Commit Graph

993 Commits

Author SHA1 Message Date
Sean Parkinson 1847c6e778 Merge pull request #9721 from dgarske/x25519_nb
Add X25519 non-blocking support and async example improvements
2026-02-12 07:56:58 +10:00
David Garske bc12b7563f Peer review improvements 2026-02-10 14:51:51 -08:00
Juliusz Sosinowicz f810dc2a01 Add check for KeyShare in ServerHello
Fixes ZD21171
2026-02-10 12:39:27 +01:00
David Garske 2a18b7ee44 Fix non-blocking X25519/ECC with WOLFSSL_ASYNC_CRYPT_SW
The non-blocking setup for X25519 and ECC in TLS was unconditionally
setting up nbCtx, which caused functions to return FP_WOULDBLOCK. However,
with INVALID_DEVID (the default), TLS has no async loop to handle
FP_WOULDBLOCK, only WC_PENDING_E via the async framework.

The fix follows the pattern used in asn.c: only set up nbCtx when the async
device is active (devId != INVALID_DEVID). With INVALID_DEVID, the code now
uses the blocking fallback (WC_ECC_NONBLOCK_ONLY) instead.

This prevents unit test timeouts when built with --enable-curve25519=nonblock
or --enable-ecc=nonblock.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-09 09:22:36 -08:00
David Garske 19bb7198a2 Peer review fixes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 10:24:31 -08:00
David Garske 4d3925d526 Add X25519 non-blocking support for key gen and shared secret
## Summary
- Add non-blocking (incremental) Curve25519 key generation and shared secret via `WC_X25519_NONBLOCK`, modeled after the existing ECC non-blocking pattern (`WC_ECC_NONBLOCK`)
- Implement `curve25519_nb()` and `fe_inv__distinct_nb()` in `fe_low_mem.c` as state-machine variants that return `FP_WOULDBLOCK` to yield after each field multiply
- Add `wc_curve25519_set_nonblock()` API to attach/detach non-blocking context to a key
- Integrate X25519 non-blocking with TLS 1.2/1.3 key share generation and shared secret in `tls.c` and `internal.c` (behind `WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW`)
- Add `--enable-curve25519=nonblock` configure option (auto-enables `--enable-asynccrypt` and `--enable-asynccrypt-sw`)
- Add X25519 async software dispatch cases in `async.c` and types in `async.h`
- Fix async guard in `curve25519.c` to require `WOLFSSL_ASYNC_CRYPT_SW` (matching other algorithms)
- Overhaul `examples/async/` client/server: non-blocking I/O via `WOLFSSL_USER_IO`, standalone `Makefile`, X25519/ECC mode selection, CI-friendly ready-file sync
- Add `examples/configs/user_settings_curve25519nonblock.h` and CI coverage in `os-check.yml` and new `async-examples.yml` workflow
- Add wolfcrypt test and API test coverage for X25519 non-blocking
2026-02-04 21:28:52 -08:00
Kareem 1e770e1a0f Send decode_error alert rather than illegal_parameter when receiving an empty/malformed keyshare extension. Fixes #9640. 2026-02-04 15:40:30 -07:00
Sean Parkinson bc9e37118e Regression test fixes
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.

wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.
2026-01-28 07:37:29 +10:00
Tobias Frauenschläger 14ce7956f1 Increase test coverage
* More PQC configurations
* More CMake setups
* Fix various bugs uncovered by these tests

Added some missing feature additions to CMake to make the example
`user_settings_all.` config file work for the CI test.
2026-01-23 09:27:16 +01:00
Tobias Frauenschläger eb8ba6124e Support TLS 1.3 ECC Brainpool authentication
This also fixes TLS 1.2 authentication to only succeed in case the
brainpool curve was present in the supported_groups extension.
2026-01-22 14:14:09 +01:00
Tobias Frauenschläger a462398387 Support Brainpool ECC curve TLS 1.3 key exchange
When both TLS 1.3 and Brainpool curves are enabled, three new groups can
be used for the ECDHE key exchange according to RFC 8734:
* WOLFSSL_ECC_BRAINPOOLP256R1TLS13 (31)
* WOLFSSL_ECC_BRAINPOOLP384R1TLS13 (32)
* WOLFSSL_ECC_BRAINPOOLP512R1TLS13 (33)

Also ensure that the existing TLS 1.2 curves are sent properly.

The TLS client application is updated to support handshakes via
Brainpool curves using the new argument "--bpKs".
2026-01-22 14:14:09 +01:00
Daniel Pouzzner 9ae87e2a48 Merge pull request #9657 from embhorn/gh9655
Fix TLSX_Parse to correctly handle client and server cert type ext with TLS1.3
2026-01-16 23:59:31 -06:00
Daniel Pouzzner 0ceed2d832 Merge pull request #9664 from padelsbach/hmac-update-len-check
Add length check to Hmac_UpdateFinal_CT to prevent build error
2026-01-16 15:35:58 -06:00
Ruby Martin 2596d56802 verify length limit for supported version ext
add length check to tls extensions
2026-01-15 10:58:26 -07:00
Eric Blankenhorn 3c5b8f900e Fix TLSX_Parse to correctly handle client and server cert type ext with TLS1.3 2026-01-15 07:36:52 -06:00
Paul Adelsbach f3fb63aea7 Add length check to Hmac_UpdateFinal_CT to prevent build error 2026-01-14 09:31:35 -08:00
Kareem 6145f3aba2 Fix incorrect alert being sent when wolfSSL receives unexpected PSK extension.
Fixes #9503.
2025-12-26 15:24:14 -07:00
Juliusz Sosinowicz f61bfd7805 Check KeyShare after HRR 2025-12-17 10:27:04 +01:00
Sean Parkinson 44be44a509 TLS 1.3 missing extension: return correct alert code
Change TLS 1.3 handling to return missing_extension alert code when
 - KeyShare is present but SupportedGroups is missing and
 - SupportedGroups is present but KeyShare is missing

Added tests for this.
2025-12-15 09:07:13 +10:00
JacobBarthelmeh c5fb83f52d fix warnings for g++ build with async 2025-11-21 14:38:40 -07:00
Sean Parkinson 1ec18949bc TLS 1.3 duplicate KeyShare entry fix
Fix comparison to be greater than or equal in case count is incremented
after maxing out.
2025-11-13 08:23:19 +10:00
Anthony Hu 6e583a01f1 Use suites->hashSigAlgoSz instead of len in call to TLSX_SignatureAlgorithms_MapPss 2025-11-04 15:36:33 -05:00
effbiae 8969e5f36a refactor to TLSX_EchChangeSNI 2025-10-17 13:51:42 +11:00
Sean Parkinson c111c5bacc Regression testing
x509.c: realloc may fail and therefore need to store result in a
temporary so the old pointer is not lost.

tls.c: free the name if it is not pushed on to the stack of peer CA
names. Failure to push can be from memory allocation failure.

aes.c: Don't compile XTS decrypt functions without HAVE_AES_DECRYPT.

Fix tests to have better pre-processor protection.
2025-10-16 12:13:32 +10:00
Daniel Pouzzner b2c105d5f7 Merge pull request #9292 from embhorn/zd20626
Fix GCC warnings
2025-10-13 23:17:13 -05:00
effbiae 75a6621c63 hand edits for small stack compress 2025-10-11 11:40:30 +11:00
effbiae 7a3db09ddd automated small stack compress 2025-10-11 11:40:30 +11:00
Eric Blankenhorn aa56c40d30 Fix / suppress GCC warnings 2025-10-10 11:56:03 -05:00
Juliusz Sosinowicz f9063c406b Enables dynamic TLS cert loading with OCSP
Exposes dynamic TLS certificate loading and OCSP stapling to allow applications to load certs lazily.

The server no longer needs to load the CA to staple OCSP responses.

Adds a certificate setup callback (WOLFSSL_CERT_SETUP_CB)
Adds an OCSP status callback to load OCSP responses directly
Adds `wc_NewOCSP`, `wc_FreeOCSP`, and `wc_CheckCertOcspResponse`
Don't call verify twice on the same error
Send correct alert on status response error
2025-10-03 13:08:11 +02:00
Sean Parkinson ea4554c941 Merge pull request #9234 from effbiae/TLSX_WriteWithEch
restore inner server name in TLSX_WriteWithEch
2025-10-03 09:20:40 +10:00
Daniel Pouzzner d5750ac7ca Merge pull request #9250 from gasbytes/issue-9247
Added check in TLX_Parse to check if KeyShare extension is present SupportedGroups must be present too (and viceversa)
2025-09-30 20:36:50 -05:00
Daniel Pouzzner 234ba7780a Merge pull request #9148 from SparkiDev/ct_volatile
Mark variables as volatile
2025-09-30 20:35:52 -05:00
Daniel Pouzzner b4ee8869c8 Merge pull request #9246 from julek-wolfssl/gh/9240
Abort connection if we are about to send the same CH
2025-09-30 20:35:32 -05:00
Reda Chouk be02b1ea72 Added check in TLX_Parse to check if KeyShare extension is present
SupportedGroups must be present too (and viceversa).
From RFC 8446 Section 9.2.
2025-09-29 13:10:32 +02:00
Juliusz Sosinowicz f798a585d9 Abort connection if we are about to send the same CH 2025-09-26 12:08:53 +02:00
Sean Parkinson aa87b35964 Mark variables as volatile
Ensures compiler optimizers don't stop code from being constant time.
2025-09-24 08:47:20 +10:00
effbiae a8fb94b425 restore inner server name in TLSX_WriteWithEch 2025-09-23 23:30:25 +10:00
Mattia Moffa 4535572428 Use memio in tests, fix ifdef, fix typos 2025-09-23 11:50:21 +02:00
Mattia Moffa 3bdb43eb6a Add support for certificate_authorities extension in ClientHello 2025-09-17 15:33:05 +02:00
Anthony Hu 2885df68b4 Properly detect duplicate CKS extensions. 2025-08-25 12:01:50 -04:00
David Garske 1f579afc66 Merge pull request #9117 from SparkiDev/tls13_ks_fix
TLS 1.3 KeyShare: error on duplicate group
2025-08-22 12:54:54 -07:00
Sean Parkinson b1cdf0b214 TLS 1.3 KeyShare: error on duplicate group
Don't allow a KeyShare extension from the client to have more
than one entry for any group.
2025-08-21 08:23:31 +10:00
Sean Parkinson cd55fe6135 TLS 1.3: Fix for onlyDhePskKe
Make client enforce onlyDhPskKe flag.
2025-08-19 14:29:30 +10:00
Josh Holtrop e6eac9b920 Fix inconsistent function prototype parameter names for wolfssl 2025-08-07 09:28:50 -04:00
Ruby Martin 598a3e6232 check return value of wc_DhGetNamedKeyParamSize 2025-08-01 14:56:35 -06:00
Anthony Hu c7e054a7a7 Rename ML-KEM hybrids to match IETF Draft. 2025-07-25 13:27:26 -04:00
Daniel Pouzzner b7b0ab6dbf src/tls.c: fix double free just added to TLSX_KeyShare_GenPqcKeyClient(). 2025-07-23 16:18:22 -05:00
Daniel Pouzzner 8d7009e9de src/tls.c: in TLSX_KeyShare_GenPqcKeyClient(), add smallstack coverage to !WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ code paths. 2025-07-23 12:02:07 -05:00
Sean Parkinson 1f72866489 Merge pull request #8993 from miyazakh/tsip_tlsproperties_uc
Make properties related to TLS handshake hidden for TSIP TLS user-context structure
2025-07-22 17:05:44 +10:00
Hideki Miyazaki 0a0b9a3c24 Make properties related to TLS handshake hidden for TSIP TLS user context structure 2025-07-11 14:25:06 +09:00