Commit Graph

9486 Commits

Author SHA1 Message Date
Daniel Pouzzner efe6ad4bd6 Merge pull request #10116 from Frauschi/zd21457
Additional fixes
2026-04-06 20:23:25 -05:00
Daniel Pouzzner 9347c895fc Merge pull request #10133 from Frauschi/ecc_curve_validation
Improved ECC curve validation
2026-04-06 20:20:35 -05:00
Daniel Pouzzner ede15b4ff4 Merge pull request #10137 from JacobBarthelmeh/acert
fix for acert builds
2026-04-06 19:17:48 -05:00
Daniel Pouzzner 32502e9963 Merge pull request #10102 from Frauschi/zd21460
Various fixes
2026-04-06 18:41:31 -05:00
Daniel Pouzzner 995092362f Merge pull request #10126 from julek-wolfssl/fenrir/20260302
Fenrir fixes
2026-04-06 18:40:11 -05:00
Daniel Pouzzner 0afd9f8819 Merge pull request #10127 from rlm2002/coverity
Coverity change 03042026
2026-04-06 18:24:22 -05:00
Daniel Pouzzner 4924402051 Merge pull request #10125 from kareem-wolfssl/zd21521
Add sz check to ChachaAEADDecrypt to prevent potential underflow.
2026-04-06 18:23:25 -05:00
Tobias Frauenschläger 0fb2d2ec11 ecc: fix invalid-curve attack via missing on-curve validation
wc_ecc_import_x963_ex2 only checked whether an imported public point
lies on the intended curve when both USE_ECC_B_PARAM was compiled in
and the caller passed untrusted=1. In a default ./configure build,
USE_ECC_B_PARAM is not defined, so the check was compiled out entirely.
Additionally, the legacy wrapper wc_ecc_import_x963_ex unconditionally
passed untrusted=0, meaning ECIES (wc_ecc_decrypt), PKCS#7 KARI, and
the EVP ECDH layer never triggered the check even when the macro was
present. In the OpenSSL compatibility layer, wolfSSL_ECPoint_d2i
guarded its on-curve check behind !wolfSSL_BN_is_one(point->Z), but
wc_ecc_import_point_der_ex always sets Z=1 for uncompressed points,
making the check dead code.

An attacker who can supply an EC public key (e.g. via an ECIES
ciphertext, PKCS#7 enveloped-data, EVP_PKEY_derive, or
EC_POINT_oct2point + ECDH_compute_key) can choose a point on a twist
of the target curve with a smooth-order subgroup. Each ECDH query
leaks the victim's static private scalar modulo a small prime; CRT
reconstruction across enough queries recovers the full key
(Biehl-Meyer-Müller invalid-curve attack). Static-key ECIES and PKCS#7
KARI are directly affected; TLS is affected in default builds because
the USE_ECC_B_PARAM gate defeated the untrusted=1 flag that the
handshake does pass.

Four changes close the attack:

1. Remove the USE_ECC_B_PARAM gate completely in the code base so that
   wc_ecc_point_is_on_curve() is compiled in all builds, not only
   those with HAVE_COMP_KEY or OPENSSL_EXTRA (only set for legacy FIPS
   builds in settings.h).

2. wc_ecc_import_x963_ex: pass untrusted=1 to wc_ecc_import_x963_ex2
   so that ECIES, PKCS#7 KARI, and EVP callers that go through the
   four-argument wrapper always validate the imported point.

3. wc_ecc_import_x963_ex2: use the lightweight sp_ecc_is_point_NNN
   helpers (curve-equation check only) instead of sp_ecc_check_key_NNN
   (which additionally performs a full point*order scalar multiply).
   For prime-order curves (P-256, P-384, P-521, SM2) the on-curve
   equation check y^2 = x^3 + ax + b is sufficient to defeat
   invalid-curve attacks — every non-identity point on a prime-order
   curve has the full group order, so the expensive order-multiply
   check is unnecessary. This avoids the ~50% ECDH performance
   regression caused by the redundant scalar multiplication.

4. wolfSSL_ECPoint_d2i (pk_ec.c): add unconditional on-curve
   validation via wolfSSL_EC_POINT_is_on_curve after import. The
   existing check was gated on !wolfSSL_BN_is_one(point->Z) and
   therefore dead code for all uncompressed-point imports. This closes
   the OpenSSL compat layer attack path (EC_POINT_oct2point followed
   by ECDH_compute_key).

Non-SP curves fall back to wc_ecc_point_is_on_curve which performs the
same equation check using mp_int arithmetic.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-06 21:18:32 +02:00
JacobBarthelmeh f6b022883f fix for acert builds 2026-04-06 11:17:01 -06:00
Daniel Pouzzner abce5be989 wolfcrypt: add additional enforcement of correct digest sizes in signature gen and verify ops:
* add WC_FIPS_186_4, WC_FIPS_186_4_PLUS, WC_FIPS_186_5, and WC_FIPS_186_5_PLUS feature macros.
* add support for WC_HASH_CUSTOM_MIN_DIGEST_SIZE, WC_HASH_CUSTOM_MAX_DIGEST_SIZE, and
  WC_HASH_CUSTOM_MAX_BLOCK_SIZE, for use with custom digest algorithms.
* add SigOidMatchesKeyOid() helper function and WC_MIN_DIGEST_SIZE macro.
* add additional size and OID agreement checks for sig gen and verify ops.
* update ecc_test_vector() with FIPS 186-5 vectors.

Co-authored-by: Tobias Frauenschläger <tobias@wolfssl.com>
2026-04-06 00:53:57 -05:00
Tobias Frauenschläger cece804621 Cap DTLS1.3 max ACK records to prevent overflow
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:32:53 +02:00
Daniel Pouzzner 0c9b6397be Merge pull request #10103 from gasbytes/fix-dtls13-oversized-cert-chain
Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains
2026-04-03 11:55:03 -05:00
Reda Chouk 1653ecd07e Fix DTLS 1.3 extSz out-of-bounds and word16 truncation on oversized certificate chains 2026-04-03 12:10:42 +02:00
Juliusz Sosinowicz f2b9e3d654 Unconditionally validate TLS 1.2 ciphertext size in ProcessReply F-1476 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz f28fd3746b ForceZero mac buffer in ExpectedResumptionSecret before return F-1465 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz 96b4e01b20 ForceZero mac buffer in DoTls13Finished before return F-1464 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz ed0976a821 ForceZero binderKey and binder buffers in DoPreSharedKeys F-1463 2026-04-03 10:34:55 +02:00
Juliusz Sosinowicz b72a2133fc ForceZero hmac buffer in Tls13IntegrityOnly_Decrypt before return F-1466 2026-04-03 10:34:55 +02:00
Tobias Frauenschläger 1823f2e9fc tls: fix ECH heap buffer overflow via publicName SNI pollution
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions
unconditionally even when TLSX_Find returned NULL. This caused
TLSX_UseSNI to attach the attacker-controlled publicName to the shared
WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then
failed to clean it up because its removal was gated on serverNameX !=
NULL. The inner ClientHello was sized before the pollution but written
after it, causing TLSX_SNI_Write to memcpy 255 bytes past the
allocation boundary.

Fix by mirroring the guarded pattern of the ssl->extensions branch:
only set extensions when TLSX_Find returns non-NULL, and only perform
the SNI swap when extensions is non-NULL. Also move TLSX_Remove in
TLSX_EchRestoreSNI outside the serverNameX guard so any injected
publicName SNI is always cleaned up.

Also return BAD_FUNC_ARG when ECH is used without an inner SNI,
preventing ECH ClientHello construction in an invalid configuration.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 22:38:26 -06:00
Tobias Frauenschläger e5ab7fa745 x509: fix CA:FALSE bypass in wolfSSL_X509_verify_cert
When an untrusted issuer has CA:FALSE and no verify_cb is registered,
the !isCa branch now fails closed (ret=WOLFSSL_FAILURE, goto exit)
instead of falling through and skipping X509StoreVerifyCert for the
leaf. SetupStoreCtxError_ex is also hardened to never overwrite a
previously recorded error with success, preventing a later valid chain
link from clobbering ctx->error back to X509_V_OK. Tests added for
both the no-callback rejection and the error-preservation cases.

Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
2026-04-02 22:38:16 -06:00
Daniel Pouzzner d278da09df Merge pull request #10112 from embhorn/zd21470
Fix CertFromX509 copy length check
2026-04-02 23:21:11 -05:00
Daniel Pouzzner ed1f055116 Merge pull request #10119 from kareem-wolfssl/zd21512
Exit MatchDomainName if pattern or string length reach 0.
2026-04-02 22:54:53 -05:00
Daniel Pouzzner 7a6e37d697 Merge pull request #10064 from julek-wolfssl/master
Fixes for wolfclu
2026-04-02 22:54:10 -05:00
Daniel Pouzzner 2c41a7c5aa Merge pull request #10115 from julek-wolfssl/zd/21469
Fix multiple bugs in OCSP implementation
2026-04-02 22:50:28 -05:00
Kareem 5b6b138964 Add sz check to ChachaAEADDecrypt to prevent potential underflow.
Thanks to Zou Dikai for the report.
2026-04-02 16:41:55 -07:00
Eric Blankenhorn 772cda3d48 Fix CertFromX509 copy length check 2026-04-02 16:13:18 -05:00
Kareem 90d6312323 Rework check to avoid changing existing logic. 2026-04-02 11:17:20 -07:00
Kareem 1274c7b5e7 Exit MatchDomainName if pattern or string length reach 0. 2026-04-02 11:17:19 -07:00
Juliusz Sosinowicz 4cf33849b8 Fix multiple bugs in OCSP implementation
- wolfSSL_i2d_OCSP_REQUEST_bio: save/restore pointer before i2d call
  that advances it, preventing BIO_write from wrong offset and heap
  corruption on free
- wolfSSL_d2i_OCSP_RESPONSE: remove (unsigned char) cast that truncated
  pointer advance to 8 bits, breaking responses larger than 255 bytes
- wolfSSL_OCSP_CERTID_dup: deep-copy CertStatus to prevent double-free
  when both original and duplicate are freed
- wolfSSL_i2d_OCSP_RESPONSE: add NULL check on response parameter
- wolfSSL_i2d_OCSP_REQUEST: advance *data pointer per i2d convention
- FreeOCSP: NULL-check ocsp->cm before dereferencing for heap
- Fix WOLFSSL_LEAVE strings to match actual function names in
  wc_CheckCertOcspResponse, GetOcspEntry, GetOcspStatus,
  CheckOcspResponse, CheckOcspRequest

Add test for CERTID dup (double-free confirmed under ASAN without fix)
and pointer advancement assertions for d2i_OCSP_RESPONSE callers.

Reported in: ZD21469
2026-04-02 11:24:25 +02:00
Juliusz Sosinowicz 2f37ab38fd DTLS Bucket improvements
- test_wolfSSL_DTLS_fragment_buckets: rewrite to use Expect framework
- Correctly handle buckets between other buckets that don't touch
- Fix DTLS fragment combine when data overlaps cur from the left
2026-04-02 11:21:23 +02:00
Daniel Pouzzner 24f9981877 Merge pull request #10120 from douzzer/20260331-wolfcrypt-Wcast-qual
20260331-wolfcrypt-Wcast-qual

approved by @padelsbach
2026-04-02 00:25:13 -05:00
Daniel Pouzzner 661eb46d04 Merge pull request #10117 from gasbytes/2025-03-31-dtls-and-tls-focused-fixes
Multiple DTLS and TLS focused fixes.
2026-04-02 00:24:03 -05:00
Daniel Pouzzner 2cd4f1c69d Merge pull request #10111 from embhorn/zd21465
Fix ARIA build issue and FIPS guard
2026-04-02 00:09:06 -05:00
Daniel Pouzzner 4dc347082c Merge pull request #10071 from padelsbach/notbefore-notafter-bounds-check
Add bounds check on wolfSSL_X509_notBefore and wolfSSL_X509_notAfter
2026-04-02 00:08:32 -05:00
Daniel Pouzzner 0c67d7a844 Merge pull request #10080 from JeremiahM37/fenrir-issues
Fenrir fixes
2026-04-02 00:06:02 -05:00
Daniel Pouzzner 27aac0ac60 Merge pull request #10007 from julek-wolfssl/zd/21376
DTLS 1.3: don't echo legacy_session_id in ServerHello
2026-04-02 00:03:06 -05:00
Daniel Pouzzner 21c6568883 Fixes for -Wcast-qual hygiene in wolfCrypt.
.github/workflows/wolfCrypt-Wconversion.yml: Add -Wcast-qual to all scenarios.

wolfssl/wolfcrypt/signature.h, wolfcrypt/src/signature.c, doc/dox_comments/header_files/signature.h:

  Remove incorrect const qualifier on the key argument in

  * wc_SignatureVerifyHash()
  * wc_SignatureVerify()
  * wc_SignatureGenerateHash()
  * wc_SignatureGenerateHash_ex()
  * wc_SignatureGenerate()
  * wc_SignatureGenerate_ex()

  This fixes UB code patterns throughout signature.c.  key is inherently
  accessed readwrite by the underlying low level crypto.  Fortunately, wolfCrypt
  has no APIs/methods to allow actual const MPI key objects, therefore these
  seeming breaking API changes can't actually break any users.

globally:

  * Add const qualifiers to all struct pointer members that are assigned values
    computed from const pointers.

  * Add const qualifiers to intermediate casts for accessors and read-only
    dereference constructs, as needed for -Wcast-qual hygiene, e.g. for a macro
    GET_U16(a), use (*(const word16*)(a)) rather than (*(word16*)(a)).

  * Add const qualifiers to internal declarations, and remove illegal casts, as
    needed for -Wcast-qual hygiene.

  * Add missing const qualifiers to all casts for argument, operand, and
    assignment type agreement, as needed for -Wcast-qual hygiene, e.g.
    "*data = (const byte*)dataASN->data.ref.data" rather than
    "*data = (byte*)dataASN->data.ref.data".

wolfssl/wolfcrypt/asn.h, wolfssl/wolfcrypt/asn_public.h, wolfcrypt/src/asn.c, wolfcrypt/src/asn_orig.c:

  * Add additional lifecycle management for object members that are only sometimes locally allocated:

    DNS_entry.nameStored
    DNS_entry.ipStringStored
    DNS_entry.ridStringStored

wolfssl/wolfcrypt/types.h: add WC_BARRIER() macro -- a portable construct that
   prevents compiler optimizers from reordering operations across the barrier.

wolfssl/wolfcrypt/blake2-impl.h, wolfcrypt/src/blake2s.c, wolfcrypt/src/blake2b.c:

  * In blake2b_init(), blake2b_init_key(), blake2s_init(), and
    blake2s_init_key(), refactor blake2b_param initialization using WC_BARRIER()
    (fixes volatile abuse that triggered -Wcast-qual).

  * Remove the residual and unused WOLFSSL_BLAKE2[BS]_INIT_EACH_FIELD code.

wolfcrypt/src/ecc.c and wolfssl/wolfcrypt/ecc.h:

  Remove incorrect const qualifier on curve arg to wc_ecc_free_curve() (internal function).
2026-04-01 14:12:02 -05:00
Reda Chouk d3ce5b8537 DTLS 1.3 and TLS 1.3 focused fixes
dtls13.c:
- Fix wrong return value in Dtls13SendFragmentedInternal error path (return outputSz instead of recordLength)
- Fix incomplete bounds check in Dtls13SendFragmented to account for DTLS_HANDSHAKE_HEADER_SZ
- Fix wrong WOLFSSL_ENTER trace string in Dtls13EpochCopyKeys

tls13.c:
- Remove wrong (byte) cast on cookie->len passed to TlsCheckCookie
- Add missing bounds check on PSK identityLen in SetupPskKey before copying to client_identity
- Fix data race on static header array in ExpectedResumptionSecret
- Add defensive underflow check in EncryptTls13 for consistency with DecryptTls13
- Fix wrong return variable in DTLS 1.3 Finished send error path (return dtlsRet instead of ret)
- Add missing SM3 case and default in Tls13_Exporter hash switch to prevent NULL dereference
- Initialize *outSz to 0 in wolfSSL_write_early_data to match wolfSSL_read_early_data
- Add bounds check for bindersLen against helloSz in CheckPreSharedKeys
- Fix resource leak and hash state corruption in ExpectedResumptionSecret error paths
- Fix memory leak of rsaSigBuf in dual-alg RSA+RSA CertificateVerify
- Guard against word32 underflow in inputLength - HANDSHAKE_HEADER_SZ in DoTls13HandShakeMsg
- Fix swapped side parameter in DeriveFinishedSecret for server-side Finished processing
- Fix no_mac fall-through in ssl_handshake_md to return NULL instead of wrong digest
- Fix strict aliasing violation in FindPsk PSK key size check
- Remove duplicate !ssl->options.dtls check in TLS 1.3 middlebox compat condition

tests:
- Add regression tests for wolfSSL_write_early_data outSz initialization and DTLS 1.3 Finished send error propagation
2026-04-01 18:36:45 +02:00
Juliusz Sosinowicz 6a1db27bae Fix type casting for psk_keySz in MakePSKPreMasterSecret and initialize newSz in PKCS12_ConcatenateContent 2026-04-01 14:00:27 +02:00
Juliusz Sosinowicz 829fbbc702 Fix namespace collision on CRL reasons 2026-04-01 14:00:27 +02:00
Ruby Martin 8df8e4a87a prevent out of bounds read in loadX509orX509REQFromPemBio() 2026-03-31 14:47:19 -06:00
Paul Adelsbach ec9b6cf469 Add test cases 2026-03-31 09:29:46 -07:00
Paul Adelsbach 452652bbce Add bounds check on wolfSSL_X509_notBefore and wolfSSL_X509_notAfter 2026-03-31 09:29:46 -07:00
Eric Blankenhorn a3fad2af91 Fix feedback from review 2026-03-31 09:35:43 -05:00
Eric Blankenhorn 6495e8e941 Fix ARIA build issue and FIPS guard 2026-03-31 08:31:14 -05:00
Juliusz Sosinowicz 4c2a90c8ef Fix GetLength return value check in ASN1_INTEGER functions
Change GetLength() return check from > 0 to >= 0 in wolfSSL_ASN1_INTEGER_get_length
and wolfSSL_ASN1_INTEGER_get0_data. GetLength returns the decoded length (≥ 0) on
success and negative error codes on failure, so checking > 0 incorrectly excluded
zero-length values, making the DER-stripping logic dead code.
2026-03-31 12:44:30 +02:00
Juliusz Sosinowicz 3b0b50e392 DTLS1.3: Implement RFC 9147 legacy_session_id_echo requirements 2026-03-31 12:42:16 +02:00
Juliusz Sosinowicz c9c2376068 TLS1.3: Improve session version handling for resumption 2026-03-31 12:42:16 +02:00
Juliusz Sosinowicz fb4600bf54 Core: Unconditionally expose WOLFSSL_SESSION::version 2026-03-31 12:42:16 +02:00
Daniel Pouzzner 5f54de0577 Merge pull request #10076 from rizlik/dtls13_ack_improvements
Dtls13: ack management improvements
2026-03-30 22:59:54 -05:00