fix error prints to STDERR

Fix setting of port filtering

Fix 80 char limit

Not actually a bad packet when there are no more packets

Fix strcat size

Allow the sniffer to print the trace to STDOUT

Fix indexing

Take out superfluous error which is handled later

Set default port to 11111

Single return point

Combine chain to one contiguous memory block

Fix return

Add in error handling for XMALLOC

Add in debugging output when --enable-debug

It makes no sense to allocate a ton of small buffers to process chains

Ultimately, the code is slower because of the several small memcpy instead of a single large contiguous memcpy

Pass in a device name

Fix unused variable

Fix cast

Addressing PR comments

Add new flags to --help
2024-10-29 16:55:20 -04:00
Daniel Pouzzner
0ded8ba0c7 Merge pull request #8074 from bandi13/revertGithubFix
Revert "Merge pull request #8072 from rizlik/github-fix"
2024-10-29 15:17:50 -05:00
Daniel Pouzzner
5b07d47e7b Merge pull request #8095 from embhorn/coverity-workflow
Add more configs to Coverity scan schedule.
2024-10-29 15:02:15 -05:00
David Garske
84b5d6613d More fixes for building x86 in Visual Studio for non-windows OS (Watcom C compiler). Followup to PR #7884. Fixes ZD 18465
* Consolidate the USE_WINDOWS_API to a single place.
* Expand the `WOLFSSL_NOT_WINDOWS_API` improvement for intrinsics and word sizes.
* Fix for macro variadic `...` when no variables are used (some compilers like Watcom C have issue with this).
* Fix for Watcom C compiler "long long" -> "__int64".
* Fix a couple of minor cast warnings reported from VS.
2024-10-29 11:50:24 -07:00
Hideki Miyazaki
32c1f8bbd7 implement TSIP RSA Public Enc/Private Dec 2024-10-29 20:09:22 +09:00
Daniel Pouzzner
57a5895d0e Merge pull request #8110 from philljj/fix_infer
infer: fix uninit values in pkcs8_encode.
2024-10-29 01:16:04 -05:00
Sean Parkinson
202822c655 Merge pull request #8114 from douzzer/20241025-fixes
20241025-fixes
2024-10-29 09:55:03 +10:00
David Garske
ea35b98005 Fixed SHA3 issue with possible uninitialized devId when building with async. Fixed HMAC set key issue with devId/heap getting lost. 2024-10-28 11:30:05 -07:00
Brett Nicholas
cac11e3d09 add non-feature-specific macro to disable ECC sign/verify of all-zero digest 2024-10-28 12:22:10 -06:00
Hideki Miyazaki
79a9e0a709 intermediate cert check when using tls1.3 for client side 2024-10-26 14:09:58 +09:00
Daniel Pouzzner
6f87f57d7a fixes for gating and ARM32 alignment defects:
wolfcrypt/src/port/arm/armv8-aes.c: in the WOLFSSL_ARMASM_NO_HW_CRYPTO version of wc_AesSetKey(), copy the supplied userKey to a properly aligned buffer if necessary before calling AES_set_encrypt_key();

src/dtls13.c: in Dtls13GetRnMask(), if defined(WOLFSSL_LINUXKM)), return retval of wc_AesEncryptDirect();

wolfcrypt/src/misc.c: add readUnalignedWord32(), writeUnalignedWord32(), readUnalignedWords32(), and writeUnalignedWords32();

wolfcrypt/src/siphash.c: use readUnalignedWord64(), readUnalignedWord32(), and writeUnalignedWord64(), to avoid unaligned access faults, and fix cast in byte-reversing version of GET_U32().
2024-10-25 23:52:32 -05:00
jordan
9d8c5a293f dilithium: expose wc_MlDsaKey_GetX functions as API. 2024-10-25 13:29:06 -05:00
Daniel Pouzzner
bdd62314f0 Merge pull request #8111 from JacobBarthelmeh/release
prepare for release 5.7.4
2024-10-24 16:00:03 -05:00
JacobBarthelmeh
dd2b191c36 update version listed in wolfssl-fips.rc and Ada wrapper 2024-10-24 14:19:17 -06:00
JacobBarthelmeh
8c5e188dd4 remove trailing white space in README 2024-10-24 13:04:00 -06:00
JacobBarthelmeh
8604024b95 prepare for release 5.7.4 2024-10-24 11:32:33 -06:00
Daniel Pouzzner
3f651a8dd0 Merge pull request #8109 from JacobBarthelmeh/coverity
Recent coverity warnings
2024-10-23 21:18:44 -05:00
jordan
ce31b15608 infer: fix uninit values in pkcs8_encode. 2024-10-23 20:11:51 -05:00
Hideki Miyazaki
a14d7db58c move trailing space 2024-10-24 09:31:00 +09:00
JacobBarthelmeh
52ba700eb3 CID 426426 code maintainability warning, stored NULL value overwritten before used 2024-10-23 18:05:12 -06:00
JacobBarthelmeh
077b070132 CID 426427 remove duplicate null checks 2024-10-23 17:57:14 -06:00
JacobBarthelmeh
9af8716e85 Merge pull request #8087 from ColtonWilley/x509_store_rewrite
Initial rewrite of X509 STORE to replicate openssl behavior
2024-10-23 17:14:40 -06:00
Daniel Pouzzner
e7e20532eb Merge pull request #8097 from julek-wolfssl/zd/18822
Fix TLS v1.2 session resumption edge cases
2024-10-23 18:01:35 -05:00
JacobBarthelmeh
830c5dace6 Merge pull request #8106 from douzzer/20241023-fixes
20241023-fixes
2024-10-23 16:44:09 -06:00
David Garske
25e32c2539 Fix for TLS v1.2 session resumption with tickets where the server decides to do a full handshake. The wrong sessionIDSz was being checked and should be the arrays one since it get set from the server_hello. 2024-10-23 15:14:05 -07:00
Daniel Pouzzner
cab20fbdd2 add and use WOLFSSL_PARTIAL_CHAIN as native bitmask macro for compat layer X509_V_FLAG_PARTIAL_CHAIN;
in src/x509_str.c, fix several C++ "invalid conversion" errors in X509StoreFreeObjList() and wolfSSL_X509_STORE_get0_objects().
2024-10-23 16:57:58 -05:00
Colton Willey
6f0bcac737 Address review comments, rename WOLFSSL_INTER_CA, use up_ref for get issuer 2024-10-23 16:55:34 -05:00
Colton Willey
ee4e1b6262 Properly omit self signed CA from untrusted intermediates, handle memory leak for SSL case with proper flow 2024-10-23 16:55:34 -05:00
Colton Willey
95f8d74202 Fix loop to decrement 2024-10-23 16:55:34 -05:00
Colton Willey
96138e70f8 Restore proper error code handling for self signed CA in non-trusted intermediates 2024-10-23 16:55:34 -05:00
Colton Willey
4c63668295 Small changes per review comments 2024-10-23 16:55:34 -05:00
Colton Willey
3fc3a84a6b Move X509_STORE_CTX_set_flags under OPENSSL_EXTRA 2024-10-23 16:55:34 -05:00
Colton Willey
1ddb2ce435 Properly implement set flags for X509_V_FLAG_PARTIAL_CHAIN 2024-10-23 16:55:34 -05:00
Colton Willey
87ce96527a Changes for various failing build configs 2024-10-23 16:55:34 -05:00
Colton Willey
1afbf55a80 Fix new build error after refactor 2024-10-23 16:55:34 -05:00
Colton Willey
6607314dc6 Address code comments, rewrite get issuer internals, use better internal names, get rid of all lines over 80 chars 2024-10-23 16:55:34 -05:00
Colton Willey
f0fae6506f Fix windows warnings 2024-10-23 16:55:34 -05:00
Colton Willey
98eb6b398c Fix for windows builds 2024-10-23 16:55:34 -05:00
Colton Willey
f7bfa71d9f Implement support for verify flag X509_V_FLAG_PARTIAL_CHAIN 2024-10-23 16:55:34 -05:00
Colton Willey
12f4f69fb4 Allow intermediate CA certs without keycertsign when added through X509 STORE 2024-10-23 16:55:34 -05:00
Colton Willey
38c7de1707 Fixes for CI build errors 2024-10-23 16:55:34 -05:00
Colton Willey
17c9e92b7f Initial rewrite of X509 STORE to replicate openssl behavior 2024-10-23 16:55:34 -05:00
Daniel Pouzzner
82273094e0 Merge pull request #8107 from JacobBarthelmeh/aesgcm
fix for state of aes.gcm.H on re-use
2024-10-23 16:52:42 -05:00
JacobBarthelmeh
1d25e0f89b Merge pull request #8104 from gojimmypi/pr-vs2022-wolfssl-name
Name VS2022 binary output wolfssl via project name
2024-10-23 15:36:55 -06:00
JacobBarthelmeh
8fbf6a59bc Merge pull request #8105 from kareem-wolfssl/zd18825
Fix 256-bit ECC conditional in ecc_map_ex.
2024-10-23 15:19:50 -06:00
JacobBarthelmeh
d0f5778429 fix for state of aes.gcm.H on re-use 2024-10-23 15:04:06 -06:00
Andras Fekete
7cee9faa73 Addressing PR comments 2024-10-23 16:53:10 -04:00
Andras Fekete
19d738cecf Revert "Don't need to upload/download artifacts"
This reverts commit b215398bd4.
2024-10-23 14:28:24 -04:00
Kareem
8986a9dae0 Fix 256-bit ECC conditional in ecc_map_ex. 2024-10-23 11:12:48 -07:00
Daniel Pouzzner
afa5b0168e fix HAVE_SHA* configurations in IDE/iotsafe/user_settings.h to also set WOLFSSL_SHA*, and in IDE/STM32Cube/default_conf.ftl, IDE/iotsafe/user_settings.h, and examples/configs/user_settings_stm32.h, comment HAVE_SHA* as "old freeRTOS settings.h requires this". 2024-10-23 12:46:32 -05:00
gojimmypi
e3c9c07393 Name VS2022 binary output wolfssl via project name 2024-10-23 09:51:18 -07:00
Daniel Pouzzner
6e14889758 Merge pull request #8094 from JacobBarthelmeh/coverity
minor fixes for Coverity reports
2024-10-23 11:26:33 -05:00
JacobBarthelmeh
beeda7bc6f Merge pull request #8100 from douzzer/20241022-cleanups
20241022-cleanups
2024-10-23 10:08:57 -06:00
Andras Fekete
cf6975b603 Add less frequently used tools that are handy to have 2024-10-23 11:23:46 -04:00
Eric Blankenhorn
f20f96c8a2 Fix docs for invalid hash requirements. 2024-10-23 08:43:00 -05:00
Juliusz Sosinowicz
031656ee7a Send a new ticket when rejecting a ticket and tickets enabled 2024-10-23 13:12:46 +02:00
Hideki Miyazaki
ba1cd85934 check Root CA by TSIP before adding it to ca-table 2024-10-23 18:02:56 +09:00
Daniel Pouzzner
ea491b80ef tests/api.c: gate test_GENERAL_NAME_set0_othername() on OPENSSL_ALL, not OPENSSL_EXTRA, as it fails with --enable-all-crypto --enable-opensslextra, and is commented to require --enable-opensslall. 2024-10-23 00:02:29 -05:00
Daniel Pouzzner
3bbd00f918 wolfcrypt/src/asn.c: tweak retval handling in MakeSignature() CERTSIGN_STATE_DO section for the benefit of WOLFSSL_DEBUG_TRACE_ERROR_CODES. 2024-10-23 00:02:29 -05:00
Daniel Pouzzner
508555c927 configure.ac: add several missing low level crypto algorithms to all-crypto that are already included indirectly in enable-all. 2024-10-23 00:02:29 -05:00
Daniel Pouzzner
30181f2ced configure.ac: for reproducible-build, use --build-id=sha1, not --build-id=none, to support users relying on build-id in the linked object. 2024-10-23 00:02:29 -05:00
Daniel Pouzzner
bffcfb7efc wolfcrypt/src/ecc.c: in wc_ecc_get_curve_id_from_oid(), deconditionalize guard against zero-length len added in 03a6eed037, to fix test_wc_ecc_get_curve_id_from_oid() failing in cross-mingw-all-crypto. 2024-10-23 00:02:29 -05:00
Daniel Pouzzner
6429315216 fix references to misnamed HAVE_SHA224, HAVE_SHA384, HAVE_SHA512 (correct names have WOLFSSL_ prefixes). 2024-10-23 00:02:28 -05:00
JacobBarthelmeh
43fe46cf24 Merge pull request #8099 from dgarske/armasm_aes
Fix issue with ARM ASM with AES CFB/OFB not initializing the "left" member
2024-10-22 17:29:45 -06:00
David Garske
5a0bb3a3ed Fix issue with ARM ASM with AES CFB/OFB not initializing the "left" member. ZD 18841. 2024-10-22 14:30:54 -07:00
JacobBarthelmeh
f21a763ae9 return out of test function if failing RNG init 2024-10-22 14:22:46 -06:00
Andras Fekete
d981cd5b36 Revert "Test using my branch"
This reverts commit 5a1da526da.
2024-10-22 12:22:08 -04:00
Andras Fekete
6255859925 Fix package name 2024-10-22 10:56:42 -04:00
Andras Fekete
5a1da526da Test using my branch 2024-10-22 10:27:38 -04:00
Juliusz Sosinowicz
2847cbfbad Simplify TLS 1.2 session ID logic
Optimize entropy use. Only generate the exact amount of random data that we will actually keep.

Refactor done as part of work on ZD18822
2024-10-22 14:31:46 +02:00
JacobBarthelmeh
18150a11aa CID 426062,426063 initialization and free check 2024-10-22 00:24:29 -06:00
JacobBarthelmeh
27267d7d2e CID 426066 fix check if null before free 2024-10-22 00:21:26 -06:00
Daniel Pouzzner
846ef1570d Merge pull request #8096 from philljj/fix_coverity_more
Fix more coverity errors.
2024-10-21 23:57:56 -05:00
Daniel Pouzzner
f8fc31e134 Merge pull request #8090 from gojimmypi/pr-visual-studio-2022
Add Visual Studio 2022 Project Files for wolfSSL, Test, & Benchmark
2024-10-21 23:56:57 -05:00
Daniel Pouzzner
805eaa90cc Merge pull request #7797 from julek-wolfssl/softhsm
Init SoftHSMv2 support
2024-10-21 23:56:12 -05:00
jordan
5fd9e99bbd coverity: don't overwrite obj in wolfSSL_X509_get_ext_d2i. 2024-10-21 20:49:34 -05:00
JacobBarthelmeh
b535d9f752 Merge pull request #8093 from philljj/fix_coverity
Fix coverity
2024-10-21 16:45:51 -06:00
Eric Blankenhorn
4aa3d5f8ce Add more configs to Coverity scan schedule. 2024-10-21 17:29:07 -05:00
gojimmypi
ee24446bee Add Visual Studio 2022 Project Files for wolfSSL, Test, & Benchmark 2024-10-21 14:05:51 -07:00
jordan
5690af82dc wolfcrypt test: fix double free. 2024-10-21 15:57:24 -05:00
jordan
35def11781 coverity: fix error, and cleanup. 2024-10-21 14:59:32 -05:00
JacobBarthelmeh
104c805b82 Merge pull request #8092 from douzzer/20241021-wc_FreeRsaKey-WOLFSSL_XILINX_CRYPT
20241021-wc_FreeRsaKey-WOLFSSL_XILINX_CRYPT
2024-10-21 13:26:55 -06:00
Daniel Pouzzner
38c337967e Merge pull request #8086 from bandi13/addDependency
Need 'libfile' for license.pl
2024-10-21 14:20:42 -05:00
Daniel Pouzzner
25da3bfe5f Merge pull request #8070 from JacobBarthelmeh/testing_static_memory
use heap hint with wolfSSL_CTX_check_private_key
2024-10-21 13:57:55 -05:00
JacobBarthelmeh
8a71c3b3db Merge pull request #8066 from gojimmypi/pr-espressif-wolfcrypt
Apply various Espressif compatibility updates
2024-10-21 11:36:24 -06:00
Daniel Pouzzner
f24b987f59 wolfcrypt/src/rsa.c: fix wc_FreeRsaKey() WOLFSSL_XILINX_CRYPT XFREE() call to pass key->heap as before. 2024-10-21 12:26:29 -05:00
gojimmypi
187a9b5b4d Apply various Espressif compatibility updates 2024-10-21 09:20:32 -07:00
JacobBarthelmeh
bc0a2c43e6 avoid warning for unused parameter with certain build configurations 2024-10-21 10:04:26 -06:00
JacobBarthelmeh
efff8e096c Merge pull request #8076 from gojimmypi/pr-update-espressif-examples
Update Espressif Examples
2024-10-21 09:57:29 -06:00
Juliusz Sosinowicz
901384e704 Init SoftHSMv2 support
- wolfSSL_EVP_PKEY_set1_DH: If both private and public present, output private key
- ToTraditionalInline_ex2: Add DH checking
- wc_ecc_get_curve_id: check index is not negative
- Fix i2d_PKCS8_PRIV_KEY_INFO to actually output pkcs8 instead of just der
- wolfSSL_EVP_PKEY2PKCS8: Create duplicate to avoid double free
- wolfSSL_DH_generate_key: Fix case where not enough buffer was allocated for 128 bit case
- pkcs8_encode: Add DSA and DH support
- wolfSSL_d2i_PKCS8_PKEY: Correctly advance buffer
- RSA_LOW_MEM: export all integers in compat layer
- Add softhsm action
- Define
  - OPENSSL_DH_MAX_MODULUS_BITS
  - OPENSSL_DSA_MAX_MODULUS_BITS
  - OPENSSL_RSA_MAX_MODULUS_BITS
- Implement
  - BN_mul_word
  - i2d_ECPKParameters
  - PEM_write_bio_PKCS8_PRIV_KEY_INFO
  - PEM_read_bio_PKCS8_PRIV_KEY_INFO
  - i2d_PKCS8_PRIV_KEY_INFO
  - RSA_padding_add_PKCS1_PSS_mgf1
  - RSA_verify_PKCS1_PSS_mgf1
2024-10-21 17:26:42 +02:00
JacobBarthelmeh
8fda4ce147 use heap hint with wolfSSL_CTX_check_private_key 2024-10-21 08:53:15 -06:00
JacobBarthelmeh
ef063aac2f Merge pull request #8091 from julek-wolfssl/openvpn-action-update
openvpn action: remove v2.6.0 as certs have expired
2024-10-21 08:50:53 -06:00
Juliusz Sosinowicz
e1aba52e51 openvpn action: remove v2.6.0 as certs have expired 2024-10-21 13:50:36 +02:00
philljj
ea3a79e216 Merge pull request #8089 from douzzer/20241017-wc-delete-methods
20241017-wc-delete-methods
2024-10-19 11:07:19 -05:00
Daniel Pouzzner
996986d0c1 refactor wc_AesDelete, wc_curve25519_delete, wc_ed25519_delete, wc_HashDelete, and wc_DeleteRsaKey to take two arguments, the first a required pointer to the object, the second an optional pointer to the pointer to be zeroed upon successful deletion, for the benefit of calling from C# without unsafe code.
wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs: update for new calling conventions around wc_AesNew, wc_curve25519_new, wc_ed25519_new, wc_HashNew, and wc_NewRsaKey, and the corresponding delete functions.
2024-10-18 21:13:38 -05:00
Daniel Pouzzner
f44d12026a wolfssl/wolfcrypt/{aes.h,curve25519.h,ed25519.h,hash.h,rsa.h}: remove unneeded .isAllocated member from struct definitions, and add int *result_code argument to constructor prototypes;
wolfssl/wolfcrypt/aes.h: add Aes.streamData_sz;

src/tls13.c: fix devId passed to wc_HmacInit() in CreateCookieExt() and TlsCheckCookie();

src/keys.c: in SetKeys(), call wc_HmacInit() on hmacs only if newly allocated;

wolfcrypt/src/aes.c:
* in wc_Gmac(), wc_GmacVerify(), and AesSivCipher(), use wc_AesNew() and wc_AesDelete();
* in wc_AesInit(), zero the object on entry, and remove superseded piecemeal initializations to zero;
* in wc_AesFree(), zero aes->streamData, and zero the entire object as final cleanup;

wolfcrypt/src/curve25519.c: in wc_curve25519_free(), zero the entire object rather than zeroing piecemeal;

wolfcrypt/test/test.c:
* add fallback implementations (for old FIPS) of wc_HashNew(), wc_HashDelete(), wc_curve25519_new(), wc_curve25519_delete(), wc_ed25519_new(), and wc_ed25519_delete();
* update constructor calls throughout for new semantics;
* refactor ed25519_test() for proper cleanup and error encoding.
2024-10-18 17:49:28 -05:00
Daniel Pouzzner
984d16b727 refactor wolfcrypt constructors:
add delete APIs, matching recently added wc_AesNew, wc_curve25519_new, wc_ed25519_new, wc_HashNew, and wc_NewRsaKey:
* wc_AesDelete()
* wc_HashDelete()
* wc_DeleteRsaKey()
* wc_curve25519_delete()
* wc_ed25519_delete()

* remove handling in corresponding preexisting free APIs for recently added .isAllocated member -- this restores preexisting semantics;

* add WC_NO_CONSTRUCTORS gate, and auto-activate it when NO_WOLFSSL_MEMORY && WOLFSSL_NO_MALLOC (unless preempted by XMALLOC_USER or XMALLOC_OVERRIDE);

* exclude recently added .isAllocated members from wolfcrypt structs when defined(WC_NO_CONSTRUCTORS);

* adjust wolfcrypt/test/test.c for consistency with the above, and fix cleanup codes/dynamics in several tests.
2024-10-17 18:48:07 -05:00
Andras Fekete
b215398bd4 Don't need to upload/download artifacts 2024-10-17 16:49:27 -04:00
philljj
61b726fae7 Merge pull request #8088 from douzzer/20241016-dtls13-cleanup
20241016-dtls13-cleanup
2024-10-17 15:58:07 -04:00
Andras Fekete
752b2c075c Add exception to forked repos 2024-10-17 15:09:03 -04:00
Andras Fekete
8ed406c69d Fix test issues 2024-10-17 12:08:21 -04:00
Daniel Pouzzner
06de22e72b api.c:test_wolfSSL_dtls_stateless_maxfrag(): add missing condition (clang-analyzer-core.NullDereference). 2024-10-17 10:57:19 -05:00
Daniel Pouzzner
fa65da7bb0 analyzer-driven cleanups of --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch:
Dtls13HashClientHello(): fix wc_HashType handling;

Dtls13SendFragment(): fix identicalConditionAfterEarlyExit;

GetDtlsRecordHeader(): fix error handling around GetDtls13RecordHeader() (incorrectLogicOperator);

test_wolfSSL_dtls_stateless_maxfrag(): fix a clang-analyzer-core.NullDereference,
test_dtls_frag_ch(): fix a clang-diagnostic-embedded-directive,
test_AEAD_limit_client(): fix an united-data defect found by valgrind.
2024-10-17 00:06:32 -05:00
Daniel Pouzzner
abc6edf4c7 Merge pull request #7796 from SparkiDev/dtls_read_write_threaded
SSL asynchronous read/write and encrypt
2024-10-17 00:05:47 -05:00
Daniel Pouzzner
8803f3dd70 Merge pull request #8085 from philljj/fix_coverity
Fix coverity errors
2024-10-16 17:18:31 -05:00
Daniel Pouzzner
cc421ddace Merge pull request #8075 from night1rider/MAX-HW-SHA-FIX
Fixing CB needing HAVE_AES_ECB and SHA struct issue for MAX32666/5 port
2024-10-16 17:17:01 -05:00
Daniel Pouzzner
0c640eb3c5 Merge pull request #8081 from SparkiDev/arm32_thumb2_asm_fix
Thumb2 ASM: indicated by WOLFSSL_ARMASM_THUMB2
2024-10-16 17:00:01 -05:00
Daniel Pouzzner
49ad2d5c46 Merge pull request #8079 from SparkiDev/arm32_asm_regen
ARM32 ASM: regeneration after scripts changes
2024-10-16 16:45:28 -05:00
Andras Fekete
4ca0176668 Need 'libfile' for license.pl 2024-10-16 17:37:17 -04:00
Daniel Pouzzner
9665434694 Merge pull request #8080 from SparkiDev/coverity_fix_5
Unit test: fix coverity issue
2024-10-16 16:31:27 -05:00
Daniel Pouzzner
4ed3c00b29 Merge pull request #8078 from SparkiDev/sp_c_cast_and
SP C: cast after and with constant
2024-10-16 16:30:15 -05:00
jordan
554ebc2e9e coverity: fix double free of encryptedContent. 2024-10-16 16:27:44 -05:00
Daniel Pouzzner
a833d6e9b2 Merge pull request #8084 from anhu/kyber_levels
Correct kyber levels. Was copy and paste error.
2024-10-16 15:54:18 -05:00
jordan
115507e0c0 coverity: null check. 2024-10-16 13:08:06 -05:00
Anthony Hu
db6df887a6 Correct kyber levels. Was copy and paste error. 2024-10-16 13:39:57 -04:00
jordan
d6fe15af8c coverity: check mp_sub_d return values. 2024-10-16 11:23:33 -05:00
philljj
2abbab2fd8 Merge pull request #8082 from SparkiDev/bn_bin2bn_fix
BN API: fix BN_bin2bn to handle NULL data properly
2024-10-16 12:00:41 -04:00
Sean Parkinson
64a9e6f7c4 BN API: fix BN_bin2bn to handle NULL data properly
BN_bin2bn was freeing the BN and returning it.
Added test for this.
2024-10-16 14:08:55 +10:00
Sean Parkinson
1ce90cc8a5 Thumb2 ASM: indicated by WOLFSSL_ARMASM_THUMB2
Detecting ARM or Thumb2 is not simple so making our own define that will
work: WOLFSSL_ARMASM_THUMB2 to indicate to use Thumb2 assembly code.
2024-10-16 13:56:44 +10:00
Sean Parkinson
b8d3b990ea Unit test: fix coverity issue
test_wolfSSL_i2d_ASN1_TYPE: don't use str after freeing it.
2024-10-16 12:40:02 +10:00
gojimmypi
a13f48aea0 Update Espressif Examples 2024-10-15 18:36:28 -07:00
Sean Parkinson
db6a2ccdca Merge pull request #8077 from douzzer/20241015-C89-pedantic-fixes
20241015-C89-pedantic-fixes
2024-10-16 10:47:54 +10:00
Sean Parkinson
fb8d2fc42f ARM32 ASM: regeneration after scripts changes
Scripts changed to make generated code not go over 80 characters per
line but SP not updated.
Fix input register formatting in all ARM32 C assembly code.
2024-10-16 10:25:16 +10:00
Sean Parkinson
e4a661ff6e SSL asynchronous read/write and encrypt
Add support for being able to read and write in different threads with
same SSL object.
Add support for encrypt in threads.
2024-10-16 10:14:21 +10:00
Sean Parkinson
a81aa287a5 SP C: cast after and with constant
Always cast to sp_digit after and with a constant that would convert
value to integer.
2024-10-16 09:48:10 +10:00
Daniel Pouzzner
ffc07215a4 clean up wolfcrypt code base for -std=c89 -pedantic: add WC_BITFIELD macro to avoid -Wpedantics for "type of bit-field ... is a GCC extension", with overrideable default definition "byte", and replace parent types of all bitfields with WC_BITFIELD;
fix numerous trailing commas in enums, mostly by removing them, but one (in asn.h, enum Extensions_Sum) using WOLF_ENUM_DUMMY_LAST_ELEMENT();

rearrange bitfields in struct ed25519_key for contiguity;

always define WOLFSSL_SP_NO_DYN_STACK when defined(WOLF_C89).
2024-10-15 18:24:03 -05:00
Daniel Pouzzner
4fd33b6b5d Merge pull request #8014 from SparkiDev/lms_sha256_192
LMS: SHA-256/192 parameters
2024-10-15 17:24:46 -05:00
Sean Parkinson
ae46f52a66 LMS: SHA-256/192 parameters
Add support for parameter sets with SHA-256/192.
2024-10-16 07:15:18 +10:00
philljj
6cde74436e Merge pull request #8065 from douzzer/20241010-WOLFSSL_NO_MALLOC
20241010-WOLFSSL_NO_MALLOC
2024-10-15 17:03:25 -04:00
Daniel Pouzzner
cd8d158964 Merge pull request #8073 from philljj/fix_infer_issues
infer: fix dead store, and uninitialized value errors.
2024-10-15 15:42:48 -05:00
Daniel Pouzzner
c7146640f9 Merge pull request #8055 from rizlik/ocsp-cb-ret-propagate
ocsp: propagate ocsp cb return error
2024-10-15 15:38:09 -05:00
night1rider
1449f4f4d7 Fixing CB needing HAVE_AES_ECB and SHA struct issue for MAX3266X Hardware 2024-10-15 14:18:07 -06:00
jordan
f5074772da infer: fix more uninitialized value errors. 2024-10-15 12:41:09 -05:00
Daniel Pouzzner
3e1f365e75 Merge pull request #8064 from SparkiDev/regression_fixes_14
Regression test fixes
2024-10-15 11:47:37 -05:00
Andras Fekete
a5331d406c Revert "Merge pull request #8072 from rizlik/github-fix"
This reverts commit 0f8b4dbc63, reversing
changes made to 743a78dc85.
2024-10-15 12:39:01 -04:00
Marco Oliverio
724fdae7d7 ocsp: propagate ocsp cb return error 2024-10-15 10:03:15 +00:00
jordan
e3c2c650aa infer: fix dead store, and uninitialized value errors. 2024-10-14 22:45:17 -05:00
Daniele Lacamera
cc7ccf951a Move heap variable to all sha implementations 2024-10-14 14:21:29 -05:00
Daniel Pouzzner
260a0dee47 examples/client/client.c: fix numbering annotations, and fix string literal grouping for "-H". 2024-10-14 14:21:29 -05:00
Daniel Pouzzner
0d5d05d44d more WOLFSSL_NO_MALLOC fixes:
wolfcrypt/src/dh.c: in wc_DhGenerateParams(), use named constant for buf size, and only XFREE it if !WOLFSSL_NO_MALLOC;

wolfcrypt/src/ecc.c and wolfssl/wolfcrypt/ecc.h: in wc_ecc_new_point_ex(), remove !WOLFSSL_NO_MALLOC gate around XMALLOC(), and if XMALLOC()ed, set ecc_point.isAllocated, then in wc_ecc_del_point_ex, XFREE() iff ecc_point.isAllocated;

wolfcrypt/src/pkcs7.c: in wc_PKCS7_RsaVerify(), when WOLFSSL_NO_MALLOC, jumbo-size the digest buffer to cope with in-place dynamics in RsaUnPad();

wolfcrypt/test/test.c: add !WOLFSSL_NO_MALLOC gates around various XFREE()s of objects that are on the stack in WOLFSSL_NO_MALLOC builds;

wolfssl/wolfcrypt/types.h: add an unconditional include of memory.h (itself guarded against multiple inclusion) to assure availability of WC_DEBUG_CIPHER_LIFECYCLE prototypes/macros.
2024-10-14 14:21:29 -05:00
Daniel Pouzzner
9312f3cb86 wolfssl/wolfcrypt/types.h: define USE_WOLF_STRDUP for the fallback definition of XSTRDUP regardless of WOLFSSL_NO_MALLOC (wc_strdup_ex() uses XMALLOC(), which may be a user or static pool allocator). 2024-10-14 14:21:29 -05:00
Daniel Pouzzner
0665ff9de7 wolfcrypt/src/asn.c: revert earlier WOLFSSL_NO_MALLOC changes (not needed, after proper gating in test.c). 2024-10-14 14:21:29 -05:00
Daniel Pouzzner
551eb3f44b wolfcrypt/src/ed25519.c and wolfcrypt/src/hash.c: remove gating around isAllocated XFREE()s in wc_ed25519_free() and wc_HashFree(). 2024-10-14 14:21:28 -05:00
Daniel Pouzzner
dc2a8118de Revert "Allow compiling aes.c with WOLFSSL_NO_MALLOC"
This reverts commit 56a96ba609.
2024-10-14 14:21:28 -05:00
Daniel Pouzzner
ee92f38f88 Revert "fix unused variables"
This reverts commit 06195a2e2a.
2024-10-14 14:21:28 -05:00
Daniel Pouzzner
2ca3e1100e Revert "Move heap variable to all sha implementations"
This reverts commit a3f6babfdc.
2024-10-14 14:21:28 -05:00
Daniel Pouzzner
886ebb6ec0 fixes for enable-all-crypto enable-cryptonly WOLFSSL_NO_MALLOC:
wolfcrypt/src//asn.c: add stack buffer codepaths in ParseKeyUsageStr(), SetKeyIdFromPublicKey(), and EncodePolicyOID;

wolfcrypt/src/dh.c: add stack buffer codepath in wc_DhGenerateParams();

wolfcrypt/src/ecc.c: add always-fail codepath to find_hole() to preempt heap allocation attempts;

wolfcrypt/test/test.c: gate out several heap-dependent subtests when defined(WOLFSSL_NO_MALLOC), and add a stack buffer codepath in ed448_test();

wolfssl/wolfcrypt/types.h: harmonize macro definitions of XFREE() to use do { ... } while (0) wrappers to assure syntactic indivisibility.
2024-10-14 14:21:28 -05:00
Daniel Pouzzner
0f8b4dbc63 Merge pull request #8072 from rizlik/github-fix
ci: github: fix ubuntu version to 22.04
2024-10-14 13:47:44 -05:00
Marco Oliverio
5d3f7c2528 ci: github: fix ubuntu version to 22.04 2024-10-14 16:46:45 +00:00
Juliusz Sosinowicz
743a78dc85 Merge pull request #8046 from embhorn/zd18758
Clear ctx in wolfSSL_EVP_DigestInit
2024-10-14 14:35:20 +02:00
Daniel Pouzzner
caf920100c Merge pull request #8051 from cconlon/eccOidCacheLock
Add lock around static ECC ecc_oid_cache
2024-10-11 17:34:54 -05:00
Daniel Pouzzner
dfd8ead95e Merge pull request #8050 from philljj/fix_acert_defines
Fix acert defines, add more tests, cleanup.
2024-10-11 16:22:34 -05:00
Daniel Pouzzner
f8da04d8b0 Merge pull request #7766 from miyazakh/zd18141_tls13_ocsp
Add OCSP response for intermediate cert into Certificate extension on TLS1.3
2024-10-11 15:49:19 -05:00
Sean Parkinson
65742c4a7a ARM32 ASM: regenerated with fixes
Fix thumb interwork def check to be consistent and update #endif.
Remove duplicate check in generated C files.
2024-10-11 09:07:57 +02:00
Sean Parkinson
5f1ddadf71 Regression test fixes
Fix unit tests to not compile when NO_RSA is defined and RSA used.
test_wc_PKCS7_EncodeSignedData: only RSA supported with streaming.
test_wolfSSL_RSA when SP math and SP: CRT parameters required.
test_wolfSSL_OCSP_REQ_CTX to compile with NO_ASN_TIME.
test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS: make sure all objects freed even
on memory allocation failure.
test_wolfSSL_error_cb: don't use bio if is NULL.
test_wolfSSL_BN_enc_dec: don't free a twice on memory allocation error.
test_wc_dilithium_der: remove debug printing
test_othername_and_SID_ext: make sid_oid NULL after free to ensure no
double free on later memory allocation failure.
test_wolfSSL_RSA: don't leak when BN_dup fails.
test_wolfSSL_i2d_ASN1_TYPE: free ASN1 string whn no ASN1 type to put it
into.
test_tls13_rpk_handshake: don't leak on failure
test_dtls_client_hello_timeout_downgrade: only move memory when test is

wolfSSL_certs_clear, wolfSSL_set_SSL_CTX, SetSSL_CTX: Check return from
AllocCopyDer.
d2i_generic: make sure impBuf is only freed once.
wolfSSL_BIO_write: don't dereference front unless it is not NULL.
wolfssl_dns_entry_othername_to_gn: don't free obj twice
wolfSSL_X509_REQ_add1_attr_by_NID: don't access reqAttributes if NULL.
succeeding.
2024-10-11 11:49:01 +10:00
Sean Parkinson
9c4960f3fa Merge pull request #8035 from danielinux/armv8-armasm-ARMv7-A
Allow armv8-asm on ARMv7-A with -mthumb-interwork
2024-10-11 09:49:31 +10:00
Daniel Pouzzner
daef866313 Merge pull request #8053 from danielinux/fix-no-malloc
Allow building with WOLFSSL_NO_MALLOC again
2024-10-10 16:27:28 -05:00
JacobBarthelmeh
c49f571a79 Merge pull request #8059 from douzzer/20241010-WOLFCRYPT_TEST_LINT
20241010-WOLFCRYPT_TEST_LINT
2024-10-10 14:16:51 -06:00
Jack Tjaden
864eaaeef9 Added more discriptive README for NDS and MelonDS C-flag 2024-10-10 12:50:09 -06:00
Daniel Pouzzner
bcc65a09ca wolfcrypt/test/test.c: harmonize gating for hpke_test() and berder_test(), so that --enable-all-crypto passes -DWOLFCRYPT_TEST_LINT. 2024-10-10 01:06:05 -05:00
Daniel Pouzzner
b5475f3d81 wolfcrypt/test/test.c: add WOLFSSL_WOLFCRYPT_TEST_LINT, allowing testing for -Wunused-function in enable-all configurations. No functional changes, but several missing or inconsistent gates fixed. 2024-10-10 00:25:39 -05:00
Daniel Pouzzner
8b2a26a691 Merge pull request #8054 from bandi13/fixUncalledTest
Test was never called
2024-10-10 00:00:07 -05:00
John Safranek
8d3ed05272 Merge pull request #8058 from douzzer/20241009-wolfcrypt_test-FIPS-SMALL_STACK
20241009-wolfcrypt_test-FIPS-SMALL_STACK
2024-10-09 17:52:52 -07:00
Daniel Pouzzner
12ba4355d2 configure.ac and wolfssl/wolfcrypt/settings.h: define WOLFSSL_FIPS_READY for fips=ready, WOLFSSL_FIPS_DEV for fips=dev, and add predefined override FIPS version values when defined(WOLFSSL_FIPS_READY) || defined(WOLFSSL_FIPS_DEV). 2024-10-09 17:58:31 -05:00
Daniel Pouzzner
74d14d9687 wolfcrypt/test/test.c: fix for FIPS <6.0.0 with WOLFSSL_SMALL_STACK. 2024-10-09 16:40:48 -05:00
Aidan Garske
64a359c501 Merge pull request #8057 from gojimmypi/workflow-update 2024-10-09 13:41:28 -07:00
Chris Conlon
7b805d7a7d Add lock around static ECC ecc_oid_cache 2024-10-09 14:35:14 -06:00
gojimmypi
e81ae7bcb6 Run win-csharp-test only for wolfssl owner 2024-10-09 11:14:28 -07:00
Daniel Pouzzner
10e449dc00 Merge pull request #8056 from bandi13/fixCoverity
Add several fixes to coverity scan
2024-10-09 10:59:41 -05:00
Andras Fekete
c8840a53ad Add several fixes to coverity scan 2024-10-09 11:51:56 -04:00
Andras Fekete
d3f143aa2a Test was never called 2024-10-09 09:20:17 -04:00
Daniele Lacamera
a3f6babfdc Move heap variable to all sha implementations 2024-10-09 15:11:42 +02:00
Daniele Lacamera
06195a2e2a fix unused variables 2024-10-09 14:06:38 +02:00
Daniele Lacamera
56a96ba609 Allow compiling aes.c with WOLFSSL_NO_MALLOC 2024-10-09 13:55:42 +02:00
Daniele Lacamera
43574e2255 Allow building with WOLFSSL_NO_MALLOC again 2024-10-09 13:44:03 +02:00
Daniele Lacamera
a23d384e06 Improve guards to build with -mthumb-interwork 2024-10-09 12:41:55 +02:00
jordan
244fff844f acert: pacify c++ style comment warning. 2024-10-08 21:21:25 -05:00
jordan
bed680a96c acert: line length. 2024-10-08 20:47:49 -05:00
jordan
deda512598 acert: fix unused store error. 2024-10-08 17:05:53 -05:00
jordan
410e2f148c Missing free call. 2024-10-08 16:17:16 -05:00
jordan
052cf77233 acert: fix defines, cleanup, more testing. 2024-10-08 16:11:46 -05:00
Daniel Pouzzner
ce9d0e236c Merge pull request #8047 from ColtonWilley/x509_store_free_ref
Free X509 store ref on store free
2024-10-08 15:25:16 -05:00
Daniel Pouzzner
e6dac68ce3 Merge pull request #7966 from cconlon/x509CheckHostLeftWildcardOnly
Add left-most wildcard matching support to X509_check_host()
2024-10-08 15:17:27 -05:00
Daniel Pouzzner
4a37947d8f Merge pull request #3166 from dgarske/csharp_wolfcrypt
wolfCrypt CSharp Wrapper
2024-10-08 14:52:40 -05:00
David Garske
e4f4274b4a Fix AesSivCipher heap hint on cleanup. 2024-10-08 12:11:15 -07:00
David Garske
4753e1c32e Use byte for isAllocated bit-field. Cleanup some of the "heap" hint logic. 2024-10-08 10:37:45 -07:00
Chris Conlon
f878220b81 add WOLFSSL_LEFT_MOST_WILDCARD_ONLY support to X509_check_host() 2024-10-08 10:38:14 -06:00
Colton Willey
b4146bad18 Free X509 store ref on store free 2024-10-07 13:09:47 -07:00
Eric Blankenhorn
cd5ddeb1c5 Clear ctx in wolfSSL_EVP_DigestInit 2024-10-07 14:20:50 -05:00
David Garske
bf29b68600 Merge pull request #8045 from rizlik/sniffer-fix
sniffer: set ssl->curSize before invoking Do* routines
2024-10-07 07:38:27 -07:00
Marco Oliverio
92faa915e4 sniffer: set ssl->curSize before invoking Do* routines
commit 99a99e3d6e changes DoApplication to
use ssl->curSize as the size of the current decrypted record. Fix
sniffer code to set this value.
2024-10-07 08:56:35 +00:00
David Garske
59389a0ef5 Fix possible AES leaks detected with sanitizer and clang-tidy. 2024-10-05 11:52:22 -07:00
David Garske
b9de3bbf1a Fixes for memory leaks in test.c with wc_AesNew and wc_HashNew. 2024-10-05 11:44:59 -07:00
David Garske
dbd3484fdc Fix for issue with wc_HashAlg being a union. 2024-10-05 11:44:59 -07:00
David Garske
0bb41e1eb4 Resolve hash new leak due to improper heap hint check. Make sure isAllocated is initialized to 0. 2024-10-05 11:44:58 -07:00
David Garske
7989dd8713 Refactor the AES ECB/Direct, CBC and CTR tests. 2024-10-05 11:44:58 -07:00
Aidan Garske
e10c943bf3 wolfCrypt CSharp Wrapper:
* Adds RNG, ECC(ECIES and ECDHE), RSA, ED25519/Curve25519, AES-GCM, and Hashing to the CSharp wrapper.
* Adds GitHub action for building the CSharp wrapper solution and running wolfCrypt test and a TLS server/client example.
* Adds "new" API's for wolfCrypt for platforms that cannot tolerate the structs directly.
* Fixes for several scan-build warnings.
2024-10-05 11:44:58 -07:00
David Garske
c230e10f4a Merge pull request #8044 from douzzer/20241004-wc_static_assert
20241004-wc_static_assert
2024-10-05 09:11:11 -07:00
Hideki Miyazaki
5105082a1f addressed review comments 2024-10-05 15:25:34 +09:00
Hideki Miyazaki
b84a4e1c8d fix pr unit test 2024-10-05 15:25:34 +09:00
Hideki Miyazaki
7a1d0e0dc8 addressed review comment 2024-10-05 15:25:34 +09:00
Juliusz Sosinowicz
16dc67f421 SendTls13Certificate: set variables directly instead of incrementing 2024-10-05 15:25:32 +09:00
Juliusz Sosinowicz
29e27889ee TLSX_CSR_InitRequest_ex: decrement csr->requests when reusing 2024-10-05 15:25:08 +09:00
Hideki Miyazaki
dab764a08e fix pr test 2024-10-05 15:25:08 +09:00
Hideki Miyazaki
69e390f8b9 works OCSP Stapling with TLS1.3 like OCSPv2Multi 2024-10-05 15:25:03 +09:00
Daniel Pouzzner
e944967731 wolfssl/wolfcrypt/types.h: add WC_NO_STATIC_ASSERT path, and add C89-compatible live fallback definition for wc_static_assert().
wolfssl/internal.h: refactor WOLFSSL_ASSERT_EQ() and WOLFSSL_ASSERT_SIZEOF_GE() to use wc_static_assert(), and drop unused WOLFSSL_ASSERT_TEST() and WOLFSSL_ASSERT_SIZEOF_TEST().

src/ssl_crypto.c and wolfcrypt/src/evp.c: refactor ad hoc asserts in wolfSSL_DES_ecb_encrypt(), wolfSSL_CRYPTO_cts128_decrypt(), and wolfSSL_EVP_DigestInit(), to use wc_static_assert().
2024-10-04 21:11:25 -05:00
Daniel Pouzzner
a25c0244a7 wolfssl/wolfcrypt/types.h: refactor static_assert*() as wc_static_assert*() to avoid conflicts with target-native static_assert(), and add additional coverage for C23 and MSVC C11.
wolfcrypt/test/test.c: in render_error_message(), in tests for strerror_r(), test for __USE_GNU.
2024-10-04 16:41:33 -05:00
András Fekete
4962180a93 Merge pull request #7726 from embhorn/coverity-workflow
Add Coverity scan workflow
2024-10-04 14:06:01 -04:00
Eric Blankenhorn
f4b603fa4e test cron 2xd 2024-10-04 12:37:27 -05:00
Eric Blankenhorn
032ab3b57e Add Coverity scan workflow 2024-10-04 12:37:26 -05:00
JacobBarthelmeh
898815f11b Merge pull request #8042 from douzzer/20241004-WOLFSSL_ARM_ARCH_7M
20241004-WOLFSSL_ARM_ARCH_7M
2024-10-04 10:15:41 -06:00
Daniel Pouzzner
7ff3b9b79d wolfssl/wolfcrypt/settings.h: add setup for WOLFSSL_ARM_ARCH_7M. 2024-10-04 10:04:30 -05:00
Daniel Pouzzner
2e539ef70c Merge pull request #7983 from philljj/tiny_dilithium_cleanup
dilithium: small cleanup to support wolfboot.
2024-10-03 23:37:11 -05:00
Daniel Pouzzner
f1e6dd2bac Merge pull request #8037 from gojimmypi/pr-espressif-benchmark
Improve benchmark for Espressif devices
2024-10-03 23:36:27 -05:00
Daniel Pouzzner
ea4d6c00f6 Merge pull request #8040 from SparkiDev/kyber_arm32_asm_base
Kyber ARM32 ASM: add assembly using base instructions
2024-10-03 23:24:45 -05:00
Sean Parkinson
f7afc47d98 Kyber ARM32 ASM: add assembly using base instructions
Support ARMv4 up to ARMv8.
Base instructions only - faster implemenation will use NEON.
2024-10-04 11:06:18 +10:00
jordan
c3410f2cb8 dilithium: support building dilithium with wolfboot. 2024-10-03 16:38:12 -05:00
David Garske
d0d802a2df Merge pull request #8038 from SparkiDev/sp_math_ppc_li_fix
SP Maths: PowerPC ASM fix
2024-10-03 11:03:31 -07:00
David Garske
afe5209427 Merge pull request #7706 from SparkiDev/kyber_thumb2_asm
Kyber ASM ARMv7E-M/ARMv7-M: added assembly code
2024-10-03 10:56:42 -07:00
Sean Parkinson
0668c6ea5d Merge pull request #8039 from douzzer/20241002-fix-for-cppcheck-force-source
20241002-fix-for-cppcheck-force-source
2024-10-03 20:57:09 +10:00
Sean Parkinson
d2047986d9 Kyber ASM ARMv7E-M/ARMv7-M: added assembly code
Improved performance by reworking kyber_ntt, kyber_invtt,
kyber_basemul_mont, kyber_basemul_mont_add, kyber_rej_uniform_c to be
in assembly.
Replace WOLFSSL_SP_NO_UMAAL with WOLFSSL_ARM_ARCH_7M
2024-10-03 18:11:31 +10:00
Daniel Pouzzner
b81cc50a70 src/internal.c: in ProcessReplyEx() in the verifyMessage case, refactor some gating/conditionalization around ATOMIC_USER, HAVE_ENCRYPT_THEN_MAC, atomicUser, and ssl->options.startedETMRead, to avoid "Logical disjunction always evaluates to true" from cppcheck incorrectLogicOperator (via multi-test cppcheck-force-source) (warned code introduced by 99a99e3d6e). 2024-10-02 19:19:39 -05:00
Sean Parkinson
695914ed33 SP Maths: PowerPC ASM fix
The instruction 'li' is a pseduo instruction for 'load immediate'.
With some compilers, the immediate was interpretted R0[0].
Change to use XOR instead.
2024-10-03 09:00:06 +10:00
Daniel Pouzzner
e814d1baea Merge pull request #8016 from SparkiDev/dilithium_draft_final_fix
Dilithium: Final and draft available in one build
2024-10-02 14:02:00 -05:00
Daniel Pouzzner
24d1b11993 Merge pull request #7988 from gasbytes/fix-conversion
Fix Wconversion in the tls* and api/test* files
2024-10-02 12:26:38 -05:00
gojimmypi
cd6bea852b Improve benchmark for Espressif devices 2024-10-02 09:54:48 -07:00
Reda Chouk
ea852c1c67 missing argument 2024-10-02 17:21:50 +02:00
Reda Chouk
10f0885d88 Merge branch 'master' into fix-conversion 2024-10-02 17:14:06 +02:00
Sean Parkinson
50bbdbbe42 Dilithium: Final and draft available in one build
Make draft version of ML-DSA compiled in with final.
Use WC_ML_DSA_44_DRAFT, WC_ML_DSA_65_DRAFT and WC_ML_DSA_87_DRAFT for
the level to get the draft implementation.
2024-10-02 22:23:25 +10:00
Daniel Pouzzner
925fbf3bf7 Merge pull request #8034 from philljj/acert_fix_staticmem_build
acert: correct XFREE call.
2024-10-01 23:09:21 -05:00
jordan
1690ad7366 acert: correct XFREE call. 2024-10-01 21:57:53 -04:00
Sean Parkinson
ac788ec40d Merge pull request #7995 from julek-wolfssl/dtls12-cid
Implement DTLS 1.2 Connection ID (CID)
2024-10-02 09:00:59 +10:00
Sean Parkinson
b8dff12e06 Merge pull request #8033 from douzzer/20241001-fixes
20241001-fixes
2024-10-02 07:50:40 +10:00
Daniel Pouzzner
a04871f153 examples/pem/pem.c: fix double-free introduced in 65853a41b9;
configure.ac and src/include.am: add ENABLED_ARM_THUMB, BUILD_ARM_THUMB, BUILD_ARM_NONTHUMB, ENABLED_ARM_64, BUILD_ARM_64, ENABLED_ARM_32. and BUILD_ARM_32, and use them to gate building of ARM asm files, to fix "ISO C forbids an empty translation unit" warnings (the warning only affects inline asm files, but the gating is deployed more widely).
2024-10-01 16:03:37 -05:00
Reda Chouk
666e658398 trailing spaces and overlong lines fixes 2024-10-01 16:28:31 +02:00
David Garske
59279515f4 Merge pull request #8030 from gojimmypi/pr-fix-thread_local_start
Espressif _thread_local_start and _thread_local_end fix
2024-10-01 06:49:06 -07:00
Reda Chouk
3193ecb2c3 fixed Wconversion in the api.c file 2024-10-01 15:07:59 +02:00
Sean Parkinson
f15700f1f6 Merge pull request #8031 from douzzer/20240930-clang-tidy
20240930-clang-tidy
2024-10-01 22:38:18 +10:00
gojimmypi
75a676bc7e Espressif _thread_local_start and _thread_local_end fix 2024-10-01 03:19:31 -07:00
Marco Oliverio
7e69c2049b dtls cid: address reviewer's comments 2024-10-01 06:45:37 +00:00
Daniel Pouzzner
65853a41b9 fixes, coddling, and suppressions for clang-tidy complaints:
examples/pem/pem.c: fix stdio stream leaks.

src/ssl.c and src/ssl_load.c: suppress concurrency-mt-unsafe around getenv().  getenv() is threadsafe as long as no threads putenv() or setenv().

wolfssl/openssl/asn1.h: add parentheses to fix bugprone-macro-parentheses in ASN1_EX_TEMPLATE_TYPE(), and suppress misfiring bugprone-macro-parentheses around IMPLEMENT_ASN1_FUNCTIONS().
2024-09-30 23:19:49 -05:00
JacobBarthelmeh
984dd9146f Merge pull request #8005 from ColtonWilley/copy_key_option
New option to always copy over key to SSL object
2024-09-30 14:20:07 -06:00
JacobBarthelmeh
ee7f02bbd6 Merge pull request #8004 from SparkiDev/dilithium_fixes_1
Dilithium: fixes
2024-09-30 10:01:16 -06:00
JacobBarthelmeh
113a61c11e Merge pull request #8025 from douzzer/20240927-fixes2
20240927-fixes2
2024-09-30 09:43:12 -06:00
David Garske
2db2bedd5f Merge pull request #8027 from SparkiDev/kyber_original_fix
Kyber original: fix to work
2024-09-30 07:58:30 -07:00
David Garske
47add7e9e2 Merge pull request #8020 from SparkiDev/arm32_base_chacha20_poly1305
ARM32 ChaCha20, Poly1305: assembly code
2024-09-30 06:53:37 -07:00
Sean Parkinson
bb67069e4a Kyber original: fix to work
Encapsulate the message (hash of rand) for original.
Final of FIPS 203 uses rand.
2024-09-30 22:05:26 +10:00
Sean Parkinson
e4301bc554 ARM32 generated files: fix line lengths
Generated ARM32 assembly files no longer have lines with more than 80
characters.
2024-09-30 08:50:31 +10:00
Daniel Pouzzner
60c2499602 wolfssl/wolfcrypt/types.h: when defining fallback do-nothing SAVE_VECTOR_REGISTERS2(), also define SAVE_VECTOR_REGISTERS2_DOES_NOTHING, and likewise for fallback CAN_SAVE_VECTOR_REGISTERS, define CAN_SAVE_VECTOR_REGISTERS_ALWAYS_TRUE;
wolfcrypt/src/aes.c:
* when SAVE_VECTOR_REGISTERS2_DOES_NOTHING, define do-nothing VECTOR_REGISTERS_PUSH and VECTOR_REGISTERS_POP, to mollify Coverity CONSTANT_EXPRESSION_RESULT;
* in AesGcmDecryptUpdate_aesni(), omit " && (c != NULL)" clause from computation of endA argument to AesGcmAadUpdate_aesni(), to mollify Coverity FORWARD_NULL (impermissible nullness is already checked and BAD_FUNC_ARGed by the sole caller, wc_AesGcmDecryptUpdate());

wolfcrypt/src/misc.c: add readUnalignedWord64(), writeUnalignedWord64(), readUnalignedWords64(), and writeUnalignedWords64(), for safe word64 access to possibly-unaligned data;

wolfcrypt/src/wc_kyber_poly.c: use readUnalignedWords64() and readUnalignedWord64() to mitigate sanitizer-reported "load of misaligned address".
2024-09-27 17:15:53 -05:00
JacobBarthelmeh
b96e73f9ed Merge pull request #7936 from gojimmypi/pr-add-espressif-esp-tls-cert-bundle
Add wolfSSL esp-tls and Certificate Bundle Support
2024-09-27 15:22:49 -06:00
JacobBarthelmeh
3178ce60c6 Merge pull request #8022 from douzzer/20240927-fixes
20240927-fixes
2024-09-27 10:48:27 -06:00
Daniel Pouzzner
794f0d8d19 src/pk.c: add missing "keySz = padded_keySz" in _DH_compute_key() ct cleanup path.
wolfcrypt/src/wc_kyber_poly.c: add SAVE_VECTOR_REGISTERS2()...RESTORE_VECTOR_REGISTERS() wrappers for AVX2 implementations.

src/bio.c and src/ssl.c: add several missing WC_NO_ERR_TRACE()s, and tweak several returns to generate error traces.
2024-09-27 00:28:45 -05:00
Colton Willey
3d9a4ccddc Use GetShortInt instead for CRL number extension parsing 2024-09-26 15:43:30 -07:00
JacobBarthelmeh
dd2186f68a Merge pull request #8021 from bigbrett/cmake-curl-uintptr_t-fix
fix cmake build error for curl builds
2024-09-26 15:31:07 -06:00
Colton Willey
6414cf61a7 Update comments for new flags in settings.h 2024-09-26 13:18:06 -07:00
David Garske
2285c02f1c Merge pull request #7998 from SparkiDev/kyber_aarch64_asm
Kyber Aarch64: assembly implementations of functions
2024-09-26 11:59:06 -07:00
Brett Nicholas
32ebaea158 add uintptr_t to config.h fixing curl cmake build error 2024-09-26 10:31:31 -06:00
András Fekete
a1a3a0b04f Merge pull request #7871 from gojimmypi/pr-repo-owner-check
Add conditional repository_owner to workflow
2024-09-26 12:18:58 -04:00
David Garske
46f6a60c9e Merge pull request #8019 from JacobBarthelmeh/nds
minor adjustments for NDS port
2024-09-26 08:58:43 -07:00
Sean Parkinson
2323a5cf59 ARM32 ChaCha20, Poly1305: assembly code
Add assembly code for ChaCha20 and Poly1305 on ARM32 when no NEON
available.
2024-09-26 20:24:58 +10:00
gojimmypi
2a354905cb Add wolfSSL esp-tls and Certificate Bundle Support, improve esp32_mp RSA 2024-09-25 19:42:21 -07:00
Sean Parkinson
de657787cf Kyber Aarch64: assembly implementations of functions
Aarch64 assembly implementation of Kyber functions.
SHA-3 assembly implementations when not hardware crypto.
2024-09-26 09:10:05 +10:00
David Garske
e26ac5e122 Merge pull request #8018 from JacobBarthelmeh/ci
initialize values for -Og test
2024-09-25 15:25:03 -07:00
JacobBarthelmeh
45b88048c2 make macro unique to wolfSSL 2024-09-25 15:59:57 -06:00
JacobBarthelmeh
4893017005 feature support will be listed in the next release notes 2024-09-25 15:54:59 -06:00
JacobBarthelmeh
d72c0b372c Merge pull request #7990 from buchstabenwurst/master
Add support for (DevkitPro)libnds
2024-09-25 15:52:34 -06:00
JacobBarthelmeh
bea285c8ef initialize values for -Og test 2024-09-25 14:57:09 -06:00
JacobBarthelmeh
efd4127b84 Merge pull request #8013 from douzzer/20240924-static_assert-MSVC
20240924-static_assert-MSVC
2024-09-25 11:55:05 -06:00
JacobBarthelmeh
79b5ec86f6 Merge pull request #8015 from gojimmypi/pr-mp_read_radix
gate test mp_read_radix on OPENSSL_EXTRA or !NO_DSA or HAVE_ECC
2024-09-25 11:35:57 -06:00
JacobBarthelmeh
2328a7e407 Merge pull request #8017 from philljj/misc_cleanup
misc cleanup: extra spaces, typos.
2024-09-25 11:26:31 -06:00
JacobBarthelmeh
4db1605914 Merge pull request #8012 from rizlik/dtls13-either-side
dtls13: support either side DTLSv1_3 method
2024-09-25 11:25:19 -06:00
JacobBarthelmeh
67b0c4d03f Merge pull request #8009 from philljj/asn_cleanup
asn: cleanup around edPubKeyASN.
2024-09-25 10:09:40 -06:00
jordan
e5109b3f41 misc cleanup: extra spaces, typos. 2024-09-25 09:51:48 -05:00
Brett Nicholas
7592241a46 Merge pull request #8007 from billphipps/fix_cmac_cryptocb
Update to separate CMAC and AES conditional compiles.  Correct update.
2024-09-25 08:43:27 -06:00
gojimmypi
393072037a gate test mp_read_radix on OPENSSL_EXTRA || !NO_DSA || HAVE_ECC 2024-09-24 17:23:04 -07:00
Bill Phipps
60dbe38226 Update cmac.c to eliminate extra spaces 2024-09-24 18:34:19 -04:00
Bill Phipps
13b26bc46b Update cryptocb.c to fix comment 2024-09-24 18:27:58 -04:00
Bill Phipps
60e1c03e46 Update cmac.h to move CmacType down for build compatibility 2024-09-24 18:23:26 -04:00
Daniel Pouzzner
267add1fb3 wolfssl/wolfcrypt/types.h: in static_assert setup section, test for _MSVC_LANG >= 201103L alongside __cplusplus >= 201103L. 2024-09-24 17:14:33 -05:00
JacobBarthelmeh
72711b4e15 Merge pull request #8010 from res0nance/win-arm64-support
Add ARM64 to Visual Studio Project
2024-09-24 14:34:42 -06:00
Daniel Pouzzner
f3e41aaf3a Merge pull request #8011 from ejohnstown/revert-small-stack-fp
Revert "FP SmallStack Fix"
2024-09-24 15:24:22 -05:00
JacobBarthelmeh
6b806f8bda Merge pull request #8008 from bandi13/fixFipsCheck
Fix '--depth=1' repos
2024-09-24 13:30:12 -06:00
Brett Nicholas
967dc443fa remove trailing whitespace 2024-09-24 12:58:01 -06:00
jordan
c6124d573a asn: tiny peer review cleanup. 2024-09-24 13:01:13 -05:00
Bill Phipps
8aa63e3aad One more time to quiet clang tidy 2024-09-24 13:43:56 -04:00
Bill Phipps
5e1db686e1 Update logic to avoid clang-tidy warning. 2024-09-24 13:14:00 -04:00
Marco Oliverio
76f71a31f1 dtls13: support either side DTLSv1_3 method 2024-09-24 16:56:02 +00:00
Bill Phipps
35442d27b5 Fixed overlong lines. Thanks clang-tidy 2024-09-24 12:48:54 -04:00
Joshua Okeleke
6c5b174e51 Replace dummy iovec with #define NO_WRITEV 2024-09-24 18:37:10 +02:00
John Safranek
17261467a6 Revert "FP SmallStack Fix"
This reverts commit 47e51400bb.

Turns out we don't want to put those fp_ints on the stack unless
absolutely necessary.
2024-09-24 09:19:43 -07:00
Bill Phipps
0d158fc663 Updates due to peer review 2024-09-24 12:06:19 -04:00
Joshua Okeleke
1896b47399 Change comment style 2024-09-24 16:35:29 +02:00
Marco Oliverio
9dccd66a3a address review: better guarding in test 2024-09-24 12:54:15 +00:00
res0nance
62c6a3d892 ci: add Win32 and ARM64 windows CI 2024-09-24 19:35:39 +08:00
res0nance
34224d84d3 win: add arm64 to wolfssl64.sln 2024-09-24 19:26:05 +08:00
res0nance
665fd89c55 win: add arm64 to sslsnifftest.vcxproj 2024-09-24 18:18:10 +08:00
res0nance
4f856773cf win: add arm64 to server.vcxproj 2024-09-24 18:15:40 +08:00
res0nance
8bf196f32c win: add arm64 to client.vcxproj 2024-09-24 18:11:42 +08:00
res0nance
45d51bfe49 win: add arm64 to echoserver.vcxproj 2024-09-24 18:07:41 +08:00
res0nance
28cebe8c7e win: add arm64 to echoclient.vcxproj 2024-09-24 18:04:07 +08:00
res0nance
f599a0a7c3 win: add arm64 to sslsniffer.vcxproj 2024-09-24 17:59:00 +08:00
res0nance
6735fcf695 win: add arm64 to testsuite.vcxproj 2024-09-24 17:55:44 +08:00
res0nance
112a4ddbad win: add arm64 to wolfssl.vcxproj 2024-09-24 17:25:26 +08:00
jordan
0f646b6e4b asn: cleanup around edPubKeyASN. 2024-09-23 23:24:36 -05:00
Colton Willey
720e24209a Updates for doxygen and review comments 2024-09-23 13:29:41 -07:00
Andras Fekete
09b5362ed8 Fix '--depth=1' repos
When the repo was checked out as a shallow copy, we need to unshallow so FIPS builds can successfully find all the required tags and branches.
2024-09-23 16:21:50 -04:00
Bill Phipps
c16ebaeb47 Update to seperate CMAC and AES conditional compiles. Correct update. 2024-09-23 15:33:52 -04:00
Colton Willey
e5022e3ef0 Fix broken endif 2024-09-23 12:11:04 -07:00
Colton Willey
183aef241c CRL improvements, add parsing for CRL number, do not allow CRL duplicates, add callback for when CRL entry is updated. 2024-09-23 11:52:39 -07:00
Colton Willey
1a4b821c64 Add pthread link for liboqs testing 2024-09-23 11:46:19 -07:00
gojimmypi
27adc66cca Add conditional repository_owner to workflow, remove socat strategy 2024-09-23 11:30:58 -07:00
Colton Willey
cad2bbd7a7 Add NULL checks on key copy 2024-09-23 10:18:23 -07:00
Colton Willey
634e547fba Initial implementation of new option to always copy over key to SSL ctx 2024-09-23 10:04:33 -07:00
Sean Parkinson
67528f91b3 Dilithium: fixes
Fixes to hint error dectection.
Fix public key decode to fail when DER length is zero for the public key
data.
2024-09-23 09:05:17 +10:00
Daniel Pouzzner
bc6881974d Merge pull request #8001 from ejohnstown/ecc-test-fix
ECC Test Fix
2024-09-20 20:53:28 -05:00
John Safranek
735c0f6b3a ECC Test Fix
The ECC key generation test was failing due not using large enough of a
buffer. Fixed to use a better size.

1. Set the shared digest/sig buffer size in
   _ecc_pairwise_consistency_test() to the maximum possible based on the
   math in wc_ecc_sig_sz().
2024-09-20 17:25:21 -07:00
David Garske
a9cc880f65 Merge pull request #7993 from miyazakh/renesas_rx65n_rsk_update
Update TSIP driver version to v1.21 for RX65N RSK
2024-09-20 17:07:21 -07:00
David Garske
3c67abc664 Merge pull request #7954 from JacobBarthelmeh/pkcs7
add option to set custom SKID with PKCS7 bundle creation
2024-09-20 17:05:44 -07:00
JacobBarthelmeh
554d52b069 Merge pull request #7777 from night1rider/MAX32666-port
MAX32665 and MAX32666 TPU HW and ARM ASM Crypto Callback Support
2024-09-20 17:14:34 -06:00
JacobBarthelmeh
9781c1fea4 Merge pull request #7999 from douzzer/20240920-fixes
20240920-fixes
2024-09-20 17:01:11 -06:00
Hideki Miyazaki
3f0a17b331 Update TSIP driver version to v1.21
Use ASN_TEMPLATE
Extracting YEAR and MONTH from __DATE__
2024-09-21 06:23:59 +09:00
ZackLabPC
1ffcf4000b Making HW Mutex Functions Private Api 2024-09-20 15:21:27 -06:00
JacobBarthelmeh
baab3348f4 Merge pull request #7997 from dgarske/stm32g4
Support for STM32G4
2024-09-20 14:05:43 -06:00
Daniel Pouzzner
55cd8a800f FIPS v5 gating fixes:
configure.ac:
* fix logic in "Forcing off" test expressions, first flubbed in 19106a9510;
* fix auto-enable of compkey to exclude v5 even if v5-dev.

src/tls13.c: fix gating for HKDF _ex() variants (>=6.0, not >=5.3).

wolfcrypt/src/error.c: snip out stray spaces at start of several ECC error message strings.

wolfcrypt/test/test.c:
* in render_error_message(), use wolfSSL_ERR_reason_error_string() if available rather than wc_GetErrorString(), to render non-wolfcrypt error strings;
* in ecc_test_deterministic_k(), ecc384_test_deterministic_k(), ecc521_test_deterministic_k(), on FIPS <6.0, gate out SHA384 and SHA512 tests (FIPS v5 only supports SHA256 in wc_ecc_gen_deterministic_k());
* in cmac_test(), gate use of wc_AesCmacGenerate_ex() and wc_AesCmacVerify_ex() on >=6.0, not >=5.3.
2024-09-20 13:53:36 -05:00
ZackLabPC
9881edfabe Crypto Callback Support for ARM ASM: AES-ECB/CBC, SHA-1/256/384/512 + Fix SP SHA CB Bug 2024-09-20 09:42:53 -06:00
night1rider
1cb324affa Expanding mutexing and Adding in AES Callbacks for HW 2024-09-20 09:42:53 -06:00
night1rider
a7ef540344 Making so hw mutex define is not needed 2024-09-20 09:42:53 -06:00
night1rider
8f8b4e6665 Addressing Feedback, Adding Null Checks and Mutex Around TRNG 2024-09-20 09:42:53 -06:00
night1rider
fe7987f241 Adding SHA-384/512 support, Null Checks, RNG Health Test for HW, and MAA call update for MAX3266X Port. 2024-09-20 09:42:52 -06:00
night1rider
d714e55a2b Addressing PR comments typos and cleanup and support HAVE_AES_ECB, Sha1, and Sha224 2024-09-20 09:42:52 -06:00
msi-debian
2e8cf39feb Initial PR for MAX32665 and MAX32666 TPU HW Support 2024-09-20 09:42:52 -06:00
JacobBarthelmeh
8017c816bb check on RNG init return with test, and make input const 2024-09-20 08:34:28 -07:00
JacobBarthelmeh
5adad7d869 fix for sanity check of null input 2024-09-20 08:34:28 -07:00
JacobBarthelmeh
ca3b1a1412 add test case 2024-09-20 08:34:28 -07:00
JacobBarthelmeh
7a23cff27f add PKCS7 set custom SKID 2024-09-20 08:34:28 -07:00
JacobBarthelmeh
d796d8c107 Merge pull request #7994 from miyazakh/renesas_ra6m4_update
Update FSP version to v5.4.0 for RA6M4
2024-09-20 09:27:56 -06:00
JacobBarthelmeh
bddb83b62a Merge pull request #7992 from ejohnstown/ecc-pct-ss
Small Stack ECC Pairwise Consistency Test
2024-09-20 09:13:21 -06:00
András Fekete
005a57f745 Merge pull request #7989 from billphipps/atomic_fence
Update to use memory_order_seq_cst instead of GCC internal for C11
2024-09-20 09:46:27 -04:00
Juliusz Sosinowicz
cf96ab22ba Address code review 2024-09-20 15:31:01 +02:00
Juliusz Sosinowicz
99a99e3d6e Implement DTLS 1.2 Connection ID (CID) 2024-09-20 15:31:01 +02:00
András Fekete
bbbc40dacc Merge pull request #7996 from julek-wolfssl/move-mymemmem
memmem is only being used in testing so move it there

Failing test is disabled in: 5be198fa0e
2024-09-20 09:08:44 -04:00
Sean Parkinson
8768c55579 Merge pull request #7991 from douzzer/20240917-fixes
20240917-fixes
2024-09-20 15:20:51 +10:00
Daniel Pouzzner
5be198fa0e .github/workflows/packaging.yml: disable broken RedHat/Fedora rpm packaging tests. 2024-09-19 17:44:27 -05:00
Daniel Pouzzner
af8feed531 Revert "wolfssl/wolfcrypt/ecc.h: fixes for more linker relocation errors in Fedora packaging test: always export ECC_API functions, but when !WOLFSSL_PUBLIC_ECC_ADD_DBL, remap them with wc_ prefixes."
This reverts commit a31e914b98.
2024-09-19 17:44:08 -05:00
Daniel Pouzzner
a31e914b98 wolfssl/wolfcrypt/ecc.h: fixes for more linker relocation errors in Fedora packaging test: always export ECC_API functions, but when !WOLFSSL_PUBLIC_ECC_ADD_DBL, remap them with wc_ prefixes. 2024-09-19 17:30:44 -05:00
Daniel Pouzzner
da1b8358dc wolfcrypt/benchmark/benchmark.c: add RSA3072 to keygen bench. 2024-09-19 17:07:19 -05:00
Daniel Pouzzner
212708e3b4 wolfssl/wolfcrypt/ecc.h and wolfcrypt/src/ecc.c: refactor ecc_sets and ecc_sets_count using accessor functions, to fix linker relocation errors in Fedora packaging test. 2024-09-19 17:03:07 -05:00
David Garske
9d24480379 Fix WOLF_CONF_AESGCM=2. 2024-09-19 14:19:39 -07:00
Daniel Pouzzner
510d6a07bf wolfssl/wolfcrypt/types.h: dial in the __static_assert() gating+definitions, and add static_assert2(). 2024-09-19 13:10:47 -05:00
David Garske
9815d9bd03 Support for STM32G4. ZD 18675 2024-09-19 10:54:29 -07:00
Juliusz Sosinowicz
d7303664b5 memmem is only being used in testing so move it there 2024-09-19 15:54:20 +02:00
Daniel Pouzzner
fbbb2b876b wolfssl/wolfcrypt/types.h: add static_assert() definitions;
wolfssl/internal.h: add DTLS13_HANDSHAKE_HEADER_SZ;

src/tls13.c: in EchHashHelloInner(), use falseHeader[DTLS13_HANDSHAKE_HEADER_SZ] to fix buffer overrun;

src/dtls13.c: add static assert for DTLS13_HANDSHAKE_HEADER_SZ.
2024-09-19 01:15:42 -05:00
Hideki Miyazaki
1e0c2604dd Update FSP version to v5.4.0 for RA6M4
add example keys for signing CA
Update READNE
2024-09-19 14:19:05 +09:00
Daniel Pouzzner
263cb5bf78 tests/api.c:test_Sha512_Family_Final(): fix unreachable null pointer deref reported by clang-tidy in FIPS/Async configs. 2024-09-18 17:42:05 -05:00
John Safranek
a81efc0f6f Small Stack ECC Pairwise Consistency Test
1. Update the ECC PCT to use the key's heap to allocate any buffers for
   the test. This is similar to how RSA does it.
2. Put the buffers on the stack if not using small stack option.
2024-09-18 15:14:52 -07:00
Daniel Pouzzner
072c5311a5 m4/ax_atomic.m4: fixes for C++ compatibility.
wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_API attribute to wolfSSL_Atomic_Int_Init, wolfSSL_Atomic_Int_FetchAdd, and wolfSSL_Atomic_Int_FetchAdd, and add fallback definitions for them, allowing elimination of SINGLE_THREADED implementations of wolfSSL_Ref*(), and allowing ungated use of wolfSSL_Atomic_* calls in api.c.

wolfcrypt/src/dh.c: in wc_DhAgree_ct(), remove frivolous XMEMSET() and stray semicolon.

wolfcrypt/benchmark/benchmark.c: fix bench_rsaKeyGen() to skip tests of key sizes below RSA_MIN_SIZE, and add 4096 bit benchmark if RSA_MAX_SIZE is big enough.

tests/unit.h:
* adopt definitions of TEST_FAIL, TEST_SUCCESS, and TEST_SKIPPED from unit.c, remap TEST_SKIPPED from -7777 to 3, and add TEST_SUCCESS_NO_MSGS, TEST_SKIPPED_NO_MSGS, EXPECT_DECLS_NO_MSGS(), and EXPECT_FAILURE_CODEPOINT_ID, to support existing and future expected-particular-failure test cases without log noise.
* rename outer gate from CyaSSL_UNIT_H to TESTS_UNIT_H.

tests/api.c:
* use EXPECT_DECLS_NO_MSGS() in test_ssl_memio_setup(), test_ssl_memio_read_write(), and test_wolfSSL_client_server_nofail_memio(), and globally update affected expected error codes to correspond.
* use atomics for {client,server}SessRemCount{Malloc,free} to fix races in SessRemCtxCb() and SessRemSslSetupCb().
2024-09-18 16:25:26 -05:00
Joshua Okeleke
337456cc1e Add support for (DevkitPro)libnds 2024-09-18 21:27:53 +02:00
Bill Phipps
7122001dd6 Update to use memory_order_seq_cst instead of GCC internal for C11 2024-09-18 13:48:26 -04:00
JacobBarthelmeh
b9908409d4 Merge pull request #7987 from bandi13/betterEngineFlagsFix
FIPS defines RSA_MIN_SIZE and users may want to override
2024-09-18 11:18:24 -06:00
JacobBarthelmeh
87dc45b938 Merge pull request #7986 from julek-wolfssl/crl-cb
Add crl error override callback
2024-09-18 10:43:37 -06:00
JacobBarthelmeh
46f2b21abf Merge pull request #7985 from julek-wolfssl/curl-ci
Use nproc not nproc+1 threads
2024-09-18 10:35:08 -06:00
JacobBarthelmeh
ffd0fb23f7 Merge pull request #7979 from SparkiDev/sp_x86_64_no_avx_fix
SP x86_64 asm: check for AVX2 support
2024-09-18 10:23:12 -06:00
JacobBarthelmeh
ec8a1ba956 Merge pull request #7962 from embhorn/zd18558
Add cmake support for WOLFSSL_CUSTOM_CURVES
2024-09-18 10:18:38 -06:00
JacobBarthelmeh
fcb8d3ffc5 Merge pull request #7887 from kojo1/crl-pss
allow sigParamsSz is zero and malloc(0) to return NULL
2024-09-18 10:04:29 -06:00
JacobBarthelmeh
fb2144d290 Merge pull request #7951 from julek-wolfssl/dtls13-cid-fixes
DTLS 1.3 CID fixes
2024-09-18 09:38:15 -06:00
Reda Chouk
949565f156 Merge branch 'wolfSSL:master' into fix-conversion 2024-09-18 17:16:48 +02:00
Reda Chouk
be88ddda15 more Wconversion fixes: api/test* block 2024-09-18 16:53:39 +02:00
Andras Fekete
bd77ee4f37 FIPS defines RSA_MIN_SIZE and users may want to override 2024-09-18 10:28:10 -04:00
Juliusz Sosinowicz
ae6c872797 Add crl error override callback 2024-09-18 11:58:53 +02:00
Juliusz Sosinowicz
84c80b4c0f make mymemmem available for linking 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz
1e75a2367c Address code review 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz
74ac2cd07d dtls 1.3: pad plaintext when too short for record header protection 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz
29f51b6245 CheckcipherList: Check Cipher minor to detect TLS 1.3 ciphersuite 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz
4a26af0dfa dtls 1.3: Add cid size to output buffer length 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz
ee2b77c0bd Move manual memio to api.c 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz
6d5fefde4a dtls 1.3: Check header length before copying 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz
8ce6f17144 Add dtls 1.3 cid api test 2024-09-18 10:35:29 +02:00
Juliusz Sosinowicz
c166b9dd77 Use nproc not nproc+1 threads 2024-09-18 10:28:28 +02:00
JacobBarthelmeh
c3900470aa Merge pull request #7982 from bandi13/fixEngineFlags
Engine needs to have a RSA_MIN_SIZE=1024
2024-09-17 17:03:11 -06:00
Daniel Pouzzner
ef6f1562d6 Merge pull request #7980 from ejohnstown/small-stack-fp
FP SmallStack Fix
2024-09-17 17:28:46 -05:00
Andras Fekete
41b3a729d2 Engine needs to have a RSA_MIN_SIZE=1024 2024-09-17 17:36:37 -04:00
John Safranek
47e51400bb FP SmallStack Fix
The function _fp_exptmod_nct() is using WOLFSSL_NO_MALLOC to guard
using stack allocation vs malloc. It's twin function _fp_exptmod_ct()
is using WOLFSSL_SMALL_STACK for this. This is causing inappropriate use
of malloc() in a small stack environment. The no-malloc case will also
be kept so static memory and no-malloc fix still works.

1. Change the guards for `#ifndef WOLFSSL_NO_MALLOC` in the function
   `_fp_exptmod_nct()` to `#if defined(WOLFSSL_SMALL_STACK) &&
   !defined(WOLFSSL_NO_MALLOC)`.
2024-09-17 10:55:11 -07:00
Sean Parkinson
aa41e09937 SP x86_64 asm: check for AVX2 support
Check for AVX2 as well as BMI2 and ADX.
Some virtual machines may not have AVX2 with the others.
2024-09-17 14:14:27 +10:00
Sean Parkinson
5ef617a75a Merge pull request #7978 from douzzer/20240916-wc_DhAgree_ct-sp-math
20240916-wc_DhAgree_ct-sp-math
2024-09-17 09:38:07 +10:00
Daniel Pouzzner
04c781ad9b wolfcrypt/src/dh.c: in wc_DhAgree_ct(), implement failsafe constant-time key size fixup, to work around sp-math constant-time key clamping.
also fix a -Wunused in src/ssl_load.c:DataToDerBuffer() teased out by configuration permutations.
2024-09-16 17:33:25 -05:00
András Fekete
9666394b73 Merge pull request #7977 from billphipps/have_rsa_fix
Update to remove HAVE_RSA references.  Correct NO_MALLOC RSA test bug.
2024-09-16 16:26:26 -04:00
Bill Phipps
b4a491de12 Add missing guard to api.c 2024-09-16 14:03:31 -04:00
Bill Phipps
92f3a808b0 Update to remove HAVE_RSA references. Correct NO_MALLOC RSA test bug. 2024-09-16 13:29:38 -04:00
Sean Parkinson
e6b466dd71 Merge pull request #7923 from embhorn/rsa2048_min
Set RSA_MIN_SIZE default to 2048 bits
2024-09-16 21:38:19 +10:00
Daniel Pouzzner
52030f182b Merge pull request #7972 from miyazakh/renesas_tsip_update_
Renesas TSIP version update
2024-09-14 00:41:19 -05:00
Daniel Pouzzner
990d38a068 Merge pull request #7974 from dgarske/noasn
Support for NO_ASN when wildcard *.c is used
2024-09-14 00:34:15 -05:00
Daniel Pouzzner
80f3b0d3d8 Merge pull request #7926 from philljj/x509_acert_support
x509 attribute cert support
2024-09-14 00:30:29 -05:00
Daniel Pouzzner
4545a9b4a2 Merge pull request #7960 from night1rider/mmcau-DesEcb
DES ECB using mmcau HW Library, and DES ECB basic test
2024-09-14 00:07:18 -05:00
David Garske
0d5659ff2d Merge pull request #7975 from douzzer/20240913-fixes
20240913-fixes
2024-09-13 17:20:36 -07:00
Daniel Pouzzner
84f0800b96 configure.ac:
* set DEFAULT_ENABLED_ALL_ASM=no if enable_afalg or ENABLED_32BIT;
* omit enable_srtp_kdf from enable-all-crypto if enable_afalg.

linuxkm: add GetCAByAKID to wolfssl_linuxkm_pie_redirect_table.

src/x509.c: in GenerateDNSEntryIPString(), use XMEMSET() to initialize tmpName, not = {0}, to avoid unmaskable compiler emission of memset() call.

wolfssl/openssl/ssl.h: add OPENSSL_EXTRA to an existing OPENSSL_ALL-gated section, consistent with gating of correspinding section in wolfssl/ssl.h.

wolfssl/wolfcrypt/settings.h: adopt setup for WOLFSSL_SP_NO_UMAAL from wolfssl/wolfcrypt/sp_int.h now that it's used by wolfcrypt/src/port/arm/thumb2-poly1305-asm.S.
2024-09-13 18:01:11 -05:00
Eric Blankenhorn
91e411b4b9 Set RSA_MIN_SIZE default to 2048 bits 2024-09-13 16:02:05 -05:00
David Garske
8cea8283db Support for NO_ASN when wildcard *.c is used. Added STM32H743xx support. 2024-09-13 13:52:21 -07:00
jordan
7df446bf4e cleanup: fix cast warning, and small cleanup. 2024-09-13 09:26:19 -05:00
jordan
7faed6cded X509 attribute cert (acert) support. 2024-09-13 08:03:55 -05:00
Hideki Miyazaki
c49f1e22bd Update TSIP version for RX72N and GR-ROSE
fix readme
2024-09-13 14:12:39 +09:00
Sean Parkinson
4fa20cb770 Merge pull request #7965 from ColtonWilley/pkcs12_use_indef_len
Use context specific for PKCS7 encrypted data encoding
2024-09-13 12:17:08 +10:00
Colton Willey
b0ddccc802 Change PKCS7 encrypted content encoding to use ASN_CONTEXT_SPECIFIC 2024-09-12 16:46:35 -07:00
Daniel Pouzzner
5b337e69d9 Merge pull request #7961 from philljj/fips_pkcallback
Update HAVE_FIPS define guard in test.h.
2024-09-12 18:18:48 -05:00
Sean Parkinson
171ab4b13a Merge pull request #7967 from douzzer/20240910-configure-enable-all-asm-and-sp-cleanup
20240910-configure-enable-all-asm-and-sp-cleanup
2024-09-13 09:18:37 +10:00
Daniel Pouzzner
f6d40ad229 Merge pull request #7955 from gojimmypi/pr-espressif-port-updates
Update Espressif sha, util, mem, time helpers
2024-09-12 18:15:25 -05:00
Daniel Pouzzner
95c94f52d9 Merge pull request #7953 from gojimmypi/pr-espressif-settings
Update wolfcrypt settings.h for Espressif ESP-IDF, template update
2024-09-12 18:11:34 -05:00
Daniel Pouzzner
e9d820b730 Merge pull request #7799 from anhu/fips_macro_guard
Better macro guarding fix undeclared var error
2024-09-12 17:56:00 -05:00
Daniel Pouzzner
b736d78950 Merge pull request #7948 from anhu/MATCH_SUITE
Convert MATCH_SUITE_ERROR to OpenSSL error in wolfSSL_get_error()
2024-09-12 17:50:35 -05:00
David Garske
de3c45a02c Merge pull request #7971 from douzzer/20240912-gating-tweaks
20240912-gating-tweaks
2024-09-12 15:30:11 -07:00
Daniel Pouzzner
e3301b06f6 OpenSSL coexistence tweaks 2024-09-12 16:37:41 -05:00
Daniel Pouzzner
ad7c25b409 Merge pull request #7823 from cconlon/rsaPssSignPkCallbackNoPrehashTls13
PK callbacks: add build option to give full data to TLS 1.3 RSA-PSS sign callback instead of hash
2024-09-12 15:40:59 -05:00
Daniel Pouzzner
eb53a95f57 wolfcrypt/src/asn.c:DecodeSingleResponse(): fix gating for "at" working var, by refactoring gating for WOLFSSL_OCSP_PARSE_STATUS sections for clarity. 2024-09-12 14:38:50 -05:00
Daniel Pouzzner
3fac3b71ca configure.ac:
* move leanpsk and asn option processing early to make their results available to existing math back end selector logic;
* add -DWOLFSSL_ASN_ALL to enable-all-crypto;
* tweak asn option processing to preserve "original" value in case later configure logic wants to pivot on that.
2024-09-12 13:29:02 -05:00
Daniel Pouzzner
53c4c0095a wolfcrypt/src/sp_cortexm.c: update from scripts#423. 2024-09-12 13:29:02 -05:00
Daniel Pouzzner
98a51029f8 configure.ac: in --enable-all-asm handler, support only x86_64 and aarch64, and enable sp-asm only for them, to avoid "ASM not available for CPU" error from sp-asm handler. 2024-09-12 13:29:01 -05:00
Daniel Pouzzner
8d0047fedf SP: fixes for several bugprone-macro-parentheses and -Wconversions. 2024-09-12 13:29:01 -05:00
Daniel Pouzzner
428e15816f configure.ac:
* in handling for enable-all-asm, add check for full Gnu C and don't auto-enable all-asm unless full Gnu C and enable-all-crypto, among other sanity checks.
* in enable-all and enable-all-crypto, correctly conditionalize several FIPS-v6-only features/algorithms.
* in FIPS v5 setup, force off SRTP and SRTP-KDF (with warnings).
2024-09-12 13:29:01 -05:00
Daniel Pouzzner
e227b2ad7d wolfcrypt/src/sp_int.c: fix bugprone-too-small-loop-variable in _sp_mul(). 2024-09-12 13:29:01 -05:00
Daniel Pouzzner
5b8e9e692f wolfcrypt/src/siphash.c: fixes for bugprone-macro-parentheses. 2024-09-12 13:29:01 -05:00
Daniel Pouzzner
1b0ef048ba configure.ac: move handling for enable-all-asm to precede handling for enable-all-crypto, and compute DEFAULT_ENABLED_ALL_ASM appropriately. 2024-09-12 13:29:01 -05:00
Daniel Pouzzner
430d104430 configure.ac: render warnings when FIPS setup forces off options supplied to configure. 2024-09-12 13:29:01 -05:00
Daniel Pouzzner
723d8efd1c configure.ac: consolidate enable-all-crypto settings in one place. 2024-09-12 13:29:01 -05:00
Daniel Pouzzner
cf8f9a80fc configure.ac: add --enable-all-asm, and add it to --enable-all and --enable-all-crypto. 2024-09-12 13:29:01 -05:00
Daniel Pouzzner
3cb66ad18a configure.ac: update help and error messages re fastmath. 2024-09-12 13:29:01 -05:00
David Garske
20e2e33e25 Merge pull request #7939 from SparkiDev/thumb2_poly1305
undefined
2024-09-12 11:15:53 -07:00
András Fekete
75c6633039 Merge pull request #7970 from night1rider/XILINX-AFLAG-Fix
Fixing Redefine Errors/Warnings for --enable-afalg=xilinx
2024-09-12 13:04:29 -04:00
night1rider
c88f1c4d54 Fixing Redefine Errors/Warnings 2024-09-12 09:54:03 -06:00
Siert Wieringa
9e2a7b3653 Feature/multiple aes siv ads (#7911)
* Proposed new interface for AesSivEncrypt with number of ADs != 1.

* Implement AES SIV S2V computation with a number of ADs not equal to 1.

* Add Example A.1 from RFC5297 to AES SIV test vectors.

* Add tests for new AES SIV interface, and add test vectors for examples given in RFC5297.

* Include the nonce in count of maximum number of ADs.

* Addressing review comments.

* Addressing review comments: Use uppercase 'U' suffix on unsigned constant.

* Rename local variables named 'ad0' to 'ad', since the zero makes no sense, especially since in the RFC 5297 document they're actually counting the ADs from 1.
2024-09-12 07:55:29 -07:00
JacobBarthelmeh
088dfab22a Merge pull request #7968 from douzzer/20240911-fix-whitespace
20240911-fix-whitespace
2024-09-11 22:18:36 -06:00
Daniel Pouzzner
4159ba0a95 .github/workflows/openldap.yml: fix whitespace. 2024-09-11 23:01:42 -05:00
Daniel Pouzzner
974506db28 Merge pull request #7933 from julek-wolfssl/openldap-action
Add openldap action
2024-09-11 22:54:31 -05:00
Sean Parkinson
27033c225f Thumb-2 ChaCha, Poly1305: implemention in assembly
Implementation of ChaCha algorithm for ARM Thumb-2.
Implementation of Poly1305 algorithm for ARM Thumb-2.
2024-09-12 10:59:01 +10:00
Sean Parkinson
d23bfd2eb9 Merge pull request #7963 from anhu/p11nopin
Check for PIN before saving it.
2024-09-12 10:20:47 +10:00
Colton Willey
88d1ed7393 Modify pkcs8 pbe encryption to use indefinite length encoding, making it consistent with both old ASN code and openssl 2024-09-11 15:55:05 -07:00
Anthony Hu
246228e410 Check for PIN before saving it. 2024-09-11 14:39:03 -04:00
Eric Blankenhorn
a75c73cdef Add cmake support for WOLFSSL_CUSTOM_CURVES 2024-09-11 10:45:21 -05:00
jordan
ea57e82395 Update HAVE_FIPS define guard in test.h. 2024-09-11 08:20:15 -05:00
Sean Parkinson
1c8f1e6921 Merge pull request #7802 from douzzer/20240725-wc_DhAgree_ct
20240725-wc_DhAgree_ct
2024-09-11 08:06:58 +10:00
Reda Chouk
79d3b955ed tls.c type conversion fixed. 2024-09-10 13:51:21 +02:00
Daniel Pouzzner
213ac1ac0a Merge pull request #7959 from billphipps/sgx_c99_fix
Update to use C99 instead of C11 because of lack of SGX support
2024-09-10 00:39:40 -05:00
Sean Parkinson
10c1fa2088 Merge pull request #7931 from barracuda156/powerpc-darwin
Fixes for PowerPC
2024-09-10 10:34:09 +10:00
Sean Parkinson
500a3b41e4 Merge pull request #7932 from barracuda156/dispatch
Fixes for earlier macOS
2024-09-10 10:29:45 +10:00
night1rider
e912aff7e5 DES ECB using mmcau HW Library, and DES ECB basic test 2024-09-09 15:32:21 -06:00
Daniel Pouzzner
49a680540c add constant time DH key agreement APIs:
* adds wc_DhAgree_ct().
* adds wolfSSL_DH_compute_key_padded(), using wc_DhAgree_ct() if available, with fallback fixup code.
* adds unit test coverage in api.c:test_wolfSSL_DH() for expected-success calls to wolfSSL_DH_compute_key() and wolfSSL_DH_compute_key_padded().
2024-09-09 16:24:07 -05:00
Bill Phipps
232314039d Update to use C99 instead of C11 because of lack of SGX support 2024-09-09 12:10:53 -04:00
David Garske
dbfebeac43 Merge pull request #7956 from douzzer/20240906-errcode-fixups
20240906-errcode-fixups
2024-09-09 08:42:46 -07:00
Reda Chouk
884b51151b Merge branch 'fix-conversion' of github.com:gasbytes/wolfssl into fix-conversion 2024-09-09 16:06:16 +02:00
Reda Chouk
65db4b15d6 api type conversion errors, first half of tls* files 2024-09-09 16:05:15 +02:00
Daniel Pouzzner
c81c9be9ce error code fixes:
* fix TLS layer to consistently use WOLFSSL_FATAL_ERROR for error retvals, rather than literal -1.
* add WC_NO_ERR_TRACE() wrapper around LENGTH_ONLY_E (it does not signify an error condition).
* refactor errcode handling for traceability in wolfSSL_DSA_do_sign(), wolfSSL_DH_size(), wolfSSL_EC_KEY_get_conv_form(), wolfSSL_d2i_DSA_SIG(), wolfSSL_DSA_do_sign(), SetDhInternal(), and wolfSSL_EC_KEY_get_conv_form().
2024-09-06 19:33:48 -05:00
gojimmypi
b57fcd0bd8 Update Espressif sha, util, mem, time helpers 2024-09-06 16:33:04 -07:00
JacobBarthelmeh
398f8c90e2 Merge pull request #7952 from douzzer/20240906-GetCAByKeyHash-wolfssl_linuxkm_pie_redirect_table
20240906-GetCAByKeyHash-wolfssl_linuxkm_pie_redirect_table
2024-09-06 15:37:37 -06:00
gojimmypi
282e559113 Update wolfcrypt settings.h for Espressif ESP-IDF 2024-09-06 14:24:38 -07:00
Daniel Pouzzner
e708ef3b56 Merge pull request #7946 from gasbytes/fix-conversion
Fix conversion in ssl* files and in internal.c
2024-09-06 16:13:55 -05:00
Anthony Hu
9e204dc023 Convert MATCH_SUITE_ERROR to OpenSSL error in wolfSSL_get_error() 2024-09-06 16:29:30 -04:00
Anthony Hu
4bd39aa52e Better macro guarding fix undeclared var error 2024-09-06 15:15:34 -04:00
Daniel Pouzzner
87aef05f16 linuxkm: add GetCAByKeyHash to wolfssl_linuxkm_pie_redirect_table. 2024-09-06 14:15:19 -05:00
David Garske
80a63a3fce Merge pull request #7924 from anhu/pqm4_purge
Get rid of pqm4 in favour our own Kyber/MLDSA implementation
2024-09-06 12:00:26 -07:00
Daniel Pouzzner
945f97636a Merge pull request #7945 from ColtonWilley/no_external_network_test_option
Add option to skip all tests requiring an internet connection
2024-09-06 10:48:33 -05:00
Sean Parkinson
5f40f9a140 Thumb-2 ChaCha: implemention in assembly
Implementation of ChaCha algorithm for ARM Thumb-2.
2024-09-06 10:16:45 +10:00
Sean Parkinson
96e2c51f07 Merge pull request #7907 from ColtonWilley/rsa_pad_crypto_cb
Add new crypto callback for RSA with padding.
2024-09-06 08:48:36 +10:00
Sean Parkinson
6fc9dcae07 Merge pull request #7947 from douzzer/20240905-mp_sign_t
20240905-mp_sign_t
2024-09-06 08:46:23 +10:00
Colton Willey
9ad4e565fe Restore original comments 2024-09-05 15:10:50 -07:00
Daniel Pouzzner
dcaff9dff4 Merge pull request #7944 from JacobBarthelmeh/pkcs12
add parsing over optional PKCS8 attributes
2024-09-05 16:55:44 -05:00
David Garske
887c5abcb1 Merge pull request #7949 from douzzer/20240905-whitespace-and-utf8-cleanup
20240905-whitespace-and-utf8-cleanup
2024-09-05 14:38:19 -07:00
Daniel Pouzzner
9f6a75cdfd Merge pull request #7934 from rizlik/ocsp-get-ca-keyhash-fix
ocsp: search CA by key hash instead of ext key id
2024-09-05 15:03:54 -05:00
Daniel Pouzzner
a3fb5029f8 clean up trailing whitespace and misplaced CRLFs, add missing final newlines, remove stray UTF8 nonprintables (BOMs) and ASCIIfy stray homoglyphs (spaces and apostrophes), guided by expanded coverage in wolfssl-multi-test check-source-text. 2024-09-05 14:52:18 -05:00
Reda Chouk
73786112ec review addressed 2024-09-05 20:55:00 +02:00
Daniel Pouzzner
603c03c0be MPI: add mp_sign_t and sp_sign_t. 2024-09-05 10:37:02 -05:00
Marco Oliverio
6114691fd6 ocsp: try lookup certificate using keyHash as KeyId
try to lookup the certificate using the key hash as key identifier
first. If we can't find a certificate, it means that the certificate
uses another method to compute the key identifier so we need to fallback
to linear search.
2024-09-05 09:49:01 +00:00
Daniel Pouzzner
a3fea482db Merge pull request #7914 from julek-wolfssl/gh/7825
Fix failing test_dtls_frag_ch
2024-09-04 19:35:06 -05:00
Colton Willey
f749ca387d Rewrite to use test to make old mac sh versions happy 2024-09-04 16:34:09 -07:00
Colton Willey
8661cf6fee Update no network test option to overload meaning of existing WOLFSSL_EXTERNAL_TEST instead of using new flag 2024-09-04 16:09:16 -07:00
JacobBarthelmeh
9a8573afc9 touch up pkcs8 create function and test case warning 2024-09-04 15:48:44 -06:00
Colton Willey
8aa5f463b1 Add option to skip all tests requiring an internet connection. 2024-09-04 14:48:25 -07:00
JacobBarthelmeh
2a1165460e add parsing over optional PKCS8 attributes 2024-09-04 15:15:53 -06:00
David Garske
1c8767b4d3 Merge pull request #7942 from douzzer/20240904-fix-test_wolfSSL_EVP_sm3
20240904-fix-test_wolfSSL_EVP_sm3
2024-09-04 12:40:51 -07:00
Daniel Pouzzner
a31733db85 Merge pull request #7909 from SparkiDev/dilithium_fips204_draft
Dilithium: Support FIPS 204 Draft
2024-09-04 14:34:59 -05:00
Daniel Pouzzner
7e16016311 tests/api.c: fix expected retval from EVP_DigestInit() in test_wolfSSL_EVP_sm3() -- before 2c9a3c5c1c, EVP_DigestInit() incorrectly returned BAD_FUNC_ARG when passed a null ctx. 2024-09-04 14:04:29 -05:00
Daniel Pouzzner
53aec861a4 Merge pull request #7938 from billphipps/atomic_fence
Modernized memory fence support for C11 and clang
2024-09-04 13:17:26 -05:00
Daniel Pouzzner
c9ff15da21 Merge pull request #7901 from SparkiDev/memusage_8
Memory usage improvements
2024-09-04 12:34:44 -05:00
Colton Willey
3b5d0aa85a Fix up whitespace changes from editor autoformat 2024-09-04 10:25:20 -07:00
Colton Willey
f9af463db1 Update RSA verify documentation to specify that the output should be compared with the original plaintext 2024-09-04 10:13:40 -07:00
András Fekete
fb86818251 Merge pull request #7930 from mpsuzuki/fix-ocsp-test
[scripts/ocsp.test] Remove ${SCRIPT_DIR} from the pathname to ca-google-root.pem.
2024-09-04 12:59:25 -04:00
David Garske
0580c1a83a Merge pull request #7889 from miyazakh/renesas_rx65n_update
Update rx64n support on gr-rose
2024-09-04 08:08:49 -07:00
David Garske
7c7de235d8 Merge pull request #7937 from douzzer/20240903-missing-WC_NO_ERR_TRACEs
20240903-missing-WC_NO_ERR_TRACEs
2024-09-04 08:07:19 -07:00
David Garske
990b4d62ea Merge pull request #7940 from Irvise/master
Ada binding: correct Alire manifest and fix build
2024-09-04 08:05:58 -07:00
Sean Parkinson
88c3e0af22 Memory usage improvements
kdf.c: wc_PRF() - No need for previous, reuse current.
sha256.c: Transform_Sha256() - Add slow but small version for many
register implementation.
sp_int.h: Change 'used' and 'size' fields to 16-bit types when possible.
sp_int.c: Fixes for 16-bit used.
2024-09-04 22:51:31 +10:00
Irvise
2a96981dbe Ada binding: correct Alire manifest and fix build 2024-09-04 09:42:24 +02:00
Daniel Pouzzner
b26fa6cf59 Merge pull request #7918 from SparkiDev/type_conversion_fixes_3
Type conversion fixes
2024-09-03 20:18:00 -05:00
Daniel Pouzzner
121b8c52f8 Merge pull request #7869 from julek-wolfssl/libspdm-x509
libspdm x509 parts
2024-09-03 20:09:31 -05:00
Bill Phipps
ae939e9e6a Modernized memory fence support for C11 and clang 2024-09-03 21:09:30 -04:00
Daniel Pouzzner
806df85477 backfill more missing WC_NO_ERR_TRACE()s on error code operands, and refactor away the obsolete GEN_MEM_ERR macro mechanism in wolfcrypt/src/ecc.c. 2024-09-03 17:44:11 -05:00
Sean Parkinson
ec6c7051a8 Merge pull request #7928 from dgarske/riscv_fixes
Fixes for building on RISC-V
2024-09-04 08:03:45 +10:00
David Garske
b7a6c6c314 Fixes for building RISCV ASM with enable-all.
* Fix type warning for SHA512 ByteReverseWords call
* Fix issue with riscv-asm and xchacha.
2024-09-03 09:37:01 -07:00
Reda Chouk
a80a2cdcff Addressed type conversion error in internal.c 2024-09-03 16:26:32 +02:00
Reda Chouk
b237730dad fix type conversion in ssl* files 2024-09-02 18:08:14 +02:00
Marco Oliverio
293719c168 ocsp: search CA by key hash instead of ext key id 2024-09-02 15:25:53 +00:00
Juliusz Sosinowicz
9254e270be Add openldap action 2024-09-02 13:29:18 +02:00
Sean Parkinson
ed7beb4e0e Type conversion fixes
Changes to get compilation with -Wconversion passing on the files.
2024-09-02 19:19:23 +10:00
Juliusz Sosinowicz
2c9a3c5c1c Missing libspdm features
- RsaFunctionPrivate: detect when only n,e,d are available
- wolfSSL_EVP_add_digest: return success
- wolfSSL_EVP_add_cipher: return success
- wolfSSL_BN_bin2bn: accept NULL data if len is 0 (checked in mp_read_unsigned_bin)
- wolfssl_read_bio: advance correct bio
- wolfSSL_X509_set_ext: return raw extension data for BASIC_CA_OID
- Implement
  - sk_X509_EXTENSION_free
  - d2i_EC_PUBKEY_bio
  - d2i_RSA_PUBKEY_bio
  - d2i_X509_REQ_INFO
  - X509_REQ_INFO_free
  - ASN1_TIME_set_string_X509
2024-09-02 10:01:12 +02:00
Sergey Fedorov
70caed572a crl.c: use EV_TRIGGER when NOTE_TRIGGER unavailable 2024-09-01 21:03:18 +08:00
Sergey Fedorov
2ddfe15c4f Fix libdispatch usage condition 2024-09-01 21:03:18 +08:00
Sergey Fedorov
94478cb208 wc_port.h: fix macros for powerpc 2024-09-01 20:17:11 +08:00
Sergey Fedorov
ef2424336c sp_int.c: fix ppc asm for macOS 2024-09-01 20:17:11 +08:00
Sergey Fedorov
b6bfae9c24 asm.c: fix ppc asm for macOS 2024-09-01 20:17:11 +08:00
Sergey Fedorov
765e5d1689 types.h: add powerpc macros 2024-09-01 20:17:11 +08:00
suzuki toshiya
2fa0da74e4 [scripts/ocsp.test] Remove ${SCRIPT_DIR} from the pathname to ca-google-root.pem. 2024-08-31 18:22:20 +09:00
Daniel Pouzzner
4d837e74c4 Merge pull request #7303 from Irvise/master
[Ada] Initial library support
2024-08-31 00:26:29 -05:00
Colton Willey
2bcfff3497 Expand testing to include SW implementation of RSA with padding callback, code cleanup to address review comments. 2024-08-30 13:41:51 -07:00
David Garske
72fc08ede8 Merge pull request #7927 from douzzer/20240830-wolfSSL_ERR_reason_error_string-EnumCastOutOfRange
20240830-wolfSSL_ERR_reason_error_string-EnumCastOutOfRange
2024-08-30 13:17:32 -07:00
Daniel Pouzzner
126df1d9ee src/internal.c: in wolfSSL_ERR_reason_error_string(), return "unknown error number" when error==0 and !OPENSSL_EXTRA, to avoid provoking clang-analyzer-optin.core.EnumCastOutOfRange. 2024-08-30 14:32:56 -05:00
David Garske
13ec0f0694 Merge pull request #7916 from SparkiDev/riscv-sha3-asm
RISC-V ASM: SHA-3
2024-08-30 09:06:36 -07:00
Juliusz Sosinowicz
b67fd6f29c Fix failing test_dtls_frag_ch
- Add option to disable ECH
- InitSuites: clean up DTLS paths
- wolfSSL_parse_cipher_list: remove WOLFSSL_MAX_SUITE_SZ setting
- wolfSSL_parse_cipher_list: add rationale for keeping ciphersuites
- test_dtls_frag_ch: ECH and ciphersuites were pushing the ClientHello message over the fragmentation limit. Disabling ECH and limiting ciphersuites fixes the test.
2024-08-30 09:56:52 +02:00
Sean Parkinson
d475ecc8d3 Merge pull request #7917 from douzzer/20240828-WOLFSSL_DEBUG_TRACE_ERROR_CODES-TLS
20240828-WOLFSSL_DEBUG_TRACE_ERROR_CODES-TLS
2024-08-30 14:12:20 +10:00
Sean Parkinson
0df8a0f88c Merge pull request #7925 from JacobBarthelmeh/readme
update CVE listed in changelog
2024-08-30 14:11:17 +10:00
Daniel Pouzzner
2dcd04668b src/internal.c: in wolfSSL_ERR_reason_error_string(), restore handling for -WOLFSSL_X509_V_ERR_*, but separated from handling for the proper wolfSSL_ErrorCodes. 2024-08-29 21:28:02 -05:00
Daniel Pouzzner
255465a757 src/internal.c: in wolfSSL_ERR_reason_error_string(), remove handling for -WOLFSSL_X509_V_ERR_*, and make corresponding changes in wolfssl/error-ssl.h and tests/api.c. 2024-08-29 20:02:42 -05:00
JacobBarthelmeh
26756da925 update CVE listed in changelog 2024-08-29 16:45:23 -06:00
Daniel Pouzzner
4b4000bf61 Merge pull request #7903 from SparkiDev/ecc_sigalgo_params_null
Certificates: ECC signature algorithm parameter
2024-08-29 16:16:08 -05:00
Daniel Pouzzner
fab5c9f864 Merge pull request #7880 from ColtonWilley/tls13_send_cert_use_signed_len
Use signed variable for length calculation in SendTls13Certificate
2024-08-29 16:12:41 -05:00
Daniel Pouzzner
ef4ea53570 Merge pull request #7912 from julek-wolfssl/gh/7686
DTLS 1.3: check size including headers
2024-08-29 16:09:53 -05:00
Daniel Pouzzner
41449fac48 Merge pull request #7895 from embhorn/zd18433
Use verify callback before checking dates
2024-08-29 15:52:04 -05:00
Daniel Pouzzner
5e1bf9d4f2 Merge pull request #7908 from anhu/no_stdio
Don't include stdio.h if not needed.
2024-08-29 15:33:41 -05:00
Daniel Pouzzner
f670400183 Merge pull request #7921 from gasbytes/oss-fuzz-70747
added missing wolfSSL_X509_NAME_free(dName)
2024-08-29 15:15:52 -05:00
Daniel Pouzzner
17870d4159 src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E.
wolfssl/ssl.h, wolfssl/error-ssl.h, wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c, and src/internal.c:
* fix values of WOLFSSL_ERROR_SSL and WOLFSSL_ERROR_WANT_X509_LOOKUP to match OpenSSL values;
* move legacy CyaSSL compat layer error codes from ssl.h to error-ssl.h and renumber them to conform to existing sequence;
* move enum IOerrors from ssl.h to error-ssl.h to get picked up by support/gen-debug-trace-error-codes.sh;
* add to enum wolfSSL_ErrorCodes negative counterparts for several positive error return constants;
* include error-ssl.h from ssl.h;
* add label (wolfCrypt_ErrorCodes) to error-crypt.h enum, and in wc_GetErrorString(), use switch ((enum wolfCrypt_ErrorCodes)error) to activate switch warnings for missing enums;
* in wolfSSL_ERR_reason_error_string(), use switch((enum wolfSSL_ErrorCodes)error) to activate switch warnings for missing enums;
* in ssl.h, add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* in error-crypt.h, add missing WOLFSSL_API attribute to wc_backtrace_render(); and
* harmonize gating of error codes, ssl.h / error-ssl.h / internal.c:wolfSSL_ERR_reason_error_string() / api.c:error_test().

tests/api.c:
* add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().
* in post_auth_version_client_cb(), add missing !NO_ERROR_STRINGS gating.

add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
2024-08-29 14:22:56 -05:00
Colton Willey
50a3a37ff2 Merge branch 'master' of github.com:ColtonWilley/wolfssl into rsa_pad_crypto_cb 2024-08-29 11:14:49 -07:00
Anthony Hu
844d0ec558 Get rid of pqm4 in favour our own Kyber/MLDSA implementation 2024-08-29 13:23:39 -04:00
Reda Chouk
109e4c3dfb added missing wolfSSL_X509_NAME_free(dName) 2024-08-29 17:59:02 +02:00
Juliusz Sosinowicz
31ec2b0acd Merge pull request #7920 from bandi13/fixOSPOpenSSH
Fix compilation error for RSA_MAX_SIZE
2024-08-29 16:41:18 +02:00
Andras Fekete
b886ffd04b Fix compilation error for RSA_MAX_SIZE 2024-08-29 09:31:10 -04:00
Sean Parkinson
7c3d66ecd6 RISC-V ASM: SHA-3
Add assembly implementations of SHA-3.
Use VSRL_VX instead of two VSRL_VI operations as immediate is only 5
bits.
2024-08-29 17:58:02 +10:00
Daniel Pouzzner
b178138d83 src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E, and de-gate error strings previously gated on HAVE_HTTP_CLIENT.
tests/api.c: add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().

wolfssl/ssl.h, wolfssl/error-ssl.h, and wolfssl/wolfcrypt/error-crypt.h:
* move several negative error return codes from ssl.h to error-ssl.h,
* renumber them to conform to existing sequence, and
* include error-ssl.h from ssl.h;
* add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* add missing WOLFSSL_API attribute to wc_backtrace_render().

add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
2024-08-28 23:05:04 -05:00
David Garske
d4f6b5b300 Merge pull request #7915 from embhorn/zd18539
Fix WOLFSSL_NO_TLS12 build error
2024-08-28 10:03:58 -07:00
Eric Blankenhorn
1a3a730eb9 Fix WOLFSSL_NO_TLS12 build error 2024-08-28 10:51:11 -05:00
David Garske
5e77c06ea2 Merge pull request #7913 from bandi13/fixDocumentation
Doxygen complains about the quotes used
2024-08-28 07:34:03 -07:00
Andras Fekete
6494233774 Doxygen complains about the quotes used 2024-08-28 09:31:34 -04:00
Juliusz Sosinowicz
b2f59f733a DTLS 1.3: check size including headers 2024-08-28 12:58:50 +02:00
Sean Parkinson
a3e239c2ad Certificates: ECC signature algorithm parameter
Allow, with a define, ECC signature algorithm parameters to be NULL and
not just empty.
Only for interop.
2024-08-28 11:10:41 +10:00
Sean Parkinson
652158fcac Dilithium: Support FIPS 204 Draft
Compile with WOLFSSL_DILITHIUM_FIPS204_DRAFT to get code that implements
the FIPS-204 August 2023 DRAFT.
Alternatively, --enable-dilithium=draft or
--enable-dilithium=fips204-draft
2024-08-28 11:02:01 +10:00
Anthony Hu
6174fb3545 Don't include stdio.h if not needed. 2024-08-27 17:44:04 -04:00
Hideki Miyazaki
0cfd48f200 update rx64n gr-rose key and signed cert
add a script to generate signed cert
2024-08-28 06:00:31 +09:00
Eric Blankenhorn
dcea21a9a5 Merge pull request #7897 from douzzer/20240823-WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS
20240823-WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS
2024-08-27 15:41:20 -05:00
Colton Willey
b7299a23c0 Add new crypto callback for RSA with padding. 2024-08-27 13:09:23 -07:00
Eric Blankenhorn
d0475def5f Merge pull request #7906 from douzzer/20240827-XFENCE-all-disable-asm-assert
20240827-XFENCE-all-disable-asm-assert
2024-08-27 14:32:20 -05:00
Daniel Pouzzner
349e06ab4a wolfssl/wolfcrypt/wc_port.h: use non-asm implementation of XFENCE when available. 2024-08-27 13:36:21 -05:00
Colton Willey
a57d234f6b Clean up sign comparison warnings 2024-08-27 10:07:11 -07:00
Daniel Pouzzner
e164bcb24d Merge pull request #7904 from SparkiDev/kyber_tls_fixes
Kyber: fix TLS usage
2024-08-27 00:44:56 -05:00
Daniel Pouzzner
90152fedda Merge pull request #7902 from gasbytes/wc_pkcs7_decodeauthenvelopeddata-problem
Added check on error out from wc_PKCS7_EncodeAuthEnvelopedData
2024-08-27 00:40:21 -05:00
Daniel Pouzzner
2537e08a99 Merge pull request #7890 from embhorn/zd18463
Various Coverity fixes
2024-08-26 23:34:23 -05:00
Sean Parkinson
893a486ae1 Kyber: fix TLS usage
Allow only select parameter sets to be compiled in.
Fixed unit.test to recognize when level is supported.
2024-08-27 10:35:08 +10:00
Anthony Hu
bf074d2bb9 Merge pull request #7877 from SparkiDev/ml_dsa_ml_kem_final
Dilithum, Kyber: Update to final specification
2024-08-26 16:48:05 -04:00
Daniel Pouzzner
b17b190695 tests/api.c: add missing deallocations in test_wc_dilithium_sign_vfy(). 2024-08-26 15:00:27 -05:00
Reda Chouk
25dd8b641e added check on error out from wc_PKCS7_EncodeAuthEnvelopedData 2024-08-26 19:29:06 +02:00
Sean Parkinson
60f438f0c3 Dilithum, Kyber: Update to final specification
FIPS 203 and FIPS 204 final specification changes.
2024-08-26 17:42:27 +10:00
Daniel Pouzzner
bcbb5441ec Merge pull request #7881 from gasbytes/eagain-proper-shutdown
Properly handling the shutdown when multiple ones go on EAGAIN back to back
2024-08-23 23:46:31 -05:00
Daniel Pouzzner
c454a4217c Merge pull request #7866 from gojimmypi/pr-espressif-config
Introduce Espressif common CONFIG_WOLFSSL_EXAMPLE_NAME, Kconfig
2024-08-23 21:11:09 -05:00
Daniel Pouzzner
3f0ba97d1e Merge pull request #7893 from gojimmypi/pr-asn-allow-zero-serial
Introduce WOLFSSL_ASN_ALLOW_0_SERIAL
2024-08-23 21:09:41 -05:00
Daniel Pouzzner
1d34b565fa Merge pull request #7891 from SparkiDev/test_fixes_2
Test fixes
2024-08-23 21:08:44 -05:00
Takashi Kojo
4bedef9664 allow sigParamsSz is zero and malloc(0) to return NULL 2024-08-24 07:58:02 +09:00
Daniel Pouzzner
a39f521f7f Merge pull request #7884 from dgarske/x86_notwindows
Fixes for building x86 in Visual Studio for non-windows OS
2024-08-23 17:38:30 -05:00
Daniel Pouzzner
7725e75c42 add WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS flag for optional errcode tracing in apps, define it in wolfcrypt/test/test.c when defined(WOLFSSL_DEBUG_TRACE_ERROR_CODES), and deploy WC_NO_ERR_TRACE() to test.c where needed. 2024-08-23 16:35:43 -05:00
Eric Blankenhorn
6dab58266d Various Coverity fixes 2024-08-23 16:09:18 -05:00
Eric Blankenhorn
be37587bc3 Use verify callback before checking dates 2024-08-23 16:02:23 -05:00
Reda Chouk
8a6d7ff9a5 more clang-tidy edits 2024-08-23 21:31:55 +02:00
Reda Chouk
f4a27772e0 removed unnecessary copy of cb 2024-08-23 17:44:49 +02:00
Juliusz Sosinowicz
88d4f486e2 Merge pull request #7892 from douzzer/20240822-fixes
20240822-fixes
2024-08-23 16:47:23 +02:00
Daniel Pouzzner
166519ae67 wolfssl/openssl/asn1.h: use macro for ASN1_BIT_STRING_FIRST_BYTE to avoid non-const errors under gcc-6.5; tests/api.c: fix uninited data defect in test_wolfssl_EVP_chacha20_poly1305(). 2024-08-22 14:41:06 -05:00
Reda Chouk
577cce60df defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && !defined(WOLFSSL_NO_TLS12) 2024-08-22 21:30:57 +02:00
Reda Chouk
7d2ca8db5f addressing review:
- added unit test;
- formatting;
2024-08-22 21:30:57 +02:00
Reda Chouk
2356bec909 no magic values 2024-08-22 21:30:57 +02:00
Reda Chouk
db64d36f00 properly handling the shutdown when multiple ones go on EAGAIN back to
back.
2024-08-22 21:30:56 +02:00
gojimmypi
8baf39310f Introduce WOLFSSL_ASN_ALLOW_0_SERIAL 2024-08-22 12:30:15 -07:00
Sean Parkinson
56adefcdc5 Ed25519: don't define ASM functions when small
Small builds don't allow ASM implementations.
Don't have functions defined for ASM  when building small
implementation.
2024-08-22 17:05:26 +10:00
Sean Parkinson
08d8a74992 Test fixes
api.c:
	Update #ifdefs.
sp_int.c:
	Fix free call when hardening is disabled.
2024-08-22 16:09:22 +10:00
Sean Parkinson
e99bbf9429 Merge pull request #7875 from douzzer/20240814-debug-trace-errcodes-MP
20240814-debug-trace-errcodes-MP
2024-08-22 10:10:45 +10:00
Daniel Pouzzner
1a0bf421bd Merge pull request #7781 from julek-wolfssl/sssd
init sssd support
2024-08-21 19:05:08 -05:00
Sean Parkinson
2505a59dae Merge pull request #7886 from douzzer/20240819-shebang-bash-env
20240819-shebang-bash-env
2024-08-21 14:50:15 +10:00
Daniel Pouzzner
2448d482f4 wolfssl/wolfcrypt/error-crypt.h: move MPI error codes to range {-97, -100} to avoid collisions. 2024-08-20 23:37:21 -05:00
Daniel Pouzzner
05c4955316 linuxkm: add support for WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES using dump_stack(). 2024-08-20 23:36:07 -05:00
Daniel Pouzzner
0da78a7ee2 move several MP error codes from wolfssl/wolfcrypt/sp_int.h, wolfssl/wolfcrypt/tfm.h, and wolfssl/wolfcrypt/integer.h, to wolfssl/wolfcrypt/error-crypt.h, harmonizing their names and numbers.
wolfssl/wolfcrypt/error-crypt.h: add WC_FIRST_E.

wolfcrypt/src/error.c: add MP error code strings.

wolfssl/error-ssl.h: add WOLFSSL_FIRST_E and WOLFSSL_LAST_E.

wolfcrypt/test/test.c: update error_test() for new error code layout, refactoring the "missing" check.

src/internal.c: use WC_FIRST_E and WC_LAST_E  in wolfSSL_ERR_reason_error_string().

src/ssl.c: fix wolfSSL_ERR_GET_REASON() to identify in-range error codes using WC_FIRST_E, WC_LAST_E, WOLFSSL_FIRST_E, and WOLFSSL_LAST_E.

sp_int.h: provide for WOLFSSL_DEBUG_TRACE_ERROR_CODES, and refactor MP error codes as enums, for consistency with other error codes.

wolfcrypt/src/ecc.c: fix 2 identicalInnerCondition's.
2024-08-20 14:09:06 -05:00
Daniel Pouzzner
1c68da282c portability enhancement: use "#!/usr/bin/env <interpreter>" on all perl scripts and shell scripts that use bash extensions, and use "#!/bin/sh" on the rest. 2024-08-20 13:48:33 -05:00
Juliusz Sosinowicz
305a699398 Add sssd action 2024-08-20 17:12:43 +02:00
David Garske
4f4fb4bd0a Merge pull request #7888 from douzzer/20240820-configure-silent
20240820-configure-silent
2024-08-20 05:35:23 -07:00
Juliusz Sosinowicz
3260a9b680 Address code review 2024-08-20 10:53:44 +02:00
Daniel Pouzzner
c4f978ffc8 Merge pull request #7874 from mpsuzuki/fix-posix-date
POSIX does not request "date" command to support "-R" option.
2024-08-20 00:42:52 -05:00
Daniel Pouzzner
0becc347b1 configure.ac: inhibit options.h reminder message when --quiet. 2024-08-20 00:25:15 -05:00
David Garske
294362a0b7 Fixes for building x86 in Visual Studio for non-windows OS. 2024-08-19 13:00:41 -07:00
suzuki toshiya
e417091f61 [configure.ac] spell out RFC 5322 "date" format for POSIX-conforming "date" with no extension.
Following to the advice by Daniel Pouzzner (see the discussion in the issue #7874),
no need to invoke "env" command to set LC_TIME.

* IEEE Std 1003.1-2024 does not request the "-R" option:
	https://pubs.opengroup.org/onlinepubs/9799919799/

* Default "date" in Solaris 11.4 does not support "-R":
	https://docs.oracle.com/cd/E88353_01/html/E37839/date-1.html
* Default "date" in HP-UX 11.22 does not support "-R":
	https://man.freebsd.org/cgi/man.cgi?query=date&apropos=0&sektion=0&manpath=HP-UX+11.22&arch=default&format=html
* Default "date" in AIX 7 does not support "-R":
	https://www.ibm.com/docs/en/aix/7.3?topic=d-date-command
2024-08-18 15:50:54 +09:00
gojimmypi
a0fc2f0497 Introduce Espressif common CONFIG_WOLFSSL_EXAMPLE_NAME, Kconfig 2024-08-17 13:42:30 -07:00
Daniel Pouzzner
e562a1c4d1 Merge pull request #7867 from ColtonWilley/cert_copy_option
Add new option to always copy cert buffer for each SSL object
2024-08-17 00:07:00 -05:00
Daniel Pouzzner
b412e5f24e Merge pull request #7879 from dgarske/options_h
Improve wolfssl/options.h issues
2024-08-16 23:54:54 -05:00
Daniel Pouzzner
c90aa27e06 Merge pull request #7882 from kojo1/client-help
Fix <null> in the help message
2024-08-16 23:13:45 -05:00
Takashi Kojo
723adaad20 Fix <null> in the help message 2024-08-17 12:08:07 +09:00
Daniel Pouzzner
9a693f5e65 Merge pull request #7876 from mpsuzuki/fix-config-stray-redirect
Using ">>" with no command in configure can be ambigious for some ancient /bin/sh.
2024-08-16 15:38:39 -05:00
Colton Willey
d5268d8bb5 Update NULL check to be consistent with other checks 2024-08-16 10:46:31 -07:00
Colton Willey
a09e3bb3e7 Use signed variable for length calculation in SendTls13Certificate 2024-08-16 10:43:11 -07:00
Daniel Pouzzner
b693127dcd Analyzer fixes 2024-08-16 17:24:34 +02:00
Juliusz Sosinowicz
a6a40de249 init sssd support
- Refactor OCSP to separate IO callback
- wolfSSL_BIO_reset: fix return
- CheckCertCRL_ex: return CRL_CERT_DATE_ERR instead of ASN_AFTER_DATE_E
- CheckCertCRL_ex: return most relevant error code
- i2d/d2i APIs: correct parameters handling and return codes
- Custom ASN1 structures: major refactor to make it much more versatile
- Use WOLFSSL_ASSERT_SIZEOF_GE where applicable
- wolfSSL_EVP_SignFinal: implement ecc
- wolfSSL_EVP_VerifyFinal: implement ecc
- OBJ_NAME_do_all: bring closer to OpenSSL functionality
- Correct return of *_push api
- Implement:
  - OCSP_REQ_CTX API
  - d2i_ECPKParameters
  - wolfSSL_sk_insert
  - OCSP_parse_url
  - X509_STORE_set1_param
  - X509_get0_subject_key_id
  - X509_OBJECT_retrieve_by_subject
  - OCSP_sendreq_nbio
2024-08-16 17:22:41 +02:00
David Garske
a9be38eaf0 Improve wolfssl/options.h issues. Fixes #7853. 2024-08-15 15:49:43 -07:00
David Garske
1190d1bafe Merge pull request #7873 from SparkiDev/riscv-poly1305-asm
RISC-V 64 ASM: Add Poly1305 implementation
2024-08-15 09:40:06 -07:00
Colton Willey
d056b63742 Always free existing SSL cert to be compatible with openssl behavior 2024-08-15 09:24:44 -07:00
suzuki toshiya
bbdf7fc1b0 [configure.ac] ">>" without preceding command does not work in traditional Bourne shell. 2024-08-15 13:59:16 +09:00
Sean Parkinson
ccd8b9aa8d Merge pull request #7872 from douzzer/20240814-linuxkm-kyber-asm
20240814-linuxkm-kyber-asm
2024-08-15 14:46:55 +10:00
Daniel Pouzzner
003ea8bff0 Merge pull request #7868 from dgarske/pq_xms_lmss
Fixes for building wolfBoot sources for PQ LMS/XMSS
2024-08-14 23:28:12 -05:00
Daniel Pouzzner
14254e8a6e Merge pull request #7862 from bigbrett/wc-test-nocryptocb
cryptocb test disable option
2024-08-14 23:18:02 -05:00
Daniel Pouzzner
0c24aff183 Merge pull request #7864 from gojimmypi/pr-fix-dh-ret
fix interim return variable name when DH enabled
2024-08-14 23:08:29 -05:00
Daniel Pouzzner
39a4780878 Merge pull request #7870 from anhu/pkcs7_correct_issuer
Ensure correct issuer is copied into PKCS7 struct during verification
2024-08-14 23:05:20 -05:00
Daniel Pouzzner
a2acc41b3f wolfcrypt/src/wc_kyber.c: in kyberkey_encapsulate(), don't overallocate "at" for USE_INTEL_SPEEDUP. 2024-08-14 21:51:12 -05:00
Colton Willey
65d7c6a533 Do not overwrite cert in wolfSSL_set_SSL_CTX if one is already set, remove unreachable frees. 2024-08-14 17:07:20 -07:00
Sean Parkinson
3ade7a875e RISC-V 64 ASM: Add Poly1305 implementation
Implementation using standard and vector instructions.
2024-08-15 09:01:34 +10:00
Colton Willey
dcf3af5382 Modify tests to make analyzers happy 2024-08-14 14:33:38 -07:00
Daniel Pouzzner
7a29b1e4fd add comments explaining dependence on idempotency for race-free dynamics re checkedAESNI, haveAESNI, intel_flags, and sha_method. see #7863. 2024-08-14 15:23:48 -05:00
Colton Willey
15abea7f20 Use 1 instead of TRUE 2024-08-14 13:19:43 -07:00
Colton Willey
337cddfd90 Rework implementation to use existing weOwnCert logic 2024-08-14 13:13:25 -07:00
Daniel Pouzzner
1fa2d2d625 ASN: move DecodedCert.extSubjKeyIdSz and .extAuthKeyIdSz out of the OPENSSL_EXTRA gate. fixes test.c:certext_test(), broken by f8c968d8d1 for some valid configs. 2024-08-14 14:45:11 -05:00
Daniel Pouzzner
21484ec75a linuxkm: add asm support for Kyber. 2024-08-14 14:45:11 -05:00
Colton Willey
f4decf84da Enable cert copy by default for openssl extra 2024-08-14 12:16:14 -07:00
Anthony Hu
8b57e3e741 Merge pull request #7807 from Laboratory-for-Safe-and-Secure-Systems/mlkem_compat
ML-KEM compatibility
2024-08-14 13:50:10 -04:00
Anthony Hu
498dadad97 Ensure correct issuer is copied into PKCS7 struct during verification 2024-08-14 11:29:02 -04:00
Juliusz Sosinowicz
055d68db9c Merge pull request #7804 from douzzer/20240728-EVP_PKEY_is_a
20240728-EVP_PKEY_is_a
2024-08-14 16:36:06 +02:00
Daniel Pouzzner
ee966beb77 wolfcrypt/src/evp.c: add wolfSSL_EVP_PKEY_is_a() and test_EVP_PKEY_is_a(). also add test_EVP_CIPHER_key_length() and add missing RC4 clause to wolfSSL_EVP_Cipher_key_length(). 2024-08-14 09:23:02 -05:00
David Garske
01eaa56290 Fixes for building wolfBoot sources for PQ LMS/XMSS.
* Don't throw `#error "This code requires libxmss"`, just gate ext_xmss on HAVE_LIBXMSS. Same for LMS.
2024-08-13 14:10:45 -07:00
Daniel Pouzzner
7dbf2a06dd Merge pull request #7865 from bandi13/fixMemOverrunInTest
Fix possible memory overrun in tests
2024-08-13 15:59:00 -05:00
Colton Willey
ef500c2e62 Add new option to always copy cert buffer for each SSL object 2024-08-13 13:32:25 -07:00
Andras Fekete
ab7bc29006 Fix curl.yml 2024-08-13 16:18:29 -04:00
Andras Fekete
f8c968d8d1 Fix possible memory overrun 2024-08-13 13:43:54 -04:00
gojimmypi
e0e05766ac fix interim return variable name when DH enabled 2024-08-13 09:10:22 -07:00
Fernando Oleo Blanco
5ea22effcc Update documentation 2024-08-13 10:56:25 +02:00
Daniel Pouzzner
3875a1855e Merge pull request #7859 from SparkiDev/aarch64_poly1305_asm_improv
Aarch64 Poly1305 ASM: Improve performance
2024-08-12 18:35:49 -05:00
Daniel Pouzzner
7fac450c92 Merge pull request #7860 from dgarske/have_config
Add missing config.h on .c files
2024-08-12 18:33:04 -05:00
Daniel Pouzzner
869431495f Merge pull request #7861 from bandi13/smallPatches
No need to check for dependencies
2024-08-12 18:30:33 -05:00
Daniel Pouzzner
53f5ded48d Merge pull request #7849 from miyazakh/renesas_tsip_update
RX72N support update
2024-08-12 18:26:32 -05:00
Brett Nicholas
10a3634e86 cmake support 2024-08-12 16:01:15 -06:00
Brett Nicholas
8df5d61179 add optional cryptocb test disable macro to wolfCrypt tests 2024-08-12 15:16:33 -06:00
Andras Fekete
e2d2915fc1 No need to check for dependencies
Suggested in https://github.com/wolfSSL/wolfssl/issues/7857#issuecomment-2283962525
2024-08-12 14:58:02 -04:00
David Garske
08622bab39 Fix to remove NO_BIG_INT from MICROCHIP_PIC32 in settings.h. 2024-08-12 09:29:20 -07:00
David Garske
537827ebde Add missing config.h on some .c files. 2024-08-12 09:29:07 -07:00
Sean Parkinson
3725594020 Aarch64 Poly1305 ASM: Improve performance
Do as many multiplications in base 64 rather than 26 with normal integer
registers.
2024-08-12 12:47:44 +10:00
Sean Parkinson
9f9e89082f Merge pull request #7854 from embhorn/rsa_min_1024
Update default RSA min to 1024
2024-08-12 10:04:13 +10:00
Fernando Oleo Blanco
bec3cd8b6f Document Alire use 2024-08-11 18:36:54 +02:00
Fernando Oleo Blanco
ae7e7e716a Update upstream 2024-08-10 13:56:14 +02:00
Kaleb Himes
f660299de0 Merge pull request #7856 from douzzer/20240809-fips-dev-feature-unlock
20240809-fips-dev-feature-unlock
2024-08-09 16:00:30 -06:00
JacobBarthelmeh
85bab19090 Merge pull request #7845 from ColtonWilley/pkcs7_digest_absent_params
Add option for absent hash params in PKCS7
2024-08-09 15:56:28 -06:00
Hideki Miyazaki
debbea3843 put back the RNG
comment to CUSTOM RAND GENERATE BLOCK
2024-08-10 06:45:18 +09:00
Daniel Pouzzner
0d84597d78 Merge pull request #7855 from embhorn/zd18433
Fix example settings
2024-08-09 15:32:17 -05:00
Daniel Pouzzner
84b91d0e1e Merge pull request #7841 from mrdeep1/dtls_downgrade_cid
Support DTLS1.3 downgrade when server supports CID
2024-08-09 15:30:20 -05:00
Daniel Pouzzner
bba3995434 Merge pull request #7834 from oltolm/cmake_fix
cmake: fix parsing WOLFSSL_DEFINITIONS
2024-08-09 15:24:15 -05:00
Daniel Pouzzner
d351430222 Merge pull request #7840 from mrdeep1/dtls_downgrade
Support DTLS1.3 downgrade when server sends multiple handshakes in packet
2024-08-09 15:22:46 -05:00
Daniel Pouzzner
0d952c3343 Merge pull request #7850 from bandi13/dockerfileFixes
Dockerfile fixes
2024-08-09 15:19:59 -05:00
Daniel Pouzzner
656ba24de5 Merge pull request #7852 from SparkiDev/sp_no_rng_fix
SP: no RNG fix
2024-08-09 15:00:15 -05:00
Daniel Pouzzner
e142b16ae2 Merge pull request #7848 from miyazakh/fips_wcPBKDF2ex
Check klen in byte in wc_PBKDF2_ex
2024-08-09 14:49:53 -05:00
Daniel Pouzzner
034e13298f Merge pull request #7847 from SparkiDev/sp_xfree_2
SP: Remove check of NULL before XFREE
2024-08-09 14:47:05 -05:00
Daniel Pouzzner
98f8ab085e configure.ac: when FIPS_VERSION==dev, unlock features to allow user-forced enablement/disablement. also, add line breaks for clarity on the similar clauses in the v5* section. 2024-08-09 14:38:22 -05:00
Andras Fekete
edb95ae7ae Clear out remnants of old code 2024-08-09 14:22:38 -04:00
Colton Willey
0a5ebaf806 Change SetAlgoIdEx to be local 2024-08-09 11:22:21 -07:00
Eric Blankenhorn
373f5ee9ae Fix example settings 2024-08-09 13:06:29 -05:00
Eric Blankenhorn
9dddd99b3b Update default RSA min to 1024 2024-08-09 10:41:41 -05:00
Sean Parkinson
17a09d9853 SP: no RNG fix
Don't use RNG API when WC_NO_RNG is defined.
2024-08-09 10:18:12 +10:00
Sean Parkinson
2a08d3001c Merge pull request #7846 from douzzer/20240806-debug-trace-errcodes-backtrace
20240806-debug-trace-errcodes-backtrace
2024-08-09 09:45:01 +10:00
Daniel Pouzzner
c25d86c6c7 support/gen-debug-trace-error-codes.sh: tweak for compatibility with mawk. 2024-08-08 15:57:14 -05:00
Andras Fekete
085b78994d Update buildAndPush script 2024-08-08 16:44:22 -04:00
Andras Fekete
63ec8fe83a Add in 'libbacktrace' 2024-08-08 16:14:03 -04:00
Andras Fekete
e1502e7f5b Need a newer version that doesn't complain about libz 2024-08-08 15:39:16 -04:00
Daniel Pouzzner
a75d520727 src/pk.c: fix a null deref (nullPointerRedundantCheck) in wolfSSL_RSA_GenAdd() added in d350ba6c41. 2024-08-08 11:40:57 -05:00
Daniel Pouzzner
24e34aa41a wolfcrypt/src/logging.c: in WOLFSSL_BUFFER(), on averted overrun, log a buffer error rather than silently failing; in wc_backtrace_render(), fix !WOLFSSL_MUTEX_INITIALIZER race mitigation code. 2024-08-08 10:49:05 -05:00
Daniel Pouzzner
f5e775fe95 wolfcrypt/src/wc_kyber.c: fixes for null derefs (nullPointerRedundantCheck) in wc_KyberKey_MakeKeyWithRandom() and wc_KyberKey_Decapsulate() added in d350ba6c41. 2024-08-08 09:13:56 -05:00
Daniel Pouzzner
763ced668e fixes for defects identified by cppcheck and clang-tidy on --enable-debug builds: null deref in tests/api.c:load_pem_key_file_as_der(), redundant declarations in wolfcrypt/benchmark/benchmark.c, and numerous unchecked XSNPRINTF()s in wolfcrypt/src/logging.c and src/internal.c. 2024-08-08 09:00:42 -05:00
Daniel Pouzzner
5f6067c3e1 add --enable-debug-trace-errcodes=backtrace.
* uses libbacktrace to enhance existing "ERR TRACE" messages with backtraces, rendered in same format as the sanitizers.
* adds wc_backtrace_render() and some related callbacks to wolfcrypt/src/logging.c.
* adds an overrideable WOLFSSL_DEBUG_BACKTRACE_RENDER_CLAUSE to the WC_ERR_TRACE() mechanism in wolfssl/wolfcrypt/error-crypt.h.
2024-08-08 09:00:42 -05:00
Hideki Miyazaki
493022b4b4 revert 2b4acf5027
fix build failure when no using TSIP
2024-08-08 18:34:36 +09:00
Hideki Miyazaki
180ad206fc check klen in byte 2024-08-08 08:52:08 +09:00
Sean Parkinson
abc910c03c SP: Remove check of NULL before XFREE
Removed more checks of NULL before XFREE.
Formatting fixes as well.
2024-08-08 09:36:05 +10:00
Daniel Pouzzner
0ab1f1969d Merge pull request #7828 from miyazakh/zd18141_ocspv2multi
Sever side checks OCSP even if it uses v2 multi
2024-08-07 17:40:23 -05:00
Daniel Pouzzner
92952a5538 Merge pull request #7839 from bandi13/noIfXFREE
No if xfree
2024-08-07 17:08:12 -05:00
Andras Fekete
38d191c159 More PR comment fixes 2024-08-07 16:56:57 -04:00
Colton Willey
75c3030554 Add option for absent hash params in PKCS7 2024-08-07 11:07:45 -07:00
Andras Fekete
a31d8c5ce7 Addressing PR comments 2024-08-07 11:14:15 -04:00
Sean Parkinson
632d9653da Merge pull request #7842 from embhorn/zd18417
Fix template DecodeSubjDirAttr to set extSubjDirAttr data
2024-08-07 18:29:04 +10:00
Sean Parkinson
18aa2b8d78 Merge pull request #7843 from dgarske/fix_sp_small_gcc
Fix for SP small calling label with GCC
2024-08-07 09:23:46 +10:00
Daniel Pouzzner
6116d5edb4 Merge pull request #7824 from anhu/maxq10xx_update
Update to the maxq10xx support
2024-08-06 18:01:39 -05:00
Sean Parkinson
2cc5ecf117 Merge pull request #7759 from JacobBarthelmeh/poly1305
w64wrapper for poly1305
2024-08-07 07:31:25 +10:00
Andras Fekete
b6a9c38950 Addressing PR comments 2024-08-06 15:29:32 -04:00
David Garske
91ea7ab206 Fix for SP small calling label with GCC (broken in PR #7753). 2024-08-06 11:05:40 -07:00
David Garske
a30d9c9818 Merge pull request #7833 from SparkiDev/riscv-sha512-asm
RISC-V 64: Add assembly code for SHA-512
2024-08-06 10:39:10 -07:00
Anthony Hu
29a5cc39f2 Duplicate code removed 2024-08-06 10:19:09 -07:00
Anthony Hu
3cf3f297ba Update to the maxq10xx support 2024-08-06 10:19:09 -07:00
Andras Fekete
101088c390 Fix potential NULL dereference 2024-08-06 12:35:01 -04:00
Eric Blankenhorn
1c2b47d8ad Fix template DecodeSubjDirAttr to set extSubjDirAttr data 2024-08-06 11:34:14 -05:00
Jon Shallow
f1c918c261 Support DTLS1.3 downgrade when server supports CID
With --enable-dtlscid, a client sending a Client Hello to a DLTS1.2
server that supports CID, the server provides the appropriate CID and
assumes that CID has been negotiated.

However, in the case of MbedTLS, it then rejects packets that do not
match its expected CID from the client - as wolfSSL no longer sends
the CID as it is not DTLS1.2.

https://datatracker.ietf.org/doc/html/rfc9147#section-4

If a Connection ID is negotiated, then it MUST be contained in all datagrams.

This fix drops the CID if a Hello Verify Request is received, so the
second Client Hello does not include the CID.

https://datatracker.ietf.org/doc/html/rfc6347#section-4.2.1

When responding to a HelloVerifyRequest, the client MUST use the same
parameter values (version, random, session_id, cipher_suites,
compression_method) as it did in the original ClientHello.

Dropping the CID extension does not violate this.
2024-08-06 16:48:04 +01:00
Andras Fekete
3a83c33499 Fix compilation error 2024-08-06 11:44:32 -04:00
Daniel Pouzzner
6fea4f1266 Merge pull request #7803 from SparkiDev/dilithium_hint_check_fix
Dilithium: fix check hint
2024-08-06 10:25:35 -05:00
Jon Shallow
bcbd701155 Support DTLS1.3 downgrade when server sends multiple handshakes in packet
If the server sends Server Hello, Server Key Exchange and Server Hello Done
in a single DTLS packet, but for DTLS1.2 in response to a client DTLS1.3
request, then FIRST_REPLAY state does not occur until the server re-sends
the packet.  At this point wolfSSLconnect() gets used and all bursts into
life.

When processing handshakes in wolfSSL_connect_TLSv13() for case
HELLO_AGAIN_REPLY, downgrade to using  wolfSSLconnect() to continue
processing the remaining handshakes in the packet.

Found when using Mbed TLS for the server.
2024-08-06 16:17:48 +01:00
JacobBarthelmeh
f1ace62363 add null sanity check and adjust add 2024-08-06 09:12:17 -06:00
Andras Fekete
f419e2351b Remove NULL test with 'ptr = NULL' at the end 2024-08-06 10:55:37 -04:00
Andras Fekete
d350ba6c41 remove NULL test with XFREE arguments with dereference 2024-08-06 10:44:59 -04:00
Andras Fekete
d6a7187538 Programmatically remove NULL test with { XFREE() } 2024-08-06 10:37:43 -04:00
Daniel Pouzzner
f7fc0695c1 Merge pull request #7837 from bandi13/fixMemLeak
Fix memory leak
2024-08-06 09:37:10 -05:00
Andras Fekete
208f2d6781 One more occurrence 2024-08-06 10:32:50 -04:00
Andras Fekete
eb0c64d79a Remove NULL test when there is a dereference 2024-08-06 10:29:02 -04:00
Andras Fekete
d7a0f49906 Programmatically remove NULL test before XFREE 2024-08-06 10:20:45 -04:00
Hideki Miyazaki
c947fc8fda sever side checks OCSP even if it uses v2 multi 2024-08-06 13:01:56 +09:00
Sean Parkinson
4062b94fb3 RISC-V 64: Add assembly code for SHA-512
Cleanup RISC-V 64 SHA-256 by removing unused rev_idx.
2024-08-06 10:21:48 +10:00
Sean Parkinson
ac4f3fb75f Merge pull request #7831 from space88man/RSA-callbacks-fulldata
wolfssl/wolfcrypt/pkcs11.sh: add full data RSA PSS mechs
2024-08-06 09:51:57 +10:00
S-P Chan
5083489174 wolfssl/wolfcrypt/pkcs11.sh: add full data RSA PSS mechs 2024-08-06 07:09:47 +08:00
JacobBarthelmeh
cc2ed4a75b add w64Add for build with word64 2024-08-05 16:47:35 -06:00
Sean Parkinson
fc19c36bf8 Dilithium: fix check hint
When all indeces are 0, then don't check hints against indeces.
2024-08-06 08:22:47 +10:00
Andras Fekete
a0b2da98e6 Remove if(ptr) XFREE(ptr) 2024-08-05 17:47:59 -04:00
Tobias Frauenschläger
2a2f9d5916 ML-KEM compatibility
As the WolfSSL implementation of the PQC KEM algorithm kyber also
supports the ML-KEM draft version (enabled by `WOLFSSL_ML_KEM`), we have
to update the groups code point to be compatible with other TLS
implementations (e.g. OQS provider).

Also updated the reference to the source of the values to the current
OQS Github.

Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
2024-08-05 21:19:15 +02:00
Andras Fekete
df0663b70e Fix memory leak
CC="gcc -fsanitize=address" ./configure --enable-dtls  --enable-opensslextra --enable-debug CFLAGS="-DNO_WOLFSSL_SERVER" && make && tests/unit.test
2024-08-05 14:45:35 -04:00
oltolm
ea307c79e5 cmake: fix parsing WOLFSSL_DEFINITIONS 2024-08-05 20:39:23 +02:00
David Garske
039853cbd5 Merge pull request #7813 from SparkiDev/no_system_headers
Don't attempt to include system headers when not required
2024-08-05 11:32:55 -07:00
David Garske
792f81382c Merge pull request #7836 from bigbrett/apple-universal-readme-curl-instructions
apple-universal README update: add curl instructions
2024-08-05 10:51:47 -07:00
David Garske
b26c34c695 Merge pull request #7830 from kojo1/doc-hmac
clarify description, wc_HmacSetKey
2024-08-05 10:51:15 -07:00
Sean Parkinson
0e0c3634ec Don't attempt to include system headers when not required
Some builds don't require system headers: no filesystem and single
threaded.
2024-08-05 10:49:16 -07:00
András Fekete
ab2256c088 Merge pull request #7835 from julek-wolfssl/tar-artifacts
Use tar to preserve links
2024-08-05 13:21:58 -04:00
Juliusz Sosinowicz
332c64a77c docker-OpenWRT.yml: Follow links 2024-08-05 18:31:04 +02:00
Juliusz Sosinowicz
5320b425e7 Use tar to preserve links
Something broke in the actions/download-artifact action and it is not preserving symbolic links. It didn't get a new release so my guess is that something was updated in the node environment or in npm. This is a future proof solution to preserve the fs structure between upload and download.
2024-08-05 18:23:20 +02:00
Brett Nicholas
573ade3178 added curl instructions to apple-universal README 2024-08-05 10:22:41 -06:00
Sean Parkinson
54370cc51e Merge pull request #7829 from douzzer/20240804-SetDNSEntry-double-free
20240804-SetDNSEntry-double-free
2024-08-05 12:51:31 +10:00
Takashi Kojo
8368a32e7e clarify description 2024-08-05 05:59:36 +09:00
Daniel Pouzzner
d65be7af21 wolfcrypt/src/asn.c and wolfssl/wolfcrypt/asn.h: in SetDNSEntry(), defer XFREE(dnsEntry, ...) until end (fixes double free); add PBE_NONE to enum PBESTypes; in EncryptContent(), initialize id to PBE_NONE to fix a -Wmaybe-uninitialized (CheckAlgo() can leave it unchanged even when returning success). 2024-08-04 15:41:52 -05:00
Daniel Pouzzner
9aa0742baa Merge pull request #7798 from dgarske/asn_macros
ASN macro simplification

merged with github CI tests failing due to unrelated upstream changes (same tests all previously succeeded on this PR, with only 25d14f1937 added in the meantime).

supplementary testing with `wolfssl-multi-test.sh ... super-quick-check` after rebase on then-current `master` 15e99c8eff.
2024-08-02 16:36:50 -05:00
David Garske
35b45aa015 Merge pull request #7826 from douzzer/20240802-linuxkm-kernel-6v11
20240802-linuxkm-kernel-6v11
2024-08-02 14:03:38 -07:00
David Garske
25d14f1937 Fail with NOT_COMPILED_IN if someone tries to use ConfirmSignature with NO_ASN_CRYPT. Also default to signature failed. 2024-08-02 08:25:15 -07:00
Daniel Pouzzner
19ea0b22d0 linuxkm: update for kernel 6.11 (__kvmalloc_node_noprof and __kmalloc_cache_noprof). 2024-08-02 10:16:51 -05:00
David Garske
b12a773821 Merge pull request #7818 from SparkiDev/riscv-chacha-asm
RISC-V ChaCha20: assembly implementations
2024-08-02 07:52:53 -07:00
Sean Parkinson
423c1d3e57 fixup 2024-08-02 11:58:50 +10:00
Sean Parkinson
01afe89fa2 Merge pull request #7822 from anhu/WOLFSSL_NO_GOOGLE_TEST
Only run the google test if the WOLFSSL_EXTERNAL_TEST env var is set.
2024-08-02 09:06:21 +10:00
David Garske
a18d0161ef Fixes for minor implicit cast warnings and line length. Also fixed benchmark.c error without ChaCha and unused encrypt_only. 2024-08-01 15:26:02 -07:00
Chris Conlon
a918c0e080 Add TLS13_RSA_PSS_SIGN_CB_NO_PREHASH for TLS 1.3 RSA-PSS PK sign callback without prehash 2024-08-01 15:41:28 -06:00
Anthony Hu
bd88078639 Change to use already existing WOLFSSL_EXTERNAL_TEST 2024-08-01 17:10:53 -04:00
Anthony Hu
1199d5a5a8 If the WOLFSSL_NO_GOOGLE_TEST env var is set, don't run the google test. 2024-08-01 16:41:22 -04:00
David Garske
15e99c8eff Merge pull request #7820 from Laboratory-for-Safe-and-Secure-Systems/sha3_cmake
Build SHA3 assembly with INTEL_SPEEDUP
2024-08-01 11:40:09 -07:00
David Garske
c3adf6635b Merge pull request #7775 from gojimmypi/pr-arduino-script
Update Arduino publishing script for 5.7.2 release
2024-08-01 11:24:40 -07:00
David Garske
9f62ff6e38 Merge pull request #7691 from julek-wolfssl/ntp-action
Add ntp action
2024-08-01 11:19:13 -07:00
David Garske
d2373246ad Merge pull request #7657 from julek-wolfssl/cyrus-sasl-test-retry
Retry sasl tests as they appear to be flaky
2024-08-01 11:18:54 -07:00
David Garske
e1c1b5019e Merge pull request #7651 from julek-wolfssl/rng-tools-action
Add rng-tools action
2024-08-01 11:16:17 -07:00
David Garske
16d05972ed Merge pull request #7819 from julek-wolfssl/mosq-tests-retry
Retry mosquitto tests as they appear to be flaky
2024-08-01 11:15:53 -07:00
David Garske
65283fb9bb Improvement for the --enable-asn=nocrypt. Note: This option skips certificate signature checking, so make check TLS expected failures do not pass. Cleanup of the api.c headers / macros. 2024-08-01 10:27:22 -07:00
Tobias Frauenschläger
aee446f3e5 Build SHA3 assembly with INTEL_SPEEDUP
Make sure the file `sha3_asm.S` is compiled when `WOLFSSL_INTEL_ASM` is
enabled using CMake.

Signed-off-by: Tobias Frauenschläger <tobias.frauenschlaeger@oth-regensburg.de>
2024-08-01 16:31:18 +02:00
Juliusz Sosinowicz
4c86219afa Retry mosquitto tests as they appear to be flaky 2024-08-01 14:17:19 +02:00
Juliusz Sosinowicz
edb5d09e6c Add rng-tools action 2024-08-01 13:56:37 +02:00
Juliusz Sosinowicz
90861d9e6d Retry sasl tests as they appear to be flaky 2024-08-01 12:05:33 +02:00
Juliusz Sosinowicz
3943e1324f Add ntp action 2024-08-01 11:54:47 +02:00
Sean Parkinson
ebb49b6e68 RISC-V ChaCha20: assembly implementations
ChaCha20:
  scalar and vector implementations
  vector implementations doing 6, 4, 2, 1 block at a time.
  scalar implemetations using roriw and pack
  vector implementations using VROR_VI and roriw.

RISC-V SHA-256: avoid using s0 if it can be helped.
2024-08-01 17:51:59 +10:00
Sean Parkinson
1b8254d668 Merge pull request #7808 from Laboratory-for-Safe-and-Secure-Systems/preTBS_memory_leak
Fix memory leak in wc_GeneratePreTBS()
2024-08-01 08:47:47 +10:00
Sean Parkinson
1bc085358a Merge pull request #7817 from dgarske/wildcard_c
Fix for .c files to ensure macro guards for wildcard
2024-08-01 08:46:35 +10:00
David Garske
1dd94bb0cb Fix for .c files to ensure macro guards for wildcard. 2024-07-31 14:23:05 -07:00
David Garske
54997837f4 Merge pull request #7805 from julek-wolfssl/wolfSSL_X509_REQ_add1_attr_by_NID-push-cleanup
wolfSSL_X509_REQ_add1_attr_by_NID: clean up push call for analyzers
2024-07-31 13:16:30 -07:00
David Garske
1ade735579 Merge pull request #7815 from douzzer/20240731-Wconversion
20240731-Wconversion
2024-07-31 13:15:08 -07:00
David Garske
7023d5212c Fix for --enable-all --enable-asn=original. 2024-07-31 13:10:52 -07:00
Daniel Pouzzner
6017c86e5d wolfcrypt/src/wc_port.c: fix -Wconversions in wc_strdup_ex(). 2024-07-31 19:36:59 +00:00
David Garske
548a2c6d8e Fixed issues building with nocrypt. Improved logic on ASN_BER_TO_DER. Improved logic on unknown extension callback (new WC_ASN_UNKNOWN_EXT_CB gate). 2024-07-31 09:42:46 -07:00
Sean Parkinson
407b78962e Merge pull request #7811 from lealem47/removeNULL
Remove HAVE_NULL_CIPHER from --enable-openssh
2024-07-31 21:55:13 +10:00
Sean Parkinson
dbf88e4c73 Merge pull request #7779 from rizlik/ocsp-dfree-fix
ocsp: don't free ocsp request if saved in ssl->ctx->certOcspRequest
2024-07-31 09:31:42 +10:00
Sean Parkinson
ad76038b86 Merge pull request #7812 from dgarske/fix_tls12_secret_callback
Fix for TLS v1.2 secret callback, incorrectly detecting bad master secret
2024-07-31 09:29:09 +10:00
David Garske
6a1139a6ee Merge pull request #7758 from SparkiDev/riscv-sha256-asm
RISC-V 64: Add assembly code for SHA-256
2024-07-30 16:23:57 -07:00
Sean Parkinson
31cb72ed8a Merge pull request #7788 from anhu/kyber_with_fips
Allow kyber to be built with FIPS
2024-07-31 09:04:29 +10:00
David Garske
1d9b86e2b0 Fix for TLS v1.2 secret callback, incorrectly detecting bad master secret. API test cleanups (no sleep needed). 2024-07-30 11:54:17 -07:00
David Garske
877c1d781f Fix bad C89 XSNPRINTF remap. 2024-07-30 10:39:48 -07:00
David Garske
bbbc1e074c Fixes for clang-tidy. 2024-07-30 10:35:21 -07:00
David Garske
afb6fe6c5f Fixes for building due to missing OCSP and DecodePolicyOID (--enable-curl and --enable-openssh). 2024-07-30 10:35:21 -07:00
David Garske
20f7d6f9f4 ASN macro simplification. Added new --enable-asn=all and WOLFSSL_ASN_ALL option. Added granular macros for ASN features like: WOLFSSL_ASN_CA_ISSUER, WOLFSSL_ASN_PARSE_KEYUSAGE, WOLFSSL_ASN_TIME_STRING, WOLFSSL_OCSP_PARSE_STATUS. 2024-07-30 10:35:20 -07:00
Lealem Amedie
fb3185bb72 Remove HAVE_NULL_CIPHER from --enable-openssh 2024-07-30 10:46:56 -06:00
András Fekete
50d60bf0e7 Code sonar cleanup (#7782)
* Fix Warning 826814.9284764
* Fix Warning 826836.9285316
Co-authored-by: Andras Fekete <andras@wolfssl.com>
2024-07-30 09:42:43 -07:00
Daniel Pouzzner
f4c16d22a1 Merge pull request #7806 from SparkiDev/dilithium_der_fix
Dilithium: DER encoding fix
2024-07-30 09:43:39 -05:00
Tobias Frauenschläger
36d01cdb9b Fix memory leak in wc_GeneratePreTBS()
In the wc_GeneratePreTBS() method (used for WOLFSSL_DUAL_ALG_CERTS
support), there was a workaround for alt names in certificates, as the
CopyDecodedToX509() method wasn't properly copying them. As a proper
copy mechanism is implemented now, we have to remove the workaround as
it now causes a memory leak of the copied values.

Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
2024-07-30 10:38:48 +02:00
Sean Parkinson
f1e01e4636 RISC-V 64: Add assembly code for SHA-256
Move common defines out of AES file to header file.
2024-07-30 12:21:13 +10:00
Sean Parkinson
7da6149250 Merge pull request #7792 from dgarske/sprintf
Fix for using sprintf in test.h
2024-07-30 09:18:50 +10:00
Sean Parkinson
1681cb2d7e Dilithium: DER encoding fix
Underlying function SetAsymKeyDer() changed semantics.
Update tests to reflect new behaviour.
2024-07-30 09:09:26 +10:00
David Garske
f9dc5e9f4d Fixes for uses of deprecated sprintf. If C89 remap XSNPRINTF to use sprintf. 2024-07-29 14:03:44 -07:00
David Garske
6d39a78dba Fix for using sprintf.
Resolves warning:

```
./configure CC="gcc -fsanitize=address" && make
In file included from ./wolfclu/clu_header_main.h:71:
/usr/local/include/wolfssl/test.h:1103:18: error: 'sprintf' is deprecated: This function is provided for compatibility reasons only.  Due to security concerns inherent in the design of sprintf(3), it is highly recommended that you use snprintf(3) instead. [-Werror,-Wdeprecated-declarations]
        strLen = sprintf(serialMsg, " %s", words[3]);
                 ^
```
2024-07-29 11:22:32 -07:00
David Garske
3fc7be8e3b Merge pull request #7793 from gojimmypi/pr-platformio-update
Update PlatformIO examples to wolfssl 5.7.2
2024-07-29 11:09:30 -07:00
Juliusz Sosinowicz
2d5462d77d wolfSSL_X509_REQ_add1_attr_by_NID: clean up push call for analyzers 2024-07-29 18:18:07 +02:00
Marco Oliverio
31380aca13 fixup! ocsp: don't free ocsp request if saved in ssl->ctx->certOcspRequest 2024-07-29 15:00:41 +00:00
Sean Parkinson
034af8d99c Merge pull request #7787 from dgarske/stm32u5a
Fix STM32 Hash FIFO and add support for STM32U5A9xx
2024-07-29 17:36:52 +10:00
Sean Parkinson
3b74a64029 Merge pull request #7791 from aidangarske/privkeytoder_fix2
`api.c` and `asn.c` changes to allow 0 to be passed in and expanded coverage on test cases.
2024-07-29 09:40:20 +10:00
András Fekete
b1765ca6b4 Merge pull request #7785 from dgarske/asn_original
Fixes for ASN original
2024-07-26 14:49:13 -04:00
David Garske
5e58affd5d Merge pull request #7789 from SparkiDev/test_ssl_load
SSL loading of keys/certs: testing and fixes
2024-07-26 11:48:13 -07:00
Sean Parkinson
f7094ff3c4 Dilithium: add option to precalc with small sign (#7744)
WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC added.
It allocates memory for and pre-calculates s1, s2 and t0.
This saves decoding the vectors repeatedly in each signature trial.
2024-07-26 11:46:55 -07:00
David Garske
c3b5322f86 Merge pull request #7753 from SparkiDev/cortexm_label_fix_2
Cortex-M/Thumb2 ASM: fix label
2024-07-26 11:45:09 -07:00
Sean Parkinson
caab2c2dca SSL loading of keys/certs: testing and fixes
Added tests to cover ssl_load.c functions.
Fixes from testing.
pk.c: renamed wolfssl_dh_load_key to wolfssl_dh_load_params as it
doesn't handle keys - just parameters.
2024-07-26 11:43:10 +10:00
Daniel Pouzzner
92f1c6e339 Merge pull request #7794 from anhu/custom_ext_stop
Stop testing custom extensions in dual alg cert tests.
2024-07-25 16:33:56 -05:00
JacobBarthelmeh
56eed9e059 Merge pull request #7795 from douzzer/20240725-array_add-Wconversion
20240725-array_add-Wconversion
2024-07-25 15:19:25 -06:00
Daniel Pouzzner
b40913e80c wolfcrypt/src/random.c: restore outer cast in array_add() to avoid -Wconversion added in b28e22aef0, itself a fix for a defect added in ed11669f3c (root cause of warning is implicit type promotion). 2024-07-25 15:25:32 -05:00
Anthony Hu
73dc9baaf9 Stop testing custom extensions in dual alg cert tests. 2024-07-25 16:09:19 -04:00
gojimmypi
c2e8121462 Update PlatformIO examples to wolfssl 5.7.2 2024-07-25 12:04:58 -07:00
David Garske
42930b28f3 Merge pull request #7790 from JacobBarthelmeh/random
fix for casting with add
2024-07-25 09:13:23 -07:00
aidan garske
55540d03e7 fix for PR#7786 BUFFER_E bad case 2024-07-25 09:03:19 -07:00
JacobBarthelmeh
b28e22aef0 fix for casting with add 2024-07-25 09:16:05 -06:00
aidan garske
dace3acd4d api.c and asn.c changes to allow 0 to be passed in and expanded coverage on test cases
(cherry picked from commit 8572f67e60d419ddd74d4a2b7051dcaa7d0ca6b4)
2024-07-25 08:09:37 -07:00
Anthony Hu
181c408d17 Allow kyber to be built with FIPS 2024-07-24 20:36:51 -04:00
David Garske
c4f73f5955 Peer review cleanups. 2024-07-24 16:57:51 -07:00
Sean Parkinson
324e714a6a Merge pull request #7750 from space88man/wip-padding-refactor
PKCS#11 RSA Padding Offload
2024-07-25 09:20:01 +10:00
David Garske
42403a526e Fix to resolve STM32 hash FIFO. Simplify logic for ensuring FIFO gets filled before doing a save/restore. ZD 18294 2024-07-24 16:06:04 -07:00
Kaleb Himes
3a4788b7bb Merge pull request #7783 from douzzer/20240723-AesGcmXcrypt-NULL-in-checks
20240723-AesGcmXcrypt-NULL-in-checks
2024-07-24 15:33:42 -06:00
David Garske
7f7d94abd5 Fixes for ASN original (old) to support checking int leading 0 and invalid OID. Disable invalid UTF8 test for old ASN (only supported with newer ASN template). 2024-07-24 12:35:37 -07:00
David Garske
97dcf123f0 Merge pull request #7780 from ColtonWilley/update_zephyr_readme
Update zephyr readme
2024-07-24 10:42:44 -07:00
David Garske
4b9d89d387 Fix autoconf issue with == 2024-07-24 09:10:25 -07:00
David Garske
3e2123f0b3 Disable the ECC custom curve tests for original (old) ASN. 2024-07-24 08:45:19 -07:00
David Garske
007f9ea39d Fix to restore --enable-asn=original. Fixes for building with ASN original (old). Add the new limit checks for alt names and subtree to the old ASN code. 2024-07-24 08:28:25 -07:00
Marco Oliverio
a1fbfa94d2 tests: add OCSP callback fails test 2024-07-24 15:20:11 +00:00
S-P Chan
d2d71c276d wolfssl/wolfcrypt/pkcs11.h: RSA PKCS/PSS/OAEP related operations 2024-07-24 22:47:27 +08:00
David Garske
d0782a97ce Merge pull request #7773 from Laboratory-for-Safe-and-Secure-Systems/kyber_compat
Kyber fixes
2024-07-24 07:37:10 -07:00
Tobias Frauenschläger
e2b642d4ab WolfSSL Kyber and CMake fixes
* Make sure wc_kyber implementation is compiled using CMake (also for
  Zephyr)
* Fix compilation issue when Liboqs is also enabled
* Fix WOLFSSL_INTEL_ASM and WOLFSSL_ARM_ASM CMake options

Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
2024-07-24 09:55:29 +02:00
Daniel Pouzzner
f8726148df wolfcrypt/src/aes.c: in wc_AesGcmEncrypt() and wc_AesGcmDecrypt(), check and return BAD_FUNC_ARG for nonzero sizes associated with null pointers. 2024-07-23 19:07:32 -05:00
Sean Parkinson
3284f53574 Cortex-M/Thumb2 ASM: fix label
IAR doesn't like %=.
Fix code to be consistent in use of labels and branch instructions.
2024-07-24 09:20:40 +10:00
Sean Parkinson
a34ea32f52 Merge pull request #7730 from anhu/unknownExtCallbackEx
Extend the unknown extension callback.
2024-07-24 08:37:44 +10:00
Colton Willey
e1995b8313 Update zephyr readme with link to new instructions for Zephyr TLS socket support 2024-07-23 09:56:17 -07:00
David Garske
140abe6c72 Merge pull request #7746 from douzzer/20240711-linuxkm-cross-compilation
20240711-linuxkm-cross-compilation
2024-07-23 09:26:39 -07:00
Marco Oliverio
bb60c58800 ocsp: don't free ocsp request if saved in ssl->ctx->certOcspRequest 2024-07-23 16:02:07 +00:00
Daniel Pouzzner
6ee22de999 linuxkm: initial support for cross-compilation.
also, additional backward-compatibility measures around cp and clean recipe in linuxkm/Makefile.

also, in sp_int.c, tweak DECL_DYN_SP_INT_ARRAY() to use an explicit XMEMSET() to clear n[], to avoid unshimmable implicit memset() from gcc on aarch64.
2024-07-23 10:29:03 -05:00
David Garske
8f908e76f9 Merge pull request #7776 from douzzer/20240722-fixes
20240722-fixes
2024-07-23 06:46:38 -07:00
David Garske
7c6eb7c4a1 Merge pull request #7751 from SparkiDev/ecc_koblitz_ssl
ECC key load: fixes
2024-07-22 16:40:59 -07:00
Daniel Pouzzner
367508f498 wolfcrypt/src/asn.c: in EccSpecifiedECDomainDecode(), in calls to DataToHexString(), cast curve->size to word32 to resolve -Wconversion.
wolfcrypt/src/dh.c: in GeneratePrivateDh186(), add explicit suppression of uninitvar for "cBuf" arg that isn't fully initialized.

wolfcrypt/test/test.c: in mp_test_param(), explicitly initialize "buffer" to avoid uninitvar warning.

configure.ac: in FIPS builds, don't include enable_cryptocb in --enable-all or --enable-all-crypto.  (they can still be enabled explicitly in FIPS builds with --enable-cryptocb, but the combination is not currently supported.)
2024-07-22 18:21:36 -05:00
Sean Parkinson
a3b6ec4a13 Merge pull request #7716 from anhu/post-hs-auth-check
Check the return code when calling post handshake auth functions
2024-07-23 08:20:51 +10:00
Anthony Hu
b1dcdabcd4 Check the return code when calling post handshake auth functions 2024-07-22 17:10:59 -04:00
David Garske
6a26569ddc Support for STM32U5A9xx board. Fixes for building example with fast math (TFM) and CMSIS OS 2. 2024-07-22 14:09:15 -07:00
gojimmypi
a07a658771 Update Arduino publishing script for 5.7.2 release 2024-07-22 09:32:08 -07:00
David Garske
604a1fe2da Merge pull request #7774 from Laboratory-for-Safe-and-Secure-Systems/zephyr_v3_7
Zephyr V3.7 warning fix
2024-07-22 07:15:46 -07:00
Tobias Frauenschläger
bdfe2c3fdf Zephyr V3.7 warning fix
The required feature flag CONFIG_PTHREAD_IPC is deprecated since Zephyr
version 3.7. The new option is CONFIG_POSIX_THREADS. This change clears
the warning.

Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
2024-07-22 10:58:20 +02:00
David Garske
a9ff7730ce Merge pull request #7772 from douzzer/20240719-test-hpke-PRIVATE_KEY_UNLOCK
20240719-test-hpke-PRIVATE_KEY_UNLOCK
2024-07-20 11:44:08 -07:00
Daniel Pouzzner
765231060e wolfcrypt/test/test.c: add missing PRIVATE_KEY_UNLOCK() for hpke_test(). 2024-07-19 18:31:01 -05:00
Daniel Pouzzner
6952d1a5ea wolfssl/wolfcrypt/error-crypt.h: add NO_STDIO_FILESYSTEM definition for WC_ERR_TRACE(). 2024-07-19 18:30:31 -05:00
David Garske
33f71f6f60 Merge pull request #7770 from bandi13/fixWolfEngineFlag
Fix the actual definition of the ECC_MIN_KEY_SZ
2024-07-19 14:37:55 -07:00
David Garske
575df43889 Merge pull request #7768 from JacobBarthelmeh/copyright
update copyright to 2024
2024-07-19 14:27:39 -07:00
David Garske
4d8a6b84fb Merge pull request #7760 from douzzer/20240718-BIO_DGRAM-memory-leak
20240718-BIO_DGRAM-memory-leak
2024-07-19 14:24:30 -07:00
David Garske
16a2d2e71d Merge pull request #7769 from douzzer/20240719-PQ-fixes
20240719-PQ-fixes
2024-07-19 14:20:33 -07:00
aidan garske
74e161e437 Merge branch 'InitSuites_Orderadj' of github.com:aidangarske/wolfssl into InitSuites_Orderadj 2024-07-19 13:19:13 -07:00
aidan garske
f8814fb68f InitSuites changes to order making BUILD_TLS_AES_256_GCM_SHA384 be prioritized over BUILD_TLS_AES_128_GCM_SHA256 to match TLS 1.2. 2024-07-19 13:14:10 -07:00
Andras Fekete
c3d30e7987 Fix the actual definition of the ECC_MIN_KEY_SZ 2024-07-19 16:01:56 -04:00
JacobBarthelmeh
f5ed2460df cast to larger type for multiplication 2024-07-19 13:59:05 -06:00
Daniel Pouzzner
787397b28e src/bio.c and related:
* refactor WOLFSSL_BIO.num and WOLFSSL_BIO.ptr as unions, for clarity and bug resistance (no functional changes).

* in wolfSSL_BIO_free(), add WOLFSSL_BIO_DGRAM to the test for closing bio->num.fd, fixing a descriptor leak.

* use SOCKET_INVALID consistently as the invalid value for WOLFSSL_BIO.num.fd, and use SOCKET_T consistently as the internal type for file descriptors.

* move the definitions for SOCKET_T and SOCKET_INVALID from wolfio.h to the filesystem section of wc_port.h, and allow override definitions of SOCKET_T.

detected and tested with wolfssl-multi-test.sh ... pq-hybrid-all-rpk-valgrind-unittest. also tested with wolfssl-multi-test.sh ... super-quick-check.
2024-07-19 14:50:26 -05:00
Daniel Pouzzner
e13a8ddcfb fixes for null derefs in native Dilithium and Kyber implementations, detected by unit.test and cppcheck. 2024-07-19 14:35:39 -05:00
Daniel Pouzzner
0aa0f26289 wolfcrypt/src/dilithium.c: fix null deref in wc_dilithium_init_ex(). 2024-07-19 14:25:53 -05:00
JacobBarthelmeh
31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
JacobBarthelmeh
8a9c893c6f fix for initialization of high value and funtction signature 2024-07-19 11:03:44 -06:00
David Garske
0eeae4da8c Merge pull request #6460 from embhorn/mosquitto_osp
Add support for Mosquitto OSP
2024-07-19 07:49:32 -07:00
David Garske
bd5586623a Merge pull request #7703 from SparkiDev/def_ticket_cbc_hmac
Default session ticket enc/dec: allow AES-CBC with HMAC
2024-07-19 07:41:27 -07:00
David Garske
74d4ae0075 Merge pull request #7704 from aidangarske/PKCS7_PEM
Added PKCS7 PEM support:
2024-07-19 07:39:51 -07:00
David Garske
3e02a70c07 Merge pull request #7707 from JacobBarthelmeh/psk
use max key length for PSK encrypt buffer size
2024-07-19 07:38:57 -07:00
David Garske
851bb34f3c Merge pull request #7762 from ColtonWilley/increase_default_max_alt_names
Increase default max alt names from 128 to 1024
2024-07-19 07:37:50 -07:00
David Garske
08b211c3bb Merge pull request #7761 from kareem-wolfssl/zd18300
Fix not calling the signing callback when using PK callbacks + TLS 1.3.
2024-07-19 07:37:37 -07:00
David Garske
b5e188830d Merge pull request #7755 from philljj/misc_cleanup
Misc cleanup: FreeX509 null pointer checks, and spelling cleanup.
2024-07-19 07:37:24 -07:00
David Garske
8bf2fb0ae0 Merge pull request #7765 from Laboratory-for-Safe-and-Secure-Systems/dilithium_fixes
Dilithium fixes
2024-07-19 07:36:05 -07:00
David Garske
b3c812921a Merge pull request #7764 from gojimmypi/pr-asn-update
minor asn update: comments, code format, dateType check in CheckDate.
2024-07-19 07:35:02 -07:00
Tobias Frauenschläger
f87849b6f6 Dilithium fixes
* Fixed incorrect XFREE calls
* Use key->heap where possible
* Fixed compilation with WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM and
  WC_DILITHIUM_CACHE_PUB_VECTORS
* Fixed compilation with WOLFSSL_DILITHIUM_ASSIGN_KEY (const pointers)

Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
2024-07-19 07:52:14 +02:00
gojimmypi
8356b349a5 minor asn update: comments, code format, dateType check in CheckDate. 2024-07-18 18:25:53 -07:00
Sean Parkinson
e6fcd488a6 Merge pull request #7685 from dgarske/renesas_rx_tsip
Renesas RX TSIP ECDSA support
2024-07-19 10:53:00 +10:00
Sean Parkinson
47dcac657c Merge pull request #7763 from douzzer/20240718-cppcheck-2v14v2-suppressions
20240718-cppcheck-2v14v2-suppressions
2024-07-19 10:03:04 +10:00
David Garske
4eab0f1231 Fix hard coded values in TSIP ECC verify. Fix issues with tab indentation and spelling. 2024-07-18 16:45:27 -07:00
Daniel Pouzzner
4bc04673d1 suppress 4 uninitvar warnings, all associated with passing partially written arrays (true but benign positives). newly detected by cppcheck 2.14.2. 2024-07-18 17:22:17 -05:00
Hideki Miyazaki
945a24e5b4 fix compile error 2024-07-19 06:41:17 +09:00
Colton Willey
a82b76978e Modify max altname test to run if limit has been lowered 2024-07-18 11:28:11 -07:00
Colton Willey
7434092a3a Increase default max alt names from 128 to 1024 2024-07-18 11:11:38 -07:00
Kareem
3492caba51 Fix not calling the signing callback when using PK callbacks + TLS 1.3. 2024-07-18 10:33:19 -07:00
JacobBarthelmeh
04ab561a65 add smallstack support for poly1305 w64wrapper 2024-07-18 07:30:08 -06:00
JacobBarthelmeh
902087df6f add w64wrapper support in poly1305 2024-07-18 07:21:57 -06:00
Sean Parkinson
27c3140c2b Merge pull request #7757 from douzzer/20240717-fixes
20240717-fixes
2024-07-18 10:41:03 +10:00
Daniel Pouzzner
c36ab59f24 fixes for defects identified by nightly testing:
* ecc.c: in wc_ecc_free(), fix gating around handling for key->sign_k to resolve memory leak, and in wc_ecc_gen_deterministic_k(), fix -Wconversion.

* test.c: add missing mp_free()s to ecdsa_test_deterministic_k_rs() and ecc521_test_deterministic_k().

* wc_HashType: change several occurrences of int to enum wc_HashType, including ecc_key.hashType and API wc_ecc_set_deterministic_ex(), to resolve C++ warnings.

* fixes for various C++ warnings/errors in crypto and TLS layers and test and benchmark code -- implicit casts, negative initializers for unsigned type, jumped initializers, and missing enums in switch()es.
2024-07-17 18:07:08 -05:00
jordan
6a745518bc Misc cleanup: FreeX509 null pointer checks, and spelling cleanup. 2024-07-17 10:04:52 -05:00
Sean Parkinson
ec9fcf5353 Merge pull request #7648 from douzzer/20240418-exosip-apis
20240418-exosip-apis
2024-07-17 22:59:34 +10:00
David Garske
bbd8fdfc38 Cleanup Renesas RX default devId and improve logic for overflow check. 2024-07-16 17:48:16 -07:00
Daniel Pouzzner
ee7748f2e3 PR7648 20240418-exosip-apis peer review:
* tweak typography;
* move wolfSSL_i2d_X509_PUBKEY() from ssl.c to x509.c;
* in asn.h, add !NO_ASN_OLD_TYPE_NAMES macros to remap old names (ISSUER, SUBJECT, BEFORE, AFTER) by default unless the macros are already defined.
2024-07-16 19:12:19 -05:00
Daniel Pouzzner
9023aeef75 BIO/wolfio: refactor TranslateReturnCode(), wolfSSL_LastError(), and TranslateIoError() into complete+consistent wolfSSL_LastError() and TranslateIoReturnCode(), handling all special cases correctly, and correctly returning WOLFSSL_CBIO_ERR_WANT_WRITE and WOLFSSL_CBIO_ERR_TIMEOUT. use TranslateIoReturnCode() directly in wolfIO_Recv(), wolfIO_Send(), wolfIO_RecvFrom(), wolfIO_SendTo(), and remove now-superfluous TranslateIoError() calls from EmbedReceive(), EmbedSend(), EmbedReceiveFrom(), EmbedSendTo(), EmbedReceiveFromMcast(). 2024-07-16 19:12:19 -05:00
Daniel Pouzzner
5298039d09 fixes from peer review: move OS-specific code from wolfSSL_BIO_read() and wolfSSL_BIO_write() to wolfIO_Recv(), wolfIO_Send(), wolfIO_RecvFrom(), and wolfIO_SendTo(); add SOCKET_ETIMEDOUT definitions to wolfio.h; misc cleanups. 2024-07-16 19:12:19 -05:00
Daniel Pouzzner
0c1163f01f src/bio.c: restore inadvertently removed update of bio->connected in wolfSSL_BIO_ctrl() case BIO_CTRL_DGRAM_SET_CONNECTED. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
9e99544315 wolfssl/ssl.h: fix double-WOLFSSL_API on wolfSSL_CTX_load_verify_locations_compat(). 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
1159fc333f src/bio.c: in wolfSSL_BIO_ADDR_size(), add missing gate on HAVE_SYS_UN_H for AF_UNIX. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
51c49b678e src/bio.c: fix gating for WOLFSSL_BIO_DGRAM handling. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
0a928ead3f address peer review around WOLFSSL_HAVE_BIO_ADDR:
refactor housekeeping for bio->bytes_read and bio->bytes_write, and add WOLFSSL_BIO_HAVE_FLOW_STATS gate;

add WOLFSSL_BIO_FLAG_RETRY housekeeping for WOLFSSL_BIO_SOCKET and WOLFSSL_BIO_DGRAM;

refactor WOLFSSL_BIO.peer_addr to be inline rather than a pointer;

add wolfSSL_set_mtu_compat() and wolfSSL_CTX_load_verify_locations_compat() implementations;

enable WOLFSSL_HAVE_BIO_ADDR and WOLFSSL_DTLS_MTU when OPENSSL_ALL.
2024-07-16 19:12:18 -05:00
Daniel Pouzzner
61eb6987d0 src/ssl.c: remove old version of wolfSSL_set_bio(). 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
62db3533ae wolfSSL_CTX_load_verify_locations(): set up with OpenSSL-compatible behavior (WOLFSSL_LOAD_FLAG_IGNORE_ERR). 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
2d370f3e4e wolfSSL_BIO_read(): return MEMORY_E if wolfSSL_BIO_ADDR_new() fails. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
7216a543dd checkpoint: complete test_wolfSSL_BIO_datagram(); fix some WOLFSSL_HAVE_BIO_ADDR gates to also gate on WOLFSSL_DTLS and OPENSSL_EXTRA; use DTLS_RECVFROM_FUNCTION, DTLS_SENDTO_FUNCTION, SOCKET_T, SOCKADDR, SOCKADDR_IN, and SOCKADDR_IN6 macros and types, and add SOCKADDR_UN type. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
bd7f7c8bdf checkpoint: add wolfSSL_BIO_ADDR_free to wolfSSL_BIO_free(); tweak EXPECT_SUCCESS() to tolerate TEST_SKIPPED; add WIP test_wolfSSL_BIO_datagram. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
29ec038aa6 checkpoint: add WOLFSSL_BIO_ADDR, wolfSSL_BIO_ADDR_new(), wolfSSL_BIO_ADDR_free(), wolfSSL_BIO_ADDR_clear(), wolfIO_SendTo(), wolfIO_RecvFrom(); fix name of wolfSSL_BIO_s_datagram(). 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
08940866c3 checkpoint progress: add macro definitions for BIO_CTRL_DGRAM_SET_CONNECTED, BIO_CTRL_DGRAM_SET_PEER, WOLFSSL_MULTI_LABEL_WILDCARDS, WOLFSSL_MULTI_LABEL_WILDCARDS, NID_id_GostR3410_2001, NID_id_GostR3410_2012_256, NID_id_GostR3410_2012_512; fix flag arithmetic in wolfSSL_X509_check_host(); add compat macros for i2d_X509_PUBKEY, BIO_new_dgram. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
3f921e0a32 checkpoint progress: add wolfSSL_BIO_s_dgram, wolfSSL_BIO_new_dgram, WOLFSSL_BIO_DGRAM, and remove now-duplicate prototype and definition of wolfSSL_X509_STORE_get0_param. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
8468a70b72 add wolfSSL_i2d_X509_PUBKEY, wolfSSL_X509_VERIFY_PARAM_lookup, and wolfSSL_X509_STORE_get0_param, and make wolfSSL_X509_VERIFY_PARAM_inherit a public API; add macros to openssl compat layer: DTLS_client_method, DTLS_server_method, X509_VERIFY_PARAM_lookup, X509_VERIFY_PARAM_inherit, X509_STORE_get0_param; add "const char *name" slot to struct WOLFSSL_X509_VERIFY_PARAM to support wolfSSL_X509_VERIFY_PARAM_lookup. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
1e7810153f add wolfSSL_set_rbio, wolfSSL_set_wbio, wolfSSL_BIO_number_read, wolfSSL_BIO_number_written, and compat layer shim macros SSL_set0_rbio, SSL_set0_wbio, BIO_number_read, BIO_number_written, BIO_reset. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
41efa0492c add ASN_ prefixes to ISSUER, SUBJECT, BEFORE, and AFTER enum constants defined in wolfssl/wolfcrypt/asn.h. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
198f4030e8 add stub implementations of wolfSSL_COMP_get_name(), wolfSSL_get_current_compression(), and wolfSSL_get_current_expansion(), and add compat layer shim macros for them. 2024-07-16 19:12:18 -05:00
Daniel Pouzzner
685bfd1f9d add wolfSSL_get0_peername() and SSL_set_mtu(). 2024-07-16 19:12:18 -05:00
Sean Parkinson
0f3ebedba0 Merge pull request #7700 from aidangarske/ECDSA_deterministic_k
ecc.c and test.c changes to add support in ecc_sign_determinsitic.c
2024-07-17 09:12:32 +10:00
JacobBarthelmeh
0be4041479 Merge pull request #7727 from SparkiDev/dilithium_fixed_array
Dilithium: support fixed size arays in dilithium_key
2024-07-16 16:54:34 -06:00
aidan garske
237df2cb11 Hash Type selection changes to ecc.c. 2024-07-16 15:17:40 -07:00
Sean Parkinson
500951f059 Dilithium: support fixed size arays in dilithium_key
Support fixed size arrays for pre-generated matrix and vectors.
Define: WC_DILITHIUM_FIXED_ARRAY
2024-07-17 07:36:14 +10:00
aidan garske
96af77d757 Hash Type selection changes to ecc.c. 2024-07-16 11:12:29 -07:00
JacobBarthelmeh
bbd769d43a Merge pull request #7728 from SparkiDev/poly1305_aarch64_uniq_name
Poly1305 AArch64: unique naming of asm funcs
2024-07-16 10:10:54 -06:00
Eric Blankenhorn
1112751654 mosquitto workflow update 2024-07-16 10:28:40 -05:00
Eric Blankenhorn
4d247a3a88 Update to mosquitto 2.0.18 2024-07-16 07:37:33 -05:00
Eric Blankenhorn
7aad09fc87 Rebase for mosquitto 2024-07-16 07:37:33 -05:00
Sean Parkinson
e002b6efd3 Merge pull request #7742 from embhorn/zd18240
Fix ParseCRL_AuthKeyIdExt setting extAuthKeyIdSet
2024-07-16 09:38:54 +10:00
Sean Parkinson
f2f3a8273d Merge pull request #7732 from kaleb-himes/NUCLEUS-FIPS-SRTP-KDF
Check-in Nucleus Plus 2.3 port work
2024-07-16 09:37:15 +10:00
Sean Parkinson
137831367d Merge pull request #7710 from anhu/preTBS_altsigalg_fix
Stop stripping out the sequence header on the AltSigAlg extension.
2024-07-16 09:35:11 +10:00
Sean Parkinson
0d8763be57 Merge pull request #7665 from anhu/lighty-debug
Don't do multithreaded logging tests if single threaded
2024-07-16 09:28:11 +10:00
Sean Parkinson
56b8ac4fa1 Merge pull request #7636 from gojimmypi/PR-ESP8266-Make-Clarification
Clarify WOLFSSL_ROOT location for ESP8266 make builds
2024-07-16 09:06:33 +10:00
David Garske
2b4acf5027 Revert built-in wc_GenerateSeed support for RX TSIP removed in #6851. 2024-07-15 10:10:38 -07:00
Daniel Pouzzner
475ec7b680 Merge pull request #7550 from bandi13/addEnableProvider
Add enable provider
2024-07-15 12:08:03 -05:00
David Garske
95f4e0618b Merge pull request #7747 from lealem47/cubepack_armasm
Adding ARM ASM build option to STM32CubePack config
2024-07-15 09:35:44 -07:00
Andras Fekete
5b1e6db9a5 Allow user to override required flags 2024-07-15 09:46:36 -04:00
Sean Parkinson
93ca213a68 Merge pull request #7736 from space88man/fix-pkcs11-slot
wolfcrypt/src/wc_pkcs11.c: iterate correctly over slotId
2024-07-15 15:52:40 +10:00
Sean Parkinson
dc86dad26b ECC key load: fixes
asn.c:
  Return the curve OID sum with alg_id for ECC keys.
ssl_load.c:
Don't permanently strip the PKCS#8 information as it contains the
curve OID.
2024-07-15 15:46:05 +10:00
Daniel Pouzzner
12ba31967c Merge pull request #7748 from bandi13/addExtraTestingTools
Need to add more dependencies to be able to run all tests
2024-07-12 18:28:42 -05:00
Lealem Amedie
206d3f47f7 Fix typo and disable crypto offload if ARM_ASM enabled 2024-07-12 15:33:37 -06:00
Lealem Amedie
8c76cab2cb Add comment for new option 2024-07-12 14:59:40 -06:00
Andras Fekete
e7c068b9aa Add fix to netcat package 2024-07-12 15:48:19 -04:00
aidan garske
82fca1c483 InitSuites changes to order making BUILD_TLS_AES_256_GCM_SHA384 be prioritized over BUILD_TLS_AES_128_GCM_SHA256 2024-07-12 12:45:45 -07:00
Andras Fekete
d21e12851a Need to add more dependencies to be able to run all tests 2024-07-12 15:31:46 -04:00
Lealem Amedie
8e2775fc89 Adding ARM ASM build option to STM32CubePack config 2024-07-12 13:14:40 -06:00
Eric Blankenhorn
d6731f0f84 Fix ParseCRL_AuthKeyIdExt setting extAuthKeyIdSet 2024-07-12 07:43:23 -05:00
Anthony Hu
f84ea01f72 Get rid of macro test 2024-07-11 21:52:52 -04:00
JacobBarthelmeh
1cf96eb72c Merge pull request #7741 from douzzer/20240714-asn-Wconversion
20240714-asn-Wconversion
2024-07-11 16:48:52 -06:00
JacobBarthelmeh
baec0ced59 Merge pull request #7731 from ColtonWilley/zephyr_tls_support
Changes needed for default TLS support in zephyr kernel
2024-07-11 16:46:43 -06:00
Sean Parkinson
e0494b5f04 Merge pull request #7738 from dgarske/pkcs11_rsakeygen
Fix to support PKCS11 without RSA key generation
2024-07-12 08:45:53 +10:00
Sean Parkinson
d6ecaaddbd Merge pull request #7740 from JacobBarthelmeh/readme
update changelog for kyber fix, thanks to Antoon Purnal
2024-07-12 08:25:49 +10:00
Colton Willey
978456e39d Remove get cipher bytes from header 2024-07-11 14:51:38 -07:00
Colton Willey
7b089f548e Remove get cipher list bytes 2024-07-11 14:39:44 -07:00
Daniel Pouzzner
76f669b1cc wolfcrypt/src/asn.c: fix -Wconversion in GetLength_ex() added in fea7a89b86. 2024-07-11 14:47:58 -05:00
JacobBarthelmeh
a26476b8b2 update changelog for kyber fix, thanks to Antoon Purnal 2024-07-11 09:01:11 -06:00
Sean Parkinson
3cc7bbea67 Merge pull request #7737 from JacobBarthelmeh/staticmemory-singlethreaded
fix for staticmemory and singlethreaded build
2024-07-11 09:57:08 +10:00
Sean Parkinson
0979fe8fea Merge pull request #7709 from JacobBarthelmeh/staticmemory
fix test case for lean static memory build
2024-07-11 09:51:35 +10:00
David Garske
41cf8c090b Fix compiler issues with unused variable and printf. 2024-07-10 16:07:43 -07:00
Anthony Hu
fe2a826ede Better guarding. 2024-07-10 18:28:22 -04:00
Anthony Hu
6456281b41 Add support for uknown certificate extensions in PKCS7 2024-07-10 16:15:45 -04:00
David Garske
28db1b19e1 Fix to support PKCS11 without RSA key generation. Fixed Pkcs11Rsa where ret failure could be ignored. 2024-07-10 11:17:02 -07:00
cwilley
db4177ae2c Merge pull request #7723 from JacobBarthelmeh/max_ext
update over max ext test certs and add them to renew script
2024-07-10 11:08:17 -07:00
Anthony Hu
e581930cb7 Extend the unknown extension callback.
This will allow the user to pass in a context pointer. Allows them to avoid
global variables.

We also add unknown extensions callback when processing a CA in cert manager
as CA certs can have unknown extensions as well.

Fixes ZD 18252
2024-07-10 13:22:19 -04:00
JacobBarthelmeh
d4741de5dc Merge pull request #7708 from dgarske/afalg_shake
Fix to not allow Shake128/256 with Xilinx AFALG
2024-07-10 10:02:04 -06:00
JacobBarthelmeh
204668778b Merge pull request #7733 from SparkiDev/coverity_3
Coverity fixes
2024-07-10 10:01:29 -06:00
David Garske
9bd0985c87 Merge pull request #7701 from JacobBarthelmeh/testing1
with FREERTOS and OPENSSL_ALL add XREMALLOC define
2024-07-10 08:58:02 -07:00
JacobBarthelmeh
2543674d9f Merge pull request #7721 from SparkiDev/dilithium_fix_3
Dilithium: fixes
2024-07-10 09:51:40 -06:00
JacobBarthelmeh
6703a58c51 fix for staticmemory and singlethreaded build 2024-07-10 09:44:10 -06:00
S-P Chan
fdd03fa909 wolfcrypt/src/wc_pkcs11.c: iterate correctly over slotId when searching for token
Addresses #7734
2024-07-10 21:01:35 +08:00
Hideki Miyazaki
a5c2290e40 Update key data and set private key for client authentification 2024-07-10 17:13:09 +09:00
Sean Parkinson
fea7a89b86 Coverity fixes
pk.c:
	EncryptDerKey - setting wrong ret value on allocation failure.
	wolfssl_rsa_generate_key_native - now checks e is a valid long
before passing in.
	Fix formatting.

ssl_load.c:
	ProcessBufferPrivPkcs8Dec - now checking password is not NULL
before zeroizing. Allocation may fail and ForceZero doesn't check for
NULL.
	Fix formatting.

tests/api.c:
	test_RsaSigFailure_cm - Check cert_sz is greater than zero
before use.
	send_new_session_ticket - assert that building the message
doesn't return error or 0.
	test_ticket_nonce_malloc - fix setting of medium and big to use
preprocessor. Fix big to be medium + 20.

asn.c:
	GetLength_ex - Fix type of bytes so that it can go negative.

sp_int.h:
	sp_clamp - add one to ii while it is a signed.
	Fix formatting.
2024-07-10 11:40:48 +10:00
kaleb-himes
c333fdf545 Check-in Nucleus Plus 2.3 port work 2024-07-09 15:53:00 -06:00
Colton Willey
4ec07bb5a8 Changes needed for default TLS support in zephyr kernel 2024-07-09 12:00:34 -07:00
Hideki Miyazaki
2d0353bcb1 updae ecc key and signed cert 2024-07-09 20:40:34 +09:00
Sean Parkinson
90836c782b Poly1305 AArch64: unique naming of asm funcs
Change function names to ensure no clash with OpenSSL.
Specifically: poly1305_blocks()
2024-07-09 11:02:10 +10:00
David Garske
00e42151ca Merge pull request #7725 from JacobBarthelmeh/release
prepare for release 5.7.2
2024-07-08 11:02:46 -07:00
JacobBarthelmeh
c8aa0fa351 remove * in changelog created from search and replace 2024-07-08 10:31:13 -06:00
JacobBarthelmeh
203f65a636 prepare for release 5.7.2 2024-07-08 09:47:46 -06:00
JacobBarthelmeh
6c0aae714f update over max ext test certs and add them to renew script 2024-07-07 23:38:29 -07:00
Sean Parkinson
d1e26b4f5d Dilithium: fixes
Fix inclusion of functions dilithium_vec_check_low() in build:
--enable-dilithium=verify-only,44,65,87
CFLAGS=-DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
Fix memory leaks in unit.test:
--enable-dilithium CFLAGS=-DWC_DILITHIUM_CACHE_MATRIX_A 'CC=clang
-fsanitize=address'
2024-07-08 15:02:43 +10:00
JacobBarthelmeh
595e71d7f4 Merge pull request #7718 from douzzer/20240705-coverity-fixes
20240705-coverity-fixes
2024-07-06 21:53:16 -06:00
Daniel Pouzzner
e35e713c4a wolfcrypt/src/asn.c: fix for copy-paste error in FillSigner() WOLFSSL_DUAL_ALG_CERTS path. 2024-07-06 10:04:26 -05:00
Daniel Pouzzner
780fd98f40 src/internal.c: in ProcessPeerCerts(), smallstack refactor of a span gated on HAVE_CERTIFICATE_STATUS_REQUEST_V2, to get DecodedCert off the stack. 2024-07-06 10:04:06 -05:00
Daniel Pouzzner
c8a9bdbe15 wolfcrypt/src/asn.c: fix for -Wconversion in FillSigner(). 2024-07-05 20:42:32 -05:00
Daniel Pouzzner
88af1a2932 fixes for Coverity #394680, #394682, #394693, #394712. 2024-07-05 20:42:32 -05:00
David Garske
d8757a51b3 Merge pull request #7717 from JacobBarthelmeh/coverity
Some additional Coverity touch ups
2024-07-05 15:49:53 -07:00
JacobBarthelmeh
fee9788bb0 fix for coverity report 394710 2024-07-05 15:40:47 -06:00
JacobBarthelmeh
b948f6797c account for negative return value, fixes coverity issue 394678 2024-07-05 15:34:28 -06:00
JacobBarthelmeh
de20bb7ba9 fix for coverity issue 394677 2024-07-05 15:13:28 -06:00
David Garske
d5016d451f Merge pull request #7714 from JacobBarthelmeh/coverity
Coverity issues reported
2024-07-05 13:49:20 -07:00
JacobBarthelmeh
7ef424b193 Merge pull request #7715 from kaleb-himes/C394706
Address coverity issue 394706
2024-07-05 14:46:54 -06:00
JacobBarthelmeh
f8eb0c3776 fix for coverity issue 394676 possible null dereference 2024-07-05 14:06:19 -06:00
kaleb-himes
f42fb587a5 Address coverity issue 394706 2024-07-05 13:54:23 -06:00
JacobBarthelmeh
d4cf93c2cf avoid overflow if clamping a digit with used size 0 2024-07-05 13:17:53 -06:00
JacobBarthelmeh
c880fcf822 add check on padSz return, coverity issue 394711 2024-07-05 12:07:42 -06:00
JacobBarthelmeh
25d52dde3f fix coverity issue 367842 possible null dereference 2024-07-05 11:56:45 -06:00
JacobBarthelmeh
50a7243486 fix for coverity issue 394670 possible overflow 2024-07-05 11:53:19 -06:00
JacobBarthelmeh
fbdb064a4b coverity issue 394701 possible derefernce before null check 2024-07-05 11:24:42 -06:00
JacobBarthelmeh
ac52660d5b Merge pull request #7713 from SparkiDev/dilithium_sign_small_alloc
Dilithium: add implementation of signing that allocated less
2024-07-05 10:38:19 -06:00
JacobBarthelmeh
8946e3fb4b Merge pull request #7702 from rizlik/ocspv2
ocsp stapling improvements
2024-07-05 10:29:25 -06:00
Marco Oliverio
053170613a fixup! csrv2multi: pending ca list 2024-07-05 15:26:41 +00:00
JacobBarthelmeh
5ca9b2f8a4 Merge pull request #7712 from SparkiDev/kyber_ml_kem
KYBER/ML-KEM: make ML-KEM available
2024-07-05 09:15:08 -06:00
David Garske
4ae277d21e Fixes for building RX TSIP with e2Studio project. Fixed tsip_Tls13GenEccKeyPair incorrect free of key if TSIP not used (ZD18222). 2024-07-05 07:44:00 -07:00
Sean Parkinson
44a5e1a398 Dilithium: add implementation of signing that allocated less
Added implementation of signing that allocates less memory by doing the
matrix/vector loops in the sign code - WOLFSSL_DILITHIUM_SIGN_SMALL_MEM.
Split out vector operations into vector and polynomial operations so
that small mem signing can call them.
Fix benchmark to be able to compile with only Dilithium and no
asymmetric algorithms.
2024-07-05 16:20:06 +10:00
JacobBarthelmeh
e6fbe25398 Merge pull request #7711 from SparkiDev/dilithium_kats
Dilithium: Add KATs and fix key generation
2024-07-04 19:40:08 -06:00
David Garske
f91d0a2925 Remove hash type check not required for ECDSA deterministic k. Fix _HMAC_K devId. 2024-07-04 14:49:20 -07:00
Sean Parkinson
1fd9f2af91 KYBER/ML-KEM: make ML-KEM available
Added ML-KEM instead of Kyber implementation with WOLFSSL_ML_KEM.
Tests added from NIST for ML-KEM operations.
2024-07-04 23:51:23 +10:00
Sean Parkinson
387f36657c Dilithium: Add KATs and fix key generation
Add KATs from NIST and fix key generation to produce output of KATs.
2024-07-04 22:22:11 +10:00
Marco Oliverio
3e58cfd864 fixup! ocsp: improvements 2024-07-04 10:21:20 +02:00
Marco Oliverio
fe932b893c fixup! csrv2multi: pending ca list 2024-07-04 10:21:20 +02:00
Anthony Hu
4c13834500 Don't do multithreaded logging tests if single threaded 2024-07-03 19:31:21 -04:00
JacobBarthelmeh
1c23d2222c Merge pull request #7693 from philljj/zd18204
Fixes ZD 18204: check hashsigalgo matches ssl suites.
2024-07-03 17:12:43 -06:00
Anthony Hu
f5e27bfb0c Stop stripping out the sequence header on the AltSigAlg extension. 2024-07-03 19:02:04 -04:00
David Garske
4335dac794 Add wc_ecc_set_deterministic_ex to support custom hash type for deterministic sign or verify. 2024-07-03 15:13:29 -07:00
David Garske
4004e6886f Fix the FIPS Shake logic. 2024-07-03 10:39:51 -07:00
JacobBarthelmeh
a8780d4a80 fix test case for lean static memory build 2024-07-03 11:25:05 -06:00
jordan
f7f3ba9c76 check hashsigalgo matches ssl suites on client side. 2024-07-03 11:59:18 -05:00
David Garske
d3316b72d3 Fix to not allow Shake128/256 with Xilinx AFALG. Cleanup the Shake disable logic to allow forcing off with WOLFSSL_NO_SHAKE128 and WOLFSSL_NO_SHAKE256. 2024-07-03 09:49:52 -07:00
JacobBarthelmeh
955490e90a use max key length for PSK encrypt buffer size 2024-07-03 10:17:01 -06:00
Andras Fekete
7cc42d446e Update the true minimum ECC key size default
The discrepancy shows up when trying to compile with FIPS
2024-07-03 11:50:04 -04:00
JacobBarthelmeh
ba1eedb46b Merge pull request #7697 from SparkiDev/arm32_ldrd_strd_fix
ARM32 SHA-3 ASM: fix ldrd/strd for ARMv6
2024-07-02 17:18:06 -06:00
JacobBarthelmeh
d7b0aa92cb Merge pull request #7694 from SparkiDev/sp_x64_asm_fix_3
SP Intel x64 ASM: fix get_from_table ASM
2024-07-02 17:13:49 -06:00
JacobBarthelmeh
6409b68b21 Merge pull request #7698 from dgarske/asan_compat_list
Fix ASAN warning with compatibility layer cipher list parsing
2024-07-02 17:12:38 -06:00
JacobBarthelmeh
4ff0af79c7 Merge pull request #7705 from aidangarske/SHA3-cryptocb
Sha3.c wc_Sha3Update and  wc_Sha3Final Hash Type Change
2024-07-02 17:11:01 -06:00
JacobBarthelmeh
a490d4fdf7 Merge pull request #7628 from SparkiDev/alert_after_ch
TLS: wrong TLS version in alert after ClientHello
2024-07-02 17:10:24 -06:00
JacobBarthelmeh
5aca239714 Merge pull request #7692 from gasbytes/sni-csharp-wrapper-patch
Sni csharp wrapper patch
2024-07-02 16:49:31 -06:00
Andras Fekete
e340e41db3 Add --enable-wolfprovider 2024-07-02 15:57:53 -04:00
Andras Fekete
43b62c8ccf Make sure the ECC_MIN_SZ is set even when set to default 2024-07-02 15:57:53 -04:00
aidan garske
804f25d76b Sha3.c wc_Sha3Update and wc_Sha3Final changes so that hash type is determined in the processing functions. 2024-07-02 10:32:57 -07:00
aidan garske
c065e4a854 Added PKCS7 PEM support: "-----BEGIN PKCS7-----" and "-----END PKCS7-----" 2024-07-02 07:58:01 -07:00
Marco Oliverio
9222cb1304 ocsp: improvements 2024-07-02 09:51:34 +02:00
Marco Oliverio
b5206e8504 csrv2multi: pending ca list 2024-07-02 09:51:34 +02:00
Sean Parkinson
c82081591a Default session ticket enc/dec: allow AES-CBC with HMAC
Add option to use AES-CBC with HMAC for default session ticket enc/dec.
Defaults to AES-128-CBC with HMAC-SHA256.
Options include:
  WOLFSSL_TICKET_ENC_HMAC_SHA512 for HMAC-SHA512
  WOLFSSL_TICKET_ENC_HMAC_SHA384 for HMAC-SHA384
  WOLFSSL_TICKET_ENC_AES256_CBC for AES-256-CBC
2024-07-02 11:34:03 +10:00
Juliusz Sosinowicz
7814e4c264 DoCertificateStatus: Clean up logic in WOLFSSL_CSR2_OCSP_MULTI 2024-07-02 01:29:44 +02:00
Juliusz Sosinowicz
dabfad9f6c Fix ocsp stapling test 2 2024-07-02 01:29:44 +02:00
David Garske
7ad0248558 Fix for RX TSIP ECDSA Verify hash padding/truncation. Fix to set ECDSA crypto callback "res" on success. 2024-07-01 13:43:26 -07:00
JacobBarthelmeh
32066373c2 Merge pull request #7695 from dgarske/compat_realloc
Fixes for building the compatibility layer with no realloc
2024-07-01 11:37:52 -06:00
David Garske
9ec29e9ad9 Reduced duplicate code in deterministic test. 2024-07-01 10:35:03 -07:00
David Garske
ac7f44b0dc Fix the async tests for deterministic sign. The _ex versions cannot be called again. Fix possible leak with async and deterministic sign. 2024-07-01 10:13:28 -07:00
JacobBarthelmeh
bbf3bb4bf4 Merge pull request #7699 from SparkiDev/regression_fixes_13
Regression testing: fix compilation for unusual configs
2024-07-01 11:02:46 -06:00
JacobBarthelmeh
72aa6ad178 with FREERTOS and OPENSSL_ALL add XREMALLOC define 2024-07-01 11:00:47 -06:00
aidan garske
c07e7f1e58 Fixed async test for test.c deterministic K. 2024-07-01 09:51:07 -07:00
aidan garske
b5b0e17587 ecc.c and test.c changes to add support in ecc_sign_determinsitic.c for SHA256, SHA384, and SHA512 for SECP256R1, SECP384R1, SECP521R1. 2024-07-01 08:43:32 -07:00
Sean Parkinson
1e3f623ff3 Regression testing: fix compilation for unusual configs
Disable ECC but have OPENSSL_EXTRA and curve25519 - fix #ifdef
protection in ssl.c.

tests/api.c:
SSL_SESSION_get_max_fragment_length is not available when no session
cache.
ASN1 APIs using generalized time disabled when NO_ASN_TIME defined so
disable tests.
2024-07-01 21:52:56 +10:00
Sean Parkinson
45442db047 ARM32 SHA-3 ASM: fix ldrd/strd for ARMv6
LDRD/STRD not available with ARMv6 and the alternative is two ldr/str
operations. Pointer was 64-bits causing second ldr/str to be 8 bytes
passed first and not 4 bytes. Fixed in asm to add 4 rather than index.
2024-07-01 15:23:53 +10:00
jordan
7dfef18cf4 Refactor unneeded PickHashSigAlgo_ex function. 2024-06-28 18:32:13 -05:00
JacobBarthelmeh
98a5a4c201 Merge pull request #7660 from julek-wolfssl/zd/18188
wolfSSL_get_SSL_CTX: Make parameter const
2024-06-28 16:40:06 -06:00
David Garske
7faf0dccc7 Fix for ASAN warning with compatibility layer lists in ParseCipherList and CheckcipherList (ZD 18175). Add test case for ASAN to trigger NULL + 1 warning. Cleanup messy WOLFSSL_TIRTOS in api.c. 2024-06-28 15:26:40 -07:00
David Garske
2fd7a2e4ae Fix for test.c memcb_test and missing XREALLOC. 2024-06-28 15:25:01 -07:00
JacobBarthelmeh
80d4f71eb9 Merge pull request #7683 from SparkiDev/def_ticket_cb_inlen
SSL default ticket encryption callback: check in len on decrypt
2024-06-28 16:04:58 -06:00
JacobBarthelmeh
4913289ce5 Merge pull request #7696 from SparkiDev/dilithium_fix_2
Dilithium: fixes
2024-06-28 16:00:05 -06:00
Sean Parkinson
864a9d0598 Dilithium: fixes
TLS uses DER API now and needs to be protected with the right #ifdefs.
Do the right check of size in wc_Dilithium_PrivateKeyDecode().
Don't require public key when doing private DER.
2024-06-28 10:55:16 +10:00
David Garske
2a86ca43f8 Fixes for building the compatibility layer with WOLFSSL_NO_REALLOC. Tested using ./configure --enable-opensslextra CFLAGS="-DWOLFSSL_NO_REALLOC".
Improve benchmark FreeRTOS default tick rate logic. For example Xilinx FreeRTOS uses 10ms tick (not default 1ms), so include `configTICK_RATE_HZ` in calculation if available.
Fix test.c warning around too many parens with no realloc.
2024-06-27 16:02:28 -07:00
Sean Parkinson
4dc52484f6 SP Intel x64 ASM: fix get_from_table ASM
Use movdqu instead of vmovdqu so that function works on SSE2 only CPUs.
2024-06-28 07:42:56 +10:00
JacobBarthelmeh
85552d0fc8 Merge pull request #7662 from julek-wolfssl/enable-WOLFSSL_RSA_KEY_CHECK
Enable WOLFSSL_RSA_KEY_CHECK with OPENSSLALL
2024-06-27 09:49:00 -06:00
jordan
107cc82a06 Fixes ZD 18204: check hashsigalgo matches ssl suites. 2024-06-27 10:45:02 -05:00
JacobBarthelmeh
c047e55b92 Merge pull request #7687 from douzzer/20240626-EvictSessionFromCache-ticketNonce-data-leak
20240626-EvictSessionFromCache-ticketNonce-data-leak
2024-06-27 09:41:42 -06:00
gasbytes
91cad98d67 1023 <- 1024, changed buffer to textmate 2024-06-27 17:35:43 +02:00
JacobBarthelmeh
5420c1a081 Merge pull request #7689 from douzzer/20240626-linuxkm-cp-no-clobber
20240626-linuxkm-cp-no-clobber
2024-06-27 09:32:24 -06:00
JacobBarthelmeh
7691bb6a2a Merge pull request #7690 from SparkiDev/regression_fixes_12
Regression testing: memory allocation failure
2024-06-27 09:32:00 -06:00
gasbytes
97adb4be6e fixed wolfSSL_SNI_GetFromBuffer 2024-06-27 17:03:05 +02:00
Juliusz Sosinowicz
f66e5a52bd wolfSSL_get_SSL_CTX: Make parameter const 2024-06-27 15:48:46 +02:00
gasbytes
6dd43caae9 wolfSSL_SNI_GetRequest working, fixing up wolfSSL_SNI_GetFromBuffer 2024-06-27 15:05:02 +02:00
Sean Parkinson
4d56cc1790 Regression testing: memory allocation failure
Fixes from memory allocation failure testing.
Also:
fix asn.c to have ifdef protection around code compiled in with dual
algorithm certificates.
  fix test_tls13_rpk_handshake() to support no TLS 1.2 or no TLS 1.3.
fix wc_xmss_sigsleft() to initialize the index to avoid compilation
error.
2024-06-27 17:17:53 +10:00
David Garske
73a1938e89 Added Renesas RX TSIP ECDSA Verify Crypto callback. 2024-06-26 17:39:29 -07:00
Daniel Pouzzner
ae0d40b119 linuxkm/Makefile: use old/deprecated cp --no-clobber rather than newfangled cp --update=none in libwolfssl.ko recipe, for compatibility with older cp (pre-coreutils-9.3 of 2023-04-18). note that coreutils-9.5 restores the behavior of --no-clobber pre-9.2, whereby skips of existing files are non-errors. 2024-06-26 17:58:29 -05:00
Daniel Pouzzner
4d43dbf83b src/ssl_sess.c: in EvictSessionFromCache(), free session->ticketNonce.data if it was dynamically allocated. fixes memory leak via wolfSSL_Cleanup(). 2024-06-26 14:15:42 -05:00
Daniel Pouzzner
474b8a0673 Merge pull request #7682 from SparkiDev/dilithium_fix_1
Dilithium: fix public and private key decode
2024-06-26 00:03:03 -04:00
Takashi Kojo
3d7583e743 Merge pull request #7684 from kojo1/pk-fix
Fix in pk.c
2024-06-26 11:33:38 +09:00
David Garske
e81e18859b Support for Renesas RX TSIP with ECDSA and Crypto Callbacks.
Fix building ECC with NO_ASN (`./configure --enable-cryptonly --disable-rsa --disable-asn --disable-examples`).
2024-06-25 17:43:16 -07:00
Takashi Kojo
72b6074b93 Fixes in pk.c 2024-06-26 08:47:41 +09:00
Sean Parkinson
6d0dc7f2e7 SSL default ticket encryption callback: check in len on decrypt
Make sure that the length of the data to decrypt is correct for the
default ticket encryption implementation.
2024-06-26 08:21:17 +10:00
JacobBarthelmeh
22abd37408 Merge pull request #7681 from SparkiDev/kyber_improv_1
Kyber: Improve performance
2024-06-25 15:25:51 -06:00
JacobBarthelmeh
38335f4947 Merge pull request #7678 from bandi13/fixReturnType
ret will be set to 1 (WOLFSSL_SUCCESS), the rest checks for 'ret == 0'
2024-06-25 10:53:03 -06:00
JacobBarthelmeh
263eb6c60f Merge pull request #7666 from SparkiDev/sp_x64_asm_fix_2
SP Intel x64 ASM: fixes
2024-06-25 10:18:31 -06:00
JacobBarthelmeh
f466453d61 Merge pull request #7680 from philljj/fix_infer_issues
Fix Infer issues.
2024-06-25 09:42:49 -06:00
Sean Parkinson
8bba660f9c Dilithium: fix public and private key decode
Fixes to decoding to prevent accessing NULL key.
2024-06-25 19:37:11 +10:00
Sean Parkinson
aa61f98955 Kyber: Improve performance
Unroll loops and use larger types.
Allow benchmark to run each kyber parameter separately.
Allow benchmark to have -ml-dsa specified which runs all parameters.
Fix thumb2 ASM C code to not have duplicate includes and ifdef checks.
Fix thumb2 ASM C code to include error-crypt.h to ensure no empty
translation unit.
Check for WOLFSSL_SHA3 before including Thumb2 SHA-3 assembly code.
2024-06-25 18:53:53 +10:00
jordan
394948ce94 Fix Infer issues. 2024-06-24 20:44:33 -05:00
David Garske
7b029d3447 Fixes for building WOLFSSL_RENESAS_TSIP_CRYPTONLY and NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH. 2024-06-24 16:26:27 -07:00
Sean Parkinson
5793f626ac Merge pull request #7677 from Laboratory-for-Safe-and-Secure-Systems/mldsa_fixes
Fixes for WolfSSL ML-DSA implementation
2024-06-25 09:12:25 +10:00
Juliusz Sosinowicz
b7394274ae Enable WOLFSSL_RSA_KEY_CHECK with OPENSSLALL 2024-06-24 22:15:04 +02:00
David Garske
be68ba4850 Merge pull request #7676 from SparkiDev/dilithium_opt_1
Dilithium: C code optimized
2024-06-24 12:09:29 -07:00
Andras Fekete
773451a5dc ret will be set to 1 (WOLFSSL_SUCCESS), the rest checks for 'ret == 0'
Need to use another type of return code
2024-06-24 12:11:57 -04:00
Tobias Frauenschläger
7cd610bc45 Fixes for WolfSSL ML-DSA implementation
* Update OIDs etc. to match OQS ML-DSA values (old ones were Dilithium
  Round 3 values)
* Make sure private key files/buffers containing both the private and
  the public key are parsed correctly

Signed-off-by: Tobias Frauenschläger
<tobias.frauenschlaeger@oth-regensburg.de>
2024-06-24 15:00:44 +02:00
Sean Parkinson
0900e00ee7 Merge pull request #7650 from kaleb-himes/SRTP-KDF-CODEREVIEWr2
Add sanity for case id'd in optesting review
2024-06-24 17:04:13 +10:00
Sean Parkinson
75475ae624 Merge pull request #7633 from JacobBarthelmeh/netos
use WOLFSSL_NETOS_STACK_SZ for stack size when creating tx thread
2024-06-24 16:44:47 +10:00
Sean Parkinson
f1b1483c63 Merge pull request #7669 from JacobBarthelmeh/x509_dn
sanity check for empty directory strings
2024-06-24 16:44:03 +10:00
Sean Parkinson
a094831e1a Dilithium: C code optimized
Changes to get best out of 32-bit ARM chips.
Fixes come compile errors when cutting out functions.
WOLFSSL_DILITHIUM_SIGN_CHECK_Y and WOLFSSL_DILITHIUM_SIGN_CHECK_W0 added
to speed up signing. No longer specification conformat when either used.
2024-06-24 16:37:43 +10:00
David Garske
2312cb4563 Merge pull request #7667 from SparkiDev/sha3_thumb2_arm32_asm
SHA-3 Thumb2, ARM32 ASM: Add assembly implemention
2024-06-23 20:16:32 -07:00
David Garske
59c7abf635 Merge pull request #7675 from douzzer/20240622-SHA3-CRYPTO_CB
20240622-SHA3-CRYPTO_CB
2024-06-22 18:21:30 -07:00
Daniel Pouzzner
b4e15d028c WOLF_CRYPTO_CB && WOLFSSL_SHA3: add FIPS gating to wc_CryptoCb_Sha3Hash() and test routine myCryptoDevCb(). 2024-06-22 11:20:53 -05:00
JacobBarthelmeh
0cf5421e5a Merge pull request #7673 from douzzer/20240621-fix-oqs_dilithium_make_key-leak
20240621-fix-oqs_dilithium_make_key-leak
2024-06-21 15:37:24 -06:00
JacobBarthelmeh
7405ea8162 Merge pull request #7671 from miyazakh/dtls_ocsp
Fix ocsp response message build for DTLS
2024-06-21 14:43:29 -06:00
JacobBarthelmeh
c9d83babe0 Merge pull request #7363 from kaleb-himes/WinCE-supporting-work
Manually check-in pre-operational-testing changes for WinCE port effort
2024-06-21 14:02:48 -06:00
kaleb-himes
23f796c0b4 Cleanup excess line 2024-06-21 15:55:08 -04:00
kaleb-himes
871dc9c19b Implement peer review feedback 2024-06-21 15:54:04 -04:00
kaleb-himes
a1645d684a 448 streaming base on ENABLED flag and below FIPS section 2024-06-21 15:54:04 -04:00
kaleb-himes
f00e5247bb Add sanity for case id'd in optesting review 2024-06-21 15:54:04 -04:00
JacobBarthelmeh
e72db4a306 Merge pull request #7612 from dgarske/rsa_pad
Improvements to RSA padding to expose Pad/Unpad API's
2024-06-21 13:19:28 -06:00
JacobBarthelmeh
aea32e37a9 Merge pull request #7140 from kaleb-himes/140-3-ARMv8-PAA-porting
XCODE support for v5.2.3 of the FIPS module
2024-06-21 13:14:54 -06:00
Daniel Pouzzner
25b72497d8 wolfcrypt/src/dilithium.c: add missing OQS_SIG_free() in oqs_dilithium_make_key() (liboqs wrapper). 2024-06-21 14:04:32 -05:00
JacobBarthelmeh
0303a828ec Merge pull request #7670 from aidangarske/CryptocbSHA3
Added crypto callback for SHA3.
2024-06-21 11:28:01 -06:00
kaleb-himes
3eda3436d1 Peer review, great catch! Thanks @JacobBarthelmeh 2024-06-21 10:44:24 -06:00
kaleb-himes
610af43d03 XCODE support for v5.2.3 of the FIPS module 2024-06-21 10:36:57 -06:00
kaleb-himes
94e031e905 Manually check-in pre-operational-testing changes for WinCE port effort 2024-06-21 09:52:57 -06:00
Sean Parkinson
8734f1251d SHA-3 Thumb2, ARM32 ASM: Add assembly implemention
Add SHA-3 assembly implementation for Thumb2 and ARM32.
2024-06-21 14:38:51 +10:00
Hideki Miyazaki
ac5b81edd1 fix unit test 2024-06-21 13:22:00 +09:00
Hideki Miyazaki
30eb558d58 fix ocsp response when using DTLS 2024-06-21 09:57:59 +09:00
aidan garske
e8c3a7dfce fix for wolfcrypt/src/sha3.c (void)type 2024-06-20 15:03:51 -07:00
aidan garske
1ef9a8fe7c Added crypto callback for SHA3 and extended the test.c tests for it in cryptocb_test. 2024-06-20 14:15:28 -07:00
JacobBarthelmeh
8ee01ebaf2 sanity check for empty directory strings 2024-06-20 13:42:31 -06:00
JacobBarthelmeh
63f666a599 Merge pull request #7659 from embhorn/zd18179
Fixes in ASN1 and X509
2024-06-20 13:10:40 -06:00
David Garske
d545253df7 Merge pull request #7594 from JacobBarthelmeh/socat
Updating socat version support
2024-06-20 09:17:41 -07:00
Sean Parkinson
118d2cc8cc Merge pull request #7664 from anhu/derLenType
Der --> Len. Copy paste typo.
2024-06-20 08:53:00 +10:00
Sean Parkinson
75d06cd6f3 SP Intel x64 ASM: fixes
Don't use RIP relative with XMM/YMM instructions.
For MSVC asm, explicitly state type for pointer.
For MSVC asm, don't use vmodvqu for saving XMM registers unless this is
AVX2 code.
2024-06-20 08:33:05 +10:00
Anthony Hu
32ca92bd97 Der --> Len. Copy paste typo. 2024-06-19 17:25:54 -04:00
Daniel Pouzzner
38c7327660 Merge pull request #7622 from SparkiDev/ml-dsa
Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87
2024-06-19 13:32:35 -04:00
Sean Parkinson
3e3a00dafd Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87
Impemented FIPS 204 (Draft) Module-Lattice-Based Signature Standard.
Implementation include making a key, signing and verification.
Make key API added.
Updated liboqs calls to use ML-DSA implementation instead of Dilithium.
2024-06-19 21:27:01 +10:00
JacobBarthelmeh
24291b4147 Merge pull request #7600 from SparkiDev/wc_ecc_mulmod_zero_z1
ECC: when multiplying by zero, set z to 1
2024-06-18 16:36:35 -06:00
JacobBarthelmeh
2b0d724a4d Merge pull request #7658 from douzzer/20240618-linuxkm-4.14.336LTS
20240618-linuxkm-4.14.336LTS
2024-06-18 16:31:37 -06:00
David Garske
71be6524f7 Merge pull request #7649 from SparkiDev/cortexm_label_fix
Cortex-M inline assembly: labels with unique number appended
2024-06-18 15:31:13 -07:00
Sean Parkinson
6f4aa54f5b Merge pull request #7655 from JacobBarthelmeh/vcpkg
add no stub and ex data cmake options
2024-06-19 07:45:31 +10:00
JacobBarthelmeh
9175355c81 set LD_LIBRARY_PATH for socat test
work around hang from test 373 to 374

add setting SHELL env for socat test

remove some tests for exec sniffing and sorted address options failing with actions but not locally
2024-06-18 14:46:09 -06:00
Eric Blankenhorn
d4a90e8a71 Fix wolfSSL_ASN1_TIME_to_generalizedtime with UTC time 2024-06-18 15:08:01 -05:00
Eric Blankenhorn
5efa82a239 Check for null sig in wolfSSL_X509_CRL_get_signature 2024-06-18 14:47:01 -05:00
Eric Blankenhorn
95cd9c81c8 Add attr to get_dn_attr_by_nid 2024-06-18 14:41:58 -05:00
Daniel Pouzzner
f6f83a20ed linuxkm/linuxkm_wc_port.h: add a suppression needed for targeting LTS kernel version 4.14.336. 2024-06-18 14:39:44 -05:00
JacobBarthelmeh
684fef2429 add no stub and ex data cmake options 2024-06-18 10:20:18 -06:00
JacobBarthelmeh
eef20ceb51 Merge pull request #7654 from SparkiDev/kyber_c_ntt_invntt_fast
Kyber: Improve performance of C implementation
2024-06-18 09:38:25 -06:00
JacobBarthelmeh
0cd3bd7ad3 Merge pull request #7653 from SparkiDev/sm2_offical_tv
SM2: change to official test vector
2024-06-18 09:33:05 -06:00
Sean Parkinson
1eea3720e3 Merge pull request #7647 from douzzer/20240614-WOLFSSL_MSG-code-points
20240614-WOLFSSL_MSG-code-points
2024-06-18 18:37:35 +10:00
Sean Parkinson
f863513f37 Kyber: Improve performance of C implementation
Add larger faster implementations of NTT and inverse NTT.
Allow smaller but still fast implementations to be used as well.
2024-06-18 18:09:33 +10:00
Daniel Pouzzner
187dbd9974 wolfcrypt/src/logging.c: address peer review for PR #7647. 2024-06-17 23:37:13 -05:00
Sean Parkinson
c91d306531 Merge pull request #7646 from kojo1/i2d-ecdsa
alloc a buffer for NULL pointer
2024-06-18 11:47:44 +10:00
Sean Parkinson
fbd69f9b48 ECC: when multiplying by zero, set z to 1
Make sure zero times a point is infinity but z is 1 as it is assumed
later on.
2024-06-18 11:30:57 +10:00
Takashi Kojo
2f379ed322 alloc a buff for NULL pointer 2024-06-18 09:41:11 +09:00
Sean Parkinson
8d77df15ef SM2: change to official test vector
Change create digest to official test vector.
2024-06-18 10:40:47 +10:00
Sean Parkinson
a141041d13 Merge pull request #7652 from douzzer/20240617-fix-wc_Sha256-overalignment
20240617-fix-wc_Sha256-overalignment
2024-06-18 10:39:15 +10:00
Daniel Pouzzner
87114faa94 Revert "compatibility for EVP_CipherUpdate with AES-GCM"
This reverts commit b7a28cc704.

WOLFSSL_AESGCM_STREAM needs to be conditional as arranged by configure.ac.
2024-06-17 19:04:19 -05:00
Daniel Pouzzner
f3c93a7b57 wolfssl/wolfcrypt/sha256.h: in definition of struct wc_Sha256, conditionalize alignment optimization of digest and buffer slots on defined(WC_64BIT_CPU), to avoid overalignment warnings on 32 bit targets. this also fixes overalignment of struct Hmac. 2024-06-17 19:03:38 -05:00
Sean Parkinson
7018f464ee Merge pull request #4718 from kojo1/oss-compat
compatibility for EVP_CipherUpdate with AES-GCM
2024-06-18 08:48:36 +10:00
Sean Parkinson
8aaf5670f4 Cortex-M inline assembly: labels with unique number appended
When functions are inlined, the labels need to be unique.
Putting '%=' on the end of the label ensures that the compilers appends
a unique number to the end.
2024-06-17 17:47:40 +10:00
Daniel Pouzzner
2c69e4a56b add --debug-code-points and WOLFSSL_DEBUG_CODEPOINTS,
add file_name and line_number args to wolfssl_log(),

and inside WOLFSSL_DEBUG_CODEPOINTS gates,

add WOLFSSL_MSG_EX2(), WOLFSSL_MSG2(), WOLFSSL_ENTER2(), and WOLFSSL_LEAVE2(), each with file and line args,

and add wrapper macros for WOLFSSL_MSG, WOLFSSL_MSG_EX, WOLFSSL_ENTER, and WOLFSSL_LEAVE, that pass in file and line.
2024-06-15 00:54:39 -05:00
Daniel Pouzzner
5df57207ac Merge pull request #7642 from julek-wolfssl/sasl-action
Add sasl action
2024-06-14 19:21:48 -04:00
Daniel Pouzzner
38089f11cd Merge pull request #7643 from julek-wolfssl/net-snmp-action
Add net-snmp action
2024-06-14 19:20:50 -04:00
Juliusz Sosinowicz
a4ee5af1ed Add sasl action 2024-06-14 12:43:53 +02:00
Daniel Pouzzner
a120b83dac Merge pull request #7585 from kaleb-himes/SRTP-KDF-CODEREVIEW
Add FIPS required forward declaration of streaming struct
2024-06-14 00:53:39 -04:00
JacobBarthelmeh
512b468dbb explicit socat path with test 2024-06-13 13:15:31 -06:00
JacobBarthelmeh
98d2ca1d42 fix updated socat yml file 2024-06-13 13:01:57 -06:00
JacobBarthelmeh
3d70fb1d50 adjust test yml file 2024-06-13 12:51:51 -06:00
Daniel Pouzzner
385a097646 Merge pull request #7638 from gasbytes/patch
added check if the buf is at least RECORD_HEADER_SZ
2024-06-13 14:27:40 -04:00
Juliusz Sosinowicz
fce14ffddb Add net-snmp action 2024-06-13 17:41:15 +02:00
gasbytes
88527a3d6e word32 -> sword32 2024-06-13 13:44:50 +02:00
kaleb-himes
8ca8827b58 Isolate forward declaration of Gmac 2024-06-12 18:16:33 -04:00
kaleb-himes
20911f254b ECC, DH, GCM, GMAC, CCM and AES updated services 2024-06-12 18:16:33 -04:00
kaleb-himes
ae9291f4d3 Add FIPS required forward declaration of streaming struct 2024-06-12 18:16:33 -04:00
Daniel Pouzzner
897d55f060 Merge pull request #7630 from julek-wolfssl/libvncserver-action
Add libvncserver action
2024-06-12 17:08:28 -04:00
Daniel Pouzzner
d2f4cc9e28 Merge pull request #7616 from embhorn/zd17762
Static analysis fixes
2024-06-12 17:07:02 -04:00
Daniel Pouzzner
b0d0a1afe8 Merge pull request #7639 from bandi13/fixLibOQS
liboqs depends on pthreads now
2024-06-12 14:52:50 -04:00
Andras Fekete
372f57e528 Address PR suggestions 2024-06-12 14:22:10 -04:00
Andras Fekete
211742bfe0 liboqs depends on pthreads now 2024-06-12 13:45:57 -04:00
Kaleb Himes
9f9a82e469 Merge pull request #7637 from lealem47/armasm_fips
Force inline ASM for armv7 with FIPS
2024-06-12 07:53:37 -06:00
gojimmypi
20e0e12185 Exclude autogen binaries from ESP8266 client example makefile 2024-06-12 09:51:10 +02:00
gasbytes
845e2f752c added check if the buf is at least RECORD_HEADER_SZ
when adding the record headers through quic
2024-06-11 22:10:18 +02:00
Lealem Amedie
b7d32d0609 Force inline ASM for armv7 with FIPS 2024-06-11 13:32:46 -06:00
gojimmypi
891b986fd4 Clarify WOLFSSL_ROOT location for ESP8266 make builds 2024-06-11 18:13:24 +02:00
Sean Parkinson
d49308e64a Merge pull request #7634 from douzzer/20240608-WOLFSSL_DEBUG_TRACE_ERROR_CODES
20240608-WOLFSSL_DEBUG_TRACE_ERROR_CODES
2024-06-11 21:25:22 +10:00
Daniel Pouzzner
ac459e3cec Merge pull request #7631 from dgarske/cmake_singlethreaded
Fix for CMake single threaded
2024-06-10 19:29:10 -04:00
JacobBarthelmeh
30dbf7c047 add socat yml CI test 2024-06-10 16:56:54 -06:00
Daniel Pouzzner
202b0a15b4 Merge pull request #7629 from julek-wolfssl/test_wrong_cs_downgrade-clamp
test_wrong_cs_downgrade: clamp error to exact value
2024-06-10 18:26:54 -04:00
JacobBarthelmeh
b9e5c0252d remove extra asign and use ExpectIntEQ test directly 2024-06-10 16:19:27 -06:00
Daniel Pouzzner
1b907d05ed WOLFSSL_DEBUG_TRACE_ERROR_CODES: restore several initializations, one because needed (in wolfSSL_UseSecureRenegotiation()), the rest in an abundance of caution, and rearrange wolfSSL_CryptHwMutexInit() and wolfSSL_CryptHwMutexUnLock() in a similar abundance of caution. 2024-06-10 13:44:03 -05:00
Daniel Pouzzner
b3e8f0ad24 add --enable-debug-trace-errcodes, WOLFSSL_DEBUG_TRACE_ERROR_CODES, WC_ERR_TRACE(), WC_NO_ERR_TRACE(), support/gen-debug-trace-error-codes.sh. also add numerous deployments of WC_NO_ERR_TRACE() to inhibit frivolous/misleading errcode traces when -DWOLFSSL_DEBUG_TRACE_ERROR_CODES. 2024-06-08 16:39:53 -05:00
JacobBarthelmeh
1753d524d7 use WOLFSSL_NETOS_STACK_SZ for stack size when creating tx thread 2024-06-07 14:30:26 -06:00
JacobBarthelmeh
f7bc78cad0 Merge pull request #7602 from night1rider/Parsing-bug
Send BUFFER_ERROR if size does not meet minimum Requirements
2024-06-07 13:54:03 -06:00
night1rider
ebca3376ef Send BUFFER_ERROR if size does not meet minimum reqs for the extension 2024-06-07 10:26:30 -06:00
David Garske
e960a00650 Merge pull request #7625 from JacobBarthelmeh/x509
sanity check on non conforming serial number of 0
2024-06-07 08:33:38 -07:00
David Garske
fda8b4f64f Fix for CMake single threaded. https://github.com/wolfSSL/wolfssl/issues/7609#issuecomment-2154327463 2024-06-07 06:59:59 -07:00
Juliusz Sosinowicz
6a29dfc6fb Add libvncserver action
Depends on https://github.com/wolfSSL/osp/pull/176
2024-06-07 12:40:48 +02:00
Juliusz Sosinowicz
8c47e8d6f2 test_wrong_cs_downgrade: clamp error to exact value 2024-06-07 11:33:38 +02:00
Sean Parkinson
d7d8d14e95 TLS: wrong TLS version in alert after ClientHello
Ignore protocol version being less than expected when received directly
after ClientHello.
Protocol version negotiation hasn't taken place and a lower version can
be sent to cover minimum supported protocol version.
2024-06-07 10:42:12 +10:00
Sean Parkinson
1c51465584 Merge pull request #7627 from douzzer/20240606-clang-tidy-and-mingw-fixes
20240606-clang-tidy-and-mingw-fixes
2024-06-07 10:08:55 +10:00
JacobBarthelmeh
d09f955e6c Merge pull request #7626 from lealem47/parseServerHello
Improved fix for TLS1.3 to TLS1.2 client downgrade
2024-06-06 17:16:30 -06:00
Sean Parkinson
c82230324e Merge pull request #7546 from oltolm/cmake
cmake: fix generation of options.h
2024-06-07 08:51:12 +10:00
JacobBarthelmeh
3d33c78e9d use unsigned char instead of uint8_t 2024-06-06 16:30:40 -06:00
JacobBarthelmeh
467b3cb561 add parsing 0 serial numbers for certs with python 2024-06-06 16:24:48 -06:00
Daniel Pouzzner
ac5cabaac9 fixes for USE_WINDOWS_API && !NO_FILESYSTEM && !NO_WOLFSSL_DIR:
* in wc_port.h, add XWRITE and XREAD definitions and include <io.h>;
* in wolfSSL_BIO_read(), implement Windows support for XREAD and XWRITE;
* in wolfSSL_BIO_write_filename(), add 'b' flag to XFOPEN flags;
* in wolfSSL_RAND_file_name(), add support for XALTHOMEVARNAME, and add Windows definition for it to wc_port.h alongside XWRITE and XREAD.

fixes test_wolfSSL_BIO, test_wolfSSL_X509_print, test_wolfSSL_RAND, test_wolfSSL_RSA_print in cross-mingw-all-crypto scenario.
2024-06-06 17:14:12 -05:00
Lealem Amedie
5a1ac2742c Reviewer feedback 2024-06-06 16:08:39 -06:00
Daniel Pouzzner
71db561c96 wolfcrypt/src/port/riscv/riscv-64-aes.c: fix trailing whitespace. 2024-06-06 16:25:50 -05:00
Daniel Pouzzner
ef925b8b30 wolfcrypt/src/wc_kyber_poly.c: fix bugprone-macro-parentheses for FROM_MSG_BIT. 2024-06-06 16:21:32 -05:00
JacobBarthelmeh
68f52cb49a add test case 2024-06-06 15:06:15 -06:00
Lealem Amedie
3de358ef06 Ensure extensions are only parsed once 2024-06-06 14:10:56 -06:00
Daniel Pouzzner
d80f05bf77 Merge pull request #7624 from gasbytes/stack-on-calcdx
update CalcDX with small-stack support
2024-06-06 16:05:56 -04:00
Lealem Amedie
7cc0ac14c4 Adding test case 2024-06-06 13:24:07 -06:00
JacobBarthelmeh
690d8f7f89 sanity check on non conforming serial number of 0 2024-06-06 13:22:57 -06:00
Lealem Amedie
f3061359d8 Improved fix for TLS1.3 to TLS1.2 client downgrade 2024-06-06 12:22:50 -06:00
David Garske
60ccaf379d Remove uses of stdint in api.c. 2024-06-06 10:57:46 -07:00
JacobBarthelmeh
29df90197e Merge pull request #7623 from bandi13/FixOpenSSLTest
Sometimes the first call hangs because the server is not completely up
2024-06-06 09:11:36 -06:00
David Garske
b69482ffac Merge pull request #7569 from SparkiDev/riscv_aes_asm
AES RISC-V 64-bit ASM: ECB/CBC/CTR/GCM/CCM
2024-06-06 08:11:31 -07:00
JacobBarthelmeh
7ce9ebde15 Merge pull request #7618 from julek-wolfssl/jwt-cpp
Fixes for jwt-cpp
2024-06-06 08:57:46 -06:00
Andras Fekete
fbb2737c2a Sometimes the first call hangs because the server is not completely up 2024-06-06 10:38:11 -04:00
Sean Parkinson
acd604db3d AES RISC-V 64-bit ASM: ECB/CBC/CTR/GCM/CCM
Add implementations of AES for ECB/CBC/CTR/GCM/CCM for RISC-V using
assembly.
Assembly with standard/scalar cryptography/vector cryptographt
instructions.
2024-06-06 13:16:00 +10:00
David Garske
5132a17fab Merge pull request #7613 from SparkiDev/kyber_fixes_2
Kyber: fix kyber_from_msg()
2024-06-05 17:28:39 -07:00
Sean Parkinson
b7d0c257e6 Merge pull request #7621 from douzzer/20240605-rename-fe_x25519_128
20240605-rename-fe_x25519_128
2024-06-06 09:41:52 +10:00
Sean Parkinson
162dffb463 Merge pull request #7619 from lealem47/zd18074
Fix for TLS1.3 to 1.2 downgrade
2024-06-06 09:39:32 +10:00
David Garske
1f75d0e1d7 Merge pull request #7620 from anhu/doc_wolfSSL_is_init_finished
Quick fixup in API doc for wolfSSL_is_init_finished()
2024-06-05 15:43:40 -07:00
Daniel Pouzzner
92bbd651b6 rename wolfcrypt/src/fe_x25519_128.i to wolfcrypt/src/fe_x25519_128.h to avoid appearance as a cleanable intermediate. 2024-06-05 16:56:03 -05:00
Anthony Hu
0de974c3a7 Quick fixup in API doc for wolfSSL_is_init_finished() 2024-06-05 16:40:06 -04:00
Lealem Amedie
d20ac2ce42 Fix for TLS1.3 to 1.2 downgrade 2024-06-05 11:26:10 -06:00
Chris Conlon
70d317ec79 Merge pull request #7571 from rlm2002/internship
Test case for wc_HpkeGenerateKeyPair() NULL argument
2024-06-05 10:57:19 -06:00
gasbytes
589353f346 update CalcDX with small-stack support 2024-06-05 18:53:34 +02:00
JacobBarthelmeh
18526152fe Merge pull request #7610 from gasbytes/sni-wrappers
CSharp Wrapper SNI Support
2024-06-05 10:27:42 -06:00
JacobBarthelmeh
8d63fb5fe5 Merge pull request #7590 from julek-wolfssl/expose-alerts
Allow user to send a user_canceled alert
2024-06-05 10:08:21 -06:00
JacobBarthelmeh
592a4522e1 Merge pull request #7615 from jackctj117/ssl-static-memory
Added Static Buffer Allocation API
2024-06-05 09:56:06 -06:00
gasbytes
453e2fadc1 dh2048Pem -> dhparam 2024-06-05 17:45:34 +02:00
David Garske
f3b61487e5 Merge pull request #7617 from julek-wolfssl/ipmitool
Add ipmitool action
2024-06-05 08:39:54 -07:00
Juliusz Sosinowicz
b3e795c4a5 Add jwt-cpp action 2024-06-05 15:06:12 +02:00
Juliusz Sosinowicz
72243300bf HMAC: fix signature 2024-06-05 13:43:57 +02:00
Juliusz Sosinowicz
ea02fea3ef opensslv: include version.h for libwolfssl hex symbol 2024-06-05 13:43:57 +02:00
gasbytes
2ab709c89a - Platform specific function to correctly set the path for the certificates;
- Updated all the examples with it;
2024-06-05 13:28:30 +02:00
gasbytes
6cb97a7262 fixed windows build path problem 2024-06-04 23:12:16 +02:00
gasbytes
f231c7be03 updated the README & haveSNI function 2024-06-04 23:08:56 +02:00
JacobBarthelmeh
119d2a5da1 do session conversion dance 2024-06-04 14:41:01 -06:00
Eric Blankenhorn
55837fa254 Static analysis fixes 2024-06-04 12:37:46 -05:00
gasbytes
70fc5c97fb made the workflow to compile & executes easier, updated the readme also 2024-06-04 19:13:51 +02:00
Jack Tjaden
7adf0fde8c Added Static Buffer Allocation API 2024-06-04 10:30:21 -06:00
gasbytes
983610ed68 - Applied David's patch to get access to the missing sni callback (arg)
- removed tlsext callback (since it's a compatibility one)
- updated testing examples and wrapper
2024-06-04 18:26:01 +02:00
gasbytes
5d0b7e0d18 updated readme & sni function 2024-06-04 17:54:21 +02:00
David Garske
0397d90713 Merge pull request #7614 from julek-wolfssl/pam-ipmi-tests
Fix pam-ipmi test
2024-06-04 08:20:27 -07:00
Juliusz Sosinowicz
ede8cde8a7 dtls: Increment sequence number in SendAlert 2024-06-04 17:13:04 +02:00
Juliusz Sosinowicz
e428c2833b Allow user to send a user_canceled alert 2024-06-04 17:13:04 +02:00
Juliusz Sosinowicz
2c644eb38a Add ipmitool action 2024-06-04 16:44:59 +02:00
Juliusz Sosinowicz
04430f55ca Fix pam-ipmi test 2024-06-04 16:09:35 +02:00
Sean Parkinson
df44face56 Kyber: fix kyber_from_msg()
New compilers with specific optimization levels will produce
non-constant time code for kyber_from_msg().
Add in an optimization blocker that stops the compiler from assuming
anything about the value to be ANDed with KYBER_Q_1_HALF.
2024-06-04 22:20:22 +10:00
David Garske
eb8f26926d Move the options.h.in template for cmake into new location. Added note about adding new options. 2024-06-03 15:38:36 -07:00
John Safranek
514fdfcd43 Merge pull request #7591 from dgarske/wolfssh_template
Template for wolfSSH minimal build using user_settings.h
2024-06-03 15:34:17 -07:00
David Garske
78b056c1b0 Merge pull request #7611 from lealem47/gh7609
cmake: Define SINGLE_THREADED macro when option enabled
2024-06-03 15:28:16 -07:00
David Garske
8763b127d9 Add CI test for the new user_settings_wolfssh.h. 2024-06-03 14:27:07 -07:00
gasbytes
b2e7707f18 removed sniHostName no longer used 2024-06-03 21:33:55 +02:00
gasbytes
c04c7685b1 added callback example: setting sni cb & arg server side, and passing the name client side via -S flag 2024-06-03 21:24:54 +02:00
David Garske
305a754de3 Improvements to RSA padding. Expose API's to support external pad/unpad. 2024-06-03 12:23:31 -07:00
David Garske
d07d4fb8ac Update support for wolfSSH with RSA_LOW_MEM. 2024-06-03 12:08:37 -07:00
David Garske
1f684e62d6 Merge pull request #7604 from ColtonWilley/explicit_len_pattern_match
Rewrite pattern matching to use explicit length
2024-06-03 12:04:12 -07:00
gasbytes
c325de993d removed WOLFSSL_SNI_HOST_NAME_OUTER && minor fix (missing sniHostName got lost during editing) 2024-06-03 20:05:00 +02:00
Lealem Amedie
a2e26fb36e cmake: define SINGLE_THREADED macro when option enabled 2024-06-03 12:01:50 -06:00
David Garske
b4910c4615 wolfSSH size optimizations. Disable RSA OAEP, enable SHA-1 with DH. Do not need SHA2-384/512. 2024-06-03 09:34:53 -07:00
David Garske
cfbadc8b07 Fixes for wolfSSH user_settings.h template. Add low resource option. 2024-06-03 09:34:53 -07:00
David Garske
3d374239a1 Template for wolfSSH minimal build using user_settings.h. ZD 17991. 2024-06-03 09:34:52 -07:00
David Garske
43f4ba91da Merge pull request #7608 from ejohnstown/rsa-add
Import Raw RSA Private Key
2024-06-03 09:33:38 -07:00
Colton Willey
0c0069331b Use same types for i and chklen, bring all lines under 80 chars 2024-06-03 09:25:41 -07:00
David Garske
4140a05fe4 Merge pull request #7592 from julek-wolfssl/pam-ipmi-tests
Add pam-ipmi action
2024-06-03 09:12:22 -07:00
John Safranek
e8e6eaeb4d Import Raw Rsa Key
1. Add API for importing an RSA private key, `wc_RsaPrivateKeyDecodeRaw()`,
   when all you have are the components of the key in raw arrays. Also
   recalculates dP and dQ if missing.
2. Add API test for `wc_RsaPrivateKeyDecodeRaw()`.
2024-06-03 09:03:29 -07:00
Juliusz Sosinowicz
b1146becfd Add pam-ipmi action 2024-06-03 14:13:06 +02:00
gasbytes
6f567b58bc completed the examples 2024-06-02 00:01:51 +02:00
gasbytes
15ac366bf9 added missing wrappers for sni setup & frees 2024-06-01 17:46:17 +02:00
David Garske
3975af88cf Merge pull request #7191 from kojo1/ecpoint-h2p
Add EC_POINT_hex2point
2024-06-01 07:13:31 -07:00
Takashi Kojo
bc2b184c98 Add EC_POINT_hex2point: zd #17090 2024-06-01 13:45:35 +09:00
David Garske
26284e2e5d Merge pull request #7607 from gojimmypi/PR-fix-7606
Fix for #7606: ESP_LOGI typo in esp32_sha.c
2024-05-31 17:59:08 -07:00
JacobBarthelmeh
533aa48b14 adjust macro guards around get max fragment 2024-05-31 16:52:31 -06:00
JacobBarthelmeh
2445fe844a rework get max fragment length 2024-05-31 16:45:50 -06:00
gojimmypi
4d2ce1131a Fix for #7606: ESP_LOGI typo 2024-05-31 15:33:46 -07:00
JacobBarthelmeh
2caee1c7c5 add support for spaces around '=' with x509 name print 2024-05-31 15:04:01 -06:00
JacobBarthelmeh
ff7626419e add some simple test cases 2024-05-31 15:02:58 -06:00
JacobBarthelmeh
01a1685159 updating socat support to version 1.8.0.0 2024-05-31 15:02:58 -06:00
David Garske
5657d88ddb Merge pull request #7605 from douzzer/20240531-linuxkm-6v10-updates
20240531-linuxkm-6v10-updates
2024-05-31 11:41:27 -07:00
Daniel Pouzzner
d3a6b71f5f linuxkm/Makefile: copy link tree of wolfcrypt/ as a whole, rather than just wolfcrypt/src/ and wolfcrypt/test/, to pull in wolfcrypt/benchmark/. 2024-05-31 13:11:52 -05:00
JacobBarthelmeh
40562a0cb3 Merge pull request #7599 from dgarske/asn_checkcertsig
Expose `wc_CheckCertSigPubKey` with `WOLFSSL_SMALL_CERT_VERIFY`
2024-05-31 09:20:35 -06:00
David Garske
0789ecb808 Fix the CheckCertSignature API mess. 2024-05-31 06:58:35 -07:00
Colton Willey
447f73c25e Merge branch 'master' of github.com:ColtonWilley/wolfssl into explicit_len_pattern_match 2024-05-30 20:12:16 -07:00
Sean Parkinson
4b77d4caa1 Merge pull request #7589 from rizlik/sp800_56c
wolfcrypt: support NIST 800-56C Option 1 KDF
2024-05-31 11:55:12 +10:00
Sean Parkinson
fc8a509b06 Merge pull request #7597 from ColtonWilley/max_altnames_and_name_constraints
Max limits on number of alternative names and name constraints
2024-05-31 11:24:30 +10:00
Colton Willey
f646cbcecb Address review comments, fix handling of . in name matching and add more tests for . handling 2024-05-30 18:03:38 -07:00
David Garske
7fadd4ed9f Merge pull request #7595 from JacobBarthelmeh/static
Pull in some staticmemory features
2024-05-30 16:31:54 -07:00
David Garske
bb57c1de94 Merge pull request #7603 from lealem47/detect_cut
Fix cut detection in configure.ac
2024-05-30 15:42:55 -07:00
Colton Willey
af3828b2b7 Rewrite pattern matching to always use explicit lengths instead of expecting NULL terminated strings, thus replicating the behavior of openssl X509_check_host() 2024-05-30 15:33:17 -07:00
Lealem Amedie
ecef3c214c Fix cut detection in configure.ac 2024-05-30 16:09:04 -06:00
JacobBarthelmeh
ebdc8b9a32 rename of macros, add descriptions, minor fixes 2024-05-30 14:48:52 -06:00
Colton Willey
1310c97a22 Add new certs to include.am 2024-05-30 12:45:46 -07:00
David Garske
66a5d8cc8a Merge pull request #7601 from douzzer/20240529-linuxkm-6v10-updates
20240529-linuxkm-6v10-updates
2024-05-30 11:49:11 -07:00
David Garske
107c10d795 Merge pull request #7596 from JacobBarthelmeh/decl
make function signature match declaration
2024-05-30 10:59:04 -07:00
David Garske
61fea768b3 Merge pull request #7598 from JacobBarthelmeh/x509
fix typo with NO_CERTS macro
2024-05-30 09:59:37 -07:00
Daniel Pouzzner
41cbbfe3ab linuxkm: updates for kernel 6.10: use new _noprof names for newly macro-shimmed kmalloc, krealloc, kzmalloc, kvmalloc_node, and kmalloc_trace, and refactor linuxkm/Makefile and linuxkm/Kbuild to set up links to sources in the dest tree (works around breakage from linux commit 9a0ebe5011). 2024-05-30 11:21:42 -05:00
JacobBarthelmeh
34ca03770f still compile in wc_RsaKeyToDer with keygen but NO_CERTS 2024-05-30 09:58:25 -06:00
gasbytes
52f1caf699 minor changes to the prototypes and actual implementation 2024-05-30 16:44:34 +02:00
gasbytes
095609107d prototypes 2024-05-30 16:14:17 +02:00
gasbytes
23bfb01e54 environment setup, updated the README 2024-05-30 15:41:01 +02:00
Marco Oliverio
174456437e wolcrypt: NIST_SP_800_56C address reviewer's comments 2024-05-30 11:39:49 +02:00
Colton Willey
f13a82610c Add flag guard for IGNORE_NAME_CONSTRAINTS 2024-05-29 22:41:36 -07:00
Colton Willey
a17677c946 Remove trailing whitespace 2024-05-29 21:29:55 -07:00
Colton Willey
473de5796c Free ctx before return 2024-05-29 20:52:09 -07:00
Colton Willey
284dea43fe Unify max name testing to use cert files for both cases. 2024-05-29 19:00:15 -07:00
Colton Willey
e620b47e1a Add configuration file for generating cert with too many name constraints 2024-05-29 18:23:13 -07:00
Colton Willey
a4544ce2eb Updates to address review comments 2024-05-29 17:54:52 -07:00
Colton Willey
af537a6ae3 Move definition to beginning of block 2024-05-29 17:02:29 -07:00
David Garske
3e9f656ac3 Merge pull request #7580 from kareem-wolfssl/zd17975
Fix missing stdio.h include on Freescale MQX.  Use sprintf as snprintf is not available on MQX.
2024-05-29 16:55:34 -07:00
David Garske
0b7f293691 Expose wc_CheckCertSigPubKey with WOLFSSL_SMALL_CERT_VERIFY. 2024-05-29 16:32:31 -07:00
JacobBarthelmeh
cf61df129c fix typo with NO_CERTS macro 2024-05-29 17:08:01 -06:00
JacobBarthelmeh
9673b3f218 make function signature match declaration 2024-05-29 17:00:22 -06:00
Colton Willey
b00ae2ac69 Initial implementation of max limits on number of alternative names and name constraints 2024-05-29 15:55:17 -07:00
JacobBarthelmeh
511c403631 account for yes/no options 2024-05-29 15:59:51 -06:00
JacobBarthelmeh
6cca3a0d92 tie in static memory debug callback 2024-05-29 15:50:14 -06:00
JacobBarthelmeh
288fe430f5 tying in lean staticmemory build with --enable-staticmemory=small 2024-05-29 15:50:11 -06:00
JacobBarthelmeh
18d80864b9 add lean static memory build 2024-05-29 15:44:09 -06:00
Marco Oliverio
8d41e68d1f fix: minor typos 2024-05-28 22:59:01 +02:00
Marco Oliverio
5306a85465 wolfcrypt: support NIST 800-56C Option 1 KDF 2024-05-28 14:40:52 +02:00
David Garske
200f309e0e Merge pull request #7587 from douzzer/20240524-pq-clang-tidy
20240524-pq-clang-tidy
2024-05-24 16:40:11 -07:00
Anthony Hu
021b573027 Merge pull request #7581 from dgarske/embos_emnet
Fixes for Segger emNet to handle non-blocking want read/want write
2024-05-24 17:31:16 -04:00
Daniel Pouzzner
8de00d7651 fix benign clang-analyzer-deadcode.DeadStores in pq crypto files introduced in 9a58301ab1. 2024-05-24 14:24:02 -05:00
Kareem
911f21ed36 Fix missing stdio.h include and XSNPRINTF definition on Freescale MQX. 2024-05-24 11:54:23 -07:00
Juliusz Sosinowicz
a5154b22f1 Merge pull request #7583 from gasbytes/patch-segv
separating two x509_store xmalloc checks
2024-05-24 19:58:29 +02:00
gasbytes
063e48014a fix tabs and spaces 2024-05-24 17:52:54 +02:00
David Garske
9b058ec3a2 Fixes for EMNET with non-blocking to handle want read/want write. ZD 18012 2024-05-24 07:42:18 -07:00
David Garske
3b5517692e Merge pull request #7582 from aidangarske/hpke_test_fix
Revert change from PR #7570
2024-05-24 07:35:39 -07:00
David Garske
51f19f42c6 Merge pull request #7574 from douzzer/20240522-quantum-safe-linuxkm
20240522-quantum-safe-linuxkm
2024-05-24 07:35:01 -07:00
David Garske
76e7d8627f Merge pull request #7584 from Frauschi/zephyr_fix
Zephyr fix for XSTRNCASECMP
2024-05-24 07:32:53 -07:00
Tobias Frauenschläger
30eb26bd79 Zephyr fix for XSTRNCASECMP
The macro missed the third argument for wc_strncasecmp().

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-05-24 11:49:58 +02:00
gasbytes
3f96d14b32 80 characters limit fix 2024-05-24 00:12:38 +02:00
gasbytes
12a5cb45fb separating two x509_store xmalloc checks 2024-05-23 23:04:00 +02:00
Ruby Martin
078fb66b29 Negative tests for all NULL arguments 2024-05-23 14:16:17 -06:00
Ruby Martin
b8838dca44 Tests all NULL argument cases 2024-05-23 13:36:48 -06:00
aidan garske
3670bfb9ae Revert change from PR #7570 2024-05-23 12:34:59 -07:00
Tobias Frauenschläger
d28dd602e5 Various fixes for dual algorithm certificates (#7577)
This commit adds varios fixes for the implementation of hybrid
certificates with two algorithms:
* Support for Certificate Signing Requests (both creating hybrid ones
  and also verifying ones)
* Fix for SAN fields in the DecodedCert and PreTBS generation
* Fix related to WOLFSSL_SMALL_STACK

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-05-23 15:03:55 -04:00
Anthony Hu
b98e4e0093 Merge pull request #7576 from Frauschi/pqc_private_key_fix
Fix PQC and hybrid certificate regressions
2024-05-23 15:03:16 -04:00
Chris Conlon
e05dbd531e Merge pull request #7570 from jackctj117/test
Code Coverage for hpke.c test case HAVE_CURVE448 using test.c
2024-05-23 11:49:37 -06:00
Chris Conlon
688ae60cd9 Merge pull request #7573 from aidangarske/hpke_sha512_test
Add test for HPKE for Curve448
2024-05-23 11:46:30 -06:00
David Garske
ff6e6848de Merge pull request #7578 from Frauschi/stm32h5_aes
Add support for STM32H5 AES hardware acceleration
2024-05-23 10:38:44 -07:00
David Garske
40db521f8b Merge pull request #7575 from josepho0918/cmac
Simplify CMAC verification logic
2024-05-23 10:37:57 -07:00
Tobias Frauenschläger
9a58301ab1 Fix PQC and hybrid certificate regressions
Due to recent changes in the logic to decode private keys and to parse
the TLS1.3 CertificateVerify message, some regressions regarding PQC
private keys and hybrid certificates have been introduced:
* Decoding PQC private keys fails as the PKCS8 header of a decoded DER
  file is now already removed before parsing the key.
* The key size wasn't properly stored in the context for PQC keys after
  decoding a certificate (always the maximum size)
* The two 16-bit size values in case of a hybrid signature in the
  CertificateVerify message have been incorrectly decoded as 32-bit
  values instead of 16-bit values. This resulted in wrong values,
  leading to segmentation faults.

All three regressions are fixed with the changes in this commit.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-05-23 16:01:28 +02:00
Sean Parkinson
023f604213 Merge pull request #7572 from douzzer/20240522-sha256-avx1-IS_INTEL_SHA
20240522-sha256-avx1-IS_INTEL_SHA
2024-05-23 22:37:54 +10:00
Tobias Frauenschläger
82642c1ee1 Add support for STM32H5 AES hardware acceleration
Tested with STM32H573i discovery board.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-05-23 12:22:11 +02:00
Joseph Chen
8a7e3ba52e Simplify CMAC verification logic 2024-05-23 15:12:10 +08:00
Daniel Pouzzner
5c497c62e7 initial linuxkm compatibility (no asm yet) for wc_kyber, wc_xmss, and wc_lms, and smallstack refactors for kyber512_kat(), kyber768_kat(), kyber1024_kat(), and kyber_test(). 2024-05-23 00:15:32 -05:00
Ruby Martin
f2492da6a4 include negative test comment and BAD_FUNC_ARG 2024-05-22 16:20:20 -06:00
Jack Tjaden
14068fb7f3 Removed returns & check next case for ret 2024-05-22 15:58:09 -06:00
Ruby Martin
159981f442 include negative test comment and BAD_FUNC_ARG 2024-05-22 15:23:38 -06:00
Daniel Pouzzner
110f4ec737 wolfcrypt/src/sha256.c: in WC_NO_INTERNAL_FUNCTION_POINTERS code path (linuxkm), fix oversight whereby Transform_Sha256_AVX1_Sha() was used on targets with false IS_INTEL_SHA(intel_flags). the former SHA256_AVX1 method id is now split into SHA256_AVX1_SHA and SHA256_AVX1_NOSHA, with corresponding fixes in Sha256_SetTransform(), inline_XTRANSFORM() and inline_XTRANSFORM_LEN(). 2024-05-22 15:39:46 -05:00
David Garske
24f581fe13 Merge pull request #7557 from cconlon/jniSessionCerts
Update --enable-jni to define SESSION_CERTS for wolfJSSE
2024-05-22 13:08:00 -07:00
aidan garske
fe5cc9589b Add HPKE Curve448 test case, however HPKE does not support 448 yet, so expect bad function argument return code. 2024-05-22 12:49:56 -07:00
Jack Tjaden
1a000ef94c single_test and BAD_FUNC_ARG fix 2024-05-22 13:13:56 -06:00
Jack Tjaden
52b6c361f9 test.c code coverage test hpke.c 2024-05-22 11:51:44 -06:00
David Garske
cb0048dbb1 Merge pull request #7567 from embhorn/gh7564
Fix doc for wolfSSL_CTX_EnableOCSP
2024-05-22 08:46:20 -07:00
David Garske
425dd1986b Merge pull request #7568 from lealem47/fips_pkcallback
Fix building FIPS v5 with PK callbacks
2024-05-22 08:45:58 -07:00
Ruby Martin
fe9882769e Test case for wc_HpkeGenerateKeyPair() NULL argument 2024-05-22 09:13:31 -06:00
Sean Parkinson
32c5acca22 Merge pull request #7566 from douzzer/20240521-fix-overshifts
20240521-fix-overshifts
2024-05-22 07:42:49 +10:00
Eric Blankenhorn
314afc9e10 Fix doc for wolfSSL_CTX_EnableOCSP 2024-05-21 16:12:23 -05:00
Lealem Amedie
ba5cc9bdaf Fix building FIPS v5 with PK callbacks 2024-05-21 15:07:32 -06:00
Daniel Pouzzner
c5ce984966 wolfcrypt/src/wc_xmss_impl.c:wc_xmssmt_sign_next_idx(): use (XmssIdx)1, not (word32)1, for a shift-by-height operand;
src/ssl.c:set_curves_list(): don't attempt to enable curves that are out-of-range for word32 disabled.
2024-05-21 13:57:40 -05:00
David Garske
caaa9feb64 Merge pull request #7551 from gojimmypi/PR-DSA-SHA1
Add settings.h check: DSA needs SHA1
2024-05-21 08:47:10 -07:00
David Garske
603b5d1795 Merge pull request #7563 from josepho0918/mqx_v5
Always use old I/O for MQXv5
2024-05-21 08:19:15 -07:00
Sean Parkinson
87b71c429a Merge pull request #7562 from gojimmypi/PR-ssl_load-correction
Correct warning message file name in ssl_load.c
2024-05-21 22:14:24 +10:00
Joseph Chen
ed321cd640 Always use old I/O for MQXv5 2024-05-21 10:00:40 +08:00
gojimmypi
543a746ddc Add settings check to disable DSA when SHA-1 is disabled 2024-05-20 17:58:25 -07:00
gojimmypi
84032fa24c Correct error message file name in ssl_load.c 2024-05-20 17:20:39 -07:00
Sean Parkinson
43b2c80862 Merge pull request #7552 from dgarske/ecies_own_salt
Add option for using a custom salt for ourselves
2024-05-21 09:19:12 +10:00
Sean Parkinson
095906f37a Merge pull request #7561 from kaleb-himes/SRTP-KDF-MAINTENANCE
Address periodic CAST failures observed in unit.test by pre-empting CASTs
2024-05-21 09:16:23 +10:00
David Garske
7d4e601902 Merge pull request #6623 from bigbrett/FIPS-TLS-benchmark-CAST-fix
Fix benchmark failure on FIPS builds
2024-05-20 14:07:59 -07:00
kaleb-himes
a22956d881 Address periodic CAST failures observed in unit.test by pre-empting the CASTs 2024-05-20 16:35:50 -04:00
Brett Nicholas
c6db51b8a0 fixed formatting 2024-05-20 12:47:30 -06:00
David Garske
fc172e9abd Merge pull request #7559 from gojimmypi/PR-PlatformIO-FreeRTOS
Update PlatformIO README and Examples
2024-05-20 09:36:23 -07:00
David Garske
0987bf4c1a Merge pull request #7544 from josepho0918/iar
Expand supported attributes for IAR
2024-05-20 09:34:55 -07:00
David Garske
5a0594d257 Match wc_ecc_ctx_set_kdf_salt argument names between header and implementation. 2024-05-20 08:38:23 -07:00
Sean Parkinson
b8aec63e14 Merge pull request #7560 from douzzer/20240518-XtsAesStreamData
20240518-XtsAesStreamData
2024-05-20 08:33:41 +10:00
Daniel Pouzzner
d0e73783f1 wolfcrypt/src/aes.c and wolfssl/wolfcrypt/aes.h: add FIPS_AES_XTS_MAX_BYTES_PER_TWEAK and struct XtsAesStreamData, with improved error checking on streaming AES-XTS APIs;
wolfcrypt/test/test.c and linuxkm/lkcapi_glue.c: update AES-XTS streaming calls to use struct XtsAesStreamData;

linuxkm/lkcapi_glue.c: add handling for CONFIG_CRYPTO_MANAGER*.
2024-05-18 22:00:00 -05:00
Daniel Pouzzner
5c6218696b wolfcrypt/src/misc.c: fix -Wconversions in CopyString();
src/ssl.c: fix missing semicolon in wolfSSL_CTX_check_private_key().
2024-05-18 02:31:58 -05:00
gojimmypi
22af731dd9 Update PlatformIO README and Examples 2024-05-17 16:47:07 -07:00
Chris Conlon
8f1029f86d Update --enable-jni to define SESSION_CERTS for wolfJSSE 2024-05-17 15:08:37 -06:00
David Garske
2d5e8402e8 Merge pull request #7553 from JacobBarthelmeh/coexist
error out if conflicting OPENSSL compat macros are defined
2024-05-17 12:56:59 -07:00
David Garske
15af87af8f Merge pull request #7555 from lealem47/forceSHA3
Force SHA3 on with FIPS V5
2024-05-17 12:30:20 -07:00
David Garske
16b39e8374 Merge pull request #7556 from gasbytes/patch
u_int16_t -> uint16_t
2024-05-17 12:29:54 -07:00
David Garske
391431c7d8 Merge pull request #7539 from bandi13/fixConversionPart2
Fix conversion part2
2024-05-17 12:29:46 -07:00
Lealem Amedie
54bf7fd5d9 Force SHA3 on with FIPS V5 2024-05-17 11:03:18 -06:00
gasbytes
a40dcd3cb3 u_int16_t -> uint16_t 2024-05-17 18:44:15 +02:00
JacobBarthelmeh
568ec43213 error out if conflicting OPENSSL compat macros are defined 2024-05-17 09:24:38 -06:00
David Garske
95095f5bc4 Add option for using a custom salt for ourselves. ZD 17988 2024-05-17 08:16:04 -07:00
Brett Nicholas
e823da99ae declare loop variable at top of function body 2024-05-17 07:08:32 -07:00
Brett Nicholas
9fa838881c fixed bug where tls_bench failed KATs for FIPS builds in a multithreaded environment 2024-05-17 07:08:32 -07:00
David Garske
7782f8eed2 Merge pull request #7528 from gojimmypi/PR-PlatformIO-FreeRTOS
Introduce IDE/PlatformIO; add wolfSSL Benchmark and Test Examples
2024-05-17 06:42:47 -07:00
Sean Parkinson
c0015cbda6 Merge pull request #7549 from douzzer/20240516-wc_AesXtsEnDecryptFinal
20240516-wc_AesXtsEnDecryptFinal
2024-05-17 09:43:26 +10:00
David Garske
219a338107 Merge pull request #7547 from philljj/spelling_cleanup
Used codespell and fixed some obvious typos.
2024-05-16 14:10:19 -07:00
David Garske
b866bf6b3d Merge pull request #7548 from julek-wolfssl/grpc
Point grpc.yml to the wolfssl repo
2024-05-16 14:09:57 -07:00
Daniel Pouzzner
6d0f611ab5 AES-XTS: add wc_AesXtsEncryptFinal() and wc_AesXtsDecryptFinal() for API consistency, and add error-checking (block alignment check) to wc_AesXtsEncryptUpdate() and wc_AesXtsDecryptUpdate(). 2024-05-16 15:20:37 -05:00
David Garske
a8dd736b1e Merge pull request #7158 from JacobBarthelmeh/psk
warning fix for small PSK build
2024-05-16 12:57:08 -07:00
Juliusz Sosinowicz
e4f20aff8b Point grpc.yml to the wolfssl repo 2024-05-16 21:32:04 +02:00
jordan
040e0c956a Used codespell and fixed obvious typos. 2024-05-16 13:53:26 -05:00
David Garske
dd55542949 Merge pull request #7541 from kaleb-himes/wolfEntropy-first-checkin
Add a recipe for wolfEntropy checkout
2024-05-16 11:51:46 -07:00
David Garske
0aa8e2eee7 Merge pull request #7445 from julek-wolfssl/grpc
Add grpc support
2024-05-16 11:41:54 -07:00
gojimmypi
439d81e0c9 Add PlatformIO license headers 2024-05-16 10:50:02 -07:00
gojimmypi
74c0d9b9f6 Update example/configs list, sort order. 2024-05-16 10:48:14 -07:00
oltolm
f744043db1 change the way "wolfssl/options.h.in" is generated 2024-05-16 18:55:27 +02:00
oltolm
5f46809988 fix compilation of tests with GCC 2024-05-16 18:55:27 +02:00
Juliusz Sosinowicz
76aba42bfa Fix api signature 2024-05-16 18:20:53 +02:00
Juliusz Sosinowicz
c07f73b1c7 Fix typo 2024-05-16 18:20:53 +02:00
Juliusz Sosinowicz
12b9367598 test_wolfSSL_check_domain: doesn't work with WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY 2024-05-16 18:20:53 +02:00
Juliusz Sosinowicz
d9a236ba1e SSL_get_error does not return x509 errors 2024-05-16 18:20:53 +02:00
Juliusz Sosinowicz
fcb5c362f9 Add grpc testing 2024-05-16 18:20:53 +02:00
Juliusz Sosinowicz
d9f7629296 Add grpc support
- Fix BIO_BIO type
  - Set retry flags correctly
- Add CRL callback
- Copy the alt names instead of trying to share a pointer
- Allow calling wolfSSL_get_servername on client side (to get the requested name)
- Return the chain in wolfSSL_X509_STORE_CTX_get_chain in the correct order
  - Peer first, top CA last
- Fix leak in RebuildFullName
- Add CopyString helper function
- Implement
  - X509_CRL_dup
  - ASN1_UTCTIME_set
  - X509_STORE_CTX_get0_param
  - X509_STORE_get0_param
  - X509_STORE_set_verify_cb
  - X509_STORE_set_get_crl
  - X509_set1_notAfter
  - X509_set1_notBefore
2024-05-16 18:20:53 +02:00
JacobBarthelmeh
79595a3602 account for sp math which defines NO_BIG_INT but still allows mp_int types 2024-05-16 09:48:56 -06:00
JacobBarthelmeh
712ff0a58d Merge pull request #7537 from dgarske/cleanups_20240515
Various typo and copy/paste cleanups
2024-05-16 09:38:38 -06:00
JacobBarthelmeh
21204244c5 Merge pull request #7394 from embhorn/zd17779
Add null check to wolfSSL_Free
2024-05-16 09:31:37 -06:00
David Garske
55ea3301b2 Merge pull request #7542 from gojimmypi/PR-Espressif-PlatformIO-semphr
Fix PlatformIO freertos semphr.h include
2024-05-16 08:28:12 -07:00
Daniel Pouzzner
fe7f92c2f1 Merge pull request #7545 from bandi13/reenableOpenVPNmasterTest
Reenable failing external project test
2024-05-16 11:26:04 -04:00
Andras Fekete
c0e372005b Reenable failing external project test 2024-05-16 09:26:01 -04:00
Joseph Chen
931ca9524a warn_used_result and unused __attribute__ on IAR 2024-05-16 14:53:31 +08:00
gojimmypi
7f1af2feb3 Fix PlatformIO freertos semphr.h include 2024-05-15 18:24:00 -07:00
gojimmypi
503bbbec8f Update PlatformIO wolfssl/wolfssl@^5.7.0-rev.3c 2024-05-15 17:13:03 -07:00
David Garske
db38351919 Merge pull request #7470 from kaleb-himes/SRTP-KDF-OPTEST
Srtp kdf optest
2024-05-15 16:33:26 -07:00
Sean Parkinson
ca47d492d4 Merge pull request #7218 from anhu/gcmccm
Fixup places where it should be CCM instead of GCM.
2024-05-16 09:24:43 +10:00
Sean Parkinson
abd1e367a5 Merge pull request #7420 from anhu/cmp_name_case
When comparing subject names, do not worry about case.
2024-05-16 09:10:56 +10:00
David Garske
1d1800a3bd Merge pull request #7380 from oltolm/yesno
make "yes;no" cmake options boolean instead of string
2024-05-15 15:18:42 -07:00
gojimmypi
51f814e6b7 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into PR-PlatformIO-FreeRTOS 2024-05-15 14:47:29 -07:00
Anthony Hu
1e2fb8f244 Fixup places where it should be CCM instead of GCM.
Fixes https://github.com/wolfSSL/wolfssl/issues/7216
2024-05-15 17:32:09 -04:00
kaleb-himes
42feca7028 Add a recipe for wolfEntropy checkout 2024-05-15 15:23:43 -06:00
Andras Fekete
412447ac41 Enable OPTION_CHECKING by default
This should halt `./configure` when an option is passed that is not recognized.
2024-05-15 16:54:55 -04:00
Fernando Oleo Blanco
ad25e9b063 [Ada] Clean Alire recipe 2024-05-15 22:33:29 +02:00
David Garske
287323ab4c Merge pull request #6933 from kareem-wolfssl/zd16927
Add stub for wolfSSL_set_ecdh_auto.
2024-05-15 13:04:06 -07:00
David Garske
8ba96e6881 Merge pull request #7534 from ColtonWilley/deny_null_term_altnames
Do not match altnames with NULL terminators in the middle
2024-05-15 12:41:37 -07:00
kaleb-himes
76527c3eaa Address a report from multi-test about 8-bit chars 2024-05-15 15:21:41 -04:00
Andras Fekete
0eb11ff466 Standard way to set defaults 2024-05-15 15:19:42 -04:00
Andras Fekete
b83d8f0cf6 Make sure MAX_ECC_BITS >= MIN_ECC_BITS 2024-05-15 15:19:13 -04:00
Andras Fekete
35ef7f4093 There is no default defined. Expected to be unset 2024-05-15 15:16:24 -04:00
Eric Blankenhorn
4e5a98e65d Fix from rebase 2024-05-15 14:03:12 -05:00
kaleb-himes
fa08e2cb62 Fix a long line in pbkdf2 test 2024-05-15 14:02:44 -04:00
kaleb-himes
6719909f4e Add logging.h header in pwdbased.c when DEBUG_WOLFSSL 2024-05-15 14:02:44 -04:00
kaleb-himes
7047991cda Log when iterations LT 1000 but take no action 2024-05-15 14:02:44 -04:00
kaleb-himes
a9511e118a Add SP800-132 112 bit minimum applicable after stretch/strengthen 2024-05-15 14:02:44 -04:00
kaleb-himes
a365d38762 After careful evaluation deciding not to include mem-zero check (for now) 2024-05-15 14:02:43 -04:00
kaleb-himes
82d9a7bbae Initialize scratch buffer 2024-05-15 14:02:43 -04:00
kaleb-himes
673c5993a7 Make the memzero check default with FIPS, fix benchmark app 2024-05-15 14:02:43 -04:00
kaleb-himes
766c3b5ad8 Comments and further relaxing of some other hmac restrictions 2024-05-15 14:02:43 -04:00
kaleb-himes
49e9c06679 (Has dependency PR) API Service update HmacSizeByType 2024-05-15 14:02:43 -04:00
David Garske
fd4db1497f Merge pull request #7536 from gasbytes/buffer_overflows_fix
added check that checks if the SEQ's length is > than the buff's length
2024-05-15 10:56:42 -07:00
David Garske
ac7aea9674 Merge pull request #7478 from JacobBarthelmeh/staticmemory
add global heap hint setter function
2024-05-15 10:43:15 -07:00
Kareem
4481f9b626 Add stub for wolfSSL_set_ecdh_auto. 2024-05-15 10:19:47 -07:00
David Garske
9166c1aa1c Various typo and copy/paste cleanups. 2024-05-15 10:01:40 -07:00
Colton Willey
b156a51e82 Code cleanup per review comments 2024-05-15 09:51:00 -07:00
JacobBarthelmeh
9aeef1d857 add void and remove rebase issue 2024-05-15 10:28:39 -06:00
gasbytes
2f24b35ab1 added check that checks if the SEQ's length is > than the buff's length 2024-05-15 18:20:33 +02:00
Colton Willey
de0a492499 Remove trailing whitespace 2024-05-15 09:12:00 -07:00
David Garske
c73e4333bf Merge pull request #7535 from gojimmypi/PR-fix-sha512-endianness
Fix Espressif SHA512 SW fallback endianness
2024-05-15 09:04:07 -07:00
David Garske
9c4c9234b1 Merge pull request #7532 from SparkiDev/wc_ecc_mulmod_zero
ECC: handle zero in wc_ecc_mulmod()
2024-05-15 09:02:02 -07:00
Colton Willey
d522feb1cd Free X509 object 2024-05-15 08:37:39 -07:00
Colton Willey
958b5ac465 Clean up cast warning 2024-05-15 08:30:38 -07:00
Colton Willey
eb24bce93f Add test case for bad alternative name 2024-05-15 08:22:11 -07:00
gojimmypi
b25a4f1082 Use zero, not Espressif macro for return code 2024-05-15 08:06:06 -07:00
gojimmypi
1024d7a809 Fix Espressif SHA512 SW fallback endianness 2024-05-15 07:36:10 -07:00
David Garske
92806a61c0 Merge pull request #7522 from douzzer/20240511-aes-xts-stream
20240511-aes-xts-stream
2024-05-15 06:22:20 -07:00
Daniel Pouzzner
1469aab109 linuxkm/lkcapi_glue.c: add native test coverage for WOLFSSL_AESXTS_STREAM.
wolfcrypt/test/test.c:
* add WOLFSSL_AESXTS_STREAM testing to the LARGE_XTS_SZ exercise in aes_xts_128_test().
* add the LARGE_XTS_SZ exercise to aes_xts_256_test().
* add aes_xts_192_test().
* fix -Werror=frame-larger-than=2048 in ed25519_test().
2024-05-15 00:45:51 -05:00
Daniel Pouzzner
4331bc092b configure.ac: on armasm, disable ENABLED_AESXTS_STREAM by default (not implemented). 2024-05-14 19:24:27 -05:00
Daniel Pouzzner
2fe366cc74 wolfcrypt/test/test.c: add test coverage for WOLFSSL_AESXTS_STREAM.
linuxkm/lkcapi_glue.c: typographic cleanups, and failsafe error return constructs when skcipher_walk_virt() returns zero walk.nbytes.

wolfcrypt/src/aes.c: additional comments and inline documentation.

.github/workflows/openvpn.yml: disable test on master branch.
2024-05-14 19:11:39 -05:00
Daniel Pouzzner
8392748cda wolfcrypt/src/aes.c: de-deduplicate code, AesXts{En,De}crypt_sw() vs AesXts{En,De}cryptUpdate_sw(). 2024-05-14 19:11:39 -05:00
Daniel Pouzzner
4f1f7b3a4d linuxkm/lkcapi_glue.c: update names of wc_AesXts{En,De}cryptInit().
wolfcrypt/src/aes.c: activate _AesXtsHelper() in AesXts{En,De}cryptUpdate_sw().
2024-05-14 19:11:39 -05:00
Sean Parkinson
643f472cfb AES-XTS ASM x64: Add Intel x64 implementation of streaming
Changed APIs from wc_AesXts*Start -> wc_AesXts*Init.
Enabled ASM for x64 in aes.c.
AesXtsDecryptStart_sw same as AesXtsEncryptStart_sw so changed them to
AesXtsInit_sw.
2024-05-14 19:11:39 -05:00
Daniel Pouzzner
f874d8753d AES-XTS-streaming: refactor API to eliminate caller-supplied tweak_block. instead, caller-supplied iv is used as a readwrite buffer. 2024-05-14 19:11:39 -05:00
Daniel Pouzzner
9e06524c6f wolfcrypt/src/aes.c: add prototypes and linkages for AES_XTS_{encrypt,decrypt}_{start,update}_{avx1,aesni}. 2024-05-14 19:11:39 -05:00
Daniel Pouzzner
3ad5ec4e0a make --enable-linuxkm-lkcapi-register require --enable-experimental, except for the known-good --enable-linuxkm-lkcapi-register="xts(aes)". 2024-05-14 19:11:39 -05:00
Daniel Pouzzner
70d7b6e48b add WOLFSSL_AESXTS_STREAM, --enable-aesxts-stream, wc_AesXtsEncryptStart(), wc_AesXtsDecryptStart(), wc_AesXtsEncryptUpdate(), wc_AesXtsDecryptUpdate(), and implement fixes in linuxkm/lkcapi_glue.c to use the streaming API when needed. also added support for 2*192 bit AES-XTS, needed for Linux kernel. 2024-05-14 19:11:38 -05:00
Colton Willey
676dfb7edb Do not allow NULL terminators in the middle of alt name for pattern matching. ZD 17987 2024-05-14 16:59:28 -07:00
Sean Parkinson
b63f308812 fixup 2024-05-15 09:07:04 +10:00
Sean Parkinson
36754683d6 ECC: handle zero in wc_ecc_mulmod()
Public API needs to handle multiplying by zero as the underlying code
doesn't and needn't.
2024-05-15 09:05:31 +10:00
Andras Fekete
6d1416d006 addressing PR comments 2024-05-14 16:02:56 -04:00
David Garske
28bd4ebeea Merge pull request #7520 from bandi13/fixConversion
Fix conversion
2024-05-14 11:26:37 -07:00
David Garske
7526f527d1 Merge pull request #7526 from lealem47/addCast
Fix for type conversion error
2024-05-14 10:30:08 -07:00
Andras Fekete
a1797f0d0d Fix casts depending on OS 2024-05-14 11:03:20 -04:00
Andras Fekete
a59a3d109f Explicit cast 2024-05-14 11:03:20 -04:00
Andras Fekete
12768cdf57 Fix conversion tls13.c 2024-05-14 11:02:28 -04:00
Andras Fekete
bf92797cbc Fix conversion error in client.c 2024-05-14 11:02:28 -04:00
Andras Fekete
0bf69e240a Fix build failures 2024-05-14 11:02:28 -04:00
Andras Fekete
702b6c25d5 Fix conversion error in benchmark.c 2024-05-14 11:02:28 -04:00
Andras Fekete
692a7d55ff Fix conversion error in wolfio.c 2024-05-14 11:02:28 -04:00
Andras Fekete
affd0a318e Fix sign conversion errors 2024-05-14 11:02:28 -04:00
David Garske
0e2bb28ff3 Merge pull request #7529 from SparkiDev/aes_decrypt_fixes
AES: NO_AES_DECRYPT defined
2024-05-14 06:59:02 -07:00
David Garske
1ee315bbab Merge pull request #7505 from gojimmypi/PR-Apple-Homekit-SRP-fix
Espressif updates to fix Apple Homekit SHA / SRP
2024-05-14 06:58:31 -07:00
Sean Parkinson
e1274013d8 AES: NO_AES_DECRYPT defined
Allow code to compile with NO_AES_DECRYPT with AES modes enabled and
disabled.
2024-05-14 16:27:36 +10:00
gojimmypi
fe5e5955bd Introduce IDE/PlatformIO 2024-05-13 19:12:34 -07:00
David Garske
1c4479867e Merge pull request #7416 from SparkiDev/ecc_blind_k
ECC: blind private key after use in signing
2024-05-13 18:56:44 -07:00
Sean Parkinson
a950e90215 Merge pull request #7527 from douzzer/20240513-test_wc_ecc_sm2_create_digest-clang-analyzer-optin.core.EnumCastOutOfRange
20240513-test_wc_ecc_sm2_create_digest-clang-analyzer-optin.core.EnumCastOutOfRange
2024-05-14 11:03:55 +10:00
Daniel Pouzzner
8ee7c36bb1 tests/api.c: add suppression for clang-analyzer-optin.core.EnumCastOutOfRange in "Bad hash type" subtest in test_wc_ecc_sm2_create_digest(). 2024-05-13 19:06:54 -05:00
Sean Parkinson
b7eca574bb SSL/TLS: blind private key DER
When WOLFSSL_BLIND_PRIVATE_KEY is defined, blind the private key DER
encoding so that stored private key data is always changing.
2024-05-14 09:47:51 +10:00
Sean Parkinson
f24ebdde25 ECC: blind private key after use in signing
Use a mask to blind the private key after use so that stored private key
is always changing.
2024-05-14 09:41:06 +10:00
Daniel Pouzzner
009ea6640b Merge pull request #7493 from SparkiDev/sm3_benchmark_fix
Benchmark, SM3: fix full hash testing
2024-05-13 19:22:22 -04:00
Lealem Amedie
f4275d53c4 Fix for type conversion error 2024-05-13 16:32:12 -06:00
David Garske
6b79e5380d Merge pull request #7525 from bandi13/fixCDTDisableOptionsTest
Unused variable error
2024-05-13 13:13:06 -07:00
gojimmypi
44ec470df0 Update esp32 sha uintptr_t types; ret (0/1 not TRUE/FALSE) 2024-05-13 12:36:35 -07:00
David Garske
7cce5684e6 Merge pull request #7468 from gojimmypi/PR-include-am
Cleanup & sort IDE include.am
2024-05-13 10:36:09 -07:00
David Garske
29f7578a61 Merge pull request #7446 from julek-wolfssl/hostap
hostap update
2024-05-13 10:35:01 -07:00
Andras Fekete
e5a0c0d5bf Unused variable error 2024-05-13 13:18:20 -04:00
Daniel Pouzzner
4b81a99f91 Merge pull request #7424 from SparkiDev/aes_xts_x64_msvc
AES XTS asm x64 MSVC
2024-05-13 13:05:23 -04:00
David Garske
1be10fddba Merge pull request #7509 from miyazakh/user_threading
Add user threading macro definition
2024-05-13 09:24:44 -07:00
David Garske
4eab5267f1 Merge pull request #7511 from julek-wolfssl/ec-meth
Stub EC_KEY_METHOD
2024-05-13 09:22:23 -07:00
David Garske
56129bd160 Merge pull request #7480 from gojimmypi/PR-cmake-liboqs-kyber
Introduce cmake SET_WOLFSSL_DEFINITIONS; Add Kyber and OQS
2024-05-13 09:21:23 -07:00
David Garske
a9164293c2 Merge pull request #7513 from julek-wolfssl/gh/7510
ed25519: check that the signature is smaller than the order
2024-05-13 09:16:17 -07:00
David Garske
568fda0e8b Merge pull request #7517 from bandi13/bugFixes
Bug fixes
2024-05-13 09:01:00 -07:00
David Garske
d39ab765f6 Merge pull request #7519 from julek-wolfssl/gh/7516
Return length in wc_Curve448PublicKeyToDer with NULL output param
2024-05-13 09:00:33 -07:00
Sean Parkinson
81c22128e3 Merge pull request #7523 from douzzer/20240511-clang-analyzer-unix.Stream
20240511-clang-analyzer-unix.Stream
2024-05-13 21:53:13 +10:00
Sean Parkinson
0d996f4e5f Merge pull request #7524 from douzzer/20240512-pkcs12_test-leak
20240512-pkcs12_test-leak
2024-05-13 09:06:04 +10:00
Daniel Pouzzner
1faa70c128 wolfcrypt/test/test.c:
* fix unconditional memory leak in pkcs12_test().
* refactor pkcs12_test() to fix error-conditional memory leaks.
* fix various old-style return codes in sm4_ccm_test(), pkcs12_test(), prf_test(), tls12_kdf_test(), xmss_test(), xmss_test_verify_only(), lms_test(), and lms_test_verify_only().
2024-05-12 14:13:06 -05:00
Daniel Pouzzner
9ac6bdd438 fixes and suppressions for defects reported by clang-analyzer-unix.Stream (new in llvm-19.0.0_pre20240504):
* added POSIX definitions for XFEOF(), XFERROR(), and XCLEARERR(), currently with no-op fallbacks for !POSIX.
* added missing file handle checks in testsuite/testsuite.c:file_test() and tests/utils.h:copy_file().
* added fixes and suppression around tests/api.c:test_wolfSSL_SMIME_read_PKCS7().
* added various fixes in examples/asn1/asn1.c and examples/pem/pem.c.
2024-05-11 15:24:54 -05:00
Andras Fekete
c5773f5f26 Make the function flow better
Will return 0 on failure.
2024-05-10 15:56:56 -04:00
Andras Fekete
f73a9f0d4f Fix function logic 2024-05-10 15:03:17 -04:00
Juliusz Sosinowicz
239706615c Return length in wc_Curve448PublicKeyToDer with NULL output param 2024-05-10 20:10:23 +02:00
JacobBarthelmeh
d68f3cf63c add macro guard around test case 2024-05-10 11:08:45 -06:00
JacobBarthelmeh
98a19f9fdd add debug log and adjust set global heap hint function 2024-05-10 11:08:43 -06:00
JacobBarthelmeh
de3d1a488d add global heap hint setter function 2024-05-10 11:08:01 -06:00
Sean Parkinson
add7428d1c TLS, SM2: fixes to get SM handshakes working
Pass around the algorithm id from the private key so that the WOLFSSL or
WOLFSSL_CTX get the correct key format set.
Use different verification context when self-signed certificate with SM2
and SM3 signature but public key OID is ECC.
2024-05-10 10:15:47 +10:00
Sean Parkinson
b87b521044 AES XTS asm x64 MSVC
Use assembly code for AES-XTS with MSVC for x64.
2024-05-10 09:10:36 +10:00
Daniel Pouzzner
cb689104d1 Merge pull request #7466 from julek-wolfssl/gh/7273
Mark all record sequence numbers before stateful parsing as read
2024-05-09 13:57:13 -04:00
Daniel Pouzzner
2335eb6bc6 Merge pull request #7488 from SparkiDev/asn_template_debug_fix
Asn template debug fix
2024-05-09 12:16:51 -04:00
philljj
2ed2da0a8f Merge pull request #7515 from douzzer/20240509-fix-linuxkm-x86_vector_register_glue
20240509-fix-linuxkm-x86_vector_register_glue
2024-05-09 11:53:36 -04:00
Sean Parkinson
b62e8c1467 ASN template debug compile error
Variable is length instead of len.
2024-05-09 10:44:36 -05:00
Juliusz Sosinowicz
ab03324dc7 ed25519: put entire order into buffer for sanity check 2024-05-09 10:36:37 +02:00
Daniel Pouzzner
611a1642a1 linuxkm/include.am: add linuxkm/x86_vector_register_glue.c to EXTRA_DIST. 2024-05-09 02:03:16 -05:00
Daniel Pouzzner
f7e1e370a0 Merge pull request #7438 from julek-wolfssl/zephr-no-malloc
zephyr no malloc
2024-05-09 02:57:20 -04:00
Daniel Pouzzner
10b31cc481 Merge pull request #7507 from rizlik/update_err_code_cert
tls13: update error code to NO_CERT_ERROR when no cert is set
2024-05-09 01:38:26 -04:00
Daniel Pouzzner
af928faca7 Merge pull request #7489 from anhu/zero_len_hash
Allow for zero length hash.  Its not an error.
2024-05-09 01:34:24 -04:00
Daniel Pouzzner
d53abc2e37 Merge pull request #7441 from kareem-wolfssl/zd17857
Allow using wolfSSL_CTX_set_default_verify_paths without WOLFSSL_SYS_CA_CERTS defined.
2024-05-09 00:38:04 -04:00
philljj
ac17616873 Merge pull request #7514 from douzzer/20240508-linuxkm-x86_vector_register_glue
20240508-linuxkm-x86_vector_register_glue
2024-05-08 21:45:39 -04:00
Daniel Pouzzner
5a784c818d Merge pull request #7319 from SparkiDev/chacha_poly1305_asm_msvc
ChaCha20, Poly1305 ASM for MSVC
2024-05-08 19:03:56 -04:00
Daniel Pouzzner
76b302381b Merge pull request #7484 from SparkiDev/mem_fail_fixes_1
Mem fail fix: ProcessingBuffer()
2024-05-08 18:36:45 -04:00
Hideki Miyazaki
5ceb992035 address review comments 2024-05-09 07:05:51 +09:00
Daniel Pouzzner
bc8664164b linuxkm: move the *SAVE_VECTOR_REGISTERS* code from linuxkm/linuxkm_memory.c to linuxkm/x86_vector_register_glue.c, to move various fidgity/unstable kernel function calls outside the PIE wolfCrypt container. 2024-05-08 16:18:33 -05:00
Juliusz Sosinowicz
2508c9e1f4 ed25519: check that the signature is smaller than the order 2024-05-08 17:54:37 +02:00
Juliusz Sosinowicz
d6291522b9 fixup! Stub EC_KEY_METHOD 2024-05-08 16:41:00 +02:00
Juliusz Sosinowicz
0f06faf3d4 Stub EC_KEY_METHOD 2024-05-08 16:37:30 +02:00
Andras Fekete
8f9c8a1203 Fix infinite loop
'ret' could be set to non-zero inside the loop and the 'cmac->bufferSz' never gets reset causing 'add' to become 0 in the subsequent loop.
2024-05-08 09:52:37 -04:00
Juliusz Sosinowicz
df425b306f Fix https://github.com/wolfSSL/wolfssl/issues/7391 2024-05-08 10:35:42 +02:00
Juliusz Sosinowicz
86c120a3f0 Increase hostap test timeout 2024-05-08 10:35:42 +02:00
Juliusz Sosinowicz
16ec3e52b7 Jenkins fixes 2024-05-08 10:35:42 +02:00
Juliusz Sosinowicz
433f3ae0b9 Add latest patch set to CI 2024-05-08 10:35:42 +02:00
Juliusz Sosinowicz
a987e76677 Use uml for hostap tests
Remove tests that fail with openssl
2024-05-08 10:33:30 +02:00
Juliusz Sosinowicz
6b47ebd66a Expose *_set_groups for TLS < 1.3
- Add test to make sure we fail on curve mismatch
2024-05-08 10:33:20 +02:00
Juliusz Sosinowicz
020bcd0043 Advertise all supported sigalgs by default 2024-05-08 10:33:20 +02:00
Juliusz Sosinowicz
66f72a258f Remove unused internal API 2024-05-08 10:33:20 +02:00
Juliusz Sosinowicz
77a7297c42 Filter cipher list on TLS version change 2024-05-08 10:33:20 +02:00
Juliusz Sosinowicz
06798ab8bf EAP-FAST
Implement PACs for EAP-FAST
- wolfSSL_set_session_ticket_ext_cb
- server side wolfSSL_set_session_secret_cb (tls <=1.2 only)
2024-05-08 10:33:20 +02:00
Sean Parkinson
52861cbdbf Merge pull request #7476 from per-allansson/one-crl-to-rule-them-all
An expired CRL should not override a successful match in other CRL
2024-05-08 09:47:22 +10:00
Hideki Miyazaki
95e9806e9e add user threading macro definition 2024-05-08 06:56:43 +09:00
Daniel Pouzzner
97110700b2 Merge pull request #7430 from jpbland1/check-session-setup
Add `wolfSSL_SessionIsSetup`
2024-05-07 13:51:33 -04:00
András Fekete
33817747c4 Merge pull request #7506 from julek-wolfssl/gh/no-main
Don't use main.yml since it has a limit of 20 jobs
2024-05-07 09:22:56 -04:00
Juliusz Sosinowicz
14ce8ce198 Jenkins fixes 2024-05-07 11:46:36 +02:00
Marco Oliverio
b0c991eeb2 tls13: update error code to NO_CERT_ERROR when no cert is set 2024-05-07 10:55:48 +02:00
Juliusz Sosinowicz
589bdba256 Apply suggestions from code review
Co-authored-by: Bill Phipps <bill@wolfssl.com>
2024-05-07 10:38:01 +02:00
Juliusz Sosinowicz
77a6481d65 fixup! Add testing for zephyr no malloc 2024-05-07 10:38:01 +02:00
Juliusz Sosinowicz
d7361b3677 Increase zephyr thread sample memory 2024-05-07 10:38:01 +02:00
Juliusz Sosinowicz
8d8f4d4e1e fixup! zephyr no malloc 2024-05-07 10:38:01 +02:00
Juliusz Sosinowicz
cbd490d1d7 fixup! zephyr no malloc 2024-05-07 10:38:01 +02:00
Juliusz Sosinowicz
550d9ad9a4 Add testing for zephyr no malloc 2024-05-07 10:38:01 +02:00
Juliusz Sosinowicz
7ed5e0b3ba zephyr no malloc
- cert gen
- csr gen
- pkcs12
- Compiles for Zephyr 3.4.0 and 2.7.4
- Add support for CONFIG_POSIX_API
2024-05-07 10:38:01 +02:00
Juliusz Sosinowicz
2ffb5cc16c Move haproxy.yml to disabled directory 2024-05-07 10:31:04 +02:00
Daniel Pouzzner
4e6a34504d Merge pull request #7500 from SparkiDev/lms_xmss_move_wolfcrypt
LMS, XMSS: move code into wolfCrypt
2024-05-07 01:12:18 -04:00
Chris Conlon
95abc1074b Merge pull request #7278 from JacobBarthelmeh/pkcs7-validate
add guard around public key validation on import
2024-05-06 13:51:29 -06:00
JacobBarthelmeh
7bc73d351f Merge pull request #7504 from ejohnstown/generic-pool-fix
Generic Memory Pools Fix
2024-05-06 13:11:47 -06:00
Juliusz Sosinowicz
7206508329 Don't use main.yml since it has a limit of 20 jobs 2024-05-06 17:18:01 +02:00
gojimmypi
e90c6bcd24 Espressif updates to fix Apple Homekit SRP. 2024-05-04 14:33:23 -07:00
John Safranek
195bbcc315 Generic Memory Pools Fix
1. Add some expository comments describing the purpose of:
   * WOLFMEM_MAX_BUCKETS
   * WOLFMEM_DEF_BUCKETS
   * WOLFMEM_BUCKETS
   * WOLFMEM_DIST
2. Switch the API test for LoadStaticMemory() to named constants.
3. Delete redundant test case. Add a new test case.
4. In the wolfCrypt test for the memory constants, check the sizes of
   the WOLFMEM_BUCKETS and WOLFMEM_DIST lists against
   WOLFMEM_DEF_BUCKETS which should be their length. Check that
   WOLFMEM_DEF_BUCKETS is not greater than WOLFMEM_MAX_BUCKETS.
5. Default for WOLFMEM_MAX_BUCKETS should be WOLFMEM_DEF_BUCKETS, set it
   to what is specified. Add a warning if MAX is less than DEF.
6. Separate the definition of the constant LARGEST_MEM_BUCKET so it is
   dependent on config and not if WOLFMEM_BUCKETS isn't set.
2024-05-03 16:15:38 -07:00
JacobBarthelmeh
081731be8b Merge pull request #7392 from gojimmypi/PR-Espressif-wolfcrypt-test
Update Espressif Examples and Libraries
2024-05-03 15:31:23 -06:00
Anthony Hu
4ddba7ac8a When comparing subject names, do not worry about case. 2024-05-03 15:03:07 -04:00
Sean Parkinson
e47f1d4190 LMS, XMSS: move code into wolfCrypt
Move implementations of LMS and XMSS into wolfCrypt and use by default.
2024-05-03 15:43:22 +10:00
Per Allansson
b88803cbb3 Fix formatting 2024-05-03 06:43:15 +02:00
philljj
d22991bb03 Merge pull request #7499 from douzzer/20240502-test_server_loop-double-close
20240502-test_server_loop-double-close
2024-05-02 23:53:04 -04:00
Daniel Pouzzner
0c1d583ab4 tests/api.c: fix double close in test_server_loop(). 2024-05-02 19:07:36 -05:00
Sean Parkinson
51b85ee1e3 Merge pull request #7490 from dgarske/ecc_curvecache_nomalloc
Support for ECC_CACHE_CURVE with no malloc
2024-05-02 07:17:01 +10:00
Sean Parkinson
75b178f666 Merge pull request #7492 from JacobBarthelmeh/porting
remove assumption of struct layout
2024-05-02 07:14:06 +10:00
philljj
b61a6baf2b Merge pull request #7497 from douzzer/20240501-fix-pqcrypto-private_key-callback-names
20240501-fix-pqcrypto-private_key-callback-names
2024-05-01 16:02:29 -04:00
András Fekete
ba89e0786d Merge pull request #7498 from douzzer/20240501-openssl-sha3-sizeof-fix
20240501-openssl-sha3-sizeof-fix
2024-05-01 15:50:17 -04:00
Daniel Pouzzner
678038a077 wolfssl/openssl/sha3.h: use sizeof(wc_Sha3), not sizeof(struct wc_Sha3), for compatibility with afalg_hash.h and other ports that don't define a struct wc_Sha3. 2024-05-01 14:19:32 -05:00
Daniel Pouzzner
5905f9289d fix namespace collision: rename types read_private_key_cb and write_private_key_cb to wc_{lms,xmss}_read_private_key_cb and wc_{lms,xmss}_write_private_key_cb. 2024-05-01 13:58:57 -05:00
András Fekete
866468ec2c Merge pull request #7496 from douzzer/20240501-xilinx-wc_Sha3
20240501-xilinx-wc_Sha3
2024-05-01 14:51:56 -04:00
Daniel Pouzzner
a25644c379 Merge pull request #7495 from bandi13/fixWindowsNetdb_h
Fix windows 'gethostbyname' declaration
2024-05-01 14:16:45 -04:00
Daniel Pouzzner
7f6f824594 wolfssl/wolfcrypt/port/xilinx/xil-sha3.h: fix struct name -- struct wc_Sha3, not struct Sha3. 2024-05-01 12:47:23 -05:00
Andras Fekete
c3131b3234 Fix windows 'gethostbyname' declaration 2024-05-01 13:37:22 -04:00
David Garske
3afa420c31 Add option NO_ECC_CACHE_CURVE to allow disabling ECC curve cache with async. 2024-05-01 07:25:28 -07:00
Sean Parkinson
1ddc552828 TLS, SM2: fix ecc key type
Set the curve explicitly if it is SM2.
Set the key type to signature algorithm to handle SM2.
2024-05-01 17:56:49 +10:00
Sean Parkinson
e45686cce9 Merge pull request #7494 from douzzer/20240430-xmss-analyzer-cleanups
20240430-xmss-analyzer-cleanups
2024-05-01 14:36:46 +10:00
Sean Parkinson
840d1e9fac Benchmark, SM2: initialize vars for small stack
Variables may not be initialized in benchmark test when building for
small stack.
2024-05-01 13:52:46 +10:00
Daniel Pouzzner
fa30d3ae0b wolfcrypt/benchmark/benchmark.c: fixes for clang-analyzer-deadcode.DeadStores in bench_xmss_sign_verify();
wolfcrypt/test/test.c: fix for invalidPrintfArgType_sint in xmss_test_verify_only().
2024-04-30 22:48:48 -05:00
Sean Parkinson
aab97fe9e2 ChaCha20, Poly1305 ASM for MSVC
Make ChaCha20 and Poly1305 asm available for MSVC.
2024-05-01 13:44:25 +10:00
Sean Parkinson
db6b1388ce Benchmark, SM3: fix full hash testing
Test now has an array of hashes.
Use only first hash when testing full digest operation.
2024-05-01 09:57:13 +10:00
Sean Parkinson
4594151588 Merge pull request #7418 from ejohnstown/generic-pool
Generic Memory Pools
2024-05-01 08:53:56 +10:00
Sean Parkinson
72d49964b9 Merge pull request #7379 from mrdeep1/enable-rpk
configure.ac: Add in --enable-rpk option
2024-05-01 08:44:08 +10:00
Sean Parkinson
2a125ad304 Merge pull request #7479 from gojimmypi/PR-cmake-update
Introduce cmake_policy CMP0128 NEW
2024-05-01 08:39:58 +10:00
Sean Parkinson
76e478ad8d Merge pull request #7491 from bandi13/fixDTLStest
Make the DTLS tests a bit more resilient
2024-05-01 08:38:41 +10:00
JacobBarthelmeh
5aa39a6397 remove assumption of struct layout 2024-04-30 15:42:38 -06:00
Andras Fekete
256d81795a Make the DTLS tests a bit more resilient
The assumption is that the wrong PIDs are getting killed. Better use the current shell's child processes (ie: 'jobs' command) than storing some calculated PID
2024-04-30 15:49:51 -04:00
John Safranek
6be55269db Generic Memory Pools
1. Add API for function `wc_UnloadStaticMemory()` which frees the mutex
   used by the static memory pool.
2. Update the `wc_LoadStaticMemory_ex()` test to free the static memory
   pool's mutex on each successful test case.
2024-04-30 09:34:48 -07:00
John Safranek
f6ae432be1 Generic Memory Pools
1. Add API test for function `wc_LoadStaticMemory_ex()`.
2024-04-30 09:29:20 -07:00
gojimmypi
216925a946 Introduce cmake get/set_wolfssl_definitions; Add Kyber and OQS 2024-04-30 08:41:46 -07:00
David Garske
eaa5edb65b Support for ECC_CACHE_CURVE with no malloc. ZD 17774 2024-04-30 08:22:56 -07:00
Anthony Hu
529b6a1eb9 Allow for zero length hash. Its not an error.
Fixes ZD17910
2024-04-30 11:06:30 -04:00
Sean Parkinson
f18633a000 Merge pull request #7474 from miyazakh/renesas_rz_rsip_update
Improve Renesas RZ support
2024-04-30 21:59:12 +10:00
Hideki Miyazaki
d4b265e84c convert outLen type correctly 2024-04-30 17:19:11 +09:00
David Garske
6b1e6e3ef9 Spelling fixes. 2024-04-30 17:19:11 +09:00
Hideki Miyazaki
07de40e4bd fix warnings
fix encrypted key use case

Update README
2024-04-30 17:19:11 +09:00
gojimmypi
980e26da63 Introduce cmake_policy CMP0128 NEW 2024-04-29 19:27:41 -07:00
Sean Parkinson
0d86137317 Merge pull request #7487 from bandi13/fixDockerfile
Fix dockerfile
2024-04-30 11:50:24 +10:00
Sean Parkinson
068a3b5e99 Merge pull request #7481 from douzzer/20240424-sha-C-dynamic-fallback
20240424-sha-C-dynamic-fallback
2024-04-30 09:00:57 +10:00
Sean Parkinson
5cc05956d5 Merge pull request #7485 from dgarske/pkcs11_async
Improved the prioritization of crypto callback vs async crypt in ECC …
2024-04-30 08:41:14 +10:00
Daniel Pouzzner
bb4c2cbad6 address peer review: typography in linuxkm/linuxkm_memory.c, typography, clarity, and efficiency in wolfcrypt/src/sha256.c and wolfcrypt/src/sha512.c. 2024-04-29 14:02:44 -05:00
David Garske
5af0b1e83b Improved the prioritization of crypto callback vs async crypt in ECC and RSA. Resolves possible use of uninitialized value on ECC/RSA key when PKCS11 is enabled. See #7482 2024-04-29 10:34:01 -07:00
Andras Fekete
b90035d7b0 Remove 'dunfell' as its support ends in 3 days 2024-04-29 12:26:29 -04:00
Andras Fekete
13f83045a4 Add in 'langdale' and 'scarthgap' containers 2024-04-29 12:22:54 -04:00
Andras Fekete
aa1f253a8a Force a rebuild using the latest sources 2024-04-29 12:21:47 -04:00
Sean Parkinson
41eaa8466d Mem fail fix: ProcessingBuffer()
When ProcessBufferCertTypes() is not called, 'der' is not freed.
2024-04-29 23:05:29 +10:00
Per Allansson
e96a65a93d An expired CRL should not override a successful match in other CRL 2024-04-29 09:35:28 +02:00
Sean Parkinson
bd9a27a39b Merge pull request #7472 from ColtonWilley/remove-des3-guard-from-pkcs12-tests
Remove DES3 flag guard from pkcs12 tests
2024-04-29 10:54:39 +10:00
Daniel Pouzzner
393bf4a8e2 wolfssl/openssl/sha3.h: use sizeof(struct wc_Sha3) only ifdef WOLFSSL_SHA3. 2024-04-27 13:17:01 -05:00
Daniel Pouzzner
7260cc124c smallstack refactors of wolfcrypt/src/evp.c:wolfssl_evp_digest_pk_final() and wolfcrypt/test/test.c:openssl_test(). 2024-04-27 12:35:23 -05:00
Daniel Pouzzner
885497ba5a add missing gate around Sha256_SetTransform() declaration in wolfcrypt/src/sha256.c;
remove stray definitions of XTRANSFORM*() in wolfcrypt/src/sha512.c;

restore global intel_flags in the !WC_NO_INTERNAL_FUNCTION_POINTERS paths of sha256.c and sha512.c;

disable test_wolfSSL_dtls_compare_stateless() in tests/api.c when DEBUG_VECTOR_REGISTER_ACCESS_FUZZING (it depends on a stable SHA512 hash of the in-memory struct WOLFSSL image).
2024-04-27 12:35:23 -05:00
Daniel Pouzzner
0566584191 implement full support for --enable-intelasm --enable-linuxkm. also add --enable-curve25519=noasm to allow use of the existing NO_CURVED25519_X64 code path by the linuxkm build (fe_x25519_asm.S is not kernel-compatible). 2024-04-27 12:35:23 -05:00
Daniel Pouzzner
326fd87b4f linuxkm/linuxkm_memory.c: fix circular dependency around wolfCrypt_Init(), allocate_wolfcrypt_linuxkm_fpu_states(), wc_linuxkm_fpu_state_assoc(), on FIPS. 2024-04-27 12:35:23 -05:00
Daniel Pouzzner
3f8e33369c implement WC_C_DYNAMIC_FALLBACK for SHA-3. 2024-04-27 12:35:23 -05:00
Daniel Pouzzner
4184b0e4f3 implement WC_C_DYNAMIC_FALLBACK for SHA512. 2024-04-27 12:35:23 -05:00
Daniel Pouzzner
65649b63d1 implement WC_C_DYNAMIC_FALLBACK for SHA256. 2024-04-27 12:35:23 -05:00
Daniel Pouzzner
4cc27fa58b rename WC_AES_C_DYNAMIC_FALLBACK to WC_C_DYNAMIC_FALLBACK. 2024-04-27 12:35:23 -05:00
David Garske
2496cc0c21 Merge pull request #7477 from julek-wolfssl/issue/7390-2
Fix quic header protect cipher return
2024-04-27 07:10:18 -07:00
John Safranek
d23994862c Generic Memory Pools
1. Added some extra parameter checking to wc_LoadStaticMemory_ex().
2. Added some extra parameter checking to wc_StaticBufferSz_ex().
3. Rename some parameters and add some logging prints.
4. Some static functions have some parameter checking and they are only
   calling in one spot, remove it.
2024-04-26 15:08:17 -07:00
Kareem
c1f23cc505 Allow using wolfSSL_CTX_set_default_verify_paths without WOLFSSL_SYS_CA_CERTS defined. 2024-04-26 10:22:40 -07:00
Kareem
21058820fb Fix NO_WOLFSSL_STUB typo. 2024-04-26 10:22:40 -07:00
Juliusz Sosinowicz
2328270222 Code review 2024-04-26 15:56:20 +02:00
Juliusz Sosinowicz
49952a97d7 Fix quic header protect cipher return 2024-04-26 14:18:40 +02:00
Sean Parkinson
e1bd4dd1ec Merge pull request #7473 from douzzer/20240425-fixes
20240425-fixes
2024-04-26 15:52:05 +10:00
Sean Parkinson
e41454004e Merge pull request #7475 from douzzer/20240425-master-for-jenkins
20240425-master-for-jenkins
2024-04-26 14:54:20 +10:00
Daniel Pouzzner
442d3f30cc src/ssl.c: refactor fix in wolfSSL_RAND_bytes() for race on initGlobalRNG to retain the initial check on initGlobalRNG, and just recheck it, to avoid possible access to uninitialized globalRNGMutex. 2024-04-25 23:47:39 -05:00
Daniel Pouzzner
185f35287e configure.ac: fix copyright year. 2024-04-25 22:44:28 -05:00
Daniel Pouzzner
59290cd066 src/quic.c: fix -Wunused-function for evp_cipher_eq(). 2024-04-25 22:09:28 -05:00
Daniel Pouzzner
963e14a1fe src/ssl.c: code style tweak from peer review. 2024-04-25 22:09:28 -05:00
Daniel Pouzzner
8e8e9bd0eb src/ssl.c: fix races in wolfSSL_Init() and wolfSSL_RAND_bytes(). 2024-04-25 22:09:28 -05:00
Daniel Pouzzner
460991a6f0 wolfcrypt/test/test.c: fix invalidPrintfArgType_sint in lms_test_verify_only(). 2024-04-25 22:09:28 -05:00
Sean Parkinson
c8e51112c3 Merge pull request #7372 from julek-wolfssl/zd/17435
Add secret logging callback to TLS <= 1.2
2024-04-26 09:41:58 +10:00
Sean Parkinson
5ee0e34d89 Merge pull request #7465 from julek-wolfssl/issue/7390
Clean up EVP usage in quic
2024-04-26 09:38:40 +10:00
Sean Parkinson
54022b146b Merge pull request #7456 from mrdeep1/enable-dtls13
dtls1.3: Fix issues when --enable-dtls13 enabled
2024-04-26 09:24:01 +10:00
Sean Parkinson
7881f4e04c Merge pull request #7471 from ColtonWilley/update-benchmark-rsa-size-parsing
Update benchmark to only parse rsa size if keygen is enabled
2024-04-26 09:11:32 +10:00
Sean Parkinson
e22ae7a1f8 Merge pull request #7469 from douzzer/20240424-fix-ports-whitespace
20240424-fix-ports-whitespace
2024-04-26 09:00:38 +10:00
Sean Parkinson
039fd26baf Merge pull request #7467 from anhu/quick_fix
Get rid of some code with NO_OLD_TLS
2024-04-26 08:57:46 +10:00
Sean Parkinson
9ac918c0d4 Merge pull request #7462 from kaleb-himes/SRTP-KDF-HARNESSrev2
Srtp kdf harness rev2
2024-04-26 08:21:37 +10:00
Colton Willey
2fb70b260b Remove DES3 flag guard from pkcs12 tests that do not depend on DES3 code 2024-04-25 12:15:02 -07:00
Colton Willey
7485e9935d Update benchmark to only parse rsa size if keygen is enabled, update keygen option help in configure.ac 2024-04-25 11:46:18 -07:00
Juliusz Sosinowicz
c62faa048c Add secret logging callback to TLS <= 1.2 2024-04-25 17:11:07 +02:00
Juliusz Sosinowicz
d61fec5af9 Clean up EVP usage in quic 2024-04-25 16:34:38 +02:00
Juliusz Sosinowicz
7644d792b6 Mark all record sequence numbers before stateful parsing as read
Fixes https://github.com/wolfSSL/wolfssl/issues/7273
2024-04-25 16:23:41 +02:00
Daniel Pouzzner
e862c85db4 fix formatting infractions in the ports (hard tabs, trailing whitespace, C++ comments, stray Unicode including numerous homoglyphs). 2024-04-24 18:32:48 -05:00
gojimmypi
565058370f Cleanup & sort IDE include.am 2024-04-24 15:36:15 -07:00
Anthony Hu
329650fb4c Get rid of some code with NO_OLD_TLS 2024-04-24 16:00:45 -04:00
kaleb-himes
24eed7de34 Remove debug printf and place comments inside gate 2024-04-24 10:55:13 -04:00
Jon Shallow
e36df36f84 dtls1.3: Fix issues when --enable-dtls13 enabled
Fixed issue reported by scan-build when DTLS13 is enabled.

Fix compile issue when WOLFSSL_DTLS_CH_FRAG is enabled.

Fix running of scripts/dtlscid.test by removing 'set -e' as bwrap
command may not be there.
2024-04-24 12:07:29 +01:00
Sean Parkinson
6e49aa7543 Merge pull request #7421 from philljj/update_lms_parms
Update enum wc_LmsParm for wolfboot support.
2024-04-24 16:39:10 +10:00
Sean Parkinson
c26f4041c6 Merge pull request #7463 from ColtonWilley/hmac-oversized-key-test-update
Update HMAC oversized key tests
2024-04-24 15:34:28 +10:00
Colton Willey
7f19be05bd Modify HMAC oversized key tests to consistently use test vectors from RFC. 2024-04-23 15:23:51 -07:00
Sean Parkinson
9d7913508b Merge pull request #7460 from douzzer/20240423-linuxkm-sha-2-3-asm-save-vector-regs
20240423-linuxkm-sha-2-3-asm-save-vector-regs
2024-04-24 07:33:05 +10:00
Jon Shallow
4a1df83b6f configure.ac: Add in --enable-rpk option
By default RPK (RFC7250) support is not enabled, but is enabled when
--enable-rpk, --enable-all or --enable-dist is used.

Makes use of the HAVE_RPK compile time option.

Fix clang issue reported in tests/api.c during test suites
2024-04-23 21:30:21 +01:00
kaleb-himes
80d21f10c6 Remove excess empty line 2024-04-23 13:47:26 -04:00
kaleb-himes
690671d447 ECC allow keyVer of 192-bit (import OK, generate restricted) 2024-04-23 13:45:41 -04:00
jordan
094ddb62c2 Add wc_LmsKey_ExportPubRaw to wolfcrypt test. 2024-04-23 10:48:53 -05:00
András Fekete
a75c2befb5 Add CUDA support (#7436)
* Redirect the AesEncrypt_C call to device
* Fix function declarations
* Force CC=nvcc with CUDA
* Don't let C++ mangle function names
* Add larger parallelization
* Add in memory copy to device
* `nvcc` does not support '-Wall' nor '-Wno-unused'
* Add in README.md
* Clean up script to output color coded data
* Fix Asymmetric cipher comparisons
* Add in standard output parsing in addition to the CSV
* Add option to output results in a CSV

---------

Co-authored-by: Andras Fekete <andras@wolfssl.com>
2024-04-23 08:26:27 -07:00
jordan
bc00c95fe5 Update enum wc_LmsParm for wolfboot support. 2024-04-23 09:37:07 -05:00
Daniel Pouzzner
5d9154e8c6 wolfcrypt/src/sha{256,512,3}.c add SAVE_VECTOR_REGISTERS() for SHA-2 and SHA-3 vectorized implementations, and add WC_NO_INTERNAL_FUNCTION_POINTERS code paths to fix GOT relocations around implementation function pointers. 2024-04-23 01:31:43 -05:00
Sean Parkinson
c3d9fb61a8 Merge pull request #7444 from miyazakh/trackmem_exclusion
Exclusively tracking mem properties
2024-04-23 11:08:42 +10:00
Sean Parkinson
eb125851cd Merge pull request #7447 from Naruto/feature/enable_sccache
add ENABLE_SCCACHE option
2024-04-23 11:05:43 +10:00
David Garske
3a89c452b3 Merge pull request #7454 from lealem47/stm32AesCtr
Fix for AES CTR on STM32
2024-04-22 10:04:06 -07:00
John Safranek
0b5c83f589 Generic Memory Pools
1. Make the function wolfSSL_GetMemStats() public.
2024-04-22 08:54:40 -07:00
John Safranek
7a0bcb05fb Generic Memory Pools
1. Add checks for listSz against WOLFMEM_MAX_BUCKETS.
2. Use WOLFMEM_DEF_BUCKETS for the size when using the default memory
   descriptions.
3. Whitespace.
2024-04-22 08:54:40 -07:00
John Safranek
15a0ae4244 Generic Memory Pools
1. Add generic function wolfSSL_StaticBufferSz_ex() where one specifies
   the memory bucket list sizes and distribution.
2. Rewrote wolfSSL_StaticBufferSz() in terms of the new function.
3. Changed the list pointers on wc_LoadStaticMemory_ex() and
   wc_init_memory_heap() to be pointers to const.
2024-04-22 08:54:40 -07:00
John Safranek
7481644842 Generic Memory Pools
1. Add the function wc_LoadStaticMemory_ex(), which is a generic version
   of wc_LoadStaticMemory().
2. Modify wc_LoadStaticMemory() to call wc_LoadStaticMemory_ex() with
   the bucket lists.
3. Rename the function wolfSSL_load_static_memory() as
   wc_partition_static_memory(), make it static, move it higher in the file.
2024-04-22 08:54:40 -07:00
John Safranek
2168b154b6 Generic Memory Pools
1. Modify wolfSSL_CTX_load_static_memory() to use wc_LoadStaticMemory()
   instead of reimplementing it.
2. Initialize the pointers in wc_LoadStaticMemory() to null.
3. Whitespace changes.
2024-04-22 08:54:37 -07:00
Sean Parkinson
b17ad46b30 Merge pull request #7458 from douzzer/20240422-wc_SRTCP_KDF_ex-Wconversion
20240422-wc_SRTCP_KDF_ex-Wconversion
2024-04-22 21:30:14 +10:00
Daniel Pouzzner
44e8f392ae wolfcrypt/src/kdf.c: fix -Wconversions in wc_SRTCP_KDF_ex(). 2024-04-22 01:11:46 -05:00
Sean Parkinson
5bb22d8343 Merge pull request #7439 from JacobBarthelmeh/build_test
fix for WOLFSSL_NO_PEM build
2024-04-22 10:48:57 +10:00
Sean Parkinson
e1b66ca62d Merge pull request #7407 from mrdeep1/key_share
Handle PSK-Only negotiation with key_share not being sent in Server Hello
2024-04-22 10:45:56 +10:00
Sean Parkinson
cfe645ca70 Merge pull request #7455 from kaleb-himes/SRTCP-48bit-indices
Srtcp 48bit indices
2024-04-22 10:43:07 +10:00
Sean Parkinson
eeadb2a7f3 Merge pull request #7457 from douzzer/20240420-wc_linuxkm_fpu_state_assoc-fixups
20240420-wc_linuxkm_fpu_state_assoc-fixups
2024-04-22 10:39:55 +10:00
Daniel Pouzzner
0a4eb1fbc7 linuxkm/linuxkm_memory.c: require kernel 5.4+ for AESNI/AVX, and add fixup code in wc_linuxkm_fpu_state_assoc_unlikely() to cope with migrations. in save_vector_registers_x86(), on kernel < 5.17, check test_thread_flag(TIF_NEED_FPU_LOAD) as a workaround for irq_fpu_usable() missing check for in_kernel_fpu. 2024-04-20 13:55:37 -05:00
Lealem Amedie
eafa425019 Engine doesn't need NO_OLD_RNG_NAME 2024-04-19 16:15:38 -06:00
JacobBarthelmeh
78670f5098 Merge pull request #7453 from douzzer/20240419-wolfSSL_CTX_SetTmpDH-double-free
20240419-wolfSSL_CTX_SetTmpDH-double-free
2024-04-19 13:48:37 -06:00
kaleb-himes
4b1edc78bb Add test case 2024-04-19 13:16:19 -06:00
Lealem Amedie
acc6ff84d8 Move rng seed cb call to wolfcrypt_test 2024-04-19 12:36:20 -06:00
Lealem Amedie
9bc0e31a32 Fix for AES CTR on STM32 2024-04-19 12:35:33 -06:00
kaleb-himes
e835517633 SRTCP 32-bit indices default plus errata 48-bit indices 2024-04-19 12:31:08 -06:00
JacobBarthelmeh
69be7a7c54 Merge pull request #7431 from lealem47/aes_cfb
Fix for AES-CFB1 encrypt/decrypt on size (8*x-1) bits
2024-04-19 10:55:27 -06:00
JacobBarthelmeh
a63ff277ed Merge pull request #7452 from douzzer/20240419-linuxkm-intelasm-expansion
20240419-linuxkm-intelasm-expansion
2024-04-19 10:46:11 -06:00
Daniel Pouzzner
39e2405e2f src/ssl_load.c: fix double-free in wolfSSL_CTX_SetTmpDH(). 2024-04-19 11:43:32 -05:00
JacobBarthelmeh
5f9ed54aaa Merge pull request #7451 from SparkiDev/test_fixes_1
Fixes from configuration testing
2024-04-19 10:43:31 -06:00
JacobBarthelmeh
c7f852fbbd Merge pull request #7450 from anhu/reneg_indic
check for conflicting secure renegotiation macros (settings.h)
2024-04-19 10:41:26 -06:00
JacobBarthelmeh
9242f611b2 Merge pull request #7449 from lealem47/nginx_stubs
Adding stubs required for latest nginx
2024-04-19 10:38:17 -06:00
Jon Shallow
7b22681287 Handle PSK-Only negotiation with key_share not being sent in Server Hello
The wrong cipher suite is potentially chosen if key_share is not seen by the client.

$ cat /tmp/test
Client_identitySHA256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

Server:
$ gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK:+ECDHE-ECDSA:+AES-128-CCM-8:+CTYPE-CLI-ALL:+CTYPE-SRV-ALL:+SHA256 --pskpasswd=/tmp/test

Client:
$ examples/client/client -vd -g -s -p 5556 2>&1| grep HTTP
2024-04-19 17:14:28 +01:00
Daniel Pouzzner
0264a518e1 wolfcrypt/src/ed25519.c: in ed25519_pairwise_consistency_test(), add casts to mollify -Wconversion. 2024-04-19 01:41:35 -05:00
Daniel Pouzzner
28480ec0ea linuxkm/Kbuild: add SHA-2, SHA-3, ChaCha20, and poly1305, to kernel-safe vectorized-asm list. 2024-04-19 01:35:45 -05:00
Daniel Pouzzner
85f3fb9d07 Merge pull request #7409 from SparkiDev/asm_x64_rip_fix
SHA-256 x64 ASM - fix use of %rip
2024-04-19 02:33:47 -04:00
Sean Parkinson
d2b9a365f2 ChaCha20 and Poly1305 x64 ASM - fixu use of %rip
Get the address of the constants into a register at start instead of
calculating the address relative to the instruction pointer each time.
2024-04-19 09:59:54 +10:00
Sean Parkinson
97d560d9af Fixes from configuration testing
asn1.c: Allow sample to build without coding (base64 decoding).

set_curves_list(): function for ECC, Ed25519, Ed448 but this block of
code is ECC only. Fixed #ifdef protection.

wolfSSL_CTX_set1_curves_list and wolfSSL_set1_curves_list also available
when Curve25519/Curve448 compiled in but not ECC.
2024-04-19 08:40:19 +10:00
Lealem Amedie
7a7af18887 Guard with OPENSSL_EXTRA instead of WOLFSSL_NGINX 2024-04-18 16:33:37 -06:00
Anthony Hu
85326da7fc check for conflicting HAVE_RENEGOTIATION_INDICATION and HAVE_SECURE_RENEGOTIATION in settings.h 2024-04-18 17:51:33 -04:00
JacobBarthelmeh
fe671f72e1 Merge pull request #7435 from SparkiDev/ssl_misc_fixup
ssl_misc.c: wolfssl_file_len() protection
2024-04-18 14:36:38 -06:00
JacobBarthelmeh
ef153101b7 Merge pull request #7433 from SparkiDev/eddsa_fips_checks
EdDSA FIPS checks on public key
2024-04-18 14:34:31 -06:00
JacobBarthelmeh
9666e4d7e4 Merge pull request #7448 from douzzer/20240418-pq-hybrid-fixes
20240418-pq-hybrid-fixes
2024-04-18 14:31:27 -06:00
Daniel Pouzzner
e48f06bd53 fixes for WOLFSSL_DUAL_ALG_CERTS: "cannot take address of bit-field ‘altKeyType’" and "‘altPrivateKeyType’" in ProcessBufferTryDecode(), "‘heap’ undeclared" in ProcessBufferCertAltPublicKey(), "‘consumed’ undeclared" in ProcessFile(), "‘keySz’ undeclared" in wolfSSL_CTX_use_PrivateKey_Id(). 2024-04-18 13:49:44 -05:00
Lealem Amedie
a1cf316630 Adding stubs required for latest nginx 2024-04-18 12:28:31 -06:00
Lealem Amedie
295033441c Fix for AES-CFB1 encrypt/decrypt on size (8*x-1) bits 2024-04-18 11:31:28 -06:00
Naruto TAKAHASHI
38dc4f299c add ENABLE_SCCACHE option 2024-04-19 00:40:57 +09:00
kaleb-himes
0bd5967093 Adjust FIPS version and default configuration 2024-04-18 08:41:05 -06:00
Sean Parkinson
08b42b7c93 Merge pull request #7443 from douzzer/20240418-fix-aes_xts_128_test-DEBUG_VECTOR_REGISTER_ACCESS
20240418-fix-aes_xts_128_test-DEBUG_VECTOR_REGISTER_ACCESS
2024-04-18 21:10:40 +10:00
Hideki Miyazaki
dab6726e58 fix tracking mem properties under multi-threads 2024-04-18 15:14:25 +09:00
Daniel Pouzzner
436efb0078 wolfcrypt/test/test.c: in aes_xts_128_test(), change DEBUG_VECTOR_REGISTER_ACCESS gates to DEBUG_VECTOR_REGISTER_ACCESS_AESXTS (currently unused), after refactor of AES-XTS C fallback in 9f55dba2f2. (per-call fallback is no longer supported for AES-XTS.) 2024-04-18 00:59:03 -05:00
JacobBarthelmeh
41f31f4635 Merge pull request #7440 from douzzer/20240417-fix-LoadSystemCaCertsWindows
20240417-fix-LoadSystemCaCertsWindows
2024-04-17 15:47:48 -06:00
JacobBarthelmeh
58167a2ebb Merge pull request #7434 from douzzer/20240416-fips-v6-fixes
20240416-fips-v6-fixes
2024-04-17 13:52:35 -06:00
Daniel Pouzzner
6e3a9d5447 src/ssl_load.c: in LoadSystemCaCertsWindows(), fix flub introduced in 8e9810e87e. 2024-04-17 13:24:26 -05:00
JacobBarthelmeh
c2e60d523f fix for WOLFSSL_NO_PEM build 2024-04-17 11:16:18 -06:00
Sean Parkinson
593cb77e51 ssl_misc.c: wolfssl_file_len() protection
wolfssl_file_len is now used by wolfssl_read_file_static() which is
compiled in with less restrictions.
Fix #ifdef protection.
2024-04-17 22:44:13 +10:00
John Bland
804cf1c3b7 re-add function to new file 2024-04-17 04:04:00 -04:00
John Bland
b184cdf7b5 add underscore to make it more consistient and readable 2024-04-17 03:56:07 -04:00
John Bland
c1dbbcc81e add wolfSSLSessionIsSetup so the user can check if
a session ticket has been sent by the server
2024-04-17 03:54:51 -04:00
Sean Parkinson
c590fe514f EdDSA FIPS checks on public key
Check that the Ed25519 and Ed448 public key is valid even without
private key.
Perform pairwise consistency test, only in FIPS, when making a key i
Ed25519 and Ed448.
2024-04-17 17:50:33 +10:00
Daniel Pouzzner
3df11e7eab fixes for cppcheck uninitvar src/pk.c (false positives) and nullPointerRedundantCheck in src/ssl_load.c (true positive). 2024-04-17 01:00:41 -05:00
Daniel Pouzzner
fac834c80a configure.ac: in setup for enable-all and enable-all-crypto with enable-32bit, fix inconsistency whereby SHAKE was enabled but SHA512 and SHA3 weren't; remove unneeded+unwanted ENABLED_32BIT conditional force-off of SHA512, SHA384, SHA3, ED25519 (harmonizes with FIPS v6). 2024-04-17 00:43:41 -05:00
Daniel Pouzzner
d0edb3d0a9 scripts/aria-cmake-build-test.sh: fix masked exit value. 2024-04-17 00:43:41 -05:00
Daniel Pouzzner
855175da47 wolfcrypt/src/fe_448.c: fix several out-of-order declarations in fe448_mul_8(). 2024-04-17 00:43:41 -05:00
Daniel Pouzzner
9f55dba2f2 wolfcrypt/src/aes.c: in AES-XTS AESNI, use cautious strategy as in AESGCM_STREAM for SAVE_VECTOR_REGISTERS, due to random failures seen with DEBUG_VECTOR_REGISTER_ACCESS_FUZZING using the old per-call fallback strategy. 2024-04-17 00:43:41 -05:00
Daniel Pouzzner
b2f594e84b fixes for --enable-32bit CFLAGS=-m32 --enable-fips=v6 (fixes "#error ED448 requires SHAKE256"). 2024-04-17 00:43:41 -05:00
JacobBarthelmeh
03ed52bd81 Merge pull request #7297 from SparkiDev/ssl_move_5
ssl.c: Move functions out to separate files
2024-04-16 17:56:55 -06:00
JacobBarthelmeh
1f61ed3536 Merge pull request #7397 from dalybrown/expose-dtsl-in-ada
Expose DTLS in Ada wrapper and update examples
2024-04-16 13:37:23 -06:00
András Fekete
73a85af9b9 Merge pull request #7429 from julek-wolfssl/hostap-cert-update
Update hostap certs ref
2024-04-16 12:43:28 -04:00
Juliusz Sosinowicz
52a593c883 Update hostap certs ref 2024-04-16 17:53:29 +02:00
Sean Parkinson
8e9810e87e ssl.c: Move functions out to separate files
Moved E[CD][25519||448] APIs to pk.c
Move public key PEM APIs to pk.c.
Move wolfSSL loading and using of private keys and certificates to
ssl_load.c
Move PKCS#7 and PKCS#12 APIs to ssl_p7p12.c.
Move session and session cache APIs to ssl_sess.c.
Other minor fixes.
2024-04-16 10:30:59 +10:00
JacobBarthelmeh
9b92aea245 Merge pull request #7422 from douzzer/20240412-fips-v5-v6-linuxkm-fixes
20240412-fips-v5-v6-linuxkm-fixes
2024-04-15 17:32:53 -06:00
Daniel Pouzzner
281c2a431e wolfcrypt/test/test.c: fix return code in pbkdf2_test(), add DEBUG_WOLFSSL gates on keysize report in ecc_test_curve(), and add missing PRIVATE_KEY_UNLOCK()s in cryptocb_test() for fips-dev coverage. 2024-04-15 14:11:21 -05:00
Daniel Pouzzner
6e0a90190f fixes for v5 and v6+ FIPS builds, including linuxkm v6+ builds. 2024-04-15 14:11:21 -05:00
JacobBarthelmeh
be74cb7d94 Merge pull request #7419 from anhu/winpq
Add PQ Files for windows.
2024-04-15 10:21:47 -06:00
JacobBarthelmeh
1cb34a8bed Merge pull request #7411 from douzzer/20240410-lock-free-wc_linuxkm_fpu_state_assoc
20240410-lock-free-wc_linuxkm_fpu_state_assoc
2024-04-15 10:20:39 -06:00
JacobBarthelmeh
3742c4dd57 Merge pull request #7413 from gojimmypi/PR-PlatformIO-FreeRTOS
Modify PlatformIO FreeRTOS include path, settings.h
2024-04-12 14:32:55 -06:00
JacobBarthelmeh
3113e6c855 Merge pull request #7393 from philljj/xmss_w64_settings
Adjust wc_xmss and wc_lms settings to support wolfboot.
2024-04-12 14:14:50 -06:00
JacobBarthelmeh
7d0ce39408 Merge pull request #7396 from miyazakh/renesas_rx72n
fix rx72n compile failure
2024-04-12 14:03:45 -06:00
JacobBarthelmeh
77bbb35830 Merge pull request #7415 from bandi13/addDockerCrossCompilerDependency
Add yet another cross compiling tool
2024-04-12 13:19:27 -06:00
Anthony Hu
85765b1a57 Add PQ Files for windows. 2024-04-12 15:05:29 -04:00
jordan
6ae99485a1 Additional changes to support wolfboot wc_lms. 2024-04-12 10:51:55 -05:00
Andras Fekete
5e85adee0f Add yet another cross compiling tool 2024-04-11 23:14:16 -04:00
JacobBarthelmeh
8b656d5a5f Merge pull request #7295 from kaleb-himes/SRTP-KDF-FS
SRTP-KDF FS Preview
2024-04-11 13:41:05 -06:00
kaleb-himes
73e5303718 Removed duplicate file from project 2024-04-11 12:16:21 -06:00
kaleb-himes
29a41d5ff9 Add new fips-ready dependencies to WIN10 project 2024-04-11 10:56:46 -06:00
gojimmypi
b1261f5471 Modify PlatformIO FreeRTOS include path, settings.h 2024-04-11 07:46:35 -07:00
Daniel Pouzzner
954005af9a linuxkm/linuxkm_memory.c: refactor wc_linuxkm_fpu_state_assoc() as a lock-free O(1) mechanism with per-CPU rather than per-process state. 2024-04-11 00:06:28 -05:00
JacobBarthelmeh
ff09f418c0 Merge pull request #7408 from SparkiDev/asn_templ_rid
X.509 RID ASN template behaviour
2024-04-10 11:42:07 -06:00
kaleb-himes
264dcd4e15 Fix a file mode and more overlong lines 2024-04-10 10:18:49 -06:00
kaleb-himes
4a8443f0e4 Address new file item reported by Jenkins 2024-04-10 11:05:11 -04:00
Sean Parkinson
8b3fbe47e6 SHA-256 x64 ASM - fix use of %rip
Get the address of table K instead of using it directly each time a
value is required.
2024-04-10 15:02:19 +10:00
Sean Parkinson
36b47d1374 Merge pull request #7352 from JacobBarthelmeh/coverity4
Coverity Fixes
2024-04-10 10:46:54 +10:00
Sean Parkinson
b48b5c47f4 X.509 RID ASN template behaviour
Don't set the DNS entry for RID unless OPENSSL_ALL is defined to match
the behaviour of original ASN code.
2024-04-10 10:39:45 +10:00
kaleb-himes
2aae5eb0f5 Multi-test doesn't like over-long lines 2024-04-09 16:54:17 -06:00
kaleb-himes
55fc9c09e4 Set debugging off by default 2024-04-09 16:24:35 -06:00
kaleb-himes
455f1a6875 Addendum to windows support with OpenSSL Extra enabled 2024-04-09 16:19:48 -06:00
JacobBarthelmeh
a8415a7926 Merge pull request #7367 from mrdeep1/hello_verify_request
Support DTLS1.3 downgrade when using PSK
2024-04-09 16:17:59 -06:00
kaleb-himes
b8d31b042f Windows support 2024-04-09 13:55:05 -06:00
kaleb-himes
71e83cdd19 Resolve armasm fips wrappers and sanity 2024-04-09 11:41:41 -06:00
kaleb-himes
0d83d0d199 Make wolfEntropy optional and bring settings.h in sync w/ master 2024-04-09 10:44:17 -06:00
kaleb-himes
e45867bbc3 WIN fips section refactor / wolfEntropy API syntax adjustment 2024-04-09 09:48:33 -06:00
kaleb-himes
a3413ad009 Address Jenkins caught item 2024-04-09 09:48:33 -06:00
kaleb-himes
ef2a636610 Expose additional features of opensslall in a compliant way 2024-04-09 09:48:33 -06:00
kaleb-himes
afeb3f5358 More peer feedback 2024-04-09 09:48:33 -06:00
kaleb-himes
d40700b93d Fix offset (whitespace) 2024-04-09 09:48:33 -06:00
kaleb-himes
84e5ccece5 Implement peer review feedback 2024-04-09 09:48:33 -06:00
kaleb-himes
8485f88688 Bring fips-dev inline with fips-ready 2024-04-09 09:48:33 -06:00
kaleb-himes
2e63ae750d Comments for SP800-38E TODO, wolfEntropy optional setup and remove forced errors api.c 2024-04-09 09:48:33 -06:00
kaleb-himes
8092104396 Address a flush-left in test.c and gt 80 column limit in settings.h 2024-04-09 09:48:33 -06:00
kaleb-himes
b7d88e0852 Cleanup duplicate forward dec logic with different macros 2024-04-09 09:48:33 -06:00
kaleb-himes
84f5b4e5bf Touchup a few more edge cases caught by Jenkins 2024-04-09 09:48:33 -06:00
kaleb-himes
829d028d98 Add configure for wolfEngine with new module 2024-04-09 09:48:33 -06:00
kaleb-himes
4df091ae2a Restore debug messages that were cluttering up logs 2024-04-09 09:48:33 -06:00
kaleb_himes
81f5ac7f6c SRTP-KDF FS Preview 2024-04-09 09:48:33 -06:00
JacobBarthelmeh
dd79ca5d96 Merge pull request #7405 from SparkiDev/mismatch_cs_alert
No match cipher suite alert type change
2024-04-09 09:31:12 -06:00
JacobBarthelmeh
144ffdc713 Merge pull request #7400 from philljj/test_xmss_pubraw
Add wc_XmssKey_ExportPubRaw to wolfcrypt test.
2024-04-09 09:14:23 -06:00
jordan
4a069ee5c1 Small cleanup for review. 2024-04-08 21:41:33 -05:00
Daly Brown
707e60aa79 Address gnatprove issues in tls client 2024-04-08 19:40:06 -04:00
Sean Parkinson
d96e5ec589 No match cipher suite alert type change
TLS 1.0/1.1/1.2 specifications require the of a return a handshake
failure alert when no cipher suites match.
TLS 1.3 specification requires the return of a "handshake_failure" or
"insufficient_security" fatal alert.

Change alert sent from "illegal_parameter" to "handshake_failure".
2024-04-08 11:25:50 +10:00
Fernando Oleo Blanco
8d49dce2cb [Ada] Fix crate name in Alire 2024-04-06 01:12:02 +02:00
Fernando Oleo Blanco
afc1e96899 [Ada] Add initial Alire support, alpha version 2024-04-05 23:29:45 +02:00
Fernando Oleo Blanco
77cd3b837b [Ada] Explicitly add netdb.h support 2024-04-05 23:27:24 +02:00
Fernando Oleo Blanco
4a5373f21b Add Ada/Alire files to gitignore 2024-04-05 23:23:26 +02:00
Fernando Oleo Blanco
32d0abb407 Merge branch 'wolfSSL:master' into master 2024-04-05 22:11:28 +02:00
Daniel Pouzzner
d1efccd259 Merge pull request #7381 from dgarske/netdb_ioctl
Restore `HAVE_NETDB_H` and `HAVE_SYS_IOCTL_H` checks in the wolfio.c.
2024-04-05 16:02:21 -04:00
Daniel Pouzzner
a518f493b5 Merge pull request #7388 from JacobBarthelmeh/x509_cases
check for critical policy extension when not supported
2024-04-05 15:59:03 -04:00
Daniel Pouzzner
7d66cc46ff Merge pull request #7375 from mrdeep1/fix_rpk
RPK: Define Certificates correctly for (D)TLS1.2
2024-04-05 15:48:25 -04:00
Daniel Pouzzner
2ba12a89df Merge pull request #7386 from anhu/reseed_public
Make wc_RNG_DRBG_Reseed() a wolfCrypt API.
2024-04-05 14:27:26 -04:00
Anthony Hu
cf2f58bfdf Merge pull request #7395 from douzzer/20240403-RPK-cleanups
20240403-RPK-cleanups
2024-04-05 13:43:15 -04:00
Anthony Hu
3908bc34ed Merge pull request #7399 from douzzer/20240405-tls-endian-fixes
20240405-tls-endian-fixes
2024-04-05 13:40:07 -04:00
jordan
d0802335a8 Add wc_XmssKey_ExportPubRaw to wolfcrypt test. 2024-04-05 12:09:04 -05:00
Daly Brown
97e731f27b Address gnatprove warnings and errors 2024-04-05 12:09:11 -04:00
Daniel Pouzzner
cdf2504612 fixes for non-portable (endian-sensitive) code patterns around word16 in TLS layer. 2024-04-05 10:42:05 -05:00
Kaleb Himes
9d56484d33 Merge pull request #7398 from douzzer/20240404-fips-VERSION3
20240404-fips-VERSION3
2024-04-05 07:53:32 -06:00
gojimmypi
5cab707d8e Update Espressif Examples and Libraries 2024-04-04 20:40:52 -07:00
Daniel Pouzzner
9542843874 wolfssl/wolfcrypt/settings.h: streamline definitions of WOLFSSL_FIPS_VERSION_CODE for the !HAVE_FIPS and !HAVE_FIPS_VERSION cases; add WOLFSSL_FIPS_VERSION2_CODE and fix the incumbent FIPS_VERSION_{LT,LE,EQ,GE,GT} definitions to use it. 2024-04-04 22:27:51 -05:00
kaleb-himes
ae2a92e449 add "VERSION3" variants of macros for testing and computing FIPS versions. 2024-04-04 17:39:07 -05:00
Daly Brown
42f7be20c8 Fix assertion that address length must be greater than zero 2024-04-04 16:19:44 -04:00
Daly Brown
63547d954a Fix formatting issues and remove unused variable 2024-04-04 16:06:19 -04:00
Daly Brown
be72849d48 Expose DTLS in Ada wrapper and update examples 2024-04-04 15:52:14 -04:00
Hideki Miyazaki
6c029badcc fix rx72n compile 2024-04-04 15:40:15 +09:00
Daniel Pouzzner
747755b3c4 fixes for analyzer carps around HAVE_RPK:
fix clang-analyzer-deadcode.DeadStores in src/tls.c TLSX_ClientCertificateType_GetSize();

fix clang-analyzer-deadcode.DeadStores in tests/api.c test_tls13_rpk_handshake();

fix null pointer to XMEMCPY() in src/internal.c CopyDecodedName().
2024-04-04 00:15:01 -05:00
jordan
0c22f1f048 wc_xmss_impl requires misc.c functions. 2024-04-03 14:52:05 -05:00
JacobBarthelmeh
8b587b563c Merge pull request #7286 from Frauschi/hybrid_signatures
Improvements to dual algorithm certificates
2024-04-03 13:37:16 -06:00
Daniel Pouzzner
8511b2dc6b ProcessBuffer(): in WOLFSSL_DUAL_ALG_CERTS code path, fall through without disrupting ret, if cert->sapkiOID and cert->sapkiLen are unset. 2024-04-03 13:54:57 -05:00
jordan
79abae8c3d Only require WOLFSSL_W64_WRAPPER if WOLFSSL_XMSS_MAX_HEIGHT greater than 32. 2024-04-03 12:16:03 -05:00
David Garske
57603823e3 Merge pull request #7387 from JacobBarthelmeh/sm2
fix for oss-fuzz sm2 test build
2024-04-03 10:08:46 -07:00
JacobBarthelmeh
f6a24efe23 Merge pull request #7389 from dgarske/nxp_mmcau_sha256
Fix the NXP MMCAU HW acceleration for SHA2-256
2024-04-03 10:39:04 -06:00
Anthony Hu
9bfab33726 Address comments from Jacob. 2024-04-03 09:04:28 -04:00
David Garske
d7c6d7af44 Fix the NXP MMCAU HW acceleration for SHA2-256. Broken with LMS SHA2 refactor. 2024-04-02 19:32:41 -07:00
JacobBarthelmeh
c768f76d5a Merge pull request #7315 from fabiankeil/disable-3des-ciphers
Allow to enable DES3 support without the DES3 ciphers
2024-04-02 17:48:01 -06:00
JacobBarthelmeh
75da69911c Merge pull request #7369 from dgarske/infineon_modustoolbox
Support for Infineon Modus Toolbox with wolfSSL
2024-04-02 17:34:07 -06:00
JacobBarthelmeh
983616afa0 check for critical policy extension when not supported 2024-04-02 16:46:47 -06:00
JacobBarthelmeh
04ebc966d0 Merge pull request #7385 from philljj/spelling_cleanup
Used codespell and fixed obvious typos.
2024-04-02 14:35:51 -06:00
JacobBarthelmeh
d4f5825fd2 fix for sp build with ecc_map_ex 2024-04-02 11:40:53 -06:00
JacobBarthelmeh
ed4f052215 Merge pull request #7382 from bandi13/reEnableTest
Revert "Disable broken library"
2024-04-02 10:51:50 -06:00
JacobBarthelmeh
b334750bf2 Merge pull request #7383 from embhorn/zd17763
Fix build error with RECORD_SIZE defined
2024-04-02 10:51:11 -06:00
Anthony Hu
598a3bfdcd Make wc_RNG_DRBG_Reseed() a wolfCrypt API. 2024-04-02 12:33:35 -04:00
jordan
b65e42bf4d Used codespell and fixed obvious typos. 2024-04-02 10:19:39 -05:00
Eric Blankenhorn
e072677379 Fix build error with RECORD_SIZE defined 2024-04-02 10:02:35 -05:00
Fabian Keil
790129ee71 cmake: Add WOLFSSL_DES3_TLS_SUITES option 2024-04-02 16:27:11 +02:00
Daniel Pouzzner
092dba4593 wolfcrypt/src/asn.c: fix for benign identicalInnerCondition in ParseCertRelative(). 2024-04-01 23:50:05 -05:00
Anthony Hu
10d210ce26 Parenthesis 2024-04-01 19:05:59 -04:00
Anthony Hu
2d532dd6b8 Clean up after another round of analyzer execution. 2024-04-01 18:56:44 -04:00
Andras Fekete
6524fbb43f Revert "Disable broken library"
This reverts commit ce52a68c3d.
2024-04-01 18:11:42 -04:00
Anthony Hu
3a3a7c2a67 Forgot to clean up the preTBS. 2024-04-01 17:37:04 -04:00
Anthony Hu
6a4d4bf6f1 cks_order is used later; don't let it fall out of scope. 2024-04-01 17:37:03 -04:00
Anthony Hu
8f599defe0 Add check inspired by original implementation of asn. 2024-04-01 17:37:03 -04:00
Daniel Pouzzner
2f3495f286 src/tls13.c: remove unreachable break in DoTls13CertificateVerify().
tests/api.c: fix various use-after-frees of file in do_dual_alg_root_certgen() and do_dual_alg_server_certgen().
2024-04-01 17:37:03 -04:00
Anthony Hu
e4b7857e43 If WOLFSSL_TRUST_PEER_CERT is defined, the negative test is no longer negative. 2024-04-01 17:37:03 -04:00
Tobias Frauenschläger
136eaae4f1 Improvements to dual alg certificates
* Support for external keys (CryptoCb interface)
* Support for usage in mutual authentication
* better entity cert parsing
* Fix for Zephyr port to support the feature
* Check key support
* Proper validation of signatures in certificate chains
* Proper validation of peer cert with local issuer signature
	(alt pub key is cached now)
* Support for ECC & RSA as alt keys with PQC as primary
* Support for PQC certificate generation
* Better support for hybrid signatures with variable length signatures
* Support for primary and alternative private keys in a single
  file/buffer
* More API support for alternative private keys

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-04-01 17:37:03 -04:00
David Garske
da6a11d1d1 Restore HAVE_NETDB_H and HAVE_SYS_IOCTL_H checks in the wolfio.c. 2024-04-01 09:49:22 -07:00
oltolm
78b8ea3646 make "yes;no" cmake options boolean instead of string 2024-04-01 16:20:11 +02:00
Daniel Pouzzner
d930825a92 Merge pull request #7362 from jpbland1/rsa-make-key-no-malloc
fix wc_MakeRsaKey and wc_RsaKeyToDer to work with WOLFSSL_NO_MALLOC
2024-03-30 03:19:27 -04:00
John Bland
d8e9e90f9d refactor rawLen to avoid unused warning 2024-03-30 02:12:32 -04:00
Daniel Pouzzner
03d7eac9c4 Merge pull request #7337 from gojimmypi/PR-test-certbuf-256
wolfcrypt tests: improve file system gating for USE_CERT_BUFFERS
2024-03-30 00:43:20 -04:00
David Garske
5c486cb7a6 Merge pull request #7371 from douzzer/20240327-tls-int-overflows
20240327-tls-int-overflows
2024-03-29 11:37:08 -07:00
Jon Shallow
a0f3933881 Support (D)TLS1.3 downgrade when using PSK
DTLS Server:
examples/server/server -v3 -u -s

DTLS Client:
examples/client/client -vd -g -u -s

TLS Server:
examples/server/server -v3 -s

TLS Client:
examples/client/client -vd -g -s

Support checking for DTLS1.2 Hello Verify Request when using PSK.

Unset options.tls1_3 when handling a DTLS1.2 Hello Verify Request.

Unset options.tls1_3 when handling a (D)TLS1.2 Server Hello to stop
checking of Encrypted Client Hello

Requires ./configure --enable-all --enable-dtls13

Add in tests for DTLS1.3 and TLS1.3 downgrade when using PSK.
2024-03-29 18:04:30 +00:00
Daniel Pouzzner
038be95a4a wolfssl/wolfcrypt/types.h: add WC_SAFE_SUM_WORD32().
src/internal.c: mitigations for potential integer overflows in figuring allocation sizes.
2024-03-29 11:45:11 -05:00
Daniel Pouzzner
3f3dd4743a Merge pull request #7365 from rizlik/ecc_cmp_param_cleanup
wc_ecc_cmp_param cleanup
2024-03-29 01:48:46 -04:00
Daniel Pouzzner
1caed2139b Merge pull request #7374 from gojimmypi/PR-Kyber-Init
Initialize some Kyber client variables
2024-03-29 01:44:56 -04:00
Daniel Pouzzner
7e8c0156fe Merge pull request #7325 from dgarske/zephyr
Improve Zephyr support
2024-03-29 00:57:55 -04:00
András Fekete
5b3772c5d2 Merge pull request #7377 from douzzer/20240328-multi-test-fixes
20240328-multi-test-fixes
2024-03-28 16:58:30 -04:00
David Garske
83dc3dfac1 Add support for the Infineon/Cypress HAL TRNG. 2024-03-28 13:57:26 -07:00
Daniel Pouzzner
58462840c1 src/ssl.c: add missing cast in wolfSSL_GetSessionFromCache(). 2024-03-28 15:14:19 -05:00
Jon Shallow
f2e6f49721 RPK: Define Certificates correctly for (D)TLS1.2
As per https://datatracker.ietf.org/doc/html/rfc7250#section-3 Figure 1,
the RPK is a single ASN.1_subjectPublicKeyInfo, whereas X509 certificates
etc. are transmitted as a certificate list (even if there is only 1).

This is for (D)TLS1.2 transfers, and this PR fixes this.

As per https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2 all
certificates (both RPK and Z509) are transferred using a certificate list.

Update examples client to support RPK certificates.

For testing:-
Server:
$ gnutls-serv --http --x509fmtder --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK --rawpkfile certs/server-keyPub.der --rawpkkeyfile certs/server-key.der

Client:
$ examples/client/client -g -p 5556 -c certs/client-keyPub.der -k certs/client-key.der --rpk --files-are-der
2024-03-28 17:58:02 +00:00
John Bland
7c0423eb65 reduce der buffer size 2024-03-28 12:56:26 -04:00
Daniel Pouzzner
7a283edd68 Merge pull request #7373 from bandi13/FixMultiTestWarning
Fix sanitizer complaint in multi-test script
2024-03-28 12:35:45 -04:00
gojimmypi
5bffbdb20c Initialize some Kyber client variables 2024-03-28 09:14:53 -07:00
Andras Fekete
4cb176ffff Fix sanitizer complaint 2024-03-28 11:44:12 -04:00
John Bland
6cc32e90b0 trim down buffer size 2024-03-28 03:01:46 -04:00
John Bland
254eb23443 add missing make call 2024-03-28 02:56:08 -04:00
John Bland
04db5baaa1 test wolfcrypt only 2024-03-28 02:56:08 -04:00
John Bland
6272465c44 use only one matrix index 2024-03-28 02:56:08 -04:00
John Bland
f63501f035 fix bad CFLAGS 2024-03-28 02:56:08 -04:00
John Bland
30189e5766 add autogen.sh to workflow 2024-03-28 02:56:08 -04:00
John Bland
71e52487bf add no malloc to main workflows file 2024-03-28 02:55:31 -04:00
John Bland
76ac4fa7e3 add github workflow to test no malloc 2024-03-28 02:54:49 -04:00
John Bland
9cd614fcac update rsa test to support no malloc 2024-03-28 02:54:49 -04:00
John Bland
4f51183b45 fix bad indenting 2024-03-28 02:54:49 -04:00
John Bland
305f87561d break out of loop on failure instead of return 2024-03-28 02:54:49 -04:00
John Bland
fb784a2ac9 more changes from PR comments 2024-03-28 02:54:49 -04:00
John Bland
0bd8775eae update based on PR comments 2024-03-28 02:54:49 -04:00
John Bland
d9d3f9a4f4 fix wc_MakeRsaKey and wc_RsaKeyToDer to work with
WOLFSSL_NO_MALLOC
2024-03-28 02:54:49 -04:00
Daniel Pouzzner
716870cbc2 Merge pull request #7370 from anhu/quickie
sizeof(oriType) ---> sizeof(asnDataOid)
2024-03-28 01:58:01 -04:00
Daniel Pouzzner
42a0cb23ac Merge pull request #7364 from gojimmypi/PR-Kyber-Init
Initialize some Kyber variables
2024-03-28 00:13:43 -04:00
Daniel Pouzzner
2f17b756b2 Merge pull request #7360 from rizlik/curl-ticket-nonce-malloc
configure.ac: enable ticket_nonce_malloc when using enable-curl
2024-03-27 23:58:21 -04:00
Daniel Pouzzner
98c912c3a0 Merge pull request #7359 from SparkiDev/asn1_test_bad_certs
ASN.1 testing: add tests of bad DER encodings
2024-03-27 23:55:57 -04:00
Daniel Pouzzner
0f6670a437 Merge pull request #7357 from kareem-wolfssl/gh7349
Fix potential division by zero in example server.
2024-03-27 23:52:55 -04:00
Daniel Pouzzner
ad74fb79ac Merge pull request #7354 from JacobBarthelmeh/ocsp-test
add ocsp test
2024-03-27 23:50:49 -04:00
Daniel Pouzzner
e8e3e9db43 Merge pull request #7285 from anhu/noMagic274
Get rid of magic number to size structs.
2024-03-27 23:43:28 -04:00
Daniel Pouzzner
f9b26d8c06 Merge pull request #7358 from bandi13/buildNewYoctoContainer
Build new yocto container
2024-03-27 23:41:46 -04:00
Daniel Pouzzner
708fd6003f Merge pull request #7320 from bandi13/addExtraToolsToDocker
More application dependencies
2024-03-27 23:39:41 -04:00
David Garske
2d7f9d1874 Support for Infineon Modus Toolbox with wolfSSL. 2024-03-27 15:37:50 -07:00
Anthony Hu
28a88d1c7c sizeof(oriType) ---> sizeof(asnDataOid) 2024-03-27 17:05:25 -04:00
Marco Oliverio
0a03940f5a wolfcrypt: wc_ecc_cmp_param: check string len before strncmp
also return -1 on param mismatch.
2024-03-26 14:59:41 +01:00
gojimmypi
01ae240fe8 Initialize some Kyber variables 2024-03-25 14:08:47 -07:00
Andras Fekete
22766578fc Add in powerpc cross compilation tools 2024-03-25 15:39:59 -04:00
gojimmypi
bf9775831f Improve wolfcrypt test NO_FILESYSTEM checks 2024-03-22 13:00:25 -07:00
Marco Oliverio
91ab6cafe0 configure.ac: enable ticket_nonce_malloc when using enable-curl
To support new session ticket nonce longer than MAX_TICKET_NONCE_STATIC_SZ. If
`--disable-ticket-nonce-malloc` is explicitly specified, the feature is not
enabled even if `--enable-curl` is specified.
2024-03-22 11:46:22 +01:00
Sean Parkinson
d4b1995a2c ASN.1 testing: add tests of bad DER encodings
Certificates with bad DER encoded ASN.1 added to testing.
Fix comment in asn.c.
2024-03-22 08:51:17 +10:00
Andras Fekete
0abb381497 Use official repo to build 2024-03-21 16:31:48 -04:00
Kareem
d867405ffb Fix floating point comparison. 2024-03-20 16:03:43 -07:00
Kareem
4d4f4e3f30 Fix potential division by zero in example server. 2024-03-20 15:48:46 -07:00
David Garske
8970ff4c34 Merge pull request #7355 from JacobBarthelmeh/release
prepare for release 5.7.0
2024-03-20 14:39:57 -07:00
JacobBarthelmeh
85601311a2 rework library versioning 2024-03-21 04:02:28 +07:00
David Garske
b8bebd6196 Fixes for ARM/Intel ASM support. 2024-03-20 13:14:05 -07:00
JacobBarthelmeh
e20ddc35b0 update version for CMake 2024-03-21 03:05:34 +07:00
JacobBarthelmeh
e80deece82 adjust ChangeLog text 2024-03-21 00:18:44 +07:00
JacobBarthelmeh
e5914effab prepare for release 5.7.0 2024-03-20 19:32:22 +07:00
JacobBarthelmeh
5884f75cbe add ocsp test 2024-03-20 03:01:43 +07:00
JacobBarthelmeh
3129e29a19 Merge pull request #7353 from ejohnstown/ocsp-ext
OCSP Extension Encoding Fix
2024-03-20 03:00:27 +07:00
John Safranek
6462986bf2 OCSP Extension Encoding Fix
1. Removed redundant check for the output being NULL in
   `EncodeOcspRequestExtensions()`. The chuck of code being protected
   only cared about the value of ret, not the pointer. The code was
   supposed to calculate the size of the data without writing it.
2024-03-19 09:13:28 -07:00
Andras Fekete
5e45bb4d25 Using PR version 2024-03-19 11:53:03 -04:00
David Garske
face8b6e43 Experimental support for Intel and ARM ASM with Zephyr. Related to issue #7116. 2024-03-18 13:40:10 -07:00
Andras Fekete
9bddddb952 First test build on 2024-03-06 2024-03-18 16:32:24 -04:00
JacobBarthelmeh
489a79ad8b CID 347893 set test cert manager to null after free 2024-03-19 02:59:06 +07:00
JacobBarthelmeh
228544c31e CID 327280 use after free in test case 2024-03-19 02:44:45 +07:00
JacobBarthelmeh
1926e045f3 Merge pull request #7351 from douzzer/20240318-linuxkm-lkcapi-register-yes
20240318-linuxkm-lkcapi-register-yes
2024-03-19 02:33:12 +07:00
David Garske
790e39ec03 Merge pull request #7350 from JacobBarthelmeh/scan_build_fix
scan-build fixes for pkcs7
2024-03-18 12:31:00 -07:00
Daniel Pouzzner
a14edf3614 configure.ac: for --enable-linuxkm-lkcapi-register, remap "yes" to "all"; in output config summary, add ENABLED_LINUXKM_LKCAPI_REGISTER, and move ENABLED_EXPERIMENTAL and ENABLED_LINUXKM_BENCHMARKS to the "Features" section. 2024-03-18 13:52:06 -05:00
JacobBarthelmeh
d51bef3d43 fix for memory leak on error 2024-03-19 00:58:32 +07:00
JacobBarthelmeh
b9619c3f0b Merge pull request #7343 from douzzer/20240315-pq-experimental
20240315-pq-experimental
2024-03-19 00:54:56 +07:00
David Garske
50b1044c2f Merge pull request #7347 from JacobBarthelmeh/coverity2
Coverity Fixes QUIC
2024-03-18 09:04:09 -07:00
JacobBarthelmeh
4751af9b89 scan-build fixes for pkcs7 2024-03-18 22:55:51 +07:00
Andras Fekete
42091b8970 Normally these tests take 3 minutes, but sometimes they take much longer 2024-03-18 11:22:03 -04:00
Andras Fekete
74d7696e69 More application dependencies 2024-03-18 11:21:24 -04:00
David Garske
ffb43d0150 Merge pull request #7348 from JacobBarthelmeh/coverity3
Coverity fixes
2024-03-18 08:20:31 -07:00
David Garske
69bc5c1c19 Merge pull request #7345 from JacobBarthelmeh/coverity
Coverity fixes
2024-03-18 08:15:59 -07:00
David Garske
03e306a98f Add include for project for cases when a custom user_settings.h file is used. Tested support with PSA. 2024-03-18 08:14:40 -07:00
David Garske
85c22abe4e Fix for Zephyr TimeNowInMilliseconds. Resolves issue with TLS v1.3 server and session tickets time (uptime in sim < 1000 ms was being made 0). 2024-03-18 08:14:40 -07:00
David Garske
737fa53636 Improve Zephyr support. Cleanup user_settings.h mess. Add FIPS support. 2024-03-18 08:14:40 -07:00
JacobBarthelmeh
dd6db025e3 add parenthesis around define value 2024-03-18 21:13:42 +07:00
JacobBarthelmeh
36e67af0f8 Merge pull request #7331 from SparkiDev/asn1_templ_issuer_cn
ASN.1 template: store issuer common name
2024-03-18 20:27:04 +07:00
JacobBarthelmeh
d6b4b27cd1 CID 299893 out of bounds read with XMEMCMP 2024-03-18 16:42:15 +07:00
JacobBarthelmeh
44f3e4a3b7 CID 337219 allocation using untrusted size 2024-03-18 16:04:37 +07:00
JacobBarthelmeh
635d326812 CID 337232 sanity check on tainted scalar 2024-03-18 15:03:04 +07:00
JacobBarthelmeh
be233fc805 Merge pull request #7346 from SparkiDev/regression_fixes_11
Regression test fixes
2024-03-18 14:29:44 +07:00
Sean Parkinson
638d0b1a9f Regression test fixes
pkcs7.c: pkcs7->stream must be restored or there will be a leak.
test.c: when compiled for compression, compiler warning about const
2024-03-18 09:57:22 +10:00
Sean Parkinson
84c42f4a4e ASN.1 template: store issuer common name
Under certain configurations the certificate issuer's common name is
kept in a DecodedCert. Wasn't implemented in ASN.1 template code.
2024-03-18 07:06:32 +10:00
JacobBarthelmeh
763c4a074c CID 315823 truncate on cast 2024-03-17 23:54:56 +07:00
JacobBarthelmeh
d71776aced coverity CID 352930, fix for out of bounds write 2024-03-17 23:31:37 +07:00
David Garske
abd7449f27 Merge pull request #7340 from JacobBarthelmeh/github_tests
workaround for Ubuntu runner, high entropy + ASLR
2024-03-17 08:56:50 -07:00
JacobBarthelmeh
5106cb16e2 workaround for llvm version and ASLR issue 2024-03-17 22:22:16 +07:00
David Garske
99dd8a333d Merge pull request #7342 from JacobBarthelmeh/testing1
revert null check in wc_Sha256Update
2024-03-15 14:24:45 -07:00
Daniel Pouzzner
924887b468 configure.ac and wolfssl/wolfcrypt/settings.h: implement --enable-experimental and add a WOLFSSL_EXPERIMENTAL_SETTINGS gate, and refactor "EXPERIMENTAL" features (all pq) to note and enforce requirement for --enable-experimental and WOLFSSL_EXPERIMENTAL_SETTINGS. 2024-03-15 16:15:26 -05:00
Daniel Pouzzner
3728cd3dc5 Kyber fixes:
wolfssl/wolfcrypt/wc_kyber.h: in definition of struct KyberKey, use correct type for devId;

wolfcrypt/src/wc_kyber_poly.c: numerous fixes for bugprone-macro-parentheses and readability-inconsistent-declaration-parameter-name;

tests/api.c: in test_tls13_apis(), add missing defined(HAVE_LIBOQS) gate on inclusion of ":P256_KYBER_LEVEL1" in groupList.
2024-03-15 16:06:32 -05:00
JacobBarthelmeh
5a5648a6ac Merge pull request #7341 from dgarske/psk_openssl
Fix for PSK callback with OPENSSL_EXTRA to correctly handle the 0 length
2024-03-16 02:22:24 +07:00
JacobBarthelmeh
ab8f5f71a0 revert null check in wc_Sha256Update 2024-03-16 02:03:07 +07:00
JacobBarthelmeh
2f43cc1c7b Merge pull request #7332 from SparkiDev/asn_templ_neg_int_check
ASN.1 parsing: check for badly encode negative INTEGER
2024-03-15 22:40:55 +07:00
David Garske
8d1714a307 Fix for PSK callback with OPENSSL_EXTRA to correctly handle the 0 length case. Thank you @miyazakh. Broken in #7302 2024-03-15 08:09:59 -07:00
JacobBarthelmeh
81c5cf794c Merge pull request #7339 from SparkiDev/regression_fixes_10
Regression testing fixes
2024-03-15 19:29:26 +07:00
Sean Parkinson
d1b16f2c7b Regression testing fixes
api.c: z and ret no longer only when !NO_ASN_TIME.
benchmark.c: rsaKey array type has changed and unusual code path needsed
updating.
cmac.c: Zeroization test failed when checkSz was zero as called function
didn't zero out cmac. checkSz is invalid.
test.c: rsaCaCertDerFile used even when NO_ASN_TIME.
test.h: --enable-sp-math only supports DH of 2048 bits and above. Change
default DH parameters to be 2048 bits.
2024-03-15 13:24:40 +10:00
Sean Parkinson
8684caa304 Merge pull request #7336 from douzzer/20240314-fix-armasm-sha256
20240314 -- fix -Wconversions in asn.c
2024-03-15 10:37:14 +10:00
Daniel Pouzzner
e3fc43c3d6 Merge pull request #7338 from SparkiDev/sha256_armv8_transform
SHA256 ARMv8: fix wc_Sha256Transform
2024-03-14 19:48:38 -04:00
Daniel Pouzzner
25efe6b66a wolfcrypt/src/asn.c: fix -Wconversions in GetASN_BitString(), GetASN_UTF8String(), and GetASN_ObjectId(). 2024-03-14 18:42:50 -05:00
Sean Parkinson
a0befd396f SHA256 ARMv8: fix wc_Sha256Transform
wc_Sha256Transform() was passing in data to underlying transform
function even though byte reversed data was in sha256->buffer.
2024-03-15 09:27:15 +10:00
David Garske
b7b6752e2e Merge pull request #7333 from gojimmypi/PR-tfm-mp_sqr
Enable TFM mp_sqr even when HAVE_ECC disabled
2024-03-14 12:45:09 -07:00
David Garske
36eec68571 Cleanup DES3 TLS descriptions and macro names. 2024-03-14 10:34:38 -07:00
David Garske
5dff8aa417 Merge pull request #7334 from SparkiDev/macosx_clang_15_asm_fix
MacOS X Intel ASM clang 15: fix asm to compile without warning
2024-03-14 10:10:42 -07:00
David Garske
8fd8548142 Merge pull request #7318 from SparkiDev/kyber_1
Kyber: Implementation in wolfSSL
2024-03-14 09:57:52 -07:00
JacobBarthelmeh
88370d8c3e Merge pull request #7277 from embhorn/readme_folders
Add directory layout to readme.
2024-03-14 19:09:12 +07:00
Daniel Pouzzner
3fd6af0cd2 Merge pull request #7283 from SparkiDev/lms
LMS: initial implementation
2024-03-14 01:48:57 -04:00
Sean Parkinson
3ba5dd3e6d MacOS X Intel ASM clang 15: fix asm to compile without warning
Don't use align when __APPLE__ is defined.
Make minimum alignment on variables in ASM 8 bytes (.p2align 3).

Fix x86 builds with ASM.
2024-03-14 11:42:12 +10:00
gojimmypi
bebfb120d7 Enable TFM mp_sqr even when HAVE_ECC disabled 2024-03-13 16:36:30 -07:00
Sean Parkinson
25b2c664f4 Kyber: Implementation in wolfSSL
Put Kyber implementation into wolfSSL.
2024-03-14 09:14:50 +10:00
Sean Parkinson
40681226aa ASN.1 parsing: check for badly encode negative INTEGER
When encoding a negative number, when the first byte is 0xff then the
next byte can't have top bit set.
2024-03-14 09:01:22 +10:00
David Garske
448378ce90 Merge pull request #7306 from SparkiDev/asn1_validate_fix_1
ASN.1 template: validate UTF8STRING and OBJECT IDENTIFER data
2024-03-13 15:23:02 -07:00
David Garske
924c0fd911 Merge pull request #7329 from gojimmypi/PR-Arduino-Build
Ignore build file warnings for Arduino; Update examples
2024-03-13 14:59:07 -07:00
David Garske
6f65d6749a Merge pull request #7321 from JacobBarthelmeh/vcpkg
fix for warning of no stdint.h include with uintptr_t
2024-03-13 14:43:47 -07:00
David Garske
c8bc74b232 Merge pull request #7324 from JacobBarthelmeh/sm2_bench
Sm2 benchmark build fix
2024-03-13 14:43:30 -07:00
gojimmypi
9057e8120d Ignore build file warnings for Arduino, update examples 2024-03-13 12:24:00 -07:00
JacobBarthelmeh
9f240bb34c fix for warning of no stdint.h include with uintptr_t 2024-03-14 00:38:02 +07:00
JacobBarthelmeh
ff14aa20a6 fix for benchmark build with sm4-gcm 2024-03-14 00:05:43 +07:00
JacobBarthelmeh
5c3b929d90 fix for benchmark build with sm2 2024-03-14 00:05:43 +07:00
JacobBarthelmeh
1e054b9613 Merge pull request #7302 from dgarske/pk_psk
Support for Public Key (PK) callbacks with PSK
2024-03-14 00:02:23 +07:00
David Garske
d2fd937075 Merge pull request #7328 from bandi13/disableLibSSH2Test
Disable broken library
2024-03-12 15:26:44 -07:00
Andras Fekete
ce52a68c3d Disable broken library
The tests on the libssh2 repo are also failing for the same reason
2024-03-12 17:04:20 -04:00
Sean Parkinson
084338dde7 ASN Template: GetASN_UTF8String optional
Allow UTF8String checking to be disabled with WOLFSSL_NO_ASN_STRICT.
2024-03-12 09:59:51 +10:00
David Garske
5dba7d3975 Merge pull request #7280 from Frauschi/pqc_kyber_fix
Fix for PQC enabled handshake
2024-03-11 09:26:13 -07:00
David Garske
bd20640e58 Merge pull request #7312 from philljj/zd17621
Handle failed alloc in TLSX_Write.
2024-03-09 15:20:50 -08:00
Fabian Keil
5d418d67b0 Allow to enable DES3 support without the DES3 ciphers
DES3 support is required to use PBES2-3DES-CBC-encoded keys
but also enabling the DES3 ciphers may be undesirable.
When using Privoxy it results in a "Bad" rating at sites like
https://www.howsmyssl.com/ due to the Sweet32 attack.
2024-03-09 12:22:44 +01:00
jordan
0e15a2e83a Handle failed alloc in TLSX_Write. 2024-03-08 22:56:27 -06:00
David Garske
0c40fb5c5f Merge pull request #7299 from SparkiDev/siphash_asm_fix_2
Siphash: x64 asm fix
2024-03-08 13:15:44 -08:00
David Garske
9fadcb2edc Merge pull request #7307 from bandi13/fixNightlyCrossworks
Fix nightly crossworks
2024-03-08 13:12:53 -08:00
David Garske
8298019a85 Merge pull request #7308 from bandi13/fixNightlySGX
Missing functions
2024-03-08 13:12:30 -08:00
David Garske
83cddc76ce Merge pull request #7309 from bandi13/fixNightlyG++
Missing cast to avoid warning
2024-03-08 13:12:09 -08:00
David Garske
b5633f9cea Merge pull request #7310 from gojimmypi/PR-Revert-Breadcrumbs
Revert some debug breadcrumbs in #7304
2024-03-08 13:06:41 -08:00
David Garske
11303ab796 Support for Public Key (PK) callbacks with PSK in TLS v1.2 and TLS v1.3 (client and server). ZD 17383 2024-03-08 12:21:06 -08:00
gojimmypi
56f3c93272 Revert per https://github.com/wolfSSL/wolfssl/pull/7304#pullrequestreview-1925571495 2024-03-08 12:05:54 -08:00
Andras Fekete
082397adda Missing cast to avoid warning 2024-03-08 14:46:17 -05:00
Andras Fekete
b17db818ce Missing functions
Compilation fails with "undefined reference to `sp_cmp'" etc.
2024-03-08 14:04:35 -05:00
Andras Fekete
98f8329bf2 Add indentation for legibility 2024-03-08 11:49:38 -05:00
Andras Fekete
8fcb007301 Missing gating for netdb.h includes 2024-03-08 11:46:49 -05:00
Sean Parkinson
5daf5fff86 Merge pull request #7272 from JacobBarthelmeh/pkcs7-enc
IO callbacks for content and output with PKCS7 bundle sign/encrypt
2024-03-08 07:18:11 +10:00
Sean Parkinson
28e8228744 Merge pull request #7304 from gojimmypi/PR-Arduino-Logging
Update Arduino examples: 32KB TLS Client/Server; Add wolfcrypt breadcrumbs.
2024-03-08 07:12:01 +10:00
JacobBarthelmeh
c24b187a88 fixes for clang-tidy warnings 2024-03-08 01:54:37 +07:00
JacobBarthelmeh
a07d92d3d3 refactoring and fixes for new PKCS7 stream code 2024-03-07 21:30:42 +07:00
Sean Parkinson
c568e3c092 Merge pull request #7067 from gojimmypi/PR-Espressif-Monitor-Keyword
Introduce WOLFSSL_ESPIDF_EXIT_MESSAGE macro
2024-03-07 21:57:19 +10:00
Sean Parkinson
77a77a9a9d Merge pull request #7296 from JacobBarthelmeh/autosar
initial AutoSAR shim layer
2024-03-07 21:55:50 +10:00
gojimmypi
38d5eec445 Introduce WOLFSSL_ESPIDF_EXIT_MESSAGE macro (+code review edits) 2024-03-07 00:44:11 -08:00
Sean Parkinson
faea635ee2 ASN.1 template: validate UTF8STRING and OBJECT IDENTIFER data
Check the data of UTF8STRING and OBJECT IDENTIFIER to ensure it is
properly encoded.
2024-03-07 18:01:16 +10:00
Sean Parkinson
6c8df33191 LMS: initial implementation
Initial wolfSSL implementation of LMS.
Changed LMS benchmarking to time making a key and reloading.
SHA-256:
  Added wc_Sha256HashBlock to make hashing a block fast.
Fixed assembly code to be able to hash a block from an external
buffer.
  Simplified code were possible.
Moved byte reversal decision logic to one place instead of replicating
length checks.
2024-03-07 11:43:16 +10:00
Sean Parkinson
f011012d8e Merge pull request #7300 from bandi13/codeSonarFixes
Code sonar fixes
2024-03-07 10:17:06 +10:00
Sean Parkinson
b7c36fa603 Merge pull request #7305 from embhorn/zd17629
Fix leak in wolfSSL_X509_STORE_CTX_get_chain
2024-03-07 10:16:44 +10:00
gojimmypi
e40eb3c774 Update Arduino examples; add wolfcrypt breadcrumbs. 2024-03-06 15:13:37 -08:00
Eric Blankenhorn
a0a9680325 Fix leak in wolfSSL_X509_STORE_CTX_get_chain 2024-03-06 15:13:38 -06:00
lealem47
39ad67607e Merge pull request #7240 from gojimmypi/PR-wolfssl_client_ESP8266
Update TLS client example for Espressif ESP8266
2024-03-06 13:18:28 -07:00
Fernando Oleo Blanco
79235a4698 [Ada] Initial library support 2024-03-06 20:20:55 +01:00
David Garske
21b82a20d5 Merge pull request #7301 from SparkiDev/thumb2_aes_key_align_fix
Thumb2 AES ASM: don't assume alignment on key
2024-03-06 09:47:38 -08:00
JacobBarthelmeh
ea9dfecc79 make rng global and get version from LIBWOLFSSL_VERSION_HEX 2024-03-06 17:52:31 +07:00
Sean Parkinson
5408118582 Merge pull request #7298 from douzzer/20240304-wolfcrypttest-fixes
20240304-wolfcrypttest-fixes
2024-03-06 14:51:23 +10:00
Daniel Pouzzner
321a72c906 misc fixes:
wolfcrypt/test/test.c: fix gating for verify4 in scrypt_test(), and fix WOLFSSL_SMALL_STACK -Wframe-larger-than=2048 warnings in sha256_test() and sha512_test().

src/ssl.c: fix for true-but-benign nullPointerRedundantCheck in ProcessBufferTryDecodeEd25519().

tests/api.c: fix for -Wmaybe-uninitialized in test_wc_PKCS7_VerifySignedData_RSA() identified via cross-m68k-all-asm.
2024-03-05 17:44:33 -06:00
Sean Parkinson
d057f10d58 Thumb2 AES ASM: don't assume alignment on key
Fix AES_set_encrypt_key to not assume a word alignment on key.
2024-03-06 08:50:21 +10:00
Sean Parkinson
86b663d67e Siphash: x64 asm fix
Make gcc-8 compiled code work.
2024-03-05 22:23:20 +10:00
JacobBarthelmeh
11c9035a62 misc fixes and correct name for test file 2024-03-05 18:31:42 +07:00
Sean Parkinson
ee39a8f17f Merge pull request #7262 from gojimmypi/PR-SHA-Interleave
Introduce SHA256/SHA512 interleave testing, HAVE_DSA; revised ERROR_OUT
2024-03-05 10:13:10 +10:00
Sean Parkinson
39002d82b4 Merge pull request #7294 from douzzer/20240301-wolfSSL_Init-identicalInnerCondition
20240301-wolfSSL_Init-identicalInnerCondition
2024-03-05 09:01:51 +10:00
Sean Parkinson
61749a0171 Merge pull request #7287 from JacobBarthelmeh/pkcs7_verify_stream
PKCS7 checking trailing 0's on indef with verify
2024-03-05 08:20:16 +10:00
Sean Parkinson
30366a9c03 Merge pull request #7293 from douzzer/20240301-linuxkm-leak-and-small-stack-fixes
20240301-linuxkm-leak-and-small-stack-fixes
2024-03-05 08:17:51 +10:00
Sean Parkinson
ee3aff1258 Merge pull request #7291 from dgarske/armasm_thumb_gcmsmall
Thumb2 AES GCM support for GCM_SMALL
2024-03-05 06:58:47 +10:00
Andras Fekete
717a32808f Fix missing include 2024-03-04 10:24:32 -05:00
JacobBarthelmeh
089e57371f remove a hard tab 2024-03-04 08:10:41 -07:00
Jacob Barthelmeh
b42a8b6c5d initial AutoSAR shim layer 2024-03-04 07:51:00 -07:00
Andras Fekete
d81a08a03b Catch error return code and remove redundant condition 2024-03-04 09:48:31 -05:00
JacobBarthelmeh
2708062d39 add sanity check for null buffer after malloc in test case 2024-03-04 07:33:21 -07:00
JacobBarthelmeh
f05e47bc09 length of characters and extra sanity check on input 2024-03-04 07:05:07 -07:00
JacobBarthelmeh
66f419bd18 add user ctx to stream IO callbacks 2024-03-04 06:00:07 -07:00
Daniel Pouzzner
88f07773d2 Merge pull request #7224 from mpsuzuki/pkg-config-static-link
Add "Libs.private: -m" to wolfssl.pc.in for a static linking
2024-03-01 19:24:05 -05:00
Daniel Pouzzner
7fbb209684 ssl.c: in wolfSSL_Init(), fix cppcheck identicalInnerCondition warning on non-FIPS configurations. 2024-03-01 17:54:55 -06:00
Daniel Pouzzner
efda4b5435 Merge pull request #7290 from lealem47/define_ssleay_version
Define SSLEAY_VERSION in wolfssl/openssl/crypto.h
2024-03-01 18:44:24 -05:00
Daniel Pouzzner
a59080a858 Merge pull request #7288 from bandi13/fixNETDB_H
Move netdb.h and ioctl.h into wolfio.c
2024-03-01 18:36:18 -05:00
Eric Blankenhorn
cf733c306c Merge pull request #7284 from douzzer/20240229-mutex-initializer-global-refactor
20240229-mutex-initializer-global-refactor
2024-03-01 16:43:10 -06:00
Zackery
4a167e9834 Merge pull request #7292 from bandi13/addMeta-WolfsslToBuild
This will force building of dependencies in the container
2024-03-01 15:14:24 -07:00
Daniel Pouzzner
b1edb08119 linuxkm/linuxkm_wc_port.h:
* fix WC_LINUXKM_ROUND_UP_P_OF_2() to not round up values that are already powers of 2, nor values larger than 8192.

linuxkm/lkcapi_glue.c:
* fix gating on km_AesSetKeyCommon().
* small stack refactors of Aes objects in self-test routines.
* change kmalloc/free to malloc/free in self-test routines.
* fix error-path "return"s to "goto exit"s in self-test routines.
* fix memory leak around large_input in aes_xts_128_test().

wolfcrypt/benchmark/benchmark.c:
* smallstack refactors in bench_chacha() and bench_chacha20_poly1305_aead().
* add error handling in bench_chacha().

wolfcrypt/src/chacha20_poly1305.c: smallstack refactor for wc_ChaCha20Poly1305_Encrypt() and wc_ChaCha20Poly1305_Decrypt().
2024-03-01 14:55:49 -06:00
Andras Fekete
4270f8cda3 This will force building of dependencies in the container
Fewer things to compile in subsequent tests
2024-03-01 15:21:46 -05:00
David Garske
7c836c8371 Thumb2 AES GCM support for GCM_SMALL. ZD 17225 2024-03-01 11:10:21 -08:00
Lealem Amedie
86966f62c7 Define SSLEAY_VERSION in wolfssl/openssl/crypto.h 2024-03-01 11:24:56 -07:00
JacobBarthelmeh
065bfb0172 add new test file to make dist 2024-03-02 00:12:01 +07:00
Andras Fekete
897a8419c1 Move netdb.h and ioctl.h into wolfio.c 2024-03-01 11:59:02 -05:00
JacobBarthelmeh
90b28b5cef add test case for verify of stream signed PKCS7 bundle 2024-03-01 23:43:46 +07:00
JacobBarthelmeh
05138154a9 check trailing 0's in signeeds check case 2024-03-01 22:57:10 +07:00
JacobBarthelmeh
95eb17944c Merge pull request #6961 from TakayukiMatsuo/pkcs7
Add streaming support for PKCS7_VerifySignedData.
2024-03-01 22:38:07 +07:00
JacobBarthelmeh
fbf1b783da initialize value to resolve warning 2024-03-01 21:39:27 +07:00
JacobBarthelmeh
c32d9c826c fix for check on hash with ECDSAk case 2024-03-01 21:14:15 +07:00
Daniel Pouzzner
52f003f5fc Merge pull request #7281 from philljj/zd17416
Fix Coverity issues.
2024-03-01 02:41:48 -05:00
Daniel Pouzzner
67d4019058 Merge pull request #7270 from philljj/zd17560
Fix dataASN null pointer dereference in asn.c.
2024-03-01 01:53:55 -05:00
Daniel Pouzzner
d1e62b3ff2 Merge pull request #7282 from SparkiDev/pqcrypto_fix_1
ASN PQC: fix typo
2024-03-01 01:40:04 -05:00
Daniel Pouzzner
03f9b210d7 Merge pull request #7279 from SparkiDev/ssl_priv_load_fail
SSL: Loading bad private key
2024-03-01 01:35:50 -05:00
Anthony Hu
032a0405e4 Get rid of magic number to size structs. 2024-02-29 15:23:48 -05:00
jordan
b3c276bf0b Fix wc_SetExtKeyUsageOID buffer warning: update size of oid. 2024-02-29 13:17:31 -06:00
Daniel Pouzzner
dfbde4514b global refactor of static mutex initialization to use WOLFSSL_MUTEX_INITIALIZER, and adjustment of WOLFSSL_MUTEX_INITIALIZER macro to take an argument, for Linux kernel compatibility. 2024-02-29 02:11:32 -06:00
Sean Parkinson
90baf1aadc ASN PQC: fix typo
Replace semicolon with comma.
2024-02-29 07:46:22 +10:00
jordan
c24add5da9 Fix dataASN null pointer dereference in asn.c. 2024-02-28 15:37:55 -06:00
Sean Parkinson
9addb3e45d SSL: Change other ProcessBufferTryDecode*()
Ed448, Falcon and Dilithium changed to return 0 when key format is 0.
2024-02-29 07:37:41 +10:00
jordan
1768b03ecd Fix wc_SetExtKeyUsageOID buffer warning. 2024-02-28 11:13:33 -06:00
Tobias Frauenschläger
403fcc5a4b Fix for PQC enabled handshake
When PQC Kyber support is enabled, incoming KeyShare messages are tested
regarding the named group is a PQC Kyber group (pure or hybrid). The
boundaries of this test are way too loose (large gap between the pure
ones and the hybrid ones). This could result in failing handshakes in
case a client uses GREASE (Generate Random Extensions And Sustain
Extensibility), as there group numbers in the large gap are used.

The fix is just to make sure that the PQC test uses the two small
boundaries of the PQC named groups.

The lower bound for the hybrid groups has also been updated to reflect
the current OQS definition.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-02-28 17:52:38 +01:00
Sean Parkinson
b53cc0e98c SSL: Loading bad private key
Fix ProcessBufferTryDecodeRsa and ProcessBufferTryDecodeEcc to only
clear error when key format isn't known.
2024-02-28 21:47:45 +10:00
JacobBarthelmeh
8a6c6ebfd5 add guard around public key validation on import 2024-02-28 13:48:58 +07:00
Daniel Pouzzner
6500444b26 Merge pull request #7072 from farazrbx/rbx
PlayStation compatibility
2024-02-28 00:52:01 -05:00
Daniel Pouzzner
daf43cd04f Merge pull request #7260 from kosmas-valianos/missingConst
Add const in the list of wolfSSL_CTX_set1_groups_list() and wolfSSL_set1_groups_list()
2024-02-28 00:28:37 -05:00
Daniel Pouzzner
af31fbc840 Merge pull request #7271 from bigbrett/cryptocb-random-wctestfix
add full support to wolfcrypt tests for random.c cryptocbs
2024-02-27 19:57:46 -05:00
Daniel Pouzzner
e64a26d6ae Merge pull request #7274 from SKlimaRA/SKlimaRA/fix-embos-heap-allocation-macros
fixed XMALLOC, XFREE and XREALLOC definitions for embOS
2024-02-27 17:29:10 -05:00
Faraz Fallahi
3c6651e1e2 PlayStation compatibility 2024-02-27 12:28:31 -08:00
Eric Blankenhorn
26c5c6f93c Add directory layout to readme. 2024-02-27 12:07:28 -06:00
Brett Nicholas
55421a11b9 review: removed WOLFSSL_ABI from and refactored args for wc_rng_new_ex, updated tests 2024-02-27 10:17:24 -07:00
Stanislav Klima
c5a5acd26f code review changes 2024-02-27 15:58:12 +01:00
Stanislav Klima
34b4066d2f fixed XMALLOC, XFREE and XREALLOC definitions for embOS 2024-02-27 14:47:39 +01:00
TakayukiMatsuo
eeda0caeb9 Add streaming support for PKCS7_VerifySignedData. 2024-02-27 15:04:32 +09:00
JacobBarthelmeh
9eac8cb41f add a test case 2024-02-26 09:44:23 -07:00
JacobBarthelmeh
2044d6b7dd add callbacks for PKCS7 streaming input and output 2024-02-26 08:28:12 -07:00
JacobBarthelmeh
10740abf9b warning fix for small PSK build 2024-02-26 15:28:28 +07:00
gojimmypi
0775baa2e1 Introduce SHA256/SHA512 interleave, HAVE_DSA; revised ERROR_OUT, cleanup 2024-02-23 17:52:20 -08:00
David Garske
a77c6d1fa0 Merge pull request #7269 from JacobBarthelmeh/cryptocb
add support for crypto cb only with ECC and CAAM
2024-02-23 13:19:32 -08:00
Brett Nicholas
1a5064cf8c add full support to wolfcrypt tests for random.c cryptocbs 2024-02-23 13:02:05 -07:00
JacobBarthelmeh
2f6cd765f1 revert some macro guards for support with sp math 2024-02-24 01:07:05 +07:00
JacobBarthelmeh
aa444c1b2c Merge pull request #7268 from dgarske/bench_fixes
Fixes for benchmark with small stack (RSA was being skipped)
2024-02-23 23:24:55 +07:00
JacobBarthelmeh
2364b699ff add support for crypto cb only with ECC and CAAM 2024-02-23 08:09:19 -08:00
Daniel Pouzzner
06469a43bc wolfcrypt/benchmark/benchmark.c:
* remove redundant nullness checks covered by WC_ALLOC_VAR() via WC_ALLOC_DO_ON_FAILURE();
* add "exit:" logic to bench_sm4_gcm();
* add missing WC_ALLOC_VAR() in bench_sm4_ccm();
* fix early return in bench_ed448KeySign().
2024-02-23 01:07:26 -06:00
David Garske
4055b0d832 Fix for some variable null checks that are not needed. 2024-02-22 16:28:15 -08:00
David Garske
cd0301fc66 Fixes for benchmark with small stack (RSA was being skipped). Added Thumb2 benchmarks for STM32H753. 2024-02-22 14:56:51 -08:00
JacobBarthelmeh
8a68e6aaa1 Merge pull request #7266 from bandi13/addYoctoDocker
Add in files for yocto build environment
2024-02-22 19:30:36 +07:00
JacobBarthelmeh
6f281d7e72 Merge pull request #7267 from douzzer/20240221-reproducible-build-tweaks
20240221-reproducible-build-tweaks
2024-02-22 19:28:12 +07:00
JacobBarthelmeh
162d4dc483 Merge pull request #7264 from bandi13/dockerFixes
Add in missing dependency for nightly-sp-test
2024-02-22 19:11:07 +07:00
Daniel Pouzzner
f1afa7eaff Merge pull request #7265 from embhorn/zd17547
Fix order of check for OPENSSL_EXTRA
2024-02-21 20:25:54 -05:00
Daniel Pouzzner
9e4887bcf4 configure.ac: fix --enable-reproducible-build using -g0 -ffile-prefix-map=... -Wl,--build-id=none. these fixes stabilize the hash of libwolfssl with respect to source and build directory, previously broken for out-of-tree builds. 2024-02-21 16:36:29 -06:00
Andras Fekete
e74d3e126e Add in files for yocto build environment 2024-02-21 16:49:35 -05:00
Andras Fekete
2ee47eac4d Add in missing dependency for nightly-sp-test 2024-02-21 16:16:26 -05:00
Eric Blankenhorn
3ad836ab47 Fix order of check for OPENSSL_EXTRA 2024-02-21 15:09:13 -06:00
Sean Parkinson
d027b305ab Merge pull request #7257 from philljj/zd17540
Fix unchecked ge448_scalarmult_base return value.
2024-02-22 07:05:09 +10:00
JacobBarthelmeh
88e7d47930 Merge pull request #7230 from anhu/tests_gating
Fixup some gating in the tests.
2024-02-22 01:24:55 +07:00
jordan
5aa06c26ff Fix unchecked ge448_scalarmult_base return value. 2024-02-21 08:40:38 -06:00
Anthony Hu
00c3f5be2e A fixup 2024-02-20 21:50:03 -05:00
JacobBarthelmeh
fd2b80ec22 Merge pull request #7245 from julek-wolfssl/transient-certs
Implement transient certs
2024-02-20 22:48:19 +07:00
Juliusz Sosinowicz
09de233fc0 Add dox for new API 2024-02-20 14:42:58 +01:00
Juliusz Sosinowicz
aa19d8221e Add test forcing caTable cleanup during active connections 2024-02-20 14:33:36 +01:00
Juliusz Sosinowicz
4caef93346 Implement transient certs
Add wolfSSL_CertManagerUnloadIntermediateCerts API to clear intermediate certs added to store.
2024-02-20 14:33:36 +01:00
Kosmas Valianos
73a6935386 Add const in the list of wolfSSL_CTX_set1_groups_list() and wolfSSL_set1_groups_list()
aligning with the wolfSSL_CTX_set1_sigalgs_list()/wolfSSL_set1_sigalgs_list() API
2024-02-20 09:14:39 +01:00
Sean Parkinson
af2b2dddb4 Merge pull request #7253 from julek-wolfssl/zd/17507
wc_ecc_shared_secret_ssh fix
2024-02-20 06:56:28 +10:00
JacobBarthelmeh
757fcbcc25 Merge pull request #7236 from julek-wolfssl/get-sig-nid
Implement SSL_get_peer_signature_nid and SSL_get_peer_signature_type_nid
2024-02-20 02:46:37 +07:00
JacobBarthelmeh
565a4e6773 Merge pull request #7256 from douzzer/20240217-fixes
20240217-fixes
2024-02-20 01:54:32 +07:00
Daniel Pouzzner
8d894fb01b wolfssl/wolfcrypt/types.h: add WC_ARRAY_ARG() and WC_HEAP_ARRAY_ARG() constructors, for passing arrays declared by WC_DECLARE_ARRAY() and WC_DECLARE_HEAP_ARRAY(). used this to refactor bench_rsa_helper() arg list, fixing a cppcheck argumentSize warning.
wolfcrypt/test/test.c: revert overeager constification of xmss_msg and xmss_sig.
2024-02-17 15:24:55 -06:00
David Garske
7f18338322 Merge pull request #7255 from ejohnstown/ocsp-date
OCSP Date Checks
2024-02-16 20:58:20 -08:00
John Safranek
52f4dcd7aa OCSP Date Checks
When calling DecodeResponseData(), no matter the return value, if it is
not success, it is assigned to ASN_PARSE_E. This isn't the pattern for
other branch parsing. Return the value returned.

This is seen when decoding an OCSP response that is past the
next-available time.
2024-02-16 12:12:27 -08:00
David Garske
e4ea2651a3 Merge pull request #7252 from douzzer/20240215-benchmark-smallstack-refactors
20240215-benchmark-smallstack-refactors
2024-02-16 11:45:59 -08:00
Daniel Pouzzner
af620513f1 wolfssl/wolfcrypt/types.h: fix bugprone-macro-parentheses in smallstack WC_ALLOC_VAR(). 2024-02-16 12:39:25 -06:00
David Garske
815c290293 Merge pull request #7231 from anhu/maxqrng
Use the MAXQ1065/1080 rng when available.
2024-02-16 09:43:46 -08:00
Daniel Pouzzner
3676dc02a6 wolfcrypt/benchmark/benchmark.c: mollify scan-build with XMEMSET()s in several false positives around WC_DECLARE_ARRAY(). 2024-02-16 10:27:06 -06:00
Daniel Pouzzner
44e0ee1ecd wolfssl/wolfcrypt/types.h:
* fix overallocation in WC_DECLARE_ARRAY() macro in the !WOLFSSL_SMALL_STACK path.
* rename WC_INIT_ARRAY() to WC_ALLOC_ARRAY() for clarity (it doesn't initialize any memory).
* rename WC_DECLARE_ARRAY_DYNAMIC_DEC(), WC_DECLARE_ARRAY_DYNAMIC_EXE(), and WC_FREE_ARRAY_DYNAMIC() to WC_DECLARE_HEAP_ARRAY(), WC_ALLOC_HEAP_ARRAY(), and WC_FREE_HEAP_ARRAY(), respectively, also for clarity, and refactor out the duplicate definitions.
* add WC_ALLOC_VAR(), and move the XMALLOC() in smallstack WC_DECLARE_VAR() into it.  smallstack WC_DECLARE_VAR() now initializes the pointer to NULL, like smallstack WC_DECLARE_ARRAY(), assuring all pointers are valid upon shortcircuit to cleanup for a failed allocation (see WC_ALLOC_DO_ON_FAILURE below).
* add a new hook "WC_ALLOC_DO_ON_FAILURE" in WC_ALLOC_VAR(), WC_ALLOC_ARRAY(), and WC_DECLARE_ARRAY_DYNAMIC_EXE(), which is invoked when an allocation fails.  by default the hook is defined to WC_DO_NOTHING.
* add basic safety to WC_*_HEAP_ARRAY() by recording/detecting allocation state via idx##VAR_NAME.
* add macros WC_ARRAY_OK() and WC_HEAP_ARRAY_OK() to test if allocation succeeded.
* add macros WC_CALLOC_ARRAY() and WC_CALLOC_HEAP_ARRAY() which zero the objects.
* add macro WC_CALLOC_VAR() which zeros the object.

ED448: smallstack refactor of ge448_scalarmult_base().

src/tls.c tests/api.c wolfcrypt/test/test.c: update WC_DECLARE_VAR()s with now-required matching WC_ALLOC_VAR()s.

wolfcrypt/benchmark/benchmark.c:
* no functional changes in default error-free behavior.
* add definition of WC_ALLOC_DO_ON_FAILURE() that prints error message, sets ret, and does goto exit.
* add BENCH_NTIMES and BENCH_AGREETIMES overrideeable macros, to allow fast sanitizer runs and slow high-precision runs.
* smallstack refactor of all declarations of stack arrays of the form foo[BENCH_MAX_PENDING], using WC_DECLARE_ARRAY() (35 in all).
* additional smallstack refactors, using WC_DECLARE_VAR(), for bench_aesxts(), bench_ed448KeyGen(), bench_eccsi*(), and bench_sakke*().
* fixes for various unhandled error conditions around malloc failures.

wolfcrypt/test/test.c: opportunistically constify several (42) static constants, moving them to the readonly data segment.

linuxkm/Makefile: if ENABLED_LINUXKM_BENCHMARKS, add wolfcrypt/benchmark/benchmark.o to WOLFSSL_OBJ_FILES.

linuxkm/Kbuild: enable FPU for benchmark.o, and remove enablement for module_hooks.o.

linuxkm/module_hooks.c: remove inline include of benchmark.c.
2024-02-16 10:26:21 -06:00
András Fekete
92b8196059 Merge pull request #7251 from miyazakh/ra6m4_jenkins
fix ra6m4 nightly jenkins failure
2024-02-16 09:09:12 -05:00
Juliusz Sosinowicz
469760e186 wc_ecc_shared_secret_ssh fix
- wc_ecc_shared_secret_ssh should either be declared or not. Having two different signatures for the same function is error prone.
- Don't use wc_ecc_shared_secret_ssh in our code. Use wc_ecc_shared_secret directly.
2024-02-16 13:38:35 +01:00
Juliusz Sosinowicz
44de6dfdd3 Return correct values in get_signature APIs and write tests 2024-02-16 11:32:22 +01:00
Juliusz Sosinowicz
98e328dafc Enable master openvpn testing
Depends on https://github.com/wolfSSL/wolfssl/pull/7236
2024-02-16 11:32:04 +01:00
Juliusz Sosinowicz
6537c7163c Implement SSL_get_peer_signature_nid and SSL_get_peer_signature_type_nid 2024-02-16 11:32:04 +01:00
Hideki Miyazaki
72d8acf5aa fix ra6m4 nightly jenkins failure 2024-02-16 15:45:32 +09:00
David Garske
d34b254247 Merge pull request #7249 from bandi13/missingOpenVPNDependencies
Add in dependencies when compiling with OpenVPN
2024-02-15 15:38:07 -08:00
David Garske
f0a162c265 Merge pull request #7250 from lealem47/ecbAsync
Fix for AES-ECB benchmark livelock with Async
2024-02-15 15:37:46 -08:00
Marco Oliverio
c8f3a8f14b fix: negotiate handshake until the end in wolfSSL_read/wolfSSL_write (#7237)
* tls: negotiate until hs is complete in wolfSSL_read/wolfSSL_write

Don't rely on ssl->options.handShakeSate == HANDSHAKE_DONE to check if
negotiation is needed. wolfSSL_Connect() or wolfSSL_Accept() job may not yet be
completed and/or some messages may be waiting in the buffer because of
non-blocking I/O.

* tests: test case for handshake with wolfSSL_read()/wolfSSL_write()

* doc: clarify wolfSSL_write()

* internal.c: rename: need_negotiate -> ssl_in_handshake
2024-02-15 13:48:19 -08:00
Lealem Amedie
4cc960787f Fix for AES-ECB benchmark livelock with Async 2024-02-15 12:51:22 -07:00
Andras Fekete
71fd4782c0 Add in dependencies when compiling with OpenVPN 2024-02-15 13:48:33 -05:00
David Garske
585f0f1956 Merge pull request #7248 from lealem47/ARMASM_UnitTest
Fix unit test failure for FIPS 140-2 + WOLFSSL_ARMASM
2024-02-15 08:25:42 -08:00
Lealem Amedie
b87f544af6 Reviewer feedback 2024-02-14 16:43:01 -07:00
Lealem Amedie
152c8565b9 Fix unit test failure for FIPS 140-2 + WOLFSSL_ARMASM 2024-02-14 16:24:58 -07:00
David Garske
d39cf1e499 Merge pull request #7246 from kareem-wolfssl/zd17176
Only include CRL monitor definitions when building with HAVE_CRL_MONITOR.
2024-02-14 13:45:23 -08:00
Kareem
6dc6d58c04 Remove redundant ifdefs. 2024-02-14 11:22:32 -07:00
David Garske
375415d042 Merge pull request #7229 from kaleb-himes/win-code-up
Windows doesn't like code before variables
2024-02-14 09:50:34 -08:00
Kareem
c119826e75 Only include CRL monitor definitions when building with HAVE_CRL_MONITOR. 2024-02-13 15:37:36 -07:00
Sean Parkinson
3b6a7691c5 Merge pull request #7235 from julek-wolfssl/gh/7228
Send alert on bad psk binder
2024-02-14 07:24:52 +10:00
David Garske
6f88ed0901 Merge pull request #7177 from gojimmypi/PR-Arduino-Update
Improved Arduino Support: ESP32, Due
2024-02-13 09:43:42 -08:00
David Garske
c8d0bb0bd8 Merge pull request #7212 from SparkiDev/eddsa_check_priv
EdDsa: check private value after sign
2024-02-13 09:27:34 -08:00
Sean Parkinson
e28d6a7b71 EdDsa: check private value after sign
Check the private value hasn't changed during signing with EdDSA.
2024-02-13 22:11:48 +10:00
Sean Parkinson
94680991a9 Merge pull request #7243 from douzzer/20240213-aes256_test-leak
20240213-aes256_test-leak
2024-02-13 22:03:49 +10:00
gojimmypi
68fb183fa6 Update TLS client example for Espressif ESP8266 2024-02-13 03:01:40 -08:00
Daniel Pouzzner
9b7decada0 wolfcrypt/test/test.c: fix Aes init/free lifecycle in aes192_test() and aes256_test(). 2024-02-13 01:23:11 -06:00
David Garske
2ebc897e31 Merge pull request #7241 from ejohnstown/ocsp-revoke-reason
Decode OCSP Revocation Reason
2024-02-12 15:11:26 -08:00
David Garske
2b9e9955c3 Merge pull request #7242 from SparkiDev/ct_valgrind_fixes_3
RSA ct test: force RsaFunctionCheckIn to not be inlined
2024-02-12 15:10:47 -08:00
Sean Parkinson
f031d034df RSA ct test: force RsaFunctionCheckIn to not be inlined
In non-debug compilation, RsaFunctionCheckIn may be inlined.
The function operates on the input - value to exponentiate.
Constant time testing excludes all operations in this function.
2024-02-13 07:37:24 +10:00
John Safranek
c17fb7498b OCSP Revocation Reason
1. The ASN.1 parser wasn't handling the OCSP response correctly when
   there was a revocation reason included in the response. The encoded
   reason value is constructed, and was getting marked as not
   constructed in the parser. Changed the flag to mark it as
   constructed.
2024-02-12 13:11:51 -08:00
David Garske
06f04def1b Merge pull request #7222 from rizlik/early_data_fix
tls13: wolfSSL_read_early_data() set outSz to 0 if no early data and update doc
2024-02-12 11:38:46 -08:00
Marco Oliverio
7b0fefbceb doc: update new wolfSSL_read_early_data() behavior 2024-02-12 17:20:15 +01:00
Marco Oliverio
e923d4c151 tls13: read_early_data: set outSz to 0 if no early data
If not data is read, set outSz to 0. This way the
caller can detect if no early data was read.
2024-02-12 17:20:15 +01:00
JacobBarthelmeh
83ae7245b0 Merge pull request #7151 from lealem47/pic24
MICROCHIP PIC24 support and example project
2024-02-12 23:15:10 +07:00
Juliusz Sosinowicz
9a08296fa0 Fix openssl client psk key so that psk actually works 2024-02-12 15:07:46 +01:00
Sean Parkinson
d5142d8553 Merge pull request #7234 from douzzer/20240208-test-config-and-linuxkm-tweaks
20240208-test-config-and-linuxkm-tweaks
2024-02-12 22:50:28 +10:00
Sean Parkinson
9f0aa38120 Merge pull request #7223 from gojimmypi/PR-debug-messages
Add wolfSSL debug messages
2024-02-12 07:35:50 +10:00
Daniel Pouzzner
2e970f53c5 Merge pull request #7232 from bandi13/moreDependencies
Add in dependencies of tests
2024-02-10 02:17:28 -05:00
Daniel Pouzzner
13021708d4 Merge pull request #7227 from julek-wolfssl/gh-retention-days
Increase retention days to make re-running easier
2024-02-10 02:16:34 -05:00
Daniel Pouzzner
c1931f78de Merge pull request #7225 from bandi13/fixStaticAnalysisError
Static analyzers complain that a->size is never initialized
2024-02-10 02:15:37 -05:00
Daniel Pouzzner
63fe12efe3 wolfcrypt/src/aes.c: fix WOLFSSL_AESGCM_STREAM && WC_AES_C_DYNAMIC_FALLBACK: establish AESNI status dynamically at time of wc_AesGcmSetKey(), and stick to it (or return failure) until the next wc_AesGcmSetKey(). this matches the semantics of the Linux kernel in-tree implementation, allowing safe registration of the wolfCrypt AESNI implementation with the LKCAPI.
configure.ac: move enable_aesgcm_stream=yes clauses in enable-all and enable-all-crypto to the main section, from the !ENABLED_LINUXKM_DEFAULTS section, and in ENABLED_LINUXKM_LKCAPI_REGISTER setup, remove the !ENABLED_AESNI from the condition for forcing on ENABLED_AESGCM_STREAM.

linuxkm/lkcapi_glue.c:
* remove all special-casing for AES-GCM with AESNI.
* add support for a LINUXKM_LKCAPI_PRIORITY_ALLOW_MASKING macro.

wolfssl/wolfcrypt/memory.h: add missing definition of SAVE_VECTOR_REGISTERS2() when DEBUG_VECTOR_REGISTER_ACCESS_FUZZING && !DEBUG_VECTOR_REGISTER_ACCESS.

wolfcrypt/src/memory.c:
* define SAVE_VECTOR_REGISTERS2_fuzzer() if DEBUG_VECTOR_REGISTER_ACCESS_FUZZING, regardless of DEBUG_VECTOR_REGISTER_ACCESS.
* add a DEBUG_VECTOR_REGISTER_ACCESS clause to the !HAVE_THREAD_LS version of SAVE_VECTOR_REGISTERS2_fuzzer().

wolfcrypt/test/test.c: remove several errant wc_AesFree()s in aes256_test().
2024-02-10 01:09:15 -06:00
Juliusz Sosinowicz
bd32dfd282 Send alert on bad psk binder
Issue reported in https://github.com/wolfSSL/wolfssl/pull/7228
2024-02-09 16:12:04 +01:00
Juliusz Sosinowicz
d34cf39206 Increase retention days to make re-running easier 2024-02-09 11:36:55 +01:00
Daniel Pouzzner
6146485d2a linuxkm/linuxkm_wc_port.h:
* add support for DEBUG_LINUXKM_FORTIFY_OVERLAY to allow KASAN analysis of the overlay without actually enabling CONFIG_FORTIFY_SOURCE (which is buggy in combination with KASAN).
* make SAVE_VECTOR_REGISTERS2 definition conditional on !defined(SAVE_VECTOR_REGISTERS2).

wolfssl/wolfcrypt/memory.h: fix the DEBUG_VECTOR_REGISTER_ACCESS definition for SAVE_VECTOR_REGISTERS to properly omit the on-success bookkeeping code even if the supplied fail_clause doesn't return.

wolfcrypt/src/rsa.c: in wc_MakeRsaKey() primality loop, invoke RESTORE_VECTOR_REGISTERS() SAVE_VECTOR_REGISTERS() to prevent lengthy kernel lockups.

wolfcrypt/src/dh.c: in wc_DhGenerateParams() primality loop, invoke RESTORE_VECTOR_REGISTERS() SAVE_VECTOR_REGISTERS() to prevent lengthy kernel lockups.

wolfcrypt/src/{curve25519.c,dh.c,dsa.c,ecc.c,eccsi.c,rsa.c,sakke.c,sp_int.c}: when WOLFSSL_LINUXKM, force {SAVE,RESTORE}_VECTOR_REGISTERS() to WC_DO_NOTHING if settings gate out applicable asm.
2024-02-09 00:47:23 -06:00
Daniel Pouzzner
91681f378f configure.ac:
* add srtp to enable-all
* add srtp-kdf to enable-all-crypto
* fix typo in enable-all[-crypto] where ENABLED_FIPS was used when FIPS_VERSION was needed.
* in enable-all[-crypto], conditionalize aesxts on !FIPS || FIPS_VERSION == dev.
* move AES-XTS CFLAG setup after FIPS settings, to allow non-dev FIPS to force it off, and add clause to FIPS v5 setup to do that.
* in FIPS v5 setup, add AES-XTS to the list of modes that forces -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB.

wolfcrypt/src/kdf.c: fix several benign -Wconversions.

wolfcrypt/test/test.c: add aes_cfb_test() and aes_xts_test() as top-level tests with separate "pass" messages, for transparency that those modes have indeed been tested in builds that activate them.
2024-02-09 00:46:54 -06:00
suzuki toshiya
e4b1e54235 configure or cmake sets LIBM variable if required, and write it in wolfssl.pc. 2024-02-09 13:58:28 +09:00
gojimmypi
bf29066d70 Add wolfSSL debug messages 2024-02-08 17:22:36 -08:00
Andras Fekete
340e22a6e4 Add in dependencies of tests 2024-02-08 16:48:10 -05:00
Anthony Hu
d0fd0a287b Fixup some gating in the tests.
Found with:

./configure --enable-wolfclu --enable-asn=template 'CFLAGS=-DNO_ASN_TIME -DWOLFSSL_CUSTOM_OID -DHAVE_OID_ENCODING'
2024-02-08 16:14:43 -05:00
kaleb-himes
f5670082b6 Windows doesn't like code before variables 2024-02-08 14:12:02 -07:00
Anthony Hu
16c74a31b2 Use the MAXQ1065/1080 rng when available. 2024-02-08 16:10:36 -05:00
Andras Fekete
16b40b2f75 Static analyzers complain that a->size is never initialized 2024-02-08 15:13:07 -05:00
Juliusz Sosinowicz
14830d0e09 Merge pull request #7226 from bandi13/disableOpenVPN_master
Temporarily disable OpenVPN-master test
2024-02-08 21:06:22 +01:00
Andras Fekete
de0d1ea1e7 Temporarily disable OpenVPN-master test 2024-02-08 13:52:32 -05:00
Daniel Pouzzner
7365c3c6ba Merge pull request #7215 from julek-wolfssl/openssh-workflow-update
Point openssh workflow to wolf master
2024-02-08 12:43:53 -05:00
Sean Parkinson
5b5f0ff32c Merge pull request #7194 from anhu/CerManUnExtCb
Adding unknown extension callback to CertManager
2024-02-08 22:10:32 +10:00
Sean Parkinson
9147a7254b Merge pull request #7214 from julek-wolfssl/zd/17314
DTLS sequence number and cookie fixes
2024-02-08 22:08:37 +10:00
suzuki toshiya
24c30d90e7 Add "Libs.private: -m" to wolfssl.pc.in for a static linking 2024-02-08 13:04:36 +09:00
gojimmypi
e078e74011 Update Arduino IDE README.md 2024-02-07 13:52:18 -08:00
Anthony Hu
271462128d Add a test 2024-02-07 16:49:46 -05:00
David Garske
7e142583c6 Merge pull request #7221 from SparkiDev/thumb2_inline_asm_iar_fix
Thumbs inline ASM IAR: fix register clobber list
2024-02-07 13:30:41 -08:00
David Garske
dec4caa98f Merge pull request #7206 from julek-wolfssl/gh/7196
Fix write_dup with chacha-poly
2024-02-07 08:40:30 -08:00
Sean Parkinson
91e1fe4496 Merge pull request #7220 from gojimmypi/PR-ssl-session-cache
Introduce MICRO_SESSION_CACHE, update comments
2024-02-07 21:25:53 +10:00
gojimmypi
538ade105c Correct C++-style comments in settings.h 2024-02-06 18:25:05 -08:00
Sean Parkinson
fff4effe31 Thumbs inline ASM IAR: fix register clobber list
Change register clobber list so that it reserves the same registers for
constants regardless of WOLFSSL_NO_VAR_ASSIGN_REG.
2024-02-07 10:28:01 +10:00
gojimmypi
10b5c375ef introduce MICRO_SESSION_CACHE, update comments 2024-02-06 14:07:50 -08:00
David Garske
8853096290 Merge pull request #7217 from douzzer/20240206-cmake-install-rule-by-default
20240206-cmake-install-rule-by-default
2024-02-06 10:48:55 -08:00
Daniel Pouzzner
c69442375b CMakeLists.txt: include the install rule by default, disabled with -DWOLFSSL_INSTALL=no, to restore status quo ante. see #7188 2024-02-06 12:08:57 -06:00
David Garske
735fbc7cee Merge pull request #7195 from philljj/zd17406
Update IAR-EWARM project user-settings.h.
2024-02-06 09:20:54 -08:00
Juliusz Sosinowicz
4244fe9ff4 Run openssh tests on PR's 2024-02-06 13:30:25 +01:00
Juliusz Sosinowicz
bdc0b80ddb Don't include unnecessary headers in public header file 2024-02-06 13:27:34 +01:00
Daniel Pouzzner
4d842f094e Merge pull request #7199 from lealem47/defaultASN
Default to ASN TEMPLATE library
2024-02-05 22:32:57 -05:00
Sean Parkinson
86b1aae218 Merge pull request #7209 from philljj/zd17416
Coverity issues: fix MD5 and SHA buffer overrun.
2024-02-06 08:58:27 +10:00
Lealem Amedie
d36bd47a27 For cppcheck: Explicitly initialize some variables 2024-02-05 15:09:05 -07:00
Daniel Pouzzner
48e40b8d8e Merge pull request #7201 from SparkiDev/sha256_aarch64_unaligned
SHA-256 Aarch64: fix alignments on loads and stores
2024-02-05 16:50:27 -05:00
Daniel Pouzzner
8665295573 Merge pull request #7198 from dgarske/tls12only
Template for TLS v1.2 only
2024-02-05 16:14:47 -05:00
Daniel Pouzzner
1356e079f1 Merge pull request #7207 from julek-wolfssl/update-actions
Update github actions
2024-02-05 16:11:39 -05:00
Daniel Pouzzner
2b33079d50 Merge pull request #7188 from innolectric/innolectric
Innolectric CMake changes
2024-02-05 16:08:58 -05:00
Sean Parkinson
9060da42a6 Merge pull request #7211 from douzzer/20240203-linuxkm-fixes
20240203-linuxkm-fixes
2024-02-06 07:08:40 +10:00
jordan
9ea52c3a51 Update IAR-EWARM project user-settings.h. 2024-02-05 15:01:07 -06:00
Daniel Pouzzner
5c421d0207 Merge pull request #7178 from anhu/OQS_MEM_LEAKS
Fixes that prevent memory leaks when using OQS.
2024-02-05 13:26:43 -05:00
Anthony Hu
9b697a5315 Missed gating 2024-02-05 12:38:25 -05:00
Juliusz Sosinowicz
54b562f501 Point openssh workflow to wolf master 2024-02-05 18:10:24 +01:00
Juliusz Sosinowicz
8bddeb10c7 DTLS sequence number and cookie fixes
- dtls: check that the cookie secret is not emtpy
- Dtls13DoDowngrade -> Dtls13ClientDoDowngrade
- dtls: generate both 1.2 and 1.3 cookie secrets in case we downgrade
- dtls: setup sequence numbers for downgrade
- add dtls downgrade sequence number check test

Fixes ZD17314
2024-02-05 16:09:03 +01:00
jordan
83169f91e9 Fix ShaFinal overrun. 2024-02-03 17:36:26 -06:00
Daniel Pouzzner
3a280e8295 linuxkm fixes:
linuxkm/linuxkm_wc_port.h: add fallback definition for static_assert() to support legacy kernels.
wolfcrypt/src/aes.c: fix AESNI runtime failure/fallback logic in wc_AesXtsSetKeyNoInit().
2024-02-03 13:46:45 -06:00
David Garske
ca726e97f8 Peer review fixes. 2024-02-03 10:43:46 -08:00
jordan
d111d7da1b Fix MD5 and SHA buffer overrun. 2024-02-02 19:50:22 -06:00
Daniel Pouzzner
851f059023 Merge pull request #7203 from julek-wolfssl/openssh-9.6
openssh 9.6p1 fixes
2024-02-02 19:51:55 -05:00
Daniel Pouzzner
4ed197d487 Merge pull request #7205 from julek-wolfssl/fix-test_wolfSSL_OPENSSL_hexstr2buf
test_wolfSSL_OPENSSL_hexstr2buf: test was always skipped
2024-02-02 18:45:31 -05:00
Daniel Pouzzner
866992151b Merge pull request #7208 from philljj/fix_ext_xmss_sigsleft
Fix ext_xmss sigsleft null deref.
2024-02-02 18:28:20 -05:00
Daniel Pouzzner
7823acbbde Merge pull request #7184 from JacobBarthelmeh/pkcs7-enc
PKCS7 streaming with encode/sign
2024-02-02 18:00:12 -05:00
jordan
13e427433c Fix ext_xmss sigsleft null deref. 2024-02-02 16:04:23 -06:00
JacobBarthelmeh
7592559fd3 rename argument, fix warnings on casts 2024-02-02 14:50:50 -07:00
Daniel Pouzzner
d1e0b37467 Merge pull request #7202 from julek-wolfssl/bio-include-ssl
If bio.h is included first then it can't include options.h on its own
2024-02-02 16:00:47 -05:00
Daniel Pouzzner
6230c29194 Merge pull request #7190 from SparkiDev/tls13_hrrcookie_fix
TLS 1.3, HRR Cookie: send cookie back in new ClientHello
2024-02-02 15:05:00 -05:00
Juliusz Sosinowicz
31bfac43ea Update github actions
Many of these updates should also speed up some steps
2024-02-02 20:14:28 +01:00
David Garske
32aecf4c35 Merge pull request #7180 from douzzer/20240126-LINUXKM_LKCAPI_REGISTER
20240126-LINUXKM_LKCAPI_REGISTER
2024-02-02 11:12:35 -08:00
Juliusz Sosinowicz
5b5d6481de Fix write_dup with chacha-poly 2024-02-02 19:47:25 +01:00
Juliusz Sosinowicz
188a69e649 test_wolfSSL_OPENSSL_hexstr2buf: test was always skipped 2024-02-02 18:29:15 +01:00
Juliusz Sosinowicz
be90fe073e tfm and integer: skip whitespace at end in radix read 2024-02-02 14:38:40 +01:00
Juliusz Sosinowicz
7ebb8cd007 Update radix tests 2024-02-02 12:09:50 +01:00
Juliusz Sosinowicz
d3b0a26b3b If bio.h is included first then it can't include options.h on its own
When EXTERNAL_OPTS_OPENVPN is defined, we should be including options.h internally. When bio.h is included first, we don't include options.h and we don't pass the `#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)` guard.
2024-02-02 11:02:39 +01:00
Sean Parkinson
c8b0aac144 SHA-256 Aarch64: fix alignments on loads and stores
Input buffer must be loaded with a byte alignment.
Fix other loads and stores to be consistent.
2024-02-02 12:41:12 +10:00
Daniel Pouzzner
10645de648 linuxkm: various tweaks:
* configure.ac: in linuxkm-lkcapi-register section, force ENABLED_AESGCM_STREAM=yes if ENABLED_AESGCM is yes and there is asm or FIPS in the picture.
* linuxkm/module_hooks.c: in updateFipsHash(), if DEBUG_LINUXKM_PIE_SUPPORT || WOLFSSL_LINUXKM_VERBOSE_DEBUG, print the base16 hash to the kernel log.
* linuxkm/lkcapi_glue.c:
  * implement KATs for AES-CBC, AES-CFB, and AES-GCM.
  * clean out extraneous code and macro usage inherited from test/test.c.
  * add post-registration crypto_tfm_alg_driver_name() tests for AES-CBC, AES-CFB, and AES-GCM.
2024-02-01 19:04:02 -06:00
Takashi Kojo
791c9e7aba Add EC_POINT_hex2point 2024-02-02 07:34:38 +09:00
Lealem Amedie
63f7298be2 Default to ASN TEMPLATE library 2024-02-01 14:52:06 -07:00
JacobBarthelmeh
ed4b87eb37 fix for clang-tidy null dereference error 2024-02-01 14:26:13 -07:00
JacobBarthelmeh
5fbadbb215 fix warning with test case 2024-02-01 11:50:51 -07:00
JacobBarthelmeh
8d0dc7a568 fix asn original build, vs warning, and add test cases 2024-02-01 11:50:51 -07:00
JacobBarthelmeh
bf23357c8c refactor streaming and additional comments 2024-02-01 11:50:51 -07:00
JacobBarthelmeh
c843064681 update macro guard 2024-02-01 11:50:51 -07:00
JacobBarthelmeh
75762d44b6 PKCS7 streaming with encode/sign 2024-02-01 11:50:51 -07:00
gojimmypi
ee0e25de5f Improved Arduino Support, ESP32, Due; (+ code review x2) 2024-02-01 08:31:00 -08:00
Juliusz Sosinowicz
335c51987e openssh 9.6p1 fixes
- wolfSSL_DSA_set0_key: allow setting just the public key
- radix16: allow skipping the end of line whitespace
- Add openssh action
2024-02-01 11:39:56 +01:00
Daniel Pouzzner
f9bf96d9ba Merge pull request #7187 from SparkiDev/sha256_intel_instrs
SHA-256: Implementation using Intel instructions
2024-01-31 19:15:43 -05:00
Daniel Pouzzner
1fda249468 Merge pull request #7189 from philljj/fix_static_nomalloc_build
Fix WOLFSSL_NO_MALLOC build.
2024-01-31 18:46:48 -05:00
Sean Parkinson
f48eb638da TLS 1.3, HRR Cookie: send cookie back in new ClientHello
Make it mandatory that the cookie is sent back in new ClientHello when
seen in a HelloRetryRequest.
2024-02-01 07:49:37 +10:00
Daniel Pouzzner
3064d725b9 Merge pull request #7193 from bandi13/fixOpenWRTTests
Snapshots disappear after a while. Versioned releases stay.
2024-01-31 16:38:55 -05:00
Anthony Hu
dfc10741a5 Adding unknown extension callback to CertManager 2024-01-31 16:27:07 -05:00
Andras Fekete
65902308e8 Snapshots disappear after a while. Versioned releases stay. 2024-01-31 16:02:41 -05:00
Daniel Pouzzner
75bd1af110 Merge pull request #7179 from philljj/fix_ext_xmss_sigsleft
Fix ext_xmss SigsLeft.
2024-01-31 14:33:18 -05:00
David Garske
9e47703402 Template for TLS v1.2 only. 2024-01-31 10:13:31 -08:00
Daniel Pouzzner
e1ee5e4421 linuxkm: spruce up arch-dependent CFLAGS setup in linuxkm/Kbuild; add "failed:" to error messages in km_AesGcmEncrypt() and km_AesGcmDecrypt(). 2024-01-31 11:49:46 -06:00
Daniel Pouzzner
f228a85cee AES-XTS: fix FIPS gating to use defined(HAVE_FIPS), not defined(HAVE_FIPS_VERSION). 2024-01-30 17:16:37 -06:00
jordan
7ddf20851d Fix WOLFSSL_NO_MALLOC build. 2024-01-30 09:00:02 -06:00
Juliusz Sosinowicz
48b99b0f10 Merge pull request #7185 from JacobBarthelmeh/zephyr
only download parts of zephyr sdk needed for test
2024-01-30 14:46:57 +01:00
Sean Parkinson
492490f7e6 SHA-256: Implementation using Intel instructions
Detects Intel SHA-256 instructions available for CPU.
Preferences implementation using Intel instructions.
2024-01-30 23:17:05 +10:00
Sean Parkinson
f7507f14cb Merge pull request #7186 from douzzer/20240129-fix-wc_RsaFunction_ex
20240129-fix-wc_RsaFunction_ex
2024-01-30 23:14:52 +10:00
Daniel Pouzzner
3d3c07944e wolfcrypt/src/ecc.c: fix logic around WOLF_CRYPTO_CB_ONLY_ECC in wc_ecc_shared_secret(), _ecc_make_key_ex(), wc_ecc_sign_hash(), and wc_ecc_verify_hash() (defects reported by -Wreturn-type, -Wmaybe-uninitialized around err, and a failure of ecc_onlycb_test()). 2024-01-29 22:30:33 -06:00
Daniel Pouzzner
67bbe1e1bb wolfcrypt/src/rsa.c: in wc_RsaFunction_ex(), if defined(WOLF_CRYPTO_CB_ONLY_RSA), add clause to return NO_VALID_DEVID if key->devId == INVALID_DEVID. fixes "control reaches end of non-void function" in PRB-single-flag.txt. 2024-01-29 22:00:20 -06:00
Daniel Pouzzner
11e8a89f67 wolfcrypt/src/aes.c: coddle XCode (clang) to clear frivolous -Wparentheses-equality. 2024-01-29 17:58:13 -06:00
Daniel Pouzzner
6261108d49 linuxkm: fix line lengths throughout; in linuxkm/lkcapi_glue.c: fix/harmonize error catching, reporting, and error codes; further address peer review feedback. 2024-01-29 17:48:31 -06:00
David Garske
de91add3d9 Merge pull request #7182 from SparkiDev/armv8_32_align_chacha20_asm
ARMv8 32 bit ChaCha20 ASM: loading from in/out
2024-01-29 14:59:56 -08:00
JacobBarthelmeh
920abd8b46 only download parts of zephyr sdk needed for test 2024-01-29 15:02:58 -07:00
David Garske
de4a6f9e00 Merge pull request #7167 from SparkiDev/rsa_dec_check_d
RSA Decryption: check private value after decryption
2024-01-29 14:01:27 -08:00
Lealem Amedie
154841a083 MICROCHIP PIC24 support and example project 2024-01-29 12:50:00 -07:00
David Garske
a6326bd80a Merge pull request #7183 from SparkiDev/regression_fixes_9
Regression testing fixes
2024-01-29 07:42:34 -08:00
David Garske
60de159707 Merge pull request #7176 from danielinux/iotsafe-sha384
IoT-Safe sha384+sha512 support
2024-01-29 07:35:50 -08:00
Sean Parkinson
13591dcae8 Regression testing fixes
internal.c: NO_CERT, privateKeySz not used.
./configure --disable-shared --disable-asn --disable-rsa --disable-ecc
--enable-psk

sp_int.c: fix when sp_gcm is available
./configure --disable-shared  --disable-shared --disable-ecc
--disable-dh --disable-aes --disable-aesgcm --disable-sha512
--disable-sha384 --disable-sha --disable-poly1305 --disable-chacha
--disable-md5 --disable-sha3 --enable-cryptonly --disable-inline
--enable-rsavfy --disable-asn --disable-oaep --disable-rng
--disable-filesystem --enable-sp=rsa2048 --disable-sp-asm
--enable-sp-math
2024-01-29 23:05:46 +10:00
Daniel Pouzzner
856c9a9a7f wolfcrypt/src/port/arm/armv8-aes.c: revert changes in a0415ce855. 2024-01-29 00:17:19 -06:00
Daniel Pouzzner
1fc67183a5 linuxkm: address peer review:
* support AES_ENCRYPTION_AND_DECRYPTION only if WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS is defined, and define it in linuxkm_wc_port.h if LINUXKM_LKCAPI_REGISTER.
* fix a typo in km_AesInitCommon().
* remove #if 0 code in lkcapi_glue.c.
2024-01-28 23:58:46 -06:00
Sean Parkinson
4585c6d508 ARMv8 32 bit ChaCha20 ASM: loading from in/out
Input and output buffers come from the application and are not
necessarily alighed.
Use instructions that allow unaligned access to these buffers.
2024-01-29 11:03:40 +10:00
Daniel Pouzzner
957fc7460c linuxkm/lkcapi_glue.c: refactor AES-CBC, AES-CFB, and AES-GCM glue around struct km_AesCtx with separate aes_encrypt and aes_decrypt Aes pointers, and no cached key, to avoid AesSetKey operations at encrypt/decrypt time. 2024-01-27 23:16:02 -06:00
Daniel Pouzzner
8ae031a5ed linuxkm/linuxkm_wc_port.h: improve my_memcpy(), my_memset(), and my_memmove() (CONFIG_FORTIFY_SOURCE workarounds) with copy-by-words codepaths. 2024-01-27 23:12:37 -06:00
Daniel Pouzzner
82d94dab68 linuxkm: move "#undef HAVE_PTHREAD" from linuxkm/module_hooks.c to wolfssl/wolfcrypt/settings.h. 2024-01-27 23:10:12 -06:00
Daniel Pouzzner
a0415ce855 wolfcrypt/src/port/arm/armv8-aes.c: fix for AesXts.aes_encrypt and AesXts.aes_decrypt. 2024-01-26 20:19:52 -06:00
Daniel Pouzzner
b1e5d0f9bb linuxkm: completion and stabilization of LKCAPI integration for AES-CBC, AES-CFB, AES-GCM, and AES-XTS:
linuxkm/lkcapi_glue.c (added in earlier commit):
implement linuxkm_lkcapi_register() and linuxkm_lkcapi_unregister() with idempotency.
add AES-XTS algorithm glue and self-test implementations.
add per-algorithm gating: LINUXKM_LKCAPI_REGISTER_AESCBC, _AESCFB, _AESGCM, and _AESXTS.
carry forward philljj's implementations for AES-CBC, AES-CFB, and AES-GCM, with various cleanups.

linuxkm/module_hooks.c:
print the "wolfCrypt container hashes" message only if DEBUG_LINUXKM_PIE_SUPPORT is set.
render the FIPS version for the self-test success message using the HAVE_FIPS_VERSION* macros.
add a "skipping full wolfcrypt_test() ..." message for --disable-crypttests builds.
add CONFIG_FORTIFY_SOURCE gates.

configure.ac:
add support for --enable-linuxkm-lkcapi-register;
add AES-XTS to output config summary;
rename --enable-xts to --enable-aesxts (retaining old option for backward compatibility).

linuxkm/linuxkm_wc_port.h: add support for CONFIG_FORTIFY_SOURCE.

linuxkm/linuxkm_memory.c:
fix retvals in save_vector_registers_x86() (wc-style MEMORY_E, not sys-style ENOMEM).
add __my_fortify_panic() implementation.

linuxkm/Kbuild: for ENABLED_LINUXKM_PIE in rename-pie-text-and-data-sections recipe, create an .rodata.wolfcrypt section.

linuxkm/include.am: add linuxkm/lkcapi_glue.c to EXTRA_DIST.

wolfcrypt/test/test.c:
when defined(HAVE_FIPS_VERSION), inhibit a test clause in aes_xts_128_test() disallowed by FIPS ("FIPS AES-XTS main and tweak keys must differ").
fix out-of-order user message in ecc_test().
2024-01-26 20:01:19 -06:00
jordan
947528ee16 Fix ext_xmss SigsLeft. 2024-01-26 17:07:43 -06:00
Daniel Pouzzner
39c74a9bf8 AES-XTS:
split XtsAes.aes in two, XtsAes.aes_encrypt and XtsAes.aes_decrypt, and add AES_ENCRYPTION_AND_DECRYPTION option constant, to accommodate Linux kernel crypto API model.
in wc_AesXtsSetKeyNoInit(), add FIPS check that main and tweak keys differ, and allow setting encrypt and decrypt keys simultaneously using AES_ENCRYPTION_AND_DECRYPTION.
in wc_AesXtsEncrypt() and wc_AesXtsDecrypt(), error if the required subkey has not been set.
2024-01-26 15:22:34 -06:00
Daniel Pouzzner
ec60f91b4a linuxkm: add linuxkm/lkcapi_glue.c. 2024-01-26 15:22:34 -06:00
Daniel Pouzzner
1f4cf4188d linuxkm:
* LKCAPI integration tweaks for buildability and streamlining.
* add DEBUG_VECTOR_REGISTER_ACCESS_FUZZING && !DEBUG_VECTOR_REGISTER_ACCESS, with a kernel-compatible implementation of SAVE_VECTOR_REGISTERS2_fuzzer().
2024-01-26 15:22:34 -06:00
Daniel Pouzzner
6e559ed015 linuxkm: squash of philljj's POC work integrating libwolfssl.ko with crypto_register_skcipher/crypto_register_aead, start 2022-12-26, end 2023-01-14. 2024-01-26 15:22:34 -06:00
Anthony Hu
fe87f16114 Fixes that prevent memory leaks when using OQS.
Fixes ZD 17177.
2024-01-26 14:54:01 -05:00
JacobBarthelmeh
3db58af4f8 Merge pull request #7173 from gojimmypi/PR-Espressif-SHA-updates
Improved Espressif SHA HW/SW selection
2024-01-26 11:51:15 -07:00
Daniele Lacamera
72e34a829a Fixed wrong define 2024-01-26 16:35:08 +01:00
JacobBarthelmeh
db3873ff40 Merge pull request #7172 from bandi13/fixUninitVar
Fix compilation errors about uninitialized variables
2024-01-26 08:32:41 -07:00
Daniele Lacamera
5b3ba8f4bb Removed "256-bit hash" references from doxygen 2024-01-26 10:22:40 +01:00
Daniele Lacamera
6dab75368d [IoT-Safe] Add support sha384 + sha512 2024-01-26 10:20:03 +01:00
gojimmypi
ac6181d7ae Improved Espressif SHA HW/SW selection 2024-01-25 15:23:58 -08:00
JacobBarthelmeh
578735e06c Merge pull request #7169 from julek-wolfssl/gh/7160
BIO_BIO: BIO_{write|read} on a BIO pair should wrap around ring buffer
2024-01-25 12:08:10 -08:00
lealem47
a13d107db4 Merge pull request #7171 from dgarske/stm32_cube_template
Improvements to the STM32Cube template
2024-01-25 10:58:46 -07:00
JacobBarthelmeh
4c7f038149 Merge pull request #7161 from SparkiDev/xmss
XMSS implementation
2024-01-25 08:41:13 -08:00
Andras Fekete
4971b9a567 Fix compilation errors about uninitialized variables
When compiling with '--enable-all CFLAGS=-Og' there were a ton of errors that needed fixing.
2024-01-25 09:49:30 -05:00
Juliusz Sosinowicz
4f1d777090 BIO_BIO: BIO_{write|read} on a BIO pair should wrap around ring buffer
- BIO_nread0 should return 0 when no data to read and -2 when not initialized
2024-01-25 13:46:45 +01:00
Sean Parkinson
a5961907b0 XMSS implementation
Supporting code for wolfSSL C implementation of XMSS.
2024-01-25 11:21:39 +10:00
David Garske
7305583f72 Improvements to the STM32Cube template. Fix defaults for ASN template and SNI. Disable Shake by default. Add comment about AES CFB. 2024-01-24 10:35:32 -08:00
JacobBarthelmeh
199a5476ec Merge pull request #7166 from miyazakh/gcc5_strict-aliasing
fix strict-aliasing rules warning on gcc 5.x
2024-01-24 10:18:13 -08:00
Sean Parkinson
999f84518c RSA Decryption: check private value after decryption 2024-01-24 16:09:15 +10:00
Hideki Miyazaki
00f4afb5ea fix strict-aliasing rules warning 2024-01-24 12:37:16 +09:00
JacobBarthelmeh
478c0633e7 Merge pull request #7159 from dgarske/features_20240122
Add PK Callback CMake support. Document `wc_RsaDirect`
2024-01-23 13:08:03 -08:00
David Garske
fa87e227b4 Restore useful comments above wc_RsaDirect in the .c file. 2024-01-23 08:39:35 -08:00
JacobBarthelmeh
3cbffd33b1 Merge pull request #7162 from per-allansson/dtls13-fips-missing-return
Fix missing return in DTLS1.3 / FIPS code
2024-01-23 08:30:11 -08:00
JacobBarthelmeh
1574de1008 Merge pull request #7128 from embhorn/zd17251
XC32 compiler version 4.x compatibility
2024-01-23 08:20:39 -08:00
JacobBarthelmeh
938698ec6b Merge pull request #7157 from philljj/fix_zephyr_benchmark_rsa
zephyr samples: fix wolfssl_benchmark RSA.
2024-01-23 08:17:10 -08:00
JacobBarthelmeh
78f7454043 Merge pull request #7154 from anhu/EccKeyParamCopy_error
Fix missing heap hint in `EccKeyParamCopy`
2024-01-23 08:11:35 -08:00
David Garske
3b20f49544 Merge pull request #7139 from douzzer/20230118-fix-_sp_mont_red-WOLFSSL_NO_CT_OPS
20230118-fix-_sp_mont_red-WOLFSSL_NO_CT_OPS
2024-01-23 07:18:25 -08:00
Per Allansson
92d7815b5c Fix missing return in DTLS1.3 / FIPS code 2024-01-23 08:35:07 +01:00
David Garske
916c22e021 Add PK (public key) callback support to CMake. 2024-01-22 13:42:31 -08:00
David Garske
3d62896137 Add documentation for wc_RsaDirect. 2024-01-22 13:41:25 -08:00
David Garske
dcc946575b Fix missing heap hint in EccKeyParamCopy. The XFREE is required or it will leak memory allocated in ASNToHexString. This only applies to WOLFSSL_CUSTOM_CURVES && !WOLFSSL_ASN_TEMPLATE. 2024-01-22 13:18:24 -08:00
Sean Parkinson
b0de0a1c95 Merge pull request #7143 from julek-wolfssl/zd/17303
EVP_Cipher: correct parameter checking
2024-01-23 07:15:20 +10:00
jordan
920aaebed7 zephyr samples: fix wolfssl_benchmark RSA. 2024-01-22 14:59:09 -06:00
JacobBarthelmeh
eb1fff3ad3 Merge pull request #7141 from julek-wolfssl/zd/17249
EarlySanityCheckMsgReceived: version_negotiated should always be checked
2024-01-22 12:18:57 -08:00
JacobBarthelmeh
f2a76a0630 Merge pull request #7156 from bandi13/checkNullInput
Check NULL input
2024-01-22 12:07:20 -08:00
Andras Fekete
5c75ca539e Check NULL input 2024-01-22 12:45:42 -05:00
JacobBarthelmeh
0c150d2391 Merge pull request #7150 from dgarske/getenv
Fix build with `NO_STDIO_FILESYSTEM` and improve checks for `XGETENV`
2024-01-22 08:33:24 -08:00
JacobBarthelmeh
12dafec3aa Merge pull request #7149 from dgarske/psa_cryptocb
Remove the PSA restriction to allow use with crypto callbacks
2024-01-22 08:24:51 -08:00
JacobBarthelmeh
2617669302 Merge pull request #7152 from douzzer/20240120-multi-test-fixes
20240120-multi-test-fixes
2024-01-22 08:19:23 -08:00
Anthony Hu
ccbb726859 Remove dead code in EccKeyParamCopy
Found with:

./configure --enable-ecccustcurves --enable-asn=original CFLAGS=-DWOLFSSL_ECC_CURVE_STATIC
2024-01-22 10:27:59 -05:00
Juliusz Sosinowicz
fc7143a8f4 Code review 2024-01-22 16:08:06 +01:00
Sean Parkinson
d2d653cfdc Merge pull request #7145 from douzzer/20240119-DoTls13CertificateVerify-CreateSigData-error-handling
20240119-DoTls13CertificateVerify-CreateSigData-error-handling
2024-01-22 07:36:49 +10:00
Sean Parkinson
b0d64b419d Merge pull request #7084 from julek-wolfssl/set-cipher-ssl
Allow SetCipherList to operate on SSL without modifying on SSL_CTX
2024-01-22 07:31:22 +10:00
Daniel Pouzzner
2edd18c49d src/x509.c: fix nullPointerRedundantCheck in wolfSSL_X509V3_set_ctx(). also adds thorough WOLFSSL_MSG() coverage for failures. 2024-01-20 13:08:21 -06:00
David Garske
d043333bee Merge pull request #7148 from gojimmypi/PR-fix-Espressif-cmake
Fix Espressif component cmake for environment variable source
2024-01-19 13:27:32 -08:00
David Garske
37fbb4fbae Merge pull request #7146 from kareem-wolfssl/zd17295
Remove git ignored files from IAR-EWARM projects.
2024-01-19 13:13:06 -08:00
David Garske
76550465bd Fixes build with NO_STDIO_FILESYSTEM defined. 2024-01-19 12:49:53 -08:00
David Garske
111f584d99 Remove the PSA restriction to allow use with crypto callbacks. 2024-01-19 12:15:40 -08:00
David Garske
a4affd9431 Improve use of XGETENV in wolfSSL_RAND_file_name to check for macro. 2024-01-19 12:13:19 -08:00
gojimmypi
92ab2eaca3 Fix Espressif component cmake for environment variable source 2024-01-19 11:54:10 -08:00
David Garske
6b8280f663 Merge pull request #7144 from bandi13/20240119-codesonar
20240119 codesonar
2024-01-19 09:35:02 -08:00
David Garske
a3a7012c81 Merge pull request #7136 from jpbland1/x509-new-ex
add heap hint support for a few of the x509 functions
2024-01-19 09:29:47 -08:00
Kareem
f1e833005b Remove git ignored files from IAR-EWARM projects. 2024-01-19 10:24:50 -07:00
Daniel Pouzzner
9aa99c0c9a src/tls13.c: in DoTls13CertificateVerify(), add missing error handling in several calls to CreateSigData(). 2024-01-19 11:12:23 -06:00
John Bland
66f04958e3 use wolfSSL_CTX_new_ex for heap hint support 2024-01-19 11:20:50 -05:00
Andras Fekete
dbc209d8ea Always initialize 'decryptedKey'
Warning 750167.5627928
2024-01-19 10:58:29 -05:00
Andras Fekete
7069a1805a Avoid "Use after free"
Warning 544767.5627232
2024-01-19 10:47:38 -05:00
Andras Fekete
2c162ffb97 Make sure aes->rounds is initialized
Warning 684346.5627323
2024-01-19 10:39:33 -05:00
Andras Fekete
726e7026cb Uninitialized variable because we don't check return value
Warning 544870.5627882
2024-01-19 10:31:20 -05:00
Juliusz Sosinowicz
1288d71132 Address code review 2024-01-19 15:59:22 +01:00
Juliusz Sosinowicz
f6ef146149 EarlySanityCheckMsgReceived: version_negotiated should always be checked
Multiple handshake messages in one record will fail the MsgCheckBoundary() check on the client side when the client is set to TLS 1.3 but allows downgrading.
  --> ClientHello
  <-- ServerHello + rest of TLS 1.2 flight
  Client returns OUT_OF_ORDER_E because in TLS 1.3 the ServerHello has to be the last message in a record. In TLS 1.2 the ServerHello can be in the same record as the rest of the server's first flight.
2024-01-19 14:57:35 +01:00
Juliusz Sosinowicz
afd0e5af4e Refactor haveAnon into useAnon
(ctx->|ssl->options.)useAnon means that the user has signalled that they want anonymous ciphersuites
2024-01-19 14:53:33 +01:00
Juliusz Sosinowicz
b8b847bbcf Allow SetCipherList to operate on SSL without modifying on SSL_CTX 2024-01-19 14:53:28 +01:00
Juliusz Sosinowicz
67700a1d70 Add libssh2 test 2024-01-19 12:46:53 +01:00
Juliusz Sosinowicz
e438131a3b EVP_Cipher: correct parameter checking
EVP_Cipher(ctx, NULL, NULL, 0) is a valid call for all algorithms. For none-AEAD it results in a no-op.
2024-01-19 12:32:17 +01:00
David Garske
ac81d9d29c Merge pull request #7110 from Frauschi/pq_secure_element
PQC: add CryptoCb support for PQC algorithms
2024-01-18 13:29:28 -08:00
Anthony Hu
9be390250d Adding support for dual key/signature certificates. (#7112)
Adding support for dual key/signature certificates with X9.146. Enabled with `--enable-dual-alg-certs` or `WOLFSSL_DUAL_ALG_CERTS`.
2024-01-18 13:20:57 -08:00
David Garske
8a45f43eb0 Merge pull request #7131 from bandi13/fips-check-upgrades
Fips check upgrades
2024-01-18 08:21:29 -08:00
David Garske
ec96fcdbae Merge pull request #7138 from ejohnstown/crl-mon-test-fix
CRL Monitor Test Fix
2024-01-18 08:20:05 -08:00
Tobias Frauenschläger
68ea31c52a Fix install step for liboqs port header
Make sure the header file of the liboqs port is properly installed
during a call to `make install`.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-01-18 17:07:39 +01:00
Tobias Frauenschläger
4d259da60a PQC: CryptoCb support for KEM algorithm Kyber
Add support for crypto callback and device id for all three Kyber PQC KEM
function calls.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-01-18 17:02:49 +01:00
Tobias Frauenschläger
8e6d151403 PQC: CryptoCb support for signature algorithms
Add initial support of the crypto callback API to the two PQC signature
algorithms Dilithium and Falcon. This ultimatelly enables the usage of
external hardware modules (e.g. secure elements) for these algorithms.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-01-18 17:02:38 +01:00
Daniel Pouzzner
9d56de200e wolfcrypt/src/sp_int.c: in _sp_mont_red(), gate calls to ctMaskIntGTE() on !WOLFSSL_NO_CT_OPS. 2024-01-18 00:36:52 -06:00
John Safranek
b66a108e97 CRL Monitor Test Fix
1. For Mach and FreeBsd builds, add the function link_file() which makes
   a hard link for a file.
2. Add a macro STAGE_FILE that either calls copy_file or link_file
   depending on doing a Mach or FreeBSD build or not.

This is to work around how the CRL Monitor is detecting file changes
made by the CRL monitor test in the testsuite. Linux and Windows are
detecting the file copies and deletes, and how macOS detects them.
kevent sees the link as a single change to the parent directory and
reads it. When you copy the file, kevent sees the new file getting
opened and triggering the file update.
2024-01-17 21:38:26 -08:00
John Bland
41ea1109ec update uses of wolfSSL_X509_new and wolfSSL_X509_d2i
where heap doesn't require a new ex function or struct field to avoid size increase
2024-01-17 18:46:24 -05:00
David Garske
4f8fd98d0d Merge pull request #7109 from Frauschi/falcon_compat
PQC: Update Falcon support to match OQS
2024-01-17 14:18:32 -08:00
Andras Fekete
41b70b8386 Giving up and reverting back to what it was. 2024-01-17 17:03:37 -05:00
David Garske
d5d279454b Merge pull request #7137 from douzzer/20240117-nightly-fixes
20240117-nightly-fixes
2024-01-17 13:57:48 -08:00
David Garske
5ef6ed56dc Merge pull request #7135 from lealem47/returnParity
Return correct error code in TEMPLATE DecodeECC_DSA_Sig_Ex
2024-01-17 12:34:52 -08:00
Andras Fekete
81aa495b51 Fix missing tags 2024-01-17 14:46:19 -05:00
Daniel Pouzzner
64667a5595 src/crl.c: fix "null pointer passed as argument 2" in new XMEMCPY() call in WC_RSA_PSS path of DupCRL_Entry(), added in b140f93b17, detected by gcc 14.0.0_pre20240107 p15 with sanitizers. 2024-01-17 13:38:05 -06:00
John Bland
03f32b623f update based on PR comments 2024-01-17 13:22:58 -05:00
David Garske
0b167faa56 Merge pull request #7133 from miyazakh/arm_isb
fix unsupported arm instruction compile error
2024-01-17 09:44:49 -08:00
John Bland
d1a3646d5c add heap hint support for a few of the x509 functions 2024-01-17 11:26:52 -05:00
Tobias Frauenschläger
b2888a9467 Update Falcon support to match OQS
Update the OIDs and related variables to match the current OQS values.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-01-17 16:54:26 +01:00
Lealem Amedie
cbc8e98876 Return correct error code in TEMPLATE DecodeECC_DSA_Sig_Ex 2024-01-17 08:49:09 -07:00
Hideki Miyazaki
b2f971555e isb available > armv6 2024-01-17 13:39:48 +09:00
David Garske
089468fbf1 Merge pull request #7132 from ejohnstown/x25519-ecdhe-psk
ECDHE-PSK with x25519
2024-01-16 20:16:01 -08:00
David Garske
11029127df Merge pull request #7119 from JacobBarthelmeh/crl
support for RSA-PSS signatures with CRL
2024-01-16 15:23:16 -08:00
Hideki Miyazaki
1af3502204 Merge pull request #7115 from TakayukiMatsuo/jpcmac
Update cmac-api documents
2024-01-17 08:18:11 +09:00
John Safranek
746ffac84a ECDHE-PSK with x25519
1. Add missing assignment of the WOLFSSL object's ecdhCurveOid value. It
   is set correctly in the previous cases, but got missed for ECDHE-PSK.
2. Add test cases to the unit testing.
2024-01-16 15:18:05 -08:00
JacobBarthelmeh
b140f93b17 refactor sigParams allocation and adjust test file name 2024-01-16 14:41:24 -07:00
TakayukiMatsuo
cdc46a7ddb Update cmac-api documents 2024-01-17 06:21:03 +09:00
Andras Fekete
79272b5861 Only take the latest from the repo. Don't need old history. 2024-01-16 15:41:15 -05:00
David Garske
7a77d64d56 Merge pull request #7059 from bigbrett/cryptocb-oneshot-cmac
Add cryptoCb hook to one-shot CMAC functions
2024-01-16 12:17:05 -08:00
Andras Fekete
a51c8d54d2 Standardize script style 2024-01-16 11:58:34 -05:00
Andras Fekete
5fc32a1124 Add in 'make check' bypass 2024-01-16 11:58:10 -05:00
JacobBarthelmeh
114d11a8d8 adding RSA-PSS macro guard around CRL use 2024-01-15 15:33:01 -07:00
JacobBarthelmeh
b38e20a721 add crl_rsapss.pem to make dist 2024-01-15 15:19:04 -07:00
David Garske
d4272bb48d Merge pull request #7129 from bandi13/configurePrintout
Print out how ./configure was called
2024-01-15 11:01:19 -08:00
Brett Nicholas
abbf9f2b77 Add cryptoCb hooks to one-shot CMAC functions; add CMAC coverage to cryptoCb tests; add context argument to CMAC generate_ex 2024-01-15 11:52:17 -07:00
Andras Fekete
b5015df35f Print out how ./configure was called
This will make debugging and tracing back from logs much easier
2024-01-15 10:07:00 -05:00
JacobBarthelmeh
5fc71161e9 add crl rsa pss for asn=original 2024-01-11 16:50:16 -07:00
Sean Parkinson
49d258f01a Merge pull request #7124 from SKlimaRA/SKlimaRA/tls13SessionTicketDoubleFree
fixed double free happening during EvictSessionFromCache
2024-01-12 09:09:29 +10:00
Sean Parkinson
9137ed671e Merge pull request #7107 from ejohnstown/fips-script
FIPS Script
2024-01-12 05:07:04 +10:00
Stanislav Klima
909b437571 cleared ticket and ticketNonce 2024-01-11 19:59:12 +01:00
Stanislav Klima
e63c50b1f3 fixed double free happening during EvictSessionFromCache 2024-01-11 19:52:03 +01:00
Sean Parkinson
8c6de41eb9 Merge pull request #7051 from JacobBarthelmeh/mb
fix and enhancement for AES-GCM use with Xilsecure
2024-01-12 03:44:43 +10:00
Sean Parkinson
5e8fca420e Merge pull request #7127 from dgarske/cryptocb_defhash
Fix for crypto callbacks to allow invalid devId for non _ex single shot hash functions
2024-01-11 11:22:26 +10:00
Eric Blankenhorn
535d507c16 XC32 compiler version 4.x compatibility 2024-01-10 16:34:40 -08:00
David Garske
340aed5498 Fix for crypto callbacks to allow invalid devId for non _ex single shot hash functions. 2024-01-10 15:33:10 -08:00
John Safranek
d9751aa103 FIPS Script
1. Update fips-check.sh for checking out v5.2.0.1 of the fips.c file.
2024-01-10 15:12:59 -08:00
Sean Parkinson
06d7b14af1 Merge pull request #7122 from julek-wolfssl/curl-deps
Add curl dependencies
2024-01-11 01:35:07 +10:00
David Garske
a2cfa35dc1 Merge pull request #7123 from bandi13/liberationFromGitHooks
Since no one uses this, we should remove commit hooks
2024-01-09 23:03:08 -08:00
David Garske
06a32d3437 Merge pull request #7097 from lealem47/removeUserCrypto
Remove user-crypto functionality and Intel IPP support
2024-01-09 17:33:28 -08:00
Andras Fekete
f3761ed28e Since no one uses this, we should remove commit hooks 2024-01-09 20:31:44 -05:00
Juliusz Sosinowicz
cae231b557 Add curl dependencies 2024-01-09 22:47:59 +01:00
JacobBarthelmeh
cd07e32b13 update crl files and add in compat support for RSA-PSS 2024-01-08 16:38:11 -08:00
billphipps
5631bc9b2d Merge pull request #7118 from douzzer/20240107-fix-linuxkm-commercial-POC
20240107-fix-linuxkm-commercial-POC
2024-01-07 14:33:06 -05:00
Daniel Pouzzner
d722276c50 linuxkm/module_hooks.c: add proper gating for my_fpregs_[un]lock(). 2024-01-07 11:16:43 -06:00
Sean Parkinson
0ebf82474a Merge pull request #7117 from douzzer/20240105-linuxkm-commercial-POC
20240105-linuxkm-commercial-POC
2024-01-07 15:15:56 +10:00
Sean Parkinson
08aa39f538 Merge pull request #7094 from dgarske/armasm_thumb_aes
Fixes for ARM ASM with Thumb
2024-01-07 15:10:16 +10:00
Daniel Pouzzner
9c36bb9073 linuxkm: add WOLFSSL_COMMERCIAL_LICENSE alternative to kernel_fpu_begin()/kernel_fpu_end() in save_vector_registers_x86()/restore_vector_registers_x86(): allocate wc_linuxkm_fpu_savebufs as a buffer for os_xsave()/os_xrstor(), and use fpregs_lock()/fpregs_unlock() to inhibit softirqs/preemption. 2024-01-05 23:21:24 -06:00
JacobBarthelmeh
d58acef895 add RSA-PSS CRL test case 2024-01-05 14:47:53 -08:00
JacobBarthelmeh
74f0625c89 add native asn template RSA-PSS support with CRL 2024-01-05 14:25:12 -08:00
Daniel Pouzzner
d5d476a3a1 Merge pull request #7113 from bandi13/codeSonarFixes
Leak
2024-01-05 12:38:17 -05:00
David Garske
8026aa44c8 Merge pull request #7114 from douzzer/20240104-with-liboqs-clang-tidy
20240104-with-liboqs-clang-tidy
2024-01-05 09:17:41 -08:00
David Garske
9e28d5010c Fixes for ARM ASM with Thumb. Fix for AES ECB build with Thumb. Add alignment to thumb2 AES tables. Refactor alignment macros and expose generic alignment macro XALIGNED. The WOLFSSL_USE_ALIGN still controls alignment enablement in wolfSSL/wolfCrypt. ZD 17225 and ZD 17226 2024-01-05 08:16:02 -08:00
Andras Fekete
f84fa8dd8d Uninitialized variable
Warning 581199.5810097
2024-01-04 17:13:28 -05:00
David Garske
77818d9c54 Merge pull request #6939 from danielinux/iotsafe_4B_ID
IoT-SAFE: allow for 4B ID fields
2024-01-04 13:57:26 -08:00
Daniel Pouzzner
7f53bcc4d0 fixes for clang-tidy reported defects and misstylings --with-liboqs:
* readability-named-parameter (style)
* bugprone-sizeof-expression (true bugs)
* clang-analyzer-deadcode.DeadStores (true bugs)
* clang-analyzer-core.NonNullParamChecker (true bug)
* clang-diagnostic-newline-eof (style)
* clang-diagnostic-shorten-64-to-32 (true but benign in practice)

fixes for sanitizer reported defects --with-liboqs: null pointer memcpy()s in TLSX_KeyShare_GenPqcKey() and server_generate_pqc_ciphertext().

fixes for silent crypto-critical failure in wolfSSL_liboqsGetRandomData(): refactor to accommodate oversize numOfBytes, and abort() if wc_RNG_GenerateBlock() returns failure.
2024-01-04 15:57:09 -06:00
Sean Parkinson
9e468a900b Merge pull request #7096 from julek-wolfssl/zd/17219
Add fencing to ClientSessionToSession()
2024-01-05 07:24:00 +10:00
Sean Parkinson
a8c94cf22b Merge pull request #7102 from julek-wolfssl/gh/7093
server: allow reading 0-RTT data after writing 0.5-RTT data
2024-01-05 07:20:53 +10:00
Sean Parkinson
32f3f7daab Merge pull request #7111 from Frauschi/fix_implicit_conversion
Fix implicit type conversion
2024-01-05 07:17:31 +10:00
Daniele Lacamera
bda44eda4a IoT-SAFE: allow for 4B ID fields 2024-01-04 19:18:40 +01:00
Tobias Frauenschläger
3fbbc7c1bb Fix implicit conversion.
Fix implicit type conversion from size_t to word32 in liboqs.c source
file to make it build with clang.

Fixes #7108.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2024-01-04 16:55:19 +01:00
Juliusz Sosinowicz
0e1573accc Code review 2024-01-04 13:49:47 +01:00
Juliusz Sosinowicz
14c812cdb7 Code review
Add server side check
2024-01-04 13:19:44 +01:00
Juliusz Sosinowicz
5bdcfaa5d0 server: allow reading 0-RTT data after writing 0.5-RTT data 2024-01-04 13:19:44 +01:00
Daniel Pouzzner
9db20774d8 Merge pull request #7099 from jpbland1/tls13-bounds-check
TLS13 padding bounds check
2024-01-04 01:09:36 -05:00
John Bland
b37716f5ce refactor and remove word16 index 2024-01-03 19:19:13 -05:00
John Bland
245c87fe8f clean up variable definitions 2024-01-03 17:39:20 -05:00
John Bland
e1435e96d2 do bounds check on full word32 size to match
inputBuffer length
2024-01-03 17:21:08 -05:00
JacobBarthelmeh
3f10496757 add weak source of entropy on microblaze to test with 2024-01-03 13:35:00 -08:00
Daniel Pouzzner
bcfaf0372c Merge pull request #7026 from Frauschi/liboqs
Improve liboqs integration
2024-01-03 16:20:26 -05:00
Sean Parkinson
52db533d9b Merge pull request #7106 from bandi13/20231114-codesonar-fixes
20231114 codesonar fixes
2024-01-04 07:16:33 +10:00
Sean Parkinson
100c2ecd6a Merge pull request #7091 from JacobBarthelmeh/forcezero
SHA256 uses ForceZero now too
2024-01-04 07:06:44 +10:00
Daniel Pouzzner
7e60b029c2 Merge branch 'master' into liboqs 2024-01-03 15:56:05 -05:00
Andras Fekete
e5d8ce9983 Fix memset size 2024-01-03 11:09:20 -05:00
Andras Fekete
d164a6c543 Buffer Overrun
Warning 545843.5806721
2024-01-03 10:00:31 -05:00
Andras Fekete
b206e074fc Uninitialized Variable
Warning 545067.3236517
2024-01-03 09:59:18 -05:00
Andras Fekete
f5c3fcfec4 Uninitialized variable
Warning 581107.3236416
2024-01-03 09:59:18 -05:00
Andras Fekete
c404df78b1 Uninitialized variable
Warning 581196.3236230
2024-01-03 09:59:18 -05:00
Andras Fekete
f00c5eb95d Fix double free
Warning 546055.3229451
2024-01-03 09:59:18 -05:00
John Bland
36c89cc5ad clean up some post-rebase issues 2024-01-02 20:12:13 -05:00
John Bland
b62f582fcc copy full inner hashes to hsHashesEch so that it has
the unmodified hrr and sh in the digest
2024-01-02 19:33:22 -05:00
John Bland
f6555fd753 update ech to use separate hsHashes for the ech log
which are not restarted and the inner hsHashes which are restared on HRR. also send empty string with 0 encLen when sending clientHelloInner2. setup works wolfssl->wolfssl but fails to match acceptance for first HRR message when talking to an openssl server, does still work without HRR when talking to cloudflare's server without HRR.
2024-01-02 19:31:52 -05:00
John Bland
36623f0869 fix ech config parsing to handle 1 byte public name len 2024-01-02 19:30:39 -05:00
John Bland
a5963b4b9f free the innerClientHello since it may be previously
allocated if an hrr happened
2024-01-02 19:30:38 -05:00
John Bland
c0b49ce443 stop double-populating the ech extension since that
blows away the ech and it's current hpke context, causing the hrr handling to fail
2024-01-02 19:30:38 -05:00
Daniel Pouzzner
461cf9ea71 Merge pull request #7103 from philljj/fix_infer_issues
Fix infer issues
2024-01-02 15:40:24 -05:00
jordan
e175004f85 Fix Infer Uninitialized Values. 2024-01-02 12:16:20 -06:00
JacobBarthelmeh
3901fa6a96 fix check on non aad use 2024-01-02 08:50:59 -08:00
JacobBarthelmeh
f8dbc7f15c use of device key with AES-GCM and add way to avoid malloc for tag 2024-01-02 08:50:59 -08:00
JacobBarthelmeh
567243d257 touch up autoconf build with xilinx and sp macro guards 2024-01-02 08:50:59 -08:00
Daniel Pouzzner
c8188eaabd Merge pull request #7100 from philljj/zd17237
Fix uninitialized keyUsage in DecodeKeyUsage.
2024-01-02 01:51:45 -05:00
Daniel Pouzzner
6de275111b Merge pull request #7101 from miyazakh/ra_fsp3p5
fix include path for FSP 3.5 on Renesas RA6M4
2024-01-02 01:18:18 -05:00
John Bland
a23edb84d4 only copy the hsHashes if the server is actually using ech 2023-12-29 16:31:13 -05:00
John Bland
4c63ec3fce fix memory leaks 2023-12-29 16:31:13 -05:00
John Bland
bc77f9f466 fix writing empty string when sending enc in response
to an hrr, fix bad getSize for hrr ech, fix using the wrong transcript hash for hrr ech, add new hrr test for ech to api.c
2023-12-29 16:30:34 -05:00
John Bland
167c702b6f don't mix declaration with code to satisfy compiler 2023-12-29 16:30:34 -05:00
John Bland
000c42ef70 fix implicit cast 2023-12-29 16:30:34 -05:00
John Bland
dfb45bc40e fix unitialized variable 2023-12-29 16:30:31 -05:00
John Bland
037c44609d refactor ECH code to handle hrr with special confirmation 2023-12-29 16:29:34 -05:00
John Bland
83d7225236 update ech to use multi use hpke context, still doesn' handle HRR 2023-12-29 16:15:56 -05:00
John Bland
34d7229d4e add functions for using an hpke context multiple times 2023-12-29 16:15:54 -05:00
David Garske
faeae02030 Merge pull request #7104 from douzzer/20231227-cppcheck-2v13v0
20231227-cppcheck-2v13v0
2023-12-28 18:03:26 -08:00
Daniel Pouzzner
b17ec3b4bc cppcheck-2.13.0 mitigations peer review:
* add explanation in DoSessionTicket() re autoVariables.
* re-refactor ECC_KEY_MAX_BITS() in ecc.c to use two separate macros, ECC_KEY_MAX_BITS() with same definition as before, and ECC_KEY_MAX_BITS_NONULLCHECK().
* in rsip_vprintf() use XVSNPRINTF() not vsnprintf().
* in types.h, fix fallthrough definition of WC_INLINE macro in !NO_INLINE cascade to be WC_MAYBE_UNUSED as it is when NO_INLINE.
2023-12-28 16:38:47 -06:00
Daniel Pouzzner
44b18de704 fixes for cppcheck-2.13.0 --force:
* fix null pointer derefs in wc_InitRsaKey_Id() and wc_InitRsaKey_Label() (nullPointerRedundantCheck).
* fix use of wrong printf variant in rsip_vprintf() (wrongPrintfScanfArgNum).
* fix wrong printf format in bench_xmss_sign_verify() (invalidPrintfArgType_sint).
* add missing WOLFSSL_XFREE_NO_NULLNESS_CHECK variants of XFREE() (WOLFSSL_LINUXKM, FREESCALE_MQX, FREESCALE_KSDK_MQX).
* suppress false-positive uninitvar on "limit" in CheckTLS13AEADSendLimit().
* suppress true-but-benign-positive autoVariables in DoClientHello().
* in wolfcrypt/src/ecc.c, refactor ECC_KEY_MAX_BITS() as a local function to resolve true-but-benign-positive identicalInnerCondition.
* refactor flow in wc_ecc_sign_hash_ex() to resolve true-but-benign-positive identicalInnerCondition.
2023-12-28 15:06:21 -06:00
Hideki Miyazaki
e3346fe3c4 fix include path for FSP 3.5 2023-12-28 16:00:05 +09:00
jordan
46bf30ca77 Fix uninitialized keyUsage in DecodeKeyUsage. 2023-12-27 22:58:52 -06:00
Daniel Pouzzner
457188f55e Merge pull request #7070 from dgarske/cryptocb_moreinfo
Fixes for TLS with crypto callbacks
2023-12-27 18:55:56 -05:00
David Garske
1c4d7285d3 Add documentation for HKDF functions. Improve param comments for devId. 2023-12-27 13:56:40 -08:00
lealem47
fc3977fc77 Merge pull request #7098 from dgarske/stm32_pka
Fixes for STM32 PKA
2023-12-27 14:36:53 -07:00
John Bland
e641c6b738 when removing the padding for the TLS13 verify message
step, check that the index doesn't wrap around due to a malformed packet
2023-12-27 16:06:40 -05:00
David Garske
cca6cc0495 Make new HDFK _ex functions public. 2023-12-27 11:40:29 -08:00
David Garske
c37edb09f7 Fix STM32 PKA V2 (STM32U5) point multiply missing order/coefB. 2023-12-27 11:37:16 -08:00
Lealem Amedie
837452b1ca Remove user-crypto functionality and Intel IPP support 2023-12-27 12:24:19 -07:00
David Garske
be8000d5f7 Add useful information about single precision math and document options for enabling additional curves/key sizes. 2023-12-27 10:27:56 -08:00
David Garske
0d057099af Fix line lengths. 2023-12-27 10:12:52 -08:00
David Garske
65ba8bd6ba Improve detection of FP_MAX_BITS for RSA or DH. 2023-12-27 10:11:06 -08:00
David Garske
3a798e148b Fix STM32 PKA ECC cast warning. 2023-12-27 09:57:40 -08:00
David Garske
b86dfffdbe Improve the TLS v1.3 expand key label warning for possible use of uninitialized "hash". 2023-12-27 09:52:56 -08:00
Juliusz Sosinowicz
157753defe Detect if using C99 and use correct inline asm notation 2023-12-27 18:02:13 +01:00
Juliusz Sosinowicz
4b21cf3efc Add fencing to ClientSessionToSession()
Prevent memory access before clientSession->serverRow and clientSession->serverIdx are sanitized.

Fixes ZD17219

Co-authored-by: Daniele Lacamera <dan@danielinux.net>
2023-12-27 16:23:52 +01:00
David Garske
b8392ef659 Merge pull request #7092 from douzzer/20231224-clang-unreachable-code-aggressive
20231224-clang-unreachable-code-aggressive
2023-12-26 14:56:42 -08:00
Daniel Pouzzner
e68facd889 src/ssl.c: in wolfSSL_curve_is_disabled(), fix shiftTooManyBitsSigned. 2023-12-25 00:27:49 -06:00
Daniel Pouzzner
8a32e7f3f9 fixes for clang -Wunreachable-code-aggressive:
tests/suites.c: in SuiteTest(), swap order of (void)s and return.

wolfcrypt/src/chacha.c: gate out unreachable C wc_Chacha_encrypt_bytes() call in wc_Chacha_Process, and gate out unused implementations of wc_Chacha_wordtobyte() and wc_Chacha_encrypt_bytes(), when defined(USE_INTEL_CHACHA_SPEEDUP).

wolfcrypt/src/sha256.c and wolfcrypt/src/sha512.c: fix logic in Sha256_SetTransform() and Sha512_SetTransform() to make the AVX1_RORX implementations accessible.  also add a missing Transform_Sha512_Len_p = NULL in the C path of Sha512_SetTransform().

wolfssl/internal.h: for the fallback definition of wolfSSL_curve_is_disabled, use an inline function instead of a compound-clause macro, because clang isn't smart enough to treat the compound expression as a bare constant zero, producing a lame-positive -Wunreachable-code.
2023-12-25 00:23:37 -06:00
JacobBarthelmeh
a97ee9d220 SHA256 uses ForceZero now too 2023-12-22 15:09:34 -08:00
David Garske
d9ac8b5422 Peer review fixes. Fix issues with Tls13HKDFExpandKeyLabel. Fix crypto callback line lengths. 2023-12-22 14:16:59 -08:00
JacobBarthelmeh
daf1d1728f Merge pull request #7090 from douzzer/20231222-clang-unreachable-code-aggressive
20231222-clang-unreachable-code-aggressive
2023-12-22 14:51:20 -07:00
Daniel Pouzzner
e65e9f11c7 fixes for clang -Wunreachable-code-aggressive (-Wunreachable-code/clang-diagnostic-unreachable-code in src/ssl.c:wolfSSL_CTX_load_verify_buffer_ex() and -Wunreachable-code/clang-diagnostic-unreachable-code-return in api.c:myCEKwrapFunc()). 2023-12-22 14:12:13 -06:00
Daniel Pouzzner
59cdd5c70f Merge pull request #7082 from bandi13/ARIA_Sign_fix
Aria sign fix
2023-12-21 19:01:54 -05:00
Sean Parkinson
f77f7c70d3 Merge pull request #7018 from dgarske/ti_aes
Fixes for TI AES and SHA
2023-12-22 07:55:00 +10:00
Sean Parkinson
f5ff72aa56 Merge pull request #7087 from dgarske/cryptocb_sha1
Allow crypto callbacks with SHA-1 HW
2023-12-22 07:54:50 +10:00
Andras Fekete
b5592c4571 Addressing PR comments 2023-12-21 16:48:15 -05:00
Sean Parkinson
00c9625ab8 Merge pull request #7081 from gojimmypi/PR-Espressif-ESP32-C2
Add wolfcrypt SHA support for ESP32-C2/ESP8684, other minor updates
2023-12-22 07:23:51 +10:00
Sean Parkinson
a5a2b3752d Merge pull request #7077 from gojimmypi/PR-Espressif-threads
wolfSSL_NewThread() type update for Espressif FreeRTOS
2023-12-22 07:22:33 +10:00
David Garske
0d212d8055 Further cleanup for Hashes.sha when not required. Gate all TLS SHA-1 on either old TLS or WOLFSSL_ALLOW_TLS_SHA1. 2023-12-21 09:41:29 -08:00
Daniel Pouzzner
5b3aaf8bbd Merge pull request #7086 from dgarske/rpm_spec
Remove obsolete mkdir call
2023-12-21 00:37:22 -05:00
David Garske
9311a961a0 Allow crypto callbacks with SHA-1 HW. Resolves build error in test.c with trying to use HW SHA-1 with crypto cb enabled. Note: sha.h changes are very small if ignoring whitespace. 2023-12-20 15:48:21 -08:00
David Garske
86f9171050 Remove obsolete mkdir call. 2023-12-20 14:52:08 -08:00
David Garske
a5464a9b51 Merge pull request #7083 from douzzer/20231219-clang-analyzer-optin.core.EnumCastOutOfRange
20231219-clang-analyzer-optin.core.EnumCastOutOfRange
2023-12-20 14:18:06 -08:00
Daniel Pouzzner
805c2d4487 Merge pull request #7085 from dgarske/async_v5.6.6
Fix for invalid `dh_ffdhe_test` test case using Intel QuickAssist
2023-12-20 15:31:58 -05:00
David Garske
00f196d497 Fix for invalid dh_ffdhe_test test with even P when using Intel QuickAssist. 2023-12-20 11:30:17 -08:00
Daniel Pouzzner
f2d573f01f wolfssl/wolfcrypt/asn.h, src/ssl.c: add "ANONk" to enum Key_Sum, and use the new value in wolfSSL_get_sigalg_info(), fixing clang-analyzer-optin.core.EnumCastOutOfRange.
add suppressions in tests for expected clang-analyzer-optin.core.EnumCastOutOfRange's.
2023-12-19 18:14:29 -06:00
Andras Fekete
77e8a66ca3 Not cryptocb's job to sanity check input
Don't need to check parameters at every level
2023-12-19 15:55:38 -05:00
Andras Fekete
12192b7683 Set result to invalid as first step 2023-12-19 15:54:25 -05:00
Andras Fekete
f45ffd8802 Rename variable to keep the names similar across functions 2023-12-19 15:37:58 -05:00
Andras Fekete
9e974027a8 Fix ARIA signing
Used the wrong function to extract key
2023-12-19 15:33:28 -05:00
David Garske
41d4f4a972 Fix TLS v1.2 case where SHA-1 could be used uninitialized. Exclude the SHA1 struct from HS_Hashes when not needed. Fixes mix-match of the SHA-1 with NO_OLD_TLS and WOLFSSL_ALLOW_TLS_SHA1. 2023-12-19 12:30:53 -08:00
David Garske
fb5eab8f79 Fix one shot hash routines to attempt offloading to crypto callbacks. Fix random.c health test to use devId. Fix FIPS unused "ssl". 2023-12-19 11:20:56 -08:00
David Garske
2001d1c74b Fixes for TLS v1.3 with crypto callbacks not offloading DeriveKeyMsg, KDF HMAC and ECH. 2023-12-19 08:15:58 -08:00
David Garske
66596ad9e1 Merge pull request #7075 from cconlon/v5.6.6-prep
5.6.6 version bump and README changes
2023-12-18 19:14:18 -08:00
gojimmypi
07a5566c52 Add wolfcrypt SHA support for ESP32-C2, other minor updates 2023-12-18 17:35:43 -08:00
David Garske
90748b5f61 Remove the SHA1-/SHA2-256 auto devId selection devId = wc_CryptoCb_GetDevIdAtIndex(0); 2023-12-18 17:14:58 -08:00
David Garske
8b203719d3 Add support for using devId with one-shot hash functions. 2023-12-18 17:14:43 -08:00
David Garske
d5e83310b6 Fix typo with HMAC determination of update/final. 2023-12-18 17:11:33 -08:00
David Garske
205403ebb2 Add more information in the DEBUG_CRYPTOCB. 2023-12-18 17:11:16 -08:00
Lealem Amedie
dd55cdbea8 Initialize variables to NULL 2023-12-18 16:51:51 -07:00
Chris Conlon
5046e577d3 update ChangeLog/README with 5.6.6 release information 2023-12-18 15:24:14 -07:00
Chris Conlon
a003338a88 bump version to 5.6.6 2023-12-18 12:16:34 -07:00
philljj
4e081960d3 Merge pull request #7078 from douzzer/20231218-AddSessionToClientCache-round-2
20231218-AddSessionToClientCache-round-2
2023-12-18 13:15:52 -06:00
Daniel Pouzzner
7eed28fbe0 src/ssl.c: in AddSessionToClientCache(), remove benign frivolous assignment, and fix so that ret is assigned only if no error. 2023-12-18 11:15:28 -06:00
Chris Conlon
3e483f32a4 Merge pull request #7076 from douzzer/20231216-client_usage_msg-array-length
20231216-client_usage_msg-array-length
2023-12-18 09:30:49 -07:00
gojimmypi
da644c7be3 wolfSSL_NewThread() type update for Espressif FreeRTOS 2023-12-17 11:59:42 -08:00
Daniel Pouzzner
ff9fee758e examples/client/client.c: fix client_usage_msg undersized array dimension. 2023-12-16 13:22:22 -06:00
Tobias Frauenschläger
8a89470422 Fix for liboqs on zephyr
When using WolfSSL on zephyr, we need POSIX names for networking systems
calls. This can either be enabled with CONFIG_NET_SOCKETS_POSIX_NAMES or
with CONFIG_POSIX_API. This commit enables support for the latter.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2023-12-16 12:40:26 +01:00
Tobias Frauenschläger
0780fd9719 liboqs: add RNG support for sphincs
Added a RNG argument to the wc_sphincs_sign_msg method to properly
generate necessary random data using the desired WolfSSL RNG object.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2023-12-16 12:40:26 +01:00
Tobias Frauenschläger
85c40b1728 liboqs: add RNG support for falcon
Added a RNG argument to the wc_falcon_sign_msg method to properly
generate necessary random data using the desired WolfSSL RNG object.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2023-12-16 12:40:26 +01:00
Tobias Frauenschläger
ec86a86096 liboqs: add RNG support for dilithium
Added a RNG argument to the wc_dilithium_sign_msg method to properly
generate necessary random data using the desired WolfSSL RNG object.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2023-12-16 12:40:26 +01:00
Tobias Frauenschläger
755c385b1f Liboqs: use WolfSSL RNG
Improve the interface to liboqs by properly configuring and using the
RNG provided by WolfSSL from within liboqs.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2023-12-16 12:40:25 +01:00
Tobias Frauenschläger
d31e2c3581 Added PQC support for the Zephyr port using liboqs
Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2023-12-16 12:40:25 +01:00
Chris Conlon
64e48deb0e Merge pull request #7074 from douzzer/20231215-srtp-cleanup
20231215-srtp-cleanup
2023-12-15 14:31:32 -07:00
Daniel Pouzzner
ef14176b7f SRTP fixes:
* in wolfssl/ssl.h, add missing arg names to wolfSSL_CTX_set_tlsext_use_srtp(), wolfSSL_set_tlsext_use_srtp(), and wolfSSL_export_dtls_srtp_keying_material();
* in wolfcrypt/src/kdf.c, call wc_AesFree if and only if wc_AesInit() succeeded;
* in src/ssl.c:DtlsSrtpSelProfiles(), fix bugprone-inc-dec-in-conditions;
* in tests/suites.c:execute_test_case(), fix several -Wdeclaration-after-statement and -Wmissing-field-initializers;
* in wolfcrypt/test/test.c, fix a shiftTooManyBitsSigned warning in srtpkdf_test(), and fix a typo (kaSz/ksSz).
2023-12-15 14:06:36 -06:00
Daniel Pouzzner
8f2a48c676 Merge pull request #7073 from julek-wolfssl/move-mutex-init
Move the mutex initializer into the appropriate existing section
2023-12-15 12:17:37 -05:00
Chris Conlon
62b3ca5fb5 Merge pull request #7071 from douzzer/20231214-WOLF_CRYPTO_CB-not-WC_AESFREE_IS_MANDATORY
20231214-WOLF_CRYPTO_CB-not-WC_AESFREE_IS_MANDATORY
2023-12-15 09:25:48 -07:00
Juliusz Sosinowicz
57355f357e Move the mutex initializer into the appropriate existing section 2023-12-15 10:03:06 +01:00
Daniel Pouzzner
7ebbb927f3 wolfssl/wolfcrypt/aes.h: don't set WC_AESFREE_IS_MANDATORY for WOLF_CRYPTO_CB -- free is only needed when callbacks are both installed and used. 2023-12-14 18:09:39 -06:00
Chris Conlon
2ffc818c28 Merge pull request #7069 from douzzer/20231213-misc-fixes
20231213-misc-fixes
2023-12-14 15:18:12 -07:00
David Garske
4b771a9b28 Document new macro and rename to: NO_TIME_SIGNEDNESS_CHECK 2023-12-14 13:58:29 -08:00
Chris Conlon
27c6ee4d05 Merge pull request #7068 from SparkiDev/srtp_kdf_label
SRTP/SRTCP KDF: add APIs that derives one key from a label
2023-12-14 14:54:58 -07:00
Chris Conlon
fb6b022f42 Merge pull request #7020 from SparkiDev/ecc_gen_k_by_reject
ECC: generate values in range of order by rejection
2023-12-14 14:54:39 -07:00
David Garske
8b048bc246 Disable the old TI workarounds. Enable support for CCM. 2023-12-14 13:50:03 -08:00
David Garske
f2e4360f8d Spelling fixes. 2023-12-14 12:15:32 -08:00
David Garske
1cf87ce0c9 Spelling fix. 2023-12-14 12:14:30 -08:00
Chris Conlon
f6ef58dbc2 Merge pull request #7064 from philljj/fix_infer_issues
Fix issues from infer diff report.
2023-12-14 12:27:34 -07:00
Daniel Pouzzner
64e4796ed6 wolfssl/wolfcrypt/wc_port.h: add definition for WOLFSSL_MUTEX_INITIALIZER, currently only #ifdef WOLFSSL_PTHREADS.
src/ssl.c: refactor dynamics of count_mutex, count_mutex_valid, and initRefCount, to be intrinsically race-free on pthreads builds, and to be always race-free for callers that call wolfSSL_Init() first, then wait for return before any other wolfSSL calls, and call wolfSSL_Cleanup() at most as many times as wolfSSL_Init().

also, in AddSessionToClientCache(), move final access to ClientCache inside the lock-protected span, to mollify Coverity.
2023-12-14 13:22:27 -06:00
Daniel Pouzzner
16c6bd6846 examples/client/client.c and tests/api.c: add missing CloseSocket() calls. 2023-12-14 13:22:27 -06:00
Chris Conlon
1b76f6d56b Merge pull request #7065 from miyazakh/fix_ra6m3
fix benchmark compile error
2023-12-14 09:15:32 -07:00
Sean Parkinson
659a245b27 SRTP/SRTCP KDF: add APIs that derives one key from a label
Added more generic APIs that derive a single key with a label.
Added defines for label values and index lengths.
2023-12-14 14:45:35 +10:00
Hideki Miyazaki
3af91c265b remove tab 2023-12-14 11:16:36 +09:00
David Garske
0bc244962a Fixes for TI AES GCM and GMAC. 2023-12-13 17:32:45 -08:00
David Garske
c021e3e85d Merge pull request #7066 from cconlon/v5.6.6-fixes
Fixes from release prep testing, example certificate updates
2023-12-13 17:00:45 -08:00
Chris Conlon
d0aa80eb37 update example/test certs for end of year release 2023-12-13 16:41:59 -07:00
Chris Conlon
a14a1bf467 define WOLFSSL_AES_DIRECT in configure.ac with --enable-aes-bitsliced 2023-12-13 16:41:59 -07:00
Chris Conlon
f5d33cedeb add variable name in wolfSSL_BIO_new() prototype 2023-12-13 16:41:59 -07:00
Chris Conlon
255086b7c8 fix API test warning, comparison of unsigned expression < 0 is always false 2023-12-13 16:41:59 -07:00
Chris Conlon
d36538c40a Merge pull request #7063 from embhorn/13dec2023_cov_fixes
Fixes for release
2023-12-13 16:19:13 -07:00
jordan
a1b44b6214 Fix issues from infer diff report: init mp_digit to 0. 2023-12-13 17:17:49 -06:00
Hideki Miyazaki
f209120218 fix benchmark compile error 2023-12-14 07:35:32 +09:00
jordan
f222adf4c2 Fix issues from infer diff report. 2023-12-13 15:59:03 -06:00
Chris Conlon
a66137d2fe Merge pull request #7062 from lealem47/leaks
Cleanup leaks in api.c and benchmark.c
2023-12-13 14:09:23 -07:00
Eric Blankenhorn
1d7fd42aa8 Fixes for release 2023-12-13 14:47:02 -06:00
Lealem Amedie
5fd0470f76 Cleanup leaks in api.c and benchmark.c 2023-12-13 13:00:52 -07:00
David Garske
8acee813cb Merge pull request #7061 from gojimmypi/PR-Espressif-user_settings-fix
Fix missing closing comment on example Espressif user_settings.h
2023-12-13 10:44:20 -08:00
Chris Conlon
3d959b96c9 Merge pull request #7060 from dgarske/various_20231212
Fix for benchmark without filesystem unused globals
2023-12-13 11:29:28 -07:00
David Garske
56c7e5c675 Merge pull request #7054 from cconlon/sslAlpnSelectCb
Add wolfSSL_set_alpn_select_cb() for setting ALPN select callback on WOLFSSL session
2023-12-13 09:24:07 -08:00
gojimmypi
eeb024a30d fix missing closing comment on example user_settings.h 2023-12-13 09:19:39 -08:00
Chris Conlon
269542ed96 add wolfSSL_set_alpn_select_cb() for WOLFSSL-level ALPN select callbacks 2023-12-13 09:16:44 -07:00
Sean Parkinson
b7b20ededd Merge pull request #7058 from lealem47/zd17174
Check buffer length before XMEMCMP in GetOID
2023-12-13 14:36:23 +10:00
Sean Parkinson
cbd5341332 Merge pull request #7056 from douzzer/20231212-QUIC-WOLFSSL_CALLBACKS-error
20231212-QUIC-WOLFSSL_CALLBACKS-error
2023-12-13 14:34:19 +10:00
Sean Parkinson
d455196955 Merge pull request #7055 from dgarske/fix_rpmspec
Fixes for RPM Spec: Move the .so to devel files
2023-12-13 14:33:09 +10:00
Sean Parkinson
f12b61183b Merge pull request #7029 from julek-wolfssl/zd/17108-fix
Additional TLS checks
2023-12-13 14:31:11 +10:00
David Garske
3b75a41006 Merge pull request #7057 from kaleb-himes/fix-fips-140-3-pr-failure
Address fips 140-3 failures with wolfEngine support enabled
2023-12-12 16:15:40 -08:00
kaleb-himes
ca5adfaecb Add comments per peer review 2023-12-12 15:21:28 -07:00
kaleb-himes
db7f08e12f Address fips 140-3 failures with wolfEngine support enabled 2023-12-12 15:14:51 -07:00
Lealem Amedie
2724edc257 Check buffer length before XMEMCMP in GetOID 2023-12-12 15:13:42 -07:00
Sean Parkinson
ce74a34154 Merge pull request #7019 from dgarske/armasm_mmcau
Patch to support NXP Kinetis MMCAU SHA2-256 with ARM ASM
2023-12-13 07:26:11 +10:00
Sean Parkinson
6e953e4d53 Merge pull request #7044 from julek-wolfssl/zd/17137
ocsp: don't error out if we can't verify our certificate
2023-12-13 07:23:46 +10:00
David Garske
3750ff5205 Fix for benchmark without filesystem and unused hash_input and cipher_input. 2023-12-12 13:22:17 -08:00
Daniel Pouzzner
1cc45b57d7 wolfssl/wolfcrypt/settings.h: add #if defined(WOLFSSL_QUIC) && defined(WOLFSSL_CALLBACKS) #error ("ERROR - tests/quic.c line 1027 failed"). 2023-12-12 14:26:25 -06:00
Juliusz Sosinowicz
493bb1760d Add option to remove early sanity checks 2023-12-12 17:31:48 +01:00
David Garske
573093ddf3 Move the .so to devel files. The pure *.so file is considered a dev file. 2023-12-12 08:15:05 -08:00
Juliusz Sosinowicz
51ba745214 ocsp: don't error out if we can't verify our certificate
We can omit either the CeritificateStatus message or the appropriate extension when we can not provide the OCSP staple that the peer is asking for. Let peer decide if it requires stapling and error out if we don't send it.
2023-12-12 14:49:52 +01:00
Juliusz Sosinowicz
627310d26a Additional TLS checks
- double check which messages need to be encrypted
- check msgs that have to be last in a record

ZD17108
2023-12-12 13:57:12 +01:00
Sean Parkinson
21f53f37a1 ECC: generate values in range of order by rejection
When generating private key and nonce for ECDSA, use rejection sampling.
Note: SP uses this algorithm
2023-12-12 14:55:56 +10:00
Sean Parkinson
1aed438a21 Merge pull request #7053 from douzzer/20231208-asn-big-short-ints
20231208-asn-big-short-ints
2023-12-12 13:53:37 +10:00
Sean Parkinson
043dde18be Merge pull request #7048 from anhu/PQ_uninit_key_free
Prevent freeing uninitialized keys
2023-12-12 13:47:30 +10:00
David Garske
058ffad657 Fix cast warnings on test with -1. 2023-12-11 16:25:47 -08:00
David Garske
8e44018baa Fix TI AES return codes. 2023-12-11 16:10:48 -08:00
David Garske
68cfaa76fc Fix for TI-RTOS time. Cleanup forced settings.h for WOLFSSL_TIRTOS. Compiler warning cleanups. 2023-12-11 15:57:26 -08:00
Kaleb Himes
00a1c68f97 Merge pull request #7052 from dgarske/stm32_fips
Fix to resolve collision between FIPS `RNG` in settings.h and STM32 HAL header
2023-12-11 16:12:07 -07:00
Daniel Pouzzner
c1b5135918 wolfcrypt/src/evp.c and wolfcrypt/test/test.c: in FIPS builds <5.3, gate out AES-XTS functionality that depends on new APIs added in #7031 (b14aba48af and 931ac4e568) (AES-XTS is non-FIPS in FIPS <5.3). 2023-12-11 12:14:29 -06:00
Daniel Pouzzner
9c17d5d2fa support ASN ShortInts up to 4 bytes (2^32-1):
* parameterize MAX_LENGTH_SZ using overrideable WOLFSSL_ASN_MAX_LENGTH_SZ, default value 5 (raised from 4).
* refactor other Misc_ASN constants to refer to MAX_LENGTH_SZ as appropriate.
* tweak BytePrecision() appropriately.
* refactor SetShortInt() to use BytePrecision() and include a length assert against MAX_SHORT_SZ to assure no buffer overruns with reduced WOLFSSL_ASN_MAX_LENGTH_SZ.
2023-12-11 12:14:29 -06:00
David Garske
f068bebb94 Fix to resolve collision between RNG in settings.h and the STM32 Cube HAL (ex: stm32h7xx.h). In STM32 platforms we use NO_OLD_RNGNAME (see https://github.com/wolfSSL/wolfssl/blob/master/examples/configs/user_settings_stm32.h#L616) 2023-12-11 10:01:21 -08:00
David Garske
540012844b Merge pull request #7049 from lealem47/ghIssue6983
Enable cURL and QUIC from CMake
2023-12-11 09:40:31 -08:00
David Garske
cb6676fa27 Merge pull request #7030 from julek-wolfssl/gh/7000
Store ssl->options.dtlsStateful when exporting DTLS session
2023-12-11 09:39:54 -08:00
David Garske
b5eb8995c9 Fix possible unused variable warning. 2023-12-11 09:22:47 -08:00
Juliusz Sosinowicz
4ce4dd7479 Use correct size for memset 2023-12-11 14:30:54 +01:00
Sean Parkinson
03a82711aa Merge pull request #7036 from anhu/SCSV
Make sure to send SCSV when application sets ciphersuites
2023-12-11 07:15:23 +10:00
JacobBarthelmeh
ac447d1afb Merge pull request #7031 from douzzer/20231201-openssl-compat-fixes
20231201-openssl-compat-fixes
2023-12-08 17:25:53 -07:00
JacobBarthelmeh
f708d42ef7 Merge pull request #7046 from dgarske/crl_cleanups
Various cleanups - CRL and comments - 20231207
2023-12-08 17:15:01 -07:00
JacobBarthelmeh
38eddd7f89 Merge pull request #7043 from gojimmypi/PR-Espressif-README
Espressif README files
2023-12-08 17:11:59 -07:00
David Garske
8a5a467543 Patch to support NXP Kinetis MMCAU SHA2-256 (FREESCALE_MMCAU_CLASSIC_SHA) with --enable-armasm. 2023-12-08 15:56:20 -08:00
Lealem Amedie
de4bd42de0 Enable cURL and QUIC from CMake 2023-12-08 15:57:29 -07:00
David Garske
b002c330c0 Fixes for TI AES and SHA. 2023-12-08 14:17:09 -08:00
David Garske
df954568be Fix typos 2. 2023-12-08 14:17:09 -08:00
David Garske
842a60465a Fix compiler error for missing Task_Handle. Fix typo. 2023-12-08 14:17:08 -08:00
David Garske
d17955f2d0 Cleanups for the ti-aes.c code to conform with coding standards. 2023-12-08 14:17:08 -08:00
kareem-wolfssl
0c9555b29e Merge pull request #7045 from julek-wolfssl/memcached-retry
Retry memcached tests 3 times on error
2023-12-08 14:03:54 -07:00
JacobBarthelmeh
0ba3646f32 Merge pull request #7037 from gojimmypi/PR-Expressif-Benchmark
Espressif benchmark update
2023-12-08 13:51:44 -07:00
Juliusz Sosinowicz
1bf0d8c896 Use SIGKILL to actually kill the runner 2023-12-08 20:23:00 +01:00
Anthony Hu
40015a06c4 Prevent freeing uninitialized keys 2023-12-08 13:52:24 -05:00
gojimmypi
62c0910e15 sync w/upstream; resolve merge conflict 2023-12-08 09:06:10 -08:00
JacobBarthelmeh
448b83697a Merge pull request #7035 from gojimmypi/PR-Espressif-wolfcrypt
Espressif wolfcrypt updates
2023-12-08 09:07:46 -07:00
JacobBarthelmeh
ae9632b14a Merge pull request #7025 from bandi13/universalScriptSimplify
Massively simplify apple-universal script
2023-12-08 09:03:30 -07:00
Juliusz Sosinowicz
6c7b47e003 Store ssl->options.dtlsStateful when exporting DTLS session 2023-12-08 15:35:34 +01:00
Juliusz Sosinowicz
21381b939b Retry memcached tests 3 times on error 2023-12-08 13:53:08 +01:00
gojimmypi
17c663b257 Espressif README files 2023-12-07 16:21:50 -08:00
David Garske
434526c345 Expand WOLFSSL_NO_CRL_DATE_CHECK to the process cert CRL next date check. Fix typo for DEBUG_CRYPTOCB. Add comments for wc_ValidateDate arguments. Improve linker script example for FIPS to put stdlib before FIPS and not force KEEP. 2023-12-07 14:45:16 -08:00
JacobBarthelmeh
c4b77adf48 Merge pull request #7007 from night1rider/ardunio-wolfssl
Ardunio Fixes relating to internal Intel Galileo Tests
2023-12-07 14:48:58 -07:00
Sean Parkinson
6c8bf7be55 Merge pull request #6963 from julek-wolfssl/dynamic-certs-n-ciphers
Add API to choose dynamic certs based on client ciphers/sigalgs
2023-12-08 07:45:36 +10:00
Sean Parkinson
61b0efce4f Merge pull request #7039 from embhorn/zd17127
Check for neg size in fp_read_unsigned_bin
2023-12-08 07:44:09 +10:00
gojimmypi
5e5286d30d Merge branch 'master' of https://github.com/wolfSSL/wolfssl into PR-Expressif-Benchmark 2023-12-07 13:26:20 -08:00
Eric Blankenhorn
27e93276de Check for neg size in fp_read_unsigned_bin 2023-12-07 14:26:12 -06:00
Anthony Hu
9fda21748a for clients only 2023-12-07 14:05:33 -05:00
JacobBarthelmeh
5caa71ec6a Merge pull request #7038 from SparkiDev/heapmath_mp_add_d
Heapmath mp_add_d: fix for when a and c same pointer
2023-12-07 10:04:13 -07:00
JacobBarthelmeh
9d0bb4c2bf Merge pull request #7040 from dgarske/win_vs
Fixes for building wolfSSL in Visual Studio
2023-12-07 10:02:33 -07:00
Anthony Hu
3c5b402740 Make sure to send SCSV when application sets ciphersuites 2023-12-07 11:53:55 -05:00
Juliusz Sosinowicz
fbe79d7317 Code review 2023-12-07 11:13:16 +01:00
Daniel Pouzzner
803b17a8b3 src/ssl_crypto.c: in wolfSSL_CMAC_CTX_free(), gate wc_CmacFree() on !FIPS || FIPS>=5.3. 2023-12-06 23:04:52 -06:00
Daniel Pouzzner
106e39bd76 tests/api.c: in test_wc_CmacFinal(), don't use wc_CmacFinalNoFree() if FIPS <5.3. 2023-12-06 21:58:55 -06:00
Daniel Pouzzner
931ac4e568 add documentation for wc_AesXtsInit(), wc_AesXtsSetKeyNoInit(), wc_CmacFinalNoFree(), and wc_CmacFree();
rename wc_AesXtsSetKey_NoInit() to wc_AesXtsSetKeyNoInit() for morphological consistency;

refactor wc_AesXtsSetKey() to call wc_AesXtsSetKeyNoInit() and clean up on failure;

readability tweak in wolfSSL_EVP_CipherFinal().
2023-12-06 19:26:46 -06:00
Daniel Pouzzner
b14aba48af wolfcrypt/src/cmac.c: add wc_CmacFree(), revert wc_CmacFinal(), rename wc_CmacFinal() as wc_CmacFinalNoFree() removing its deallocation clauses, and add new wc_CmacFinal() that calls wc_CmacFinalNoFree() then calls wc_CmacFree() unconditionally, for compatibility with legacy client code (some of which may have previously leaked).
tests/api.c: modify test_wc_CmacFinal() to use wc_CmacFinalNoFree() except for the final call.

wolfcrypt/src/aes.c:
* fix wc_AesEaxEncryptAuth() and wc_AesEaxDecryptAuth() to call wc_AesEaxFree() only if wc_AesEaxInit() succeeded.
* fix wc_AesEaxInit() to free all resources on failure.
* revert wc_AesEaxEncryptFinal() and wc_AesEaxDecryptFinal() changes, then change wc_CmacFinal() calls in them to wc_CmacFinalNoFree() calls.
* wc_AesEaxFree(): add wc_CmacFree() calls.
2023-12-06 16:55:57 -06:00
Sean Parkinson
c6d6100136 Merge pull request #7010 from julek-wolfssl/dtls13-0.5-rtt
dtls13: Add support for 0.5-RTT data
2023-12-07 08:41:42 +10:00
JacobBarthelmeh
0ffb586030 Merge pull request #7032 from SparkiDev/sp_int_neg_mont_red
SP int neg sp_mont_red_ex: disallow negative numbers
2023-12-06 15:04:46 -07:00
Sean Parkinson
226c631feb Heapmath mp_add_d: fix for when a and c same pointer
When parameters a and c to mp_add_d are the same pointer, c->sign was
being set to zero/positive and then a->sign was being checked.
Set the c->sign at end as it will always be zero/positive through the
code and the sign of the result isn't otherwise used.
2023-12-07 07:51:43 +10:00
msi-debian
0ff02e59ba Fixes relating to issues with internal testing with the Intel Galileo,
along with updating the file structure construction for the library.
2023-12-06 14:38:32 -07:00
gojimmypi
f3a9d4a56e Espressif Benchmark ESP-IDF 4.4 fixes 2023-12-06 13:23:14 -08:00
David Garske
db14914951 Fixes for building wolfSSL in Visual Studio. Adds missing files. Fix for type cast warnings. 2023-12-06 13:20:27 -08:00
gojimmypi
4bd78e5e31 Espressif benchmark update 2023-12-06 12:43:42 -08:00
gojimmypi
7de5710a75 Espressif error not warning for legacy macros 2023-12-06 11:01:51 -08:00
gojimmypi
ca1eba0919 Espressif wolfcrypt updates 2023-12-06 10:05:31 -08:00
JacobBarthelmeh
2c9208b0c6 Merge pull request #6765 from kojo1/zd16462
Eliminate bad record mac alert
2023-12-06 09:15:41 -07:00
Sean Parkinson
cf8a6efaa5 SP int neg sp_mont_red_ex: disallow negative numbers
Don't support negative a or m with sp_mont_red_ex().
2023-12-06 08:59:54 +10:00
Daniel Pouzzner
689a82a622 fix AES-related code, in both crypto and TLS layers, for various uninitialized data and resource leak defects around wc_AesInit() and wc_AesFree():
* followup to https://github.com/wolfSSL/wolfssl/pull/7009 "20231128-misc-fixes" and  https://github.com/wolfSSL/wolfssl/pull/7011 "Add missing wc_AesInit calls."

* adds WC_DEBUG_CIPHER_LIFECYCLE, which embeds asserts in low-level AES implementations for proper usage of wc_AesInit() and wc_AesFree().

* fixes native CMAC, AES-EAX, and AES-XTS implementations to assure resource release.

* adds missing wc_AesXtsInit() API, and adds a new wc_AesXtsSetKey_NoInit().

* fixes misspellings in EVP that unconditionally gated out AES-OFB and AES-XTS.

* fixes misspellings in EVP that unconditionally gated out AES-CBC and AES-CFB code in wolfSSL_EVP_CIPHER_CTX_cleanup_cipher().

* openssl compat AES low level cipher API has no counterpart to wc_AesFree(), so these compat APIs will now be gated out in configurations where they would otherwise leak memory or file descriptors (WOLFSSL_AFALG, WOLFSSL_DEVCRYPTO, WOLF_CRYPTO_CB, etc.).  A new macro, WC_AESFREE_IS_MANDATORY, is defined in wolfcrypt/aes.h to streamline this dependency.

* fixes 40 missing EVP_CIPHER_CTX_cleanup()s and 11 wc_AesFree()s in src/ssl.c, src/ssl_crypto.c, tests/api.c, and wolfcrypt/test/test.c.
2023-12-05 15:58:09 -06:00
JacobBarthelmeh
7753e3db8a Merge pull request #6844 from gojimmypi/Espressif-client-server-example
Espressif ESP32 Benchmark, Test, TLS 1.3 Client & Server Updates
2023-12-05 14:20:02 -07:00
JacobBarthelmeh
223d8c9a10 Merge pull request #7004 from julek-wolfssl/zd/17033
x509 AIA: store the first OCSP and CA Issuer URI's
2023-12-05 14:08:43 -07:00
gojimmypi
fb77319758 Espressif examples: polish & misc updates 2023-12-05 10:36:05 -08:00
JacobBarthelmeh
4c85a5a146 Merge pull request #7028 from ejohnstown/ocsp-err-ret
OCSP Error Return
2023-12-05 11:00:51 -07:00
David Garske
b92aa59bd8 Merge pull request #6692 from JacobBarthelmeh/tls13
fix setting ssl error with TLS 1.3 connect socket errors
2023-12-05 09:15:29 -08:00
gojimmypi
ce2c256544 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into Espressif-client-server-example 2023-12-05 08:02:31 -08:00
JacobBarthelmeh
1857648d7d Merge pull request #6976 from embhorn/gh6974
Fix build errors with dtls1.3 and no tls1.2
2023-12-04 14:53:35 -07:00
John Safranek
52658c51a9 OCSP Error Return
1. In CheckOcspResponse(), remove the existing check for UNKNOWN
   certificate status. Given the values of ret and ocsp->error, unknown
   won't get checked.
2. Separated checks for UKNOWN and REJECTED for logging purposes. Return
   that as an error.
3. Anything else should be a failure.
2023-12-04 11:31:04 -08:00
Jacob Barthelmeh
ef536f541f fix setting ssh error with TLS 1.3 connect socket errors 2023-12-04 09:09:09 -07:00
Sean Parkinson
195c14ccaf Merge pull request #6919 from JacobBarthelmeh/cert_dates
add self-sm2-cert.pem to certificate regen script
2023-12-04 09:05:37 +10:00
JacobBarthelmeh
5297cc74b4 Merge pull request #7016 from anhu/aes_init_docs
Add missing references to wc_AesInit in the API docs.
2023-12-01 16:59:49 -07:00
JacobBarthelmeh
adcc21b538 Merge pull request #6997 from cconlon/jniAlwaysVerifyCb
Update --enable-jni with WOLFSSL_ALWAYS_VERIFY_CB
2023-12-01 16:58:08 -07:00
JacobBarthelmeh
3ad0e1ef72 Merge pull request #7021 from res0nance/arm64-aes-gcm-clobber
AES GCM ARM64: Fix clobber lists
2023-12-01 16:52:14 -07:00
JacobBarthelmeh
c4ab1e6d47 Merge pull request #7017 from SparkiDev/asn_tmpl_ecc_raw_to_sig_fix
ASN template: StoreECC_DSA_Sig_Bin
2023-12-01 16:11:15 -07:00
JacobBarthelmeh
fa0362fd2b Merge pull request #7022 from julek-wolfssl/faster-memcached-tests
Parallelised memcached tests
2023-12-01 16:05:17 -07:00
JacobBarthelmeh
44d52c599c Merge pull request #7023 from SparkiDev/test_dsa_fix
Test DSA: fix unused variables
2023-12-01 15:53:08 -07:00
Chris Conlon
883d1a25be add WOLFSSL_ALWAYS_VERIFY_CB to --enable-jni, used with JSSE X509ExtendedTrustManager hostname verification 2023-12-01 09:23:10 -07:00
Andras Fekete
822405a6d8 Massively simplify apple-universal script 2023-12-01 09:44:43 -05:00
Sean Parkinson
02f8735abf Test DSA: fix unused variables
test.c: fix #if protection around unused variables
2023-12-01 11:04:53 +10:00
JacobBarthelmeh
abab390dd4 Merge pull request #7015 from lealem47/zd17088
Reworking MinGW mutex/threading
2023-11-30 17:00:19 -07:00
JacobBarthelmeh
a1e74d9974 Merge pull request #7014 from SparkiDev/ssl_free_tlsx_fixup
SSL_free, TLSX_Remove calls: fix #if protection
2023-11-30 16:56:46 -07:00
Sean Parkinson
8097ed74c3 Merge pull request #7012 from philljj/spelling_cleanup
Used codespell and fixed obvious typos.
2023-12-01 07:24:21 +10:00
Anthony Hu
cfa1b589c6 minor fix again 2023-11-30 15:26:42 -05:00
Anthony Hu
e6bd8dce6e Minor fix. 2023-11-30 15:18:47 -05:00
jordan
9265142369 Used codespell and fixed obvious typos. 2023-11-30 13:09:55 -06:00
JacobBarthelmeh
cbe8309b3b Merge pull request #7013 from SparkiDev/asm_arm_clobber_cc
ARM asm: add "cc" to all clobber lists
2023-11-30 11:05:03 -07:00
JacobBarthelmeh
a7e5c6c721 Merge pull request #7011 from philljj/add_missing_aesinit
Add missing wc_AesInit calls.
2023-11-30 11:01:02 -07:00
JacobBarthelmeh
cc65c3ec98 Merge pull request #7009 from douzzer/20231128-misc-fixes
20231128-misc-fixes
2023-11-30 10:59:42 -07:00
Daniel Pouzzner
cb381a2336 src/tls.c: fix misspelling in TLSX_KeyShare_ProcessPqc(). 2023-11-30 10:12:17 -06:00
Juliusz Sosinowicz
52d6073c9c Parallelised memcached tests 2023-11-30 16:02:13 +01:00
Sean Parkinson
21f662c7d1 ASN template: StoreECC_DSA_Sig_Bin
Strip leading zeros from R and S before encoding in ASN.1.
2023-11-30 20:31:29 +10:00
res0nance
14ba944f6c AES GCM ARM64: Fix clobber lists 2023-11-30 12:33:42 +08:00
Daniel Pouzzner
44db4f3e5a wolfssl/wolfcrypt/settings.h: add needed (void)s for unused args to several XMALLOC/XFREE/XREALLOC macros that were missing them. 2023-11-29 18:34:47 -06:00
jordan
8c1ab783a1 Add missing wc_AesInit calls: small cleanup. 2023-11-29 18:02:45 -06:00
Anthony Hu
ad1f709455 Add missing references to wc_AesInit in the API docs. 2023-11-29 18:47:26 -05:00
Lealem Amedie
e1ac56f2dd Reworking MINGW mutex/threading 2023-11-29 16:45:06 -07:00
Sean Parkinson
7ebad05446 SSL_free, TLSX_Remove calls: fix #if protection
TLSX_Remove calls added to FreeHanshakeResources() for when TLSX_FreeAll
can't be called but TLSX still being used.
Fix #if protection to compile in TLSX_Remove calls when available.
2023-11-30 09:27:29 +10:00
JacobBarthelmeh
6125e595bb Merge pull request #6989 from dgarske/stm32_bench
Updated STM32L4 (Cortex-M at 80MHz) benchmarks
2023-11-29 16:18:29 -07:00
Sean Parkinson
11e5544032 ARM asm: add "cc" to all clobber lists
Carry flags are more often than not affected by assembly code.
Carry wasn't in any inline assembly clobber list.
Always clobber "cc" to be safe.
2023-11-30 08:40:37 +10:00
Juliusz Sosinowicz
e891c721b8 fixup! dtls13: Add support for 0.5-RTT data 2023-11-29 23:22:38 +01:00
Juliusz Sosinowicz
3edfcfe162 Jenkins fixes 2023-11-29 23:17:10 +01:00
Juliusz Sosinowicz
9337cfbb16 Add wolfSSL_get_sigalg_info 2023-11-29 23:04:19 +01:00
Juliusz Sosinowicz
7c2344c389 Add API to get information about ciphersuites 2023-11-29 23:04:19 +01:00
Juliusz Sosinowicz
fbd8996949 Add API to choose dynamic certs based on client ciphers/sigalgs 2023-11-29 23:04:19 +01:00
Daniel Pouzzner
73ca6daf2b wolfssl/wolfcrypt/types.h: add needed (void)s for unused args to several XMALLOC/XFREE/XREALLOC macros that were missing them.
src/quic.c: fix misspelled DYNAMIC_TYPE_TMP_BUFFER.
2023-11-29 16:02:39 -06:00
jordan
3158e04863 Add missing wc_AesInit calls. 2023-11-29 12:54:28 -06:00
Daniel Pouzzner
93ab397c56 wolfcrypt/test/test.c: fix memory leak in dsa_test(). 2023-11-29 12:28:39 -06:00
Juliusz Sosinowicz
a7dce98797 Don't touch processReply state in DoApplicationData 2023-11-29 19:11:49 +01:00
Daniel Pouzzner
962bf88c9d wolfcrypt/src/ecc.c: add missing semicolon in SAVE_VECTOR_REGISTERS() args. 2023-11-29 11:59:35 -06:00
Juliusz Sosinowicz
c87339e5c3 dtls13: Add support for 0.5-RTT data 2023-11-29 15:55:59 +01:00
Daniel Pouzzner
4642077146 src/ssl.c: remove frivolous (void)heap to clear -Wdeclaration-after-statement.
wolfcrypt/src/aes.c: add NEED_AES_TABLES gate around AesSetKey_C() implementations (fixes WOLFSSL_KCAPI_AES builds, probably among others).

wolfcrypt/src/sp_int.c: add missing casts to clear -Wconversions.
2023-11-28 23:25:31 -06:00
JacobBarthelmeh
12ee732fe2 Merge pull request #6981 from douzzer/20231102-vector-register-dynamic-fallback-aes
20231102-vector-register-dynamic-fallback-aes
2023-11-28 13:15:02 -07:00
JacobBarthelmeh
61a2d2de3d Merge pull request #6955 from SparkiDev/rsa_dec_inv_blind_mul_mont
RSA private exponentiation: multiply blinding invert in Mont
2023-11-28 11:08:57 -07:00
JacobBarthelmeh
a111c5b27f Merge pull request #6993 from SparkiDev/thumb2_iar_no_inline_fix_2
SP Thumb2: make function no-inline
2023-11-28 10:47:58 -07:00
JacobBarthelmeh
373fc537f1 Merge pull request #7003 from SparkiDev/ssl_make_x25519_key_temp
SSL: make temp X25519/X448 key failure
2023-11-28 10:46:51 -07:00
JacobBarthelmeh
0ac27eb039 Merge pull request #7005 from SparkiDev/memusage_fix_5
Memory usage fixes: nonce type and TLSX extension free
2023-11-28 10:42:04 -07:00
Sean Parkinson
09d2ba8bc8 Memory usage fixes: nonce type and TLSX extension free
Nonce ciphers other than AES. Free uses DYNAMIC_TYPE_CIPHER.
AES allocation must use DYNAMIC_TYPE_CIPHER too.

If not all TLSX extensions can be freed, then free the ones that can.
Update TLSX_free() to have a message for each case.
2023-11-28 12:56:06 +10:00
David Garske
4b74a2f006 Updated STM32L4 (Cortex-M at 80MHz) benchmarks with v5.6.4 using the new ARM ASM speedups. 2023-11-27 15:48:32 -08:00
JacobBarthelmeh
602bd3b506 Merge pull request #6996 from SparkiDev/armv8_aes_gcm_init_stream_iv
ARMv8 AES-GCM streaming: check size of IV before storing
2023-11-27 09:39:46 -07:00
JacobBarthelmeh
36015e9131 Merge pull request #6998 from SparkiDev/tls_pad_no_hash_raw_fix
TLS_hmac: when no raw hash, make sure maxSz is not neg
2023-11-27 09:37:57 -07:00
JacobBarthelmeh
9f06d337e3 Merge pull request #6992 from SparkiDev/heapmath_addmod_ct
Heap math: mp_add/submod_ct make work when c == d
2023-11-27 09:28:49 -07:00
Juliusz Sosinowicz
8ac891d902 x509 AIA: store the first OCSP and CA Issuer URI's
Solves ZD17033
2023-11-27 14:47:36 +01:00
Sean Parkinson
f65f8be176 SSL: make temp X25519/X448 key failure
On failure to make the temporary X25519/X448 key, free it as the type is
stored in eccTempKeyPresent which also indicates a valid key is present.
Otherwise on SSL free, it will default to freeing the key with ECC APIs.
2023-11-27 08:50:22 +10:00
JacobBarthelmeh
008d4958bf Merge pull request #7001 from dgarske/testnb
Fix for TLS v1.3 in non-blocking loosing return code from `SendBuffered`
2023-11-24 12:34:57 -07:00
David Garske
09b6974ae9 Fix for TLS v1.3 in non-blocking loosing return code from SendBuffered. Example: SendBuffered returns WANT_WRITE (-327) and sets ssl->error, then below it was doing ssl->error = ret where ret = 0. 2023-11-24 09:30:09 -08:00
Sean Parkinson
d83a5a955c SP Thumb2: make function no-inline
Lost changes that make function not inlined.
2023-11-24 15:38:11 +10:00
Sean Parkinson
bc36202087 TLS_hmac: when no raw hash, make sure maxSz is not neg
When padding byte is invalid, the maxSz can be negative.
Make maxSz 0 in this case so that blocks doesn't get very large and
cause delays.
2023-11-23 09:51:44 +10:00
JacobBarthelmeh
2e89e46c0b Merge pull request #6990 from gojimmypi/PR-Espressif-C3-C6-S2-HW
Espressif ESP32-C3 ESP32-C6 ESP32-S2 Hardware Acceleration
2023-11-22 16:21:41 -07:00
JacobBarthelmeh
5b3f5496f8 Merge pull request #6430 from kareem-wolfssl/memcached
Add memcached support.
2023-11-22 16:20:28 -07:00
gojimmypi
98e8ee65dd remove stray Espressif include.am entry 2023-11-22 15:10:09 -08:00
gojimmypi
967a0c9625 Merge branch 'master' of https://github.com/wolfSSL/wolfssl into Espressif-client-server-example 2023-11-22 15:04:15 -08:00
JacobBarthelmeh
7036c8440b Merge pull request #6995 from gojimmypi/PR-var-init
Initialize variables to appease Espressif compiler
2023-11-22 15:54:40 -07:00
Sean Parkinson
b242b44b2c ARMv8 AES-GCM streaming: check size of IV before storing
Only store IV in Init function if it will fit in reg field of Aes
object.
2023-11-23 08:01:20 +10:00
JacobBarthelmeh
14e8ffcc18 remove locality from self-sm2-cert.pem 2023-11-22 14:30:27 -07:00
Sean Parkinson
416ce54276 Heap math: mp_add/submod_ct make work when c == d
mp_addmod_ct and mp_submod_ct expected c and d to be different pointers.
Change code to support this use case.
Fix whitespace.
2023-11-23 07:28:55 +10:00
gojimmypi
2da88115a6 Upstream merge + resolve conflict. 2023-11-22 13:17:14 -08:00
JacobBarthelmeh
e197d5f8a3 add self-sm2-cert.pem to certificate regen script 2023-11-22 14:14:07 -07:00
gojimmypi
6c41a6a374 Initialize variables to appease Espressif compiler 2023-11-22 13:02:51 -08:00
gojimmypi
5b01270205 Update all Expressif examples, ready for PR #6990 2023-11-22 12:37:15 -08:00
JacobBarthelmeh
0306d07c47 Merge pull request #6994 from embhorn/gh6988
Fix spelling warnings
2023-11-22 13:29:51 -07:00
Kareem
e175410b00 memcached: Revert wolfSSL_in_connect_init changes 2023-11-22 11:55:16 -07:00
Eric Blankenhorn
7223b5a708 Fix spelling warnings 2023-11-22 12:34:56 -06:00
JacobBarthelmeh
2f920b5cc4 Merge pull request #6892 from embhorn/gh6890
Add error reporting to loadX509orX509REQFromBuffer
2023-11-22 11:18:45 -07:00
JacobBarthelmeh
9810a8cd86 Merge pull request #6991 from lealem47/gh6983
Option to enable DTLS-SRTP in CMake
2023-11-22 11:09:30 -07:00
Kareem
72cbd9a44e memcached: Code review feedback 2023-11-21 17:59:55 -07:00
gojimmypi
9227020f8e code review updates for ESP32 C3/C6/S2 HW Acceleration 2023-11-21 16:22:49 -08:00
JacobBarthelmeh
dda72dc19c Merge pull request #6979 from SparkiDev/sp_arm64_noinline
SP ARM64 P-256: mark functions as SP_NOINLINE
2023-11-21 09:48:08 -07:00
JacobBarthelmeh
60909d5cba Merge pull request #6971 from SparkiDev/iar_thumb2_asm
IAR Thumb2 ASM: fixes
2023-11-21 09:46:31 -07:00
JacobBarthelmeh
ebbeb6c69e Merge pull request #6984 from res0nance/pqc-crash-fix
tls: return immediately if kyber_id2type() fails
2023-11-21 09:35:22 -07:00
gojimmypi
7e69030df1 Espressif ESP32-C3 ESP32-C6 ESP32-S2 Hardware Acceleration 2023-11-20 18:05:18 -08:00
Sean Parkinson
9ac3083e5d Thumb2 ASM fixes
Make a separate AES for IAR that has AES_encrypt_block and
AES_decrypt_block inlined. Default code is relying on compiler to use
specific registers and not modify others.

Improve performance of small SP ASM code for RSA.
2023-11-21 11:58:10 +10:00
Sean Parkinson
e97e1b5847 SP ARM64 P-256: mark functions as SP_NOINLINE
iOS device compilations are inlining functions and causing P-256 to
fail.
Add SP_NOINLINE to key P-256 functions.
Add "cc" to more clobber lists.
2023-11-21 10:43:38 +10:00
Lealem Amedie
846b91ea1b Enable DTLS-SRTP in CMake 2023-11-20 15:58:59 -07:00
JacobBarthelmeh
665469f02a Merge pull request #6986 from douzzer/20231119-all-cryptonly-opensslextra
20231119-all-cryptonly-opensslextra
2023-11-20 15:29:14 -07:00
JacobBarthelmeh
538ce14c62 Merge pull request #6953 from SKlimaRA/SKlimaRA/enable-ca-false
Enable encoding CA:FALSE with build flag
2023-11-20 15:03:14 -07:00
David Garske
14906df3ec Merge pull request #6970 from anhu/AES_with_FREESCALE_MMCAU
Fix build errors when defining FREESCALE_MMCAU
2023-11-20 09:32:49 -08:00
Kareem
ca61034d22 Add memcached support.
memcached support: add required functions/defines.

Fix running unit test when defining DEBUG_WOLFSSL_VERBOSE without OPENSSL_EXTRA.

Break out session_id_context APIs into separate option WOLFSSL_SESSION_ID_CTX, so they can be used without OPENSSL_EXTRA.

Make wolfSSL_ERR_get_error and wolfSSL_CTX_set_mode available for memcached.

Add --enable-memcached.

Include required defines for memcached.

Revert unit test fix, no longer needed.

Add Github actions test for memcached.  Stop defining DEBUG_WOLFSSL_VERBOSE for memcached.

Add auto retry to writes.

Memcached CI: correct libevent package name.

Memcached CI: Add pkgconfig path for Github CI wolfSSL prefix.

memcached: Fix WOLFSSL_OP_NO_RENEGOTIATION going outside of int bounds, add LD_LIBRARY_PATH for memcached CI test.

memcached CI: Use correct path for wolfSSL

memcached: Add required perl dependency for SSL tests

memcached: Update to 1.6.22

memcached: actually test tls

memcached: Update wolfSSL_SSL_in_before to be side agnostic.
2023-11-20 10:10:34 -07:00
JacobBarthelmeh
cbb270bc15 Merge pull request #6982 from julek-wolfssl/nginx-1.24.0-tests
Add nginx 1.24.0 testing
2023-11-20 10:08:06 -07:00
David Garske
7566328610 Implement proper wc_AesSetKeyLocal for NXP/Freescale MMCAU and LTC. This is required for AES CTR and AES Direct. 2023-11-20 08:15:50 -08:00
Anthony Hu
3fa612f49f Fix build errors when defining FREESCALE_MMCAU 2023-11-20 08:15:45 -08:00
Daniel Pouzzner
7dedfe08ef cryptonly and linuxkm fixes: fix --enable-all[-crypto] with --enable-opensslextra and --enable-cryptonly (build failures detected by multi-test linuxkm-all-asm-cryptonly-opensslextra-pie after merge of 54f2d56300 and e2bbacd548). 2023-11-19 17:22:46 -06:00
Sean Parkinson
9ed0018954 Merge pull request #6980 from gojimmypi/SM-cipher-type-PR
Fix evp SM cipherType check
2023-11-20 07:22:54 +10:00
res0nance
98789dc000 tls: return immediately if kyber_id2type() fails
This prevents a crash as ecc_key is not initialized but the
free function is still called.
2023-11-18 15:44:03 +08:00
Daniel Pouzzner
06dcc114c1 Merge pull request #6868 from lealem47/microsecond
Run benchmarks at microsecond level and record advanced stats
2023-11-17 20:09:07 -05:00
Lealem Amedie
64b98981de Fix for g++ 2023-11-17 16:44:24 -07:00
Daniel Pouzzner
efa61ade89 wolfcrypt/src/aes.c: add fallthrough no-op definitions for VECTOR_REGISTERS_{PUSH,POP} to cover WOLFSSL_TI_CRYPT || WOLFSSL_ARMASM. 2023-11-17 16:55:40 -06:00
Lealem Amedie
a95a7c7e08 One last missing cast 2023-11-17 13:55:49 -07:00
Lealem Amedie
ca195445a3 Add proper casts 2023-11-17 13:33:34 -07:00
Lealem Amedie
07d6d75d72 Fix for sanitizer finds 2023-11-17 13:28:30 -07:00
Daniel Pouzzner
347a17f7cf wolfcrypt/src/aes_asm.asm: fix missed _AESNI suffixing. 2023-11-17 10:15:03 -06:00
gojimmypi
16dba37ae6 fix wolfSSL_EVP_CIPHER_CTX_ctrl() SM GCM/CCM type 2023-11-17 07:56:56 -08:00
Juliusz Sosinowicz
03f3e6c6af Add nginx 1.24.0 testing 2023-11-17 10:48:46 +01:00
Daniel Pouzzner
a10260ca5f refactor AESNI implementations and *VECTOR_REGISTERS* macros to allow dynamic as-needed fallback to pure C, via WC_AES_C_DYNAMIC_FALLBACK.
wolfssl/wolfcrypt/aes.h: add key_C_fallback[] to struct Aes, and remove comment that "AESNI needs key first, rounds 2nd, not sure why yet" now that AES_128_Key_Expansion_AESNI no longer writes rounds after the expanded key.

wolfcrypt/src/aes.c:
* add _AESNI or _aesni suffixes/infixes to AESNI implementations that were missing them: AES_CBC_encrypt(), AES_CBC_decrypt_by*(), AES_ECB_encrypt(), AES_*_Key_Expansion(), AES_set_encrypt_key(), AES_set_decrypt_key(), AES_GCM_encrypt(), AES_GCM_decrypt(), AES_XTS_encrypt(), and AES_XTS_decrypt().
* move key size check from to start of wc_AesSetKeyLocal().
* refactor pure-C AES setkey and cipher implementations to use aes->key_C_fallback when defined(WC_AES_C_DYNAMIC_FALLBACK).
* refactor wc_AesSetKeyLocal() to set up both AESNI and pure-C expanded keys when defined(WC_AES_C_DYNAMIC_FALLBACK).
* refactor all (haveAESNI && aes->use_aesni) conditions to just (aes->use_aesni).
* add macros VECTOR_REGISTERS_PUSH and VECTOR_REGISTERS_POP, which do nothing but push a brace level when !defined(WC_AES_C_DYNAMIC_FALLBACK), but when defined(WC_AES_C_DYNAMIC_FALLBACK), they call SAVE_VECTOR_REGISTERS2() and on failure, temporarily clear aes->use_aesni and restore at _POP().
* refactor all invocations of SAVE_VECTOR_REGISTERS() and RESTORE_VECTOR_REGISTERS() to VECTOR_REGISTERS_PUSH and VECTOR_REGISTERS_POP, except in wc_AesSetKeyLocal(), wc_AesXtsEncrypt(), and wc_AesXtsDecrypt(), which are refactored to use SAVE_VECTOR_REGISTERS2(), with graceful failure concealment if defined(WC_AES_C_DYNAMIC_FALLBACK).
* orthogonalize cleanup code in wc_AesCbcEncrypt(),  wc_AesCcmEncrypt() and wc_AesCcmDecrypt().
* streamline fallthrough software definitions of wc_AesEncryptDirect() and wc_AesDecryptDirect(), and remove special-casing for defined(WOLFSSL_LINUXKM)&&defined(WOLFSSL_AESNI).

wolfcrypt/src/aes_asm.{S,asm}:
* remove errant "movl $10, 240(%rsi)" from AES_128_Key_Expansion_AESNI.
* add _AESNI suffixes/infixes to implementations that needed them.

wolfcrypt/src/{aes_gcm_asm.{S,asm},aes_xts_asm.S}: regenerate from revisions in scripts#357 -- adds _aesni suffixes to implementations that were missing them.

wolfssl/wolfcrypt/types.h: remove DEBUG_VECTOR_REGISTER_ACCESS macros, and add dummy fallthrough definitions for SAVE_VECTOR_REGISTERS2 and WC_DEBUG_SET_VECTOR_REGISTERS_RETVAL.

wolfssl/wolfcrypt/memory.h: adopt DEBUG_VECTOR_REGISTER_ACCESS code from types.h, and add definitions for WC_DEBUG_VECTOR_REGISTERS_RETVAL_INITVAL and WC_DEBUG_SET_VECTOR_REGISTERS_RETVAL.

linuxkm/linuxkm_wc_port.h: add arch-specific macro definitions for SAVE_VECTOR_REGISTERS2().

wolfcrypt/benchmark/benchmark.c: add missing gates around calls to RESTORE_VECTOR_REGISTERS().

configure.ac:
* cover various interdependencies in enable-all/enable-all-crypto, for better behavior in combination with --disable-aesgcm, --disable-ecc, --disable-ocsp, --disable-hmac, --disable-chacha, --disable-ed25519, and --disable-ed448.
* inhibit aesgcm_stream in enable-all/enable-all-crypto when ENABLED_LINUXKM_DEFAULTS, because it is currently incompatible with WC_AES_C_DYNAMIC_FALLBACK.
* add -DWC_AES_C_DYNAMIC_FALLBACK when ENABLED_LINUXKM_DEFAULTS.
* add 3 new interdependency checks: "ECCSI requires ECC.", "SAKKE requires ECC.", "WOLFSSH requires HMAC."

wolfcrypt/src/asn.c: tweak gating to accommodate defined(NO_RSA) && !defined(HAVE_ECC).

wolfcrypt/src/evp.c: tweak gating to accommodate defined(NO_HMAC).

wolfcrypt/src/logging.c: remove DEBUG_VECTOR_REGISTER_ACCESS code (moved to memory.c).

wolfcrypt/src/memory.c: change #include of settings.h to types.h; adopt DEBUG_VECTOR_REGISTER_ACCESS code from logging.c; add implementation of SAVE_VECTOR_REGISTERS2_fuzzer().

wolfcrypt/src/pwdbased.c: add explanatory #error scrypt requires HMAC.

wolfcrypt/test/test.c:
* add DEBUG_VECTOR_REGISTER_ACCESS clauses to aes_xts_128_test(), aesecb_test(), aesctr_test(), aes_test() CBC section, aes256_test() CBC section, and aesgcm_default_test_helper()
* remove duplicate wc_AesEcbDecrypt() in aesecb_test().
* add gating for pbkdf2_test().
* fix cleanup code in dsa_test().
* fix gating in pkcs7authenveloped_run_vectors() to accommodate !defined(HAVE_AESGCM).
* fix gating in cryptocb_test() to accommodate defined(NO_HMAC).

wolfssl/wolfcrypt/cryptocb.h: remove gates around "pk" sub-struct of struct wc_CryptoInfo -- wc_CryptoInfo.pk.type (an int) is used unconditionally when --enable-debug, and is used with DH.

wolfssl/wolfcrypt/error-crypt.h: fix whitespace.
2023-11-17 01:15:28 -06:00
Sean Parkinson
d3448e2c1a RSA private exponentiation: multiply blinding invert in Mont
When blinding, multiply result of exponentiation my blinding invert in
Montgomery form to make code more constant time.
2023-11-17 15:19:51 +10:00
Daniel Pouzzner
e395aad84b Merge pull request #6958 from embhorn/zd16866
Add XGMTIME validation
2023-11-16 21:28:27 -05:00
JacobBarthelmeh
957a0ce300 Merge pull request #6964 from lealem47/zd16470
Parse explicit parameters in StoreEccKey()
2023-11-16 15:59:21 -07:00
gojimmypi
4c6c2942b1 Fix evp SM cipherType 2023-11-16 13:38:39 -08:00
JacobBarthelmeh
6945093221 Merge pull request #6935 from SparkiDev/ssl_crypto_extract
ssl.c: Move out crypto compat APIs
2023-11-16 11:58:14 -07:00
David Garske
8e05b5a9ab Merge pull request #6975 from lealem47/gh6969
Add STM32H725 to default_conf.ftl
2023-11-15 21:15:36 -08:00
Sean Parkinson
8c61b2cc5f IAR Thumb2 ASM: fixes
Don't assign constants to registers with IAR.
Don't assume register usage in AES_set_encrypt_key.
2023-11-16 11:14:43 +10:00
JacobBarthelmeh
bb73c233fc Merge pull request #6973 from douzzer/20231115-misc-fixits
20231115-misc-fixits
2023-11-15 15:27:25 -07:00
lealem47
3576db8976 Merge pull request #6977 from JacobBarthelmeh/cmake
add wolfcrypt test and unit test to ctest
2023-11-15 14:47:49 -07:00
JacobBarthelmeh
9fa5d8872c Merge pull request #6948 from SparkiDev/ecc_curve_koblitz
ECC double point: SECP112R2 and SEC128R2 are Koblitz curves
2023-11-15 14:23:42 -07:00
Daniel Pouzzner
263973bde9 src/wolfio.c: fix stack allocations for cookie digests on NO_SHA builds;
configure.ac: fix dependencies for enable_dsa vs enable_sha in enable-all, enable-all-crypto, and ENABLED_DSA setup.
2023-11-15 14:43:23 -06:00
JacobBarthelmeh
ada085390b add wolfcrypt test and unit test to ctest 2023-11-15 10:38:49 -07:00
Lealem Amedie
cd1e9e9974 Add STM32H725 to default_conf.ftl 2023-11-15 10:30:01 -07:00
Lealem Amedie
2c7248492f Rename macro 2023-11-15 10:27:24 -07:00
Lealem Amedie
ac89c90afd Add RESET_MULTI_VALUE_STATS_VARS macro 2023-11-15 10:26:03 -07:00
Eric Blankenhorn
7bbeadcf97 Fix build errors with dtls1.3 and no tls1.2 2023-11-15 10:37:09 -06:00
JacobBarthelmeh
7daac20d24 Merge pull request #6952 from julek-wolfssl/dtls13-pqc-tests
Add dtls 1.3 PQC suites tests
2023-11-15 09:34:36 -07:00
Daniel Pouzzner
eaa66dc117 configure.ac: in enable-all, enable QUIC only if !ENABLED_LINUXKM_DEFAULTS, and enable aesgcm_stream only if enable_aesgcm. 2023-11-15 01:47:46 -06:00
Daniel Pouzzner
748b058dde wolfcrypt/src/aes.c: fix for -Wrestrict in wc_AesCbcDecrypt() when WOLFSSL_AESNI. 2023-11-15 00:51:21 -06:00
Sean Parkinson
26a9435f5c ECC point double: when z ordinate is 0 point is infinity
Recognize z == 0 as infinity in result of double.
2023-11-15 16:43:06 +10:00
Daniel Pouzzner
7569cfdff8 src/internal.c,src/wolfio.c: fallback to SHA256 when NO_SHA, in LoadCertByIssuer(), MicriumGenerateCookie(), uIPGenerateCookie(), and GNRC_GenerateCookie();
tests/api.c: when NO_SHA, omit test_wolfSSL_CertManagerCheckOCSPResponse() and test_wolfSSL_CheckOCSPResponse() (both use static artifacts with SHA1 name and key hashes).
2023-11-15 00:09:22 -06:00
Daniel Pouzzner
6a3451ca54 wolfcrypt/test/test.c: add WC_MAYBE_UNUSED attribute to declaration of max_relative_stack, to accommodate compilation settings when subsumed within testsuite. 2023-11-15 00:09:22 -06:00
Daniel Pouzzner
7e99ccc782 wolfcrypt/src/wc_port.c, wolfssl/wolfcrypt/wc_port.h: refactor WOLFSSL_GMTIME gmtime() into gmtime_r(), and always define HAVE_GMTIME_R when defined(WOLFSSL_GMTIME). 2023-11-15 00:09:22 -06:00
Sean Parkinson
2213306386 ECC double point: SECP112R2 and SEC128R2 are Koblitz curves
SECP112r2 and SECP128R2 are Koblitz curves, so don't compile them in
unless HAVE_ECC_KOBLITZ is defined. This requires custom curves which
enables point doubling to support A != -3.
2023-11-15 13:30:45 +10:00
JacobBarthelmeh
8f7adb2c16 Merge pull request #6967 from SparkiDev/aes_gcm_aarch64_hw_crypto
AES GCM ARM64: Replace hardware crypto assembly with generated code
2023-11-14 13:55:43 -07:00
Sean Parkinson
c4677927bc AES GCM ARM64: Replace hardware crypto assembly with generated code
Optimized assembly of AES GCM for ARM64 using hardware crypto
instructions.
Code replaced between "START..." and "END...".
2023-11-14 09:24:05 +10:00
Lealem Amedie
b464a277c1 Refactor logic to remove MAX_SAMPLE_RUNS 2023-11-13 13:40:07 -07:00
JacobBarthelmeh
1b55e20d5a Merge pull request #6966 from SparkiDev/aes_bitsliced_armasm_fix
AES bitsliced, ARMASM: config needs WOLFSSL_AES_DIRECT defined
2023-11-13 10:09:08 -07:00
Sean Parkinson
7eaff41e61 AES bitsliced, ARMASM: config needs WOLFSSL_AES_DIRECT defined
AES bitsliced needs WOLFSSL_AES_DIRECT defined when compiling for ARMASM
as there are different APIs used.
2023-11-13 07:40:40 +10:00
David Garske
7c24b2d4bd Merge pull request #6965 from ejohnstown/uint128-cmake
uint128 and CMake
2023-11-10 20:57:46 -08:00
JacobBarthelmeh
c903a8c4a6 Merge pull request #6854 from SparkiDev/aes_bit_sliced
AES bitsliced implementation added
2023-11-10 17:10:19 -07:00
Kaleb Himes
a04eb81e95 Merge pull request #6959 from SparkiDev/sp_c_rsa_pub_e_64bits
SP C: support e up to 64-bits
2023-11-10 16:33:12 -07:00
David Garske
12878fccae Merge pull request #6957 from lealem47/expandDistro
Add --enable-quic to --enable-all
2023-11-10 15:32:05 -08:00
John Safranek
d34d77681a uint128 and CMake
1. Add to the check for HAVE___UINT128_T adding it to the list of items
   that get dumped into the options.h file.
2023-11-10 14:59:41 -08:00
Lealem Amedie
04ea4da6fd Parse explicit parameters in StoreEccKey() 2023-11-10 15:11:08 -07:00
JacobBarthelmeh
63c27219a8 Merge pull request #6962 from julek-wolfssl/dtls13-no-hrr-docs
Add info on how to use WOLFSSL_DTLS13_NO_HRR_ON_RESUME
2023-11-10 14:26:46 -07:00
Juliusz Sosinowicz
b8d5ac83eb Add info on how to use WOLFSSL_DTLS13_NO_HRR_ON_RESUME 2023-11-10 10:43:26 +01:00
Sean Parkinson
3ab0fc1ba4 SP C: support e up to 64-bits
SP C code only supported one digit worth of e which is less than 64 or
32.
Change is to support up to 64 bit of e using sp_uint64 to hold value.
2023-11-10 09:58:51 +10:00
Eric Blankenhorn
a4bf774e1c Add XGMTIME validation 2023-11-09 16:06:37 -06:00
Lealem Amedie
e2bbacd548 Add QUIC to --enable-all 2023-11-09 14:44:02 -07:00
JacobBarthelmeh
49a219e0d1 Merge pull request #6930 from Frauschi/zephyr_fix
Fixes for the Zephyr port
2023-11-09 12:56:34 -07:00
JacobBarthelmeh
73d3277b74 Merge pull request #6947 from SparkiDev/sp_arm64_mont_red_4_fix
SP ARM64 asm: fix Montgomery reduction by 4
2023-11-09 08:39:52 -07:00
Juliusz Sosinowicz
a666c39b65 zephyr 3.5 github action 2023-11-09 10:41:54 +01:00
Tobias Frauenschläger
081b34919c Zephyr: improve order of random seed sources
When using Zephyr, we also want to use the proper wc_GenerateSeed
method. However, if one of the defines is set (e.g., NO_STM32_RNG), the
Zephyr option is ignored, although it would work. Hence, we have to
change the order in which these settings for the source of a random seed
are evaluated.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2023-11-09 10:41:54 +01:00
Tobias Frauenschläger
182eaa0b63 Zephyr: add support for RTC time
For ASN date validation, the actual wall clock time is needed from an
RTC. This commit adds support to read the RTC time in case it is
available in the Zephyr system. If the RTC is not available or an error
occurs during the readout, we fallback to the old implementation which
only supports relative time since boot.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2023-11-09 10:41:54 +01:00
Tobias Frauenschläger
4d8bbd7091 Zephyr: fix POSIX time include
The sys/time.h header causes redefinition errors regarding the fd_set
type and the select call inside socket_select.h. We want to include the
regular time.h header anyway, as done in random.c.

Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>

tmp
2023-11-09 10:41:54 +01:00
Tobias Frauenschläger
9d880fe161 Zephyr: Fix deprecation warning for rand32.h
Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
2023-11-09 10:41:54 +01:00
SKlimaRA
308346aa0d one less memcpy 2023-11-09 09:40:58 +01:00
JacobBarthelmeh
2b1c61a013 Merge pull request #6949 from bigbrett/zd16925
fix WOLFSSL_CALLBACK memory error
2023-11-08 23:35:32 -07:00
JacobBarthelmeh
3332b036d5 Merge pull request #6950 from SparkiDev/srtp_kdf_fix
SRTP KDF: Don't use i outside loop
2023-11-08 23:13:40 -07:00
JacobBarthelmeh
04c1e94e29 Merge pull request #6954 from SparkiDev/sp_cortexm_iar_branch_long
SP Cortex-M: branch long explicitly for IAR
2023-11-08 23:01:45 -07:00
JacobBarthelmeh
68b6bc87c7 Merge pull request #6916 from philljj/add_EXTENDED_KEY_USAGE_free
Add EXTENDED_KEY_USAGE_free to OpenSSL compat layer.
2023-11-08 22:07:40 -07:00
Sean Parkinson
168747615c SP Cortex-M: branch long explicitly for IAR
GCC doesn't like explicit wide branch instruction but will use
appropriate instruction implicitly.
IAR won't widen branch instruction unless explicitly told.
2023-11-09 08:27:42 +10:00
jordan
be24d68e5d Add EXTENDED_KEY_USAGE_free to OpenSSL compat layer. 2023-11-08 15:26:24 -06:00
Lealem Amedie
138d699cc7 Apply changes to new srtp-kdf code 2023-11-08 11:09:00 -07:00
Lealem Amedie
c0f3fe4434 Benchmarks: use clock_gettime() for ns resolution 2023-11-08 10:45:51 -07:00
Lealem Amedie
2cde843093 Measure max & min durations within the confines of MAX_SAMPLE_RUNS 2023-11-08 10:45:51 -07:00
Lealem Amedie
1303c0512c Extract some code blocks into macros 2023-11-08 10:45:51 -07:00
Lealem Amedie
46a5465c3f Remove redundant macro 2023-11-08 10:45:51 -07:00
Lealem Amedie
16ecc9b5f8 Address feedback and don't print avg ms if mean is displayed 2023-11-08 10:45:51 -07:00
Lealem Amedie
86a2b050fe Gate on NO_FILESYSTEM 2023-11-08 10:45:50 -07:00
Lealem Amedie
a40de50be2 Add ADVANCED_STATS in benchmark.c 2023-11-08 10:45:50 -07:00
Lealem Amedie
9006dd5edd Document new macro 2023-11-08 10:45:50 -07:00
Lealem Amedie
2ea0c2cae8 Run benchmarks at microsecond level 2023-11-08 10:45:50 -07:00
Stanislav Klima
a137847894 removed isCaSet from decoded cert 2023-11-08 12:24:29 +01:00
Stanislav Klima
1562106899 micro fix 2023-11-08 11:18:58 +01:00
Stanislav Klima
76d89a0c15 unused variable 2023-11-08 11:09:05 +01:00
Stanislav Klima
f518a8f7d5 new build flag WOLFSSL_ALLOW_ENCODING_CA_FALSE 2023-11-08 10:51:25 +01:00
Sean Parkinson
54f2d56300 ssl.c: Move out crypto compat APIs
ssl_crypto.c contains OpenSSL compatibility APIS for:
 - MD4, MD5, SHA/SHA-1, SHA2, SHA3
 - HMAC, CMAC
 - DES, DES3, AES, RC4
API implementations reworked.
Tests added for coverage.
TODOs for future enhancements.
2023-11-08 19:43:18 +10:00
Juliusz Sosinowicz
8bc79a0b43 Add dtls 1.3 PQC suites tests 2023-11-08 10:29:35 +01:00
Stanislav Klima
4bbb0e3876 drafted ca false 2023-11-08 10:23:46 +01:00
Mikhail Paulyshka
944c7e175b cmake: add WOLFSSL_X86_64_BUILD_ASM option 2023-11-08 09:18:07 +01:00
Mikhail Paulyshka
fca2f14f48 cmake: guard installation with WOLFSSL_INSTALL option 2023-11-08 09:18:07 +01:00
Mikhail Paulyshka
7adddc5fb8 cmake/functions: do not try to build x86_64 assembler on non-AMD64 platforms 2023-11-08 09:18:07 +01:00
Mikhail Paulyshka
703cfded28 cmake: introduce WOLFSSL_X86_64_BUILD variable 2023-11-08 09:18:06 +01:00
Sean Parkinson
716cb450aa SRTP KDF: Don't use i outside loop
When shifting index down, first XOR outside loop isn't meant to use i.
2023-11-08 15:04:46 +10:00
lealem47
1a3f3aa5f0 Merge pull request #6951 from douzzer/20231107-unit-test-regenerate-ocsp-reply
20231107-unit-test-regenerate-ocsp-reply
2023-11-07 20:09:32 -07:00
Daniel Pouzzner
9cb6243357 wolfcrypt/test/test.c: add all initializers in wolfcrypt_test_main() for args for C++ legality (C-style initializer added in e58fafcf3d). 2023-11-07 19:33:18 -06:00
Daniel Pouzzner
ca694938fd tests/api.c: update response vector in test_wolfSSL_CertManagerCheckOCSPResponse(), reflecting regenerated keys in certs/ocsp/. 2023-11-07 19:25:52 -06:00
David Garske
0fa47e9e28 Merge pull request #6943 from SparkiDev/iar_inline_asm_no_register
Thumb2 inline ASM: IAR doesn't do register variables
2023-11-07 14:23:44 -08:00
JacobBarthelmeh
b6e5b36f35 Merge pull request #6946 from dgarske/nooldtls_v1.1
Turn off old TLS v1.1 by default
2023-11-07 13:30:03 -07:00
Brett Nicholas
ba37dc9933 Fixes bug where example server with WOLFSSL_CALLBACKS hangs when used with
-6 option (simulated WANT_WRITE errors) or with DTLS, causing make check
to fail
2023-11-07 11:44:20 -07:00
David Garske
a46b6221b4 Turn off old TLS v1.1 by default (unless SSL v3.0 or TLS v1.0 enabled). 2023-11-07 09:23:59 -08:00
JacobBarthelmeh
d751029c07 Merge pull request #6945 from gojimmypi/PR-goto-alternate
introduce WARNING_OUT, when goto is not a hard error during tests
2023-11-07 10:17:53 -07:00
JacobBarthelmeh
8921a720a1 Merge pull request #6888 from SparkiDev/srtp_kdf
SRTP/SRTCP KDF: add implementation
2023-11-07 10:11:43 -07:00
JacobBarthelmeh
a6de9cd06f Merge pull request #6942 from SparkiDev/sp_int_sqr_volatile
SP int: ARM64 optimization issue
2023-11-07 10:09:25 -07:00
gojimmypi
e58fafcf3d introduce WARNING_OUT, optional WOLFSSL_ESPIDF_ERROR_PAUSE 2023-11-07 08:52:34 +01:00
Sean Parkinson
cefe108cab Thumb2 inline ASM: IAR doesn't do register variables
IAR doesn't parse register variable declarations with specified
registers. IAR doesn't even honor the register keyword.
Can use small negative but IAR doesn't like it.
Specify the positive value instead.
Add a small code size version of mont_reduce_full using umlal and umaal.
Make 'asm' usage in variables use keyword '__asm__'.
Explicitly don't inline some functions when compiling with IAR.
2023-11-07 16:12:07 +10:00
Sean Parkinson
01c3345c7a SP ARM64 asm: fix Montgomery reduction by 4
Handle add overflow properly in generic Montgomery reduction for 4
words. Used when reducing back to order of P-256 curve.
2023-11-07 11:39:03 +10:00
Sean Parkinson
8c3e1dbf48 SRTP/SRTCP KDF: add implementation
Add implementation of SRTP KDF and SRTCP KDF.
One shot APIs compatible with SP 800-135 and ACVP testing.
Tests added to test.c.
Benchmarking added.
Doxygen added.
2023-11-07 10:33:14 +10:00
JacobBarthelmeh
c852347dfb Merge pull request #6877 from gojimmypi/Espressif-cmake-update
Espressif Update wolfSSL component CMakeLists.txt
2023-11-06 13:43:07 -07:00
JacobBarthelmeh
c5e2f414ea Merge pull request #6929 from julek-wolfssl/dtls13-early-data-server-side
dtls 1.3: allow to skip cookie exchange on resumption
2023-11-06 13:30:21 -07:00
JacobBarthelmeh
8ac291bbe1 Merge pull request #6944 from miyazakh/fix_qt_jenkins_failure
skip DATE check if flags is set when calling AddTrustedPeer
2023-11-06 11:35:22 -07:00
JacobBarthelmeh
c92d25816a Merge pull request #6887 from julek-wolfssl/zd/16849
Implement untrusted certs in wolfSSL_X509_STORE_CTX_init
2023-11-06 10:13:43 -07:00
JacobBarthelmeh
8569e76a87 Merge pull request #6915 from bigbrett/typo-fix-DecodeBasicCAConstraint
fix typo in WOLFSSL_ENTER function name
2023-11-03 13:53:23 -06:00
JacobBarthelmeh
190b51ae6f Merge pull request #6810 from bandi13/codeSonar_fixes
Fix 'negative character value'
2023-11-03 13:52:06 -06:00
Juliusz Sosinowicz
8c87920903 Address code review 2023-11-03 11:02:41 +01:00
Sean Parkinson
5b863dcb12 AES bitsliced implementation added
AES bitsliced implementation that is cache attack safe.
Configure with:
  --enable-aes-bitslice
or define:
  WC_AES_BITSLICE
  HAVE_AES_ECB
  HAVE_AES_DIRECT
Very slow for CBC, CFB, OFB and any mode that uses a previous encrypt
block to calculate current.
CTR, GCM, XTS can parallelize the data and be much faster.

Added AES-ECB test to test.c.
2023-11-03 14:19:58 +10:00
Hideki Miyazaki
49121b5c47 move declaration to the top of func 2023-11-03 11:45:33 +09:00
Hideki Miyazaki
8d9dc3d79f skip DATE if flags is set when calling AddTrustedPeer 2023-11-03 09:38:23 +09:00
Sean Parkinson
b8ea978066 Merge pull request #6941 from douzzer/20231102-examples-asn1-double-fclose
20231102-examples-asn1-double-fclose
2023-11-03 08:50:13 +10:00
Sean Parkinson
cfb6560468 SP int: ARM64 optimization issue
Make variables volatile to avoid compiler optimization issues.
2023-11-03 08:08:29 +10:00
JacobBarthelmeh
c8af4edd74 Merge pull request #6940 from bandi13/takeInConstParameters
Can guarantee not to modify arguments of `mp_isodd` and `mp_iszero`
2023-11-02 15:45:51 -06:00
Daniel Pouzzner
d6f37d48d6 examples/asn1/asn1.c: remove now-redundant fclose(fp) in asn1App_ReadFile() (which also was incorrectly closing stdin). see #6905. 2023-11-02 16:14:40 -05:00
Andras Fekete
49b9764c52 Can guarantee not to modify arguments of mp_isodd and mp_iszero 2023-11-02 16:00:57 -04:00
David Garske
8fc754515a Merge pull request #6938 from SparkiDev/rsa_pss_salt_len_openssl_compat_fix
RSA PSS OpenSSL compatibility verification: support AUTO
2023-11-02 09:07:40 -07:00
JacobBarthelmeh
96977d1480 Merge pull request #6900 from julek-wolfssl/zd/16868
EVP_EncodeBlock should not append a newline
2023-11-02 09:20:39 -06:00
Sean Parkinson
4870435604 RSA PSS OpenSSL compatibility verification: support AUTO
When wolfSSL_RSA_verify_PKCS1_PSS() called with RSA_PSS_SALTLEN_AUTO
(RSA_PSS_SALTLEN_MAX_SIGN) it wasn't using RSA_PSS_SALT_LEN_DISCOVER
when available.
2023-11-02 11:24:18 +10:00
lealem47
2ee94023f9 Merge pull request #6937 from dgarske/stm32wl
Support for the STM32WL55 and PKA improvements for ECC parameters
2023-11-01 17:44:22 -06:00
David Garske
0dde07e282 Whitespace cleanups (appease multi-test "check-source-text"). 2023-11-01 15:03:12 -07:00
David Garske
33e12e3537 Support for the STM32WL55 and PKA improvements for ECC parameters. Fixes #6386 and Fixes #6396. 2023-11-01 13:55:31 -07:00
JacobBarthelmeh
9e34ed937e Merge pull request #6927 from dgarske/crl_no_date
Add build option for disabling CRL date check
2023-11-01 14:48:28 -06:00
JacobBarthelmeh
21f34ef028 Merge pull request #6905 from bandi13/moreCodeSonarFixes
Don't nag about leaked resources
2023-11-01 14:46:02 -06:00
Brett Nicholas
9d632ccaa6 apply lateRL offset to memcpy dest, not src 2023-11-01 14:32:11 -06:00
JacobBarthelmeh
15fdf6eccc Merge pull request #6910 from bigbrett/ios-ca-api
exercise --sys-ca-certs optionin external.test
2023-11-01 14:09:24 -06:00
Andras Fekete
bb9031da6e Remove dead code 2023-11-01 13:30:40 -04:00
JacobBarthelmeh
c920337f2f Merge pull request #6891 from julek-wolfssl/zd/16849-i2d_x509
Advance pointer in wolfSSL_i2d_X509
2023-11-01 11:02:44 -06:00
JacobBarthelmeh
026c4bcbc7 Merge pull request #6902 from dgarske/various_20231020
Fixes for PKCS w/out RSA and Cert/CSR signing with unknown OID
2023-11-01 10:58:10 -06:00
JacobBarthelmeh
a3ea84d8e8 Merge pull request #6917 from SparkiDev/sp_int_no_sp_digit
SP int: don't use sp_digit as the type is sp_int_digit
2023-11-01 10:57:07 -06:00
JacobBarthelmeh
98843798c2 Merge pull request #6934 from SparkiDev/regression_fixes_8
Regression test fixes
2023-11-01 10:55:41 -06:00
JacobBarthelmeh
59e947d3e6 Merge pull request #6936 from philljj/codespell_cleanup
Used codespell and fixed obvious typos.
2023-11-01 10:39:04 -06:00
jordan
34f349e510 Used codespell and fixed obvious typos. 2023-11-01 10:35:12 -05:00
Sean Parkinson
0eab70f806 Regression test fixes
Fixes for different configurations and memory allocation failure
testing.
2023-11-01 14:10:49 +10:00
Sean Parkinson
2e37ff4e45 SP int: don't use sp_digit as the type is sp_int_digit
Stop casting to the wrong type. SP int code use sp_int_digit and
sp_digit can be a different signedness.
2023-11-01 13:38:23 +10:00
JacobBarthelmeh
7435d235a6 Merge pull request #6931 from dgarske/async_v5.6.4
Async v5.6.4
2023-10-31 14:52:13 -06:00
David Garske
2ac0d47908 Fix for async edge case with Intel QuickAssist/Cavium Nitrox that was broken in PR #6783. Was causing re-entry and multiple calls for some operations like DH KeyGen that don't advance state on completion. https://github.com/wolfSSL/wolfAsyncCrypt/pull/71 2023-10-31 12:43:12 -07:00
Juliusz Sosinowicz
aed715cb2c dtls 1.3: allow to skip cookie exchange on resumption
tls 1.3: do cookie exchange when asked too even when found a matching cipher
2023-10-31 14:29:04 +01:00
David Garske
0455224439 Fix build errors in API unit test without IO dependencies. 2023-10-30 17:04:36 -07:00
David Garske
cdef51f537 Add build option for disabling CRL date check (WOLFSSL_NO_CRL_DATE_CHECK). ZD 16675 2023-10-30 15:45:33 -07:00
Andras Fekete
42c241dbbf Avoid use of uninitialized array 2023-10-27 15:38:46 -04:00
Andras Fekete
2877b7be50 Fix possible memory leak 2023-10-27 15:31:28 -04:00
Andras Fekete
21d465cf9a Fix possible double free 2023-10-27 15:31:28 -04:00
Andras Fekete
f8f080d7de Don't nag about leaked resources 2023-10-27 15:31:28 -04:00
Brett Nicholas
5277065c3c fix typo in WOLFSSL_ENTER function name 2023-10-26 13:01:05 -06:00
Brett
89d445a5a5 added --sys-ca-certs client connection to external test 2023-10-25 15:13:08 -06:00
Brett
60f75ea5a8 simplified apple header detection used in code 2023-10-25 15:13:06 -06:00
Juliusz Sosinowicz
8f60fb0053 Advance pointer in wolfSSL_i2d_X509 2023-10-24 10:25:06 +02:00
gojimmypi
1a113c5429 Espressif add TLS Client/Server local user_settings.h 2023-10-22 16:59:54 +02:00
gojimmypi
8eaf09d7a0 Update Espressif TLS Client/Server CMakeLists.txt 2023-10-22 16:53:56 +02:00
gojimmypi
9fe071fe73 Espressif remove pre-existing /include/user_settings.h during compile all. 2023-10-22 16:21:06 +02:00
David Garske
cf1dcdf402 Fix for adding signature where OID is not found. Currently our AddSignature function will add without OID, which is invalid. For example RSA is disabled and CSR tries to use CTC_SHA256wRSA. The wc_SignCert_ex will succeed and report success, but the CSR/Cert will be invalid (missing sigType OID). 2023-10-20 16:29:59 -07:00
David Garske
6887281361 Fix for ./configure --enable-pkcs7 --disable-rsa && make check. 2023-10-20 16:27:54 -07:00
Andras Fekete
0925f8ab18 Use 'unsigned char' 2023-10-20 16:16:48 -04:00
Andras Fekete
ec0a2f2683 Fix 'negative character value'
In a number of libc implementations, isalpha()/isalnum() is implemented using lookup tables (arrays): passing in a negative value can result in a read underrun.
2023-10-20 16:16:48 -04:00
Juliusz Sosinowicz
8cd6cd175d EVP_EncodeBlock should not append a newline 2023-10-20 13:20:11 +02:00
Juliusz Sosinowicz
d13d446c2e Add missing guard 2023-10-19 20:05:59 +02:00
Juliusz Sosinowicz
2ccbdd3a7e Log correct message 2023-10-19 19:07:45 +02:00
Eric Blankenhorn
962e35aa24 Add error reporting to loadX509orX509REQFromBuffer 2023-10-19 09:31:30 -05:00
Juliusz Sosinowicz
1ae248018f Implement untrusted certs in wolfSSL_X509_STORE_CTX_init 2023-10-18 22:24:19 +02:00
gojimmypi
f5d1cb5132 Update wolfSSL component CMakeLists.txt 2023-10-17 02:09:26 +02:00
Takashi Kojo
1f7ccc4eff Eliminate bad record mac alert 2023-09-12 07:17:04 +09:00
Takashi Kojo
b7a28cc704 compatibility for EVP_CipherUpdate with AES-GCM 2022-12-23 09:09:20 +09:00
2320 changed files with 948626 additions and 218509 deletions

21
.codespellexcludelines Normal file
View File

@@ -0,0 +1,21 @@
###############################################################################
# In this file, you should add the line of the file that needs to be ignored.
# The line should be exactly as it appears in the file.
###############################################################################
0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */
0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, /* fo@wolfs */
0x0a, 0x8b, 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, /* ......ND */
ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd\n\
static const byte plaintext[] = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras lacus odio, pretium vel sagittis ac, facilisis quis diam. Vivamus condimentum velit sed dolor consequat interdum. Etiam eleifend ornare felis, eleifend egestas odio vulputate eu. Sed nec orci nunc. Etiam quis mi augue. Donec ullamcorper suscipit lorem, vel luctus augue cursus fermentum. Etiam a porta arcu, in convallis sem. Integer efficitur elementum diam, vel scelerisque felis posuere placerat. Donec vestibulum sit amet leo sit amet tincidunt. Etiam et vehicula turpis. Phasellus quis finibus sapien. Sed et tristique turpis. Nullam vitae sagittis tortor, et aliquet lorem. Cras a leo scelerisque, convallis lacus ut, fermentum urna. Mauris quis urna diam. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Nam aliquam vehicula orci id pulvinar. Proin mollis, libero sollicitudin tempor ultrices, massa augue tincidunt turpis, sit amet aliquam neque nibh nec dui. Fusce finibus massa quis rutrum suscipit cras amet";
rsource "Kconfig.tls-generic"
/* Loop over authenticated associated data AD1..ADn */
/* no easy answer [c'est la vie]. Just division */
const uint8_t* hashIn, int hashSz)
XMEMCPY(hash + (curveSz - hashSz), hashIn, hashSz);
0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, /* creen would be i */
0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, /* creen would be i */
\pagenumbering{alph}
DES3_KEY_SIZE = 24, /* 3 des ede */
/* functions added to support above needed, removed TOOM and KARATSUBA */
#include <sys/systm.h>
* extern global version from /usr/src/sys/sys/systm.h */

40
.cyignore Normal file
View File

@@ -0,0 +1,40 @@
# wolfSSL folders
$(SEARCH_wolfssl)/IDE
$(SEARCH_wolfssl)/examples
$(SEARCH_wolfssl)/linuxkm
$(SEARCH_wolfssl)/mcapi
$(SEARCH_wolfssl)/mplabx
$(SEARCH_wolfssl)/mqx
$(SEARCH_wolfssl)/tirtos
$(SEARCH_wolfssl)/tests
$(SEARCH_wolfssl)/testsuite
$(SEARCH_wolfssl)/wolfcrypt/src/port/autosar
$(SEARCH_wolfssl)/zephyr
# wolfSSL files
$(SEARCH_wolfssl)/wolfcrypt/src/aes_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/aes_xts_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/aes_gcm_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/aes_gcm_x86_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/chacha_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/fe_x25519_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/poly1305_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/sha256_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/sha512_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/sha3_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/sm3_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/sp_x86_64_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/sp_sm2_x86_64_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/wc_kyber_asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-aes-asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-curve25519.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-sha256-asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-sha512-asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-curve25519.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-sha3-asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-sha512-asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-aes-asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-curve25519.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-sha256-asm.S
$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-sha512-asm.S

View File

@@ -6,8 +6,10 @@ body:
- type: markdown
attributes:
value: >
Thanks for reporting an bug. If you would prefer a private method,
please email support@wolfssl.com
Thanks for reporting a bug. If you would prefer a private method,
or if this is a vulnerability report please email support@wolfssl.com
instead. This is publicly viewable and not appropriate for vulnerability
reports.
- type: input
id: contact
attributes:

View File

@@ -6,7 +6,9 @@ body:
attributes:
value: >
Thanks for reporting an issue. If you would prefer a private method,
please email support@wolfssl.com
or if this is a vulnerability report please email support@wolfssl.com
instead. This is publicly viewable and not appropriate for vulnerability
reports.
- type: input
id: version
attributes:

View File

@@ -0,0 +1,108 @@
cmake_minimum_required(VERSION 3.18)
project(wolfcrypt_stm32h753 LANGUAGES C ASM)
set(WOLFSSL_ROOT "/opt/wolfssl" CACHE PATH "wolfSSL source")
set(CMAKE_TRY_COMPILE_TARGET_TYPE STATIC_LIBRARY)
enable_language(ASM)
# Include paths for CMSIS device headers and STM32 HAL
# Order matters: CMSIS must come before HAL
include_directories(BEFORE
${CMAKE_SOURCE_DIR}
/opt/CMSIS_5/CMSIS/Core/Include # Core CMSIS (core_cm7.h, etc.) - must be first
/opt/cmsis-device-h7/Include # Device-specific CMSIS (stm32h7xx.h)
/opt/STM32CubeH7/Drivers/STM32H7xx_HAL_Driver/Inc/Legacy
/opt/STM32CubeH7/Drivers/STM32H7xx_HAL_Driver/Inc
)
# STM32 HAL source files (minimal set for CRYP and HASH)
# Note: These files are cloned in the Dockerfile before CMake runs
set(HAL_SRC_DIR /opt/STM32CubeH7/Drivers/STM32H7xx_HAL_Driver/Src)
# Check if HAL directory exists, then add source files
if(EXISTS ${HAL_SRC_DIR})
set(HAL_SOURCES
${HAL_SRC_DIR}/stm32h7xx_hal.c
${HAL_SRC_DIR}/stm32h7xx_hal_rcc.c
${HAL_SRC_DIR}/stm32h7xx_hal_rcc_ex.c
${HAL_SRC_DIR}/stm32h7xx_hal_cortex.c
${HAL_SRC_DIR}/stm32h7xx_hal_dma.c
${HAL_SRC_DIR}/stm32h7xx_hal_dma_ex.c
${HAL_SRC_DIR}/stm32h7xx_hal_rng.c
# CRYP HAL files enabled for AES_GCM only
${HAL_SRC_DIR}/stm32h7xx_hal_cryp.c
${HAL_SRC_DIR}/stm32h7xx_hal_cryp_ex.c
# HASH HAL files disabled - Renode doesn't implement HASH peripheral
# ${HAL_SRC_DIR}/stm32h7xx_hal_hash.c
# ${HAL_SRC_DIR}/stm32h7xx_hal_hash_ex.c
)
else()
message(WARNING "HAL source directory not found: ${HAL_SRC_DIR}")
set(HAL_SOURCES "")
endif()
# wolfSSL build options
set(WOLFSSL_USER_SETTINGS ON CACHE BOOL "Use user_settings.h")
set(WOLFSSL_CRYPT_TESTS OFF CACHE BOOL "")
set(WOLFSSL_EXAMPLES OFF CACHE BOOL "")
set(BUILD_SHARED_LIBS OFF CACHE BOOL "")
add_subdirectory(${WOLFSSL_ROOT} ${CMAKE_BINARY_DIR}/wolfssl-build EXCLUDE_FROM_ALL)
target_include_directories(wolfssl PRIVATE
/opt/CMSIS_5/CMSIS/Core/Include # Core CMSIS first
/opt/cmsis-device-h7/Include # Device CMSIS
/opt/STM32CubeH7/Drivers/STM32H7xx_HAL_Driver/Inc/Legacy
/opt/STM32CubeH7/Drivers/STM32H7xx_HAL_Driver/Inc
${CMAKE_SOURCE_DIR} # For stm32h7xx_hal_conf.h
)
# Suppress the GENSEED_FORTEST warning (expected for emulation/test builds)
target_compile_options(wolfssl PRIVATE -Wno-cpp)
# wolfSSL STM32 port source file (needed for HASH and CRYPTO hardware acceleration)
set(WOLFSSL_STM32_PORT_SRC ${WOLFSSL_ROOT}/wolfcrypt/src/port/st/stm32.c)
add_executable(wolfcrypt_test.elf
startup_stm32h753.c
main.c
${WOLFSSL_ROOT}/wolfcrypt/test/test.c
${HAL_SOURCES}
${WOLFSSL_STM32_PORT_SRC}
)
target_include_directories(wolfcrypt_test.elf PRIVATE
${CMAKE_SOURCE_DIR}
${WOLFSSL_ROOT}
/opt/STM32CubeH7/Drivers/STM32H7xx_HAL_Driver/Inc
/opt/STM32CubeH7/Drivers/STM32H7xx_HAL_Driver/Inc/Legacy
)
target_compile_definitions(wolfcrypt_test.elf PRIVATE
WOLFSSL_USER_SETTINGS
STM32H753xx
USE_HAL_DRIVER
USE_HAL_CONF # Enable HAL configuration
# NO_AES_CBC is defined in user_settings.h, no need to define it here
)
# HAL source files need the same compile options and must include stdint.h
# Disable all warnings for HAL files (third-party code we don't control)
set_source_files_properties(${HAL_SOURCES} PROPERTIES
COMPILE_FLAGS "-mcpu=cortex-m7 -mthumb -mfpu=fpv5-d16 -mfloat-abi=hard -ffunction-sections -fdata-sections -Os -include stdint.h -w"
)
target_compile_options(wolfcrypt_test.elf PRIVATE
-mcpu=cortex-m7 -mthumb -mfpu=fpv5-d16 -mfloat-abi=hard
-ffunction-sections -fdata-sections -Os
)
target_link_options(wolfcrypt_test.elf PRIVATE
-T${CMAKE_SOURCE_DIR}/stm32h753.ld
-Wl,--gc-sections
-nostartfiles
-specs=nano.specs
-specs=nosys.specs
)
target_link_libraries(wolfcrypt_test.elf PRIVATE wolfssl m c gcc nosys)

194
.github/renode-test/stm32h753/entrypoint.sh vendored Executable file
View File

@@ -0,0 +1,194 @@
#!/bin/bash
set -euo pipefail
LOG=/tmp/wolfcrypt-renode.log
TIMEOUT=300 # Maximum 5 minutes
echo "Running wolfCrypt test in Renode..."
# Try to find Renode binary in common installation locations
# When installed via .deb package, Renode is typically in /usr/bin/renode
RENODE_BIN="${RENODE_BIN:-$(command -v renode 2>/dev/null || true)}"
if [ -z "$RENODE_BIN" ]; then
# Check common installation paths (order matters - check standard locations first)
for path in /usr/bin/renode /usr/local/bin/renode /opt/renode/renode; do
if [ -x "$path" ]; then
RENODE_BIN="$path"
break
fi
done
fi
if [ -z "$RENODE_BIN" ] || [ ! -x "$RENODE_BIN" ]; then
echo "Renode binary not found in image."
echo "Checked paths: /usr/bin/renode, /usr/local/bin/renode, /opt/renode/renode"
echo "PATH: $PATH"
which renode || echo "renode not in PATH"
exit 2
fi
echo "Using Renode binary: $RENODE_BIN"
# Determine Renode root directory (where platforms/ directory is located)
if [ -d "/opt/renode/platforms" ]; then
RENODE_ROOT="/opt/renode"
elif [ -d "/usr/lib/renode/platforms" ]; then
RENODE_ROOT="/usr/lib/renode"
elif [ -d "/usr/share/renode/platforms" ]; then
RENODE_ROOT="/usr/share/renode"
else
# Try to find Renode root by checking where the binary is
RENODE_DIR=$(dirname "$(readlink -f "${RENODE_BIN}" 2>/dev/null || echo "${RENODE_BIN}")")
if [ -d "${RENODE_DIR}/../platforms" ]; then
RENODE_ROOT=$(readlink -f "${RENODE_DIR}/.." 2>/dev/null || echo "${RENODE_DIR}/..")
else
echo "Warning: Could not determine Renode root directory"
RENODE_ROOT=""
fi
fi
# Set RENODE_ROOT environment variable (Renode uses this to find platform files)
if [ -n "$RENODE_ROOT" ]; then
export RENODE_ROOT
echo "Using Renode root: ${RENODE_ROOT}"
# Also create .renode-root file in firmware directory as backup
echo "${RENODE_ROOT}" > /opt/firmware/.renode-root
chmod 644 /opt/firmware/.renode-root
else
echo "ERROR: Could not determine Renode root directory"
exit 1
fi
# Verify platform file exists
PLATFORM_FILE="${RENODE_ROOT}/platforms/cpus/stm32h753.repl"
if [ ! -f "${PLATFORM_FILE}" ]; then
echo "ERROR: Platform file not found at ${PLATFORM_FILE}"
echo "Searching for platform files..."
find "${RENODE_ROOT}" -name "stm32h753.repl" 2>/dev/null | head -5 || true
exit 1
fi
echo "Platform file found at: ${PLATFORM_FILE}"
# Change to firmware directory
cd /opt/firmware
# Create a modified Renode script with absolute path to platform file
# This avoids the .renode-root file lookup issue
cat > /opt/firmware/run-renode-absolute.resc <<EOF
# Renode test script for STM32H753 (with absolute platform path)
using sysbus
mach create "stm32h753"
# Use absolute path to platform file to avoid .renode-root lookup issues
machine LoadPlatformDescription @${PLATFORM_FILE}
sysbus LoadELF @/opt/firmware/wolfcrypt_test.elf
# Connect USART3 to the console for wolfCrypt output
showAnalyzer usart3
# Start emulation and run for a long time
# The entrypoint script will kill Renode when test completes
emulation RunFor "600s"
EOF
# Start Renode in background, output to log (unbuffered)
# Use the modified script with absolute path
echo "Starting Renode with command: ${RENODE_BIN} --disable-xwt --console -e \"i @/opt/firmware/run-renode-absolute.resc\""
stdbuf -oL -eL "${RENODE_BIN}" --disable-xwt --console -e "i @/opt/firmware/run-renode-absolute.resc" > "${LOG}" 2>&1 &
RENODE_PID=$!
echo "Renode PID: $RENODE_PID"
# Monitor the log for completion, errors, and flush output frequently
START_TIME=$(date +%s)
RESULT=""
LAST_LOG_SIZE=0
while true; do
# Check if Renode is still running
if ! kill -0 "$RENODE_PID" 2>/dev/null; then
break
fi
# Flush new log content to stdout (unbuffered)
if [ -f "${LOG}" ]; then
CURRENT_LOG_SIZE=$(stat -f%z "${LOG}" 2>/dev/null || stat -c%s "${LOG}" 2>/dev/null || echo 0)
if [ "$CURRENT_LOG_SIZE" -gt "$LAST_LOG_SIZE" ]; then
# Output new lines
tail -c +$((LAST_LOG_SIZE + 1)) "${LOG}" 2>/dev/null | head -c $((CURRENT_LOG_SIZE - LAST_LOG_SIZE))
LAST_LOG_SIZE=$CURRENT_LOG_SIZE
fi
fi
# Check for Renode errors (must check before completion to catch errors early)
if grep -q "\[ERROR\]" "${LOG}" 2>/dev/null; then
echo ""
echo "ERROR: Renode reported an error!"
RESULT="renode_error"
break
fi
# Check for completion messages
if grep -q "=== wolfCrypt test passed! ===" "${LOG}" 2>/dev/null; then
RESULT="passed"
break
fi
if grep -q "=== wolfCrypt test FAILED ===" "${LOG}" 2>/dev/null; then
RESULT="failed"
break
fi
# Check timeout
CURRENT_TIME=$(date +%s)
ELAPSED=$((CURRENT_TIME - START_TIME))
if [ "$ELAPSED" -ge "$TIMEOUT" ]; then
echo ""
echo "Timeout after ${TIMEOUT} seconds"
RESULT="timeout"
break
fi
sleep 0.5
done
# Kill Renode if still running
if kill -0 "$RENODE_PID" 2>/dev/null; then
kill "$RENODE_PID" 2>/dev/null || true
wait "$RENODE_PID" 2>/dev/null || true
fi
# Show the log output
cat "${LOG}"
# Report result
case "$RESULT" in
passed)
echo ""
echo "wolfCrypt tests completed successfully."
exit 0
;;
failed)
echo ""
echo "wolfCrypt tests FAILED."
exit 1
;;
renode_error)
echo ""
echo "Renode reported an error - test aborted."
exit 1
;;
timeout)
echo ""
echo "wolfCrypt tests timed out after ${TIMEOUT} seconds."
exit 1
;;
*)
echo ""
echo "wolfCrypt tests did not report a result."
exit 1
;;
esac

137
.github/renode-test/stm32h753/main.c vendored Normal file
View File

@@ -0,0 +1,137 @@
/* main.c - Entry point for wolfCrypt test on STM32H753 under Renode
*
* Runs the wolfCrypt test suite with output via USART3.
*/
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* wolfCrypt test entry point */
extern int wolfcrypt_test(void *args);
/* USART3 registers (STM32H7) */
#define USART3_BASE 0x40004800UL
#define USART3_CR1 (*(volatile uint32_t *)(USART3_BASE + 0x00))
#define USART3_BRR (*(volatile uint32_t *)(USART3_BASE + 0x0C))
#define USART3_ISR (*(volatile uint32_t *)(USART3_BASE + 0x1C))
#define USART3_TDR (*(volatile uint32_t *)(USART3_BASE + 0x28))
#define USART_CR1_UE (1 << 0)
#define USART_CR1_TE (1 << 3)
#define USART_ISR_TXE (1 << 7)
/* RCC registers for enabling USART3 clock */
#define RCC_BASE 0x58024400UL
#define RCC_APB1LENR (*(volatile uint32_t *)(RCC_BASE + 0xE8))
#define RCC_APB1LENR_USART3EN (1 << 18)
static void uart_init(void)
{
/* Enable USART3 clock */
RCC_APB1LENR |= RCC_APB1LENR_USART3EN;
/* Configure USART3: 115200 baud at 64MHz HSI */
USART3_BRR = 64000000 / 115200;
USART3_CR1 = USART_CR1_UE | USART_CR1_TE;
}
static void uart_putc(char c)
{
while (!(USART3_ISR & USART_ISR_TXE))
;
USART3_TDR = c;
}
static void uart_puts(const char *s)
{
while (*s) {
if (*s == '\n')
uart_putc('\r');
uart_putc(*s++);
}
}
/* newlib _write syscall - redirects printf to UART */
int _write(int fd, const char *buf, int len)
{
(void)fd;
for (int i = 0; i < len; i++) {
if (buf[i] == '\n')
uart_putc('\r');
uart_putc(buf[i]);
}
return len;
}
/* Heap management for malloc - required by printf with format strings */
extern char __heap_start__;
extern char __heap_end__;
void *_sbrk(ptrdiff_t incr)
{
static char *heap_ptr = NULL;
char *prev_heap_ptr;
if (heap_ptr == NULL) {
heap_ptr = &__heap_start__;
}
prev_heap_ptr = heap_ptr;
if (heap_ptr + incr > &__heap_end__) {
/* Out of heap memory */
return (void *)-1;
}
heap_ptr += incr;
return prev_heap_ptr;
}
/* Simple counter for time - used by GENSEED_FORTEST */
static volatile uint32_t tick_counter = 0;
/* time() stub for wolfSSL GENSEED_FORTEST */
#include <time.h>
time_t time(time_t *t)
{
tick_counter += 12345; /* Simple pseudo-random increment */
time_t val = (time_t)tick_counter;
if (t)
*t = val;
return val;
}
/* Result variable - can be monitored by Renode at fixed address */
volatile int test_result __attribute__((section(".data"))) = -1;
volatile int test_complete __attribute__((section(".data"))) = 0;
int main(int argc, char **argv)
{
(void)argc;
(void)argv;
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
uart_init();
uart_puts("\n\n=== Starting wolfCrypt test ===\n\n");
test_result = wolfcrypt_test(NULL);
test_complete = 1;
if (test_result == 0) {
uart_puts("\n\n=== wolfCrypt test passed! ===\n");
} else {
uart_puts("\n\n=== wolfCrypt test FAILED ===\n");
}
/* Spin forever after the test completes */
while (1) {
__asm__ volatile ("wfi");
}
return test_result;
}

View File

@@ -0,0 +1,20 @@
# Renode test script for STM32H753
# Note: @platforms/cpus/stm32h753.repl is relative to Renode root
# If RENODE_ROOT is set, Renode will use it; otherwise it looks for .renode-root file
using sysbus
mach create "stm32h753"
# Try relative path first (works if RENODE_ROOT or .renode-root is set correctly)
# If this fails, the absolute path will be tried in entrypoint.sh
machine LoadPlatformDescription @platforms/cpus/stm32h753.repl
sysbus LoadELF @/opt/firmware/wolfcrypt_test.elf
# Connect USART3 to the console for wolfCrypt output
showAnalyzer usart3
# Start emulation and run for a long time
# The entrypoint script will kill Renode when test completes
emulation RunFor "600s"

View File

@@ -0,0 +1,101 @@
/* Minimal startup code for STM32H753 running under Renode */
#include <stdint.h>
#include <stddef.h>
extern int main(int argc, char** argv);
void Default_Handler(void);
void Reset_Handler(void);
/* Symbols provided by the linker script */
extern unsigned long _estack;
extern unsigned long __data_start__;
extern unsigned long __data_end__;
extern unsigned long __bss_start__;
extern unsigned long __bss_end__;
extern unsigned long _sidata; /* start of .data in flash */
/* Minimal init_array support */
extern void (*__preinit_array_start[])(void);
extern void (*__preinit_array_end[])(void);
extern void (*__init_array_start[])(void);
extern void (*__init_array_end[])(void);
static void call_init_array(void)
{
size_t count, i;
count = __preinit_array_end - __preinit_array_start;
for (i = 0; i < count; i++)
__preinit_array_start[i]();
count = __init_array_end - __init_array_start;
for (i = 0; i < count; i++)
__init_array_start[i]();
}
void Reset_Handler(void)
{
unsigned long *src, *dst;
/* Copy .data from flash to RAM */
src = &_sidata;
for (dst = &__data_start__; dst < &__data_end__;)
*dst++ = *src++;
/* Zero .bss */
for (dst = &__bss_start__; dst < &__bss_end__;)
*dst++ = 0;
/* Call static constructors */
call_init_array();
/* Call main */
(void)main(0, (char**)0);
/* Infinite loop after main returns */
while (1) {
__asm__ volatile ("wfi");
}
}
void Default_Handler(void)
{
while (1) {
__asm__ volatile ("wfi");
}
}
/* Exception handlers - all weak aliases to Default_Handler */
void NMI_Handler(void) __attribute__((weak, alias("Default_Handler")));
void HardFault_Handler(void) __attribute__((weak, alias("Default_Handler")));
void MemManage_Handler(void) __attribute__((weak, alias("Default_Handler")));
void BusFault_Handler(void) __attribute__((weak, alias("Default_Handler")));
void UsageFault_Handler(void) __attribute__((weak, alias("Default_Handler")));
void SVC_Handler(void) __attribute__((weak, alias("Default_Handler")));
void DebugMon_Handler(void) __attribute__((weak, alias("Default_Handler")));
void PendSV_Handler(void) __attribute__((weak, alias("Default_Handler")));
void SysTick_Handler(void) __attribute__((weak, alias("Default_Handler")));
/* Vector table */
__attribute__ ((section(".isr_vector"), used))
void (* const g_pfnVectors[])(void) = {
(void (*)(void))(&_estack), /* Initial stack pointer */
Reset_Handler, /* Reset Handler */
NMI_Handler, /* NMI Handler */
HardFault_Handler, /* Hard Fault Handler */
MemManage_Handler, /* MPU Fault Handler */
BusFault_Handler, /* Bus Fault Handler */
UsageFault_Handler, /* Usage Fault Handler */
0, /* Reserved */
0, /* Reserved */
0, /* Reserved */
0, /* Reserved */
SVC_Handler, /* SVCall Handler */
DebugMon_Handler, /* Debug Monitor Handler */
0, /* Reserved */
PendSV_Handler, /* PendSV Handler */
SysTick_Handler /* SysTick Handler */
/* IRQ vectors would continue here */
};

View File

@@ -0,0 +1,109 @@
/* Minimal STM32H753 memory map for Renode run */
MEMORY
{
FLASH (rx) : ORIGIN = 0x08000000, LENGTH = 2048K
DTCM (xrw) : ORIGIN = 0x20000000, LENGTH = 128K
RAM (xrw) : ORIGIN = 0x24000000, LENGTH = 512K
}
_estack = ORIGIN(RAM) + LENGTH(RAM);
_Min_Heap_Size = 128K;
_Min_Stack_Size = 128K;
ENTRY(Reset_Handler)
SECTIONS
{
.isr_vector :
{
. = ALIGN(4);
KEEP(*(.isr_vector))
. = ALIGN(4);
} > FLASH
.text :
{
. = ALIGN(4);
*(.text*)
*(.rodata*)
*(.glue_7)
*(.glue_7t)
*(.eh_frame)
. = ALIGN(4);
_etext = .;
} > FLASH
.ARM.extab :
{
*(.ARM.extab* .gnu.linkonce.armextab.*)
} > FLASH
.ARM.exidx :
{
__exidx_start = .;
*(.ARM.exidx*)
__exidx_end = .;
} > FLASH
.preinit_array :
{
PROVIDE_HIDDEN(__preinit_array_start = .);
KEEP(*(.preinit_array*))
PROVIDE_HIDDEN(__preinit_array_end = .);
} > FLASH
.init_array :
{
PROVIDE_HIDDEN(__init_array_start = .);
KEEP(*(SORT(.init_array.*)))
KEEP(*(.init_array*))
PROVIDE_HIDDEN(__init_array_end = .);
} > FLASH
.fini_array :
{
PROVIDE_HIDDEN(__fini_array_start = .);
KEEP(*(SORT(.fini_array.*)))
KEEP(*(.fini_array*))
PROVIDE_HIDDEN(__fini_array_end = .);
} > FLASH
/* Location in flash where .data will be stored */
_sidata = LOADADDR(.data);
.data :
{
. = ALIGN(4);
__data_start__ = .;
*(.data*)
. = ALIGN(4);
__data_end__ = .;
} > RAM AT> FLASH
.bss :
{
. = ALIGN(4);
__bss_start__ = .;
*(.bss*)
*(COMMON)
. = ALIGN(4);
__bss_end__ = .;
} > RAM
.heap_stack (NOLOAD):
{
. = ALIGN(8);
PROVIDE(__heap_start__ = .);
. = . + _Min_Heap_Size;
PROVIDE(__heap_end__ = .);
PROVIDE(end = __heap_end__);
. = ALIGN(8);
PROVIDE(__stack_start__ = .);
. = . + _Min_Stack_Size;
PROVIDE(__stack_end__ = .);
} > RAM
}
PROVIDE(_init = 0);
PROVIDE(_fini = 0);

View File

@@ -0,0 +1,208 @@
/* Minimal HAL configuration for STM32H753 wolfCrypt build under Renode.
* RNG and CRYP HAL are enabled. CRYP is used for AES_GCM only (other AES modes disabled).
* HASH is disabled as Renode doesn't implement it.
*/
#ifndef STM32H7xx_HAL_CONF_H
#define STM32H7xx_HAL_CONF_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------- Module Selection ----------------------------- */
#define HAL_MODULE_ENABLED
#define HAL_CORTEX_MODULE_ENABLED
#define HAL_RCC_MODULE_ENABLED
#define HAL_GPIO_MODULE_ENABLED
#define HAL_RNG_MODULE_ENABLED
#define HAL_CRYP_MODULE_ENABLED /* Enabled for AES_GCM only */
/* #define HAL_HASH_MODULE_ENABLED */ /* Disabled - Renode doesn't implement HASH */
#define HAL_DMA_MODULE_ENABLED
#define HAL_FLASH_MODULE_ENABLED
#define HAL_PWR_MODULE_ENABLED
#define HAL_EXTI_MODULE_ENABLED
/* Disabled modules (explicit for clarity) */
/* #define HAL_SDRAM_MODULE_ENABLED */
/* ------------------------- Oscillator Values ---------------------------- */
#if !defined(HSE_VALUE)
#define HSE_VALUE 25000000UL /* External oscillator frequency in Hz */
#endif
#if !defined(HSE_STARTUP_TIMEOUT)
#define HSE_STARTUP_TIMEOUT 100UL /* Time out for HSE start up in ms */
#endif
#if !defined(CSI_VALUE)
#define CSI_VALUE 4000000UL /* Internal oscillator CSI in Hz */
#endif
#if !defined(HSI_VALUE)
#define HSI_VALUE 64000000UL /* Internal oscillator HSI in Hz */
#endif
#if !defined(HSI48_VALUE)
#define HSI48_VALUE 48000000UL /* Value of the Internal High Speed oscillator for USB in Hz */
#endif
#if !defined(LSE_VALUE)
#define LSE_VALUE 32768UL /* External low speed oscillator in Hz */
#endif
#if !defined(LSE_STARTUP_TIMEOUT)
#define LSE_STARTUP_TIMEOUT 5000UL /* Time out for LSE start up in ms */
#endif
#if !defined(LSI_VALUE)
#define LSI_VALUE 32000UL /* Internal low speed oscillator in Hz */
#endif
#if !defined(EXTERNAL_CLOCK_VALUE)
#define EXTERNAL_CLOCK_VALUE 12288000UL /* External audio clock in Hz */
#endif
/* ------------------------- System Configuration -------------------------- */
#define VDD_VALUE 3300UL /* Value of VDD in mV */
#define TICK_INT_PRIORITY 0x0FUL /* Tick interrupt priority */
#define USE_RTOS 0U
#define PREFETCH_ENABLE 0U
#define USE_HAL_ADC_REGISTER_CALLBACKS 0U
#define USE_HAL_CEC_REGISTER_CALLBACKS 0U
#define USE_HAL_COMP_REGISTER_CALLBACKS 0U
#define USE_HAL_CORDIC_REGISTER_CALLBACKS 0U
#define USE_HAL_CRYP_REGISTER_CALLBACKS 0U
#define USE_HAL_DAC_REGISTER_CALLBACKS 0U
#define USE_HAL_DCMI_REGISTER_CALLBACKS 0U
#define USE_HAL_DFSDM_REGISTER_CALLBACKS 0U
#define USE_HAL_DMA_REGISTER_CALLBACKS 0U
#define USE_HAL_DMA2D_REGISTER_CALLBACKS 0U
#define USE_HAL_DSI_REGISTER_CALLBACKS 0U
#define USE_HAL_DTS_REGISTER_CALLBACKS 0U
#define USE_HAL_ETH_REGISTER_CALLBACKS 0U
#define USE_HAL_FDCAN_REGISTER_CALLBACKS 0U
#define USE_HAL_FMAC_REGISTER_CALLBACKS 0U
#define USE_HAL_GFXMMU_REGISTER_CALLBACKS 0U
#define USE_HAL_HASH_REGISTER_CALLBACKS 0U
#define USE_HAL_HCD_REGISTER_CALLBACKS 0U
#define USE_HAL_HRTIM_REGISTER_CALLBACKS 0U
#define USE_HAL_I2C_REGISTER_CALLBACKS 0U
#define USE_HAL_I2S_REGISTER_CALLBACKS 0U
#define USE_HAL_IRDA_REGISTER_CALLBACKS 0U
#define USE_HAL_JPEG_REGISTER_CALLBACKS 0U
#define USE_HAL_LPTIM_REGISTER_CALLBACKS 0U
#define USE_HAL_LTDC_REGISTER_CALLBACKS 0U
#define USE_HAL_MDIOS_REGISTER_CALLBACKS 0U
#define USE_HAL_MMC_REGISTER_CALLBACKS 0U
#define USE_HAL_NAND_REGISTER_CALLBACKS 0U
#define USE_HAL_NOR_REGISTER_CALLBACKS 0U
#define USE_HAL_OPAMP_REGISTER_CALLBACKS 0U
#define USE_HAL_OSPI_REGISTER_CALLBACKS 0U
#define USE_HAL_OTFDEC_REGISTER_CALLBACKS 0U
#define USE_HAL_PCD_REGISTER_CALLBACKS 0U
#define USE_HAL_PSSI_REGISTER_CALLBACKS 0U
#define USE_HAL_QSPI_REGISTER_CALLBACKS 0U
#define USE_HAL_RNG_REGISTER_CALLBACKS 0U
#define USE_HAL_RTC_REGISTER_CALLBACKS 0U
#define USE_HAL_SAI_REGISTER_CALLBACKS 0U
#define USE_HAL_SD_REGISTER_CALLBACKS 0U
#define USE_HAL_SDRAM_REGISTER_CALLBACKS 0U
#define USE_HAL_SMARTCARD_REGISTER_CALLBACKS 0U
#define USE_HAL_SMBUS_REGISTER_CALLBACKS 0U
#define USE_HAL_SPDIFRX_REGISTER_CALLBACKS 0U
#define USE_HAL_SPI_REGISTER_CALLBACKS 0U
#define USE_HAL_SRAM_REGISTER_CALLBACKS 0U
#define USE_HAL_SWPMI_REGISTER_CALLBACKS 0U
#define USE_HAL_TIM_REGISTER_CALLBACKS 0U
#define USE_HAL_UART_REGISTER_CALLBACKS 0U
#define USE_HAL_USART_REGISTER_CALLBACKS 0U
#define USE_HAL_WWDG_REGISTER_CALLBACKS 0U
#define USE_HAL_XSPI_REGISTER_CALLBACKS 0U
/* ------------------------- SPI peripheral configuration ------------------ */
#define USE_SPI_CRC 0U
/* ------------------------- Assertion ------------------------------------- */
/* #define USE_FULL_ASSERT 1U */
#define assert_param(expr) ((void)0U)
/* ------------------------- Ethernet Configuration ------------------------ */
#define ETH_TX_DESC_CNT 4U
#define ETH_RX_DESC_CNT 4U
#define ETH_MAC_ADDR0 0x02U
#define ETH_MAC_ADDR1 0x00U
#define ETH_MAC_ADDR2 0x00U
#define ETH_MAC_ADDR3 0x00U
#define ETH_MAC_ADDR4 0x00U
#define ETH_MAC_ADDR5 0x00U
/* ------------------------- Include HAL headers --------------------------- */
/**
* @brief Include module's header file
*/
#ifdef HAL_RCC_MODULE_ENABLED
#include "stm32h7xx_hal_rcc.h"
#endif /* HAL_RCC_MODULE_ENABLED */
#ifdef HAL_GPIO_MODULE_ENABLED
#include "stm32h7xx_hal_gpio.h"
#endif /* HAL_GPIO_MODULE_ENABLED */
#ifdef HAL_DMA_MODULE_ENABLED
#include "stm32h7xx_hal_dma.h"
#endif /* HAL_DMA_MODULE_ENABLED */
#ifdef HAL_CORTEX_MODULE_ENABLED
#include "stm32h7xx_hal_cortex.h"
#endif /* HAL_CORTEX_MODULE_ENABLED */
#ifdef HAL_EXTI_MODULE_ENABLED
#include "stm32h7xx_hal_exti.h"
#endif /* HAL_EXTI_MODULE_ENABLED */
#ifdef HAL_FLASH_MODULE_ENABLED
#include "stm32h7xx_hal_flash.h"
#endif /* HAL_FLASH_MODULE_ENABLED */
#ifdef HAL_PWR_MODULE_ENABLED
#include "stm32h7xx_hal_pwr.h"
#endif /* HAL_PWR_MODULE_ENABLED */
#ifdef HAL_RNG_MODULE_ENABLED
#include "stm32h7xx_hal_rng.h"
#endif /* HAL_RNG_MODULE_ENABLED */
/* CRYP enabled for AES_GCM only */
#ifdef HAL_CRYP_MODULE_ENABLED
#include "stm32h7xx_hal_cryp.h"
#endif
/* #ifdef HAL_HASH_MODULE_ENABLED
#include "stm32h7xx_hal_hash.h"
#endif */
/* Exported macro ------------------------------------------------------------*/
#ifdef USE_FULL_ASSERT
/**
* @brief The assert_param macro is used for function's parameters check.
* @param expr: If expr is false, it calls assert_failed function
* which reports the name of the source file and the source
* line number of the call that failed.
* If expr is true, it returns no value.
* @retval None
*/
#define assert_param(expr) ((expr) ? (void)0U : assert_failed((uint8_t *)__FILE__, __LINE__))
/* Exported functions ------------------------------------------------------- */
void assert_failed(uint8_t *file, uint32_t line);
#else
#define assert_param(expr) ((void)0U)
#endif /* USE_FULL_ASSERT */
#ifdef __cplusplus
}
#endif
#endif /* STM32H7xx_HAL_CONF_H */

View File

@@ -0,0 +1,24 @@
set(CMAKE_SYSTEM_NAME Generic)
set(CMAKE_SYSTEM_PROCESSOR arm)
set(CMAKE_TRY_COMPILE_TARGET_TYPE STATIC_LIBRARY)
set(CMAKE_C_COMPILER arm-none-eabi-gcc)
set(CMAKE_CXX_COMPILER arm-none-eabi-g++)
set(CMAKE_ASM_COMPILER arm-none-eabi-gcc)
set(CMAKE_AR arm-none-eabi-ar)
set(CMAKE_RANLIB arm-none-eabi-ranlib)
set(CMAKE_C_STANDARD 11)
set(CPU_FLAGS "-mcpu=cortex-m7 -mthumb -mfpu=fpv5-d16 -mfloat-abi=hard")
set(OPT_FLAGS "-Os -ffunction-sections -fdata-sections")
set(CMSIS_INCLUDES "-I/opt/cmsis-device-h7/Include -I/opt/CMSIS_5/CMSIS/Core/Include -I/opt/firmware")
set(CMAKE_C_FLAGS_INIT "${CPU_FLAGS} ${OPT_FLAGS} ${CMSIS_INCLUDES} -DSTM32H753xx")
set(CMAKE_CXX_FLAGS_INIT "${CPU_FLAGS} ${OPT_FLAGS} ${CMSIS_INCLUDES} -DSTM32H753xx")
set(CMAKE_ASM_FLAGS_INIT "${CPU_FLAGS}")
set(CMAKE_EXE_LINKER_FLAGS_INIT "-Wl,--gc-sections -static")

View File

@@ -0,0 +1,95 @@
/* user_settings_renode.h - wolfSSL/wolfCrypt configuration for STM32H753 under Renode
*
* Minimal, semihosting-friendly build for Cortex-M7 / STM32H753.
* Hardware RNG and CRYPTO (AES-GCM only) are enabled via Renode's STM32H753 emulation.
* HASH is disabled as Renode doesn't implement the HASH peripheral.
*/
#ifndef USER_SETTINGS_RENODE_H
#define USER_SETTINGS_RENODE_H
/* ------------------------- Platform ------------------------------------- */
#define WOLFSSL_ARM_CORTEX_M
#define WOLFSSL_STM32H7 /* STM32H7 series (includes H753) */
#define WOLFSSL_STM32_CUBEMX /* Use STM32 HAL for CRYPTO */
/* NO_STM32_CRYPTO is NOT defined, so CRYPTO will be enabled */
/* Disable HASH - Renode doesn't implement HASH peripheral */
#define NO_STM32_HASH
/* Required for consistent math library settings (CTC_SETTINGS) */
#define SIZEOF_LONG 4
#define SIZEOF_LONG_LONG 8
/* ------------------------- Threading / OS ------------------------------- */
#define SINGLE_THREADED
/* ------------------------- Filesystem / I/O ----------------------------- */
#define WOLFSSL_NO_CURRDIR
#define NO_FILESYSTEM
#define NO_WRITEV
/* ------------------------- wolfCrypt Only ------------------------------- */
#define WOLFCRYPT_ONLY
#define NO_DH
#define NO_DSA
/* Disable DES/3DES - Renode CRYPTO only supports AES_GCM */
#define NO_DES
#define NO_DES3
/* ------------------------- AES Mode Configuration ----------------------- */
/* Disable all AES modes except GCM - Renode CRYPTO only supports AES_GCM */
/* NO_AES_CBC prevents HAVE_AES_CBC from being defined in settings.h */
#define NO_AES_CBC
/* ------------------------- RNG Configuration ---------------------------- */
/* Enable STM32 hardware RNG (emulated by Renode) using direct register access */
#define WOLFSSL_STM32_RNG_NOLIB
/* NO_STM32_RNG is NOT defined, so STM32_RNG will be auto-enabled */
#define NO_DEV_RANDOM
#define HAVE_HASHDRBG
/* ------------------------- Math Library --------------------------------- */
/* Use SP Math (Single Precision) - modern, efficient, and secure */
#define WOLFSSL_SP_MATH_ALL
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_DH
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_ARM_CORTEX_M_ASM
#define SP_WORD_SIZE 32
/* ------------------------- Crypto Hardening ----------------------------- */
#define WC_RSA_BLINDING
#define ECC_TIMING_RESISTANT
/* ------------------------- Size Optimization ---------------------------- */
#define WOLFSSL_SMALL_STACK
/* ------------------------- Test Configuration --------------------------- */
/* Use smaller key sizes for faster test runs in emulation */
#define BENCH_EMBEDDED
/* Use our own main() instead of the one in test.c */
#define NO_MAIN_DRIVER
/* ------------------------- Post-options.h cleanup ----------------------- */
/* Ensure unsupported AES modes stay disabled even after options.h processing */
/* These undefs will be processed after options.h includes, preventing
* Renode-unsupported modes from being used */
#ifdef HAVE_AES_CBC
#undef HAVE_AES_CBC
#endif
#ifdef HAVE_AES_ECB
#undef HAVE_AES_ECB
#endif
#ifdef HAVE_AES_CTR
#undef HAVE_AES_CTR
#endif
#ifdef HAVE_AES_CFB
#undef HAVE_AES_CFB
#endif
#ifdef HAVE_AES_OFB
#undef HAVE_AES_OFB
#endif
#endif /* USER_SETTINGS_RENODE_H */

34
.github/workflows/ada.yml vendored Normal file
View File

@@ -0,0 +1,34 @@
name: WolfSSL Ada Build Tests
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
jobs:
build:
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Install gnat
run: |
sudo apt-get update
sudo apt-get install -y gnat gprbuild
- name: Checkout wolfssl
uses: actions/checkout@master
with:
repository: wolfssl/wolfssl
path: wolfssl
- name: Build wolfssl Ada
working-directory: ./wolfssl/wrapper/Ada
run: |
mkdir obj
gprbuild default.gpr
gprbuild examples.gpr

465
.github/workflows/arduino.yml vendored Normal file
View File

@@ -0,0 +1,465 @@
name: Arduino CI Build (1 of 4) wolfssl
#
# Test fetches wolfssl-examples/Arduino and uses local, latest github master branch wolfssl
#
# These 4 workflows across 3 repos are interdependent for the current $REPO_OWNER:
#
# THIS Arduino CI Build 1: https://github.com/$REPO_OWNER/wolfssl # /.github/workflows/arduino.yml
# - Builds Arduino library from local clone of wolfssl master branch
# - Fetches examples from https://github.com/$REPO_OWNER/wolfssl-examples
#
# Arduino CI Build 2: https://github.com/$REPO_OWNER/wolfssl-examples # /.github/workflows/arduino-release.yml
# - Tests examples based on latest published release of Arduino library, NOT latest on wolfssl github.
# - Should be identical to Arduino CI Build 3 in every way but wolfssl install.
# - Copies only compile script from wolfssl-examples
# - Builds local examples
# - No other repos used
#
# Arduino CI Build 3: https://github.com/$REPO_OWNER/wolfssl-examples # /.github/workflows/arduino.yml
# - Fetches current wolfSSL from https://github.com/$REPO_OWNER/wolfssl
# - Creates an updated Arduino library
# - Compiles local examples
# - Contains the source of `compile-all-examples.sh` and respective board-list.txt
#
# Arduino CI Build 4: https://github.com/$REPO_OWNER/Arduino-wolfssl # /.github/workflows/arduino.yml
# - Assembles and installs an updated Arduino wolfssl library from LOCAL wolfssl master source
# - Copies only compile script copied from wolfssl-examples
# - Builds local examples
# - No other repos used
#
#
# ** NOTE TO MAINTAINERS **
#
# Consider using winmerge or similar tool to keep the 4 arduino[-release].yml files in relative sync.
# Although there are some specific differences, most of the contents are otherwise identical.
#
# See https://github.com/wolfSSL/Arduino-wolfSSL
#
# To test locally:
# cd [your WOLFSSL_ROOT], e.g. cd /mnt/c/workspace/wolfssl-$USER
# [optional checkout] e.g. git checkout tags/v5.8.4-stable
# pushd ./IDE/ARDUINO
# export ARDUINO_ROOT="$HOME/Arduino/libraries"
# ./wolfssl-arduino.sh INSTALL
# cd [your WOLFSSL_EXAMPLES_ROOT] e.g. /mnt/c/workspace/wolfssl-examples-$USER
#
# START OF COMMON SECTION
on:
push:
branches: [ '**', 'master', 'main', 'release/**' ]
paths:
# Specific to this Arduino CI Build (1 of 4)
- '.github/workflows/arduino.yml'
- 'IDE/ARDUINO/**'
- 'src/**'
- 'wolfcrypt/**'
- 'wolfssl/**'
pull_request:
branches: [ '**' ]
paths:
- '.github/workflows/arduino.yml'
- 'IDE/ARDUINO/**'
- 'src/**'
- 'wolfcrypt/**'
- 'wolfssl/**'
workflow_dispatch:
concurrency:
# Same branch push cancels other jobs. Other PR branches untouched
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build:
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
fqbn:
# When editing this list, be sure to also edit file: board_list.txt
# The compile-all-examples.sh optionally takes a FQBN parameter to
# optionally compile all examples ONLY for the respective fully qualified board name.
# See https://github.com/wolfSSL/wolfssl-examples/blob/master/Arduino/sketches/board_list.txt
- arduino:avr:ethernet
- arduino:avr:leonardoeth
- arduino:avr:mega
- arduino:avr:nano
- arduino:avr:uno
- arduino:avr:yun
- arduino:samd:mkrwifi1010
- arduino:samd:mkr1000
- arduino:samd:mkrfox1200
- arduino:mbed_edge:edge_control
- arduino:mbed_nano:nanorp2040connect
- arduino:mbed_portenta:envie_m7
- arduino:mbed_portenta:portenta_x8
- arduino:renesas_uno:unor4wifi
- arduino:sam:arduino_due_x
- arduino:samd:arduino_zero_native
- arduino:samd:tian
- esp32:esp32:esp32
- esp32:esp32:esp32s2
- esp32:esp32:esp32s3
- esp32:esp32:esp32c3
- esp32:esp32:esp32c6
- esp32:esp32:esp32h2
- esp8266:esp8266:generic
- teensy:avr:teensy40
# Not yet supported, not in standard library
# - esp32:esp32:nano_nora
# End strategy matrix
env:
REPO_OWNER: ${{ github.repository_owner }}
steps:
- name: Free disk space
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf /usr/local/lib/android
sudo rm -rf /opt/ghc
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo apt-get clean
df -h
- name: Checkout Repository
uses: actions/checkout@v4
- name: Install Arduino CLI
run: |
# Script to fetch and run install.sh from arduino/arduino-cli
# The install script will test to see if the recently installed apps in the path
# So set it up in advance:
mkdir -p "${PWD}/bin"
echo "${PWD}/bin" >> $GITHUB_PATH
# Sets the install directory to a consistent path at the repo root.
ROOT_BIN="$GITHUB_WORKSPACE/bin"
# Ensures that BINDIR exists before the installer runs
mkdir -p "$ROOT_BIN"
# Save as a global environment variable
echo "$ROOT_BIN" >> "$GITHUB_PATH"
# Download and run install script from Arduino:
# -S show errors; -L follow redirects; -v Verbose
set +e # don't abort on error
set -o pipefail
curl -vSL --retry 5 --retry-delay 10 \
https://raw.githubusercontent.com/arduino/arduino-cli/master/install.sh \
| sh -x
rc=$?
c_rc=${PIPESTATUS[0]} # curl's exit code
s_rc=${PIPESTATUS[1]} # sh's exit code
set -e # restore default abort-on-error
# If there was a curl error, we have our own local copy that is more reliable and can add our own debugging
if [ "$rc" -ne 0 ]; then
echo "Primary install failed: curl=$c_rc, sh=$s_rc. Falling back..." >&2
echo "Using local copy of arduino_install.sh"
pushd ./Arduino/sketches
chmod +x ./arduino_install.sh
# Mimic curl install, does not use current directory:
BINDIR="$ROOT_BIN" sh -x ./arduino_install.sh
popd
else
echo "Alternative install script not needed."
fi
- name: Confirm Arduino CLI Install
run: arduino-cli version
- name: Derive CORE_ID (vendor:arch from FQBN)
run: |
CORE_ID="$(echo '${{ matrix.fqbn }}' | cut -d: -f1-2)"
echo "CORE_ID=$CORE_ID" >> "$GITHUB_ENV"
- name: Setup Arduino CLI
run: |
arduino-cli config init
# wait 10 minutes for big downloads (or use 0 for no limit)
arduino-cli config set network.connection_timeout 600s
arduino-cli config add board_manager.additional_urls https://www.pjrc.com/teensy/package_teensy_index.json
arduino-cli config add board_manager.additional_urls https://arduino.esp8266.com/stable/package_esp8266com_index.json
arduino-cli core update-index
echo "CORE_ID: $CORE_ID"
arduino-cli core install "$CORE_ID"
# The above is instead of:
# arduino-cli core install esp32:esp32 # ESP32
# arduino-cli core install arduino:avr # Arduino Uno, Mega, Nano
# arduino-cli core install arduino:sam # Arduino Due
# arduino-cli core install arduino:samd # Arduino Zero
# arduino-cli core install teensy:avr # PJRC Teensy
# arduino-cli core install esp8266:esp8266 # ESP8266
# arduino-cli core install arduino:mbed_nano # nanorp2040connect
# arduino-cli core install arduino:mbed_portenta # portenta_h7_m7
# arduino-cli core install arduino:mbed_edge
# arduino-cli core install arduino:renesas_uno
# For reference:
# mbed nano not yet tested
# sudo "/home/$USER/.arduino15/packages/arduino/hardware/mbed_nano/4.2.4/post_install.sh"
# Always install networking (not part of FQBN matrix)
# The first one also creates directory: /home/runner/Arduino/libraries
arduino-cli lib install "ArduinoJson" # Example dependency
arduino-cli lib install "WiFiNINA" # ARDUINO_SAMD_NANO_33_IOT
arduino-cli lib install "Ethernet" # Install Ethernet library
arduino-cli lib install "Bridge" # Pseudo-network for things like arduino:samd:tian
- name: Set Job Environment Variables
run: |
# Script to assign some common environment variables after everything is installed
ICON_OK=$(printf "\xE2\x9C\x85")
ICON_FAIL=$(printf "\xE2\x9D\x8C")
echo "GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")" >> "$GITHUB_ENV"
echo "ARDUINO_ROOT=$(realpath "$HOME/Arduino/libraries")" >> "$GITHUB_ENV"
# Show predefined summary:
echo "GITHUB_WORKSPACE = $GITHUB_WORKSPACE"
# Show assigned build:env values (e.g. "wolfssl", "gojimmpi" or other owners):
echo "REPO_OWNER = $REPO_OWNER"
echo "GITHUB_ENV=$GITHUB_ENV"
# Show our custom values:
echo "GITHUB_WORK = $GITHUB_WORK"
echo "ARDUINO_ROOT = $ARDUINO_ROOT"
# WOLFSSL_EXAMPLES_ROOT is the repo root, not example location
echo "WOLFSSL_EXAMPLES_ROOT = $WOLFSSL_EXAMPLES_ROOT"
- name: Cache Arduino Packages
uses: actions/cache@v4
with:
path: |
~/.arduino15
~/.cache/arduino
# Exclude staging directory from cache to save space
!~/.arduino15/staging
# Arduino libraries
# Specific to Arduino CI Build (2 of 4) Arduinbo Release wolfSSL for Local Examples
# Include all libraries, as the latest Arduino-wolfSSL will only change upon release.
~/Arduino/libraries
# Ensure wolfssl is not cached, we're always using the latest. See separate cache.
!~/Arduino/libraries/wolfssl
key: arduino-${{ runner.os }}-${{ env.CORE_ID }}-${{ hashFiles('Arduino/sketches/board_list.txt') }}
restore-keys: |
arduino-${{ runner.os }}-${{ env.CORE_ID }}-
arduino-${{ runner.os }}-
- name: Get wolfssl-examples
run: |
# Fetch Arduino examples from the wolfssl-examples repo
echo "Start pwd:"
pwd
# we're typically in $GITHUB_WORKSPACE=/home/runner/work/wolfssl/wolfssl
# goto /home/runner/work to fetch wolfssl-examples
echo "Current pwd for wolfssl-examples clone fetch: $(pwd)"
GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")
echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
# Typically /home/runner/work
echo "GITHUB_WORK=$GITHUB_WORK"
pushd "$GITHUB_WORK"
echo "Updated pwd for wolfssl-examples clone fetch: $(pwd)"
git clone --depth 1 https://github.com/$REPO_OWNER/wolfssl-examples.git wolfssl-examples-publish
cd ./wolfssl-examples-publish
echo "WOLFSSL_EXAMPLES_ROOT=$(pwd)"
echo "Path for wolfssl-examples-publish: $(pwd)"
popd # GITHUB_WORK
# ** END ** Get wolfssl-examples
- name: Install wolfSSL Arduino library
run: |
# Run the local wolfssl-arduino.sh install script to install wolfssl Arduino library.
echo "Installing wolfSSL Arduino library (no cache hit)."
rm -rf "$ARDUINO_ROOT/wolfssl"
# Methods of installing Arduino library:
# 1) arduino-cli lib install "wolfSSL"
# 2) manual copy of files (typical of the Arduino-wolfssl repo)
# 3) run ./wolfssl-arduino.sh INSTALL (typical of the wolfssl repo)
echo "Current pwd for wolfssl-examples clone fetch: $(pwd)"
GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")
echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
# Typically /home/runner/work
echo "GITHUB_WORK=$GITHUB_WORK"
pwd
pushd ./IDE/ARDUINO
# Set default ARDUINO_ROOT to Arduino library.
export ARDUINO_ROOT="$HOME/Arduino/libraries"
export WOLFSSL_EXAMPLES_ROOT="$GITHUB_WORK/wolfssl-examples-publish"
echo "ARDUINO_ROOT: $WOLFSSL_EXAMPLES_ROOT"
echo "WOLFSSL_EXAMPLES_ROOT: $WOLFSSL_EXAMPLES_ROOT"
bash ./wolfssl-arduino.sh INSTALL # Install wolfSSL library
popd
# ** END ** Install wolfSSL Arduino library
- name: List installed Arduino libraries
run: arduino-cli lib list
- name: Get compile-all-examples.sh
run: |
# Fetch compile script FROM THE CURRENT OWNER.
# This repo is Arduino-wolfssl; we'll fetch the script from the wolfssl-examples for the same repository owner.
echo "Repository owner: $REPO_OWNER"
echo "Current directory: $PWD"
echo "Current pwd for wolfssl-examples clone fetch: $PWD"
WOLFSSL_EXAMPLES_DIRECTORY="$ARDUINO_ROOT/wolfssl/examples"
THIS_BOARD_LIST="board_list.txt"
echo "WOLFSSL_EXAMPLES_DIRECTORY=$WOLFSSL_EXAMPLES_DIRECTORY"
# Fetch script and board list into WOLFSSL_EXAMPLES_DIRECTORY
echo "Fetching board_list.txt from REPO_OWNER=$REPO_OWNER"
curl -L "https://raw.githubusercontent.com/$REPO_OWNER/wolfssl-examples/master/Arduino/sketches/board_list.txt" \
-o "$WOLFSSL_EXAMPLES_DIRECTORY/$THIS_BOARD_LIST"
# Check if the first line is "404: Not Found" - which would indicate the curl path above is bad.
FILE="$WOLFSSL_EXAMPLES_DIRECTORY/board_list.txt"
# Ensure the file exists
if [[ ! -f "$FILE" ]]; then
echo "File not found: $FILE"
exit 1
fi
# Check if the first line is "404: Not Found"
if [[ $(head -n 1 "$FILE") == "404: Not Found" ]]; then
echo "The first line is '404: Not Found'"
exit 1
fi
# Fetch the compile script from repo: https://github.com/[$USER]/wolfssl-examples/
echo "Fetching compile-all-examples.sh from REPO_OWNER=$REPO_OWNER"
curl -L "https://raw.githubusercontent.com/$REPO_OWNER/wolfssl-examples/master/Arduino/sketches/compile-all-examples.sh" \
-o "$WOLFSSL_EXAMPLES_DIRECTORY/compile-all-examples.sh"
# Check if the first line is "404: Not Found" - which would indicate the curl path above is bad.
FILE="$WOLFSSL_EXAMPLES_DIRECTORY/compile-all-examples.sh"
# Ensure the file exists
if [[ ! -f "$FILE" ]]; then
echo "File not found: $FILE"
exit 1
fi
# Check if the first line is "404: Not Found"
if [[ $(head -n 1 "$FILE") == "404: Not Found" ]]; then
echo "The first line is '404: Not Found'"
exit 1
fi
pushd "$WOLFSSL_EXAMPLES_DIRECTORY"
echo "Current directory: $PWD"
echo "Current directory $PWD"
echo "Contents:"
ls -al
find ./ -type f | sort
# ensure we can execute the script here (permissions lost during curl fetch)
chmod +x ./compile-all-examples.sh
echo "Found compile script: $(ls -al ./compile-all-examples.sh ./$THIS_BOARD_LIST)"
popd
# ** END ** Get compile-all-examples.sh
# This will fail with Arduino published wolfSSL v5.7.6 and older
# as the examples moved. See https://github.com/wolfSSL/wolfssl/pull/8514
#
- name: Compile Arduino Sketches for Various Boards
run: |
# Call the compile-all-examples.sh script to compile all the examples for each of the fqbn names in the local copy of board_list.txt
echo "Current directory: $PWD"
echo "ARDUINO_ROOT: $ARDUINO_ROOT"
WOLFSSL_EXAMPLES_DIRECTORY="$ARDUINO_ROOT/wolfssl/examples"
echo "WOLFSSL_EXAMPLES_DIRECTORY: $WOLFSSL_EXAMPLES_DIRECTORY"
# Limit the number of jobs to 1 to avoid running out of memory
export ARDUINO_CLI_MAX_JOBS=1
echo "Change directory to Arduino examples..."
pushd "$WOLFSSL_EXAMPLES_DIRECTORY"
chmod +x ./compile-all-examples.sh
# The script expects all the examples to be in the current directory.
# Along with ./board_list.txt from examples repo
echo "Current directory: $PWD"
echo "Calling ./compile-all-examples.sh"
bash ./compile-all-examples.sh ./board_list.txt "${{ matrix.fqbn }}"
popd
# End Compile Arduino Sketches for Various Boards
- name: Cleanup to Save Disk Space
if: always()
run: |
echo "Disk usage before cleanup:"
df -h
echo ""
echo "Cleaning up build artifacts and temporary files..."
# Clean up Arduino build artifacts
find ~/Arduino -name "*.hex" -delete 2>/dev/null || true
find ~/Arduino -name "*.elf" -delete 2>/dev/null || true
find ~/Arduino -name "*.bin" -delete 2>/dev/null || true
find ~/Arduino -name "build" -type d -exec rm -rf {} + 2>/dev/null || true
rm -rf ~/.arduino15/packages/esp32/tools || true
rm -rf ~/.arduino15/packages/esp32/hardware || true
rm -rf ~/.espressif || true
# Clean up staging directories
rm -rf ~/.arduino15/staging/* || true
rm -rf ~/.cache/arduino/* || true
# Clean up git clone of wolfssl-examples
GITHUB_WORK=$(realpath "$GITHUB_WORKSPACE/../..")
rm -rf "$GITHUB_WORK/wolfssl-examples-publish" || true
# Clean up any temporary files in workspace
find "$GITHUB_WORKSPACE" -name "*.o" -delete 2>/dev/null || true
find "$GITHUB_WORKSPACE" -name "*.a" -delete 2>/dev/null || true
echo ""
echo "Disk usage after cleanup:"
df -h

View File

@@ -1,7 +1,16 @@
name: Async Tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
@@ -9,25 +18,26 @@ jobs:
matrix:
config: [
# Add new configs here
'--enable-asynccrypt --enable-all --enable-dtls13',
'--enable-asynccrypt-sw --enable-ocspstapling --enable-ocspstapling2',
'--enable-ocsp CFLAGS="-DTEST_NONBLOCK_CERTS"',
'--enable-asynccrypt --enable-all --enable-dtls13 CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFCRYPT_TEST_LINT"',
'--enable-asynccrypt-sw --enable-ocspstapling --enable-ocspstapling2 CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
'--enable-ocsp CFLAGS="-DTEST_NONBLOCK_CERTS -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
]
name: make check
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test wolfSSL async
run: |
./async-check.sh install
./autogen.sh
./configure ${{ matrix.config }}
make check
- name: Print errors
- name: Print errors
if: ${{ failure() }}
run: |
if [ -f test-suite.log ] ; then

93
.github/workflows/bind.yml vendored Normal file
View File

@@ -0,0 +1,93 @@
name: bind9 Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all
install: true
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-bind
path: build-dir.tgz
retention-days: 5
bind_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
ref: [ 9.18.0, 9.18.28, 9.18.33 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-bind
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Install dependencies
run: |
# Don't prompt for anything
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
# hostap dependencies
sudo apt-get install -y libuv1-dev libnghttp2-dev libcap-dev libcmocka-dev
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout bind9
uses: actions/checkout@v4
with:
repository: isc-projects/bind9
path: bind
ref: v${{ matrix.ref }}
- name: Build and test bind9
working-directory: bind
run: |
export PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig
patch -p1 < $GITHUB_WORKSPACE/osp/bind9/${{ matrix.ref }}.patch
autoreconf -ivf
./configure --with-wolfssl
sed -i 's/SUBDIRS = system//g' bin/tests/Makefile # remove failing tests
make -j V=1
make -j V=1 check

126
.github/workflows/cmake.yml vendored Normal file
View File

@@ -0,0 +1,126 @@
name: WolfSSL CMake Build Tests
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
jobs:
build:
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
steps:
# pull wolfSSL
- uses: actions/checkout@master
# install cmake
- name: Install cmake
run: |
sudo apt-get update
sudo apt-get install -y cmake
# pull wolfssl
- name: Checkout wolfssl
uses: actions/checkout@master
with:
repository: wolfssl/wolfssl
path: wolfssl
# build wolfssl
- name: Build wolfssl
working-directory: ./wolfssl
run: |
mkdir build
cd build
cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
-DWOLFSSL_16BIT:BOOL=no -DWOLFSSL_32BIT:BOOL=no -DWOLFSSL_AES:BOOL=yes \
-DWOLFSSL_AESCBC:BOOL=yes -DWOLFSSL_AESCCM:BOOL=yes -DWOLFSSL_AESCFB:BOOL=yes \
-DWOLFSSL_AESCTR:BOOL=yes -DWOLFSSL_AESGCM:STRING=yes -DWOLFSSL_AESKEYWRAP:BOOL=yes \
-DWOLFSSL_AESOFB:BOOL=yes -DWOLFSSL_AESSIV:BOOL=yes -DWOLFSSL_ALIGN_DATA:BOOL=yes \
-DWOLFSSL_ALPN:BOOL=ON -DWOLFSSL_ALT_CERT_CHAINS:BOOL=ON -DWOLFSSL_ARC4:BOOL=yes \
-DWOLFSSL_ARIA:BOOL=no -DWOLFSSL_ASIO:BOOL=no -DWOLFSSL_ASM:BOOL=yes -DWOLFSSL_ASN:BOOL=yes \
-DWOLFSSL_ASYNC_THREADS:BOOL=no -DWOLFSSL_BASE64_ENCODE:BOOL=yes -DWOLFSSL_CAAM:BOOL=no \
-DWOLFSSL_CERTEXT:BOOL=yes -DWOLFSSL_CERTGEN:BOOL=yes -DWOLFSSL_CERTGENCACHE:BOOL=no \
-DWOLFSSL_CERTREQ:BOOL=yes -DWOLFSSL_CHACHA:STRING=yes -DWOLFSSL_CMAC:BOOL=yes \
-DWOLFSSL_CODING:BOOL=yes -DWOLFSSL_CONFIG_H:BOOL=yes -DWOLFSSL_CRL:STRING=yes \
-DWOLFSSL_CRYPTOCB:BOOL=yes -DWOLFSSL_CRYPTOCB_NO_SW_TEST:BOOL=no \
-DWOLFSSL_CRYPT_TESTS:BOOL=yes -DWOLFSSL_CRYPT_TESTS_HELP:BOOL=no \
-DWOLFSSL_CRYPT_TESTS_LIBS:BOOL=no -DWOLFSSL_CURL:BOOL=yes -DWOLFSSL_CURVE25519:STRING=yes \
-DWOLFSSL_CURVE448:STRING=yes -DWOLFSSL_DEBUG:BOOL=yes -DWOLFSSL_DES3:BOOL=ON \
-DWOLFSSL_DES3_TLS_SUITES:BOOL=no -DWOLFSSL_DH:STRING=yes -DWOLFSSL_DH_DEFAULT_PARAMS:BOOL=yes \
-DWOLFSSL_DSA:BOOL=yes -DWOLFSSL_DTLS:BOOL=ON -DWOLFSSL_DTLS13:BOOL=yes \
-DWOLFSSL_DTLS_CID:BOOL=yes -DWOLFSSL_ECC:STRING=yes \
-DWOLFSSL_ECCCUSTCURVES:STRING=all -DWOLFSSL_ECCSHAMIR:BOOL=yes \
-DWOLFSSL_ECH:BOOL=yes -DWOLFSSL_ED25519:BOOL=yes -DWOLFSSL_ED448:STRING=yes \
-DWOLFSSL_ENCKEYS:BOOL=yes -DWOLFSSL_ENC_THEN_MAC:BOOL=yes -DWOLFSSL_ERROR_QUEUE:BOOL=yes \
-DWOLFSSL_ERROR_STRINGS:BOOL=yes -DWOLFSSL_EXAMPLES:BOOL=yes -DWOLFSSL_EXPERIMENTAL:BOOL=yes \
-DWOLFSSL_EXTENDED_MASTER:BOOL=yes -DWOLFSSL_EX_DATA:BOOL=yes -DWOLFSSL_FAST_MATH:BOOL=no \
-DWOLFSSL_FILESYSTEM:BOOL=yes -DWOLFSSL_HARDEN:BOOL=yes -DWOLFSSL_HASH_DRBG:BOOL=yes \
-DWOLFSSL_HKDF:BOOL=yes -DWOLFSSL_HPKE:BOOL=yes -DWOLFSSL_HRR_COOKIE:STRING=yes \
-DWOLFSSL_INLINE:BOOL=yes -DWOLFSSL_INSTALL:BOOL=yes -DWOLFSSL_IP_ALT_NAME:BOOL=ON \
-DWOLFSSL_KEYGEN:BOOL=yes -DWOLFSSL_KEYING_MATERIAL:BOOL=ON \
-DWOLFSSL_MD4:BOOL=ON -DWOLFSSL_MD5:BOOL=yes -DWOLFSSL_MEMORY:BOOL=yes -DWOLFSSL_NO_STUB:BOOL=no \
-DWOLFSSL_OAEP:BOOL=yes -DWOLFSSL_OCSP:BOOL=yes -DWOLFSSL_OCSPSTAPLING:BOOL=ON \
-DWOLFSSL_OCSPSTAPLING_V2:BOOL=ON -DWOLFSSL_OLD_NAMES:BOOL=yes -DWOLFSSL_OLD_TLS:BOOL=yes \
-DWOLFSSL_OPENSSLALL:BOOL=yes -DWOLFSSL_OPENSSLEXTRA:BOOL=ON -DWOLFSSL_OPTFLAGS:BOOL=yes \
-DWOLFSSL_OQS:BOOL=no -DWOLFSSL_PKCALLBACKS:BOOL=yes -DWOLFSSL_PKCS12:BOOL=yes \
-DWOLFSSL_PKCS7:BOOL=yes -DWOLFSSL_POLY1305:BOOL=yes -DWOLFSSL_POSTAUTH:BOOL=yes \
-DWOLFSSL_PWDBASED:BOOL=yes -DWOLFSSL_QUIC:BOOL=yes -DWOLFSSL_REPRODUCIBLE_BUILD:BOOL=no \
-DWOLFSSL_RNG:BOOL=yes -DWOLFSSL_RSA:BOOL=yes -DWOLFSSL_RSA_PSS:BOOL=yes \
-DWOLFSSL_SESSION_TICKET:BOOL=ON -DWOLFSSL_SHA:BOOL=yes -DWOLFSSL_SHA224:BOOL=yes \
-DWOLFSSL_SHA3:STRING=yes -DWOLFSSL_SHA384:BOOL=yes -DWOLFSSL_SHA512:BOOL=yes \
-DWOLFSSL_SHAKE128:STRING=yes -DWOLFSSL_SHAKE256:STRING=yes -DWOLFSSL_SINGLE_THREADED:BOOL=no \
-DWOLFSSL_SNI:BOOL=yes -DWOLFSSL_SP_MATH_ALL:BOOL=yes -DWOLFSSL_SRTP:BOOL=yes \
-DWOLFSSL_STUNNEL:BOOL=yes -DWOLFSSL_SUPPORTED_CURVES:BOOL=yes -DWOLFSSL_SYS_CA_CERTS:BOOL=yes \
-DWOLFSSL_TICKET_NONCE_MALLOC:BOOL=yes -DWOLFSSL_TLS13:BOOL=yes -DWOLFSSL_TLSV12:BOOL=yes \
-DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
-DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
-DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
-DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
-DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
-DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
..
cmake --build .
ctest -j $(nproc)
cmake --install .
# clean up
cd ..
rm -rf build
# build "lean-tls" wolfssl
- name: Build wolfssl with lean-tls
working-directory: ./wolfssl
run: |
mkdir build
cd build
cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
-DWOLFSSL_LEAN_TLS:BOOL=yes \
..
cmake --build .
cmake --install .
# clean up
cd ..
rm -rf build
# CMake build with user_settings.h
- name: Build wolfssl with user_settings.h
working-directory: ./wolfssl
run: |
mkdir build
cp examples/configs/user_settings_all.h ./build/user_settings.h
cd build
cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
-DWOLFSSL_USER_SETTINGS=ON -DWOLFSSL_USER_SETTINGS_ASM=ON -DWOLFSSL_EXAMPLES=ON -DWOLFSSL_CRYPT_TESTS=ON \
-DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -I ." \
..
cmake --build .
ctest -j $(nproc)
cmake --install .
# clean up
cd ..
rm -rf build

30
.github/workflows/codespell.yml vendored Normal file
View File

@@ -0,0 +1,30 @@
name: Codespell test
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
codespell:
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: codespell-project/actions-codespell@v2.1
with:
check_filenames: true
check_hidden: true
# Add comma separated list of words that occur multiple times that should be ignored (sorted alphabetically, case sensitive)
ignore_words_list: adin,aNULL,brunch,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te,HSI,failT,
# The exclude_file contains lines of code that should be ignored. This is useful for individual lines which have non-words that can safely be ignored.
exclude_file: '.codespellexcludelines'
# To skip files entirely from being processed, add it to the following list:
skip: '*.cproject,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg,*.revoked,./examples/asn1/dumpasn1.cfg,./examples/asn1/oid_names.h'

View File

@@ -0,0 +1,53 @@
name: Coverity Scan master branch
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * 1-5'
- cron: '0 0 * * 0'
- cron: '0 12 * * 0'
jobs:
coverity:
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
with:
ref: master
- name: Configure wolfSSL with enable-all M-F
if: github.event.schedule == '0 0 * * 1-5'
run: |
./autogen.sh
./configure --enable-all
- name: Configure wolfSSL with enable-all enable-smallstack Sun at 00:00
if: github.event.schedule == '0 0 * * 0'
run: |
./autogen.sh
./configure --enable-all --enable-smallstack
- name: Configure wolfSSL with bigendian Sun at 12:00
if: github.event.schedule == '0 12 * * 0'
run: |
./autogen.sh
./configure --enable-all CFLAGS="-DBIG_ENDIAN_ORDER"
- name: Check secrets
env:
token_var: ${{ secrets.COVERITY_SCAN_TOKEN }}
email_var: ${{ secrets.COVERITY_SCAN_EMAIL }}
run: |
token_len=${#token_var}
echo "$token_len"
email_len=${#email_var}
echo "$email_len"
- uses: vapier/coverity-scan-action@v1
with:
build_language: 'cxx'
project: "wolfSSL/wolfssl"
token: ${{ secrets.COVERITY_SCAN_TOKEN }}
email: ${{ secrets.COVERITY_SCAN_EMAIL }}
command: "make"

View File

@@ -1,12 +1,22 @@
name: curl Test
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
@@ -17,16 +27,20 @@ jobs:
configure: --enable-curl
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: wolf-install-curl
path: build-dir
retention-days: 1
path: build-dir.tgz
retention-days: 5
test_curl:
name: ${{ matrix.curl_ref }}
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 15
needs: build_wolfssl
@@ -38,14 +52,15 @@ jobs:
- name: Install test dependencies
run: |
sudo apt-get update
sudo apt-get install nghttp2
sudo pip install impacket
sudo apt-get install nghttp2 libpsl5 libpsl-dev python3-impacket apache2 apache2-dev
- name: Download lib
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: wolf-install-curl
path: build-dir
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Build curl
uses: wolfSSL/actions-build-autotools-project@v1
@@ -53,9 +68,9 @@ jobs:
repository: curl/curl
path: curl
ref: ${{ matrix.curl_ref }}
configure: --with-wolfssl=$GITHUB_WORKSPACE/build-dir
configure: --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-test-httpd=yes
check: false
- name: Test curl
working-directory: curl
run: make -j test-ci
run: make -j $(nproc) test-nonflaky

105
.github/workflows/cyrus-sasl.yml vendored Normal file
View File

@@ -0,0 +1,105 @@
name: cyrus-sasl Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all
install: true
# Don't run tests as this config is tested in many other places
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-sasl
path: build-dir.tgz
retention-days: 5
sasl_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
ref: [ 2.1.28 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
needs: build_wolfssl
steps:
- name: Install dependencies
run: |
# Don't prompt for anything
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install krb5-kdc krb5-otp libkrb5-dev \
libsocket-wrapper libnss-wrapper krb5-admin-server libdb5.3-dev
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-sasl
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout sasl
uses: actions/checkout@v4
with:
repository: cyrusimap/cyrus-sasl
ref: cyrus-sasl-${{ matrix.ref }}
path: sasl
- name: Build cyrus-sasl
working-directory: sasl
run: |
patch -p1 < $GITHUB_WORKSPACE/osp/cyrus-sasl/${{ matrix.ref }}/${{ matrix.ref }}.patch
autoreconf -ivf
./configure --with-openssl=no --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-dblib=berkeley --disable-shared
# Need to run 'make' twice with '--disable-shared' for some reason
make -j || make -j
- name: Run testsuite
working-directory: sasl
run: |
make -j -C utils testsuite saslpasswd2
# Retry up to five times
for i in {1..5}; do
TEST_RES=0
$GITHUB_WORKSPACE/osp/cyrus-sasl/${{ matrix.ref }}/run-tests.sh || TEST_RES=$?
if [ "$TEST_RES" -eq "0" ]; then
break
fi
done

63
.github/workflows/disable-pk-algs.yml vendored Normal file
View File

@@ -0,0 +1,63 @@
name: disable-pk-algs Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
matrix:
config: [
# Add new configs here
'--disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-rsa --enable-dh',
'--disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-ecc',
'--disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-rsa --enable-curve25519',
'--disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-ecc --enable-curve25519',
'--disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-rsa --enable-curve448',
'--disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-ecc --enable-curve448',
'--disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-curve25519 --enable-ed25519',
'--disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-curve448 --enable-ed448',
'-enable-cryptonly --disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-rsa',
'--enable-cryptonly --disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-dh',
'--enable-cryptonly --disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-ecc',
'--enable-cryptonly --disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-curve25519',
'--enable-cryptonly --disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-ed25519',
'--enable-cryptonly --disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-curve448',
'--enable-cryptonly --disable-rsa --disable-dh --disable-ecc --disable-curve25519 --disable-ed25519 --disable-curve448 --disable-ed448 --enable-ed448',
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test wolfSSL
run: |
./autogen.sh
./configure ${{ matrix.config }}
make -j 4
make check
- name: Print errors
if: ${{ failure() }}
run: |
for file in scripts/*.log
do
if [ -f "$file" ]; then
echo "${file}:"
cat "$file"
echo "========================================================================"
fi
done

60
.github/workflows/disabled/haproxy.yml vendored Normal file
View File

@@ -0,0 +1,60 @@
name: HaProxy Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
haproxy_check:
strategy:
fail-fast: false
matrix:
# List of refs to test
ref: [ master ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-quic --enable-haproxy
install: true
- name: Checkout VTest
uses: actions/checkout@v4
with:
repository: vtest/VTest
path: VTest
- name: Build VTest
working-directory: VTest
# Special flags due to: https://github.com/vtest/VTest/issues/12
run: make FLAGS='-O2 -s -Wall'
- name: Checkout HaProxy
uses: actions/checkout@v4
with:
repository: haproxy/haproxy
path: haproxy
ref: ${{ matrix.ref }}
- name: Build HaProxy
working-directory: haproxy
run: >-
make -j TARGET=linux-glibc DEBUG='-DDEBUG_MEMORY_POOLS -DDEBUG_STRICT'
USE_OPENSSL_WOLFSSL=1 USE_QUIC=1 SSL_INC=$GITHUB_WORKSPACE/build-dir/include/
SSL_LIB=$GITHUB_WORKSPACE/build-dir/lib/ ADDLIB=-Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
- name: Test HaProxy
working-directory: haproxy
run: make reg-tests reg-tests/ssl VTEST_PROGRAM=$GITHUB_WORKSPACE/VTest/vtest

View File

@@ -1,11 +1,21 @@
name: hitch Tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
# This should be a safe limit for the tests to run.
@@ -18,12 +28,15 @@ jobs:
configure: --enable-hitch
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: wolf-install-hitch
path: build-dir
retention-days: 1
path: build-dir.tgz
retention-days: 5
hitch_check:
strategy:
@@ -35,19 +48,22 @@ jobs:
ignore-tests: >-
test13-r82.sh test15-proxy-v2-npn.sh test39-client-cert-proxy.sh
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 4
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: wolf-install-hitch
path: build-dir
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
@@ -59,7 +75,7 @@ jobs:
sudo apt-get install -y libev-dev libssl-dev automake python3-docutils flex bison pkg-config make
- name: Checkout hitch
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: varnish/hitch
ref: 1.7.3
@@ -91,4 +107,4 @@ jobs:
working-directory: ./hitch
run: |
export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
make check
make check

View File

@@ -1,7 +1,16 @@
name: hostap and wpa-supplicant Tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
@@ -13,6 +22,7 @@ jobs:
- build_id: hostap-build2
wolf_extra_config: --enable-brainpool --enable-wpas-dpp
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-20.04
# This should be a safe limit for the tests to run.
@@ -40,11 +50,11 @@ jobs:
install: true
- name: Upload built lib
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.build_id }}
path: build-dir
retention-days: 1
retention-days: 5
# Build wpa_supplicant with wolfSSL and hostapd with OpenSSL and interop.
hostap_test:
@@ -62,7 +72,7 @@ jobs:
config: [
{
hostap_ref: hostap_2_10,
hostap_cherry_pick: 5679ec5c3dda25a0547a5f66407fd9b0b55fd04a,
hostap_cherry_pick: 36fcbb1a4ee4aa604f15079eae2ffa4fe7f44680,
remove_teap: true,
# TLS 1.3 does not work for this version
build_id: hostap-build1,
@@ -70,7 +80,7 @@ jobs:
# Test the dpp patch
{
hostap_ref: b607d2723e927a3446d89aed813f1aa6068186bb,
hostap_cherry_pick: 5679ec5c3dda25a0547a5f66407fd9b0b55fd04a,
hostap_cherry_pick: 36fcbb1a4ee4aa604f15079eae2ffa4fe7f44680,
osp_ref: ad5b52a49b3cc2a5bfb47ccc1d6a5137132e9446,
build_id: hostap-build2
},
@@ -90,6 +100,7 @@ jobs:
build_id: hostap-build2
}
name: hwsim test
if: github.repository_owner == 'wolfssl'
# For openssl 1.1
runs-on: ubuntu-20.04
# This should be a safe limit for the tests to run.
@@ -113,7 +124,7 @@ jobs:
echo Our job run ID is $SHA_SUM
- name: Checkout wolfSSL
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
path: wolfssl
@@ -140,7 +151,7 @@ jobs:
echo "hostap_debug_flags=-d" >> $GITHUB_ENV
- name: Download lib
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: ${{ matrix.config.build_id }}
path: build-dir
@@ -170,9 +181,9 @@ jobs:
sudo rmmod mac80211_hwsim
- name: Checkout hostap
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: julek-wolfssl/hostap-mirror
repository: julek-wolfssl/hostap-mirror
path: hostap
ref: ${{ matrix.config.hostap_ref }}
# necessary for cherry pick step
@@ -185,7 +196,7 @@ jobs:
- if: ${{ matrix.config.osp_ref }}
name: Checkout OSP
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
@@ -201,7 +212,7 @@ jobs:
done
- if: ${{ matrix.hostapd }}
name: Setup hostapd config file
name: Setup hostapd config file
run: |
cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/hostapd.config \
hostap/hostapd/.config
@@ -211,7 +222,7 @@ jobs:
EOF
- if: ${{ matrix.wpa_supplicant }}
name: Setup wpa_supplicant config file
name: Setup wpa_supplicant config file
run: |
cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/wpa_supplicant.config \
hostap/wpa_supplicant/.config
@@ -250,7 +261,7 @@ jobs:
TESTS=$(printf '%s\n' "${ary[@]}" | tr '\n' ' ')
# Retry up to three times
for i in {1..3}; do
HWSIM_RES=0
HWSIM_RES=0 # Not set when command succeeds
# Logs can grow quickly especially in debug mode
sudo rm -rf logs
sudo ./start.sh
@@ -275,7 +286,7 @@ jobs:
- name: Upload failure logs
if: ${{ failure() && steps.testing.outcome == 'failure' }}
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: hostap-logs-${{ env.our_job_run_id }}
path: hostap/tests/hwsim/logs.zip

View File

@@ -1,34 +1,48 @@
name: Espressif examples tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
espressif_latest:
name: latest Docker container
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 12
container:
image: espressif/idf:latest
# The latest stable release is v5.5
image: espressif/idf:release-v5.5
# image: espressif/idf:latest # The "latest" has breaking changes for ESP-IDF V6
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Initialize Espressif IDE and build examples
run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh
run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh
espressif_v4_4:
name: v4.4 Docker container
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
container:
image: espressif/idf:release-v4.4
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Initialize Espressif IDE and build examples
run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh
run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh
espressif_v5_0:
name: v5.0 Docker container
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
container:
image: espressif/idf:release-v5.0
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Initialize Espressif IDE and build examples
run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh
run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh

View File

@@ -2,13 +2,23 @@
# there aren't any compatibility issues. Take a look at Docker/OpenWrt/README.md
name: OpenWrt test
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_library:
name: Compile libwolfssl.so
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
container:
@@ -16,34 +26,41 @@ jobs:
steps:
- name: Install required tools
run: apk add argp-standalone asciidoc bash bc binutils bzip2 cdrkit coreutils diffutils elfutils-dev findutils flex musl-fts-dev g++ gawk gcc gettext git grep intltool libxslt linux-headers make musl-libintl musl-obstack-dev ncurses-dev openssl-dev patch perl python3-dev rsync tar unzip util-linux wget zlib-dev autoconf automake libtool
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Compile libwolfssl.so
run: ./autogen.sh && ./configure --enable-all && make
# 2024-08-05 - Something broke in the actions. They are no longer following links.
- name: tar libwolfssl.so
working-directory: src/.libs
run: tar -zcf libwolfssl.tgz libwolfssl.so*
- name: Upload libwolfssl.so
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: openwrt-libwolfssl.so
path: src/.libs/libwolfssl.so
retention-days: 1
path: src/.libs/libwolfssl.tgz
retention-days: 5
compile_container:
name: Compile container
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 2
needs: build_library
strategy:
fail-fast: false
matrix:
release: [ "22.03-SNAPSHOT", "21.02-SNAPSHOT" ] # some other versions: 21.02.0 21.02.5 22.03.0 22.03.3 snapshot
release: [ "22.03.6", "21.02.7" ] # some other versions: 21.02.0 21.02.5 22.03.0 22.03.3 snapshot
steps:
- uses: actions/checkout@v3
- uses: docker/setup-buildx-action@v2
- uses: actions/download-artifact@v3
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: actions/download-artifact@v4
with:
name: openwrt-libwolfssl.so
path: Docker/OpenWrt/.
path: .
- name: untar libwolfssl.so
run: tar -xf libwolfssl.tgz -C Docker/OpenWrt
- name: Build but dont push
uses: docker/build-push-action@v3
uses: docker/build-push-action@v5
with:
context: Docker/OpenWrt
platforms: linux/amd64

47
.github/workflows/fil-c.yml vendored Normal file
View File

@@ -0,0 +1,47 @@
name: Fil-C Tests
env:
FIL_C_VERSION: v0.674
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
run_fil_c:
strategy:
fail-fast: false
matrix:
config: [
# Add new configs here. Don't use CPPFLAGS.
'',
'--enable-all',
]
# This should be a safe limit for the tests to run.
timeout-minutes: 30
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
name: ${{ matrix.config }}
steps:
- name: Download fil-c release
run: gh release download ${{ env.FIL_C_VERSION }} --repo pizlonator/fil-c --pattern 'filc-*'
env:
GH_TOKEN: ${{ github.token }}
- name: Extract fil-c tarball
run: mkdir -p filc && tar -xf filc-*.tar* --strip-components=1 -C filc
- name: Build and test wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: ${{ matrix.config }} CC=$GITHUB_WORKSPACE/filc/build/bin/filcc --disable-asm CPPFLAGS=-DWC_NO_CACHE_RESISTANT
check: true

41
.github/workflows/gencertbuf.yml vendored Normal file
View File

@@ -0,0 +1,41 @@
name: Test gencertbuf script
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
gencertbuf:
name: gencertbuf
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test generate wolfssl/certs_test.h
run: ./gencertbuf.pl
- name: Test wolfSSL
run: |
./autogen.sh
./configure --enable-all --enable-experimental --enable-dilithium --enable-kyber
make
./wolfcrypt/test/testwolfcrypt
- name: Print errors
if: ${{ failure() }}
run: |
if [ -f test-suite.log ] ; then
cat test-suite.log
fi

113
.github/workflows/grpc.yml vendored Normal file
View File

@@ -0,0 +1,113 @@
name: grpc Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all 'CPPFLAGS=-DWOLFSSL_RSA_KEY_CHECK -DHAVE_EX_DATA_CLEANUP_HOOKS'
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-grpc
path: build-dir.tgz
retention-days: 5
grpc_check:
strategy:
fail-fast: false
matrix:
include:
- ref: v1.60.0
tests: >-
bad_ssl_alpn_test bad_ssl_cert_test client_ssl_test
crl_ssl_transport_security_test server_ssl_test
ssl_transport_security_test ssl_transport_security_utils_test
test_core_security_ssl_credentials_test test_cpp_end2end_ssl_credentials_test
h2_ssl_cert_test h2_ssl_session_reuse_test
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 30
needs: build_wolfssl
steps:
- name: Confirm IPv4 and IPv6 support
run: |
ip addr list lo | grep 'inet '
ip addr list lo | grep 'inet6 '
- name: Install prereqs
run:
sudo apt-get install build-essential autoconf libtool pkg-config cmake clang libc++-dev
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-grpc
- name: Setup cmake version
uses: jwlawson/actions-setup-cmake@v2
with:
cmake-version: '3.25.x'
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout grpc
uses: actions/checkout@v4
with:
repository: grpc/grpc
path: grpc
ref: ${{ matrix.ref }}
- name: Build grpc
working-directory: ./grpc
run: |
patch -p1 < ../osp/grpc/grpc-${{ matrix.ref }}.patch
git submodule update --init
mkdir cmake/build
cd cmake/build
cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.1 -DgRPC_BUILD_TESTS=ON -DgRPC_SSL_PROVIDER=wolfssl \
-DWOLFSSL_INSTALL_DIR=$GITHUB_WORKSPACE/build-dir ../..
make -j $(nproc) ${{ matrix.tests }}
- name: Run grpc tests
working-directory: ./grpc
run: |
export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
./tools/run_tests/start_port_server.py
for t in ${{ matrix.tests }} ; do
./cmake/build/$t
done

View File

@@ -1,51 +1,98 @@
name: HaProxy Tests
name: haproxy Test
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
haproxy_check:
strategy:
fail-fast: false
matrix:
# List of refs to test
ref: [ master ]
name: ${{ matrix.ref }}
runs-on: ubuntu-latest
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-quic --enable-haproxy
configure: --enable-haproxy
install: true
- name: Checkout VTest
uses: actions/checkout@v3
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
repository: vtest/VTest
path: VTest
name: wolf-install-haproxy
path: build-dir.tgz
retention-days: 5
- name: Build VTest
working-directory: VTest
# Special flags due to: https://github.com/vtest/VTest/issues/12
run: make FLAGS='-O2 -s -Wall'
test_haproxy:
name: ${{ matrix.haproxy_ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 15
needs: build_wolfssl
strategy:
fail-fast: false
matrix:
haproxy_ref: [ 'v3.1.0', 'v3.2.0']
steps:
- name: Install test dependencies
run: |
sudo apt-get update
sudo apt-get install libpcre2-dev
- name: Checkout HaProxy
uses: actions/checkout@v3
with:
repository: haproxy/haproxy
path: haproxy
ref: ${{ matrix.ref }}
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-haproxy
- name: Build HaProxy
working-directory: haproxy
run: >-
make -j TARGET=linux-glibc DEBUG='-DDEBUG_MEMORY_POOLS -DDEBUG_STRICT'
USE_OPENSSL_WOLFSSL=1 USE_QUIC=1 SSL_INC=$GITHUB_WORKSPACE/build-dir/include/
SSL_LIB=$GITHUB_WORKSPACE/build-dir/lib/ ADDLIB=-Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Test HaProxy
working-directory: haproxy
run: make reg-tests reg-tests/ssl VTEST_PROGRAM=$GITHUB_WORKSPACE/VTest/vtest
# check cache for haproxy if not there then download it
- name: Check haproxy cache
uses: actions/cache@v4
id: cache-haproxy
with:
path: build-dir/haproxy-${{matrix.haproxy_ref}}
key: haproxy-${{matrix.haproxy_ref}}
- name: Download haproxy if needed
if: steps.cache-haproxy.outputs.cache-hit != 'true'
uses: actions/checkout@v3
with:
repository: haproxy/haproxy
ref: ${{matrix.haproxy_ref}}
path: build-dir/haproxy-${{matrix.haproxy_ref}}
- name: Build haproxy
working-directory: build-dir/haproxy-${{matrix.haproxy_ref}}
run: make clean && make TARGET=linux-glibc USE_OPENSSL_WOLFSSL=1 SSL_LIB=$GITHUB_WORKSPACE/build-dir/lib SSL_INC=$GITHUB_WORKSPACE/build-dir/include ADDLIB=-Wl,-rpath,$GITHUB_WORKSPACE/build-dir/lib CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address"
# wlallemand/VTest used in v3.1.0 is no longer available
- name: Patch build-vtest.sh for v3.1.0
if: matrix.haproxy_ref == 'v3.1.0'
working-directory: build-dir/haproxy-${{ matrix.haproxy_ref }}/scripts
run: |
sed -i 's|https://github.com/wlallemand/VTest/archive/refs/heads/haproxy-sd_notify.tar.gz|https://github.com/vtest/VTest2/archive/main.tar.gz|' build-vtest.sh
- name: Build haproxy vtest
working-directory: build-dir/haproxy-${{matrix.haproxy_ref}}
run: ./scripts/build-vtest.sh
- name: Test haproxy
working-directory: build-dir/haproxy-${{matrix.haproxy_ref}}
run: VTEST_PROGRAM=$GITHUB_WORKSPACE/build-dir/vtest/vtest make reg-tests -- --debug reg-tests/ssl/*

View File

@@ -0,0 +1,122 @@
#CC=ccache gcc
CONFIG_DRIVER_NONE=y
CONFIG_DRIVER_NL80211=y
CONFIG_RSN_PREAUTH=y
#CONFIG_TLS=internal
#CONFIG_INTERNAL_LIBTOMMATH=y
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
#CONFIG_TLS=openssl
CONFIG_TLS=wolfssl
CONFIG_EAP=y
CONFIG_ERP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_GTC=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_SIM=y
CONFIG_EAP_AKA=y
CONFIG_EAP_AKA_PRIME=y
CONFIG_EAP_GPSK=y
CONFIG_EAP_GPSK_SHA256=y
CONFIG_EAP_SAKE=y
CONFIG_EAP_PAX=y
CONFIG_EAP_PSK=y
CONFIG_EAP_VENDOR_TEST=y
CONFIG_EAP_FAST=y
CONFIG_EAP_TEAP=y
CONFIG_EAP_IKEV2=y
CONFIG_EAP_TNC=y
CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\"
LIBS += -rdynamic
CONFIG_EAP_UNAUTH_TLS=y
ifeq ($(CONFIG_TLS), openssl)
CONFIG_EAP_PWD=y
endif
ifeq ($(CONFIG_TLS), wolfssl)
CONFIG_EAP_PWD=y
endif
CONFIG_EAP_EKE=y
CONFIG_PKCS12=y
CONFIG_RADIUS_SERVER=y
CONFIG_IPV6=y
CONFIG_TLSV11=y
CONFIG_TLSV12=y
CONFIG_FULL_DYNAMIC_VLAN=y
CONFIG_VLAN_NETLINK=y
CONFIG_LIBNL32=y
CONFIG_LIBNL3_ROUTE=y
CONFIG_IEEE80211R=y
CONFIG_IEEE80211AC=y
CONFIG_IEEE80211AX=y
CONFIG_OCV=y
CONFIG_WPS=y
CONFIG_WPS_UPNP=y
CONFIG_WPS_NFC=y
#CONFIG_WPS_STRICT=y
CONFIG_WPA_TRACE=y
CONFIG_WPA_TRACE_BFD=y
CONFIG_P2P_MANAGER=y
CONFIG_DEBUG_FILE=y
CONFIG_DEBUG_LINUX_TRACING=y
CONFIG_WPA_CLI_EDIT=y
CONFIG_ACS=y
CONFIG_NO_RANDOM_POOL=y
CONFIG_WNM=y
CONFIG_INTERWORKING=y
CONFIG_HS20=y
CONFIG_SQLITE=y
CONFIG_SAE=y
CONFIG_SAE_PK=y
CFLAGS += -DALL_DH_GROUPS
CONFIG_FST=y
CONFIG_FST_TEST=y
CONFIG_TESTING_OPTIONS=y
CFLAGS += -DCONFIG_RADIUS_TEST
CONFIG_MODULE_TESTS=y
CONFIG_SUITEB=y
CONFIG_SUITEB192=y
# AddressSanitizer (ASan) can be enabled by uncommenting the following lines.
# This can be used as a more efficient memory error detector than valgrind
# (though, with still some CPU and memory cost, so VM cases will need more
# memory allocated for the guest).
#CFLAGS += -fsanitize=address -O1 -fno-omit-frame-pointer -g
#LIBS += -fsanitize=address -fno-omit-frame-pointer -g
#LIBS_h += -fsanitize=address -fno-omit-frame-pointer -g
#LIBS_n += -fsanitize=address -fno-omit-frame-pointer -g
#LIBS_c += -fsanitize=address -fno-omit-frame-pointer -g
# Undefined Behavior Sanitizer (UBSan) can be enabled by uncommenting the
# following lines.
#CFLAGS += -Wno-format-nonliteral
#CFLAGS += -fsanitize=undefined
##CFLAGS += -fno-sanitize-recover
#LIBS += -fsanitize=undefined
##LIBS += -fno-sanitize-recover
#LIBS_h += -fsanitize=undefined
#LIBS_n += -fsanitize=undefined
#LIBS_c += -fsanitize=undefined
CONFIG_MBO=y
CONFIG_TAXONOMY=y
CONFIG_FILS=y
CONFIG_FILS_SK_PFS=y
CONFIG_OWE=y
CONFIG_DPP=y
CONFIG_DPP2=y
CONFIG_WEP=y
CONFIG_PASN=y
CONFIG_AIRTIME_POLICY=y
CONFIG_IEEE80211BE=y

File diff suppressed because it is too large Load Diff

View File

@@ -0,0 +1,164 @@
#CC=ccache gcc
#CONFIG_TLS=openssl
CONFIG_TLS=wolfssl
#CONFIG_TLS=internal
#CONFIG_INTERNAL_LIBTOMMATH=y
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
CONFIG_IEEE8021X_EAPOL=y
CONFIG_ERP=y
CONFIG_EAP_MD5=y
CONFIG_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_GTC=y
CONFIG_EAP_OTP=y
CONFIG_EAP_PSK=y
CONFIG_EAP_PAX=y
CONFIG_EAP_LEAP=y
CONFIG_EAP_SIM=y
CONFIG_EAP_AKA=y
CONFIG_EAP_AKA_PRIME=y
CONFIG_EAP_VENDOR_TEST=y
CONFIG_EAP_TLV=y
CONFIG_EAP_SAKE=y
CONFIG_EAP_GPSK=y
CONFIG_EAP_GPSK_SHA256=y
CONFIG_EAP_EKE=y
CONFIG_EAP_TNC=y
CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\"
LIBS += -rdynamic
CONFIG_EAP_FAST=y
CONFIG_EAP_TEAP=y
CONFIG_EAP_IKEV2=y
ifeq ($(CONFIG_TLS), openssl)
CONFIG_EAP_PWD=y
endif
ifeq ($(CONFIG_TLS), wolfssl)
CONFIG_EAP_PWD=y
endif
CONFIG_USIM_SIMULATOR=y
CONFIG_SIM_SIMULATOR=y
#CONFIG_PCSC=y
CONFIG_IPV6=y
CONFIG_DRIVER_NONE=y
CONFIG_PKCS12=y
CONFIG_CTRL_IFACE=unix
CONFIG_WPA_CLI_EDIT=y
CONFIG_OCSP=y
#CONFIG_ELOOP_POLL=y
CONFIG_CTRL_IFACE_DBUS_NEW=y
CONFIG_CTRL_IFACE_DBUS_INTRO=y
CONFIG_IEEE80211R=y
CONFIG_IEEE80211AC=y
CONFIG_IEEE80211AX=y
CONFIG_OCV=y
CONFIG_DEBUG_FILE=y
CONFIG_WPS=y
#CONFIG_WPS_STRICT=y
CONFIG_WPS_UPNP=y
CONFIG_WPS_NFC=y
CONFIG_WPS_ER=y
#CONFIG_WPS_REG_DISABLE_OPEN=y
CONFIG_DRIVER_WEXT=y
CONFIG_DRIVER_NL80211=y
CFLAGS += -I/usr/include/libnl3
CONFIG_LIBNL32=y
CONFIG_IBSS_RSN=y
CONFIG_AP=y
CONFIG_MESH=y
CONFIG_P2P=y
CONFIG_WIFI_DISPLAY=y
CONFIG_ACS=y
CONFIG_BGSCAN_SIMPLE=y
CONFIG_BGSCAN_LEARN=y
CONFIG_WPA_TRACE=y
CONFIG_WPA_TRACE_BFD=y
CONFIG_TDLS=y
CONFIG_TDLS_TESTING=y
CONFIG_NO_RANDOM_POOL=y
CONFIG_TLSV11=y
CONFIG_TLSV12=y
CONFIG_HT_OVERRIDES=y
CONFIG_VHT_OVERRIDES=y
CONFIG_HE_OVERRIDES=y
CONFIG_DEBUG_LINUX_TRACING=y
CONFIG_INTERWORKING=y
CONFIG_HS20=y
CONFIG_AUTOSCAN_EXPONENTIAL=y
CONFIG_AUTOSCAN_PERIODIC=y
CONFIG_EXT_PASSWORD_TEST=y
CONFIG_EXT_PASSWORD_FILE=y
CONFIG_EAP_UNAUTH_TLS=y
CONFIG_SAE=y
CONFIG_SAE_PK=y
CFLAGS += -DALL_DH_GROUPS
CONFIG_WNM=y
CONFIG_FST=y
CONFIG_FST_TEST=y
CONFIG_TESTING_OPTIONS=y
CONFIG_MODULE_TESTS=y
CONFIG_SUITEB=y
CONFIG_SUITEB192=y
# AddressSanitizer (ASan) can be enabled by uncommenting the following lines.
# This can be used as a more efficient memory error detector than valgrind
# (though, with still some CPU and memory cost, so VM cases will need more
# memory allocated for the guest).
#CFLAGS += -fsanitize=address -O1 -fno-omit-frame-pointer -g
#LIBS += -fsanitize=address -fno-omit-frame-pointer -g
#LIBS_c += -fsanitize=address -fno-omit-frame-pointer -g
#LIBS_p += -fsanitize=address -fno-omit-frame-pointer -g
# Undefined Behavior Sanitizer (UBSan) can be enabled by uncommenting the
# following lines.
#CFLAGS += -Wno-format-nonliteral
#CFLAGS += -fsanitize=undefined
##CFLAGS += -fno-sanitize-recover
#LIBS += -fsanitize=undefined
##LIBS += -fno-sanitize-recover
#LIBS_c += -fsanitize=undefined
#LIBS_p += -fsanitize=undefined
CONFIG_MBO=y
CONFIG_FILS=y
CONFIG_FILS_SK_PFS=y
CONFIG_PMKSA_CACHE_EXTERNAL=y
CONFIG_OWE=y
CONFIG_DPP=y
CONFIG_DPP2=y
CONFIG_WEP=y
CONFIG_PASN=y

View File

@@ -191,13 +191,7 @@ ap_wpa2_psk_supp_proto_no_gtk_in_group_msg
ap_wpa2_psk_supp_proto_too_long_gtk_in_group_msg
ap_wpa2_psk_supp_proto_too_long_gtk_kde
ap_wpa2_psk_supp_proto_gtk_not_encrypted
ap_wpa2_psk_supp_proto_no_igtk
ap_wpa2_psk_supp_proto_igtk_ok
ap_wpa2_psk_supp_proto_igtk_keyid_swap
ap_wpa2_psk_supp_proto_igtk_keyid_too_large
ap_wpa2_psk_supp_proto_igtk_keyid_unexpected
ap_wpa2_psk_wep
ap_wpa2_psk_ifdown
ap_wpa2_psk_drop_first_msg_4
ap_wpa2_psk_disable_enable
ap_wpa2_psk_incorrect_passphrase
@@ -210,10 +204,7 @@ ap_wpa2_disable_eapol_retry
ap_wpa2_disable_eapol_retry_group
ap_wpa2_psk_mic_0
ap_wpa2_psk_local_error
ap_wpa2_psk_inject_assoc
ap_wpa2_psk_no_control_port
ap_wpa2_psk_ap_control_port
ap_wpa2_psk_ap_control_port_disabled
ap_wpa2_psk_rsne_mismatch_ap
ap_wpa2_psk_rsne_mismatch_ap2
ap_wpa2_psk_rsne_mismatch_ap3
@@ -253,10 +244,8 @@ ap_wpa2_eap_aka_sql
ap_wpa2_eap_aka_config
ap_wpa2_eap_aka_ext
ap_wpa2_eap_aka_ext_auth_fail
ap_wpa2_eap_aka_prime
ap_wpa2_eap_aka_prime_imsi_identity
ap_wpa2_eap_aka_prime_imsi_privacy_key
ap_wpa2_eap_aka_prime_sql
ap_wpa2_eap_aka_prime_ext_auth_fail
ap_wpa2_eap_aka_prime_ext
ap_wpa2_eap_ttls_pap
@@ -416,19 +405,6 @@ ap_wpa2_radius_server_get_id
ap_wpa2_eap_tls_tod
ap_wpa2_eap_tls_tod_tofu
ap_wpa2_eap_sake_no_control_port
ap_wpa2_tdls
ap_wpa2_tdls_concurrent_init
ap_wpa2_tdls_concurrent_init2
ap_wpa2_tdls_decline_resp
ap_wpa2_tdls_long_lifetime
ap_wpa2_tdls_long_frame
ap_wpa2_tdls_reneg
ap_wpa2_tdls_wrong_lifetime_resp
ap_wpa2_tdls_diff_rsnie
ap_wpa2_tdls_wrong_tpk_m2_mic
ap_wpa2_tdls_wrong_tpk_m3_mic
ap_wpa2_tdls_double_tpk_m2
ap_wpa2_tdls_responder_teardown
dpp_network_intro_version
dpp_network_intro_version_change
dpp_network_intro_version_missing_req
@@ -459,12 +435,9 @@ dpp_qr_code_curves
dpp_qr_code_curves_brainpool
dpp_qr_code_unsupported_curve
dpp_qr_code_keygen_fail
dpp_qr_code_curve_select
dpp_qr_code_auth_broadcast
dpp_configurator_enrollee
dpp_configurator_enrollee_prime256v1
dpp_configurator_enrollee_secp384r1
dpp_configurator_enrollee_secp521r1
dpp_configurator_enrollee_brainpoolP256r1
dpp_configurator_enrollee_brainpoolP384r1
dpp_configurator_enrollee_brainpoolP512r1
@@ -477,7 +450,6 @@ dpp_qr_code_curve_brainpoolP384r1
dpp_qr_code_curve_brainpoolP512r1
dpp_qr_code_set_key
dpp_qr_code_auth_mutual
dpp_qr_code_auth_mutual2
dpp_qr_code_auth_mutual_p_256
dpp_qr_code_auth_mutual_p_384
dpp_qr_code_auth_mutual_p_521
@@ -514,13 +486,11 @@ dpp_config_no_signed_connector
dpp_config_unexpected_signed_connector_char
dpp_config_root_not_an_object
dpp_config_no_wi_fi_tech
dpp_config_unsupported_wi_fi_tech
dpp_config_no_discovery
dpp_config_no_discovery_ssid
dpp_config_too_long_discovery_ssid
dpp_config_no_cred
dpp_config_no_cred_akm
dpp_config_unsupported_cred_akm
dpp_config_error_legacy_no_pass
dpp_config_error_legacy_too_long_pass
dpp_config_error_legacy_psk_with_sae
@@ -531,13 +501,10 @@ dpp_config_connector_error_ext_sign
dpp_config_connector_error_too_short_timestamp
dpp_config_connector_error_invalid_timestamp
dpp_config_connector_error_invalid_timestamp_date
dpp_config_connector_error_invalid_time_zone
dpp_config_connector_error_invalid_time_zone_2
dpp_config_connector_error_expired_1
dpp_config_connector_error_expired_2
dpp_config_connector_error_expired_3
dpp_config_connector_error_expired_4
dpp_config_connector_error_expired_5
dpp_config_connector_error_expired_6
dpp_config_connector_error_no_groups
dpp_config_connector_error_empty_groups
@@ -565,13 +532,6 @@ dpp_ap_config_p256_bp256
dpp_ap_config_bp256_p256
dpp_ap_config_p521_bp512
dpp_ap_config_reconfig_configurator
dpp_auto_connect_1
dpp_auto_connect_2
dpp_auto_connect_2_connect_cmd
dpp_auto_connect_2_sta_ver1
dpp_auto_connect_2_ap_ver1
dpp_auto_connect_2_ver1
dpp_auto_connect_2_conf_ver1
dpp_auto_connect_legacy
dpp_auto_connect_legacy_ssid_charset
dpp_auto_connect_legacy_sae_1
@@ -580,13 +540,6 @@ dpp_auto_connect_legacy_psk_sae_1
dpp_auto_connect_legacy_psk_sae_2
dpp_auto_connect_legacy_psk_sae_3
dpp_auto_connect_legacy_pmf_required
dpp_qr_code_auth_responder_configurator
dpp_qr_code_auth_responder_configurator_group_id
dpp_qr_code_auth_enrollee_init_netrole
dpp_qr_code_hostapd_init
dpp_qr_code_hostapd_init_offchannel
dpp_qr_code_hostapd_init_offchannel_neg_freq
dpp_qr_code_hostapd_ignore_mismatch
dpp_test_vector_p_256
dpp_test_vector_p_256_b
dpp_test_vector_p_521
@@ -603,7 +556,6 @@ dpp_pkex_no_identifier
dpp_pkex_identifier_mismatch
dpp_pkex_identifier_mismatch2
dpp_pkex_identifier_mismatch3
dpp_pkex_5ghz
dpp_pkex_test_vector
dpp_pkex_code_mismatch
dpp_pkex_code_mismatch_limit
@@ -625,7 +577,6 @@ dpp_pkex_hostapd_errors
dpp_pkex_nak_curve_change
dpp_pkex_nak_curve_change2
dpp_hostapd_configurator
dpp_hostapd_configurator_enrollee_v1
dpp_hostapd_configurator_responder
dpp_hostapd_configurator_fragmentation
dpp_hostapd_enrollee_fragmentation
@@ -650,7 +601,6 @@ dpp_proto_stop_at_pkex_cr_req
dpp_proto_stop_at_pkex_cr_resp
dpp_proto_network_introduction
dpp_hostapd_auth_conf_timeout
dpp_hostapd_auth_resp_retries
dpp_tcp
dpp_tcp_port
dpp_tcp_mutual
@@ -702,6 +652,5 @@ dpp_qr_code_config_event_initiator_failure
dpp_qr_code_config_event_initiator_no_response
dpp_qr_code_config_event_initiator_both
dpp_tcp_qr_code_config_event_initiator
dpp_qr_code_config_event_responder
dpp_discard_public_action

View File

@@ -0,0 +1,47 @@
From a53a6a67dc121b45d611318e2a37815cc209839c Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Fri, 19 Apr 2024 16:41:38 +0200
Subject: [PATCH] Fixes for running tests under UML
- Apply commit ID fix from more recent commit
- priv_sz and pub_sz are checked and fail on UML. Probably because stack is zeroed out.
---
src/crypto/crypto_wolfssl.c | 2 +-
tests/hwsim/run-all.sh | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index 00ecf61352..a57fa50697 100644
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@@ -785,7 +785,7 @@ int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
int ret = -1;
WC_RNG rng;
DhKey *dh = NULL;
- word32 priv_sz, pub_sz;
+ word32 priv_sz = prime_len, pub_sz = prime_len;
if (TEST_FAIL())
return -1;
diff --git a/tests/hwsim/run-all.sh b/tests/hwsim/run-all.sh
index ee48cd0581..75c3a58b52 100755
--- a/tests/hwsim/run-all.sh
+++ b/tests/hwsim/run-all.sh
@@ -15,7 +15,13 @@ export LOGDIR
if [ -z "$DBFILE" ]; then
DB=""
else
- DB="-S $DBFILE --commit $(git rev-parse HEAD)"
+ DB="-S $DBFILE"
+ if [ -z "$COMMITID" ]; then
+ COMMITID="$(git rev-parse HEAD)"
+ fi
+ if [ -n "$COMMITID" ]; then
+ DB="$DB --commit $COMMITID"
+ fi
if [ -n "$BUILD" ]; then
DB="$DB -b $BUILD"
fi
--
2.34.1

View File

@@ -163,7 +163,6 @@ ap_wpa2_disable_eapol_retry_group
ap_wpa2_psk_mic_0
ap_wpa2_psk_local_error
ap_wpa2_psk_inject_assoc
ap_wpa2_psk_no_control_port
ap_wpa2_psk_ap_control_port
ap_wpa2_psk_ap_control_port_disabled
ap_wpa2_psk_rsne_mismatch_ap
@@ -269,16 +268,3 @@ ap_wpa2_eap_psk_mac_addr_change
ap_wpa2_eap_server_get_id
ap_wpa2_radius_server_get_id
ap_wpa2_eap_sake_no_control_port
ap_wpa2_tdls
ap_wpa2_tdls_concurrent_init
ap_wpa2_tdls_concurrent_init2
ap_wpa2_tdls_decline_resp
ap_wpa2_tdls_long_lifetime
ap_wpa2_tdls_long_frame
ap_wpa2_tdls_reneg
ap_wpa2_tdls_wrong_lifetime_resp
ap_wpa2_tdls_diff_rsnie
ap_wpa2_tdls_wrong_tpk_m2_mic
ap_wpa2_tdls_wrong_tpk_m3_mic
ap_wpa2_tdls_double_tpk_m2
ap_wpa2_tdls_responder_teardown

358
.github/workflows/hostap-vm.yml vendored Normal file
View File

@@ -0,0 +1,358 @@
name: hostap and wpa-supplicant Tests
# START OF COMMON SECTION
on:
workflow_dispatch: # Allows people to run it manually if they want but
# disables it from running automatically when broken
# To restore this to an auto test delete the above workflow_dispatch line and
# comments and uncomment the below lines for push and pull_request
# push:
# branches: [ 'master', 'main', 'release/**' ]
# pull_request:
# branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
env:
LINUX_REF: v6.12
jobs:
build_wolfssl:
strategy:
matrix:
include:
- build_id: hostap-vm-build1
wolf_extra_config: --disable-tls13
- build_id: hostap-vm-build2
wolf_extra_config: >-
--enable-wpas-dpp --enable-brainpool --with-eccminsz=192
--enable-tlsv10 --enable-oldtls
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
# No way to view the full strategy in the browser (really weird)
- name: Print strategy
run: |
cat <<EOF
${{ toJSON(matrix) }}
EOF
- if: ${{ runner.debug }}
name: Enable wolfSSL debug logging
run: |
echo "wolf_debug_flags=--enable-debug" >> $GITHUB_ENV
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: >-
--enable-wpas CPPFLAGS=-DWOLFSSL_STATIC_RSA
${{ env.wolf_debug_flags }} ${{ matrix.wolf_extra_config }}
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.build_id }}
path: build-dir.tgz
retention-days: 5
checkout_hostap:
name: Checkout hostap repo
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
- name: Checking if we have hostap in cache
uses: actions/cache@v4
id: cache
with:
path: hostap
key: hostap-repo
lookup-only: true
- name: Checkout hostap
if: steps.cache.outputs.cache-hit != 'true'
run: git clone https://w1.fi/hostap.git hostap
build_uml_linux:
name: Build UML (UserMode Linux)
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
needs: checkout_hostap
steps:
- name: Checking if we have kernel in cache
uses: actions/cache@v4
id: cache
with:
path: linux/linux
key: hostap-linux-${{ env.LINUX_REF }}
lookup-only: true
- name: Checking if we have hostap in cache
if: steps.cache.outputs.cache-hit != 'true'
uses: actions/cache/restore@v4
with:
path: hostap
key: hostap-repo
fail-on-cache-miss: true
- name: Checkout linux
if: steps.cache.outputs.cache-hit != 'true'
uses: actions/checkout@v4
with:
repository: torvalds/linux
path: linux
ref: ${{ env.LINUX_REF }}
- name: Compile linux
if: steps.cache.outputs.cache-hit != 'true'
run: |
cp hostap/tests/hwsim/vm/kernel-config.uml linux/.config
cd linux
yes "" | ARCH=um make -j $(nproc)
hostap_test:
strategy:
fail-fast: false
matrix:
# should hostapd be compiled with wolfssl
hostapd: [true, false]
# should wpa_supplicant be compiled with wolfssl
wpa_supplicant: [true, false]
# Fix the versions of hostap and osp to not break testing when a new
# patch is added in to osp. Tests are read from the corresponding
# configs/hostap_ref/tests file.
config: [
{
hostap_ref: hostap_2_10,
remove_teap: true,
# TLS 1.3 does not work for this version
build_id: hostap-vm-build1,
},
# Test the dpp patch
{
hostap_ref: b607d2723e927a3446d89aed813f1aa6068186bb,
osp_ref: ad5b52a49b3cc2a5bfb47ccc1d6a5137132e9446,
build_id: hostap-vm-build2
},
{
hostap_ref: 07c9f183ea744ac04585fb6dd10220c75a5e2e74,
osp_ref: e1876fbbf298ee442bc7ab8561331ebc7de17528,
build_id: hostap-vm-build2
},
]
exclude:
# don't test openssl on both sides
- hostapd: false
wpa_supplicant: false
# no hostapd support for dpp yet
- hostapd: true
config: {
hostap_ref: b607d2723e927a3446d89aed813f1aa6068186bb,
osp_ref: ad5b52a49b3cc2a5bfb47ccc1d6a5137132e9446,
build_id: hostap-vm-build2
}
name: hwsim test
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 45
needs: [build_wolfssl, build_uml_linux, checkout_hostap]
steps:
- name: Checking if we have kernel in cache
uses: actions/cache/restore@v4
id: cache
with:
path: linux/linux
key: hostap-linux-${{ env.LINUX_REF }}
fail-on-cache-miss: true
# No way to view the full strategy in the browser (really weird)
- name: Print strategy
run: |
cat <<EOF
${{ toJSON(matrix) }}
EOF
- name: Print computed job run ID
run: |
SHA_SUM=$(sha256sum << 'END_OF_HEREDOC' | cut -d " " -f 1
${{ toJSON(github) }}
END_OF_HEREDOC
)
echo "our_job_run_id=$SHA_SUM" >> $GITHUB_ENV
echo Our job run ID is $SHA_SUM
- name: Checkout wolfSSL
uses: actions/checkout@v4
with:
path: wolfssl
- name: Download lib
uses: actions/download-artifact@v4
with:
name: ${{ matrix.config.build_id }}
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Install dependencies
run: |
# Don't prompt for anything
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
# hostap dependencies
sudo apt-get install -y libpcap0.8 libpcap-dev curl libcurl4-openssl-dev \
libnl-3-dev binutils-dev libssl-dev libiberty-dev libnl-genl-3-dev \
libnl-route-3-dev libdbus-1-dev bridge-utils tshark python3-pycryptodome
sudo pip install pycryptodome
- name: Checking if we have hostap in cache
uses: actions/cache/restore@v4
with:
path: hostap
key: hostap-repo
fail-on-cache-miss: true
- name: Checkout correct ref
working-directory: hostap
run: git checkout ${{ matrix.config.hostap_ref }}
- name: Update certs
working-directory: hostap/tests/hwsim/auth_serv
run: |
./update.sh
./sha512-generate.sh
# Force regeneration of rsa3072-ca.key to get rsa3072-generate.sh to
# correctly update all the certs
rm rsa3072-ca.key
./rsa3072-generate.sh
- if: ${{ matrix.config.osp_ref }}
name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
ref: ${{ matrix.config.osp_ref }}
- if: ${{ matrix.config.osp_ref }}
name: Apply patch files
working-directory: hostap
run: |
for f in $GITHUB_WORKSPACE/osp/hostap-patches/pending/*
do
patch -p1 < $f
done
- name: Apply extra patches
working-directory: hostap
run: |
FILE=$GITHUB_WORKSPACE/wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/extra.patch
if [ -f "$FILE" ]; then
patch -p1 < $FILE
fi
- if: ${{ matrix.hostapd }}
name: Setup hostapd config file
run: |
cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/hostapd.config \
hostap/hostapd/.config
cat <<EOF >> hostap/hostapd/.config
CFLAGS += -I$GITHUB_WORKSPACE/build-dir/include -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
LIBS += -L$GITHUB_WORKSPACE/build-dir/lib -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
EOF
- if: ${{ matrix.wpa_supplicant }}
name: Setup wpa_supplicant config file
run: |
cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/wpa_supplicant.config \
hostap/wpa_supplicant/.config
cat <<EOF >> hostap/wpa_supplicant/.config
CFLAGS += -I$GITHUB_WORKSPACE/build-dir/include -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
LIBS += -L$GITHUB_WORKSPACE/build-dir/lib -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
EOF
- name: Build hostap and wpa_supplicant
working-directory: hostap/tests/hwsim/
run: ./build.sh
- if: ${{ matrix.hostapd }}
name: Confirm hostapd linking with wolfSSL
run: ldd hostap/hostapd/hostapd | grep wolfssl
- if: ${{ matrix.wpa_supplicant }}
name: Confirm wpa_supplicant linking with wolfSSL
run: ldd hostap/wpa_supplicant/wpa_supplicant | grep wolfssl
- if: ${{ matrix.config.remove_teap }}
name: Remove EAP-TEAP from test configuration
working-directory: hostap/tests/hwsim/auth_serv
run: |
sed -e 's/"erp-teap@example.com"\tTEAP//' -i eap_user.conf
sed -e 's/"erp-teap@example.com"\tMSCHAPV2\t"password"\t\[2\]//' -i eap_user.conf
sed -e 's/"TEAP"\t\tTEAP//' -i eap_user.conf
sed -e 's/TEAP,//' -i eap_user.conf
- if: ${{ runner.debug }}
name: Enable hostap debug logging
run: |
echo "hostap_debug_flags=--debug" >> $GITHUB_ENV
- name: Run tests
id: testing
working-directory: hostap/tests/hwsim/
run: |
cat <<EOF >> vm/vm-config
KERNELDIR=$GITHUB_WORKSPACE/linux
KVMARGS="-cpu host"
EOF
git config --global --add safe.directory $GITHUB_WORKSPACE/hostap
# Run tests in increments of 200 to not stall out the parallel-vm script
while mapfile -t -n 200 ary && ((${#ary[@]})); do
TESTS=$(printf '%s\n' "${ary[@]}" | tr '\n' ' ')
HWSIM_RES=0 # Not set when command succeeds
./vm/parallel-vm.py ${{ env.hostap_debug_flags }} --nocurses $(nproc) $TESTS || HWSIM_RES=$?
if [ "$HWSIM_RES" -ne "0" ]; then
# Let's re-run the failing tests. We gather the failed tests from the log file.
FAILED_TESTS=$(grep 'failed tests' /tmp/hwsim-test-logs/*-parallel.log | sed 's/failed tests: //' | tr ' ' '\n' | sort | uniq | tr '\n' ' ')
printf 'failed tests: %s\n' "$FAILED_TESTS"
./vm/parallel-vm.py ${{ env.hostap_debug_flags }} --nocurses $(nproc) $FAILED_TESTS
fi
rm -r /tmp/hwsim-test-logs
done < $GITHUB_WORKSPACE/wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/tests
- name: show errors
if: ${{ failure() && steps.testing.outcome == 'failure' }}
run: grep -riP 'fail|error' /tmp/hwsim-test-logs/latest
# The logs are quite big. It hasn't been useful so far so let's not waste
# precious gh space.
#- name: zip logs
# if: ${{ failure() && steps.testing.outcome == 'failure' }}
# working-directory: hostap/tests/hwsim/
# run: |
# rm /tmp/hwsim-test-logs/latest
# zip -9 -r logs.zip /tmp/hwsim-test-logs
#
#- name: Upload failure logs
# if: ${{ failure() && steps.testing.outcome == 'failure' }}
# uses: actions/upload-artifact@v4
# with:
# name: hostap-logs-${{ env.our_job_run_id }}
# path: hostap/tests/hwsim/logs.zip
# retention-days: 5

View File

@@ -0,0 +1,52 @@
name: Dynamic C Fallback Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
matrix:
config: [
# Add new configs here
'--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWC_C_DYNAMIC_FALLBACK -DDEBUG_VECTOR_REGISTER_ACCESS -DDEBUG_VECTOR_REGISTER_ACCESS_FUZZING -DWC_DEBUG_CIPHER_LIFECYCLE"'
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test wolfSSL with WC_C_DYNAMIC_FALLBACK and DEBUG_VECTOR_REGISTER_ACCESS_FUZZING
run: |
./autogen.sh
randseed=$(head -c 4 /dev/urandom | od -t u4 --address-radix=n)
randseed="${randseed#"${randseed%%[![:space:]]*}"}"
echo "fuzzing seed=${randseed}"
./configure ${{ matrix.config }} CFLAGS="-DWC_DEBUG_VECTOR_REGISTERS_FUZZING_SEED=$randseed -fsanitize=leak -g -fno-omit-frame-pointer"
make -j 4
make check
- name: Print errors
if: ${{ failure() }}
run: |
for file in scripts/*.log
do
if [ -f "$file" ]; then
echo "${file}:"
cat "$file"
echo "========================================================================"
fi
done

85
.github/workflows/ipmitool.yml vendored Normal file
View File

@@ -0,0 +1,85 @@
name: ipmitool Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all
install: true
# Don't run tests as this config is tested in many other places
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-ipmitool
path: build-dir.tgz
retention-days: 5
build_ipmitool:
strategy:
fail-fast: false
matrix:
git_ref: [ c3939dac2c060651361fc71516806f9ab8c38901 ]
name: ${{ matrix.git_ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
needs: build_wolfssl
steps:
- name: Install dependencies
run: export DEBIAN_FRONTEND=noninteractive && sudo apt-get update && sudo apt-get install -y libreadline-dev
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-ipmitool
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Build ipmitool
uses: wolfSSL/actions-build-autotools-project@v1
with:
repository: ipmitool/ipmitool
ref: ${{ matrix.git_ref }}
path: ipmitool
patch-file: $GITHUB_WORKSPACE/osp/ipmitool/*-${{ matrix.git_ref }}.patch
configure: --with-wolfssl=$GITHUB_WORKSPACE/build-dir
# No checks included and not running since it depends on hardware
check: false
- name: Confirm built with wolfSSL
working-directory: ipmitool
run: |
ldd src/ipmitool | grep wolfssl
ldd src/ipmievd | grep wolfssl

101
.github/workflows/jwt-cpp.yml vendored Normal file
View File

@@ -0,0 +1,101 @@
name: jwt-cpp Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
# Just to keep it the same as the testing target
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all
install: true
# Don't run tests as this config is tested in many other places
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-jwt-cpp
path: build-dir.tgz
retention-days: 5
build_pam-ipmi:
if: github.repository_owner == 'wolfssl'
strategy:
fail-fast: false
matrix:
config:
- ref: 0.7.0
runner: ubuntu-24.04
- ref: 0.6.0
runner: ubuntu-24.04
name: ${{ matrix.config.ref }}
runs-on: ${{ matrix.config.runner }}
needs: build_wolfssl
steps:
- name: Install dependencies
run: |
# Don't prompt for anything
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install libgtest-dev
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-jwt-cpp
- name: Setup cmake version
uses: jwlawson/actions-setup-cmake@v2
with:
cmake-version: '3.25.x'
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout jwt-cpp
uses: actions/checkout@v4
with:
repository: Thalhammer/jwt-cpp
path: jwt-cpp
ref: v${{ matrix.config.ref }}
- name: Build pam-ipmi
working-directory: jwt-cpp
run: |
patch -p1 < ../osp/jwt-cpp/${{ matrix.config.ref }}.patch
PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -B build -DJWT_SSL_LIBRARY:STRING=wolfSSL -DJWT_BUILD_TESTS=ON .
make -j -C build
ldd ./build/tests/jwt-cpp-test | grep wolfssl
- name: Run jwt-cpp tests
working-directory: jwt-cpp
run: ./build/tests/jwt-cpp-test

View File

@@ -1,29 +1,46 @@
name: Kerberos 5 Tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 5
steps:
- name: workaround high-entropy ASLR
# not needed after either an update to llvm or runner is done
run: sudo sysctl vm.mmap_rnd_bits=28
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-krb CFLAGS='-fsanitize=address'
configure: --enable-krb CC='gcc -fsanitize=address'
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: wolf-install-krb5
path: build-dir
retention-days: 1
path: build-dir.tgz
retention-days: 5
krb5_check:
strategy:
@@ -32,25 +49,28 @@ jobs:
# List of releases to test
ref: [ 1.21.1 ]
name: ${{ matrix.ref }}
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 8
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: wolf-install-krb5
path: build-dir
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout krb5
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: krb5/krb5
ref: krb5-${{ matrix.ref }}-final
@@ -61,6 +81,10 @@ jobs:
run: |
patch -p1 < $GITHUB_WORKSPACE/osp/krb5/Patch-for-Kerberos-5-${{ matrix.ref }}.patch
- name: workaround high-entropy ASLR
# not needed after either an update to llvm or runner is done
run: sudo sysctl vm.mmap_rnd_bits=28
- name: Build krb5
working-directory: ./krb5/src
run: |
@@ -68,7 +92,7 @@ jobs:
# Using rpath because LD_LIBRARY_PATH is overwritten during testing
export WOLFSSL_CFLAGS="-I$GITHUB_WORKSPACE/build-dir/include -I$GITHUB_WORKSPACE/build-dir/include/wolfssl -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib"
export WOLFSSL_LIBS="-lwolfssl -L$GITHUB_WORKSPACE/build-dir/lib -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib"
./configure --with-crypto-impl=wolfssl --with-tls-impl=wolfssl --disable-pkinit \
./configure --with-crypto-impl=wolfssl --with-tls-impl=wolfssl --disable-pkinit --with-spake-openssl \
CFLAGS='-fsanitize=address' LDFLAGS='-fsanitize=address'
CFLAGS='-fsanitize=address' LDFLAGS='-fsanitize=address' make -j

91
.github/workflows/libspdm.yml vendored Normal file
View File

@@ -0,0 +1,91 @@
name: libspdm Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all --enable-static CFLAGS='-DRSA_MIN_SIZE=512'
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-libspdm
path: build-dir.tgz
retention-days: 5
libspdm_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
ref: [ 3.7.0 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-libspdm
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout libspdm
uses: actions/checkout@v4
with:
repository: DMTF/libspdm
path: libspdm
ref: ${{ matrix.ref }}
- name: Build and test libspdm
working-directory: libspdm
run: |
patch -p1 < ../osp/libspdm/${{ matrix.ref }}/libspdm-${{ matrix.ref }}.patch
git submodule update --init --recursive
# Silence cmake version warnings
find -name CMakeLists.txt -exec sed -i 's/cmake_minimum_required.*/cmake_minimum_required(VERSION 3.10)/g' {} \;
mkdir build
cd build
cmake -DARCH=x64 -DTOOLCHAIN=GCC -DTARGET=Debug -DCRYPTO=wolfssl -DENABLE_BINARY_BUILD=1 \
-DCOMPILED_LIBWOLFSSL_PATH=$GITHUB_WORKSPACE/build-dir/lib/libwolfssl.a \
-DWOLFSSL_INCDIR=$GITHUB_WORKSPACE/build-dir/include ..
make -j
cd ../unit_test/sample_key
../../build/bin/test_crypt
../../build/bin/test_spdm_secured_message
../../build/bin/test_spdm_crypt

90
.github/workflows/libssh2.yml vendored Normal file
View File

@@ -0,0 +1,90 @@
name: libssh2 Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
# Just to keep it the same as the testing target
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all
check: false # config is already tested in many other PRB's
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-libssh2
path: build-dir.tgz
retention-days: 5
libssh2_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
ref: [ 1.11.1 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 8
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-libssh2
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Clone libssh2
uses: actions/checkout@v4
with:
repository: libssh2/libssh2
ref: libssh2-${{ matrix.ref }}
path: libssh2
- name: Build libssh2
working-directory: libssh2
run: |
autoreconf -fi
./configure --with-crypto=wolfssl --with-libwolfssl-prefix=$GITHUB_WORKSPACE/build-dir
- name: Update libssh2 test to use a stable version of debian
working-directory: libssh2
run: |
sed -i 's/testing-slim/oldstable-slim/' tests/openssh_server/Dockerfile
- name: Run libssh2 tests
working-directory: libssh2
run: make -j check
- name: Confirm libssh2 built with wolfSSL
run: ldd libssh2/src/.libs/libssh2.so | grep wolfssl
- name: print server logs
if: ${{ failure() }}
run: tail -n +1 libssh2/tests/*.log

91
.github/workflows/libvncserver.yml vendored Normal file
View File

@@ -0,0 +1,91 @@
name: libvncserver Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
# Just to keep it the same as the testing target
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all
install: true
# Don't run tests as this config is tested in many other places
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-libvncserver
path: build-dir.tgz
retention-days: 5
build_libvncserver:
strategy:
fail-fast: false
matrix:
ref: [ 0.9.13, 0.9.14 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-libvncserver
- name: Setup cmake version
uses: jwlawson/actions-setup-cmake@v2
with:
cmake-version: '3.25.x'
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout libvncserver
uses: actions/checkout@v4
with:
repository: LibVNC/libvncserver
path: libvncserver
ref: LibVNCServer-${{ matrix.ref }}
- name: Build libvncserver
working-directory: libvncserver
run: |
patch -p1 < ../osp/libvncserver/${{ matrix.ref }}.patch
PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
make -j -C build VERBOSE=1
ldd build/libvncclient.so | grep wolfssl
ldd build/libvncserver.so | grep wolfssl
- name: Run libvncserver tests
working-directory: libvncserver
run: make -C build test

54
.github/workflows/linuxkm.yml vendored Normal file
View File

@@ -0,0 +1,54 @@
name: Kernel Module Build
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_library:
strategy:
matrix:
config: [
'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-lkcapi-register=all --enable-all --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --enable-dual-alg-certs --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --disable-sp-asm --enable-crypttests --enable-linuxkm-benchmarks CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096 -DBENCH_EMBEDDED -DBENCH_MIN_RUNTIME_SEC=0.01 -DBENCH_NTIMES=1 -DBENCH_AGREETIMES=1" --with-max-rsa-bits=16384',
'EXTRA_CPPFLAGS=-Werror --enable-option-checking=fatal --enable-linuxkm --enable-linuxkm-pie --enable-reproducible-build --enable-linuxkm-lkcapi-register=all --enable-all-crypto --enable-cryptonly --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-experimental --disable-qt --disable-quic --with-sys-crypto-policy=no --disable-opensslextra --disable-testcert --enable-intelasm --disable-sp-asm --enable-crypttests --enable-linuxkm-benchmarks CFLAGS="-DWOLFSSL_LINUXKM_VERBOSE_DEBUG -Wframe-larger-than=2048 -Wstack-usage=4096 -DBENCH_EMBEDDED -DBENCH_MIN_RUNTIME_SEC=0.01 -DBENCH_NTIMES=1 -DBENCH_AGREETIMES=1" --with-max-rsa-bits=16384'
]
name: build module
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Prepare target kernel for module builds
run: |
echo "updating linux-headers"
sudo apt-get update || $(exit 2)
sudo apt-get install linux-headers-$(uname -r) -y || $(exit 3)
echo "preparing target kernel $(uname -r)"
pushd "/lib/modules/$(uname -r)/build" || $(exit 4)
if [ -f /proc/config.gz ]; then gzip -dc /proc/config.gz > /tmp/.config && sudo mv /tmp/.config . || $(exit 5); elif [ -f "/boot/config-$(uname -r)" ]; then sudo cp -p "/boot/config-$(uname -r)" .config || $(exit 6); fi
sudo make -j 4 olddefconfig || $(exit 7)
sudo make M="$(pwd)" modules_prepare || $(exit 8)
popd >/dev/null
- name: autogen.sh
run: |
./autogen.sh || $(exit 9)
- name: Build libwolfssl.ko, targeting GitHub ubuntu-latest, with --enable-all, PQC, and smallstack and stack depth warnings
run: |
echo "running ./configure --with-linux-source=/lib/modules/$(uname -r)/build ${{ matrix.config }}"
./configure --with-linux-source=/lib/modules/$(uname -r)/build ${{ matrix.config }} || $(exit 10)
# try to remove profiling (-pg) because it leads to "_mcleanup: gmon.out: Permission denied"
make -j 4 KERNEL_EXTRA_CFLAGS_REMOVE=-pg FORCE_NO_MODULE_SIG=1 || $(exit 11)
ls -l linuxkm/libwolfssl.ko || $(exit 12)
echo "Successful linuxkm build."

View File

@@ -0,0 +1,26 @@
name: MacOS apple native cert validation tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
if: github.repository_owner == 'wolfssl'
runs-on: macos-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 5
steps:
- name: Build and configure wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
configure: CFLAGS='-DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION -DWOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION -DRSA_MIN_SIZE=2048 -DNO_WOLFSSL_CIPHER_SUITE_TEST'

View File

@@ -1,45 +0,0 @@
name: CI
concurrency:
group: ${{ github.ref }}
cancel-in-progress: true
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
jobs:
espressif:
uses: ./.github/workflows/docker-Espressif.yml
multi-compiler:
uses: ./.github/workflows/multi-compiler.yml
multi-arch:
uses: ./.github/workflows/multi-arch.yml
openwrt:
uses: ./.github/workflows/docker-OpenWrt.yml
os-check:
uses: ./.github/workflows/os-check.yml
async:
uses: ./.github/workflows/async.yml
stunnel:
uses: ./.github/workflows/stunnel.yml
openvpn:
uses: ./.github/workflows/openvpn.yml
hostap:
uses: ./.github/workflows/hostap.yml
nginx:
uses: ./.github/workflows/nginx.yml
zephyr:
uses: ./.github/workflows/zephyr.yml
hitch:
uses: ./.github/workflows/hitch.yml
curl:
uses: ./.github/workflows/curl.yml
krb5:
uses: ./.github/workflows/krb5.yml
packaging:
uses: ./.github/workflows/packaging.yml
# TODO: Currently this test fails. Enable it once it becomes passing.
# haproxy:
# uses: ./.github/workflows/haproxy.yml

79
.github/workflows/mbedtls.sh vendored Normal file
View File

@@ -0,0 +1,79 @@
#!/usr/bin/env bash
set -e
set -x
# Basic TLS test
./mbedtls/build/programs/ssl/ssl_server2 > /tmp/server.log 2>&1 &
SERVER_PID=$!
sleep 0.1
./mbedtls/build/programs/ssl/ssl_client2 # Confirm working with mbed
env -C wolfssl ./examples/client/client -p 4433 -g \
-A ../mbedtls/framework/data_files/test-ca-sha256.crt \
-c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
-k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
kill $SERVER_PID
sleep 0.1
env -C wolfssl ./examples/server/server -p 4433 -i -g \
-A ../mbedtls/framework/data_files/test-ca-sha256.crt \
-c ../mbedtls/framework/data_files/server2-sha256.crt \
-k ../mbedtls/framework/data_files/server2.key.pem > /tmp/server.log 2>&1 &
SERVER_PID=$!
sleep 0.1
./mbedtls/build/programs/ssl/ssl_client2
env -C wolfssl ./examples/client/client -p 4433 -g \
-A ../mbedtls/framework/data_files/test-ca-sha256.crt \
-c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
-k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
kill $SERVER_PID
sleep 0.1
# Basic DTLS test
./mbedtls/build/programs/ssl/ssl_server2 dtls=1 > /tmp/server.log 2>&1 &
SERVER_PID=$!
sleep 0.1
./mbedtls/build/programs/ssl/ssl_client2 dtls=1 # Confirm working with mbed
env -C wolfssl ./examples/client/client -p 4433 -g -u \
-A ../mbedtls/framework/data_files/test-ca-sha256.crt \
-c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
-k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
kill $SERVER_PID
sleep 0.1
env -C wolfssl ./examples/server/server -p 4433 -i -g -u \
-A ../mbedtls/framework/data_files/test-ca-sha256.crt \
-c ../mbedtls/framework/data_files/server2-sha256.crt \
-k ../mbedtls/framework/data_files/server2.key.pem > /tmp/server.log 2>&1 &
SERVER_PID=$!
sleep 0.1
env -C wolfssl ./examples/client/client -p 4433 -g -u \
-A ../mbedtls/framework/data_files/test-ca-sha256.crt \
-c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
-k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
./mbedtls/build/programs/ssl/ssl_client2 dtls=1
kill $SERVER_PID
sleep 0.1
# DTLS 1.2 CID test
./mbedtls/build/programs/ssl/ssl_server2 dtls=1 cid=1 cid_val=121212 > /tmp/server.log 2>&1 &
SERVER_PID=$!
sleep 0.1
./mbedtls/build/programs/ssl/ssl_client2 dtls=1 cid=1 cid_val=232323 # Confirm working with mbed
env -C wolfssl ./examples/client/client -p 4433 -g -u --cid 232323 \
-A ../mbedtls/framework/data_files/test-ca-sha256.crt \
-c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
-k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
kill $SERVER_PID
sleep 0.1
env -C wolfssl ./examples/server/server -p 4433 -i -g -u --cid 121212 \
-A ../mbedtls/framework/data_files/test-ca-sha256.crt \
-c ../mbedtls/framework/data_files/server2-sha256.crt \
-k ../mbedtls/framework/data_files/server2.key.pem > /tmp/server.log 2>&1 &
SERVER_PID=$!
sleep 0.1
./mbedtls/build/programs/ssl/ssl_client2 dtls=1 cid_val=232323
env -C wolfssl ./examples/client/client -p 4433 -g -u --cid 232323 \
-A ../mbedtls/framework/data_files/test-ca-sha256.crt \
-c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
-k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
kill $SERVER_PID
sleep 0.1

86
.github/workflows/mbedtls.yml vendored Normal file
View File

@@ -0,0 +1,86 @@
name: mbedtls interop Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
env:
MBED_REF: v3.6.2
jobs:
build_mbedtls:
name: Build mbedtls
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
- name: Checking if we have mbed in cache
uses: actions/cache@v4
id: cache
with:
path: mbedtls
key: mbedtls-${{ env.MBED_REF }}
lookup-only: true
- name: Checkout mbedtls
if: steps.cache.outputs.cache-hit != 'true'
uses: actions/checkout@v4
with:
repository: Mbed-TLS/mbedtls
ref: ${{ env.MBED_REF }}
path: mbedtls
- name: Compile mbedtls
if: steps.cache.outputs.cache-hit != 'true'
working-directory: mbedtls
run: |
git submodule update --init
mkdir build
cd build
cmake ..
make -j
# convert key to pem format
openssl pkey -in framework/data_files/cli-rsa-sha256.key.der -text > framework/data_files/cli-rsa-sha256.key.pem
openssl pkey -in framework/data_files/server2.key.der -text > framework/data_files/server2.key.pem
mbedtls_test:
name: Test interop with mbedtls
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
needs: build_mbedtls
timeout-minutes: 10
steps:
- name: Disable IPv6 (IMPORTANT, OTHERWISE DTLS MBEDTLS CLIENT WON'T CONNECT)
run: echo 1 | sudo tee /proc/sys/net/ipv6/conf/lo/disable_ipv6
- name: Checking if we have mbed in cache
uses: actions/cache/restore@v4
id: cache
with:
path: mbedtls
key: mbedtls-${{ env.MBED_REF }}
fail-on-cache-miss: true
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-dtls --enable-dtlscid
install: false
check: false
- name: Test interop
run: bash wolfssl/.github/workflows/mbedtls.sh
- name: print server logs
if: ${{ failure() }}
run: cat /tmp/server.log

14
.github/workflows/memcached.sh vendored Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/sh
if [ -z "$GITHUB_WORKSPACE" ]; then
echo '$GITHUB_WORKSPACE is not set'
exit 1
fi
if [ -z "$HOST_ROOT" ]; then
echo '$HOST_ROOT is not set'
exit 1
fi
chroot $HOST_ROOT make -C $GITHUB_WORKSPACE/memcached \
-j$(nproc) PARALLEL=$(nproc) test_tls

123
.github/workflows/memcached.yml vendored Normal file
View File

@@ -0,0 +1,123 @@
name: memcached Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
# Just to keep it the same as the testing target
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-memcached
install: true
- name: Bundle Docker entry point
run: cp wolfssl/.github/workflows/memcached.sh build-dir/bin
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-memcached
path: build-dir.tgz
retention-days: 5
memcached_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
include:
- ref: 1.6.22
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-memcached
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Install dependencies
run: |
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y libevent-dev libevent-2.1-7 automake pkg-config make libio-socket-ssl-perl
- name: Checkout memcached
uses: actions/checkout@v4
with:
repository: memcached/memcached
ref: 1.6.22
path: memcached
- name: Configure and build memcached
run: |
cd $GITHUB_WORKSPACE/memcached/
patch -p1 < $GITHUB_WORKSPACE/osp/memcached/memcached_1.6.22.patch
./autogen.sh
export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig ./configure --enable-wolfssl
make -j$(nproc)
- name: Confirm memcached built with wolfSSL
working-directory: ./memcached
run: |
export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
ldd memcached | grep wolfssl
- name: Run memcached tests
working-directory: ./memcached
run: |
# Retry up to three times
# Using docker because interrupting the tests doesn't close running
# background servers. They can become daemonized and then all re-runs
# will always fail.
chmod +x $GITHUB_WORKSPACE/build-dir/bin/memcached.sh
for i in {1..3}; do
echo "-------- RUNNING TESTS --------"
MEMCACHED_RES=0 # Not set when command succeeds
# Tests should usually take less than 4 minutes. If already taking
# 5 minutes then they are probably stuck. Interrupt and re-run.
time timeout -s SIGKILL 5m docker run -v /:/host \
-v $GITHUB_WORKSPACE/build-dir/bin/memcached.sh:/memcached.sh \
-e GITHUB_WORKSPACE=$GITHUB_WORKSPACE \
-e HOST_ROOT=/host \
-e LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH \
alpine:latest /memcached.sh || MEMCACHED_RES=$?
if [ "$MEMCACHED_RES" -eq "0" ]; then
break
fi
done
echo "test ran $i times"
if [ "$MEMCACHED_RES" -ne "0" ]; then
exit $MEMCACHED_RES
fi

142
.github/workflows/mono.yml vendored Normal file
View File

@@ -0,0 +1,142 @@
name: Linux Mono C# Build Test
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL C# Wrapper
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
# Build wolfSSL using the user_settings.h from the C# wrapper directory
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-usersettings CPPFLAGS=-I$GITHUB_WORKSPACE/wolfssl/wrapper/CSharp
install: true
check: false
- name: Install mono-complete
run: |
sudo apt-get update
sudo apt-get install -y mono-complete
- name: Copy wolfSSL.dll to C# wrapper directory
run: |
echo "Copying wolfSSL.dll to C# wrapper directory. $GITHUB_WORKSPACE/build-dir/lib contains:"
ls -la $GITHUB_WORKSPACE/build-dir/lib/*
cp $GITHUB_WORKSPACE/build-dir/lib/libwolfssl.so $GITHUB_WORKSPACE/wolfssl/wrapper/CSharp/wolfssl.dll
cp $GITHUB_WORKSPACE/build-dir/lib/libwolfssl.so $GITHUB_WORKSPACE/wolfssl/wrapper/CSharp/libwolfssl.so
- name: Build and run wolfCrypt test wrapper
working-directory: wolfssl/wrapper/CSharp
run: |
mcs wolfCrypt-Test/wolfCrypt-Test.cs wolfSSL_CSharp/wolfCrypt.cs wolfSSL_CSharp/wolfSSL.cs wolfSSL_CSharp/X509.cs -OUT:wolfcrypttest.exe
mono wolfcrypttest.exe
- name: Build wolfSSL client/server test
working-directory: wolfssl/wrapper/CSharp
env:
LD_LIBRARY_PATH: $GITHUB_WORKSPACE/build-dir/lib
run: |
mcs wolfSSL_CSharp/wolfSSL.cs wolfSSL_CSharp/X509.cs wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs -OUT:server.exe
mcs wolfSSL_CSharp/wolfCrypt.cs wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs wolfSSL_CSharp/wolfSSL.cs wolfSSL_CSharp/X509.cs -OUT:client.exe
- name: Test wolfSSL client/server communication
working-directory: wolfssl/wrapper/CSharp
env:
LD_LIBRARY_PATH: $GITHUB_WORKSPACE/build-dir/lib
run: |
# Start server in background and capture its PID
timeout 10s mono server.exe > server.log 2>&1 &
SERVER_PID=$!
# Wait for server to start
sleep 2
# Run client and capture output
timeout 5s mono client.exe > client.log 2>&1
CLIENT_EXIT_CODE=$?
# Wait a moment for server to process
sleep 1
# Kill server
kill $SERVER_PID 2>/dev/null || true
# Check if client completed successfully (exit code 0)
if [ $CLIENT_EXIT_CODE -eq 0 ]; then
echo "Client completed successfully"
else
echo "Client failed with exit code $CLIENT_EXIT_CODE"
cat client.log
exit 1
fi
# Check for success indicators in logs
if grep -q "SSL version is" client.log && grep -q "SSL cipher suite is" client.log; then
echo "TLS handshake successful - SSL version and cipher suite detected"
else
echo "TLS handshake failed - no SSL version/cipher detected"
echo "Client log:"
cat client.log
echo "Server log:"
cat server.log
exit 1
fi
- name: Test SNI functionality
working-directory: wolfssl/wrapper/CSharp
env:
LD_LIBRARY_PATH: $GITHUB_WORKSPACE/build-dir/lib
run: |
# Start server with SNI support in background
timeout 10s mono server.exe -S > server_sni.log 2>&1 &
SERVER_PID=$!
# Wait for server to start
sleep 2
# Run client with SNI and capture output
timeout 5s mono client.exe -S localhost > client_sni.log 2>&1
CLIENT_EXIT_CODE=$?
# Wait a moment for server to process
sleep 1
# Kill server
kill $SERVER_PID 2>/dev/null || true
# Check if client completed successfully
if [ $CLIENT_EXIT_CODE -eq 0 ]; then
echo "SNI client completed successfully"
else
echo "SNI client failed with exit code $CLIENT_EXIT_CODE"
cat client_sni.log
exit 1
fi
# Check for SNI success indicators
if grep -q "SSL version is" client_sni.log && grep -q "SSL cipher suite is" client_sni.log; then
echo "SNI TLS handshake successful"
else
echo "SNI TLS handshake failed"
echo "Client log:"
cat client_sni.log
echo "Server log:"
cat server_sni.log
exit 1
fi

105
.github/workflows/mosquitto.yml vendored Normal file
View File

@@ -0,0 +1,105 @@
name: mosquitto Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
# Just to keep it the same as the testing target
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-mosquitto CFLAGS="-DALLOW_INVALID_CERTSIGN"
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-mosquitto
path: build-dir.tgz
retention-days: 5
mosquitto_check:
strategy:
fail-fast: false
matrix:
ref: [ 2.0.18 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-mosquitto
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Install dependencies
run: |
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y build-essential libev-dev libssl-dev automake python3-docutils libcunit1 libcunit1-doc libcunit1-dev pkg-config make python3-psutil
- name: Checkout mosquitto
uses: actions/checkout@v4
with:
repository: eclipse/mosquitto
ref: v${{ matrix.ref }}
path: mosquitto
- name: Update certs
run: |
cd $GITHUB_WORKSPACE/mosquitto/test/ssl
./gen.sh
cat all-ca.crt >> server.crt
- name: Configure and build mosquitto
run: |
cd $GITHUB_WORKSPACE/mosquitto/
patch -p1 < $GITHUB_WORKSPACE/osp/mosquitto/${{ matrix.ref }}.patch
make WITH_TLS=wolfssl WITH_CJSON=no WITH_DOCS=no WOLFSSLDIR=$GITHUB_WORKSPACE/build-dir
- name: Run mosquitto tests
working-directory: ./mosquitto
run: |
# Retry up to five times
for i in {1..5}; do
TEST_RES=0
make WITH_TLS=wolfssl WITH_CJSON=no WITH_DOCS=no WOLFSSLDIR=$GITHUB_WORKSPACE/build-dir ptest || TEST_RES=$?
if [ "$TEST_RES" -eq "0" ]; then
break
fi
done
if [ "$TEST_RES" -ne "0" ]; then
exit $TEST_RES
fi

37
.github/workflows/msys2.yml vendored Normal file
View File

@@ -0,0 +1,37 @@
name: MSYS2 Build Test
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
msys2:
if: github.repository_owner == 'wolfssl'
runs-on: windows-latest
defaults:
run:
shell: msys2 {0}
steps:
- uses: actions/checkout@v3
- uses: msys2/setup-msys2@v2
with:
msystem: msys
update: true
install: git gcc autotools base-devel autoconf netcat
- name: configure wolfSSL
run: ./autogen.sh && ./configure --disable-sys-ca-certs CFLAGS="-DUSE_CERT_BUFFERS_2048 -DUSE_CERT_BUFFERS_256 -DNO_WRITE_TEMP_FILES"
- name: build wolfSSL
run: make
- name: run tests
run: make check
- name: Display log
if: always()
run: cat test-suite.log

View File

@@ -1,7 +1,16 @@
name: Multiple architectures
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
my_matrix:
@@ -21,13 +30,16 @@ jobs:
- HOST: riscv64-linux-gnu
CC: riscv64-linux-gnu-gcc
ARCH: riscv64
EXTRA_OPTS: --enable-riscv-asm
# Config to ensure CPUs without Thumb instructions compiles
- HOST: arm-linux-gnueabi
CC: arm-linux-gnueabi-gcc
CFLAGS: -marm -DWOLFSSL_SP_ARM_ARCH=6
ARCH: armel
EXTRA_OPTS: --enable-sp-asm
runs-on: ubuntu-latest
opts: [ '-O2', '-O3', '-O1 -UFP_ECC', '-O0', '-Os', '-Ofast' ]
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
@@ -35,14 +47,14 @@ jobs:
run: |
sudo apt update
sudo apt install -y crossbuild-essential-${{ matrix.ARCH }} qemu-user
- uses: actions/checkout@v3
- name: Build
- uses: actions/checkout@v4
- name: Build for ${{ matrix.ARCH }} with Opt Level ${{ matrix.opts }}
env:
CC: ${{ matrix.CC }}
CFLAGS: ${{ matrix.CFLAGS }}
CFLAGS: ${{ matrix.CFLAGS }} ${{ matrix.opts }}
QEMU_LD_PREFIX: /usr/${{ matrix.HOST }}
run: ./autogen.sh && ./configure --host=${{ matrix.HOST }} --enable-all --disable-examples ${{ matrix.EXTRA_OPTS }} && make
- name: Print errors
run: ./autogen.sh && ./configure --host=${{ matrix.HOST }} --enable-all --disable-examples CPPFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFCRYPT_TEST_LINT" ${{ matrix.EXTRA_OPTS }} && make
- name: Print errors
if: ${{ failure() }}
run: |
if [ -f config.log ] ; then

View File

@@ -1,7 +1,16 @@
name: Multiple compilers and versions
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
my_matrix:
@@ -12,41 +21,35 @@ jobs:
include:
- CC: gcc-9
CXX: g++-9
OS: ubuntu-latest
OS: ubuntu-24.04
- CC: gcc-10
CXX: g++-10
OS: ubuntu-latest
OS: ubuntu-24.04
- CC: gcc-11
CXX: g++-11
OS: ubuntu-latest
OS: ubuntu-24.04
- CC: gcc-12
CXX: g++-12
OS: ubuntu-latest
- CC: clang-10
CXX: clang++-10
OS: ubuntu-20.04
- CC: clang-11
CXX: clang++-11
OS: ubuntu-20.04
- CC: clang-12
CXX: clang++-12
OS: ubuntu-20.04
- CC: clang-13
CXX: clang++-13
OS: ubuntu-latest
OS: ubuntu-24.04
- CC: clang-14
CXX: clang++-14
OS: ubuntu-latest
OS: ubuntu-24.04
- CC: clang-19
CXX: clang++-19
OS: ubuntu-24.04
if: github.repository_owner == 'wolfssl'
runs-on: ${{ matrix.OS }}
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- uses: actions/checkout@v3
- name: Install dependencies
run: export DEBIAN_FRONTEND=noninteractive && sudo apt-get update && sudo apt-get install -y ${{ matrix.CC }}
- uses: actions/checkout@v4
- name: Build
env:
CC: ${{ matrix.CC }}
CXX: ${{ matrix.CXX }}
run: ./autogen.sh && ./configure && make && make dist
run: ./autogen.sh && ./configure CFLAGS="-pedantic -Wdeclaration-after-statement" && make && make dist
- name: Show log on errors
if: ${{ failure() }}
run: |

84
.github/workflows/net-snmp.yml vendored Normal file
View File

@@ -0,0 +1,84 @@
name: net-snmp Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-net-snmp
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-net-snmp
path: build-dir.tgz
retention-days: 5
net-snmp_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
include:
- ref: 5.9.3
test_opts: -e 'agentxperl'
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-net-snmp
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Build net-snmp
uses: wolfSSL/actions-build-autotools-project@v1
with:
repository: net-snmp/net-snmp
ref: v${{ matrix.ref }}
path: net-snmp
patch-file: $GITHUB_WORKSPACE/osp/net-snmp/${{ matrix.ref }}.patch
configure: --disable-shared --with-wolfssl=$GITHUB_WORKSPACE/build-dir
check: false
- name: Run net-snmp tests
working-directory: net-snmp
run: |
autoconf --version | grep -P '2\.\d\d' -o > dist/autoconf-version
make -j test TESTOPTS="${{ matrix.test_opts }}"

View File

@@ -1,13 +1,23 @@
name: nginx Tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
@@ -24,12 +34,15 @@ jobs:
configure: --enable-nginx ${{ env.wolf_debug_flags }}
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: wolf-install-nginx
path: build-dir
retention-days: 1
path: build-dir.tgz
retention-days: 5
nginx_check:
strategy:
@@ -65,30 +78,81 @@ jobs:
proxy_request_buffering_ssl.t proxy_ssl_keepalive.t proxy_ssl.t
proxy_ssl_verify.t stream_proxy_protocol_ssl.t stream_proxy_ssl.t
stream_proxy_ssl_verify.t stream_ssl_alpn.t
- ref: 1.24.0
test-ref: 212d9d003886e3a24542855fb60355a417f037de
# Following tests pass with sanitizer on
sanitize-ok: >-
h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t mail_ssl.t
proxy_ssl_certificate_empty.t proxy_ssl_certificate.t proxy_ssl_certificate_vars.t
proxy_ssl_name.t ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t ssl_crl.t
ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t ssl_proxy_protocol.t
ssl_proxy_upgrade.t ssl_reject_handshake.t ssl_session_reuse.t
ssl_session_ticket_key.t ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t
ssl_stapling.t ssl.t ssl_verify_client.t stream_proxy_ssl_certificate.t
stream_proxy_ssl_certificate_vars.t stream_proxy_ssl_name_complex.t
stream_proxy_ssl_name.t stream_ssl_alpn.t stream_ssl_certificate.t
stream_ssl_conf_command.t stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t
stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t
stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t
upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
uwsgi_ssl.t uwsgi_ssl_verify.t
# Following tests do not pass with sanitizer on (with OpenSSL too)
sanitize-not-ok: >-
grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
proxy_request_buffering_ssl.t proxy_ssl_conf_command.t proxy_ssl_keepalive.t
proxy_ssl.t proxy_ssl_verify.t ssl_curve.t ssl_verify_depth.t
stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t
stream_proxy_ssl_verify.t
name: ${{ matrix.ref }}
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: wolf-install-nginx
path: build-dir
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Install dependencies
run: |
sudo cpan -iT Proc::Find Net::SSLeay IO::Socket::SSL
sudo cpan -iT Proc::Find
# Locking in the version of SSLeay used with testing
- name: Download and install Net::SSLeay 1.94 manually
run: |
curl -LO https://www.cpan.org/modules/by-module/Net/CHRISN/Net-SSLeay-1.94.tar.gz
tar -xzf Net-SSLeay-1.94.tar.gz
cd Net-SSLeay-1.94
perl Makefile.PL
make
sudo make install
# SSL version 2.091 changes '' return to undef causing test case to fail.
# Locking in the test version to use as 2.090
- name: Download and install IO::Socket::SSL 2.090 manually
run: |
curl -LO https://www.cpan.org/modules/by-module/IO/IO-Socket-SSL-2.090.tar.gz
tar -xzf IO-Socket-SSL-2.090.tar.gz
cd IO-Socket-SSL-2.090
perl Makefile.PL
make
sudo make install
- name: Checkout wolfssl-nginx
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: wolfssl/wolfssl-nginx
path: wolfssl-nginx
- name: Checkout nginx
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: nginx/nginx
path: nginx
@@ -104,7 +168,7 @@ jobs:
run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl-debug.patch
- name: Checkout nginx-tests
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: nginx/nginx-tests
path: nginx-tests
@@ -147,6 +211,10 @@ jobs:
run: |
echo "nginx_c_flags=-O0" >> $GITHUB_ENV
- name: workaround high-entropy ASLR
# not needed after either an update to llvm or runner is done
run: sudo sysctl vm.mmap_rnd_bits=28
- name: Build nginx with sanitizer
working-directory: nginx
run: |
@@ -176,4 +244,4 @@ jobs:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
prove ${{ matrix.sanitize-ok }}

44
.github/workflows/no-malloc.yml vendored Normal file
View File

@@ -0,0 +1,44 @@
name: No Malloc Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
matrix:
config: [
# Add new configs here
'--enable-rsa --enable-keygen --disable-dh CFLAGS="-DWOLFSSL_NO_MALLOC -DRSA_MIN_SIZE=1024 -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test wolfSSL
run: |
./autogen.sh
./configure ${{ matrix.config }}
make
./wolfcrypt/test/testwolfcrypt
- name: Print errors
if: ${{ failure() }}
run: |
if [ -f test-suite.log ] ; then
cat test-suite.log
fi

49
.github/workflows/no-tls.yml vendored Normal file
View File

@@ -0,0 +1,49 @@
name: --disable-tls Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
matrix:
config: [
# Add new configs here
'--disable-tls --enable-all CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test wolfSSL
run: |
./autogen.sh
./configure ${{ matrix.config }}
make -j 4
make check
- name: Print errors
if: ${{ failure() }}
run: |
for file in scripts/*.log
do
if [ -f "$file" ]; then
echo "${file}:"
cat "$file"
echo "========================================================================"
fi
done

27
.github/workflows/nss.sh vendored Normal file
View File

@@ -0,0 +1,27 @@
#!/usr/bin/env bash
set -e
set -x
# Setup nss cert db
mkdir nssdb
./dist/Debug/bin/certutil -d nssdb -N --empty-password
./dist/Debug/bin/certutil -d nssdb -A -a -i wolfssl/certs/test/server-localhost.pem \
-t TCP -n 'wolf localhost'
# App data for nss
echo Hello from nss > /tmp/in
# TLS 1.3 test
env -C wolfssl ./examples/server/server -v 4 -p 4433 \
-c certs/test/server-localhost.pem -d -w > /tmp/server.log 2>&1 &
sleep 0.1
./dist/Debug/bin/tstclnt -V tls1.3: -h localhost -p 4433 -d nssdb -C -4 -A /tmp/in -v
sleep 0.1
# DTLS 1.3 test
env -C wolfssl ./examples/server/server -v 4 -p 4433 -u \
-c certs/test/server-localhost.pem -d -w > /tmp/server.log 2>&1 &
sleep 0.1
./dist/Debug/bin/tstclnt -V tls1.3: -P client -h localhost -p 4433 -d nssdb -C -4 -A /tmp/in -v
sleep 0.1

89
.github/workflows/nss.yml vendored Normal file
View File

@@ -0,0 +1,89 @@
name: nss interop Tests
### TODO uncomment stuff
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
env:
NSS_REF: NSS_3_107_RTM
jobs:
build_nss:
name: Build nss
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 30
steps:
- name: Checking if we have nss in cache
uses: actions/cache@v4
id: cache
with:
path: dist
key: nss-${{ env.NSS_REF }}
lookup-only: true
- name: Install dependencies
if: steps.cache.outputs.cache-hit != 'true'
run: |
# Don't prompt for anything
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
# hostap dependencies
sudo apt-get install -y gyp ninja-build
- name: Checkout nss
if: steps.cache.outputs.cache-hit != 'true'
uses: actions/checkout@v4
with:
repository: nss-dev/nss
ref: ${{ env.NSS_REF }}
path: nss
- name: Compile nss
if: steps.cache.outputs.cache-hit != 'true'
run: |
hg clone https://hg.mozilla.org/projects/nspr
cd nss
./build.sh
nss_test:
name: Test interop with nss
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
needs: build_nss
timeout-minutes: 10
steps:
- name: Checking if we have nss in cache
uses: actions/cache/restore@v4
id: cache
with:
path: dist
key: nss-${{ env.NSS_REF }}
fail-on-cache-miss: true
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-dtls --enable-dtls13
install: false
check: false
- name: Test interop
run: bash wolfssl/.github/workflows/nss.sh
- name: print server logs
if: ${{ failure() }}
run: |
cat /tmp/server.log

93
.github/workflows/ntp.yml vendored Normal file
View File

@@ -0,0 +1,93 @@
name: ntp Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all
install: true
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-ntp
path: build-dir.tgz
retention-days: 5
ntp_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
ref: [ 4.2.8p15, 4.2.8p17 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-ntp
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
# Avoid DoS'ing ntp site so cache the tar.gz
- name: Check if we have ntp
uses: actions/cache@v4
id: cache
with:
path: ntp-${{ matrix.ref }}.tar.gz
key: ntp-${{ matrix.ref }}.tar.gz
- name: Download ntp
if: steps.cache.outputs.cache-hit != 'true'
run: |
wget https://downloads.nwtime.org/ntp/4.2.8/ntp-${{ matrix.ref }}.tar.gz
- name: Extract ntp
run: |
tar -xf ntp-${{ matrix.ref }}.tar.gz
- name: Build and test ntp
working-directory: ntp-${{ matrix.ref }}
run: |
patch -p1 < $GITHUB_WORKSPACE/osp/ntp/${{ matrix.ref }}/ntp-${{ matrix.ref }}.patch
./bootstrap
./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir
make -j
make -j check

38
.github/workflows/ocsp.yml vendored Normal file
View File

@@ -0,0 +1,38 @@
name: OCSP Test
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
ocsp_stapling:
name: ocsp stapling
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- name: Checkout wolfSSL
uses: actions/checkout@v4
- name: Build wolfSSL
run: autoreconf -ivf && ./configure --enable-ocsp --enable-ocspstapling && make
- name: Start OCSP responder 1
run: openssl ocsp -port 22221 -ndays 1000 -index certs/ocsp/index-intermediate1-ca-issued-certs.txt -rsigner certs/ocsp/ocsp-responder-cert.pem -rkey certs/ocsp/ocsp-responder-key.pem -CA certs/ocsp/intermediate1-ca-cert.pem &
- name: Start OCSP responder 2
run: openssl ocsp -port 22220 -ndays 1000 -index certs/ocsp/index-ca-and-intermediate-cas.txt -rsigner certs/ocsp/ocsp-responder-cert.pem -rkey certs/ocsp/ocsp-responder-key.pem -CA certs/ocsp/root-ca-cert.pem &
- name: Start TLS server
run: ./examples/server/server -p 11111 -c ./certs/ocsp/server1-cert.pem -k ./certs/ocsp/server1-key.pem -d &
- name: Test Look Up
run: ./examples/client/client -A ./certs/ocsp/root-ca-cert.pem -o

93
.github/workflows/openldap.yml vendored Normal file
View File

@@ -0,0 +1,93 @@
name: openldap Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-openldap CPPFLAGS=-DWOLFSSL_NO_ASN_STRICT
install: true
check: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-openldap
path: build-dir.tgz
retention-days: 5
openldap_check:
strategy:
fail-fast: false
matrix:
include:
# List of releases to test
- osp_ref: 2.5.13
git_ref: OPENLDAP_REL_ENG_2_5_13
- osp_ref: 2.6.7
git_ref: OPENLDAP_REL_ENG_2_6_7
name: ${{ matrix.osp_ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 20
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-openldap
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout openldap
uses: actions/checkout@v4
with:
repository: openldap/openldap
path: openldap
ref: ${{ matrix.git_ref }}
- name: Build and test OpenLDAP
working-directory: openldap
run: |
export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
patch -p1 < $GITHUB_WORKSPACE/osp/openldap/${{ matrix.osp_ref }}/openldap-${{ matrix.osp_ref }}.patch
rm aclocal.m4
autoreconf -ivf
./configure --with-tls=wolfssl --disable-bdb --disable-hdb \
CFLAGS="-I$GITHUB_WORKSPACE/build-dir/include \
-I$GITHUB_WORKSPACE/build-dir/include/wolfssl \
-L$GITHUB_WORKSPACE/build-dir/lib"
make -j depend
make -j
make -j check

105
.github/workflows/openssh.yml vendored Normal file
View File

@@ -0,0 +1,105 @@
name: openssh Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: >-
--enable-openssh --enable-dsa --with-max-rsa-bits=8192
--enable-intelasm --enable-sp-asm CFLAGS="-DRSA_MIN_SIZE=1024"
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-openssh
path: build-dir.tgz
retention-days: 5
openssh_check:
strategy:
fail-fast: false
matrix:
include:
# A good way to measure how much each test takes is to create a bash script
# in the openssh root like this (make it executable):
# time-measure.sh
# #!/bin/bash
# /usr/bin/time -a -o /tmp/LTESTS-times.txt -f '%e %C' /usr/bin/bash "$@"
# And invoke the openssh tests like this:
# rm -f /tmp/LTESTS-times.txt && \
# make tests TEST_SHELL=$(pwd)/time-measure.sh SKIP_UNIT=yes && \
# grep test-exec.sh /tmp/LTESTS-times.txt
- git_ref: 'V_9_6_P1'
osp_ver: '9.6'
SKIP_LTESTS: >-
exit-status rekey multiplex cert-userkey forward-control integrity
channel-timeout connection-timeout
- git_ref: 'V_9_9_P2'
osp_ver: '9.9p2'
SKIP_LTESTS: >-
exit-status rekey multiplex cert-userkey forward-control integrity
channel-timeout connection-timeout
- git_ref: 'V_10_0_P2'
osp_ver: '10.0p2'
SKIP_LTESTS: >-
exit-status rekey multiplex forward-control channel-timeout
connection-timeout
name: ${{ matrix.osp_ver }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-openssh
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Build and test openssh
uses: wolfSSL/actions-build-autotools-project@v1
with:
repository: openssh/openssh-portable
ref: ${{ matrix.git_ref }}
path: openssh
patch-file: $GITHUB_WORKSPACE/osp/openssh-patches/openssh-${{ matrix.osp_ver }}.patch
configure: --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-rpath=-Wl,-rpath=
check: false
# make tests take >20 minutes. Consider limiting?
- name: Run tests
working-directory: ./openssh
run: |
make tests SKIP_LTESTS='${{ matrix.SKIP_LTESTS }}'

50
.github/workflows/opensslcoexist.yml vendored Normal file
View File

@@ -0,0 +1,50 @@
name: OPENSSL_COEXIST and TEST_OPENSSL_COEXIST
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
matrix:
config: [
# Add new configs here
'--verbose --enable-all --disable-all-osp --disable-opensslall --enable-opensslcoexist CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
'--verbose --enable-all --disable-all-osp --disable-opensslall --enable-opensslcoexist CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -pedantic -DTEST_OPENSSL_COEXIST -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"'
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test --enable-opensslcoexist and TEST_OPENSSL_COEXIST
run: |
./autogen.sh || $(exit 2)
./configure ${{ matrix.config }} || $(exit 3)
make -j 4 || $(exit 4)
make check
- name: Print errors
if: ${{ failure() }}
run: |
for file in config.log scripts/*.log
do
if [ -f "$file" ]; then
echo "${file}:"
cat "$file"
echo "========================================================================"
fi
done

View File

@@ -1,13 +1,23 @@
name: OpenVPN Tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
@@ -18,30 +28,36 @@ jobs:
configure: --enable-openvpn
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: wolf-install-openvpn
path: build-dir
retention-days: 1
path: build-dir.tgz
retention-days: 5
openvpn_check:
strategy:
fail-fast: false
matrix:
# List of refs to test
ref: [ master, release/2.6, v2.6.0 ]
ref: [ release/2.6, master ]
name: ${{ matrix.ref }}
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
timeout-minutes: 10
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: wolf-install-openvpn
path: build-dir
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Install dependencies
run: |
@@ -50,10 +66,14 @@ jobs:
linux-libc-dev man2html libcmocka-dev python3-docutils \
libtool automake autoconf libnl-genl-3-dev libnl-genl-3-200
- name: workaround high-entropy ASLR
# not needed after either an update to llvm or runner is done
run: sudo sysctl vm.mmap_rnd_bits=28
- if: ${{ matrix.ref != 'master' }}
name: Build and test openvpn with fsanitize
run: |
echo 'extra_c_flags=CFLAGS="-fsanitize=address -fno-omit-frame-pointer -O2"' >> $GITHUB_ENV
echo 'extra_c_flags=CC="gcc -fsanitize=address" CFLAGS="-fno-omit-frame-pointer -O2"' >> $GITHUB_ENV
- name: Build and test openvpn
uses: wolfSSL/actions-build-autotools-project@v1

View File

@@ -1,28 +1,89 @@
name: Ubuntu-Macos-Windows Tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest, macos-latest ]
os: [ ubuntu-24.04, macos-latest ]
config: [
# Add new configs here
'',
'--enable-all --enable-asn=template',
'--enable-all --enable-asn=original',
'--enable-all --enable-asn=template CPPFLAGS=-DWOLFSSL_OLD_OID_SUM',
'--enable-all --enable-asn=original CPPFLAGS=-DWOLFSSL_OLD_OID_SUM',
'--enable-harden-tls',
'--enable-tls13 --enable-session-ticket --enable-dtls --enable-dtls13
--enable-opensslextra --enable-sessioncerts
CPPFLAGS=''-DWOLFSSL_DTLS_NO_HVR_ON_RESUME -DHAVE_EXT_CACHE
-DWOLFSSL_TICKET_HAVE_ID -DHAVE_EX_DATA -DSESSION_CACHE_DYNAMIC_MEM'' ',
--enable-opensslextra --enable-sessioncerts
CPPFLAGS=''-DWOLFSSL_DTLS_NO_HVR_ON_RESUME -DHAVE_EXT_CACHE
-DWOLFSSL_TICKET_HAVE_ID -DHAVE_EX_DATA -DSESSION_CACHE_DYNAMIC_MEM'' ',
'--enable-all --enable-secure-renegotiation',
'--enable-all --enable-haproxy --enable-quic',
'--enable-dtls --enable-dtls13 --enable-earlydata
--enable-session-ticket --enable-psk
CPPFLAGS=''-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME'' ',
'--enable-experimental --enable-kyber --enable-dtls --enable-dtls13
--enable-dtls-frag-ch',
'--enable-all --enable-dtls13 --enable-dtls-frag-ch',
'--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
--enable-dtls-mtu',
'--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
--enable-psk --enable-aesccm --enable-nullcipher
CPPFLAGS=-DWOLFSSL_STATIC_RSA',
'--enable-ascon --enable-experimental',
'--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
'--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ',
'--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys
CPPFLAGS=-DWOLFSSL_DH_EXTRA',
'--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
--enable-dtls-mtu CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS',
'--enable-opensslall --enable-opensslextra CPPFLAGS=-DWC_RNG_SEED_CB',
'--enable-opensslall --enable-opensslextra
CPPFLAGS=''-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID'' ',
'--enable-opensslextra CPPFLAGS=''-DWOLFSSL_NO_CA_NAMES'' ',
'--enable-opensslextra=x509small',
'CPPFLAGS=''-DWOLFSSL_EXTRA'' ',
'--enable-lms=small,verify-only --enable-xmss=small,verify-only',
'--disable-sys-ca-certs',
'--enable-all CPPFLAGS=-DWOLFSSL_DEBUG_CERTS ',
'--enable-all CPPFLAGS="-DWOLFSSL_CHECK_MEM_ZERO"',
'--enable-coding=no',
'--enable-dtls --enable-dtls13 --enable-ocspstapling --enable-ocspstapling2
--enable-cert-setup-cb --enable-sessioncerts',
'--enable-dtls --enable-dtls13 --enable-tls13
CPPFLAGS=-DWOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC',
'--disable-sni --disable-ecc --disable-tls13 --disable-secure-renegotiation-info',
'CPPFLAGS=-DWOLFSSL_BLIND_PRIVATE_KEY',
'--enable-all --enable-certgencache',
'--enable-sessionexport --enable-dtls --enable-dtls13',
'--enable-sessionexport',
'--disable-examples CPPFLAGS=-DWOLFSSL_NO_MALLOC',
'CPPFLAGS=-DNO_WOLFSSL_CLIENT',
'CPPFLAGS=-DNO_WOLFSSL_SERVER',
'CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
'CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
'CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
'--enable-all CPPFLAGS=-DNO_WOLFSSL_CLIENT',
'--enable-all CPPFLAGS=-DNO_WOLFSSL_SERVER',
'--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ${{ matrix.os }}
# This should be a safe limit for the tests to run.
timeout-minutes: 14
@@ -30,19 +91,20 @@ jobs:
- name: Build and test wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
configure: ${{ matrix.config }}
configure: CFLAGS="-pedantic -Wno-overlength-strings -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" ${{ matrix.config }}
check: true
make_user_settings:
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest, macos-latest ]
os: [ ubuntu-24.04, macos-latest ]
user-settings: [
# Add new user_settings.h here
'examples/configs/user_settings_all.h',
]
name: make user_setting.h
if: github.repository_owner == 'wolfssl'
runs-on: ${{ matrix.os }}
# This should be a safe limit for the tests to run.
timeout-minutes: 14
@@ -58,14 +120,29 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest, macos-latest ]
os: [ ubuntu-24.04, macos-latest ]
user-settings: [
# Add new user_settings.h here
# Add new user_settings.h here (alphabetical order)
'examples/configs/user_settings_ca.h',
'examples/configs/user_settings_dtls13.h',
'examples/configs/user_settings_EBSnet.h',
'examples/configs/user_settings_eccnonblock.h',
'examples/configs/user_settings_min_ecc.h',
'examples/configs/user_settings_openssl_compat.h',
'examples/configs/user_settings_pkcs7.h',
'examples/configs/user_settings_rsa_only.h',
'examples/configs/user_settings_template.h',
'examples/configs/user_settings_tls12.h',
'examples/configs/user_settings_tls13.h',
'examples/configs/user_settings_wolfboot_keytools.h',
'examples/configs/user_settings_wolfssh.h',
'examples/configs/user_settings_wolftpm.h',
# Not included (require special setup):
# - user_settings_pq.h: Requires --enable-experimental
# - user_settings_baremetal.h: Requires static memory, custom platform
]
name: make user_setting.h (testwolfcrypt only)
if: github.repository_owner == 'wolfssl'
runs-on: ${{ matrix.os }}
# This should be a safe limit for the tests to run.
timeout-minutes: 14
@@ -85,13 +162,14 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest, macos-latest ]
os: [ ubuntu-24.04, macos-latest ]
name: make user_setting.h (with sed)
if: github.repository_owner == 'wolfssl'
runs-on: ${{ matrix.os }}
# This should be a safe limit for the tests to run.
timeout-minutes: 14
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- if: ${{ matrix.os == 'macos-latest' }}
run: brew install automake libtool
- run: ./autogen.sh
@@ -105,7 +183,12 @@ jobs:
windows_build:
name: Windows Build Test
if: github.repository_owner == 'wolfssl'
runs-on: windows-latest
strategy:
fail-fast: false
matrix:
arch: [ x64, Win32, ARM64 ]
# This should be a safe limit for the tests to run.
timeout-minutes: 6
env:
@@ -116,12 +199,11 @@ jobs:
# You can convert this to a build matrix if you need coverage of multiple configuration types.
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
BUILD_CONFIGURATION: Release
BUILD_PLATFORM: x64
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1
uses: microsoft/setup-msbuild@v2
- name: Restore NuGet packages
working-directory: ${{env.GITHUB_WORKSPACE}}
@@ -131,8 +213,9 @@ jobs:
working-directory: ${{env.GITHUB_WORKSPACE}}
# Add additional options to the MSBuild command line here (like platform or verbosity level).
# See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{env.BUILD_PLATFORM}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{matrix.arch}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
- name: Run Test
- if: ${{ matrix.arch != 'ARM64' }}
name: Run Test
working-directory: ${{env.GITHUB_WORKSPACE}}
run: Release/x64/testsuite.exe
run: Release/${{matrix.arch}}/testsuite.exe

View File

@@ -1,17 +1,27 @@
name: Packaging Tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Package wolfSSL
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
- name: Checkout wolfSSL
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Configure wolfSSL
run: |
@@ -28,18 +38,20 @@ jobs:
- name: Build wolfSSL .deb
run: make deb-docker
- name: Build wolfSSL .rpm
run: make rpm-docker
# disabled 20240919 -- broken target.
# - name: Build wolfSSL .rpm
# run: make rpm-docker
- name: Confirm packages built
run: |
DEB_COUNT=$(find -name 'libwolfssl*.deb' | wc -l)
if [ "$DEB_COUNT" != "2" ]; then
echo Did not find exactly two deb packages!!!
exit 1
fi
RPM_COUNT=$(find -name 'wolfssl*.rpm' | wc -l)
if [ "$RPM_COUNT" != "4" ]; then
echo Did not find exactly four rpm packages!!!
if [ "$DEB_COUNT" != "3" ]; then
echo Did not find exactly three deb packages!!!
exit 1
fi
# disabled 20240919 -- broken target.
# RPM_COUNT=$(find -name 'wolfssl*.rpm' | wc -l)
# if [ "$RPM_COUNT" != "4" ]; then
# echo Did not find exactly four rpm packages!!!
# exit 1
# fi

92
.github/workflows/pam-ipmi.yml vendored Normal file
View File

@@ -0,0 +1,92 @@
name: pam-ipmi Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all
install: true
# Don't run tests as this config is tested in many other places
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-pam-ipmi
path: build-dir.tgz
retention-days: 5
build_pam-ipmi:
strategy:
fail-fast: false
matrix:
git_ref: [ e4b13e6725abb178f62ee897fe1c0e81b06a9431 ]
name: ${{ matrix.git_ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
needs: build_wolfssl
steps:
- name: Install dependencies
run: |
# Don't prompt for anything
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install libpam-dev ninja-build meson
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-pam-ipmi
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout pam-ipmi
uses: actions/checkout@v4
with:
repository: openbmc/pam-ipmi
path: pam-ipmi
ref: ${{ matrix.git_ref }}
- name: Build pam-ipmi
working-directory: pam-ipmi
run: |
patch -p1 < ../osp/pam-ipmi/*-${{ matrix.git_ref }}.patch
PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig meson setup build
ninja -C build
- name: Confirm built with wolfSSL
working-directory: pam-ipmi
run: |
ldd ./build/src/pam_ipmisave/pam_ipmisave.so | grep wolfssl

57
.github/workflows/pq-all.yml vendored Normal file
View File

@@ -0,0 +1,57 @@
name: Quantum Resistant Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
matrix:
config: [
# Add new configs here
'--enable-intelasm --enable-sp-asm --enable-mlkem=yes,kyber,ml-kem CPPFLAGS="-DWOLFSSL_ML_KEM_USE_OLD_IDS"',
'--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
'--enable-smallstack --enable-smallstackcache --enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
'--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++',
'--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_BLIND_PRIVATE_KEY"',
'--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_BLIND_PRIVATE_KEY"',
'--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ"',
'--disable-intelasm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"',
'--disable-intelasm --enable-smallstack --enable-smallstackcache --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"',
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test wolfSSL
run: |
./autogen.sh
./configure ${{ matrix.config }}
make -j 4
make check
- name: Print errors
if: ${{ failure() }}
run: |
for file in scripts/*.log
do
if [ -f "$file" ]; then
echo "${file}:"
cat "$file"
echo "========================================================================"
fi
done

51
.github/workflows/psk.yml vendored Normal file
View File

@@ -0,0 +1,51 @@
name: PSK Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
matrix:
config: [
# Add new configs here
'--enable-psk C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --disable-rsa --disable-ecc --disable-dh',
'--disable-oldtls --disable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all',
'--disable-oldtls --disable-tlsv12 --enable-tls13 --enable-psk -disable-rsa --disable-dh -disable-ecc --disable-asn C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK --enable-lowresource --enable-singlethreaded --disable-asm --disable-errorstrings --disable-pkcs12 --disable-sha3 --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha --disable-md5 -disable-aescbc --disable-chacha --disable-poly1305 --disable-coding --disable-sp-math-all'
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test wolfSSL
run: |
./autogen.sh
./configure ${{ matrix.config }}
make -j 4
make check
- name: Print errors
if: ${{ failure() }}
run: |
for file in scripts/*.log
do
if [ -f "$file" ]; then
echo "${file}:"
cat "$file"
echo "========================================================================"
fi
done

271
.github/workflows/renode-stm32h753.yml vendored Normal file
View File

@@ -0,0 +1,271 @@
name: Renode STM32H753 Test
# Platform-specific configuration
# To add a new platform, create a new workflow file based on this template
# and update these variables for the target MCU
env:
PLATFORM_NAME: stm32h753
PLATFORM_DISPLAY_NAME: STM32H753
CMSIS_DEVICE_REPO: cmsis-device-h7
CMSIS_DEVICE_PATH: /opt/cmsis-device-h7
CMSIS_DEVICE_CACHE_KEY: cmsis-device-h7-v1
STM32CUBE_REPO: STM32CubeH7
STM32CUBE_BRANCH: v1.11.2
STM32CUBE_PATH: /opt/STM32CubeH7
STM32CUBE_CACHE_KEY: stm32cubeh7-v1.11.2-v1
HAL_CONFIG_FILE: stm32h7xx_hal_conf.h
HAL_DRIVER_INC_PATH: STM32H7xx_HAL_Driver/Inc
HAL_DRIVER_SRC_PATH: STM32H7xx_HAL_Driver/Src
RENODE_PLATFORM_NAME: stm32h753
RENODE_REPL_PATH: platforms/cpus/stm32h753.repl
RENODE_TEST_DIR: .github/renode-test/stm32h753
on:
push:
branches: [ main, master, develop ]
pull_request:
branches: [ main, master, develop ]
workflow_dispatch:
jobs:
test:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- name: Checkout wolfSSL
uses: actions/checkout@v4
- name: Set up build environment
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
cmake \
ninja-build \
python3 \
git \
gcc-arm-none-eabi \
libnewlib-arm-none-eabi \
libstdc++-arm-none-eabi-newlib \
wget \
unzip
- name: Cache CMSIS Device
id: cache-cmsis-device
uses: actions/cache@v4
with:
path: ${{ env.CMSIS_DEVICE_PATH }}
key: ${{ env.CMSIS_DEVICE_CACHE_KEY }}
restore-keys: |
${{ env.CMSIS_DEVICE_CACHE_KEY }}-
- name: Cache CMSIS 5
id: cache-cmsis-5
uses: actions/cache@v4
with:
path: /opt/CMSIS_5
key: cmsis-5-v1
restore-keys: |
cmsis-5-
- name: Cache STM32Cube
id: cache-stm32cube
uses: actions/cache@v4
with:
path: ${{ env.STM32CUBE_PATH }}
key: ${{ env.STM32CUBE_CACHE_KEY }}
restore-keys: |
${{ env.STM32CUBE_CACHE_KEY }}-
- name: Cache Renode
id: cache-renode
uses: actions/cache@v4
with:
path: /opt/renode
key: renode-1.15.3-v1
restore-keys: |
renode-1.15.3-
- name: Install Renode dependencies
run: |
# Install Mono and other dependencies needed for Renode (always needed, even when cached)
sudo apt-get install -y --no-install-recommends \
mono-runtime \
libmono-cil-dev \
screen \
policykit-1 || true
- name: Install Renode (if not cached)
if: steps.cache-renode.outputs.cache-hit != 'true'
run: |
# Install Renode by extracting .deb (avoids GUI dependency issues for headless use)
cd /tmp
wget -q https://github.com/renode/renode/releases/download/v1.15.3/renode_1.15.3_amd64.deb
# Extract the .deb file
dpkg-deb -x renode_1.15.3_amd64.deb /tmp/renode-extract
# Copy Renode files to system locations
sudo mkdir -p /opt/renode
sudo cp -r /tmp/renode-extract/opt/renode/* /opt/renode/ || true
sudo cp -r /tmp/renode-extract/usr/* /usr/ || true
# Create symlink for easy access
if [ -f /opt/renode/renode ]; then
sudo ln -sf /opt/renode/renode /usr/local/bin/renode
elif [ -f /usr/bin/renode ]; then
echo "Renode already in PATH at /usr/bin/renode"
fi
# Cleanup
rm -rf /tmp/renode-extract renode_1.15.3_amd64.deb
- name: Setup Renode symlinks and permissions
run: |
# When Renode is cached, we need to recreate /usr/bin/renode wrapper script
# The /usr/bin/renode is a wrapper that checks Mono and calls /opt/renode/bin/Renode.exe
if [ -d /opt/renode ] && [ ! -x /usr/bin/renode ]; then
echo "Renode cached but /usr/bin/renode wrapper missing, recreating..."
# Create the wrapper script
sudo bash -c 'cat > /usr/bin/renode << '\''SCRIPT_EOF'\''
#!/bin/sh
MONOVERSION=5.20
REQUIRED_MAJOR=5
REQUIRED_MINOR=20
LAUNCHER=mono
if ! [ -x "$(command -v $LAUNCHER)" ]
then
echo "$LAUNCHER not found. Renode requires Mono $MONOVERSION or newer. Please refer to documentation for installation instructions. Exiting!"
exit 1
fi
# Check installed mono version
INSTALLED_MONO=`$LAUNCHER --version | head -n1 | cut -d'\'' '\'' -f5`
INSTALLED_MONO_MAJOR=`echo $INSTALLED_MONO | cut -d'\''.'\'' -f1`
INSTALLED_MONO_MINOR=`echo $INSTALLED_MONO | cut -d'\''.'\'' -f2`
if [ $INSTALLED_MONO_MAJOR -lt $REQUIRED_MAJOR ] || [ $INSTALLED_MONO_MAJOR -eq $REQUIRED_MAJOR -a $INSTALLED_MONO_MINOR -lt $REQUIRED_MINOR ]
then
echo "Wrong Mono version detected: $INSTALLED_MONO. Renode requires Mono $MONOVERSION or newer. Please refer to documentation for installation instructions. Exiting!"
exit 1
fi
exec $LAUNCHER $MONO_OPTIONS /opt/renode/bin/Renode.exe "$@"
SCRIPT_EOF'
sudo chmod +x /usr/bin/renode
echo "Created /usr/bin/renode wrapper script"
fi
# Also ensure /usr/local/bin/renode symlink exists
if [ -x /usr/bin/renode ] && [ ! -x /usr/local/bin/renode ]; then
sudo ln -sf /usr/bin/renode /usr/local/bin/renode
echo "Created symlink: /usr/local/bin/renode -> /usr/bin/renode"
fi
- name: Verify Renode installation
run: |
# Verify Renode is installed and accessible
RENODE_FOUND=false
RENODE_BIN=""
# Check various possible locations
for path in /opt/renode/renode /opt/renode/bin/renode /usr/local/bin/renode /usr/bin/renode; do
if [ -x "$path" ]; then
echo "Renode found at $path"
"$path" --version || true
RENODE_BIN="$path"
RENODE_FOUND=true
break
fi
done
if [ "$RENODE_FOUND" != "true" ]; then
echo "ERROR: Renode binary not found or not executable!"
echo "Searching for renode..."
find /opt /usr -name renode -type f 2>/dev/null | head -10 || true
echo "Checking /opt/renode contents:"
ls -la /opt/renode/ 2>/dev/null | head -10 || true
if [ -d /opt/renode ]; then
echo "Checking /opt/renode subdirectories:"
find /opt/renode -type f -name "*renode*" 2>/dev/null | head -10 || true
fi
exit 1
fi
- name: Clone CMSIS Device (if not cached)
if: steps.cache-cmsis-device.outputs.cache-hit != 'true'
run: |
sudo mkdir -p /opt
sudo git clone --depth 1 https://github.com/STMicroelectronics/${{ env.CMSIS_DEVICE_REPO }}.git ${{ env.CMSIS_DEVICE_PATH }}
- name: Clone CMSIS 5 (if not cached)
if: steps.cache-cmsis-5.outputs.cache-hit != 'true'
run: |
sudo mkdir -p /opt
sudo git clone --depth 1 https://github.com/ARM-software/CMSIS_5.git /opt/CMSIS_5
- name: Clone STM32Cube (if not cached)
if: steps.cache-stm32cube.outputs.cache-hit != 'true'
run: |
sudo mkdir -p /opt
sudo git clone --depth 1 --branch ${{ env.STM32CUBE_BRANCH }} --recurse-submodules https://github.com/STMicroelectronics/${{ env.STM32CUBE_REPO }}.git ${{ env.STM32CUBE_PATH }} || \
(sudo git clone --depth 1 --branch ${{ env.STM32CUBE_BRANCH }} https://github.com/STMicroelectronics/${{ env.STM32CUBE_REPO }}.git ${{ env.STM32CUBE_PATH }} && \
cd ${{ env.STM32CUBE_PATH }} && sudo git submodule update --init --recursive --depth 1)
- name: Setup firmware build directory and helper files
run: |
sudo mkdir -p /opt/firmware
# Copy helper files from repository
sudo cp -r ${{ github.workspace }}/${{ env.RENODE_TEST_DIR }}/* /opt/firmware/
# Copy HAL config to STM32Cube directory
sudo cp /opt/firmware/${{ env.HAL_CONFIG_FILE }} ${{ env.STM32CUBE_PATH }}/Drivers/${{ env.HAL_DRIVER_INC_PATH }}/ 2>/dev/null || true
sudo chmod +x /opt/firmware/entrypoint.sh
# Create .renode-root file so Renode can find platform files
# Try to find Renode installation directory and create .renode-root with proper permissions
if [ -d "/opt/renode/platforms" ]; then
echo "/opt/renode" | sudo tee /opt/firmware/.renode-root > /dev/null
sudo chmod 644 /opt/firmware/.renode-root
elif [ -d "/usr/lib/renode/platforms" ]; then
echo "/usr/lib/renode" | sudo tee /opt/firmware/.renode-root > /dev/null
sudo chmod 644 /opt/firmware/.renode-root
elif [ -d "/usr/share/renode/platforms" ]; then
echo "/usr/share/renode" | sudo tee /opt/firmware/.renode-root > /dev/null
sudo chmod 644 /opt/firmware/.renode-root
fi
- name: Build wolfSSL firmware (NOT CACHED - rebuilds on every run)
env:
WOLFSSL_ROOT: /opt/wolfssl
run: |
# Copy wolfSSL source (this is NOT cached - fresh checkout each time)
sudo cp -r ${{ github.workspace }} /opt/wolfssl
# Build with CMake
cd /opt/firmware
sudo cmake -G Ninja \
-DWOLFSSL_USER_SETTINGS=ON \
-DUSER_SETTINGS_FILE=/opt/firmware/user_settings.h \
-DCMAKE_TOOLCHAIN_FILE=/opt/firmware/toolchain-arm-none-eabi.cmake \
-DCMAKE_BUILD_TYPE=Release \
-DWOLFSSL_CRYPT_TESTS=OFF \
-DWOLFSSL_EXAMPLES=OFF \
-B /opt/firmware/build \
-S /opt/firmware
sudo cmake --build /opt/firmware/build
# Verify ELF file was created and copy it to expected location
if [ -f "/opt/firmware/build/wolfcrypt_test.elf" ]; then
sudo cp /opt/firmware/build/wolfcrypt_test.elf /opt/firmware/wolfcrypt_test.elf
echo "ELF file copied to /opt/firmware/wolfcrypt_test.elf"
ls -lh /opt/firmware/wolfcrypt_test.elf
else
echo "ERROR: ELF file not found at /opt/firmware/build/wolfcrypt_test.elf"
echo "Searching for ELF files..."
find /opt/firmware/build -name "*.elf" 2>/dev/null || true
exit 1
fi
- name: Run Renode test
run: |
# Ensure PATH includes standard binary locations for sudo
sudo env PATH="$PATH" /opt/firmware/entrypoint.sh

116
.github/workflows/rng-tools.yml vendored Normal file
View File

@@ -0,0 +1,116 @@
name: rng-tools Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all
install: true
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-rng-tools
path: build-dir.tgz
retention-days: 5
rng-tools_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
ref: [ 6.16 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
needs: build_wolfssl
steps:
- name: Install dependencies
run: |
# Don't prompt for anything
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y libcurl4-openssl-dev libjansson-dev libp11-dev librtlsdr-dev libcap-dev
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-rng-tools
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout jitterentropy-library
uses: actions/checkout@v4
with:
repository: smuellerDD/jitterentropy-library
path: jitterentropy-library
ref: v3.5.0
- name: Build jitterentropy-library
working-directory: jitterentropy-library
run: make -j
- name: Build rng-tools
uses: wolfSSL/actions-build-autotools-project@v1
with:
repository: nhorman/rng-tools
ref: v${{ matrix.ref }}
path: rng-tools
patch-file: $GITHUB_WORKSPACE/osp/rng-tools/${{ matrix.ref }}.patch
configure: --without-pkcs11 --enable-jitterentropy=$GITHUB_WORKSPACE/jitterentropy-library --with-wolfssl=$GITHUB_WORKSPACE/build-dir
check: false
- name: Testing rng-tools
id: testing
working-directory: rng-tools
run: |
# Retry up to five times
for i in {1..5}; do
TEST_RES=0
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib RNGD_JITTER_TIMEOUT=100 make check || TEST_RES=$?
if [ "$TEST_RES" -eq "0" ]; then
break
fi
done
if [ "$TEST_RES" -ne "0" ]; then
exit $TEST_RES
fi
- name: Print logs
if: ${{ failure() && steps.testing.outcome == 'failure' }}
working-directory: rng-tools/tests
run: cat test-suite.log

74
.github/workflows/rust-wrapper.yml vendored Normal file
View File

@@ -0,0 +1,74 @@
name: Build Rust Wrapper
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL Rust Wrapper
if: github.repository_owner == 'wolfssl'
runs-on: ${{ matrix.os }}
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: ${{ matrix.config }}
- name: Build Rust Wrapper
working-directory: wolfssl
run: make -C wrapper/rust
- name: Run Rust Wrapper Tests
working-directory: wolfssl
run: make -C wrapper/rust test
strategy:
matrix:
os: [ ubuntu-24.04, ubuntu-24.04-arm ]
config: [
# Add new configs here
'',
'--enable-all',
'--enable-cryptonly --disable-examples',
'--enable-cryptonly --disable-examples --disable-aes --disable-aesgcm',
'--enable-cryptonly --disable-examples --disable-aescbc',
'--enable-cryptonly --disable-examples --disable-aeseax',
'--enable-cryptonly --disable-examples --disable-aesecb',
'--enable-cryptonly --disable-examples --disable-aesccm',
'--enable-cryptonly --disable-examples --disable-aescfb',
'--enable-cryptonly --disable-examples --disable-aesctr',
'--enable-cryptonly --disable-examples --disable-aescts',
'--enable-cryptonly --disable-examples --disable-aesgcm',
'--enable-cryptonly --disable-examples --disable-aesgcm-stream',
'--enable-cryptonly --disable-examples --disable-aesofb',
'--enable-cryptonly --disable-examples --disable-aesxts',
'--enable-cryptonly --disable-examples --disable-cmac',
'--enable-cryptonly --disable-examples --disable-dh',
'--enable-cryptonly --disable-examples --disable-ecc',
'--enable-cryptonly --disable-examples --disable-ed25519',
'--enable-cryptonly --disable-examples --disable-ed25519-stream',
'--enable-cryptonly --disable-examples --disable-ed448',
'--enable-cryptonly --disable-examples --disable-ed448-stream',
'--enable-cryptonly --disable-examples --disable-hkdf',
'--enable-cryptonly --disable-examples --disable-hmac',
'--enable-cryptonly --disable-examples --disable-rng',
'--enable-cryptonly --disable-examples --disable-rsa',
'--enable-cryptonly --disable-examples --disable-rsapss',
'--enable-cryptonly --disable-examples --disable-sha224',
'--enable-cryptonly --disable-examples --disable-sha3',
'--enable-cryptonly --disable-examples --disable-sha384',
'--enable-cryptonly --disable-examples --disable-sha512',
'--enable-cryptonly --disable-examples --disable-shake128',
'--enable-cryptonly --disable-examples --disable-shake256',
'--enable-cryptonly --disable-examples --disable-srtp-kdf',
'--enable-cryptonly --disable-examples --disable-x963kdf',
]

53
.github/workflows/smallStackSize.yml vendored Normal file
View File

@@ -0,0 +1,53 @@
name: Stack Size warnings
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_library:
strategy:
matrix:
config: [
# defaults, noasm
'--disable-asm',
# defaults + native PQ, no asm
'--disable-asm --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium',
# all-crypto + native PQ, no asm
'--disable-asm --enable-all-crypto --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium',
# defaults, intelasm + sp-asm
'--enable-intelasm --enable-sp-asm',
# defaults + native PQ, intelasm + sp-asm
'--enable-intelasm --enable-sp-asm --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium',
# all-crypto + native PQ, intelasm + sp-asm
'--enable-intelasm --enable-sp-asm --enable-all-crypto --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium'
]
name: build library
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Build wolfCrypt with smallstack and stack depth warnings, and run testwolfcrypt
run: |
./autogen.sh || $(exit 2)
echo "running ./configure ... ${{ matrix.config }}"
./configure --enable-cryptonly --disable-cryptocb --disable-testcert --enable-smallstack --enable-smallstackcache --enable-crypttests --disable-benchmark --disable-examples --with-max-rsa-bits=16384 --enable-stacksize=verbose CFLAGS="-Wframe-larger-than=2048 -Wstack-usage=4096 -DWOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES=8192 -DTEST_ALWAYS_RUN_TO_END" ${{ matrix.config }} || $(exit 3)
make -j 4 || $(exit 4)
./wolfcrypt/test/testwolfcrypt

81
.github/workflows/socat.yml vendored Normal file
View File

@@ -0,0 +1,81 @@
name: socat Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-maxfragment --enable-opensslall --enable-opensslextra --enable-dtls --enable-oldtls --enable-tlsv10 --enable-ipv6 'CPPFLAGS=-DWOLFSSL_NO_DTLS_SIZE_CHECK -DOPENSSL_COMPATIBLE_DEFAULTS'
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-socat
path: build-dir.tgz
retention-days: 5
socat_check:
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 30
needs: build_wolfssl
steps:
- name: Install prereqs
run:
sudo apt-get install build-essential autoconf libtool pkg-config clang libc++-dev
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-socat
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Download socat
run: curl -O http://www.dest-unreach.org/socat/download/socat-1.8.0.0.tar.gz && tar xvf socat-1.8.0.0.tar.gz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Build socat
working-directory: ./socat-1.8.0.0
run: |
patch -p1 < ../osp/socat/1.8.0.0/socat-1.8.0.0.patch
autoreconf -vfi
./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --enable-default-ipv=4
make
- name: Run socat tests
working-directory: ./socat-1.8.0.0
run: |
export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
export SHELL=/bin/bash
SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh -t 0.5 --expect-fail 36,64,146,214,216,217,309,310,386,399,402,403,459,460,467,468,475,478,492,528,530

94
.github/workflows/softhsm.yml vendored Normal file
View File

@@ -0,0 +1,94 @@
name: SoftHSMv2 Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all CFLAGS=-DRSA_MIN_SIZE=1024
install: true
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-softhsm
path: build-dir.tgz
retention-days: 5
softhsm_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
ref: [ 2.6.1 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 20
needs: build_wolfssl
steps:
- name: Install dependencies
run: |
# Don't prompt for anything
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y libcppunit-dev
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-softhsm
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Checkout SoftHSMv2
uses: actions/checkout@v4
with:
repository: opendnssec/SoftHSMv2
path: softhsm
ref: ${{ matrix.ref }}
# Not using wolfSSL/actions-build-autotools-project@v1 because autogen.sh doesn't work
- name: Build softhsm
working-directory: softhsm
run: |
patch -p1 < $GITHUB_WORKSPACE/osp/softhsm/${{ matrix.ref }}.patch
autoreconf -if
./configure --with-crypto-backend=wolfssl WOLFSSL_INSTALL_DIR=$GITHUB_WORKSPACE/build-dir
make -j
- name: Test softhsm
working-directory: softhsm
run: make -j check

99
.github/workflows/sssd.yml vendored Normal file
View File

@@ -0,0 +1,99 @@
name: sssd Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
if: github.repository_owner == 'wolfssl'
name: Build wolfSSL
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-all CFLAGS=-DWOLFSSL_NO_ASN_STRICT
install: true
check: false
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-sssd
path: build-dir.tgz
retention-days: 5
sssd_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
ref: [ 2.9.1 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
container:
image: quay.io/sssd/ci-client-devel:ubuntu-latest
env:
LD_LIBRARY_PATH: /usr/local/lib
# This should be a safe limit for the tests to run.
timeout-minutes: 20
needs: build_wolfssl
steps:
- name: Install dependencies
run: |
# Don't prompt for anything
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y build-essential autoconf libldb-dev libldb2 python3-ldb bc
- name: Setup env
run: |
ln -s samba-4.0/ldb.h /usr/include/ldb.h
ln -s samba-4.0/ldb_errors.h /usr/include/ldb_errors.h
ln -s samba-4.0/ldb_handlers.h /usr/include/ldb_handlers.h
ln -s samba-4.0/ldb_module.h /usr/include/ldb_module.h
ln -s samba-4.0/ldb_version.h /usr/include/ldb_version.h
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-sssd
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp
- name: Build and test sssd
uses: wolfSSL/actions-build-autotools-project@v1
with:
repository: SSSD/sssd
ref: ${{ matrix.ref }}
path: sssd
patch-file: $GITHUB_WORKSPACE/osp/sssd/${{ matrix.ref }}.patch
configure: >-
--without-samba --without-nfsv4-idmapd-plugin --with-oidc-child=no
--without-manpages WOLFSSL_INSTALL_DIR=$GITHUB_WORKSPACE/build-dir
check: true

View File

@@ -1,13 +1,23 @@
name: stunnel Tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
@@ -18,12 +28,15 @@ jobs:
configure: --enable-stunnel
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: wolf-install-stunnel
path: build-dir
retention-days: 1
path: build-dir.tgz
retention-days: 5
stunnel_check:
strategy:
@@ -32,19 +45,22 @@ jobs:
# List of releases to test
ref: [ 5.67 ]
name: ${{ matrix.ref }}
runs-on: ubuntu-latest
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: wolf-install-stunnel
path: build-dir
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Checkout OSP
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
repository: wolfssl/osp
path: osp

70
.github/workflows/symbol-prefixes.yml vendored Normal file
View File

@@ -0,0 +1,70 @@
name: WOLFSSL_API_PREFIX_MAP
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_and_analyze:
strategy:
matrix:
config: [
'--enable-all --enable-mlkem --enable-mldsa --enable-xmss --enable-lms --enable-acert --with-sys-crypto-policy CFLAGS=-DWOLFSSL_API_PREFIX_MAP'
]
name: make and analyze
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test --enable-opensslcoexist and TEST_OPENSSL_COEXIST
run: |
./autogen.sh || $(exit 2)
./configure ${{ matrix.config }} || $(exit 3)
make -j 4 || $(exit 4)
# ignore properly prefixed symbols, and symbols associated with asm implementations (all internal) regardless of prefix:
readelf --symbols --wide src/.libs/libwolfssl.so | \
awk '
BEGIN {
total_public_symbols = 0;
unprefixed_public_symbols = 0;
}
{
if (($5 == "GLOBAL") && ($6 != "HIDDEN") && ($7 ~ /^[0-9]+$/)) {
++total_public_symbols;
}
}
{
if (($7 !~ /^[0-9]+$/) ||
($8 ~ /^(wc_|wolf|WOLF|__pfx|fe_|sp_[a-zA-Z090-0_]*[0-9])/) ||
($8 ~ /(_avx[12]|_AVX[12]|_sse[12]|_SSE[12]|_aesni|_AESNI|_bmi2|_x64$)/))
{
next;
}
}
{
if (($4 == "FUNC") && ($5 == "GLOBAL") && ($6 == "DEFAULT")) {
++unprefixed_public_symbols;
print;
}
}
END {
if (unprefixed_public_symbols) {
print unprefixed_public_symbols " unprefixed public symbols found, of " total_public_symbols " total." >"/dev/stderr";
exit(1);
} else {
print total_public_symbols " public symbols found in libwolfssl, all OK.";
exit(0);
}
}' || $(exit 5)

57
.github/workflows/threadx.yml vendored Normal file
View File

@@ -0,0 +1,57 @@
name: ThreadXBuild Test
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
jobs:
build:
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- name: Cache NetXDuo bundle
id: cache-netxduo
uses: actions/cache@v3
with:
path: ./v6.4.3_rel.tar.gz
key: netxduo-bundle-v6.4.3_rel
- name: Download NetXDuo bundle if not cached
if: steps.cache-netxduo.outputs.cache-hit != 'true'
run: |
wget https://github.com/eclipse-threadx/netxduo/archive/refs/tags/v6.4.3_rel.tar.gz
- name: Extract NetXDuo bundle
run: |
mkdir -p netxduo_src
tar -xzf v6.4.3_rel.tar.gz -C netxduo_src --strip-components=1
- name: Install NetXDuo Dependencies
working-directory: ./netxduo_src
run: |
./scripts/install.sh
- name: Configure NetX with DNS Client Support
working-directory: ./netxduo_src
run: |
cp addons/dns/nxd_dns.h ./common/inc/
cp addons/dns/nxd_dns.c ./common/src/
- name: Build NetXDuo with DNS Support
working-directory: ./netxduo_src
run: |
rm -rf test/cmake/threadx
rm -rf test/cmake/filex
./scripts/build_nxd64.sh
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-enckeys --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-DTHREADX -DHAVE_NETX -DWOLFSSL_USER_IO -I${{ github.workspace }}/netxduo_src/common/inc -I${{ github.workspace }}/netxduo_src/ports/linux/gnu/inc -I${{ github.workspace }}/netxduo_src/test/cmake/netxduo64/build/libs/inc" LDFLAGS="-L${{ github.workspace }}/netxduo_src/test/cmake/netxduo64/build/default_build_coverage/netxduo -L${{ github.workspace }}/netxduo_src/test/cmake/netxduo64/build/libs/threadx" LIBS="-lnetxduo -lthreadx"
install: false

60
.github/workflows/trackmemory.yml vendored Normal file
View File

@@ -0,0 +1,60 @@
name: WOLFSSL_TRACK_MEMORY Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
make_check:
strategy:
matrix:
config: [
# Add new configs here
'--enable-all CFLAGS="-DWC_RNG_SEED_CB -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY"',
'--enable-smallstack --enable-all CFLAGS="-DWC_RNG_SEED_CB -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY"',
'--enable-smallstackcache --enable-smallstack --enable-all CFLAGS="-DWC_RNG_SEED_CB -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY"',
# Note the below smallstackcache tests are crucial coverage for the Linux kernel
# module, when targeting a kernel with the randomness patch (linuxkm/patches/)
# applied.
#
# Note, don't combine wolfEntropy with the full TLS cipher suite test -- the implicit wc_InitRng()s in each suite have an enormous CPU footprint.
'--enable-wolfEntropy --enable-smallstackcache --enable-smallstack --enable-all CFLAGS="-DWC_RNG_SEED_CB -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY -DNO_WOLFSSL_CIPHER_SUITE_TEST"',
'--enable-intelrdseed --enable-smallstackcache --enable-smallstack --enable-all CFLAGS="-DWC_RNG_SEED_CB -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY -DNO_WOLFSSL_CIPHER_SUITE_TEST"',
'--enable-amdrand --enable-smallstackcache --enable-smallstack --enable-all CFLAGS="-DWC_RNG_SEED_CB -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY -DNO_WOLFSSL_CIPHER_SUITE_TEST"',
'--disable-asm --enable-wolfEntropy --enable-smallstackcache --enable-smallstack --enable-all CFLAGS="-DWC_RNG_SEED_CB -DWOLFSSL_TRACK_MEMORY -DWOLFSSL_DEBUG_MEMORY -DNO_WOLFSSL_CIPHER_SUITE_TEST"'
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: Test wolfSSL
run: |
./autogen.sh
./configure ${{ matrix.config }}
make -j 4
make check
- name: Print errors
if: ${{ failure() }}
run: |
for file in scripts/*.log
do
if [ -f "$file" ]; then
echo "${file}:"
cat "$file"
echo "========================================================================"
fi
done

88
.github/workflows/watcomc.yml vendored Normal file
View File

@@ -0,0 +1,88 @@
name: Build Watcom C
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
wolfssl_watcomc_windows:
if: github.repository_owner == 'wolfssl'
strategy:
fail-fast: false
matrix:
common:
- cmake: '-G "Watcom WMake" -DCMAKE_VERBOSE_MAKEFILE=TRUE -DWOLFSSL_ASM=no -DWOLFSSL_EXAMPLES=no -DWOLFSSL_CRYPT_TESTS=no'
platform:
- title: 'Windows OW 2.0'
system: 'Windows'
image: 'windows-latest'
owimage: '2.0'
id: 'win32ow20'
cmake: '-DCMAKE_SYSTEM_NAME=Windows -DCMAKE_SYSTEM_PROCESSOR=x86'
- title: 'Linux OW 2.0'
system: 'Linux'
image: 'ubuntu-latest'
owimage: '2.0'
id: 'linuxow20'
cmake: '-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_SYSTEM_PROCESSOR=x86'
- title: 'OS/2 OW 2.0'
system: 'OS2'
image: 'windows-latest'
owimage: '2.0'
id: 'os2ow20'
cmake: '-DCMAKE_SYSTEM_NAME=OS2 -DCMAKE_SYSTEM_PROCESSOR=x86'
thread:
- id: 'multi'
cmake: ''
owcmake: '-DCMAKE_POLICY_DEFAULT_CMP0136=NEW -DCMAKE_WATCOM_RUNTIME_LIBRARY=MultiThreaded'
- id: 'single'
cmake: '-DWOLFSSL_SINGLE_THREADED=yes'
owcmake: '-DCMAKE_POLICY_DEFAULT_CMP0136=NEW -DCMAKE_WATCOM_RUNTIME_LIBRARY=SingleThreaded'
library:
- id: 'dll'
cmake: ''
owcmake: 'DLL'
- id: 'static'
cmake: '-DBUILD_SHARED_LIBS=no'
owcmake: ''
exclude:
- { platform: { system: 'Linux' }, library: { id: 'dll' } }
runs-on: ${{ matrix.platform.image }}
name: ${{ matrix.platform.title }} (${{ matrix.thread.id }} ${{ matrix.library.id }})
steps:
- name: Setup Open Watcom ${{ matrix.platform.owimage }}
uses: open-watcom/setup-watcom@v0
with:
version: ${{ matrix.platform.owimage }}
# Currently fixed to a monthly build because of historical instability with daily releases.
# See https://github.com/wolfSSL/wolfssl/pull/9167
# Pin to monthly release as needed:
tag: 2025-11-03-Build
- name: Checkout wolfSSL
uses: actions/checkout@v4
with:
path: wolfssl
- name: Build wolfSSL
working-directory: wolfssl
shell: bash
run: |
cmake -B build ${{matrix.common.cmake}} ${{ matrix.platform.cmake }} ${{ matrix.thread.cmake }} ${{ matrix.library.cmake }} ${{ matrix.thread.owcmake }}${{ matrix.library.owcmake }}
cmake --build build
- name: Upload build errors
if: failure()
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.platform.id }}-${{ matrix.thread.id }}-${{ matrix.library.id }}
path: |
build/**

58
.github/workflows/win-csharp-test.yml vendored Normal file
View File

@@ -0,0 +1,58 @@
name: Windows CSharp Build Test
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
jobs:
build:
if: github.repository_owner == 'wolfssl'
runs-on: windows-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 6
env:
# Path to the solution file relative to the root of the project.
SOLUTION_FILE_PATH: wolfssl\wrapper\CSharp\wolfSSL_CSharp.sln
# Configuration type to build.
# You can convert this to a build matrix if you need coverage of multiple configuration types.
# https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
BUILD_CONFIGURATION: Debug
BUILD_PLATFORM: x64
steps:
- name: Pull wolfssl
uses: actions/checkout@master
with:
repository: wolfssl/wolfssl
path: wolfssl
- name: Create FIPS stub files (autogen)
working-directory: wolfssl
run: |
echo $null >> wolfcrypt\src\fips.c
echo $null >> wolfcrypt\src\fips_test.c
echo $null >> wolfcrypt\src\wolfcrypt_first.c
echo $null >> wolfcrypt\src\wolfcrypt_last.c
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1
- name: Build
working-directory: ${{env.GITHUB_WORKSPACE}}
# Add additional options to the MSBuild command line here (like platform or verbosity level).
# See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{env.BUILD_PLATFORM}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
- name: Run wolfCrypt test
working-directory: ${{env.GITHUB_WORKSPACE}}wolfssl\wrapper\CSharp\Debug\x64\
run: ./wolfCrypt-test.exe
- name: Run wolfSSL client/server example
working-directory: ${{env.GITHUB_WORKSPACE}}wolfssl\wrapper\CSharp\Debug\x64\
run: ./wolfSSL-TLS-Server.exe && sleep 1 & ./wolfSSL-TLS-Client.exe

View File

@@ -0,0 +1,48 @@
name: wolfCrypt conversion warnings
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build_library:
strategy:
matrix:
config: [
# Add new configs here
'--disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
'--enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
'--enable-smallstack --disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
'--enable-smallstack --enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
'--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128"',
'--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wdeclaration-after-statement -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion" --enable-32bit CFLAGS=-m32'
]
name: build library
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL
- name: install_multilib
run: |
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get install -y gcc-multilib
- name: Build wolfCrypt with extra type conversion warnings
run: |
./autogen.sh || $(exit 2)
echo "running ./configure ${{ matrix.config }}"
./configure ${{ matrix.config }} || $(exit 3)
make -j 4 || $(exit 4)

89
.github/workflows/xcode.yml vendored Normal file
View File

@@ -0,0 +1,89 @@
name: Xcode Build Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
build:
if: github.repository_owner == 'wolfssl'
runs-on: macos-latest
# This should be a safe limit for the tests to run.
timeout-minutes: 10
strategy:
matrix:
include:
# macOS builds
- target: wolfssl_osx
arch: arm64
config: Release
sdk: macosx
name: macOS (ARM64, Release)
- target: wolfssl_osx
arch: x86_64
config: Release
sdk: macosx
name: macOS (x86_64, Release)
- target: wolfssl_osx
arch: arm64
config: Debug
sdk: macosx
name: macOS (ARM64, Debug)
- target: wolfssl_osx
arch: x86_64
config: Debug
sdk: macosx
name: macOS (x86_64, Debug)
# Universal build (both architectures)
- target: wolfssl_osx
arch: arm64
arch2: x86_64
config: Release
sdk: macosx
name: macOS (Universal, Release)
universal: true
# tvOS builds
- target: wolfssl_tvos
arch: arm64
config: Release
sdk: appletvos
name: tvOS (ARM64, Release)
- target: wolfssl_tvos
arch: arm64
config: Release
sdk: appletvsimulator
name: tvOS Simulator (ARM64, Release)
steps:
- uses: actions/checkout@v4
- name: Build wolfSSL with Xcode (${{ matrix.name }})
working-directory: ./IDE/XCODE
run: |
if [ "${{ matrix.universal }}" == "true" ]; then
xcodebuild -project wolfssl.xcodeproj \
-target ${{ matrix.target }} \
-configuration ${{ matrix.config }} \
-arch ${{ matrix.arch }} \
-arch ${{ matrix.arch2 }} \
-sdk ${{ matrix.sdk }} \
SYMROOT=build \
OBJROOT=build \
build
else
xcodebuild -project wolfssl.xcodeproj \
-target ${{ matrix.target }} \
-configuration ${{ matrix.config }} \
-arch ${{ matrix.arch }} \
-sdk ${{ matrix.sdk }} \
SYMROOT=build \
OBJROOT=build \
build
fi

View File

@@ -1,19 +1,34 @@
name: Zephyr tests
# START OF COMMON SECTION
on:
workflow_call:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
jobs:
run_test:
name: Build and run
strategy:
fail-fast: false
matrix:
config:
- zephyr-ref: v3.4.0
zephyr-sdk: 0.16.1
runs-on: ubuntu-latest
- zephyr-ref: v3.5.0
zephyr-sdk: 0.16.3
- zephyr-ref: v2.7.4
zephyr-sdk: 0.16.3
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 15
timeout-minutes: 25
steps:
- name: Install dependencies
run: |
@@ -27,13 +42,18 @@ jobs:
make gcc gcc-multilib g++-multilib libsdl2-dev libmagic1 \
autoconf automake bison build-essential ca-certificates cargo ccache chrpath cmake \
cpio device-tree-compiler dfu-util diffstat dos2unix doxygen file flex g++ gawk gcc \
gcovr git git-core gnupg gperf gtk-sharp2 help2man iproute2 lcov libcairo2-dev \
gcovr git git-core gnupg gperf gtk-sharp3 help2man iproute2 lcov libcairo2-dev \
libglib2.0-dev libgtk2.0-0 liblocale-gettext-perl libncurses5-dev libpcap-dev \
libpopt0 libsdl1.2-dev libsdl2-dev libssl-dev libtool libtool-bin locales make \
net-tools ninja-build openssh-client parallel pkg-config python3-dev python3-pip \
python3-ply python3-setuptools python-is-python3 qemu rsync socat srecord sudo \
python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo \
texinfo unzip wget ovmf xz-utils
- name: Setup cmake version
uses: jwlawson/actions-setup-cmake@v2
with:
cmake-version: '3.25.x'
- name: Install west
run: sudo pip install west
@@ -61,30 +81,43 @@ jobs:
- name: Install zephyr SDK
run: |
wget -q https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v${{ matrix.config.zephyr-sdk }}/zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64.tar.xz
tar xf zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64.tar.xz
wget -q https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v${{ matrix.config.zephyr-sdk }}/zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64_minimal.tar.xz
tar xf zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64_minimal.tar.xz
cd zephyr-sdk-${{ matrix.config.zephyr-sdk }}
./setup.sh -h -c
./setup.sh -h -c -t x86_64-zephyr-elf
- name: Fix options for 2.7.4
if: ${{ matrix.config.zephyr-ref == 'v2.7.4' }}
working-directory: zephyr/modules/crypto/wolfssl
run: |
sed -i -e 's/CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE/CONFIG_MINIMAL_LIBC_MALLOC_ARENA_SIZE/g' $(find -name prj.conf)
- name: Run wolfssl test
id: wolfssl-test
working-directory: zephyr
run: |
./zephyr/scripts/twister --testsuite-root modules/crypto/wolfssl --test zephyr/samples/wolfssl_test/sample.crypto.wolfssl_test -vvv
./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_test/sample.crypto.wolfssl_test -vvv
rm -rf zephyr/twister-out
./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_test/sample.crypto.wolfssl_test_no_malloc -vvv
rm -rf zephyr/twister-out
- name: Run wolfssl TLS sock test
# Results in a page fault that I can't trace
if: ${{ matrix.config.zephyr-ref != 'v2.7.4' }}
id: wolfssl-tls-sock
working-directory: zephyr
run: |
./zephyr/scripts/twister --testsuite-root modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_sock/sample.crypto.wolfssl_tls_sock -vvv
./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_sock/sample.crypto.wolfssl_tls_sock -vvv
rm -rf zephyr/twister-out
./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_sock/sample.crypto.wolfssl_tls_sock_no_malloc -vvv
rm -rf zephyr/twister-out
- name: Run wolfssl TLS thread test
if: ${{ matrix.config.zephyr-ref != 'v2.7.4' }}
id: wolfssl-tls-thread
working-directory: zephyr
run: |
./zephyr/scripts/twister --testsuite-root modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_thread/sample.crypto.wolfssl_tls_thread -vvv
./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_thread/sample.crypto.wolfssl_tls_thread -vvv
rm -rf zephyr/twister-out
- name: Zip failure logs
@@ -94,7 +127,7 @@ jobs:
- name: Upload failure logs
if: ${{ failure() && (steps.wolfssl-test.outcome == 'failure' || steps.wolfssl-tls-sock.outcome == 'failure' || steps.wolfssl-tls-thread.outcome == 'failure') }}
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: zephyr-client-test-logs
path: logs.zip

102
.gitignore vendored
View File

@@ -3,13 +3,13 @@ ctaocrypt/src/src/
*.lo
*.la
*.o
*.patch
*.deps
*.d
*.libs
*.cache
.dirstamp
*.user
!*-VS2022.vcxproj.user
configure
config.*
!cmake/config.in
@@ -33,7 +33,7 @@ aclocal.m4
aminclude.am
lt*.m4
Makefile.in
Makefile
/Makefile
depcomp
missing
libtool
@@ -50,16 +50,6 @@ wolfcrypt_first.c
wolfcrypt_last.c
selftest.c
fipsv2.c
src/async.c
wolfssl/async.h
wolfcrypt/src/async.c
wolfssl/wolfcrypt/async.h
wolfcrypt/src/port/intel/quickassist.c
wolfcrypt/src/port/intel/quickassist_mem.c
wolfcrypt/src/port/cavium/cavium_nitrox.c
wolfssl/wolfcrypt/port/intel/quickassist.h
wolfssl/wolfcrypt/port/intel/quickassist_mem.h
wolfssl/wolfcrypt/port/cavium/cavium_nitrox.h
ctaocrypt/benchmark/benchmark
ctaocrypt/test/testctaocrypt
wolfcrypt/benchmark/benchmark
@@ -82,16 +72,19 @@ snifftest
output
mcapi/test
testsuite/testsuite
tests/unit
testsuite/testsuite.test
testsuite/*.der
testsuite/*.pem
testsuite/*.raw
testsuite/*.obj
testsuite/*.pdb
testsuite/*.idb
tests/unit
tests/unit.test
tests/bio_write_test.txt
tests/test-log-dump-to-file.txt
tests/cert_cache.tmp
test-write-dhparams.pem
testsuite/*.der
testsuite/*.pem
testsuite/*.raw
cert.der
cert.pem
certecc.der
@@ -242,6 +235,16 @@ linuxkm/libwolfssl.mod.c
linuxkm/libwolfssl.lds
linuxkm/module_exports.c
linuxkm/linuxkm/get_thread_size
linuxkm/linuxkm
linuxkm/src
linuxkm/patches/src
*.nds
bsdkm/export_syms
bsdkm/i386
bsdkm/libwolfssl.ko
bsdkm/machine
bsdkm/opt_global.h
bsdkm/x86
# autotools generated
scripts/unit.test
@@ -286,23 +289,6 @@ mqx/wolfcrypt_benchmark/.settings
mqx/wolfcrypt_benchmark/.cwGeneratedFileSetLog
mqx/wolfcrypt_benchmark/SaAnalysispointsManager.apconfig
# User Crypto example build
wolfcrypt/user-crypto/aclocal.m4
wolfcrypt/user-crypto/config.guess
wolfcrypt/user-crypto/autom4te.cache
wolfcrypt/user-crypto/config.log
wolfcrypt/user-crypto/config.status
wolfcrypt/user-crypto/config.sub
wolfcrypt/user-crypto/depcomp
wolfcrypt/user-crypto/install-sh
wolfcrypt/user-crypto/libtool
wolfcrypt/user-crypto/ltmain.sh
wolfcrypt/user-crypto/m4
wolfcrypt/user-crypto/missing
wolfcrypt/user-crypto/Makefile.in
wolfcrypt/user-crypto/lib/libusercrypto.*
*.hzs
# wolfSSL CSharp wrapper
wrapper/CSharp/x64/
@@ -339,6 +325,10 @@ wolfcrypt/src/port/intel/qat_test
# Arduino Generated Files
/IDE/ARDUINO/wolfSSL
scripts/memtest.txt
/IDE/ARDUINO/Arduino_README_prepend.md.tmp
/IDE/ARDUINO/library.properties.tmp
/IDE/ARDUINO/library.properties.tmp.backup
/IDE/ARDUINO/PREPENDED_README.md
# Doxygen generated files
doc/doxygen_warnings
@@ -415,12 +405,32 @@ XXX-fips-test
# Generated user_settings_asm.h.
user_settings_asm.h
# VisualGD
# VisualGDB
**/.visualgdb
# Espressif sdk config default should be saved in sdkconfig.defaults
# we won't track the actual working sdkconfig files
/IDE/Espressif/**/sdkconfig
/IDE/Espressif/**/sdkconfig.old
# ESP8266 RTOS SDK has a slightly different sdkconfig filename to exclude:
/IDE/Espressif/**/sdkconfig.debug
/IDE/Espressif/**/sdkconfig.release
/IDE/Espressif/**/sdkconfig-debug
/IDE/Espressif/**/sdkconfig-release
# Always include Espressif makefiles (typically only used for ESP8266)
!/IDE/Espressif/**/Makefile
!/IDE/Espressif/**/component.mk
# Ignore all the example logs
/IDE/Espressif/ESP-IDF/examples/**/logs/*
# MPLAB
/IDE/MPLABX16/wolfssl.X/dist/default/
/IDE/MPLABX16/wolfssl.X/.generated_files
/IDE/MPLABX16/wolfcrypt_test.X/dist/default/
/IDE/MPLABX16/wolfcrypt_test.X/.generated_files
# auto-created CMake backups
**/CMakeLists.txt.old
@@ -435,4 +445,28 @@ MagicCrypto
# debian packaging
debian/changelog
debian/control
debian/rules
*.deb
# Ada/Alire files
wrapper/Ada/alire/
wrapper/Ada/config/
wrapper/Ada/lib/
wrapper/Ada/obj/
# Rust wrapper files
/wrapper/rust/*/target/
# PlatformIO
/**/.pio
/**/.vscode/.browse.c_cpp.db*
/**/.vscode/c_cpp_properties.json
/**/.vscode/launch.json
/**/.vscode/ipch
/**/sdkconfig.esp32dev
# Autogenerated debug trace headers
wolfssl/debug-trace-error-codes.h
wolfssl/debug-untrace-error-codes.h
AGENTS.md

1115
.wolfssl_known_macro_extras Normal file

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

20
CMakePresets.json Normal file
View File

@@ -0,0 +1,20 @@
{
"version": 3,
"cmakeMinimumRequired": {
"major": 3,
"minor": 22,
"patch": 0
},
"configurePresets": [
{
"name": "vs2022-x64",
"displayName": "Visual Studio 2022 x64",
"generator": "Visual Studio 17 2022",
"architecture": "x64",
"binaryDir": "${sourceDir}/build",
"cacheVariables": {
"CMAKE_EXPORT_COMPILE_COMMANDS": "ON"
}
}
]
}

9
CMakeSettings.json Normal file
View File

@@ -0,0 +1,9 @@
{
"configurations": [
{
"name": "No-CMake",
"generator": "Ninja",
"buildCommandArgs": "echo 'No build command'"
}
]
}

833
COPYING
View File

@@ -1,281 +1,622 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Version 3, 29 June 2007
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
TERMS AND CONDITIONS
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
0. Definitions.
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
"This License" refers to version 3 of the GNU General Public License.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
A "covered work" means either the unmodified Program or a work based
on the Program.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
1. Source Code.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
The Corresponding Source for a work in source code form is that
same work.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
2. Basic Permissions.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
13. Use with the GNU Affero General Public License.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
14. Revised Versions of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
NO WARRANTY
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
15. Disclaimer of Warranty.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
@@ -287,15 +628,15 @@ free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
@@ -303,37 +644,31 @@ the "copyright" line and a pointer to where the full notice is found.
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<http://www.gnu.org/licenses/>.
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<http://www.gnu.org/philosophy/why-not-lgpl.html>.

File diff suppressed because it is too large Load Diff

View File

@@ -3,11 +3,14 @@ FROM $DOCKER_BASE_IMAGE
USER root
ARG DEPS_WOLFSSL="build-essential autoconf libtool clang clang-tools zlib1g-dev libuv1-dev libpam0g-dev valgrind git linux-headers-generic gcc-multilib g++-multilib libpcap-dev bubblewrap gdb iputils-ping lldb bsdmainutils netcat binutils-arm-linux-gnueabi binutils-aarch64-linux-gnu"
# Set timezone to UTC
RUN ln -snf /usr/share/zoneinfo/UTC /etc/localtime && echo UTC > /etc/timezone
ARG DEPS_WOLFSSL="build-essential autoconf libtool clang clang-tools zlib1g-dev libuv1-dev libpam0g-dev valgrind git linux-headers-generic gcc-multilib g++-multilib libpcap-dev bubblewrap gdb iputils-ping lldb bsdmainutils netcat-traditional binutils-arm-linux-gnueabi binutils-aarch64-linux-gnu"
ARG DEPS_LIBOQS="astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind git"
ARG DEPS_UDP_PROXY="wget libevent-dev"
ARG DEPS_TESTS="abi-dumper libcurl4-openssl-dev tcpdump"
ARG DEPS_TOOLS="ccache"
ARG DEPS_TESTS="abi-dumper libcurl4-openssl-dev tcpdump libpsl-dev python3-pandas python3-tabulate libnl-genl-3-dev libcap-ng-dev python3-virtualenv curl jq"
ARG DEPS_TOOLS="ccache clang-tidy maven libfile-util-perl android-tools-adb usbutils shellcheck"
RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y apt-utils \
&& apt install -y ${DEPS_WOLFSSL} ${DEPS_LIBOQS} ${DEPS_UDP_PROXY} ${DEPS_TESTS} ${DEPS_TOOLS} \
&& apt clean -y && rm -rf /var/lib/apt/lists/*
@@ -37,10 +40,12 @@ RUN cd /opt/sources && git clone --single-branch https://github.com/cisco/hash-s
# Install pkixssh to /opt/pkixssh for X509 interop testing with wolfSSH
RUN mkdir /var/empty
RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz | tar xzf - && cd pkixssh-14.1.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-15.1.tar.gz | tar xzf - && cd pkixssh-15.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
# Install udp/tcp-proxy
RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main http://github.com/wolfssl/udp-proxy && cd udp-proxy && make && cp tcp_proxy udp_proxy /bin/.
# Install libbacktrace
RUN cd /opt/sources && git clone --depth=1 --single-branch https://github.com/ianlancetaylor/libbacktrace.git && cd libbacktrace && mkdir build && cd build && ../configure && make && make install
# Allow non-root to use tcpdump (will need NET_RAW and NET_ADMIN capability when running the container)
RUN setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/tcpdump

View File

@@ -3,7 +3,7 @@ FROM $DOCKER_BASE_IMAGE
USER root
ARG DEPS_TESTING="gcc-arm-linux-gnueabi gcc-aarch64-linux-gnu"
ARG DEPS_TESTING="gcc-arm-linux-gnueabi gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu gcc-powerpc-linux-gnu gcc-powerpc64-linux-gnu gcc-arm-none-eabi"
RUN DEBIAN_FRONTEND=noninteractive apt update \
&& apt install -y ${DEPS_TESTING} \
&& apt clean -y && rm -rf /var/lib/apt/lists/*

Some files were not shown because too many files have changed in this diff Show More