wolfSSL
diff --git a/‎ChangeLog.md‎
Lines changed: 13 additions & 0 deletions b/‎ChangeLog.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎README‎
Lines changed: 13 additions & 0 deletions b/‎README‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 13 additions & 0 deletions b/‎README.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎doc/dox_comments/header_files-ja/ssl.h‎
Lines changed: 0 additions & 1 deletion b/‎doc/dox_comments/header_files-ja/ssl.h‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎doc/dox_comments/header_files/srp.h‎
Lines changed: 5 additions & 3 deletions b/‎doc/dox_comments/header_files/srp.h‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎doc/dox_comments/header_files/ssl.h‎
Lines changed: 0 additions & 1 deletion b/‎doc/dox_comments/header_files/ssl.h‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎fips-check.sh‎
Lines changed: 12 additions & 8 deletions b/‎fips-check.sh‎
Lines changed: 12 additions & 8 deletions
diff --git a/‎fips-hash.sh‎
Lines changed: 2 additions & 1 deletion b/‎fips-hash.sh‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/internal.c‎
Lines changed: 4 additions & 0 deletions b/‎src/internal.c‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/tls.c‎
Lines changed: 8 additions & 5 deletions b/‎src/tls.c‎
Lines changed: 8 additions & 5 deletions
@@ -29,6 +29,19 @@ PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request num
 
 * [Low CVE-2025-12889] With TLS 1.2 connections a client can use any digest, specifically a weaker digest, rather than those in the CertificateRequest. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9395
 
+* [Low CVE-2025-13912] When using the Clang compiler, various optimization levels or flags could result in non-constant-time compiled code. Assembly implementations of the functions in wolfSSL were not affected. The report was done specifically with Clang version 18 but there was shown to be similarities in timing variations when using the optimization levels with Clang 14 and Clang 20.
+
+On the following architectures, the expected constant-time functions were found to have potential timing variations when specific compiler flags or optimization levels were used.
+
+AArch64: Using O3, Ofast, or --enable-nontrivial-unswitch with O1/O2 flags leads to possible timing variations with the software implementations of sp_read_radix, sp_div_2_mod_ct, and sp_addmod_ct. Using O3, O2, Ofast, Os, or Oz with --unroll-force-peel-count=50 leads to possible timing variations with wc_AesGcmDecrypt.
+
+RISC-V: TLS HMAC update/final operations, RSA unpad operations, and DH key pair generation with O1, O2, O3, Ofast, Oz, or Os. wc_AesGcmDecrypt and wc_Chacha_Process with O1, O2, O3, Os, or Ofast. Also SP software operations sp_div_2_mod_ct and sp_addmod_ct using O3 or Ofast.
+
+
+X86_64: TLS HMAC update/final operations and TimingVerifyPad used with verifying the TLS MAC with --fast-isel or --x86-cmov-converter-force-all compile flags. RSA unpad operations, ECC mulmod, and wc_Chacha_Process with the --x86-cmov-converter-force-all flag. DH key agreement, sp_div_2_mod_ct and sp_addmod_ct with O1, O2, O3, Os, or Ofast. wc_AesGcmDecrypt with the compiler flags O2, O3, Os, Ofast, Oz --x86-cmov-converter-force-all | --unroll-force-peel-count=50, or O1 --x86-cmov-converter-force-all.
+
+Thanks to Jing Liu, Zhiyuan Zhang, LUCÍA MARTÍNEZ GAVIER, Gilles Barthe, Marcel Böhme from Max Planck Institute for Security and Privacy (MPI-SP) for the report. Fixed in PR 9148.
+
 ## New Features
 * New ML-KEM / ML-DSA APIs and seed/import PKCS8 support; added _new/_delete APIs for ML-KEM/ML-DSA. (PR 9039, 9000, 9049)
 * Initial wolfCrypt FreeBSD kernel module support (PR 9392)
 
@@ -106,6 +106,19 @@ PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request num
 
 * [Low CVE-2025-12889] With TLS 1.2 connections a client can use any digest, specifically a weaker digest, rather than those in the CertificateRequest. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9395
 
+* [Low CVE-2025-13912] When using the Clang compiler, various optimization levels or flags could result in non-constant-time compiled code. Assembly implementations of the functions in wolfSSL were not affected. The report was done specifically with Clang version 18 but there was shown to be similarities in timing variations when using the optimization levels with Clang 14 and Clang 20.
+
+On the following architectures, the expected constant-time functions were found to have potential timing variations when specific compiler flags or optimization levels were used.
+
+AArch64: Using O3, Ofast, or --enable-nontrivial-unswitch with O1/O2 flags leads to possible timing variations with the software implementations of sp_read_radix, sp_div_2_mod_ct, and sp_addmod_ct. Using O3, O2, Ofast, Os, or Oz with --unroll-force-peel-count=50 leads to possible timing variations with wc_AesGcmDecrypt.
+
+RISC-V: TLS HMAC update/final operations, RSA unpad operations, and DH key pair generation with O1, O2, O3, Ofast, Oz, or Os. wc_AesGcmDecrypt and wc_Chacha_Process with O1, O2, O3, Os, or Ofast. Also SP software operations sp_div_2_mod_ct and sp_addmod_ct using O3 or Ofast.
+
+
+X86_64: TLS HMAC update/final operations and TimingVerifyPad used with verifying the TLS MAC with --fast-isel or --x86-cmov-converter-force-all compile flags. RSA unpad operations, ECC mulmod, and wc_Chacha_Process with the --x86-cmov-converter-force-all flag. DH key agreement, sp_div_2_mod_ct and sp_addmod_ct with O1, O2, O3, Os, or Ofast. wc_AesGcmDecrypt with the compiler flags O2, O3, Os, Ofast, Oz --x86-cmov-converter-force-all | --unroll-force-peel-count=50, or O1 --x86-cmov-converter-force-all.
+
+Thanks to Jing Liu, Zhiyuan Zhang, LUCÍA MARTÍNEZ GAVIER, Gilles Barthe, Marcel Böhme from Max Planck Institute for Security and Privacy (MPI-SP) for the report. Fixed in PR 9148.
+
 ## New Features
 * New ML-KEM / ML-DSA APIs and seed/import PKCS8 support; added _new/_delete APIs for ML-KEM/ML-DSA. (PR 9039, 9000, 9049)
 * Initial wolfCrypt FreeBSD kernel module support (PR 9392)
 
@@ -111,6 +111,19 @@ PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request num
 
 * [Low CVE-2025-12889] With TLS 1.2 connections a client can use any digest, specifically a weaker digest, rather than those in the CertificateRequest. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9395
 
+* [Low CVE-2025-13912] When using the Clang compiler, various optimization levels or flags could result in non-constant-time compiled code. Assembly implementations of the functions in wolfSSL were not affected. The report was done specifically with Clang version 18 but there was shown to be similarities in timing variations when using the optimization levels with Clang 14 and Clang 20.
+
+On the following architectures, the expected constant-time functions were found to have potential timing variations when specific compiler flags or optimization levels were used.
+
+AArch64: Using O3, Ofast, or --enable-nontrivial-unswitch with O1/O2 flags leads to possible timing variations with the software implementations of sp_read_radix, sp_div_2_mod_ct, and sp_addmod_ct. Using O3, O2, Ofast, Os, or Oz with --unroll-force-peel-count=50 leads to possible timing variations with wc_AesGcmDecrypt.
+
+RISC-V: TLS HMAC update/final operations, RSA unpad operations, and DH key pair generation with O1, O2, O3, Ofast, Oz, or Os. wc_AesGcmDecrypt and wc_Chacha_Process with O1, O2, O3, Os, or Ofast. Also SP software operations sp_div_2_mod_ct and sp_addmod_ct using O3 or Ofast.
+
+
+X86_64: TLS HMAC update/final operations and TimingVerifyPad used with verifying the TLS MAC with --fast-isel or --x86-cmov-converter-force-all compile flags. RSA unpad operations, ECC mulmod, and wc_Chacha_Process with the --x86-cmov-converter-force-all flag. DH key agreement, sp_div_2_mod_ct and sp_addmod_ct with O1, O2, O3, Os, or Ofast. wc_AesGcmDecrypt with the compiler flags O2, O3, Os, Ofast, Oz --x86-cmov-converter-force-all | --unroll-force-peel-count=50, or O1 --x86-cmov-converter-force-all.
+
+Thanks to Jing Liu, Zhiyuan Zhang, LUCÍA MARTÍNEZ GAVIER, Gilles Barthe, Marcel Böhme from Max Planck Institute for Security and Privacy (MPI-SP) for the report. Fixed in PR 9148.
+
 ## New Features
 * New ML-KEM / ML-DSA APIs and seed/import PKCS8 support; added _new/_delete APIs for ML-KEM/ML-DSA. (PR 9039, 9000, 9049)
 * Initial wolfCrypt FreeBSD kernel module support (PR 9392)
 
@@ -3796,7 +3796,6 @@ int  wolfSSL_BIO_ctrl_reset_read_request(WOLFSSL_BIO *bio);
     \endcode
 
     \sa wolfSSL_BIO_new
-    \sa wolfSSL_BIO_nwrite0
 */
 int  wolfSSL_BIO_nread0(WOLFSSL_BIO *bio, char **buf);
 
 
@@ -340,6 +340,8 @@ int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size);
     This function MUST be called after wc_SrpSetPassword or wc_SrpSetVerifier.
     The function wc_SrpSetPrivate may be called before wc_SrpGetPublic.
 
+    Caller must observe value of size upon return to know the actual size.
+
     \return 0 Success
     \return BAD_FUNC_ARG Returned if srp, pub, or size is null.
     \return SRP_CALL_ORDER_E Returned if wc_SrpGetPublic is called out
@@ -349,8 +351,8 @@ int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size);
 
     \param srp the Srp structure.
     \param pub the buffer to write the public ephemeral value.
-    \param size the the buffer size in bytes. Will be updated with
-    the ephemeral value size.
+    \param size IN: the buffer size in bytes.
+                OUT: Will be updated with the ephemeral value size.
 
     _Example_
     \code
@@ -369,7 +371,7 @@ int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size);
     wc_SrpSetPassword(&srp, password, passwordSize)
 
     byte public[64];
-    word32 publicSz = 0;
+    word32 publicSz = sizeof(public);
 
     if( wc_SrpGetPublic(&srp, public, &publicSz) != 0)
     {
 
@@ -4671,7 +4671,6 @@ int  wolfSSL_BIO_ctrl_reset_read_request(WOLFSSL_BIO *b);
     \endcode
 
     \sa wolfSSL_BIO_new
-    \sa wolfSSL_BIO_nwrite0
 */
 int  wolfSSL_BIO_nread0(WOLFSSL_BIO *bio, char **buf);
 
 
@@ -31,17 +31,19 @@ Usage() {
     cat <<usageText
 Usage: $0 [flavor] [keep] [nomakecheck] [nodoconfigure] [noautogen]
 Flavor is one of:
-    linuxv2 (FIPSv2, use for Win10)
-    fipsv2-OE-ready (ready FIPSv2)
+    linuxv2             (FIPSv2, use for Win10)
+    fipsv2-OE-ready     (ready FIPSv2)
     solaris
     netbsd-selftest
     marvell-linux-selftest
-    linuxv5 (current FIPS 140-3)
-    fips-ready (ready FIPS 140-3)
-    fips-dev (dev FIPS 140-3)
+    linuxv5             (current FIPS 140-3 [v5.2.1])
+    linuxv5-RC12        (current FIPS 140-3 [v5.2.0.1])
+    fips-ready          (ready FIPS 140-3)
+    fips-dev            (dev FIPS 140-3)
     wolfrand
     wolfentropy
-    v6.0.0
+    v6.0.0              (pending FIPS 140-3 [v6.0.0])
+
 keep: (default off) retains the temp dir $TEST_DIR for inspection.
 nomakecheck: (default off) don't run make check
 nodoconfigure: (default off) don't run configure
@@ -670,10 +672,12 @@ if [ "$DOCONFIGURE" = "yes" ]; then
     fi
 
     if [ -s wolfcrypt/src/fips_test.c ]; then
-        NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
+        OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
+        NEWHASH=$(echo "$OUT" | cut -c1-64)
         if [ -n "$NEWHASH" ]; then
             cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
-            sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak >wolfcrypt/src/fips_test.c
+            sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak > \
+                                                    wolfcrypt/src/fips_test.c
             make clean
         fi
     fi
 
@@ -12,7 +12,8 @@ then
     exit 1
 fi
 
-NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
+OUT=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
+NEWHASH=$(echo "$OUT" | cut -c1-64)
 if test -n "$NEWHASH"
 then
     cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
 
@@ -13204,6 +13204,10 @@ int CheckHostName(DecodedCert* dCert, const char *domainName,
     int checkCN;
     int ret = WC_NO_ERR_TRACE(DOMAIN_NAME_MISMATCH);
 
+    if (dCert == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
     if (CheckForAltNames(dCert, domainName, (word32)domainNameLen,
                                             &checkCN, flags, isIP) != 1) {
         ret = DOMAIN_NAME_MISMATCH;
 
@@ -16567,15 +16567,18 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType,
      * contain SupportedGroups and vice-versa. */
     if (IsAtLeastTLSv1_3(ssl->version) && msgType == client_hello && isRequest) {
         int hasKeyShare = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE));
-        int hasSupportedGroups = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
+        int hasSupportedGroups = !IS_OFF(seenType,
+            TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
 
         if (hasKeyShare && !hasSupportedGroups) {
-            WOLFSSL_MSG("ClientHello with KeyShare extension missing required SupportedGroups extension");
-            return MISSING_HANDSHAKE_DATA;
+            WOLFSSL_MSG("ClientHello with KeyShare extension missing required "
+                        "SupportedGroups extension");
+            return INCOMPLETE_DATA;
         }
         if (hasSupportedGroups && !hasKeyShare) {
-            WOLFSSL_MSG("ClientHello with SupportedGroups extension missing required KeyShare extension");
-            return MISSING_HANDSHAKE_DATA;
+            WOLFSSL_MSG("ClientHello with SupportedGroups extension missing "
+                        "required KeyShare extension");
+            return INCOMPLETE_DATA;
         }
     }
 #endif