Commit Graph

763 Commits

Author SHA1 Message Date
Tobias Frauenschläger e05a453944 Support RFC 9802 LMS and XMSS in X.509 certificate and CSR generation
Extend wc_MakeCert_ex/wc_SignCert_ex/wc_MakeCertReq_ex to issue HSS/LMS and
XMSS/XMSS^MT certificates and PKCS#10 requests, building on the existing
RFC 9802 verification support. New LMS_TYPE/XMSS_TYPE/XMSSMT_TYPE selectors,
wc_{Lms,Xmss}Key_PublicKeyToDer SPKI encoders, runtime signature-buffer
sizing, and sigType/key consistency checks. Generation is ASN.1-template
only, matching where the verification path lives.

Tests generate self-signed roots, CSRs and a CA->ECC-leaf chain in-process
and verify them, replacing the patched Bouncy Castle fixtures (only the stock
RFC 9802-aligned LMS interop anchor is kept).
2026-06-10 10:51:33 +02:00
Sean Parkinson 359e688dc3 ssl.c: Move functions out to own files and add testing
ssl_api_pk.c: added Public-key APIs (min/max key sizes, DH key test,
signature NIDs, tmp ecdh. Reworked code of new functions.
ssl_api_cert.c: added more SSL Certificate APIs. Reworked code of new
functions.
ssl_api_ext.c: TLS extension APIs (session tickets, max fragment,
groups, etc.). Reworked code.
ssl_api_dtls.c: DTLS APIs (cookie secret, etc.)

Improved test coverage for functions moved.
2026-06-10 09:11:59 +10:00
David Garske 4f09916e7e Merge pull request #10443 from anhu/protonamelist
Enforce only 1 protocolname in serverhello
2026-06-09 15:42:02 -07:00
David Garske 358ae9a559 Merge pull request #10249 from ColtonWilley/pr15-tls-config-bounds
Add negative-count and NULL checks to group-setting and shared-cipher APIs
2026-06-09 14:40:16 -07:00
David Garske e2d3b63139 Merge pull request #10207 from ColtonWilley/d2i_pem_negative_length
Add signed-length validation to d2i, PEM, and buffer-load APIs
2026-06-08 15:42:00 -07:00
David Garske dbf72c4f00 Merge pull request #10601 from kareem-wolfssl/f3772
Fenrir fixes
2026-06-08 15:23:05 -07:00
Colton Willey 41c09a734c Address review cleanups 2026-06-08 15:10:51 -07:00
David Garske c9cb0ef033 Merge pull request #10212 from ColtonWilley/fix-skid-overflow-and-null-checks
Harden X509 DER length handling in wolfSSL_X509_get_der and wolfSSL_i2d_X509
2026-06-08 15:01:14 -07:00
Daniel Pouzzner 672da2ad96 Merge pull request #10633 from holtrop-wolfssl/f-4141
Add unit tests that TLS resumption fails due to ALPN mismatch
2026-06-08 15:21:53 -05:00
Daniel Pouzzner f3ab345d1c Merge pull request #10553 from julek-wolfssl/tls-12-mutual-auth
Allow RSA client certs on ECDHE-ECDSA mutual auth
2026-06-08 15:21:29 -05:00
Daniel Pouzzner e51317261d Merge pull request #10630 from yosuke-wolfssl/fix/f_4890
Fix odd-length CertificateRequest signature_algorithms acceptance
2026-06-08 15:21:02 -05:00
Daniel Pouzzner 1943a6f33a Merge pull request #10550 from rizlik/sha512_only
add support for WOLF_CRYPTO_CB_ONLY_SHA512
2026-06-08 15:20:08 -05:00
Colton Willey 6211210c86 Strengthen regression tests for group and shared-cipher API guards 2026-06-08 12:41:34 -07:00
Colton Willey 00a21b0bfa Add regression tests for group-setting and shared-cipher API guards
Extend test_tls13_apis with negative-count assertions for
wolfSSL_CTX_set_groups and wolfSSL_set_groups, and NULL-groups
assertions for wolfSSL_CTX_set1_groups and wolfSSL_set1_groups
(tests/api/test_tls13.c).

Add test_wolfSSL_get_shared_ciphers covering NULL ssl, NULL buf, and
zero-length inputs (tests/api/test_tls.c).
2026-06-08 12:41:34 -07:00
Kareem 4a854b0a71 Add unit test for wc_AesEaxEncryptFinal authTagSz below minimum. 2026-06-08 10:29:10 -07:00
Juliusz Sosinowicz a3bc7c96a0 tests: relocate TLS 1.2 mutual-auth tests to avoid merge collision
The two new tests (test_tls12_ecdhe_ecdsa_rsa_client_cert and
test_tls12_ecdhe_rsa_ecdsa_client_cert) were appended right after
test_wolfSSL_alert_desc_string, the last function in test_tls.c. Another
in-flight branch appends its own new tests at the same anchor, producing
a spurious add/add merge conflict even though the additions are
independent. Move these two functions just above
test_wolfSSL_alert_desc_string so the two branches insert at different
locations and merge cleanly. Pure code movement; no behavior change.
2026-06-08 15:10:27 +02:00
Juliusz Sosinowicz fdda31b5c3 Allow RSA client certs on ECDHE-ECDSA mutual auth
The TLS 1.2 server derived the single advertised ClientCertificateType
and the signature_algorithms list in its CertificateRequest from the
negotiated cipher suite's own signature algorithm. On an ECDHE-ECDSA
suite only ecdsa_sign was offered (and only ECDSA sig algs), so RSA
clients could not authenticate even though the server could happily
verify an RSA certificate. The same was true in reverse for an RSA
server: the CertificateRequest only advertised rsa_sign.

Refactor SendCertificateRequest to advertise certificate_types and
signature_algorithms covering both sig families when both are compiled
in. Three static helpers in internal.c keep the logic in one place
without mutating ssl->suites:

  GetServerCertReqCertTypes    - certificate_types to emit
  GetServerCertReqHashSigAlgo  - signature_algorithms to emit
  InServerCertReqHashSigAlgo   - membership check used for verification

The advertised lists are written to stack buffers in the caller. To
keep DoCertificateVerify in agreement with what we actually sent, the
SupportedHashSigAlgo call site there is replaced with
InServerCertReqHashSigAlgo, which rebuilds the same list locally and
looks up the client's chosen algo.

Replace the magic certTypes buffer size with a new
MAX_CERT_REQ_CERT_TYPE_CNT constant declared next to
ClientCertificateType.

Add two end-to-end mutual-auth tests covering both directions:

  test_tls12_ecdhe_ecdsa_rsa_client_cert - ECDSA server, RSA client
  test_tls12_ecdhe_rsa_ecdsa_client_cert - RSA  server, ECDSA client

Update test_certreq_sighash_algos to permit RSA / RSA-PSS sig algs in
the ECDHE-ECDSA CertificateRequest; the previous assertion locked in
the ECDSA-only behaviour that this change corrects.

TLS 1.3 is unaffected: RFC 8446 removed certificate_types from
CertificateRequest, and TLS 1.3 cipher suites do not bind a signature
algorithm, so the server's hashSigAlgo already covers both sig
families when either has been compiled in.
2026-06-08 15:10:27 +02:00
Yosuke Shimizu a6f69ec09c Fix odd-length CertificateRequest signature_algorithms acceptance 2026-06-08 11:33:50 +09:00
Daniel Pouzzner 8fca95ce65 Merge pull request #10532 from rlm2002/zd21800
Remove chain walk for OCSP responder
2026-06-05 16:27:00 -05:00
Daniel Pouzzner 764245a8a1 Merge pull request #10489 from holtrop-wolfssl/zd21798
Check SNI/ALPN in TLS 1.2/1.3 session resumptions
2026-06-05 16:25:18 -05:00
Daniel Pouzzner 7caa3b97a8 Merge pull request #10503 from kareem-wolfssl/zd21858
Fix potential mismatch in size between DECL_MP_INT_SIZE_DYN and NEW_MP_INT_SIZE, fix unused variable warning in random.c.
2026-06-05 16:20:55 -05:00
Daniel Pouzzner fe77e37025 Merge pull request #10476 from julek-wolfssl/cache-overhead
Cache AEAD record overhead on WOLFSSL
2026-06-05 16:20:15 -05:00
Daniel Pouzzner c99567c96d Merge pull request #10596 from SparkiDev/regression_fixes_24
Regression testing fixes
2026-06-05 13:37:56 -05:00
Daniel Pouzzner f8f1e932a5 Merge pull request #10534 from SparkiDev/tls13_psk_id_fix
TLSv1.3 PSK binders: always use id protection
2026-06-05 12:36:00 -05:00
Daniel Pouzzner 2d186b378a Merge pull request #10537 from SparkiDev/tls13_pt_alert_before_enc
TLS 1.3 plaintext alert: ignore before seeing encrypted
2026-06-05 11:12:47 -05:00
Daniel Pouzzner 4bf2d52780 Merge pull request #10571 from Frauschi/mlkem_rename
Migrate internal ML-KEM consumers to canonical wc_MlKemKey API
2026-06-05 11:00:44 -05:00
Sean Parkinson b0757c1cb7 TLS 1.3 plaintext alert: ignore before seeing encrypted
Change to ignore plaintext alerts when
WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC is defined only until first
encrypted message from peer is seen.

Negative testing added.
2026-06-05 12:35:04 +10:00
Sean Parkinson 0796519a99 More regression testing fixes
Leak fixes: free existing ssl->buffers.key before overwriting in SetSSL_CTX() (internal.c) and wolfSSL_set_SSL_CTX() (ssl.c)

UAF fix: wc_CheckRsaKey() — mp_memzero_check(tmp) moved before the free (rsa.c)

Build guards: #ifndef NO_ED25519/ED448_VERIFY around forged-sig test data (test_ed25519/ed448.c); guard equal()/cmov() for verify-only builds (ge_operations.c); guard unused pointers under WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC (wc_mldsa.c)

Test cleanups (test.c): fix UB from out-of-range enum in hash_test(), always free AES dec object, fix der buffer declaration under small-stack builds
2026-06-05 11:30:53 +10:00
Sean Parkinson 089f1f7c91 TLSv1.3 PSK binders: always use id protection
Removed WOLFSSL_PSK_ID_PROTECTION from use as it is now on by default.
Always check whether the server has a certificate (not a CA chain).
If there is a certificate then continue, otherwise, report a binder
error.

Added test to ensure binder error returned and alert sent when no
NO_CERT. test_tls13_bad_psk_binder already tested no certificate.

Allowed memio test harness to be built when NO_CERT is defined.
2026-06-05 11:16:48 +10:00
Daniel Pouzzner af119869d2 Merge pull request #10364 from MarkAtwood/fix/evp-cipher-iv-length-cfb-ofb
fix: EVP_CIPHER_iv_length returns 0 for AES-CFB128 and AES-OFB (ZD-21730)
2026-06-04 17:26:48 -05:00
Daniel Pouzzner 6c4c03dc76 Merge pull request #10593 from miyazakh/f4429_EntropyGet
f4429 Add missing upper-bound validation in wc_Entropy_Get()
2026-06-04 17:09:36 -05:00
Marco Oliverio 0314b3fed2 cryptocb: support WOLF_CRYPTO_CB_ONLY_SHA512 2026-06-04 20:21:50 +02:00
Colton Willey 368e1486f6 Harden X509 DER length handling in wolfSSL_X509_get_der and wolfSSL_i2d_X509
- src/x509.c: Guard wolfSSL_X509_get_der against derCert->length > INT_MAX, and reject derSz <= 0 in wolfSSL_i2d_X509.
- tests/api/test_ossl_x509_io.{c,h}: Add API coverage for the X509 DER length guards.
2026-06-04 10:38:37 -07:00
Josh Holtrop b01382c13b Add unit tests that TLS resumption fails due to ALPN mismatch
Fix F-4141
2026-06-04 09:26:43 -04:00
Marco Oliverio 5744df1c77 test: add sha512 variants by sha512 general fallback test 2026-06-04 12:06:31 +02:00
Sean Parkinson 26a2b793dc Regression testing fixes
1. Side-aware ML-KEM in TLS (tls.c, tls13.c, ssl.c, internal.h):
TLSX_IsGroupSupported/TLSX_UseSupportedCurve take a `side` arg; new
TLSX_IsMlKemGroupSupported + client/server support macros. A build only
capable of one ML-KEM op no longer advertises groups it can't use for
its role.

2. NO_ASN_TIME support (ssl_asn1.c, ssl.h, settings.h): data-only
ASN1_TIME APIs now compile without system time; OCSP responder
auto-disabled under NO_ASN_TIME.

3. SP ECC (sp_*.c, sp_x86_64_asm.asm): curve `b` constants and
sp_ecc_is_point_* always compiled (point-check available in more
configs); asm movsxd -> movsx.

4. configure.ac: BUILD_MEMUSE fixed to trigger on != "xno".

5. Test fixes: HRR-aware TLS 1.3 memio tests (new
test_memio_msg_is_hello_retry_request); tightened build guards
(Ed25519/Ed448 key-import, AES decrypt, XMSS heights, SP sizes,
static-PSK).
2026-06-04 18:29:24 +10:00
Hideki Miyazaki 904a70d179 Addressed Copilot comments 2026-06-04 15:30:39 +09:00
Daniel Pouzzner 35329296e8 Merge pull request #10554 from gasbytes/ocsp-certid-serial-number-fix
OCSP_resp_find_status to require exact serial-length match
2026-06-03 22:49:31 -05:00
Daniel Pouzzner 12e7a1d5c3 Merge pull request #10548 from SparkiDev/x509_fixups_1
X509 API: fix issues
2026-06-03 22:48:19 -05:00
Daniel Pouzzner 4993571ccd Merge pull request #10549 from rizlik/nc_dns_wildcards
NameConstraints: support wildcard SAN
2026-06-03 22:29:49 -05:00
Hideki Miyazaki 9e711f5c9c Add MAX ENTROPY BITS check 2026-06-04 09:08:24 +09:00
Sean Parkinson aef6283a7e Merge pull request #10540 from Frauschi/small_order_check
Reject small-order public keys for Ed25519 and Ed448
2026-06-04 09:58:24 +10:00
David Garske 70da83972b Merge pull request #10536 from SparkiDev/curve25519_x64_red_fix
X25519 x64 ASM: fix full reduction
2026-06-03 09:24:48 -07:00
Daniel Pouzzner 768cdc39d3 wolfcrypt/src/asn.c: in DecodeGeneralName() and DecodeAcertGeneralName(),
* don't disable URI validation when defined(WOLFSSL_FPKI).
* return immediately with ASN_ALT_NAME_E when URI contains an unexpected '/', as in asn_orig.c DecodeAltNames(), fixing OOB read defect.

wolfcrypt/src/asn_orig.c: fix URI validation gating (ignore WOLFSSL_FPKI) in DecodeAltNames().

tests/api/test_certman.c: fix uriSan in test_wolfSSL_X509_check_host_URI_SAN_not_DNS_match() (make it a URI).

tests/api.c: align gating in test_wolfSSL_URI() with new dynamics (URIs validated regardless of defined(WOLFSSL_FPKI)).
2026-06-02 22:16:40 -05:00
Ruby Martin 5c3100ed5c Remove non-RFC-compliant OCSP responder chain walk. The chain walk
authorized any responder issued by an ancestor of the target's issuer;
  RFC 6960 4.2.2.2 requires direct issuance by the CA identified in the
  request.

    - Remove CheckOcspResponderChain() and WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK.
    - Drop now-unused vp parameter from CheckOcspResponder() and the
      OcspRespCheck() helper; cascade through template and non-template
      paths.

  OCSP test blobs:

    - Re-sign resp_server1_cert with intermediate1-ca (CA-direct path).
    - Add resp_server1_cert_ancestor_responder for the negative test.
    - Embed server1_cert_pem[] in test_ocsp_test_blobs.h so the new test
      runs under NO_FILESYSTEM; matching entry added to
      create_ocsp_test_blobs.py.
    - Regenerate response[] in test_certman.c with intermediate1-ca as
      signer; recipe switched from Wireshark export to openssl -respout
      + xxd -i for reproducibility.
    - Fix self-XOR in test_wolfSSL_CertManagerCheckOCSPResponse so the
      serial byte actually flips (^= 0xFF).

  Live OCSP coverage:

    - Add ocsp-responder-int1 (delegated responder issued directly by
      intermediate1-ca, with id-kp-OCSPSigning EKU) for the
      responder->intermediate->root chain.
    - scripts/ocsp-stapling.test: intermediate1 responder switched to
      ocsp-responder-int1 (delegated path).
    - scripts/ocsp-stapling2.test, scripts/ocsp-stapling_tls13multi.test:
      intermediate2 and intermediate3 sign their OCSP responses with
      their own CA keys (CA-direct path); root block unchanged
      (ocsp-responder-cert is still RFC-compliant for root-issued certs).
    - .github/workflows/ocsp.yml: server1 OCSP responder switched to
      ocsp-responder-int1 to match the cert chain.
    - New test_ocsp_ancestor_responder_rejected confirms the
      ancestor-issued response is rejected with OCSP_LOOKUP_FAIL.
2026-06-02 16:20:37 -06:00
Josh Holtrop 7f3d589c12 Support importing/exporting DTLS sessions with encrypt-then-mac options 2026-06-02 09:34:14 -04:00
Tobias Frauenschläger 320010aad6 Migrate internal ML-KEM consumers to canonical wc_MlKemKey API 2026-06-02 10:51:37 +02:00
Daniel Pouzzner d037bd1eed tests/api/test_pkcs12.c, tests/api/test_pwdbased.c: add missing FIPS version gates to test_wc_PKCS12_PBKDF(), test_wc_PKCS12_PBKDF_ex(), and test_wc_PBKDF1_ex_iterations();
wolfcrypt/src/evp_pk.c: fix identicalInnerCondition in wolfSSL_d2i_PKCS8_PKEY().
2026-06-01 14:23:38 -05:00
David Garske 71ca579ef2 Merge pull request #10317 from Roy-Carter/feature/pem_write_enhancement
Implementation for PEM_write_PrivateKey & PEM_write_PUBKEY
2026-06-01 10:10:39 -07:00
Sean Parkinson 8e4e76fdcc X509 API: fix issues
1. BasicConstraints pathLenConstraint absent vs. 0 —
get_ext_d2i/set_ext/V3_EXT_d2i now distinguish "no constraint" from 0
per RFC 5280 §4.2.1.9, using the existing basicConstPlSet flag.
2. GENERAL_NAME_print GEN_DIRNAME — added missing return-value
normalization so the directory name is actually printed (was emitting
only DirName:).
3. GENERAL_NAME_print GEN_DNS — use ASN1_STRING_print like the EMAIL/URI
cases, avoiding NULL-strData deref and NUL-truncation.
4. X509_print BasicConstraints — print , pathlen:N to match OpenSSL.
5. X509_print Extended Key Usage — print Any Extended Key Usage (was
omitted).
6. get_ext_d2i CRL_DIST_OID double-free — null gn immediately after
ownership transfers to dp, so an error from the next push doesn't free
it twice.
7. X509V3_EXT_print SAN truncation/failure — match XSNPRINTF size cap to
the allocation; was truncating at indent==1 and failing at indent>=2.
8. X509V3_EXT_print AUTH_KEY/SUBJ_KEY NULL deref — NULL-check
i2s_ASN1_STRING return before passing to %s.
9. X509_add_ext SAN type confusion — reject DIRNAME/RID/X400/EDIPARTY;
only the ASN1_STRING*-backed types are read via gn->d.ia5. Was
performing a wild-pointer XMEMCPY in add_altname_ex.

Also: extracted the SAN and WOLFSSL_CUSTOM_OID arms of X509_add_ext into
static helpers (behavior-preserving).

Regression tests added for #1–5 and #9; existing GENERAL_NAME_print test
hardened (gives GEN_DIRNAME a real directoryName, eliminating an OOB
read that the print fix would otherwise expose).
2026-06-01 09:57:19 +10:00