30512 Commits

Author SHA1 Message Date
Daniel Pouzzner 38a4143a48 Merge pull request #10843 from Frauschi/test_fix
Fix ret check in test.c
2026-07-03 02:20:23 -05:00
Tobias Frauenschläger d40aeeabc0 Fix ret check in test.c 2026-07-03 09:15:26 +02:00
Daniel Pouzzner 326f40d032 Merge pull request #10626 from mattia-moffa/20260605-dtls-cid-check-newest
DTLS bugfixes
2026-07-03 01:18:38 -05:00
Daniel Pouzzner 8c7ab8eb4f Merge pull request #10686 from Frauschi/openssl_group_align
Align wolfSSL_set1_groups_list() arg handling with OpenSSL
2026-07-03 01:17:33 -05:00
Daniel Pouzzner a543bc4d78 Merge pull request #10745 from Frauschi/mandatory_psk
Enable support for mandatory PSKs
2026-07-03 01:16:45 -05:00
Daniel Pouzzner 8847cf2aa4 Merge pull request #10768 from Frauschi/altNames_API
Add public alt-name list APIs
2026-07-03 01:14:57 -05:00
Daniel Pouzzner f22ec4ccae Merge pull request #10804 from Frauschi/pkcs7_no_eContent
PKCS#7: support SignedData with absent eContent
2026-07-03 01:14:05 -05:00
Daniel Pouzzner cce3f2571e Merge pull request #10803 from Frauschi/fenrir
Fenrir fixes
2026-07-03 01:11:03 -05:00
Daniel Pouzzner d638d2afd7 Merge pull request #10209 from ColtonWilley/harden-chain-depth-and-parser-bounds
Harden chain depth bounds and parser input validation
2026-07-03 01:03:36 -05:00
Daniel Pouzzner dc326f8c70 Merge pull request #10691 from julek-wolfssl/tls13-fragmented-sessionticket-defrag
TLS 1.3: reassemble fragmented post-handshake messages after FreeArrays
2026-07-03 00:50:10 -05:00
Daniel Pouzzner ec37935a1f Merge pull request #10697 from Frauschi/zd21977
Even more missing ForceZero in ML-KEM / ML-DSA
2026-07-03 00:47:57 -05:00
Daniel Pouzzner 3c72ada3b1 Merge pull request #10711 from kareem-wolfssl/zd21987
Add a NULL check to refineSuites.
2026-07-03 00:47:08 -05:00
Daniel Pouzzner 460b7ad041 Merge pull request #10742 from tjko/rpi_compile
Fix compiler error when WOLFSSL_RPIPICO is used.
2026-07-03 00:45:19 -05:00
Daniel Pouzzner 47b7d6ff04 Merge pull request #10739 from JacobBarthelmeh/test
fix for nightly memory allocation test cases with LMS
2026-07-03 00:44:29 -05:00
Daniel Pouzzner f5538d9ba4 Merge pull request #10758 from julek-wolfssl/fix-ocsp-stapling-tls13multi-wait-timeout
Bound waited example servers with timeout to fix flaky CI test hangs
2026-07-03 00:43:55 -05:00
Daniel Pouzzner 27e160fa53 Merge pull request #10764 from embhorn/gh10761
Fix TLS1.2 error code correction
2026-07-03 00:41:35 -05:00
David Garske 0ecc0c5973 Merge pull request #10828 from SparkiDev/sp_func_block_comment_1
SP: fix function block comments
2026-07-02 15:53:03 -07:00
Daniel Pouzzner 9d3152cae2 Merge pull request #10708 from rlm2002/support-fixes
Support fixes - various reports
2026-07-02 12:51:11 -05:00
David Garske d390a98f64 Merge pull request #10754 from SparkiDev/arm64_asm_c_fallback
Aarch64 asm: Have software fallback and CPU id checks
2026-07-02 09:30:19 -07:00
Tobias Frauenschläger 79b30aa268 Enable support for mandatory PSKs
Add a new option to require that an external Pre-Shared Key is negotiated
for a handshake to succeed, configured via the new APIs
wolfSSL_CTX_require_psk()/wolfSSL_require_psk(). When set, a handshake
that completes without negotiating an external PSK is aborted with
PSK_MISSING_ERROR instead of falling back to a certificate handshake, so
the PSK acts as an additional security factor.

This is a TLS 1.3 / DTLS 1.3 feature. In (D)TLS 1.2 the use of a PSK is
determined by the negotiated cipher suite, so a mandatory PSK is instead
configured there by restricting the cipher suite list to PSK suites; the
new APIs therefore reject non-TLS-1.3 contexts with BAD_FUNC_ARG.

To keep the requirement fail-closed, the APIs also disable version
downgrade on the object so a downgrade-capable context (e.g. one created
from a v23 method) cannot silently fall back to (D)TLS 1.2 and complete
without a PSK; a peer that does not support (D)TLS 1.3 fails to connect.

The requirement applies to external PSKs only (not session tickets):
session-ticket resumption is exempt. To preserve forward secrecy a
mandatory external PSK must also use an (EC)DHE key exchange; a pure
psk_ke handshake is rejected with PSK_KEY_ERROR. When used with
WOLFSSL_CERT_WITH_EXTERN_PSK, it also ensures that peers are properly
authenticated with both the PSK and via certificates.

The new APIs live alongside the existing wolfSSL_[CTX_]no_dhe_psk()/
only_dhe_psk() PSK options and do not depend on certificate support, so
the feature is usable in NO_CERTS (PSK-only) builds.

Added unit tests for the new APIs and enforcement.
2026-07-02 16:02:20 +02:00
Tobias Frauenschläger 11f71108ba PKCS#7: support SignedData with absent eContent
Allow encoding and verifying a CMS SignedData whose encapContentInfo
carries no eContent, that is, a signed-attributes-only signature over
empty content (RFC 5652 makes eContent OPTIONAL). This is required for
SCEP CertRep PENDING and FAILURE messages (RFC 8894 section 3.2.2),
which must omit the pkcsPKIEnvelope entirely.

Encode: wc_PKCS7_EncodeSignedData computes the messageDigest over the
empty content when detached is set and contentSz is 0, since there is no
eContent to drive the normal content-hashing pass.

Verify: PKCS7_VerifySignedData no longer rejects an absent eContent when
no external content or hash was supplied. It is processed as a detached
signature over empty content, and wc_PKCS7_VerifyContentMessageDigest
computes the digest of zero-length content using the parsed digest
algorithm. The messageDigest comparison still rejects a stripped
non-empty eContent.

Add pkcs7_signed_no_content_test, a round-trip over a CMS SignedData
whose encapContentInfo carries no eContent (a detached signature over
empty content, signed-attributes-only), as produced by SCEP CertRep
PENDING/FAILURE messages. The encode omits the eContent and the verify
accepts it without any caller-supplied content or hash, checking the
messageDigest against the hash of empty content. Run for RSA/SHA-256.
2026-07-02 14:17:20 +02:00
Mattia Moffa bf985f1d21 NewConnectionId: reject CID larger than DTLS_CID_MAX_SIZE 2026-07-02 14:16:25 +02:00
Tobias Frauenschläger 154f2e2ea4 F-6547 - Reject TLS KeyUpdate on QUIC connections
QUIC performs key updates at the packet-protection layer via the Key
Phase bit, so RFC 9001 section 6 requires a QUIC endpoint to reject any
received TLS KeyUpdate handshake message as a fatal unexpected_message
connection error and to never send one. The TLS 1.3 receive path
processed the message normally, rotating traffic secrets and possibly
emitting a prohibited KeyUpdate response, and the send path allowed a
QUIC connection to originate a KeyUpdate.

Guard the key_update case in SanityCheckTls13MsgReceived so a QUIC
connection aborts with a fatal unexpected_message alert, and guard
Tls13UpdateKeys so a QUIC connection cannot send a KeyUpdate. Add a
QUIC unit test that feeds a post-handshake KeyUpdate and confirms the
connection is refused.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger e8865748f2 F-6351 - Fix use after free in wolfSSL_ASN1_STRING_set self-alias
When the caller passes the object's own data pointer as the source,
wolfSSL_ASN1_STRING_set freed the existing buffer before copying from
it, reading freed memory in the dynamic case and copying cleared bytes
in the fixed-buffer case. Duplicate the source into a temporary buffer
when it aliases the object before disposing of the old buffer, then
free the temporary once the copy completes.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 3c5ae182a6 F-6350 - Cap d2i_ASN1_OBJECT parse window to OID size
An oversized length argument was passed straight to GetASNHeader as the
buffer bound. A caller supplying a length larger than the real buffer let
the OBJECT_ID header claim more content than was present, driving the OID
validation read past the end of the allocation. Since an ASN1_OBJECT is an
OID, clamp the parse window to the maximum OID encoding so the header
decode cannot read beyond a sane bound.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger d88ac76fda F-6347 - Reject negative and oversized length in EVP_EncodeUpdate
wolfSSL_EVP_EncodeUpdate did not validate the input length. A large
inl caused the block loop and the residual copy to read far past the
caller's input buffer, and a negative inl was silently treated as
success. Reject negative lengths and lengths whose base64 output would
overflow a positive int before processing any data.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 2943ee6a69 F-6346 - Reject oversized length in EVP_EncodeBlock
wolfSSL_EVP_EncodeBlock rejected negative input lengths but passed any
large positive length straight to Base64_Encode_NoNl, which read that
many bytes from the caller input buffer and ran past its allocation.

Reject input lengths whose base64 output would overflow a positive int,
which also bounds the read against the caller allocation. The encoded
length is the int return value, so the safe maximum input is
(INT_MAX / 4) * 3.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 845a3a93b5 F-6345 - Reject oversized length in memory BIO write
wolfSSL_BIO_write rejected negative lengths but allowed a large positive
length through to wolfSSL_BIO_MEMORY_write. On a fresh buffer an INT_MAX
length overflowed the 4/3 buffer growth calculation, so the grow reported
success with a short allocation and the following copy read far past the
small source buffer.

Add an upper bound check that rejects lengths large enough to overflow the
growth math before any allocation or copy, and add a regression test that
drives a huge length through the public BIO_write entry point.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 7562ae5e37 F-6427 - Reject RC2 cipher ops when no key is set
The RC2 encrypt and decrypt operations used the expanded key schedule
without checking that a key had ever been configured. On a zeroed or
otherwise unkeyed context the ECB ops ran over an all-zero schedule and
returned success, and the CBC wrappers inherited the same behavior, so
a caller who skipped wc_Rc2SetKey received ciphertext under an
unintended key with no error signalled.

Guard wc_Rc2EcbEncrypt and wc_Rc2EcbDecrypt on a zero keylen and return
MISSING_KEY when no key has been set. The CBC wrappers call these and
propagate the error. Mirrors the existing 3DES keySet guard.

Add a regression test covering the unkeyed path for all four ops.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 5cf136d15a F-6426 - Reject Camellia cipher ops when no key is set
The Camellia encrypt and decrypt operations used the key schedule
without checking that a key had ever been configured. A zeroed or
otherwise unkeyed context has a keySz that does not match 128, 192,
or 256, so the underlying block transform hit the default no-op case
and CBC emitted an easily reversible XOR chain while still returning
success. A caller who forgot wc_CamelliaSetKey received a success
code with effectively unencrypted output.

Add a key-state check that accepts only valid Camellia key sizes and
have wc_CamelliaEncryptDirect, wc_CamelliaDecryptDirect,
wc_CamelliaCbcEncrypt, and wc_CamelliaCbcDecrypt return MISSING_KEY
when no key has been set. Mirrors the existing 3DES keySet guard.

Add a regression test covering the unkeyed and garbage key-size paths.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 4de819075f Merge pull request #10835 from yosuke-wolfssl/fix/cert
certs: re-sign orphaned rsapss/mldsa leaves and add chain guard
2026-07-02 11:34:59 +02:00
Mattia Moffa 3b21af4277 Invalidate record size cache when changing connection IDs 2026-07-02 05:54:03 +02:00
Yosuke Shimizu b87edc2040 certs: re-sign orphaned rsapss/mldsa leaves and add chain guard 2026-07-02 10:34:06 +09:00
Daniel Pouzzner 076dc5a206 Merge pull request #10773 from rlm2002/coverity
24062026 Coverity fixes
2026-07-01 17:59:19 -05:00
Daniel Pouzzner fd3b489ea5 Merge pull request #10787 from stenslae/update-wolfssl-email
Updated email to facts@wolfssl.com
2026-07-01 17:52:20 -05:00
Daniel Pouzzner 7dd269fc52 Merge pull request #10793 from embhorn/gh10790
Restore error code from DecodeGeneralName
2026-07-01 17:49:37 -05:00
Daniel Pouzzner beca44b2fb Merge pull request #10795 from embhorn/gh10791
Fix to send record_overflow alert
2026-07-01 17:45:43 -05:00
Daniel Pouzzner 22b552c668 Merge pull request #10809 from aidangarske/fenrir-6558-nameconstraints-minmax
Reject name constraint subtree with non-zero minimum or maximum
2026-07-01 17:38:28 -05:00
Daniel Pouzzner fed8d6a57e Merge pull request #10814 from kojiws/fix_ecc_31bytes_on_test
Fix ECC buffer test by correcting message length
2026-07-01 17:35:47 -05:00
Daniel Pouzzner 0703dc9c6e Merge pull request #10815 from SparkiDev/tls13_test_cv_sig_alg
TLSv1.3 test: CertificateVerify signature algorithm test
2026-07-01 17:27:48 -05:00
Daniel Pouzzner 7afcc3eef6 Merge pull request #10687 from rlm2002/zd-NameConstraints
Name Constraints cert chain walk
2026-07-01 17:24:52 -05:00
Daniel Pouzzner 9f48aef47f Merge pull request #10638 from rizlik/nc_uri_trailing_dot
NameConstraints fixes
2026-07-01 17:14:08 -05:00
Daniel Pouzzner d733f203fa Merge pull request #10663 from rizlik/pubkey_ecc_operation_cb
Introduce ECC Make PUB and ECC Check Pub crypto callbacks
2026-07-01 16:53:24 -05:00
Daniel Pouzzner fb54c0a56e Merge pull request #10734 from philljj/bsdkm_fixes
bsdkm: fenrir and misc cleanup.
2026-07-01 16:48:29 -05:00
Daniel Pouzzner 5a9a49d5d5 Merge pull request #10730 from rizlik/dtlsv13_interop
dtlsv13: fix: send correct CH2 when server does not send HRR
2026-07-01 16:40:29 -05:00
Daniel Pouzzner 64a0f384a4 Merge pull request #10780 from holtrop-wolfssl/rust-rename-dilithium-mldsa
Rust wrapper: rename dilithium to mldsa
2026-07-01 16:30:28 -05:00
Daniel Pouzzner 36437417b6 Merge pull request #10703 from holtrop-wolfssl/rust-validate-prefix-env-var
Rust wrapper: validate WOLFSSL_PREFIX in build.rs
2026-07-01 16:29:36 -05:00
Daniel Pouzzner a66b87b926 Merge pull request #10645 from holtrop-wolfssl/rust-ed-verify-result-codes
Rust wrapper: fix incorrect return value from Ed448 and Ed25519 signature verify functions.
2026-07-01 16:28:44 -05:00
David Garske c9e4b13be4 Merge pull request #10829 from douzzer/20260630-various-fixes
20260630-various-fixes
2026-07-01 14:28:27 -07:00
Daniel Pouzzner 323027d1d2 Merge pull request #10820 from lealem47/dh_min_sz
FIPS: Default to 2048 bit min DH crypto
2026-07-01 14:40:04 -05:00