Skip to content

Commit

Permalink
Initial support for STM32MP13 HAL
Browse files Browse the repository at this point in the history
This adds support for the STM32MP13 HAL, tested on the STM32MP135F MPU.

Using the HAL this modifies our previous RNG, AES-CBC, AES-GCM, HASH,
ECDSA and DES3 ST HAL acceleration to work with the MPU. It also works
around bugs found in the AES-GCM code of the HAL.

The HAL does not appear to have support for MD5 HASH at the moment, so
this has been given a flag to disable it on this MPU.

linuxkm: work around aarch64 dependency on alt_cb_patch_nops for enable-linuxkm-pie (FIPS support).

wolfssl/wolfcrypt/aes.h: #define WC_NO_COMPAT_AES_BLOCK_SIZE in OPENSSL_COEXIST builds.  see comment in source code with usage instructions.

wolfhsm-mldsa-fixes

SP ARM: big-endian support

Handle reading and writing from big-endian byte array when compiling for
big endian.
Rework little endian to be more effiecient too.

Fix wolfSSL_X509_STORE_get0_objects to handle case where no CA has been loaded

Fix conversion on various files. Work from Reda.

Additional conversion warnings.

Addressing CI/CD before continuing with the fixing

More Wconversion fixing (Renesas specific)

Moved variable to the top of the scope

fixes for OPENSSL_COEXIST with FIPS and with/without TEST_OPENSSL_COEXIST.

adjustments to x509.h macro list

Add STM32MP13 to Cube IDE

Add STM32MP13 HAL support for more SHA types

This adds STM32 HAL support for:

* SHA384
* SHA512 (with -224 and -256)
* SHA3 (all variants apart from SHAKE)

The partial FIFO block calculations have been adjusted based in the
STM32 code to support the larger hash sizes.

This should work with other chips such as the STM32U5xx, but is not
enabled for that yet.

Fix STM32 example broken in wolfSSL#8143.

Fixes for building with SP RSA small and RSA Public only. ZD 18996

src/ssl_sess.c: in wolfSSL_CTX_flush_sessions(), add missing check of s->sessionIDSz, similar to the fix to TlsSessionCacheGetAndLock() in wolfSSL#8182 (ef67b1c).  also, add missing macro to .wolfssl_known_macro_extras.

Fix test environment

Add size checks to sessionID

Fix for Compressed Keys with FIPS

build dsa in visual studio

wc_port: change zephyr struct k_thread tid member to pointer.

Fix issue with wc_lms_impl.c or wc_lms not including settings.h. Caused issue enabling LMS from user_settings.h.

Fixes for ML-DSA and LMS cast warnings and spelling errors.

Expose compatibility get_verify functions with openssl_extra.

Fix broken verify on Ada wrapper

The Ada wrapper had an `&` operator for the verification mode. This
effectively caused the verification mode to equal `0`.

The operator has been switched to `or` now, in addition, a getter has
been added to the API. This allows for the test I've added to the server
code to verify that it is being set correctly.

`OPENSSL_ALL` flag added to Ada so that the verify mode getter function
is compiled in.

Fixes wolfSSL#7461

Thanks to @dalybrown for reporting it.

Add libspdm action

Depends on wolfSSL/osp#217

configure.ac: add --enable-fips=cert4718 alias for v5, and make --enable-fips=v5 set FIPS to 5.2.1; set DEF_FAST_MATH and DEF_SP_MATH to "no" when "yes" would conflict with user-supplied arguments.

configure.ac: fix SC1105 ("Shells disambiguate (( differently or not at all.").

wolfssl/wolfcrypt/types.h and wolfssl/wolfcrypt/hash.h: define WOLF_AGG_DUMMY_MEMBER, pivoting on HAVE_EMPTY_AGGREGATES, and use WOLF_AGG_DUMMY_MEMBER in wc_Hashes.

src/ssl_crypto.c: revert FIPS gate threshold in wolfSSL_AES_decrypt() changed in d85c108 -- original value was correct, misdiagnosed by faulty test.

update fips-check.sh for cert wolfSSL#4718: remap linuxv5 as an alias for linuxv5.2.1, and add linuxv5-RC12.

fips-check.sh: add support for WOLFSSL_REPO and noautogen option; tweak git fetching to keep wolfssl and fips tags distinct, and fetch all needed tags by name to assure availability for checkout.  also, hide stdout noise from pushd/popd.

peer review: refactor HAVE_ANONYMOUS_INLINE_AGGREGATES and HAVE_EMPTY_AGGREGATES to conform to wolfssl convention -- defined() for true, !defined() for false -- while retaining ability for user override-off by passing in explicit 0 definition.

src/internal.c: in HashSkeData(), remove unneeded logically faulty nullness check around XFREE(ssl->buffers.digest.buffer, ...).

Add nss interop

Add sanity check for configuration method

Disable hitch OSP test

Fix from review

move !defined(EXTERNAL_OPTS_OPENVPN) assert from src/internal.c to wolfssl/wolfcrypt/types.h with refinements; refine logic+message of assert in wolfssl/wolfcrypt/settings.h re "wolfssl/options.h included in compiled wolfssl library object..".

wolfssl/wolfcrypt/settings.h: use #warning, not #error, for "No configuration for wolfSSL detected, check header order", to avoid unnecessary breakage of old projects with nonstandard custom settings.

Revert to ubuntu-22.04

add support for WOLFSSL_NO_OPTIONS_H:
* activate WOLFSSL_NO_OPTIONS_H in linuxkm/Kbuild for in-module test.o and benchmark.o.
* refine explanatory comments in settings.h re WOLFSSL_USE_OPTIONS_H, WOLFSSL_NO_OPTIONS_H, and WOLFSSL_CUSTOM_CONFIG.
* add safety catch to options.h/options.h.in to inhibit inclusion if defined(WOLFSSL_NO_OPTIONS_H).
* for good measure, add explicit check for WOLFSSL_NO_OPTIONS_H to wolfcrypt/benchmark/benchmark.c and wolfcrypt/test/test.c.

Improve Espressif SHA HW/SW mutex messages

.wolfssl_known_macro_extras: regenerate

Use proper ref count handling when adding to x509 store

Always keep original x509 pointer with proper refcounts even for self signed trusted CA

Dont use specific free function

Free x509 on fail to push

CMAKE: look for pthreads when importing wolfSSL if required

All required dependencies of a package must also be found in the
package configuration file. Consumers of wolfSSL can't know
if it was built with or without threads support. This change
adds find_package(Threads) lookup in the file used for
find_package(wolfssl) if wolfSSL was built with threads support.

Initial implementation for using PKCS11 to retrieve certificate for SSL CTX

Updates per review comments

Add support for cert format in get cert crypto callback

Use char instead of sword8, sanity length check on CKA_VALUE

No redundant NULL check on free

Remove redundant NULL check

Aarch64 Poly1305: fix corner case

Don't mask top 26 bits as it may have next bit set as reduction step was
only approximate.

Fix memory leak

make new sanity check be a warning

defining custom config avoids warning of library builds pulling in options.h

Add support for the RFC822 Mailbox attribute.

Aarch64: make code compile when no hardware crypto avail

Detects availability of instructions for Aarch64.

WOLFSSL_ALWAYS_KEEP_SNI enabled by default with --enable-jni

wolfSSL_CTX_set_tlsext_use_srtp() should return 1 on failure and 0 upon success.

Same with wolfSSL_set_tlsext_use_srtp().

See https://docs.openssl.org/1.1.1/man3/SSL_CTX_set_tlsext_use_srtp/

Add a test.

Various cleanups and fixes:
* Fix to properly set configure.ac LMS/XMSS enables and build of those code files.
* Remove duplicate aes.c `wc_AesSetKeyLocal` call to `wc_AesSetIV`. Moved earlier in function in commit a10260c.
* Benchmark missing time.h with NO_ASN_TIME.
* Added option to support disabling AES CFB 1/8 `WOLFSSL_NO_AES_CFB_1_8`.
* Fixes for building with combinations of `WOLFSSL_RSA_VERIFY_ONLY` and `WOLFSSL_RSA_PUBLIC_ONLY`.
* Fix for building `--enable-stacksize=verbose` with single threaded.
* Various tab and formatting cleanups.
ZD 18996

Fixes for macro names.

Cleanup the gating for `WOLFSSL_NO_AES_CFB_1_8`.

Revert "Aarch64: make code compile when no hardware crypto avail"

fix for sig fault harden build

linuxkm/Kbuild and linuxkm/module_exports.c.template: on kernel >=6.13, add quotes around the namespace arg to EXPORT_SYMBOL_NS_GPL() (upstream change actually made in 6.13-rc2).

Aarch64: make code compile when no hardware crypto avail

Detects availability of instructions for Aarch64.

MacOS: allow SHA-3 instructions to be explicitly not used

Some iPads and iPhones don't support SHA-3 instructions.
Allow SHA-3 instructions to explicitly not be used for these devices.

Fix compile issue with NO_WOLFSSL_DIR

`test_wolfSSL_CTX_load_system_CA_certs()` would try to use DIR functions
when `NO_WOLFSSL_DIR` was used.

EdDSA Ed448: sc_muladd now does full reduction

sc_muladd was reducing to word boundary and not to order.
Now reduces to order as last step.

CID also supported in DTLS 1.2

Add CID interop with mbedtls

add shebang

use unique key

fix redirect order

Use source hostap repo

Initialize vars & change types to appease Windows/VS

fips-check.sh fixes + enhancements:
* change default WOLFSSL_REPO to the canonical upstream.
* refactor tag calculation without bash associative arrays, for backward compat.
* add support for fetching FIPS tags/branches into a persistent fips repo if one is found at ../fips.
* use --shared in git clones where applicable.
* always check out the master FIPS branch, for its tooling, and always make sure it's up to date with $FIPS_REPO.
* after each fetch for a previously unknown tag, explicitly associate the tag with the FETCH_HEAD.

Enable support for using certificate manager only. Fixes for building without TLS enabled (NO_TLS). ZD 19054. Tested using `./configure --disable-tlsv12 --disable-tls13 CFLAGS="-DNO_TLS" && make check`

Fix issues in `test_tls13_apis` with no filesystem or no RSA/ECC.

Fix nested `NO_TLS`.

Further fixes with NO_TLS to support use with compatibility layer.

Add `--disable-tls` option that can be used with `--enable-all` to disable TLS features and set `NO_TLS`. Useful for allowing certificate manager and crypto compatibility API's only.

configure.ac: fix faulty logic in FIPS v6 feature calculation re ENABLED_ARMASM_CRYPTO, originally added in 6e0a901.

wolfcrypt/src/aes.c: add missing WOLFSSL_ARMASM gate clause around wolfCrypt_FIPS_aes_ro_sanity, necessitated by 514a92d/wolfSSL#8293.

wolfCrypt -Wconversion expansion: fix numerous warnings, all benign, from -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion.

Espressif Managed Component wolfSSL 5.7.4 post-release update

fedora crypto-policies: initial support.

Fix RA6M jankins failure

Printing the rfc822Mailbox x509 attribute

fix: cast int operands to size_t in bio buffer size calc to prevent loss of precision

Fix C4333 warning by adjusting right shift operation on byte cast
  • Loading branch information
LinuxJedi authored and gasbytes committed Dec 21, 2024
1 parent ea8c7c8 commit 9756eac
Show file tree
Hide file tree
Showing 200 changed files with 8,520 additions and 2,959 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/async.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
]
name: make check
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
steps:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codespell.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ concurrency:
jobs:
codespell:
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/coverity-scan-fixes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ on:
jobs:
coverity:
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/curl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
Expand All @@ -40,7 +40,7 @@ jobs:
test_curl:
name: ${{ matrix.curl_ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 15
needs: build_wolfssl
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/cyrus-sasl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
Expand Down Expand Up @@ -48,7 +48,7 @@ jobs:
ref: [ 2.1.28 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
needs: build_wolfssl
Expand Down
File renamed without changes.
12 changes: 6 additions & 6 deletions .github/workflows/docker-Espressif.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,32 +15,32 @@ jobs:
espressif_latest:
name: latest Docker container
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 12
container:
image: espressif/idf:latest
steps:
- uses: actions/checkout@v4
- name: Initialize Espressif IDE and build examples
run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh
run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh
espressif_v4_4:
name: v4.4 Docker container
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
container:
image: espressif/idf:release-v4.4
steps:
- uses: actions/checkout@v4
- name: Initialize Espressif IDE and build examples
run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh
run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh
espressif_v5_0:
name: v5.0 Docker container
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
container:
image: espressif/idf:release-v5.0
steps:
- uses: actions/checkout@v4
- name: Initialize Espressif IDE and build examples
run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh
run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh
4 changes: 2 additions & 2 deletions .github/workflows/docker-OpenWrt.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
build_library:
name: Compile libwolfssl.so
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
container:
Expand All @@ -42,7 +42,7 @@ jobs:
compile_container:
name: Compile container
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 2
needs: build_library
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/grpc.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
Expand Down Expand Up @@ -52,7 +52,7 @@ jobs:
h2_ssl_cert_test h2_ssl_session_reuse_test
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 30
needs: build_wolfssl
Expand Down
54 changes: 39 additions & 15 deletions .github/workflows/hostap-vm.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ concurrency:
# END OF COMMON SECTION

env:
LINUX_REF: v6.6
LINUX_REF: v6.12

jobs:
build_wolfssl:
Expand All @@ -28,7 +28,7 @@ jobs:
--enable-tlsv10 --enable-oldtls
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
Expand Down Expand Up @@ -63,34 +63,55 @@ jobs:
path: build-dir.tgz
retention-days: 5

checkout_hostap:
name: Checkout hostap repo
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
steps:
- name: Checking if we have hostap in cache
uses: actions/cache@v4
id: cache
with:
path: hostap
key: hostap-repo
lookup-only: true

- name: Checkout hostap
run: git clone git://w1.fi/hostap.git hostap

build_uml_linux:
name: Build UML (UserMode Linux)
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 10
needs: checkout_hostap
steps:
- name: Checking if we have kernel in cache
uses: actions/cache@v4
id: cache
with:
path: linux/linux
key: ${{ env.LINUX_REF }}
key: hostap-linux-${{ env.LINUX_REF }}
lookup-only: true

- name: Checkout hostap
- name: Checking if we have hostap in cache
if: steps.cache.outputs.cache-hit != 'true'
uses: actions/checkout@v4
uses: actions/cache/restore@v4
with:
repository: julek-wolfssl/hostap-mirror
path: hostap
key: hostap-repo
fail-on-cache-miss: true

- name: Checkout linux
if: steps.cache.outputs.cache-hit != 'true'
uses: actions/checkout@v4
with:
repository: torvalds/linux
path: linux
ref: ${{ env.LINUX_REF }}

- name: Compile linux
if: steps.cache.outputs.cache-hit != 'true'
Expand Down Expand Up @@ -141,19 +162,18 @@ jobs:
build_id: hostap-vm-build2
}
name: hwsim test
# For openssl 1.1
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 45
needs: [build_wolfssl, build_uml_linux]
needs: [build_wolfssl, build_uml_linux, checkout_hostap]
steps:
- name: Checking if we have kernel in cache
uses: actions/cache/restore@v4
id: cache
with:
path: linux/linux
key: ${{ env.LINUX_REF }}
key: hostap-linux-${{ env.LINUX_REF }}
fail-on-cache-miss: true

- name: show file structure
Expand Down Expand Up @@ -198,12 +218,16 @@ jobs:
libnl-3-dev binutils-dev libssl-dev libiberty-dev libnl-genl-3-dev \
libnl-route-3-dev libdbus-1-dev bridge-utils tshark python3-pycryptodome
- name: Checkout hostap
uses: actions/checkout@v4
- name: Checking if we have hostap in cache
uses: actions/cache/restore@v4
with:
repository: julek-wolfssl/hostap-mirror
path: hostap
ref: ${{ matrix.config.hostap_ref }}
key: hostap-repo
fail-on-cache-miss: true

- name: Checkout correct ref
working-directory: hostap
run: git checkout ${{ matrix.config.hostap_ref }}

- name: Update certs
working-directory: hostap/tests/hwsim/auth_serv
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/ipmitool.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
build_wolfssl:
name: Build wolfSSL
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
if: github.repository_owner == 'wolfssl'
# This should be a safe limit for the tests to run.
timeout-minutes: 4
Expand Down Expand Up @@ -48,7 +48,7 @@ jobs:
git_ref: [ c3939dac2c060651361fc71516806f9ab8c38901 ]
name: ${{ matrix.git_ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
needs: build_wolfssl
steps:
- name: Install dependencies
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/jwt-cpp.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
name: Build wolfSSL
# Just to keep it the same as the testing target
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
Expand Down Expand Up @@ -47,7 +47,7 @@ jobs:
matrix:
config:
- ref: 0.7.0
runner: ubuntu-latest
runner: ubuntu-22.04
- ref: 0.6.0
runner: ubuntu-22.04
name: ${{ matrix.config.ref }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/krb5.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
name: Build wolfSSL
# Just to keep it the same as the testing target
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 5
steps:
Expand Down Expand Up @@ -50,7 +50,7 @@ jobs:
ref: [ 1.21.1 ]
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
# This should be a safe limit for the tests to run.
timeout-minutes: 8
needs: build_wolfssl
Expand Down
Loading

0 comments on commit 9756eac

Please sign in to comment.