Commit Graph

9958 Commits

Author SHA1 Message Date
Daniel Pouzzner 326f40d032 Merge pull request #10626 from mattia-moffa/20260605-dtls-cid-check-newest
DTLS bugfixes
2026-07-03 01:18:38 -05:00
Daniel Pouzzner 8c7ab8eb4f Merge pull request #10686 from Frauschi/openssl_group_align
Align wolfSSL_set1_groups_list() arg handling with OpenSSL
2026-07-03 01:17:33 -05:00
Daniel Pouzzner a543bc4d78 Merge pull request #10745 from Frauschi/mandatory_psk
Enable support for mandatory PSKs
2026-07-03 01:16:45 -05:00
Daniel Pouzzner cce3f2571e Merge pull request #10803 from Frauschi/fenrir
Fenrir fixes
2026-07-03 01:11:03 -05:00
Daniel Pouzzner d638d2afd7 Merge pull request #10209 from ColtonWilley/harden-chain-depth-and-parser-bounds
Harden chain depth bounds and parser input validation
2026-07-03 01:03:36 -05:00
Daniel Pouzzner dc326f8c70 Merge pull request #10691 from julek-wolfssl/tls13-fragmented-sessionticket-defrag
TLS 1.3: reassemble fragmented post-handshake messages after FreeArrays
2026-07-03 00:50:10 -05:00
Daniel Pouzzner 3c72ada3b1 Merge pull request #10711 from kareem-wolfssl/zd21987
Add a NULL check to refineSuites.
2026-07-03 00:47:08 -05:00
Daniel Pouzzner 27e160fa53 Merge pull request #10764 from embhorn/gh10761
Fix TLS1.2 error code correction
2026-07-03 00:41:35 -05:00
Daniel Pouzzner 9d3152cae2 Merge pull request #10708 from rlm2002/support-fixes
Support fixes - various reports
2026-07-02 12:51:11 -05:00
Tobias Frauenschläger 79b30aa268 Enable support for mandatory PSKs
Add a new option to require that an external Pre-Shared Key is negotiated
for a handshake to succeed, configured via the new APIs
wolfSSL_CTX_require_psk()/wolfSSL_require_psk(). When set, a handshake
that completes without negotiating an external PSK is aborted with
PSK_MISSING_ERROR instead of falling back to a certificate handshake, so
the PSK acts as an additional security factor.

This is a TLS 1.3 / DTLS 1.3 feature. In (D)TLS 1.2 the use of a PSK is
determined by the negotiated cipher suite, so a mandatory PSK is instead
configured there by restricting the cipher suite list to PSK suites; the
new APIs therefore reject non-TLS-1.3 contexts with BAD_FUNC_ARG.

To keep the requirement fail-closed, the APIs also disable version
downgrade on the object so a downgrade-capable context (e.g. one created
from a v23 method) cannot silently fall back to (D)TLS 1.2 and complete
without a PSK; a peer that does not support (D)TLS 1.3 fails to connect.

The requirement applies to external PSKs only (not session tickets):
session-ticket resumption is exempt. To preserve forward secrecy a
mandatory external PSK must also use an (EC)DHE key exchange; a pure
psk_ke handshake is rejected with PSK_KEY_ERROR. When used with
WOLFSSL_CERT_WITH_EXTERN_PSK, it also ensures that peers are properly
authenticated with both the PSK and via certificates.

The new APIs live alongside the existing wolfSSL_[CTX_]no_dhe_psk()/
only_dhe_psk() PSK options and do not depend on certificate support, so
the feature is usable in NO_CERTS (PSK-only) builds.

Added unit tests for the new APIs and enforcement.
2026-07-02 16:02:20 +02:00
Mattia Moffa bf985f1d21 NewConnectionId: reject CID larger than DTLS_CID_MAX_SIZE 2026-07-02 14:16:25 +02:00
Tobias Frauenschläger 154f2e2ea4 F-6547 - Reject TLS KeyUpdate on QUIC connections
QUIC performs key updates at the packet-protection layer via the Key
Phase bit, so RFC 9001 section 6 requires a QUIC endpoint to reject any
received TLS KeyUpdate handshake message as a fatal unexpected_message
connection error and to never send one. The TLS 1.3 receive path
processed the message normally, rotating traffic secrets and possibly
emitting a prohibited KeyUpdate response, and the send path allowed a
QUIC connection to originate a KeyUpdate.

Guard the key_update case in SanityCheckTls13MsgReceived so a QUIC
connection aborts with a fatal unexpected_message alert, and guard
Tls13UpdateKeys so a QUIC connection cannot send a KeyUpdate. Add a
QUIC unit test that feeds a post-handshake KeyUpdate and confirms the
connection is refused.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger e8865748f2 F-6351 - Fix use after free in wolfSSL_ASN1_STRING_set self-alias
When the caller passes the object's own data pointer as the source,
wolfSSL_ASN1_STRING_set freed the existing buffer before copying from
it, reading freed memory in the dynamic case and copying cleared bytes
in the fixed-buffer case. Duplicate the source into a temporary buffer
when it aliases the object before disposing of the old buffer, then
free the temporary once the copy completes.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 3c5ae182a6 F-6350 - Cap d2i_ASN1_OBJECT parse window to OID size
An oversized length argument was passed straight to GetASNHeader as the
buffer bound. A caller supplying a length larger than the real buffer let
the OBJECT_ID header claim more content than was present, driving the OID
validation read past the end of the allocation. Since an ASN1_OBJECT is an
OID, clamp the parse window to the maximum OID encoding so the header
decode cannot read beyond a sane bound.
2026-07-02 11:36:01 +02:00
Tobias Frauenschläger 845a3a93b5 F-6345 - Reject oversized length in memory BIO write
wolfSSL_BIO_write rejected negative lengths but allowed a large positive
length through to wolfSSL_BIO_MEMORY_write. On a fresh buffer an INT_MAX
length overflowed the 4/3 buffer growth calculation, so the grow reported
success with a short allocation and the following copy read far past the
small source buffer.

Add an upper bound check that rejects lengths large enough to overflow the
growth math before any allocation or copy, and add a regression test that
drives a huge length through the public BIO_write entry point.
2026-07-02 11:36:01 +02:00
Mattia Moffa 3b21af4277 Invalidate record size cache when changing connection IDs 2026-07-02 05:54:03 +02:00
Daniel Pouzzner 076dc5a206 Merge pull request #10773 from rlm2002/coverity
24062026 Coverity fixes
2026-07-01 17:59:19 -05:00
Daniel Pouzzner fd3b489ea5 Merge pull request #10787 from stenslae/update-wolfssl-email
Updated email to facts@wolfssl.com
2026-07-01 17:52:20 -05:00
Daniel Pouzzner beca44b2fb Merge pull request #10795 from embhorn/gh10791
Fix to send record_overflow alert
2026-07-01 17:45:43 -05:00
Daniel Pouzzner 9f48aef47f Merge pull request #10638 from rizlik/nc_uri_trailing_dot
NameConstraints fixes
2026-07-01 17:14:08 -05:00
Daniel Pouzzner 5a9a49d5d5 Merge pull request #10730 from rizlik/dtlsv13_interop
dtlsv13: fix: send correct CH2 when server do not send HRR
2026-07-01 16:40:29 -05:00
Tobias Frauenschläger 9e71da21ac Merge pull request #10751 from aidangarske/tinytls13
Add --enable-tinytls13 TLS 1.3-only footprint profile.

Merging with PRB-master-job failing. Failures are unrelated to this PR.
2026-07-01 15:21:04 +02:00
philljj b5636ffaf9 Merge pull request #10696 from douzzer/20260615-linuxkm-fixes
20260615-linuxkm-fixes
2026-06-30 12:00:25 -05:00
David Garske 8d63afab99 Merge pull request #10767 from SparkiDev/ppc64_ppc32_asm_1
PPC64/PPC32 ASM: AES, SHA-2, SHA-3
2026-06-30 07:13:35 -07:00
Sean Parkinson 3e99430671 PPC64/PPC32 ASM: AES, SHA-2, SHA-3
PPC64:
  - Added AES-ECB/CBC/CTR/GCM/XTS using crypto instructions
  - Added SHA-256/512 using base scalar and crypto instructions
  - Added SHA-3 using base scalar and POWER8 VSX
  - Added SHA-3 x2/x3 but disabled compilation.
  - Added CPU id flags.
  - Changed the constant data format to be consistent with other platforms.
PPC32:
  - Added AES-ECB/CBC/CTR/GCM/XTS using base scalar
  - Added SHA-256/512 using base scalar
  - Added SHA-3 using base scalar
2026-06-30 08:52:45 +10:00
Daniel Pouzzner 300f58db6e src/include.am: remove wolfcrypt/src/aes_x86_64_asm.S from AESNI source lists in FIPS v2/v5/v6 sections. 2026-06-27 14:04:12 -05:00
Emma Stensland 92e76d4667 updated email to facts@wolfssl.com 2026-06-26 14:44:16 -06:00
Eric Blankenhorn 5d0678d38b Fix from review 2026-06-26 12:46:30 -05:00
Eric Blankenhorn c18833f520 Fix to send record_overflow alert 2026-06-26 11:49:59 -05:00
David Garske 0cecccdf6e Merge pull request #10756 from SparkiDev/aes_asm_ymm_zmm
Intel x64 ASM: Add new assembly for AES
2026-06-25 21:41:17 -07:00
Ruby Martin 0129f6fb72 Remove logically dead len and *data checks 2026-06-25 14:44:03 -06:00
Eric Blankenhorn 17523c69f6 Fix TLS1.2 error code correction 2026-06-23 14:32:24 -05:00
Sean Parkinson a342eba578 Intel x64 ASM: Add new assembly for AES
Support AES-XTS AVX512/VAES
Support AES-GCM AVX512/VAES
Support AES-ECB/CBC/CTR AVX512/VAES/AVX1/AES-NI.
Remove code from aes_asm.S/aes_asm.asm
Add CPU defines for AVX512 and VAES
Updated ASM files with new defines for AVX512.
Added support for printing out the new CPU Id flags in benchmark.
Added new files to Windows projects.
aes.c: Supports ECB/CBC/CTR in assembly. Supports calling AVX512/VAES assembly.
2026-06-23 20:54:59 +10:00
Aidan Garske 41fad5f307 Fix and expand tinytls13 footprint profile across CI configs
Make every --enable-tinytls13 spelling build and pass locally, and grow the
CI matrix to cover them. These are fixes found while testing the configs the
CI workflow had not actually exercised.

- internal.h, internal.c, ssl_load.c: include ML-DSA and Falcon in the
  pkCurveOID member and producer guards so the PSK plus ML-DSA build compiles.
- tls13.c: gate the DoTls13CertificateVerify definition on NO_CERTS to match
  its call site.
- settings.h: let the AES-256 adder survive the floor, default the
  user_settings path to the SHA-256 floor, make WOLFSSL_NO_MALLOC opt-in so
  the test suite still runs, and keep ML-DSA ASN.1 for the cert profile.
- configure.ac: drive ENABLED_ASM and emit WOLFSSL_NO_ASM for the small C
  floor, restrict SP math to P-256, strip ML-DSA ASN.1 only on the PSK floor,
  and print a notice for the reduced security cert verify.
- examples: guard the cert loading paths for NO_CERTS and treat NO_CERTS as
  PSK mode in echoserver and echoclient.
- Add examples/configs/tinytls13_smoke.c, an in memory TLS 1.3 handshake test
  that drives PSK, ECDSA, ML-DSA-65 and RSA-PSS chain verify, plus forced
  cipher suites, for builds with no example or unit test harness.
- certs: add ECDSA leaves signed by the ML-DSA-65 and RSA-PSS CAs so the cert
  profiles drive a real PQC and PSS chain verify in CI.
- .github/workflows/tinytls13.yml: cover every profile and adder, run the
  smoke handshake on the build verified configs, and least privilege the
  workflow token.
2026-06-22 12:08:58 -07:00
aidan garske 8bce9f0ead Add --enable-tinytls13 TLS 1.3-only footprint profile (PSK+ECDHE floor + minimal X.509) 2026-06-19 15:22:59 -07:00
Marco Oliverio 9e7958c108 dtlsv13: fix: send correct CH2 when server do not send HRR 2026-06-18 13:46:08 +02:00
Sean Parkinson fc946d6327 Intel x86/x64 assembly fixes
Allow x86 to build with assembly for enable all - disable assembly when x86 and not assembly code available. Add file fe_operations.c when assembly and x86.
x86: fix ECB decrypt to use corect offsets for parameters
     fix AES-NI and AVX1 assembly code
     fix sp_int with assembly to compile
     minor optimizations of AES-GCM
x64: Don't emit move instruction if source and destination are the same reg
     Use xor instead of mov 0
     minor optimizations of AES-GCM for AES-NI
2026-06-18 21:03:50 +10:00
JacobBarthelmeh 633784e91b Merge pull request #10714 from Frauschi/zd21992_2
Some more fixes
2026-06-17 17:34:15 -06:00
Tobias Frauenschläger 8e5be42a9d Fix !aNULL/!eNULL to drop explicitly-listed anonymous/NULL cipher suites
ParseCipherList() only cleared the InitSuites mask for "!aNULL"/"!eNULL",
which governs generated defaults, so an explicitly listed ADH or NULL-cipher
suite survived (e.g. "ADH-AES128-SHA:!aNULL" still offered an unauthenticated
suite). Scrub the explicit suites after parsing; exclusions are order-
independent and sticky (a later "ALL" cannot re-enable them).

Add test_wolfSSL_set_cipher_list_exclusions.
2026-06-17 19:14:07 +02:00
Kareem e971d198d3 Add a NULL check to refineSuites.
Thanks to xiaoshuai for the report.
2026-06-16 16:48:00 -07:00
Ruby Martin ccbc1bac60 free md5/sha before returning error 2026-06-16 16:19:55 -06:00
Tobias Frauenschläger eaa563419e BIO: reject negative length in memory BIO read
Reject a negative read length in the memory BIO read path so it cannot bypass
the signed bounds checks and reach a wild copy. Adds a regression test.
2026-06-16 20:56:45 +02:00
Tobias Frauenschläger f23544f094 TLS 1.3: fix for post-handshake authentication
Only exempt the missing-certificate check during the initial handshake; once a
post-handshake CertificateRequest is outstanding the server again requires the
client certificate (and its CertificateVerify). Adds a post-handshake auth
test.
2026-06-16 20:56:45 +02:00
Tobias Frauenschläger c929798460 TLS: validate negotiated certificate type for raw public keys
Ensure a peer's certificate form (X.509 vs raw public key) matches the
negotiated certificate type, defaulting to X.509 when none was negotiated,
on both the client and server. Adds RPK regression tests covering both
directions.
2026-06-16 20:31:36 +02:00
Tobias Frauenschläger 3e30e69c35 certman: enforce keyCertSign usage on chain-supplied intermediate CAs
Require the keyCertSign key usage on non-root intermediate CAs added during
path building when a KeyUsage extension is present, per RFC 5280. Adds a
regression test.
2026-06-16 20:31:36 +02:00
Tobias Frauenschläger d382439c7c PKCS7: tighten signature presence check in PKCS7_verify
Ensure a signer signature is actually verified before reporting a
PKCS7 SignedData object as verified, and add a regression test.
2026-06-16 20:19:22 +02:00
Juliusz Sosinowicz 0963541f3b TLS 1.3: reassemble fragmented post-handshake messages after FreeArrays
The handshake-message defragmentation buffer (pendingMsg/pendingMsgSz/
pendingMsgOffset/pendingMsgType) lived inside ssl->arrays, which
FreeHandshakeResources() releases once the handshake completes. For a
TLS 1.3 client the arrays are released whenever they are not being
retained for later use, e.g. when the library is built without
HAVE_SESSION_TICKET.

DoTls13HandShakeMsg() then took an "arrays == NULL" early path that
handed the record straight to DoTls13HandShakeMsgType() without any
reassembly. A post-handshake handshake message split across several
records -- such as a NewSessionTicket once a small max_fragment_length
has been negotiated -- was therefore rejected with INCOMPLETE_DATA (-310)
and the peer was reset. Fragmentation during the handshake was
unaffected because the arrays still existed at that point.

Move the defragmentation buffer fields out of Arrays and into the WOLFSSL
object so they survive FreeArrays(), and drop the now-unnecessary
arrays == NULL special case in DoTls13HandShakeMsg() so that
post-handshake messages are reassembled exactly like handshake messages.
The buffer is freed in wolfSSL_ResourceFree(). DoHandShakeMsg() (TLS 1.2)
is updated to use the relocated fields as well.

Add a regression test, test_tls13_fragmented_session_ticket, that
releases the client's handshake arrays after the handshake and injects a
NewSessionTicket fragmented across two records, confirming it is
reassembled and consumed instead of failing with INCOMPLETE_DATA.
2026-06-16 16:23:36 +00:00
Tobias Frauenschläger fe3d23ea1c Align wolfSSL_set1_groups_list() arg handling with OpenSSL
Align the argument parsing and handling of input group names to align it
with OpenSSL behavior:
* Do a case-insensitive comparison of the input names with our names
* Add aliases for "MLKEMxxx" groups without underscores in addition to
  our names with underscores (keep our for backward compatibility)
* Extend unit tests for both
2026-06-16 09:34:17 +02:00
David Garske 70883a4ead Merge pull request #10692 from JacobBarthelmeh/fuzz
additional sanity check on alert message size
2026-06-15 18:27:58 -07:00
JacobBarthelmeh 68422e84de additional sanity check on alert message size 2026-06-15 16:49:54 -06:00