Commit Graph

30031 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 1a2fcb8607 F-4144: propagate SendAlert result in DoHelloRequest no-reneg trace
In the WOLFSSL_OP_NO_RENEGOTIATION refusal path, WOLFSSL_LEAVE logged a
hard-coded 0 while the function actually returned SendAlert()'s result.
Capture the return value first so the trace reflects reality (e.g. when
SendAlert fails due to write backpressure) and return it.
2026-06-08 19:28:06 +00:00
Juliusz Sosinowicz 1f4afe9ccc F-5810: require renegotiation_info on renegotiation ClientHello
The server validated client_verify_data only inside
TLSX_SecureRenegotiation_Parse, which never runs when the renegotiation_info
extension is absent, so a renegotiation ClientHello that omitted it was never
checked. Track a per-handshake renegInfoSeen flag and, after parsing the
renegotiation ClientHello extensions, abort with handshake_failure if the
extension was absent (RFC 5746 3.7). Also reject an SCSV received during
renegotiation (RFC 5746 3.5).
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 1173a365fe F-4144: honor WOLFSSL_OP_NO_RENEGOTIATION
The documented 'reject peer-initiated renegotiation' option was accepted and
stored but never consulted. Now DoHelloRequest replies with a no_renegotiation
warning instead of starting SCR when the bit is set (client side), and the
server refuses a renegotiation ClientHello with a no_renegotiation warning
instead of resetting handshake state.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 6e1ca6bc70 F-5818: invalidate cached session on fatal alert
DoAlert marked a connection closed on a received fatal alert but left the
established session in the resumption cache, and the send path did the same,
so a session whose connection ended in a fatal alert remained resumable. Per
RFC 5246 Section 7.2.2 the session identifier MUST be invalidated; evict the
established session from the cache on both receipt and transmission of a fatal
alert via the new InvalidateSessionOnFatalAlert helper.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 0ec0db9357 F-5813: fail TLS 1.2 record send before the sequence number wraps
GetSEQIncrement silently rolled the 64-bit write sequence counter from 2^64-1
back to 0, reusing sequence number 0 with the same keys. Per RFC 5246 Section
6.1 sequence numbers MUST NOT wrap. BuildMessage now refuses to emit a TLS 1.2
record once the write sequence number has reached its maximum, returning the
new SEQUENCE_NUMBER_E error so the caller renegotiates or closes instead.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz a3a2609b18 F-5811: verify resumed cipher suite matches cached session
On session-ID resumption the client only checked that the server's selected
suite was in its offered list, not that it equaled the resumed session's
suite, so a server could resume the session ID under a different cipher suite.
Per RFC 5246 Section 7.4.1.2 / F.1.4 a resumed session reuses its negotiated
suite; abort with a fatal illegal_parameter on mismatch.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz b2c80eae15 F-5807: enforce EMS consistency on client session resumption
CompleteServerHello's resumption branch derived keys from the cached master
secret without checking the resumed session's extended_master_secret state
against the abbreviated ServerHello, letting a MITM strip EMS on resumption.
Per RFC 7627 Section 5.3, abort with a fatal handshake_failure when the cached
session's EMS flag does not match the ServerHello EMS state.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 0269b58400 F-5633: zeroize DTLS 1.3 ChaCha record-number keys before free
FreeCiphers released the DTLS 1.3 record-number protection ChaCha contexts
with XFREE only, leaving key material in freed heap memory. ForceZero both
contexts before freeing, matching the regular TLS ChaCha path in
FreeCiphersSide, and also zeroize a partially-set key in
Dtls13InitChaChaCipher when wc_Chacha_SetKey fails.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz 2d36eca90e F-4868: reject trailing bytes in TLS 1.3 CertificateRequest
DoTls13CertificateRequest advanced past the certificate_request_context and
extensions blocks but never verified the whole message body was consumed,
silently ignoring trailing bytes. RFC 8446 Section 4.3.2 fixes the wire
format; enforce that the consumed length equals the message size and return
BUFFER_ERROR (decode_error) otherwise.
2026-06-08 14:25:10 +02:00
Juliusz Sosinowicz e4007a8956 F-4867: reject trailing bytes in TLS 1.3 EncryptedExtensions
DoTls13EncryptedExtensions only bounds-checked the extensions length against
the message size, silently ignoring any trailing bytes. RFC 8446 Section 4.3.1
defines the message as solely the extensions block, so enforce length equality
and return BUFFER_ERROR (decode_error) on a mismatch.
2026-06-08 14:21:53 +02:00
Juliusz Sosinowicz c18784a11c F-3888: add negative tests for tampered RSA signatures/hashes
Extend test_wolfSSL_RSA_verify and test_wolfSSL_RSA_padding_add_PKCS1_PSS
with negative cases that flip a byte in the signature/encoding and in the
hash, asserting verification fails. This guards the XMEMCMP-based signature
acceptance decision in wolfSSL_RSA_verify_mgf against regressions that would
let any decryption result of matching length pass as valid.
2026-06-08 14:21:53 +02:00
Daniel Pouzzner 8fca95ce65 Merge pull request #10532 from rlm2002/zd21800
Remove chain walk for OCSP responder
2026-06-05 16:27:00 -05:00
Daniel Pouzzner 02d08790af Merge pull request #10575 from julek-wolfssl/fenrir-fixes-20260601
Fenrir: TLS/DTLS conformance and crypto hardening fixes
2026-06-05 16:26:05 -05:00
Daniel Pouzzner 764245a8a1 Merge pull request #10489 from holtrop-wolfssl/zd21798
Check SNI/ALPN in TLS 1.2/1.3 session resumptions
2026-06-05 16:25:18 -05:00
Daniel Pouzzner d5560b06cf Merge pull request #10556 from holtrop-wolfssl/rust-crate-updates-3
Rust wrapper: add scrypt KDF and RSA-OAEP support
2026-06-05 16:24:29 -05:00
Daniel Pouzzner 97095d209a Merge pull request #10561 from sebastian-carpenter/tls-ech-send-on-rejection
Enhancement: Stand out less with ECH or GREASE ECH
2026-06-05 16:23:41 -05:00
Daniel Pouzzner c300c41a68 Merge pull request #10514 from kaleb-himes/PQ-DOX
Add PQ documentation
2026-06-05 16:23:05 -05:00
Daniel Pouzzner 3012154367 Merge pull request #10259 from sebastian-carpenter/tls-ech-keylog
TLS ECH keylogging
2026-06-05 16:22:11 -05:00
Daniel Pouzzner 7caa3b97a8 Merge pull request #10503 from kareem-wolfssl/zd21858
Fix potential mismatch in size between DECL_MP_INT_SIZE_DYN and NEW_MP_INT_SIZE, fix unused variable warning in random.c.
2026-06-05 16:20:55 -05:00
Daniel Pouzzner fe77e37025 Merge pull request #10476 from julek-wolfssl/cache-overhead
Cache AEAD record overhead on WOLFSSL
2026-06-05 16:20:15 -05:00
Daniel Pouzzner 1d934846ea Merge pull request #10565 from philljj/bsdkm_misc_cleanup
bsdkm: misc cleanup.
2026-06-05 15:21:57 -05:00
David Garske f9817cf996 Merge pull request #10431 from mattia-moffa/20260330-max32666-sha-bare-metal
MAX32666 bare-metal SHA accelerator
2026-06-05 13:03:00 -07:00
Daniel Pouzzner c99567c96d Merge pull request #10596 from SparkiDev/regression_fixes_24
Regression testing fixes
2026-06-05 13:37:56 -05:00
Daniel Pouzzner f8f1e932a5 Merge pull request #10534 from SparkiDev/tls13_psk_id_fix
TLSv1.3 PSK binders: always use id protection
2026-06-05 12:36:00 -05:00
Daniel Pouzzner 2d186b378a Merge pull request #10537 from SparkiDev/tls13_pt_alert_before_enc
TLS 1.3 plaintext alert: ignore before seeing encrypted
2026-06-05 11:12:47 -05:00
Daniel Pouzzner 4bf2d52780 Merge pull request #10571 from Frauschi/mlkem_rename
Migrate internal ML-KEM consumers to canonical wc_MlKemKey API
2026-06-05 11:00:44 -05:00
Daniel Pouzzner 727041b525 Merge pull request #10543 from anhu/zeroOnAuthFail
For chachapoly, force zero of output on auth fail
2026-06-05 10:55:05 -05:00
Daniel Pouzzner d80785bb07 Merge pull request #10583 from Frauschi/zephyr_patch
Fixes for Zephyr secure sockets integration
2026-06-05 10:06:23 -05:00
Sean Parkinson eeab53205a Merge pull request #10600 from douzzer/20260604-asm-and-linuxkm-fixes
20260604-asm-and-linuxkm-fixes
2026-06-05 20:55:43 +10:00
Daniel Pouzzner b8d8e918af Merge pull request #10597 from SparkiDev/sp_lazy_mutex_init_improv
SP gen: FP_ECC init mutex improvement
2026-06-04 22:38:06 -05:00
Sean Parkinson b0757c1cb7 TLS 1.3 plaintext alert: ignore before seeing encrypted
Change to ignore plaintext alerts when
WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC is defined only until first
encrypted message from peer is seen.

Negative testing added.
2026-06-05 12:35:04 +10:00
Sean Parkinson 0796519a99 More regression testing fixes
Leak fixes: free existing ssl->buffers.key before overwriting in SetSSL_CTX() (internal.c) and wolfSSL_set_SSL_CTX() (ssl.c)

UAF fix: wc_CheckRsaKey() — mp_memzero_check(tmp) moved before the free (rsa.c)

Build guards: #ifndef NO_ED25519/ED448_VERIFY around forged-sig test data (test_ed25519/ed448.c); guard equal()/cmov() for verify-only builds (ge_operations.c); guard unused pointers under WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC (wc_mldsa.c)

Test cleanups (test.c): fix UB from out-of-range enum in hash_test(), always free AES dec object, fix der buffer declaration under small-stack builds
2026-06-05 11:30:53 +10:00
Sean Parkinson 089f1f7c91 TLSv1.3 PSK binders: always use id protection
Removed WOLFSSL_PSK_ID_PROTECTION from use as it is now on by default.
Always check whether the server has a certificate (not a CA chain).
If there is a certificate then continue, otherwise, report a binder
error.

Added test to ensure binder error returned and alert sent when no
NO_CERT. test_tls13_bad_psk_binder already tested no certificate.

Allowed memio test harness to be built when NO_CERT is defined.
2026-06-05 11:16:48 +10:00
Sean Parkinson ada6c5f95b SP gen: FP_ECC init mutex improvement
F-1379
Better handling of the lazy mutex initialization to use atomics where
available.

Improved atomic code when no system support:
 - add types
 - used types in functions

Add --no-ec to unit.test to not run wolfCrypt tests.
2026-06-05 10:58:44 +10:00
Daniel Pouzzner af119869d2 Merge pull request #10364 from MarkAtwood/fix/evp-cipher-iv-length-cfb-ofb
fix: EVP_CIPHER_iv_length returns 0 for AES-CFB128 and AES-OFB (ZD-21730)
2026-06-04 17:26:48 -05:00
Daniel Pouzzner b2e4bd1a11 Merge pull request #9987 from MarkAtwood/fix/evp-pkey-cmp-after-der-roundtrip
evp: fix EVP_PKEY_cmp for EC keys after DER deserialization
2026-06-04 17:19:46 -05:00
Daniel Pouzzner 6c4c03dc76 Merge pull request #10593 from miyazakh/f4429_EntropyGet
f4429 Add missing upper-bound validation in wc_Entropy_Get()
2026-06-04 17:09:36 -05:00
David Garske 887f88b106 Merge pull request #10599 from michael-membrowse/master
fix membrowse report group
2026-06-04 14:38:11 -07:00
Daniel Pouzzner 50166aab36 wolfcrypt/src/port/ppc64/ppc64-aes-asm.S: use TOC-relative addressing consistently, and add ELFv2 global-entry prologues. 2026-06-04 16:28:08 -05:00
Mattia Moffa bd022d995a Update README so the #define can be grepped by CI 2026-06-04 23:11:53 +02:00
Michael Rogov Papernov 5d810f4625 fix membrowse report group 2026-06-04 21:04:16 +01:00
Daniel Pouzzner ca59984200 wolfssl/wolfcrypt/settings.h: for WOLFSSL_LINUXKM, force on NO_STDDEF_H to avoid conflicts with linux/stddef.h, which is always included indirectly in linuxkm_wc_port.h (via linux/kernel.h);
fix indentation in WOLFSSL_uITRON4 section.
2026-06-04 14:20:50 -05:00
Daniel Pouzzner a7b0b3ebc2 linuxkm/module_hooks.c: tweak wc_linuxkm_malloc_usable_size() and my_kallsyms_lookup_name(), moving wc_linuxkm_can_block() to where it's really needed in my_kallsyms_lookup_name(). 2026-06-04 14:18:34 -05:00
Daniel Pouzzner 99bf36bb61 wolfcrypt/src/port/arm/armv8-32-curve25519.S and wolfcrypt/src/port/arm/armv8-32-curve25519_c.c: fix MPI overflow in L_curve25519_inv_8, similar to fix in #10536 (efabd1844a). 2026-06-04 14:12:01 -05:00
Mattia Moffa 8404459918 Update README 2026-06-04 21:04:34 +02:00
Mattia Moffa 6291af4e88 Add WOLFSSL_MAX3266X_SHA_ONESHOT to go to previous behavior 2026-06-04 20:59:29 +02:00
jordan 27edd64118 bsdkm: call wolfkdriv_unregister before wolfkmod_cleanup, and misc cleanup. 2026-06-04 11:42:43 -05:00
philljj 1f0f29cf30 Merge pull request #10590 from douzzer/20260603-linuxkm-fixes
20260603-linuxkm-fixes
2026-06-04 11:14:35 -05:00
Sean Parkinson 26a2b793dc Regression testing fixes
1. Side-aware ML-KEM in TLS (tls.c, tls13.c, ssl.c, internal.h):
TLSX_IsGroupSupported/TLSX_UseSupportedCurve take a `side` arg; new
TLSX_IsMlKemGroupSupported + client/server support macros. A build only
capable of one ML-KEM op no longer advertises groups it can't use for
its role.

2. NO_ASN_TIME support (ssl_asn1.c, ssl.h, settings.h): data-only
ASN1_TIME APIs now compile without system time; OCSP responder
auto-disabled under NO_ASN_TIME.

3. SP ECC (sp_*.c, sp_x86_64_asm.asm): curve `b` constants and
sp_ecc_is_point_* always compiled (point-check available in more
configs); asm movsxd -> movsx.

4. configure.ac: BUILD_MEMUSE fixed to trigger on != "xno".

5. Test fixes: HRR-aware TLS 1.3 memio tests (new
test_memio_msg_is_hello_retry_request); tightened build guards
(Ed25519/Ed448 key-import, AES decrypt, XMSS heights, SP sizes,
static-PSK).
2026-06-04 18:29:24 +10:00
Hideki Miyazaki 904a70d179 Addressed Copilot comments 2026-06-04 15:30:39 +09:00