Commit Graph

9576 Commits

Author SHA1 Message Date
JacobBarthelmeh b5738236d9 Merge pull request #10187 from embhorn/zd21587
Fixes in TLS ECH, handle empty records, and ASN len check
2026-04-22 14:44:15 -06:00
JacobBarthelmeh bc4bec63fc Merge pull request #10094 from sebastian-carpenter/GH-10068
Fixes: for GH #10068
2026-04-22 14:24:25 -06:00
JacobBarthelmeh c098e53948 Merge pull request #10247 from julek-wolfssl/fenrir/20260417
Fenrir fixes
2026-04-21 16:26:38 -06:00
JacobBarthelmeh ad8b6dbc32 Merge pull request #10217 from ColtonWilley/null-checks-evp-ocsp-x509
Fix NULL derefs, buffer overflow, and i2d contract in EVP/OCSP/X509
2026-04-20 17:27:19 -06:00
Juliusz Sosinowicz a010825bb0 Address review comments on Fenrir zeroization fixes
Two follow-ups raised by Copilot review on PR #10247:

src/pk_rsa.c: Make derAllocSz a word32 instead of int and only assign
it after a successful XMALLOC, so the cleanup path can never call
ForceZero with a wrapped-around size derived from a negative derSz.

src/pk.c: Capture allocSz at the XMALLOC call site (and clear it back
to 0 on allocation failure) so the relationship between the buffer
allocation and the recorded size is explicit and cannot drift if the
surrounding control flow changes.
2026-04-20 16:12:30 +00:00
Tobias Frauenschläger 847f3d6bab Make sure large buffers are on the heap with SMALL_STACK 2026-04-19 20:38:41 +02:00
Mattia Moffa 807214dc55 Avoid unneeded temporary stack buffer; remove redundant check 2026-04-17 19:32:23 +02:00
Juliusz Sosinowicz 1e040923c6 Only zero unused tail of PKCS#8 PEM buffer
F-2148

The prior fix zeroed the computed DER staging area, but PEM output from
wc_DerToPemEx fills most of the buffer and overlaps that region,
corrupting the valid PEM. Preserve the allocation size and zero only
the bytes beyond the actual PEM length, or the whole buffer on failure.
2026-04-17 17:02:58 +02:00
Juliusz Sosinowicz 00fff0f3fc Zeroize PKCS#8 DER staging area in PEM write helper
F-2148

pem_write_mem_pkcs8privatekey stages the PKCS#8 DER encoded private key
at the tail of the PEM buffer, then writes the shorter PEM output at
the head of the same buffer. The DER tail is not overwritten, leaking
the plaintext private key to heap memory after the callers free. Zero
the DER staging area before returning.
2026-04-17 16:48:06 +02:00
Juliusz Sosinowicz 87e5c62111 Zeroize EC DER buffer in i2d_ECPrivateKey error path
F-2147

The error path in wolfSSL_i2d_ECPrivateKey could free an EC private key
DER staging buffer that may contain a partial private scalar. Zeroize
before XFREE.
2026-04-17 16:47:47 +02:00
Juliusz Sosinowicz 9925f90720 Zeroize RSA DER buffer in d2i_RSAPrivateKey_bio before free
F-2146

wolfSSL_d2i_RSAPrivateKey_bio read PKCS#1-encoded RSA private key DER
from a BIO into a heap buffer and freed it without ForceZero. Zeroize
before XFREE on both success and error paths.
2026-04-17 16:47:33 +02:00
Juliusz Sosinowicz a82828b3ac Zeroize RSA DER buffer in CTX_use_RSAPrivateKey before free
F-2145

wolfSSL_CTX_use_RSAPrivateKey staged the RSA private key DER (PKCS#1:
n, e, d, p, q, dP, dQ, qInv) in a heap buffer and freed it without
ForceZero. Zeroize before XFREE.
2026-04-17 16:47:19 +02:00
Juliusz Sosinowicz fa3feb7442 Zeroize static ephemeral key buffer before free
F-2144

SetStaticEphemeralKey loaded a private key file into keyBuf and freed it
without ForceZero. Static ephemeral keys are long-lived, so zeroize the
buffer before XFREE.
2026-04-17 16:46:57 +02:00
Juliusz Sosinowicz 9790719955 Zeroize sniffer watch key buffer before free
F-2143

ssl_SetWatchKey_file loaded a private key file into a heap buffer and
freed it without ForceZero on both error and success paths. Zeroize
before XFREE.
2026-04-17 16:46:43 +02:00
Juliusz Sosinowicz 4c8adc5046 Zeroize RSA DER buffer in To_Der error path
F-2142

wolfSSL_RSA_To_Der could free a buffer holding RSA private key material
when the DER encoding step failed. Record the allocation size and
ForceZero the buffer before XFREE on the private key path.
2026-04-17 16:46:24 +02:00
Juliusz Sosinowicz dfd37f4299 Zeroize EC DER buffer in PEM write error path
F-2141

The error path in wolfSSL_PEM_write_mem_ECPrivateKey freed the EC
private key DER staging buffer without ForceZero. Zeroize before free.
2026-04-17 16:45:29 +02:00
Juliusz Sosinowicz a05dd200a9 Zeroize DSA DER buffer in PEM write before free
F-2140

wolfSSL_PEM_write_mem_DSAPrivateKey serializes the DSA private key to a
heap DER buffer and freed it on five paths without ForceZero. Zeroize
the buffer before each XFREE.
2026-04-17 16:45:14 +02:00
Juliusz Sosinowicz cb495320fe Zeroize DER buffer in der_to_enc_pem_alloc before free
F-2139

Previously the plaintext private key DER buffer was freed via XFREE
without a preceding ForceZero when no password encryption was requested.
Track the actual allocation size and zeroize the buffer before release.
2026-04-17 16:44:45 +02:00
Tobias Frauenschläger 0de3925207 Add RFC8773bis cert_with_extern_psk support
Implement RFC8773bis (draft-ietf-tls-8773bis-13)
cert_with_extern_psk for TLS 1.3, including protocol checks
and API support.

Includes unit tests for API and handshake behavior as well
as tests in the testsuite using extended examples.
2026-04-17 15:12:04 +02:00
Sean Parkinson 755a90b3f3 Merge pull request #10218 from julek-wolfssl/zd/21535
Fix bugs found in crl.c, keys.c, and ssl_certman.c review
2026-04-17 10:46:48 +10:00
Sean Parkinson 9d1fe652b1 Merge pull request #10224 from embhorn/zd21594
Various fixes in internal.c
2026-04-17 09:44:33 +10:00
Brett Nicholas 4bf334c299 Merge pull request #10009 from night1rider/SHE-update
Add SHE (Secure Hardware Extension) support to wolfCrypt
2026-04-16 16:49:00 -06:00
Daniel Pouzzner 801c412ad2 src/tls.c, wolfssl/ssl.h, tests/api.c: followup to ff7a32d022 (#10182):
* Fix OOB heap reads via TLSX_ExtractEch() by preemptively rejecting oversized
  SNI names in TLSX_UseSNI().

* In TLSX_EchChangeSNI(), don't attempt to truncate if an oversized name is
  seen, just return error.

* Move definition of WOLFSSL_HOST_NAME_MAX to an ungated context in ssl.h, and
  use it consistently in tls.c, eliminating the duplicative
  WOLFSSL_HOST_NAME_MAX.
2026-04-16 11:12:02 -05:00
Sean Parkinson 3c2a92d21d Merge pull request #10225 from kareem-wolfssl/zd21544
Fix uninitialized before use warning.  Fix unsupported #warning directive by Tasking compiler.
2026-04-16 08:55:49 +10:00
Sean Parkinson f286f62cb3 Merge pull request #10201 from gasbytes/quic_record_cap
add missing WOLFSSL_QUIC_MAX_RECORD_CAPACITY check on the early-data
2026-04-16 08:42:35 +10:00
Sean Parkinson 6be03a5dab Merge pull request #10182 from embhorn/zd21576
Fix TLSX_EchChangeSNI to check hostname termination
2026-04-16 08:37:42 +10:00
Sean Parkinson 0c93bf9e7c Merge pull request #10229 from mattia-moffa/20260415-zd21621
Fix regressions (fast math MAX_ENCODED_SIG_SZ; DTLS export IV buffer size)
2026-04-16 08:33:23 +10:00
Sean Parkinson 1fab25301f Merge pull request #10221 from julek-wolfssl/gh/10197
TLS 1.3: evict session from cache after accepted 0-RTT resumption
2026-04-16 08:16:31 +10:00
Eric Blankenhorn 0ddde71279 Fix from review 2026-04-15 17:07:22 -05:00
night1rider f081a08c5c Address comments from bigbrett and Fenrir bot. Rename she.{c,h} to wc_she.{c,h}, fix naming consistency, auto-enable CMAC/AES dependencies, add WC_SHE_SW_DEFAULT opt-inAddress PR #10009 review comments from bigbrett and Fenrir 2026-04-15 11:28:03 -06:00
night1rider eeedc470e9 Add SHE (Secure Hardware Extension) support to wolfCrypt 2026-04-15 11:27:44 -06:00
Daniel Pouzzner bfca39a97b src/ssl.c, src/ssl_sess.c, src/x509.c, wolfssl/internal.h: rename wolfssl_get_ex_new_index() to wolfssl_local_get_ex_new_index(). 2026-04-15 11:53:32 -05:00
Daniel Pouzzner d8085cc427 src/ssl_load.c, wolfssl/ssl.h, tests/api.c: rename wolfSSL*PrivateKey_id() to wolfSSL*PrivateKey_Id_ex(), and add missing WOLF_PRIVATE_KEY_ID gating. 2026-04-15 11:53:06 -05:00
sebastian-carpenter 9a161a69f2 extra overflow clamp 2026-04-15 09:31:22 -06:00
Mattia Moffa bd3cf10270 DTLS export: cap IV size at buffer size
ExportKeyState was writing ssl->specs.iv_size bytes from
keys->aead_enc_imp_IV (always sized AEAD_MAX_IMP_SZ). ssl->specs.iv_size
carries a different meaning depending on the cipher suite: in AEAD
suites it's the implicit IV / nonce size, but in CBC it's the block
cipher's IV size (16). In CBC this overran the size of aead_enc_imp_IV
(12).
2026-04-15 12:39:49 +02:00
Daniel Pouzzner ebbab7ac45 src/crl.c: fix sequence in FreeCRL(): First decrement the refcount, then shut down the CRL monitor, then deallocate resources (fixes ASAN-detected read-after-free). 2026-04-14 23:09:20 -05:00
Sean Parkinson 6ac0f82b85 Merge pull request #10204 from mattia-moffa/20260413-fixes
SetSuitesHashSigAlgo fix
2026-04-15 11:39:26 +10:00
Sean Parkinson 5ad6097f15 Merge pull request #10168 from night1rider/zd-21534
Address bug fixes sent in by ZD 21534
2026-04-15 09:11:04 +10:00
Sean Parkinson 0b88017e20 Merge pull request #10181 from embhorn/zd21567
Fix ReqCertFromX509 to check bounds
2026-04-15 09:01:25 +10:00
Sean Parkinson 14ebd3d649 Merge pull request #10170 from embhorn/zd21566
Fix partial chain verification
2026-04-15 08:58:28 +10:00
Kareem 5defbc3219 Tasking compiler does not support #warning and needs the #pragma message case where available.
Fixes #10108.
2026-04-14 15:06:20 -07:00
Eric Blankenhorn fb726b70c7 Fix from review 2026-04-14 16:44:16 -05:00
Eric Blankenhorn 6aa9db43f2 Fix from review 2026-04-14 15:53:00 -05:00
Eric Blankenhorn 2e5a0b76af Various fixes in internal.c 2026-04-14 15:01:12 -05:00
Juliusz Sosinowicz e5f569ad7c TLS 1.3: evict session from cache after accepted 0-RTT resumption
Per RFC 8446 section 8, a server MUST ensure that any instance of it
would accept 0-RTT for the same 0-RTT handshake at most once. Without
this, the same ClientHello could be replayed to re-accept early data on
a subsequent connection.

After the PSK is authenticated (binder verified) in DoPreSharedKeys,
call wolfSSL_SSL_CTX_remove_session on ssl->session when the client
offered 0-RTT and the session permits it. That evicts the entry from
the internal cache (under the row's write lock) and invokes the
application's ctx->rem_sess_cb so any external cache can drop its copy
too. The session's timeout is also cleared so the live reference held
by the current handshake cannot be resumed again.

The mutation is paid only when the client actually included the
early_data extension on a 0-RTT-capable session, so normal resumptions
are unaffected and the existing remove-callback counts in
test_wolfSSL_CTX_add_session_ext_{tls13,dtls13} stay correct.

wolfSSL_SSL_CTX_remove_session was previously declared and defined only
under the OpenSSL compatibility layer. Because it is now called from
the core TLS 1.3 PSK path, the declaration in wolfssl/ssl.h and the
definition in src/ssl_sess.c are moved out of that block to match the
existing !NO_SESSION_CACHE gate under which the function is meaningful.
wolfSSL_SSL_get0_session stays in the compat block.

test_tls13_early_data_0rtt_replay verifies the behaviour. It does a
full TLS 1.3 handshake with stateful tickets (SSL_OP_NO_TICKET) and
max_early_data > 0, then tries to resume the saved session twice while
offering 0-RTT each time. A minimal single-slot external session cache
is wired up via wolfSSL_CTX_sess_set_{new,get,remove}_cb to confirm
both caches are cleared. Round 0 must resume and deliver the early
data, and rem_calls must hit 1 (the fix's single eviction). Round 1
must fall back to a full handshake (session_reused == 0), deliver no
early data, and leave rem_calls at 1.

Verified against multiple configurations (incl. --enable-all
--enable-earlydata, the no-compat -DHAVE_EXT_CACHE build, and the
os-check.yml combo). Valgrind under -g2 -O0 with OPENSSL_EXTRA +
HAVE_EXT_CACHE + HAVE_EX_DATA reports no errors and no
definitely-lost bytes.

Refs wolfSSL/wolfssl#10197
2026-04-14 15:35:50 +00:00
Eric Blankenhorn 0c0c426875 Fix from review 2026-04-14 09:35:29 -05:00
Juliusz Sosinowicz 4a36d16b30 Fix bugs found in crl.c, keys.c, and ssl_certman.c review
crl.c:
- wolfSSL_X509_CRL_dup: add NULL check on input before dereferencing crl->cm
- DupX509_CRL: distinguish empty source CRL list from allocation failure so
  duplicating a CRL with no entries no longer returns MEMORY_E
- wolfSSL_X509_STORE_add_crl: free newly-allocated CRL when wc_LockRwLock_Rd
  fails to avoid leaking it
- InitCRL: propagate wolfSSL_RefInit failure in OPENSSL_ALL +
  WOLFSSL_REFCNT_ERROR_RETURN builds, freeing crlLock (and cond when
  HAVE_CRL_MONITOR is enabled) on the error path

keys.c:
- GetCipherSpec: remove duplicate usingPSK_cipher assignment in
  BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 case
- GetCipherSpec: return UNSUPPORTED_SUITE for unknown cipher suite bytes in
  the TLS13_BYTE, ECDHE_PSK_BYTE, and SM_BYTE switch blocks, matching the
  behavior of the ECC_BYTE, CHACHA_BYTE, and normal suite switches
- SetKeys: fix misleading indentation on the AESCCM and SM4-CCM dec->aes
  NULL-check return statements

ssl_certman.c / internal.h:
- AddTrustedPeer: remove dead code that checked peerCert->permittedNames
  and peerCert->excludedNames immediately after XMEMSET zeroed the struct
- AddTrustedPeer: use cm->heap (matching allocation) instead of NULL when
  freeing cert on the ParseCert failure path
- Extract the body of wolfSSL_CertManagerFree into a new static helper
  DoCertManagerFree that unconditionally disposes of the certificate
  manager, bypassing the reference count check. wolfSSL_CertManagerFree
  now delegates to it after the RefDec check.
- Add caLockInit, tpLockInit, and refInit bitfield members to
  WOLFSSL_CERT_MANAGER that track which sub-resources were successfully
  initialized. DoCertManagerFree consults these flags so that it only
  destroys mutexes and the reference count that were actually set up,
  which makes partial-construction cleanup safe without relying on
  platform-specific behavior of free-on-zeroed-storage.
- wolfSSL_CertManagerNew_ex: set the init flags as each sub-resource is
  initialized, and on failure call DoCertManagerFree directly to free
  exactly the resources that succeeded. Set cm->heap immediately after
  XMEMSET so the forceful free path can use it.
2026-04-14 13:14:21 +00:00
Eric Blankenhorn c873f3f77d Fix from review 2026-04-14 07:58:43 -05:00
Eric Blankenhorn 8f73ae460d Fix TLSX_Parse to check dup ECH 2026-04-14 07:37:21 -05:00
Eric Blankenhorn a6fd25b94e Fix partial chain verification 2026-04-14 07:25:11 -05:00